Skip to main content

Introduction to ACI

What is an ACI network?

At a very basic level ACI is really just a Spine/Leaf network of Nexus 9k switches with a management platform

The network management platform (APIC) provides you with a single place from which to manage the network 

Is ACI an Overlay or Underlay network?

ACI is an automated (VXLAN) overlay network running over an automated (ISIS) underlay network.

ACI can transport any IP traffic including “Overlay” networks based on VXLAN*, NVGRE* etc.


How ACI Fabric is Built - Zero Touch:


What Do We Mean by Policy ?

• Access Policies = Define how a switch or switch port is configured. Specifically Ethernet and link layer properties such as LLDP, LACP, CDP, speed/duplex, etc. 
• Tenant Policies = Govern traditional networking. This is where logical connectivity is defined.
 • Access policies and Tenant policies work in tandem to define where and how endpoints or applications are connected 

1. Tenants: Isolated configuration “zones” on common physical infrastructure

2. VRFs are configured within a Tenant

3. A Bridge Domain is a Layer 2 forwarding segment which maps a (locally significant) VLAN on each Leaf switch to a unique VXLAN segment & A Bridge Domain may have one or more associated SVIs.

4. Endpoint Groups:

An Endpoint Group is a security “container” for devices that are attached to an ACI fabric. There is a 1:1 mapping between EPGs and Bridge Domains

Devices are mapped into an EPG by considering the incoming switch/interface/vlan, or virtual switch/vlan

Communication within an EPG is permitted (by default), communication between EPGs requires a Contract (ACL)

5. Application Profiles:

An Application Profile is a collection of EPGs which may or may not represent an Application. 

Labels:

Comments

Post a Comment

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of t...
Post a Comment
Read more

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID a...
Post a Comment
Read more

Cisco ASA - Order of operations

1. Packet is reached at the ingress interface.  2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one. 3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access−control list (ACL) check is bypassed, and the packet is moved forward. If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged. 4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped...
Post a Comment
Read more