Demystifying ACI Security
Fabien Gandola – CSE Security for EMEA
BRKSEC-2048, #CLUS
#CLUS BRKSEC-2048 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
In Conclusion
• ACI helps tackle DC security challenges by:
  • Integrating security in the application
  • Accelerating security deployment
  • Automating security insertion
Let’s Take a Step Back…
Business Trends and Datacenter Challenges
What Changed?
• Virtualization
• Requirements for security for East-West traffic
• Architecture with multiple active data centers
• Hybrid data center with public cloud solution
Digitization generates DC Challenges
The Cisco Advantage: An Architectural Approach
• Control North/South traffic with NGFW
[Diagram labels: Clustering, NGIPS]
…Leveraging the Infrastructure…
Leverage your Cisco infrastructure to fight advanced pervasive threats: TrustSec with Security Group Tagging (SGT), ISE, ASA firewall, Lancope Stealthwatch with virtual FlowSensor and NGA.
Simplify, Accelerate, Automate, Standardize.
[Diagram labels: Clustering, NGIPS, SGT propagated across the infrastructure]
…Ready for Next Generation DataCenter.
[Diagram labels: ACI Fabric, Clustering, NGIPS, Service Nodes]
Feature Product Matrix (columns: ASA/FTD, FTD, StealthWatch, TrustSec; rows: Access Control, Segmentation, Context Discovery, Threat Detection, Threat Protection, APT Detection, Forensic Analysis, Compliance; the cell markings are not recoverable from this extraction)
Feature Product Matrix with ACI (same rows and columns; cell markings not recoverable)
The Case for SDN
Applications all around us… while requiring frequent updates and the highest availability (SLAs).
Challenge for Infrastructure
Software-Defined Networking …Comes to the Rescue
“…is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.”
Source: www.opennetworking.org
What are the critical Security Functions in the DataCenter?
Defining the SDN use case for DC security:
• Automatic micro-segmentation
• Remediation
• Programmability
• Embedding security policy within the application
• Ease of service insertion
Agenda
• Introduction
• Use Cases
  • Basic Access Control
  • Basic Segmentation
  • Micro-Segmentation
  • Access Control with NGFW
  • Segmentation with NGFW
  • Threat Detection with IDS
  • Threat Protection with IPS
  • Where is my automation in there?
  • Behavior Anomaly Detection
  • More Granular Access Control
• Conclusion
About me…
Fabien Gandola, fgandola@cisco.com
TSA Cyber Security EMEAR, 19 years in Cisco
ACI Devices Role
• Spine Nodes
• Leaf Nodes
• Service Producers
ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members.
[Diagram: endpoints 1–4 in EPG 1 “WEB” and EPG 2 “APP”; Web, App and DB tiers behind an external network]
ACI Communication Abstraction
Security policy “App” → “DB”, defined on the APIC and enforced by the ACI fabric together with the security services:
• All TCP/UDP: accept, redirect to FW and IPS
• All other: drop
What are the ACI Building Blocks ?
A Policy Based on Groups
[Diagram: Web Tier, App Tier and DB Tier, each a group of endpoints (EP)]
In the ACI model, we do this using the End Point Group (EPG).
Endpoint Groups Communications
Devices within an Endpoint Group can communicate, provided that they have IP reachability (provided by the Bridge Domain/VRF).
Communication between Endpoint Groups is, by default, not permitted.
Contract
[Diagram: “EPG Web”, “EPG App” and “EPG DB”, with a contract between each pair of adjacent tiers]
Filters: TCP: 80, TCP: 443
A contract typically refers to one or more ‘filters’ to define the specific protocols & ports allowed between EPGs.
Create a Contract
Access Control From Outside: contract Client-Web
How Secure is the Fabric to rely on it for Security?
ACI Fabric Security white paper: http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-736292.html
Is there a way to create Management zones?
Tenants
A Tenant is a container for all network, security, troubleshooting and L4–7 service policies. Tenant resources are isolated from each other, allowing management by different administrators. Tenants can provide traffic and RBAC isolation…
[Diagram: Engineering-Tenant, Marketing-Tenant, IT, Internet, Shared Services, Test/Dev and IPTV tenants on the ACI Fabric]
Contract
[Diagram: “EPG Web”, “EPG App” and “EPG DB”, with a stateless firewall (contract) between Web and App and between App and DB, and a load balancer in front of Web]
But what if I want all EPGs to be able to send syslog, query DNS, communicate with the AD, etc…?
vzAny applies rules to all EPGs in a VRF.
But what if I want some EPGs to communicate freely between themselves?
Contract Preferred Groups allow traffic between a group of EPGs.
Those two forms of contracts help a lot in reducing the number of contracts, and therefore the TCAM usage, in the switches.
Is that really helping me compared to traditional ACLs?
The abstraction layer provided by the EPG detaches the security policy from the infrastructure, such as IP addresses or VLANs.
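As an added illustration (not code from the talk or from Cisco), the following Python models the decisions described above: traffic inside an EPG is allowed unless intra-EPG isolation is enforced, traffic between EPGs is implicitly denied, a contract permits only consumer-to-provider flows that match one of its filter entries, vzAny stands for every EPG of a VRF, and members of the VRF's preferred group talk freely. The VRF, EPG and contract names and the ports are constructed; return traffic (the contract's reverse filter ports) and inter-VRF shared services are not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One filter line, like a vzEntry: protocol plus destination port range."""
    prot: str                            # "tcp", "udp", "icmp" or "ip" (= any)
    dport: Tuple[int, int] = (0, 65535)

    def matches(self, prot: str, dport: int) -> bool:
        return self.prot in ("ip", prot) and self.dport[0] <= dport <= self.dport[1]


@dataclass
class Contract:
    name: str
    entries: List[FilterEntry]
    consumers: List[str] = field(default_factory=list)  # EPG names or "vzAny@<vrf>"
    providers: List[str] = field(default_factory=list)


@dataclass
class EPG:
    name: str
    vrf: str
    preferred_group: bool = False       # member of the VRF's contract preferred group
    intra_epg_isolation: bool = False   # intra-EPG endpoint isolation enforced


class Fabric:
    def __init__(self) -> None:
        self.epgs: Dict[str, EPG] = {}
        self.contracts: List[Contract] = []

    def add_epg(self, e: EPG) -> None:
        self.epgs[e.name] = e

    def add_contract(self, c: Contract) -> None:
        self.contracts.append(c)

    @staticmethod
    def _has_role(names: List[str], epg: EPG) -> bool:
        # "vzAny@VRF1" in a consumer/provider list stands for every EPG of VRF1
        return epg.name in names or f"vzAny@{epg.vrf}" in names

    def permit(self, src: str, dst: str, prot: str, dport: int) -> Tuple[bool, str]:
        """Decide a consumer-to-provider flow; returns (allowed, reason)."""
        s, d = self.epgs[src], self.epgs[dst]
        if s.vrf != d.vrf:
            return False, "different VRF (inter-VRF shared services not modelled)"
        if s is d:
            if s.intra_epg_isolation:
                return False, f"intra-EPG isolation enforced on {s.name}"
            return True, "same EPG: IP reachability is enough"
        if s.preferred_group and d.preferred_group:
            return True, "both EPGs are in the VRF preferred group"
        for c in self.contracts:
            if self._has_role(c.consumers, s) and self._has_role(c.providers, d):
                if any(e.matches(prot, dport) for e in c.entries):
                    return True, f"contract {c.name}"
        return False, "implicit deny: no contract covers this flow"


def entry(prot: str, port: int) -> FilterEntry:
    return FilterEntry(prot, (port, port))


def build_sample_fabric() -> Fabric:
    """Constructed three-tier application plus shared infrastructure, all in VRF1."""
    f = Fabric()
    for name in ("Web", "App", "Infra"):
        f.add_epg(EPG(name, "VRF1"))
    f.add_epg(EPG("DB", "VRF1", intra_epg_isolation=True))  # DB servers never talk to each other
    f.add_epg(EPG("Mon", "VRF1", preferred_group=True))      # monitoring and management EPGs
    f.add_epg(EPG("Mgmt", "VRF1", preferred_group=True))     # talk freely via the preferred group
    f.add_contract(Contract("web-to-app", [entry("tcp", 8080)], ["Web"], ["App"]))
    f.add_contract(Contract("app-to-db", [entry("tcp", 3306)], ["App"], ["DB"]))
    # vzAny as consumer: every EPG of VRF1 may reach DNS and syslog on Infra
    f.add_contract(Contract("shared-services", [entry("udp", 53), entry("udp", 514)],
                            ["vzAny@VRF1"], ["Infra"]))
    return f


def demo() -> Dict[str, bool]:
    """Evaluate a handful of flows and return the decisions keyed by flow."""
    f = build_sample_fabric()
    flows = [("Web", "App", "tcp", 8080), ("Web", "DB", "tcp", 3306),
             ("App", "DB", "tcp", 3306), ("DB", "Infra", "udp", 53),
             ("Web", "Web", "tcp", 22), ("DB", "DB", "tcp", 3306),
             ("Mon", "Mgmt", "tcp", 22), ("Mon", "Web", "tcp", 22)]
    decisions: Dict[str, bool] = {}
    for src, dst, prot, port in flows:
        ok, why = f.permit(src, dst, prot, port)
        print(f"{src:>5} -> {dst:<5} {prot}/{port:<5} {'PERMIT' if ok else 'DROP'}  ({why})")
        decisions[f"{src}->{dst}:{prot}/{port}"] = ok
    return decisions
```

Calling demo() prints one decision line per flow; Web reaching DB directly is dropped even though both Web→App and App→DB are contracted, which is the point of the whitelist model.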
Application Profile
[Diagram: two EPGs of endpoints linked by contracts within an application profile]
The ACI Micro Segmentation Toolbox
• Intra-EPG endpoint isolation
• No service graph attached
• Micro-segmented EPGs with attributes: use of attributes to classify endpoints in a specific kind of EPG called µEPG
About Micro-segmented EPGs
• µSeg EPGs are not linked to a “Base” EPG (though virtual endpoints are still “attached” to their corresponding Port Groups):
  • They have their own Bridge Domain: endpoint addressing must be taken into consideration in the design
  • They have their own set of Contracts: there is no contract inheritance from the “Base” EPG
• Attributes are matched using an “OR” operator, with a precedence order in case of conflict
• Any VM in the VMM Domain & Tenant matching an attribute will be put in the µSeg EPG: choose wisely the attribute(s) you want to match
• In the last 2 case studies, Custom Attributes would be a natural choice
USE CASE: Securing infrastructure
Use Case 3: Application Life Cycle
Joomla Web Application with three environments behind the WAN:
• Production: Web VM1 and Web VM2 plus a MySQL database VM, reached through the VIP 172.16.1.100 (http://172.16.1.100); tcp/80 from the WAN to the web tier, tcp/3306 from the web tier to the database. The load balancer (HAProxy in the diagram) can reach the web servers, but not the DB.
• Test: Web VM and MySQL database VM; test site http://172.16.1.200/acme (172.16.1.200)
• Dev: Web VM3 and MySQL database VM, used from test vDesktops
Micro Segmented EPGs with VM Attributes
[Diagram: Production clusters and Test clusters of VMs behind the WAN/Internet, classified into µEPGs by VM attribute]
Cisco ACI Supports Flexible East-West Security Models (L4−7 Security via Cisco ACI™)
L4 Stateless Security (firewall at each leaf switch; servers physical or virtual):
• L4 distributed stateless firewall
• L4 stateless firewall attached to every server port
• Line-rate policy enforcement
• Policy follows workloads
L4-7 Visibility and Control (Cisco ACI Service Graph; L4-7 security services physical or virtual, location independent):
• Service Graph
• Advanced protection with NGFW, IPS/IDS, DDoS services insertion
• Sizing at scale: can add ASA cluster
• L4-7 security policy applied consistently for any workload
Why Insert Security Services?
• Stateless segmentation is not sufficient for compliance
• More granular access control (e.g. user-based)
• Dynamic protocols requiring deeper inspection
• Better protection and detection mechanisms
Where to Connect Security Services in the Fabric ?
Flexible Options for Services Insertion (from SecOps control to APIC in control)
• ACI L2 Fabric, no package: APIC defines tenants; EPG is VLAN/subnet
• Service Graph, no device package (network policy mode): fabric provides GW/routing
• Service Graph managed: orchestrate with the vendor (service policy or service manager) through service device packages
L2 Network Stitching
- Each interface of the firewall is set to belong to a different EPG
- The forwarding decision is 100% network centric and doesn’t involve APIC
- NO CONTRACT NEEDED
- No integration with APIC
When to use this method:
- When the policy is quite static
- When more than 2 interfaces are needed on the FW
[Diagram: EPGs Web, App and DB, each in its own BD (Web, App, DB), stitched through the firewall interfaces]
Service Graph technology was designed to automate and accelerate the deployment of L4-L7 services in the network.
Why Use Service Graph?
• Security is fully inserted into the application, as the service graph is an extension of the contract in the Application Profile
• Granular way to send traffic to the security service using the contract
• Configuration templates
• Automation of the network configuration, both for the fabric and for the security appliance (with a Device Package)
• Statistics and health score automatically collected for the services
• Dynamic update of the ACLs based on endpoint discovery in the EPG
• Insert several services seamlessly with service chaining
ACI Zero Trust Model
[Diagram: APIC pushes a CONTRACT into the ACI Fabric between “DB” and “App”]
Service Graph
[Diagram: contracts between “EPG Web”, “EPG App” and “EPG DB”; the “App” ↔ “DB” contract is extended with a service graph that sends the traffic through the security services]
Add a Service graph to a Contract
Service Automation Through Device Package
• Service automation requires a vendor Device Package, made of:
  • Device specification (XML file)
  • Device scripts (Python)
Device specification (illustrative fragment from the slide, reconstructed as well-formed XML):
    <dev type="f5">
      <service type="slb">
        <param name="vip">
          <dev ident="210.1.1.1" validator="ip" hidden="no" locked="yes"/>
        </param>
      </service>
    </dev>
[Diagram: APIC node drives the service device through the device package]
ASA Device Package Opt 1: Policy Orchestration (Managed – Service Policy)
FirePOWER Services threat defence policies: the threat policy lives on FMC, and the security team configures it via FMC.
ASA PO & FI Device Package
ASA DP Built-In Profiles
ASA PO Function Profile, e.g. PBR One-Arm
Why Use Managed Service Graph?
• Full tenant orchestration with L4-L7 services
• ACL changes on the firewall can be offloaded to custom tools, using the Northbound API
• Device package allows for very fast deployment of security
• APIC monitors the service health and validates configuration
Why Use Unmanaged Service Graph?
• Continuity of the SecOps management workflows and tools
• No device package available from a vendor
• Quicker migration of security appliance configs and policies into the ACI fabric
• Allows use of the full spectrum of product features, not just the features supported by the device package
Can we get the benefits of the Device Package without the drawbacks?
Service Graph Hybrid Managed
• Leverage the network and interface configuration automation from APIC with the Device Package
• Leverage the external security management solution for the security team to create the security policy
• Use the service graph to tie together the policy and the network insertion
ASA Device Package Opt 2: Fabric Insertion (Managed – Service Policy)
ASA PO & FI Device Package
FTD Device Package Workflow
1. Existing Rule: the Security Admin uses FMC to create an ACP rule to be used with the new service graph. The rule includes allowed protocols, NGIPS, and AMP protections.
   • The Network Admin uses APIC to attach security zones to a given rule, directing service graph traffic to the appropriate NGFW inspection.
2. New Rule: the Network Admin uses APIC to create a new security rule on FMC using the service graph. This is a Deny rule, preventing traffic flow until the Security Admin gets a chance to update it.
   • The Security Admin uses FMC to update the new ACP rule with the appropriate allowed protocol, NGIPS, and AMP policy. To prevent deletion of this rule on service graph detach, the Security Admin can preserve the configured security policy by updating the ACP rule comments.
[Diagram: the security team configures via FMC; App and DB EPGs]
FTD FI Device Package Version 1.0.3
APIC configures FMC 6.2.3, using REST APIs, to manage pre-registered FTD devices in either stand-alone, HA or cluster mode.
• 1.0.3: cluster support, Ether-Channel, static routes, dynamic EPG, enhanced validation, suffix changes
• 1.0.2: HA support, FTDv VLAN trunks, FPR2100 support
• 1.0.1: routed, transparent and NGIPS modes; interfaces/zones; inline pairs; attach zones to ACP rules
Matching FTD/ACI Deployment Modes
• NGIPS/IDS modes Inline (managed) or Inline TAP (unmanaged): GoThrough service graph
• Passive (unmanaged): Copy service graph
Until recently, security service insertion was looking like that: Perimeter FW in GoTo mode, enclave with a single segment.
[Diagram: L3out, perimeter stateful firewall, then EPGs Web, App and DB separated by stateless firewalls (contracts), with a load balancer]
VRF aka Context aka Private Network
VRFs (also called contexts) are defined within a tenant to allow isolated and potentially overlapping IP address space.
[Diagram: Engineering-Tenant containing VRF-1 to VRF-4]
Bridge Domain: Not a VLAN but almost…
A bridge domain is a L2 forwarding construct within the fabric, used to constrain broadcast and multicast traffic.
[Diagram: Engineering-Tenant with VRF-2 (Bridge Domains 3 and 4) and VRF-4 (Bridge Domains 7 and 8)]
In Summary
[Diagram: Tenant “University” with private networks “Engineering” (subnets 172.1.1.0/24, 172.1.2.0/24, …, 172.20.1.0/24) and “Business” (subnets 10.1.1.0/24, 10.1.2.0/24, …); each has EPGs Web, App and DB linked by policies “HTTP” (Web to App) and “SQL” (App to DB)]
Use Case 1 (Topology)
[Diagram: L3out 172.16.10.254 with default route 0.0.0.0/0 via 192.168.11.254; EPG App with endpoints 192.168.11.100/24 and 192.168.11.200/24; other addresses 10.1.1.254, 10.1.1.1 and 172.16.10.1]
Perimeter FW in GoTo mode, Enclave with Multiple Segments
[Diagram: L3out, perimeter stateful firewall, EPGs Web, App and DB in separate segments separated by stateless firewalls (contracts), with a load balancer]
Topology
[Diagram: EPG DB in BD: DB 192.168.13.1/24 with GW 192.168.13.254; BD: LB]
Security service insertion had to be thought of carefully while the fabric was designed.
Policy Based Redirect is your Best Friend
Before the service graph is deployed, APIC relies on routing to forward.
[Diagram: gateways 192.168.11.254, 192.168.12.254 and 192.168.13.254]
Policy Based Redirect is your Best Friend
With a PBR service graph, APIC relies on PBR to redirect the traffic defined in the contract to the security service.
[Diagram: gateways 192.168.11.254, 192.168.12.254 and 192.168.13.254; service node interfaces 192.168.100.1 and 192.168.100.5]
Fabien, PBR seems great to insert a service at L3, but how does that help for segmentation?
PBR for Micro-Segmentation: Leveraging PBR
The firewall must be in ONE-ARM mode, as source and destination are in the same subnet. It must allow traffic in and out via the same interface.
[Diagram: EPGs Web, App and DB in one L3-enabled BD with gateway 192.168.10.254; endpoints 192.168.10.100 and 192.168.10.200; ASA one-arm interface in BD: ASA at 192.168.200.254]
Demonstration: Policy Based Redirect
New features related to PBR (ACI Version 3.2)
• Multi-node PBR
  • ACI 3.2 supports more than 1 PBR node in a service graph (up to 3 nodes)
  • PBR nodes and non-PBR nodes can be mixed in the same service graph
  [Diagram: EPG Client (consumer) and EPG Web (provider) with a contract whose service graph chains a PBR (redirect) node and a non-PBR node]
• PBR with vzAny (ACI 3.2)
  • vzAny is useful if we have a security requirement that applies to all EPGs in the same VRF, and it also helps to reduce policy TCAM consumption
  • Today, PBR with vzAny as provider is not supported
  • vzAny as consumer can be used for the shared service use case
  [Diagram: VRF1 with EPGs Client, Web, App and DB; vzAny as consumer, and as provider, of a contract redirecting to a PBR node]
Resilient Hash PBR: Before
• Symmetric PBR is supported today, but if one of the PBR nodes is down, traffic is re-hashed, so existing connections going through the available PBR nodes could be affected.
• Thanks to symmetric PBR, incoming and return traffic go to the same PBR node.
• Some traffic could be load-balanced to different PBR nodes that don’t have the existing connection info.
[Diagram: incoming and return traffic of User1 and User2 across the PBR nodes, with one node marked failed]
Resilient Hash PBR (ACI 3.2)
• With resilient hash PBR, only the flows that went through the failed node start using a different PBR node.
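As an added illustration (not from the talk), this Python simulation establishes a set of constructed flows over three PBR nodes, fails one node, and counts how many established flows change node under plain symmetric hashing versus the resilient hash behaviour described above; the hash function, node names and addresses are assumptions for the simulation, not what the leaf hardware does.

```python
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def symmetric_key(flow: Flow) -> bytes:
    """Order the two endpoints so a flow and its return traffic share one key."""
    a, b = (flow[0], flow[1]), (flow[2], flow[3])
    lo, hi = sorted((a, b))
    return f"{lo[0]}:{lo[1]}<->{hi[0]}:{hi[1]}".encode()


def plain_pbr_node(flow: Flow, alive: List[str]) -> str:
    """Symmetric PBR without resilient hash: bucket = hash(flow) mod number of
    alive nodes, so removing a node changes the modulus and re-homes flows."""
    h = int.from_bytes(hashlib.sha256(symmetric_key(flow)).digest()[:8], "big")
    return alive[h % len(alive)]


def resilient_pbr_table(flows: List[Flow], previous: Dict[Flow, str],
                        alive: List[str]) -> Dict[Flow, str]:
    """Resilient hash: a flow keeps its node while that node is alive;
    only the flows whose node failed are re-homed onto the survivors."""
    table: Dict[Flow, str] = {}
    for f in flows:
        node = previous.get(f)
        table[f] = node if node in alive else plain_pbr_node(f, alive)
    return table


def reverse(flow: Flow) -> Flow:
    """The return direction of a flow (server -> client)."""
    return (flow[2], flow[3], flow[0], flow[1])


def sample_flows(n: int) -> List[Flow]:
    """Constructed client -> web flows (addresses are illustrative)."""
    return [(f"192.168.11.{10 + i % 200}", 40000 + i, "192.168.12.100", 443)
            for i in range(n)]


def simulate(n_flows: int = 300, nodes: Tuple[str, ...] = ("PBR1", "PBR2", "PBR3"),
             failed: str = "PBR2") -> Dict[str, int]:
    """Establish n_flows over all nodes, fail one node, and count how many
    established flows change PBR node under each behaviour."""
    all_nodes = list(nodes)
    flows = sample_flows(n_flows)
    before = {f: plain_pbr_node(f, all_nodes) for f in flows}
    alive = [n for n in all_nodes if n != failed]
    after_plain = {f: plain_pbr_node(f, alive) for f in flows}
    after_resilient = resilient_pbr_table(flows, before, alive)

    def moved(after: Dict[Flow, str], only_survivors: bool) -> int:
        return sum(1 for f in flows
                   if after[f] != before[f] and (not only_survivors or before[f] != failed))

    return {
        "flows": n_flows,
        "on_failed_node": sum(1 for f in flows if before[f] == failed),
        "moved_plain": moved(after_plain, False),
        "moved_resilient": moved(after_resilient, False),
        # flows that never touched the failed node yet lost their node (and its connection state)
        "collateral_plain": moved(after_plain, True),
        "collateral_resilient": moved(after_resilient, True),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:22} {value}")
```

The "collateral" counters are the connections the slide warns about: with plain hashing they are non-zero after a failure, with resilient hashing they stay at zero.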
Policy Based Redirect Consideration
PBR Consideration Explanation
[Diagram: EPG Web and EPG App]
What about IDS?
IDS Insertion in ACI
• Traditional SPAN mechanism based on EPG source/destination
• NEW Copy Service:
  • Specific service graph
  • Because it is attached to a contract, it leverages the subject for a more granular selection of traffic than SPAN
ACI Integration with SPAN
SPAN: Add Source
Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and what is allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and specify the ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the traffic from the service graph. When you configure the device selection policy, you specify the contract, service graph, copy cluster, and the cluster logical interface that is in the copy device.
Copy Service: Service Graph Template
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html#id_28562
Cisco Firepower Threat Defense 6.2 Features: Full Feature Set
• NGFW: L2-L7 firewall with L3 (Routed), L2 (Transparent IRB or Inline-NGIPS) modes
• Scalable CGNAT, ACL, dynamic routing, fail-to-wire I/O modules
• Application inspection, PKI for site-to-site VPN, on-box manager
• Inter-chassis cluster, FlexConfig, REST APIs, Packet Tracer/Capture
• NSS-leading Next-Gen IPS (Sourcefire)
• Comprehensive threat prevention, L7 application visibility and control
• Security Intelligence (C&C, botnets, IP, DNS, etc.), threat/risk reports
• Blocking of files by type, protocol and direction; protocol rate limiting
• Access control: enforcement by application and user, AD integration
• Switch, routing, NAT options, and ISE pxGrid integration
• URL filtering, malware blocking, continuous file analysis
• Malware network trajectory, user-based IOCs, URL lookup
• AMP public & private cloud with ThreatGrid, FMC-ThreatGrid APIs
Managed by Firepower Management Center (fka FireSIGHT or Defense Center)
GoThrough Perimeter NGIPS: the server gateway is out of the fabric.
NGIPS between App Tiers
[Diagram: BD MyApp 192.168.10.0/24, L3 enabled; endpoints 192.168.10.100 and 192.168.10.200 with the NGIPS inline between the tiers]
My Best Practices
• For new deployments, PBR is recommended when possible
• Leverage L4-7 security services for the access control of an enclave or security zone
• Leverage contracts within an enclave for segmentation
• Enhanced Segmentation and Threat
[Diagram: enclaves App1, App 2 and App 3, each with an EPG Web and an EPG App; ACE object-group]
FMC to APIC Rapid Threat Containment
Step 1: The infected endpoint (App1) launches an attack that NGFW(v), FirePOWER Services in ASA, or the FirePOWER(v) appliance blocks inline.
Step 2: An intrusion event is generated and sent to FMC, revealing information about the infected host.
Step 3: The attack event is configured to trigger the remediation module for APIC, which uses the NB API to contain the infected host in the ACI fabric.
Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG.
[Diagram: App1 and App2 workloads on the ACI Fabric; FMC triggering APIC]
Management tools for every organization: choose the right one!
• vCenter plugin
• APIC GUI
• NX-OS style CLI
• API / automation
Cisco ACI interface summary: CLI, Ruby SDK, PowerShell SDK
I don’t know Anything about Scripting !!!
#CLUS BRKSEC-2048 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Sniffer: API Inspector
#CLUS BRKSEC-2048 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
Capturing API Calls
#CLUS BRKSEC-2048 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 152
Save Objects in JSON format
Edit Your JSON Code
Arya - ACI REST Python Adapter
Arya Example
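The slides above describe the automation workflow by screenshot only: capture a call with API Inspector, save the object as JSON, edit it, push it back. The following is an added example, not code from the session, from Arya or from Cisco, that performs that workflow with the Python standard library against the APIC northbound REST API, and also builds the isolated uSeg EPG from the FMC-to-APIC Rapid Threat Containment slide (step 4). The APIC URL, credentials, tenant, application profile, bridge domain and EPG names, the port and the host address are all placeholders chosen for this example.

```python
"""Build ACI policy objects and push them to APIC over the northbound REST API.

Added example: not code from the session, from Arya, or from Cisco. It walks
the workflow the slides describe (capture a call with API Inspector, save the
object as JSON, edit it, push it back) with the standard library only, and
covers the quarantine uSeg EPG from the FMC-to-APIC Rapid Threat Containment
slide. The APIC URL, credentials, tenant/EPG/BD names, port and host address
are placeholders for this example.
"""
import json
import ssl
import urllib.request


def build_contract(name, filter_name, proto, port):
    """Return (vzFilter, vzBrCP) allowing one destination port.

    vzFilter/vzEntry define the match; vzBrCP/vzSubj reference the filter.
    EPGs attach to the contract with fvRsProv (provider) and fvRsCons (consumer).
    """
    port = str(port)
    filt = {"vzFilter": {"attributes": {"name": filter_name}, "children": [
        {"vzEntry": {"attributes": {
            "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
            "dFromPort": port, "dToPort": port}}}]}}
    contract = {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}
    return filt, contract


def build_quarantine_useg(epg_name, bd_name, infected_ip):
    """Return a uSeg EPG that claims one host by IP attribute (slide step 4).

    isAttrBasedEPg makes the EPG a micro-segment; fvCrtrn/fvIpAttr hold the
    match criteria. With no contracts attached, the host can talk to nobody.
    """
    return {"fvAEPg": {"attributes": {"name": epg_name, "isAttrBasedEPg": "yes"}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}},
        {"fvCrtrn": {"attributes": {"name": "default"}, "children": [
            {"fvIpAttr": {"attributes": {"name": f"ip-{infected_ip}", "ip": infected_ip}}}]}}]}}


def tenant_payload(tenant, tenant_children=(), app_profile=None, epgs=()):
    """Wrap objects in the fvTenant / fvAp hierarchy expected at /api/mo/uni.json."""
    children = list(tenant_children)
    if app_profile:
        children.append({"fvAp": {"attributes": {"name": app_profile}, "children": list(epgs)}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}


def find_class(obj, cls):
    """Return the attribute dicts of every managed object of class `cls` in a payload."""
    found = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == cls:
                found.append(val["attributes"])
            found.extend(find_class(val, cls))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(find_class(item, cls))
    return found


class Apic:
    """Minimal APIC REST client: aaaLogin for the session cookie, then JSON POSTs."""

    def __init__(self, base_url, user, password, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        ctx = ssl.create_default_context()
        if not verify_tls:  # only for lab APICs with self-signed certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx), urllib.request.HTTPCookieProcessor())
        self._post("/api/aaaLogin.json", {"aaaUser": {"attributes": {"name": user, "pwd": password}}})

    def _post(self, path, body):
        req = urllib.request.Request(self.base_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"}, method="POST")
        with self.opener.open(req, timeout=15) as resp:
            return json.loads(resp.read())

    def push(self, payload):
        """POST a tenant tree; APIC merges it into the MIT (create or update)."""
        return self._post("/api/mo/uni.json", payload)


if __name__ == "__main__":
    filt, contract = build_contract("web-to-app", "tcp-8443", "tcp", 8443)
    useg = build_quarantine_useg("quarantine", "bd-app", "10.1.100.52")  # placeholder host
    payload = tenant_payload("Tenant1", [filt, contract], "App1", [useg])
    print(json.dumps(payload, indent=2))  # the JSON you would inspect, edit and replay
    # Apic("https://apic.example.invalid", "admin", "password").push(payload)  # placeholder APIC
```

Printing the payload first and pushing it only once it looks right is the same loop the API Inspector slides show, just scripted. On a real fabric the uSeg EPG also needs a domain association (fvRsDomAtt) matching the workload's VMM or physical domain, which this example omits; the session cookie returned by aaaLogin is carried by urllib's cookie processor on every later call.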
Demo : Automation with API scripts
Traditional Security Policy
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
TrustSec Security Policy: Software Defined Segmentation with TrustSec
(Figure: TrustSec Network Fabric)
Enabling Group-Based Policies across the Enterprise
• Cohesive security policy
• Simplified security management
• End-to-End segmentation
(Figure: TrustSec Policy Domain and ACI Policy Domain)
TrustSec Security Groups Provisioned in ACI
ISE dynamically provisions TrustSec Security Groups in ACI Fabric
Max: 200 Security Groups
Up to 4000 /32 mappings (gen1)
Up to 10K /32 mappings (gen2) (-EX)
(Figure: TrustSec domain with ISE; DC with APIC)
TrustSec Groups Shared with ACI
Sharing Application Context to TrustSec Policies
ISE dynamically learns internal EPGs and VM Bindings from ACI fabric
TrustSec Policies Controlling
(Figure: TrustSec Domain with ISE; DC with APIC; VM1 ... VM100)
Data Plane Integration
New Capabilities:
• Take current SGT propagation methods (DMVPN, GETVPN, SXP, IPSEC, GRE, LISP/VXLAN (campus fabric)) into ACI fabric
Benefits:
• Greater scale (remove IP/Group info from leaf)
• Seamless integration
Sharing Context Across the Enterprise
(Figure: TrustSec Policy Domain and ACI Policy Domain. ISE and APIC align the SGT/EPG namespace, and a TrustSec Border Device (ASR 1K) facing the ACI Spine (N9K) holds the "SGT # to EPG #" translation table. Example: BYOD host 10.1.10.220 with SGT 5 sends to 10.1.100.52; across the Enterprise Backbone the packet carries SGT 5 in CMD, and inside the DC it carries the corresponding Class ID in iVXLAN.)
StealthWatch
Verizon Report
Kill Chain: Post Breach
(Figure: perimeter controls - Switches, Routers, Firewall, IPS, N-AV, Web Sec, Email Sec - and post-breach Threat Detection across the kill chain: 1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft)
Scalable Network Defense
(Figure: the same post-breach kill-chain diagram - Switches, Routers, Firewall, IPS, N-AV, Web Sec, Email Sec; Threat Detection across 1. Command and Control, 2. Reconnaissance, 3. Propagation, 4. Data Theft)
Cisco CTD Solution: Providing Scalable Visibility
Drilling into a single flow yields a plethora of information
Flow-based Anomaly Detection
Each attribute is compared against a threshold:
• # Concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• Over 80+ other attributes
NetFlow Security Use Cases
It can:
Detect Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero day threats that do not yet have an antivirus signature or be hard to detect for other reasons.
Identify BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their Bot herders to send SPAM, Denial of Service attacks, or other malicious acts.
Uncover Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats.
Find Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose of gathering security reconnaissance data, data exfiltration or network backdoors.
Reveal Data Loss. Code can be hidden in the enterprise to export sensitive information back to the attacker. This Data Leakage may occur rapidly or over time.
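The two slides above list the flow attributes that are compared against a threshold and the security use cases that follow from them, but show no logic. The following is an added example, not StealthWatch or Tetration code, that applies such per-host thresholds to a constructed set of NetFlow-style records and maps the hits to the use cases named here (reconnaissance, botnet command and control, data loss); it also goes one step further and implements the DNS query the Tetration Flow Exploration slide later in the deck describes (DNS packets larger than 82 bytes in flows longer than 6 seconds). Every flow record, address and threshold value is constructed for illustration.

```python
"""Flow-based anomaly detection over NetFlow-style records.

Added example, not StealthWatch or Tetration code. It applies per-host
thresholds on attributes the slide lists (new flows created, SYNs sent,
bytes, flow duration) to constructed flows and maps hits onto the NetFlow
use cases: reconnaissance, botnet command and control, data loss. The DNS
rule is the Tetration query quoted later in the deck. Every flow, address
and threshold here is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = (ip_network("10.0.0.0/8"),)   # constructed: the enterprise address space

THRESHOLDS = {                    # constructed; real tools learn these per host group
    "recon_distinct_ports": 20,   # distinct internal destination ports from one source
    "syn_only_flows": 15,         # TCP flows from one source that never got past SYN
    "exfil_bytes": 50_000_000,    # bytes from one internal host to external addresses
    "beacon_min_count": 6,        # repeated flows to one external destination ...
    "beacon_jitter": 2.0,         # ... whose inter-arrival stddev stays below this (s)
    "dns_pkt_bytes": 82,          # average DNS packet size (Tetration query)
    "dns_duration": 6.0,          # DNS flow duration in seconds (Tetration query)
}


@dataclass(frozen=True)
class Flow:
    start: int        # flow start, seconds since midnight
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    pkts: int
    nbytes: int
    duration: float   # seconds
    flags: str        # TCP flags seen over the flow, e.g. "S" = SYN only


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def detect(flows, th=THRESHOLDS):
    """Return (src, category, detail) alerts for internal hosts that cross a threshold."""
    alerts = []
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    for src, fl in by_src.items():
        if not is_internal(src):
            continue
        # Reconnaissance: one host sweeping many ports inside the enterprise
        ports = {f.dport for f in fl if is_internal(f.dst)}
        if len(ports) >= th["recon_distinct_ports"]:
            alerts.append((src, "reconnaissance", f"{len(ports)} distinct internal ports"))
        # Half-open probes: SYNs sent with no completed handshake
        syn_only = sum(1 for f in fl if f.proto == "tcp" and f.flags == "S")
        if syn_only >= th["syn_only_flows"]:
            alerts.append((src, "syn-scan", f"{syn_only} SYN-only flows"))
        # Data loss: outbound volume to external hosts
        out = sum(f.nbytes for f in fl if not is_internal(f.dst))
        if out >= th["exfil_bytes"]:
            alerts.append((src, "data-loss", f"{out} bytes to external hosts"))
        # Command and control: small flows to one external host at regular intervals
        starts_by_dst = defaultdict(list)
        for f in fl:
            if not is_internal(f.dst):
                starts_by_dst[f.dst].append(f.start)
        for dst, starts in starts_by_dst.items():
            if len(starts) >= th["beacon_min_count"]:
                s = sorted(starts)
                gaps = [b - a for a, b in zip(s, s[1:])]
                if pstdev(gaps) <= th["beacon_jitter"]:
                    alerts.append((src, "c2-beacon", f"{len(s)} flows to {dst} every ~{mean(gaps):.0f}s"))
        # Possible malicious DNS: large packets in a long-lived flow
        for f in fl:
            if (f.dport == 53 and f.pkts and f.nbytes / f.pkts > th["dns_pkt_bytes"]
                    and f.duration > th["dns_duration"]):
                alerts.append((src, "dns-anomaly", f"{f.nbytes // f.pkts}B avg packets over {f.duration}s to {f.dst}"))
    return alerts


def sample_flows():
    """Constructed flow records: four anomalous hosts plus two benign flows."""
    flows = []
    for i, port in enumerate(range(1, 26)):      # 25-port SYN sweep -> reconnaissance + syn-scan
        flows.append(Flow(3600 + i, "10.1.10.7", "10.1.100.52", "tcp", port, 1, 60, 0.0, "S"))
    for k in range(8):                            # 8 small flows, 60 s apart -> c2-beacon
        flows.append(Flow(7200 + 60 * k, "10.1.10.220", "203.0.113.9", "tcp", 443, 12, 2400, 1.0, "SA"))
    flows.append(Flow(9000, "10.1.100.52", "198.51.100.23", "tcp", 443, 45000, 60_000_000, 300.0, "SA"))  # data-loss
    flows.append(Flow(9100, "10.1.10.33", "198.51.100.53", "udp", 53, 50, 6000, 9.5, ""))   # dns-anomaly
    flows.append(Flow(9200, "10.1.10.34", "10.1.1.53", "udp", 53, 2, 140, 0.1, ""))          # benign DNS
    flows.append(Flow(9300, "10.1.10.34", "203.0.113.80", "tcp", 443, 30, 40000, 5.0, "SA")) # benign web
    return flows


if __name__ == "__main__":
    for src, kind, detail in detect(sample_flows()):
        print(f"{src:14} {kind:16} {detail}")
```

The static thresholds are the part a product replaces: StealthWatch baselines each host group over time and alarms on deviation from the learned baseline rather than on fixed numbers, which is why the slide speaks of 80+ attributes rather than a handful of limits. The beacon rule is the least obvious one and the one worth keeping: regular inter-arrival times to a single external destination are hard to see in a flow table but trivial to compute once flows are grouped by source and destination.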
StealthWatch Solution Components
(Figure: StealthWatch Management Console; StealthWatch FlowSensor and StealthWatch FlowSensor VE; telemetry sources NetFlow, NBAR, NSEL from the Cisco Network; Users/Devices)
How do I send Traffic to my FlowSensor?
ACI Integration with SPAN
SPAN: Add Source
Service Copy Configuration Steps
• Identify the source and destination endpoint groups.
• Configure the contract that specifies what to copy according to the subject and what is allowed in the contract filter.
• Configure Layer 4 to Layer 7 copy devices that identify the target devices and specify the ports where they attach.
• Use the copy service as part of a Layer 4 to Layer 7 service graph template.
• Configure a device selection policy that specifies which device will receive the traffic from the service graph. When you configure the device selection policy, you specify the contract, service graph, copy cluster, and cluster logical interface that is in the copy device.
Copy Service : Service Graph Template
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver211/b_L4L7_Deploy_ver211_chapter_01101.html#id_28562
Tetration
(Figure, *=Roadmap: the Tetration Analytics Appliance collects from SW Sensors, Nexus 9300-EX HW Sensors, SW Sensors in Cloud and 3rd Party Feeds, and integrates with 3rd Party Policy Enforcement. Outputs: Application Insights; Policy Simulation / Impact Analysis; Whitelist Policy Recommendation; Forensics and Compliance (Record, Recommend); Policy Enforcement (Future Roadmap); Advanced security. Use cases: Application insight, Whitelist policy segmentation, Segmentation compliance, Application Policy, Process inventory, Software inventory baseline, Process security, Visibility and forensics.)
Cisco Tetration Platform
Hybrid cloud workload protection approach
What is really running on my network?
Cisco Tetration Analytics application insight dependency map
Use Cisco Tetration Analytics™ outcome to generate whitelist policies
(Figure: dependency map grouped by Service owner, Service category, Service and Service offering, with Application Dependencies and Security)
Whitelist Policy Recommendation
(Figure: Application Discovery across Web Tier, App Tier, DB Tier and Storage; Policy Enforcement (Future Roadmap))
Policy Discovery – What talks to what and how
Workload Protection
Software Package Inventory, Vulnerability Details, Process Hash & Anomaly Detection
(Figure: Workload Protection view highlighting a Privilege Escalation finding)
Visual Query with Flow Exploration
• Replay flow details like a DVR
• Information mapped across 25 different dimensions
• Thick lines indicate common flows
• Faint lines indicate uncommon flows
Outliers
Switch on Outlier view to highlight uncommon flows. The outlier dimension is highlighted with a purple circle.
Possible malicious DNS traffic
Show all DNS traffic with packets larger than 82 bytes and a flow duration of greater than 6 seconds.
Tetration – the “Big Picture”
(Figure. Inputs: Historic and New flows; Attributes from AWS, vCenter, CMDB, ISE, DNS, etc.; OOB Sensors, Netflow, Software Sensors, SLB, Hardware Sensors; headers and context of each and every packet in DC/cloud, including software/process inventory. Purpose-Built Platform with Machine Learning. Outputs: Application Insight with Application Dependency Mapping, Zero-Trust Policies, Infrastructure-Agnostic Zero Trust Policy Enforcement, Real-time Identity Tagging, Policy Simulation, Automated Audit & Compliance; Real-time Event Notification, Trigger Actions, Quarantine and Protect; Flow Search, Investigation, Forensic Visibility, NPMD, SW Vulnerability Detection, Process Behavior Deviation; User/Tetration Applications (REST / Python / Scala / SQL / R*).)
BETTER TOGETHER ?
Network as a Sensor in the Data Center
Tetration for Application Analytics and Stealthwatch for Security Analysis
Application Segmentation and Policy Monitoring
(Figure: Tetration Analytics alongside Stealthwatch)
Monitoring Unified Policy in the Data Centre
(Figure: Tetration Analytics receives NetFlow Telemetry and SPAN from the fabric, EPG Definitions from the ACI Domain and SGT Definitions from the TrustSec Domain. Example groups: pci_users, SGT: 16 (TrustSec Domain); EV_appProfile_LOB2_App1EPG, SGT: 10005 (ACI Domain).)
Conclusion