ACI MicroSegmentation - SafePlus Live Berlin... · 2017-03-28


ACI MicroSegmentation Deployment Lab

Furong Gisiger, Solutions Architect, Cisco
Christine Lakits, Network Consulting Engineer, Cisco

LTRACI-2800


Agenda

• Introduction
• ACI Micro Segmentation Key Features
• ACI Micro Segmentation Use Cases
• ACI Micro Segmentation Implementation
• Lab Setup and Overview
• Conclusion
• Q & A


Introduction


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Why Micro Segmentation?

[Figure: Segmentation – four segments, Segment 1 to Segment 4]

Segment = Broadcast domain / VLAN / Subnet

[Figure: Segmentation vs. Micro Segmentation – Segment 1 subdivided into Micro Segment 1 to Micro Segment 4]

Micro Segment = Endpoint or Group of Endpoints


Why Micro Segmentation?

• Perimeter security is not enough: once breached, lateral movement can allow attackers to compromise more assets

• Improve the security posture inside the Data Center

• Minimize segment size and provide smallest exposure to lateral movement


The ACI Micro Segmentation Toolbox

• EPGs & Contracts (ACI Policy Model)
• Intra EPG isolation
• Micro-segmented EPGs with attributes
• Integration with L4/L7 Services ecosystem (NOT covered in this LAB)


EPG Segmentation


Endpoint Group (EPG) is a group of devices/endpoints that shares common policy requirements.


Endpoint Groups (EPG, fvAEPg)

[Figure: three ways to form an EPG]
• Example #1: all endpoints in a segment (10.10.10.10, 10.10.10.11, 10.10.10.12)
• Example #2: all VMs in a PortGroup (PortGroup Orange)
• Example #3: all endpoints in the same application Tier (HR-web, Fin-web, Sales-web)

Classify based on endpoint Encapsulation (VLAN/VXLAN) and Ports

EPG can be considered like Security Zones or Security Groups

A single EPG can have a mix of Physical and Virtual Workloads


By default …
• endpoints inside a regular EPG can communicate freely.
• endpoints in different EPGs can’t communicate at all.


ACI White List Model(*): No Contract, No Communication

[Figure: Bridge Domain – 10.10.10.1/24; EPG Web: Web-01 10.10.10.11, Web-02 10.10.10.12; EPG App: App-01 10.10.10.13, App-02 10.10.10.14; no contract between the EPGs]

Without contracts, by default there is no communication between EPGs.

(*) Default can be changed


ACI White List Model(*): Contract Determines Communication

[Figure: Bridge Domain – 10.10.10.1/24; EPG Web: Web-01 10.10.10.11, Web-02 10.10.10.12; EPG App: App-01 10.10.10.13, App-02 10.10.10.14; one EPG CONSUMES and the other PROVIDES the contract; flows labelled tcp/80, tcp/8080, tcp/443, tcp/80]

Contract: Blue-to-Green
Subject: AppTraffic

Filter   Action
tcp/80   allow
tcp/443  allow

(*) Default can be changed


ACI Leaf Uses Zoning Rules to forward or drop the traffic

[Figure: EPG Web: Web-01 10.10.10.11, Web-02 10.10.10.12; EPG App: App-01 10.10.10.13, App-02 10.10.10.14; both attached to leaf1]

leaf1# show zoning-rule scope 2162697 | egrep -E "Scope|32771|16387"
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
4616     16387   32771   5         enabled  2162697  permit  src_dst_any(8)
4617     32771   16387   5         enabled  2162697  permit  src_dst_any(8)

Once a contract is created, it gets programmed on the ACI leaf as Zoning Rules. The leaf forwards/drops packets based on those rules.
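As an added example (not from the deck), this Python parser reads the 'show zoning-rule' text above and answers the two questions a reviewer asks after pushing a contract: are permits programmed in both directions between the two pcTags, and which pcTags can reach a given EPG inside the VRF scope. The first two rules in the sample are the slide's; the third rule and its source pcTag 49153 are constructed.

```python
"""Audit the zoning rules an ACI leaf programs for a contract.

Added example for this deck, not Cisco tooling. It parses the text of
'show zoning-rule' as shown on the slide (scope 2162697 is the VRF scope,
16387 and 32771 are the two EPGs' pcTags).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the slide's two rules plus one made-up rule (4618)
# from a hypothetical third EPG (pcTag 49153) so the exposure report has
# something extra to find.
SAMPLE_OUTPUT = """\
leaf1# show zoning-rule scope 2162697 | egrep -E "Scope|32771|16387"
Rule ID SrcEPG DstEPG FilterID operSt Scope Action Priority
4616 16387 32771 5 enabled 2162697 permit src_dst_any(8)
4617 32771 16387 5 enabled 2162697 permit src_dst_any(8)
4618 49153 32771 7 enabled 2162697 permit src_dst_any(8)
"""


@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    src_epg: int
    dst_epg: int
    filter_id: str
    oper_st: str
    scope: int
    action: str
    priority: str


# One data row: eight whitespace-separated columns, the numeric ones as digits.
ROW_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$"
)


def parse_zoning_rules(text: str) -> List[ZoningRule]:
    """Return the data rows of a 'show zoning-rule' dump. The prompt, the
    header line and anything not matching the column layout are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        rid, src, dst, fid, st, scope, action, prio = m.groups()
        rules.append(ZoningRule(int(rid), int(src), int(dst), fid, st,
                                int(scope), action, prio))
    return rules


def _active_permits(rules: List[ZoningRule], scope: int) -> List[ZoningRule]:
    return [r for r in rules
            if r.scope == scope and r.action == "permit" and r.oper_st == "enabled"]


def permit_directions(rules: List[ZoningRule], scope: int,
                      epg_a: int, epg_b: int) -> Dict[str, bool]:
    """Which directions between two pcTags carry an enabled permit rule.
    A bidirectional contract subject yields both True; a missing direction
    means one side's traffic falls through to the implicit deny."""
    permits = _active_permits(rules, scope)
    return {
        "a_to_b": any(r.src_epg == epg_a and r.dst_epg == epg_b for r in permits),
        "b_to_a": any(r.src_epg == epg_b and r.dst_epg == epg_a for r in permits),
    }


def sources_allowed_to(rules: List[ZoningRule], scope: int,
                       dst_epg: int) -> Dict[int, List[int]]:
    """Exposure report: every source pcTag with an enabled permit towards
    dst_epg, mapped to the rule IDs granting it. Use it to confirm that only
    the intended consumer EPGs can reach a provider EPG."""
    report: Dict[int, List[int]] = {}
    for r in _active_permits(rules, scope):
        if r.dst_epg == dst_epg:
            report.setdefault(r.src_epg, []).append(r.rule_id)
    return report


if __name__ == "__main__":
    parsed = parse_zoning_rules(SAMPLE_OUTPUT)
    print(permit_directions(parsed, 2162697, 16387, 32771))
    print(sources_allowed_to(parsed, 2162697, 32771))
```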


Intra EPG Isolation


Intra EPG Isolation

• Intra EPG Isolation blocks communication between all endpoints inside the group
• Supports mixing of Physical and Virtual endpoints in the same EPG
• Can be configured on all types of EPG

Intra EPG Isolation (XML, pcEnfPref="enforced"):

<fvTenant name="Tenant1">
  <fvAp name="ap1">
    <fvAEPg isAttrBasedEPg="no" matchT="AtleastOne" name="baseEPG" pcEnfPref="enforced" prefGrMemb="exclude" prio="unspecified">
      <fvRsBd tnFvBDName="bd"/>
    </fvAEPg>
  </fvAp>
</fvTenant>


Intra EPG Isolation Use Case

• Independent clients accessing common services

• VDI (Virtual Desktop Infrastructure)

• Management devices (CIMC etc.)

• Backup Storage

• Web tier application

[Figure: CIMC Interfaces reaching NTP/DNS Infra Services]


Intra EPG Isolation – Zoning Rules

[Figure: EPG-A and EPG-B]

Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all

Intra EPG traffic will be dropped by the leaf because of the implicit deny-all rule.


VMWare DVS Intra EPG Isolation

[Figure: Port-Group EPGA and Port-Group EPGB on the vDS, each carried on a DVS VLAN pair (VLAN-pri / VLAN-sec) to the ACI leaf]

• vDS => ACI leaf uplink traffic uses VLAN-secondary
• ACI leaf => vDS downlink traffic uses VLAN-primary
• PVLAN map is configured in vDS
• PVLAN map is configured on the ACI leaf


VMWare DVS Intra EPG Isolation

[Figure: Port-Group EPGA and Port-Group EPGB on the vDS, DVS VLAN-pri / VLAN-sec towards the ACI leaf]

Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all

Inter-ESXi host traffic will be dropped by the leaf because of the implicit deny-all rule.

• Intra-ESXi host traffic is encapsulated in VLAN-secondary.
• vDS denies local intra-EPG VM traffic via PVLAN

Note for Inter-EPG Traffic with Isolation Enabled:
• EPG-B sends traffic over regular VLAN to ACI Leaf
• Egress Leaf will encapsulate traffic in VLAN-Primary and send towards EPG-A VMs


VMWare With Cisco AVS Intra EPG Isolation

[Figure: Port-Group EPGA and Port-Group EPGB on AVS, AVS VXLAN towards the ACI leaf]

Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all

Inter-ESXi host traffic will be dropped by the leaf because of the implicit deny-all rule.

Isolation enforcement is local to AVS within a host.

* VXLAN mode supported. No PVLANs required because of Opflex


Micro-segmented EPGs with attributes


uSeg EPG (Attribute Based EPG)

• Endpoints can be classified based on their attributes using uSeg EPGs

[Figure: EPG GREEN containing VM-01 (10.10.10.13), BM-02 (10.10.10.12, f4:5c:89:b2:ab:cd) and BM-01 (10.10.10.11, f4:5c:89:b2:bf:cb); two uSeg EPGs, uEPG MyDB and uEPG Quarantine, with the selectors "Select where: MAC=f4:5c:89:b2:bf:cb" and "Select where: VM-name=VM-01"]

Base EPG based on port and encapsulation (i.e. VLAN or VXLAN)

uSeg EPG based on Attributes


uSeg EPG

• The endpoint must be first known to a regular EPG of type base EPG.

• uSeg EPG and base EPG associate with same BD.

• A uSeg EPG is equivalent to a regular/base EPG for all purposes, but classification is based on endpoint attributes (and dynamic in nature)

• Endpoints in uSeg EPG by default can NOT communicate to the base EPG (without a contract)

• uSeg EPG does not inherit the contracts from base EPG today.


uSeg EPG XML Configuration


isAttrBasedEPg = "no"

isAttrBasedEPg = "yes"

New attribute called 'isAttrBasedEPg' in fvAEPg. Admin has to explicitly specify whether a given EPG is an attribute based EPG or not.
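The deck shows the isAttrBasedEPg flag here and, on the Intra EPG Isolation slide, the fvAEPg XML with pcEnfPref="enforced". As an added example (not Cisco's code), the Python below builds both kinds of fvAEPg with the standard library and lints the result against the rules the uSeg EPG slide states; the criterion container fvCrtrn and the attribute classes fvMacAttr, fvIpAttr and fvVmAttr (with type/operator/value) are the author's assumption about the APIC object model and should be checked against the model reference of the release in use.

```python
"""Build and sanity-check the fvAEPg objects this deck configures.

Added example, not from the lab or from Cisco. fvTenant, fvAp, fvAEPg,
fvRsBd and the attributes isAttrBasedEPg, pcEnfPref, matchT, prefGrMemb,
prio appear in the deck's XML; fvCrtrn, fvMacAttr, fvIpAttr and fvVmAttr
are ASSUMED class names for the uSeg criteria.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ATTR_CLASSES = ("fvMacAttr", "fvIpAttr", "fvVmAttr")   # ASSUMED attribute classes


def base_epg(name: str, bd: str, isolated: bool) -> ET.Element:
    """Regular EPG classified by port/encapsulation. isolated=True sets
    pcEnfPref="enforced", the Intra EPG Isolation setting on the deck's slide."""
    epg = ET.Element("fvAEPg", {
        "name": name, "isAttrBasedEPg": "no", "matchT": "AtleastOne",
        "pcEnfPref": "enforced" if isolated else "unenforced",
        "prefGrMemb": "exclude", "prio": "unspecified",
    })
    ET.SubElement(epg, "fvRsBd", {"tnFvBDName": bd})
    return epg


def useg_epg(name: str, bd: str, criteria: List[tuple], match: str = "any") -> ET.Element:
    """uSeg EPG (isAttrBasedEPg="yes"). Each criterion is ("mac", mac),
    ("ip", host_or_prefix) or ("vm", type, operator, value)."""
    epg = ET.Element("fvAEPg", {
        "name": name, "isAttrBasedEPg": "yes", "matchT": "AtleastOne",
        "pcEnfPref": "unenforced", "prefGrMemb": "exclude", "prio": "unspecified",
    })
    ET.SubElement(epg, "fvRsBd", {"tnFvBDName": bd})
    crtrn = ET.SubElement(epg, "fvCrtrn", {"name": "default", "match": match})
    for i, c in enumerate(criteria):
        attr_name = f"{c[0]}-{i}"
        if c[0] == "mac":
            ET.SubElement(crtrn, "fvMacAttr", {"name": attr_name, "mac": c[1]})
        elif c[0] == "ip":
            ET.SubElement(crtrn, "fvIpAttr", {"name": attr_name, "ip": c[1]})
        elif c[0] == "vm":
            ET.SubElement(crtrn, "fvVmAttr", {"name": attr_name, "type": c[1],
                                              "operator": c[2], "value": c[3]})
        else:
            raise ValueError(f"unknown criterion kind {c[0]!r}")
    return epg


def tenant_xml(tenant: str, ap: str, epgs: List[ET.Element]) -> str:
    """Wrap the EPGs in fvTenant/fvAp as the deck's XML does and serialise."""
    root = ET.Element("fvTenant", {"name": tenant})
    app = ET.SubElement(root, "fvAp", {"name": ap})
    for epg in epgs:
        app.append(epg)
    return ET.tostring(root, encoding="unicode")


def lint(xml_text: str) -> List[str]:
    """Findings against the deck's stated rules: every EPG binds a BD, a uSeg
    EPG carries at least one attribute, flag and criteria agree, and a uSeg
    EPG shares its BD with a base EPG (endpoints must first be learned there)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    bd_of: Dict[str, str] = {}
    is_useg: Dict[str, bool] = {}
    base_bds: Set[str] = set()
    for epg in root.iter("fvAEPg"):
        name = epg.get("name")
        rsbd = epg.find("fvRsBd")
        if rsbd is None:
            findings.append(f"{name}: no fvRsBd, EPG is not bound to a bridge domain")
            continue
        bd_of[name] = rsbd.get("tnFvBDName")
        is_useg[name] = epg.get("isAttrBasedEPg") == "yes"
        n_attrs = sum(1 for e in epg.iter() if e.tag in ATTR_CLASSES)
        if is_useg[name]:
            if n_attrs == 0:
                findings.append(f"{name}: uSeg EPG without any attribute criterion")
        else:
            base_bds.add(bd_of[name])
            if n_attrs:
                findings.append(f"{name}: has criteria but isAttrBasedEPg is not 'yes'")
    for name, bd in bd_of.items():
        if is_useg[name] and bd not in base_bds:
            findings.append(f"{name}: no base EPG in bridge domain {bd}")
    return findings


if __name__ == "__main__":
    print(tenant_xml("Tenant1", "ap1", [
        base_epg("baseEPG", "bd", isolated=True),
        useg_epg("UBUNTU", "bd", [("vm", "guest-os", "equals", "Ubuntu")]),
    ]))
```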


Endpoint Attributes

Attributes w/ Precedence                Type     Example
MAC Address                             Network  5c:01:23:ab:cd:ef
IP Address                              Network  10.10.1.0/24, 10.20.21.1
VNic Dn (vNIC domain name)              VM       A1:23:45:67:89:0b
VM Identifier                           VM       vm-598
VM Name                                 VM       HR_UI_WEB
Hypervisor Identifier                   VM       esxi-host-01
VMM Domain                              VM       AVS-VMM-DC1
Datacenter                              VM       BRU-DC
Custom Attribute (VMWare AVS/DVS only)  VM       AppTier=Web
Guest Operating System                  VM       Windows 2008

Supported attributes as of 2.2(1n)

Domains: Physical Domain; VMM Domain (DVS/AVS/HyperV)


MAC and IP Attributes

• MAC and IP attributes can be used for both physical domains and VMM domains.

• You can specify a large MAC list
• You can specify individual IP addresses and/or subnets


uSeg EPG Support with VMM Domain

[Figure: BD1 (Subnet: 192.168.1.254/24) with base EPG GREEN mapped to vSwitch dvPortGroup GREEN, holding ubuntu-01, centos-01, ubuntu-02, centos-02; uSeg EPG UBUNTU with VM Attribute "VM OS Equals 'Ubuntu'"]


uSeg EPGs with Microsoft Hyper-V and VMware vSphere using AVS

[Figure: BD1 (Subnet: 192.168.1.254/24), base EPG GREEN with dvPortGroup GREEN on AVS and on the MSFT vSwitch, holding ubuntu-01, centos-01, ubuntu-02, centos-02; uSeg EPG UBUNTU with VM Attribute "VM OS Equals 'Ubuntu'"]

The uEPG does not configure a new dvPortGroup or VM-Network. A new encapsulation ID (VLAN or VXLAN) is allocated for this uEPG within each VMM. This enables the leaf to classify endpoints on the right uEPG.


uSeg EPG with VMware vSphere using DVS

[Figure: BD1 (Subnet: 192.168.1.254/24), base EPG GREEN with dvPortGroup GREEN on a VMware DVS (PVLAN: primary 100, secondary 200), holding ubuntu-01, centos-01, ubuntu-02, centos-02; uSeg EPG UBUNTU with VM Attribute "VM OS Equals 'Ubuntu'"; *Proxy-ARP enabled]

EPG GREEN PVLAN mode will be enabled (same behavior as Intra EPG Isolation). PVLAN allocation will be required if there is a L2 switch in between.

The uEPG does not configure a new dvPortGroup or VM-Network.

Traffic always goes to the Leaf because of Proxy-ARP.


You can use multiple attributes

• Attribute support depends on VMM, some attributes are vendor specific (i.e. vSphere Custom Attributes)

• In case multiple Attributes are defined for an EPG, the EPG is used if ‘any’ one of the specified attributes matches the endpoint.


Use Case #1: Isolate a Malicious VM

• Problem: Vulnerability is detected in a particular type of operating system (e.g. Windows). Network security administrator would like to isolate all Windows VMs.

[Figure: tiers Web (Web01 Linux, Web02 Linux, Web03 Win), App (App01 Linux, App02 Linux, App03 Win), DB (DB01 Linux, DB02 Linux, DB03 Win); the Windows VMs are pulled into a "Win EPG" whose criterion is Attribute (OS = Windows), and their traffic to the rest is blocked (X)]


Use Case #2: Creating additional Security Zones

• Problem: VMs belonging to different departments (e.g. HR, Sales) or different roles (Production, Test) are placed in the port-group, but isolation across departments is required (e.g. HR-Web-VM should not be able to talk to Sales-Web-VM).

[Figure: tiers Web (Web01, HR-Web01, Sales-Web01), App (App01, App02, App03), DB (DB01, DB02, DB03); HR-Web01 is placed in uSeg EPG HR-Web with criterion Attribute (VM name contains HR), Sales-Web01 in uSeg EPG Sales-Web with criterion Attribute (VM name contains Sales), and traffic between the two is blocked (X)]
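As an added example (not from the lab), the Python below simulates the classification rules the deck states across the Endpoint Attributes table, the multiple-attribute slide and both use cases: an endpoint must first be known in a base EPG, a uSeg EPG applies only in the same BD, any one matching criterion selects the uSeg EPG, and when several uSeg EPGs match, the one whose matching attribute ranks higher in the attribute table wins. The endpoints, the VM MACs, the uSeg names MyDB/Quarantine/Win/HR-Web and the tie-break on equal rank (first defined wins) are the author's assumptions.

```python
"""Model how a leaf places an endpoint into a uSeg EPG, following the
rules this deck states. Added example, not Cisco code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Order of the deck's "Attributes w/ Precedence" table: lower index wins.
PRECEDENCE = ["mac", "ip", "vnic", "vm-id", "vm-name", "hypervisor",
              "vmm-domain", "datacenter", "custom", "guest-os"]


@dataclass
class Endpoint:
    name: str
    bd: str                      # bridge domain the endpoint was learned in
    base_epg: Optional[str]      # None = not yet known to any base EPG
    mac: str
    ip: str
    vm: dict = field(default_factory=dict)   # VM attributes, e.g. {"guest-os": "Ubuntu"}


@dataclass
class Criterion:
    attr: str    # one of PRECEDENCE
    op: str      # equals | contains | startsWith | endsWith (ignored for mac/ip)
    value: str   # for "ip" a host address or a prefix such as 10.10.1.0/24


@dataclass
class USegEPG:
    name: str
    bd: str
    criteria: List[Criterion]    # matched with "any" semantics, as the deck states


def matches(c: Criterion, ep: Endpoint) -> bool:
    """True if a single criterion matches the endpoint."""
    if c.attr == "mac":
        return ep.mac.lower() == c.value.lower()
    if c.attr == "ip":
        # a bare host address becomes a /32 network, a prefix stays a subnet
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(c.value, strict=False)
    actual = ep.vm.get(c.attr)
    if actual is None:
        return False
    ops = {
        "equals": actual == c.value,
        "contains": c.value in actual,
        "startsWith": actual.startswith(c.value),
        "endsWith": actual.endswith(c.value),
    }
    if c.op not in ops:
        raise ValueError(f"unknown operator {c.op!r}")
    return ops[c.op]


def classify(ep: Endpoint, usegs: List[USegEPG]) -> Optional[str]:
    """Name of the EPG the endpoint lands in: the winning uSeg EPG, else its
    base EPG, or None if it was never learned in a base EPG."""
    if ep.base_epg is None:
        return None
    best = None   # (rank of the best matching attribute, definition order, name)
    for order, u in enumerate(usegs):
        if u.bd != ep.bd:
            continue   # uSeg EPG and base EPG must associate with the same BD
        ranks = [PRECEDENCE.index(c.attr) for c in u.criteria if matches(c, ep)]
        if ranks:      # "any" semantics: one matching criterion is enough
            cand = (min(ranks), order, u.name)
            if best is None or cand < best:
                best = cand
    return best[2] if best else ep.base_epg


# Constructed sample data (names and addresses borrowed from the deck's figures,
# VM MACs made up). ASSUMED: MyDB selects by MAC, Quarantine by VM name.
USEGS = [
    USegEPG("UBUNTU", "BD1", [Criterion("guest-os", "equals", "Ubuntu")]),
    USegEPG("MyDB", "BD1", [Criterion("mac", "equals", "f4:5c:89:b2:bf:cb")]),
    USegEPG("Quarantine", "BD1", [Criterion("vm-name", "equals", "VM-01")]),
    USegEPG("Win", "BD1", [Criterion("guest-os", "equals", "Windows")]),
    USegEPG("HR-Web", "BD1", [Criterion("vm-name", "contains", "HR")]),
]
UBUNTU_01 = Endpoint("ubuntu-01", "BD1", "GREEN", "00:50:56:00:00:01", "192.168.1.11", {"guest-os": "Ubuntu"})
CENTOS_01 = Endpoint("centos-01", "BD1", "GREEN", "00:50:56:00:00:02", "192.168.1.12", {"guest-os": "CentOS"})
BM_01 = Endpoint("BM-01", "BD1", "GREEN", "f4:5c:89:b2:bf:cb", "10.10.10.11")
# VM-01 matches UBUNTU (guest-os, rank 9) and Quarantine (vm-name, rank 4): Quarantine wins.
VM_01 = Endpoint("VM-01", "BD1", "GREEN", "00:50:56:00:00:03", "10.10.10.13",
                 {"guest-os": "Ubuntu", "vm-name": "VM-01"})
# A Windows VM named HR-Web01: vm-name (rank 4) outranks guest-os (rank 9), so HR-Web beats Win.
HR_WEB01 = Endpoint("HR-Web01", "BD1", "web", "00:50:56:00:00:04", "10.10.0.21",
                    {"guest-os": "Windows", "vm-name": "HR-Web01"})
# Same OS, but learned in another BD: the BD1 uSeg EPGs do not apply.
UBUNTU_OTHER_BD = Endpoint("ubuntu-03", "web-app", "web-app", "00:50:56:00:00:05", "10.10.0.31",
                           {"guest-os": "Ubuntu"})
UNKNOWN = Endpoint("stray", "BD1", None, "00:50:56:00:00:06", "192.168.1.99", {"guest-os": "Ubuntu"})

if __name__ == "__main__":
    for ep in (UBUNTU_01, CENTOS_01, BM_01, VM_01, HR_WEB01, UBUNTU_OTHER_BD, UNKNOWN):
        print(f"{ep.name:12} -> {classify(ep, USEGS)}")
```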


Hardware/Software Dependency

[Table: support matrix by platform; column headings not preserved]

Intra EPG Isolation:
• DVS since ACI 1.2(2)
• AVS since ACI 1.3(1)
µSeg EPG with attributes:
• DVS since ACI 1.3(1) with 9300-EX hardware
• AVS since ACI 1.1(1)

Intra EPG Isolation:
• Roadmap
µSeg EPG with attributes:
• Microsoft Virtual Switch since ACI 1.2(1)

Intra EPG Isolation:
• Supported since ACI 1.2(2)
µSeg EPG with attributes:
• Roadmap

Intra EPG Isolation:
• Supported since ACI 1.2(2)
µSeg EPG with attributes:
• IP EPG since ACI 1.2(1) with –E hardware
• MAC EPG since ACI 2.1(1) with –EX hardware


Roadmap

• vSphere Tags for Micro-Segmentation

• Match AND/OR operator for Attributes

• Intra-EPG contracts

• Contract Inheritance

• User-Identity Micro-Segmentation: EPG membership based on AD authentication (Infoblox)

• And more…


Lab Setup and Overview


Overall Lab Topology

• ACI Fabric

• Spine Switches

• Leaf Switches

• APIC Controllers

• Servers/VMs

• Nexus 3K (Bare-Metal)

• CentOS VMs

[Figure: Leaf1 and Leaf2 with the N3K/BM attached; N3K ports e1/1 and e1/3 go to Leaf1 e1/1 and e1/3, N3K ports e1/2 and e1/4 go to Leaf2 e1/1 and e1/3]


Tenant Setup – Pre Lab

Tenant cl-userXX - VRF vrf1 (figure labels: AVS VXLAN, DVS VLAN)

• Bridge Domain mgmt – Subnet 172.16.0.1/24: EPG srv-mgmt, EPG backup-srv (uXX-backup-srv)
• Bridge Domain database – Subnet 30.30.0.1/24: EPG database (uXX-ap1-db, uXX-ap2-db)
• Bridge Domain web-app – Subnet 10.10.0.1/24, Subnet 20.20.0.1/24: EPG web-app (uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app)

*XX = 01 ~ 30 (user ID)


Nexus 3K / Bare-Metal (database)

vrf context cl-uXX-db1
  ip route 0.0.0.0/0 30.30.0.1
vrf context cl-uXX-db2
  ip route 0.0.0.0/0 30.30.0.1
interface Ethernet1/1.36XX
  description "To:leaf101-e1/1, EP:uXX-ap1-db"
  encapsulation dot1q 36XX
  MAC-address 18e7.2800.36XX
  vrf member cl-uXX-db1
  ip address 30.30.0.11/24
interface Ethernet1/2.36XX
  description "To:leaf102-e1/1, EP:uXX-ap2-db"
  encapsulation dot1q 36XX
  MAC-address 18e7.2801.36XX
  vrf member cl-uXX-db2
  ip address 30.30.0.12/24

*XX = 01 ~ 30 (user ID)

[Figure: N3K/BM e1/1 to Leaf1 e1/1 and e1/2 to Leaf2 e1/1 on VLAN 36XX; uXX-ap1-db IP 30.30.0.11/24, MAC 18e7.2800.36XX; uXX-ap2-db IP 30.30.0.12/24, MAC 18e7.2801.36XX; database BD 30.30.0.1/24]


Nexus 3K / Bare-Metal (database-mgmt)

vrf context cl-uXX-mgmt1
  ip route 0.0.0.0/0 172.16.0.1
vrf context cl-uXX-mgmt2
  ip route 0.0.0.0/0 172.16.0.1
interface Ethernet1/3.37XX
  description "To:leaf101-e1/3, EP:uXX-ap1-db-mgmt"
  encapsulation dot1q 37XX
  MAC-address 18e7.2800.37XX
  vrf member cl-uXX-mgmt1
  ip address 172.16.0.15/24
interface Ethernet1/4.37XX
  description "To:leaf102-e1/3, EP:uXX-ap2-db-mgmt"
  encapsulation dot1q 37XX
  MAC-address 18e7.2801.37XX
  vrf member cl-uXX-mgmt2
  ip address 172.16.0.16/24

*XX = 01 ~ 30 (user ID)

[Figure: N3K/BM e1/3 to Leaf1 e1/3 and e1/4 to Leaf2 e1/3 on VLAN 37XX; uXX-ap1-db-mgmt IP 172.16.0.15/24, MAC 18e7.2800.37XX; uXX-ap2-db-mgmt IP 172.16.0.16/24, MAC 18e7.2801.37XX; mgmt BD 172.16.0.1/24]


Lab 1 – Intra EPG Isolation

[Figure: Before / After. Tenant cl-userXX - VRF vrf1, Bridge Domain mgmt – Subnet: 172.16.0.1/24. EPG srv-mgmt: uXX-ap1-db, uXX-ap2-db, uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app (172.16.0.11/24 to 172.16.0.16/24); EPG backup-srv: uXX-backup-srv (172.16.0.254/24). The EPG layout is the same before and after.]


Lab 2 – MAC Based EPG with BareMetal

[Figure: Before / After. Tenant cl-userXX - VRF vrf1. Bridge Domain web-app – Subnet: 10.10.0.1/24, 20.20.0.1/24, EPG web-app: uXX-ap1-web 10.10.0.11/24, uXX-ap2-web 10.10.0.12/24, uXX-ap1-app 20.20.0.11/24, uXX-ap2-app 20.20.0.12/24 (unchanged). Bridge Domain database – Subnet: 30.30.0.1/24. Before: EPG database holds uXX-ap1-db 30.30.0.11/24 (MAC 18e7.2800.36XX) and uXX-ap2-db 30.30.0.12/24 (MAC 18e7.2801.36XX). After: uEPG ap1-db holds uXX-ap1-db (MAC 18e7.2800.36XX) and uEPG ap2-db holds uXX-ap2-db (MAC 18e7.2801.36XX).]


Lab 3 – VM-Attribute based EPG with DVS

LTRACI-2800

Before (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  EPG web-app: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24 (DVS VLAN); uXX-ap2-web 10.10.0.12/24, uXX-ap2-app 20.20.0.12/24 (AVS VXLAN)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)

After (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  uEPG ap1-webapp: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24 (DVS VLAN)

  EPG web-app: uXX-ap2-web 10.10.0.12/24, uXX-ap2-app 20.20.0.12/24 (AVS VXLAN)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)


Lab 4 – VM-Attribute based EPG with AVS


Before (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  uEPG ap1-webapp: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24 (DVS VLAN)

  EPG web-app: uXX-ap2-web 10.10.0.12/24, uXX-ap2-app 20.20.0.12/24 (AVS VXLAN)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)

After (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  uEPG ap1-webapp: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24 (DVS VLAN)

  uEPG ap2-web: uXX-ap2-web 10.10.0.12/24 (AVS VXLAN, DFW)

  uEPG ap2-app: uXX-ap2-app 20.20.0.12/24 (AVS VXLAN, DFW)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)


Lab 5 – Quarantine a malicious VM


Before (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  uEPG ap1-webapp: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24 (DVS VLAN)

  uEPG ap2-web: uXX-ap2-web 10.10.0.12/24 (AVS VXLAN, DFW)

  uEPG ap2-app: uXX-ap2-app 20.20.0.12/24 (AVS VXLAN, DFW)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)

After (diagram): Tenant cl-userXX - VRF vrf1

• Bridge Domain web-app (Subnet: 10.10.0.1/24, 20.20.0.1/24)

  uEPG ap1-webapp: no members

  uEPG Quarantine: uXX-ap1-app 20.20.0.11/24, uXX-ap1-web 10.10.0.11/24 (DVS VLAN)

  uEPG ap2-web: uXX-ap2-web 10.10.0.12/24 (AVS VXLAN, DFW)

  uEPG ap2-app: uXX-ap2-app 20.20.0.12/24 (AVS VXLAN, DFW)

• Bridge Domain database (Subnet: 30.30.0.1/24)

  uEPG ap1-db: uXX-ap1-db 30.30.0.11/24 (MAC: 18e7.2800.36XX)

  uEPG ap2-db: uXX-ap2-db 30.30.0.12/24 (MAC: 18e7.2801.36XX)


Lab Access

• VPN: 173.36.208.70

• Username: cl-userXX

• Password: ciscolive.2017


Remote Desktop


Tools available on the Remote Desktop:

• Command Prompt

• Chrome

• Firefox

• PuTTY

Remote Desktop host: 155.78.120.12, username [email protected], password ciscolive.2017


Lab Guide

• URL - http://ltraci-2800.lab.test.local


Lab Access Information

Device          IP Addresses                                   Username                Password
VPN             173.36.208.70                                  cl-userXX               ciscolive.2017
Remote Desktop  155.78.120.12                                  [email protected]       ciscolive.2017
APIC1           172.21.208.173                                 admin                   ciscolive.2017
APIC2           172.21.208.174                                 admin                   ciscolive.2017
APIC3           172.21.208.175                                 admin                   ciscolive.2017
ESXi Host       172.21.208.187                                 -                       -
Nexus 3K        172.21.208.178                                 useg                    ciscolive.2017
VMs             See lab guide                                  root                    ciscolive.2017

VMs covered by the last row: uXX-backup-srv, uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app.


Access Tenant


Keyboard in RDP


Lab Time


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• LABACI-1234: ACI Micro-Segmentation Lab

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

• BRKACI-2301: Practical Applications of Cisco ACI Micro Segmentation

• TECSEC-2404: ACI Security


Q & A


Thank You
