ACI Micro-Segmentation for Hyper-V

Agenda
- Overview
- Attribute Details
- Feature Details
- VM Attributes
- MAC & IP Attributes
- Troubleshooting

Overview

Micro-Segmentation Overview
- Support for attribute-based EPGs (uSeg EPGs)
- Support for VM attributes
- Support for IP and MAC attributes
- A uSeg EPG applies to all endpoints in the tenant
- Typical use cases:
  - Isolate VMs running a vulnerable guest OS (on Hyper-V, where the Guest OS attribute is not available, this is done with VM name, MAC or IP attributes)
  - Isolate a malicious VM
  - Create additional security zones

Micro-Segmentation Overview (cont.)

Figure: a tenant with Web, App and DB EPGs, each containing VMs, plus a Quarantine uSeg EPG holding the VMs that have been isolated from them.

Attribute Details

Attributes

Attribute          Configuration  Resolution at  Resolution event
Guest OS           APIC           iLeaf          VNIC attach
Custom attributes  APIC           iLeaf          VNIC attach
VM name            APIC           iLeaf          VNIC attach
VM (id)            APIC           iLeaf          VNIC attach
VNIC (DN)          APIC           iLeaf          VNIC attach
Hypervisor         APIC           iLeaf          VNIC attach
DVS port-group     APIC           iLeaf          VNIC attach
DVS                APIC           iLeaf          VNIC attach
Datacenter         APIC           iLeaf          VNIC attach
MAC sets           APIC           vLeaf          Packet received
IP sets            APIC           vLeaf          Packet received

Attribute Preference and Support

When an endpoint matches more than one uSeg EPG, the attribute with the lower precedence number wins.

Attribute          Precedence  VMware  Hyper-V
MAC sets           1           Yes     Yes
IP sets            2           Yes     Yes
VNIC (DN)          3           Yes     Yes
VM (ID)            4           Yes     Yes
VM name            5           Yes     Yes
Hypervisor         6           Yes     Yes
Domain (DVS)       7           Yes     Yes
Datacenter         8           Yes     Yes
Custom attribute   9           Yes     No
Guest OS           10          Yes     No
DVS port-group     11          Yes     No
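The precedence table is easiest to reason about with an endpoint that matches several uSeg EPGs at once. The following is an added example, not code from the original deck or from Cisco: it classifies constructed endpoints against two constructed uSeg EPGs using the precedence and Hyper-V support columns above, and reports where the Attributes slide says the winning match is resolved. Matching is simplified (exact match, IP attributes match by subnet, a criterion matches when any one of its attributes matches); real APIC criteria also carry operators and match-any/match-all settings, and the short attribute keys are this example's names for the slide's rows, not APIC type strings.

```python
"""Added example: classify an endpoint against several uSeg EPGs using the
attribute precedence from the slide. Not Cisco code; matching semantics are
simplified (exact match, IP by subnet, any attribute in a criterion matches)."""
import ipaddress

# (precedence, supported on Hyper-V) per the slide; a lower number wins when an
# endpoint matches more than one uSeg EPG. Keys are this example's own labels.
PRECEDENCE = {
    "mac": (1, True), "ip": (2, True), "vnic": (3, True), "vm-id": (4, True),
    "vm-name": (5, True), "hv": (6, True), "domain": (7, True),
    "datacenter": (8, True), "custom-label": (9, False), "guest-os": (10, False),
    "dvs-portgroup": (11, False),
}
# The Attributes slide resolves MAC and IP sets on the vLeaf when a packet is
# received; every other attribute is resolved on the iLeaf at VNIC attach.
DATAPATH_ATTRS = {"mac", "ip"}


def unsupported_attributes(useg_epgs, hypervisor="hyper-v"):
    """List attribute types used in useg_epgs that the slide marks 'No' for Hyper-V."""
    if hypervisor != "hyper-v":
        return []
    return sorted({attr for criteria in useg_epgs.values()
                   for attr, _ in criteria if not PRECEDENCE[attr][1]})


def attr_matches(attr, value, endpoint):
    """Exact match, except IP attributes which match when the endpoint IP is in the subnet."""
    ep_value = endpoint.get(attr)
    if ep_value is None:
        return False
    if attr == "ip":
        return ipaddress.ip_address(ep_value) in ipaddress.ip_network(value, strict=False)
    return str(ep_value).lower() == str(value).lower()  # MACs compare case-insensitively


def classify(endpoint, useg_epgs, hypervisor="hyper-v"):
    """Return (epg, winning_attribute, where_enforced), or None if no uSeg EPG matches.

    useg_epgs maps an EPG name to a list of (attribute_type, value) pairs.
    Raises ValueError if a criterion uses an attribute the hypervisor does not support.
    """
    bad = unsupported_attributes(useg_epgs, hypervisor)
    if bad:
        raise ValueError(f"attribute types not supported on {hypervisor}: {bad}")
    best = None  # (precedence, epg, attr)
    for epg, criteria in useg_epgs.items():
        for attr, value in criteria:
            if attr_matches(attr, value, endpoint):
                rank = PRECEDENCE[attr][0]
                if best is None or rank < best[0]:
                    best = (rank, epg, attr)
    if best is None:
        return None
    _, epg, attr = best
    where = "vLeaf (packet received)" if attr in DATAPATH_ATTRS else "iLeaf (VNIC attach)"
    return epg, attr, where


# Constructed sample policy and inventory (not real data).
USEG_EPGS = {
    "Quarantine": [("mac", "FE:80:64:C6:43:17")],
    "WebTier": [("ip", "10.10.10.0/24"), ("vm-name", "web01")],
}
ENDPOINTS = {
    "web01": {"mac": "fe:80:64:c6:43:17", "ip": "10.10.10.5", "vm-name": "web01"},
    "web02": {"mac": "00:15:5d:01:02:03", "ip": "10.10.10.6", "vm-name": "web02"},
    "web01-dr": {"mac": "00:15:5d:01:02:04", "ip": "10.20.0.9", "vm-name": "web01"},
    "db01": {"mac": "00:15:5d:01:02:05", "ip": "192.168.1.1", "vm-name": "db01"},
}

if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(name, "->", classify(ep, USEG_EPGS))
```

web01 matches both EPGs, but lands in Quarantine because the MAC attribute (precedence 1) outranks the IP attribute (precedence 2); web01-dr matches WebTier only by VM name, so its classification happens on the iLeaf at VNIC attach rather than in the data path.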

Feature Details

Architecture

Figure: APIC (policy), SCVMM, a leaf, and a Hyper-V host running the ACI virtual switch and the ACI OpFlex agent with its VMs; an APIC agent also appears. The flows shown are:
- APIC -> SCVMM: networks. SCVMM -> APIC: inventory.
- APIC pushes all attributes to the leaf; the leaf enforces policy for VM attributes.
- APIC pushes MAC and IP attributes to the host; the OpFlex agent programs the virtual switch, which enforces the MAC and IP attributes.

VMM Domain and Attribute-Based EPG
- The user must associate a VM-attribute-based EPG with one or more VMM domains.
- A new encapsulation ID (VLAN) is allocated for the EPG within each associated VMM domain.
- An attribute-based EPG is NOT pushed to SCVMM as a VM Network.
- For EPGs that contain data-path attributes (IP/MAC), the system automatically changes Resolution Immediacy to Immediate. This avoids packet loss, since these attributes are applied in the packet path.

APIC Object Model
- VMM domain: vmmDomP
- EPG: fvAEPg, with its contracts, subjects and filters as for any EPG
- Criterion: fvCrtrn, child of the fvAEPg, containing
  - IP attribute: fvIpAttr
  - MAC attribute: fvMacAttr
  - VM attribute: fvVmAttr

VM Attributes

Attribute Matching on iLeaf

For attribute matching the iLeaf needs the following information (object class, and the event on which it is pulled or downloaded from APIC):
- Encapsulation for the EPG: compEpPD. When the OpFlex channel comes up, pulls all compEpPD under the controller (compCtrlr).
- VM inventory for attributes: compVm, compVNic, compHv. Pulls the inventory of all VMs under the controller (compCtrlr).
- Attribute EPG filter rules: fvEpCP. On receiving a compEpPD, pulls all fvEpCP associated with the domain.
- VM EPs associated: opflexIDEp. On receiving an attach from AVS.
- EPG forwarding policy: fvEpP. Attached when the EP matches the attribute.

Overview
- EPCP (End Point Criterion Profile): container for all of the IP and MAC rules.
- EPP (End Point Profile).
- Table ID: the tenant's 64-bit representation in the AVS context.
- EPPDN: EPP domain name.
- VM-attribute EPG: dynamic EPG based on VM attributes provided through the config path (i.e. APIC enforced).
- IP/MAC-attribute EPG: dynamic EPG based on IP/MAC attributes applied by evaluating packets in the data path (i.e. vLeaf enforced).

MAC / IP Attributes

iLeaf Object Model

To match MAC and IP attributes, the following objects must be present on the iLeaf; they are downloaded to the Hyper-V host by the OpFlex agent:
- opflexScopeCont (OpFlex scope container)
- opflexIDEp (IDEP)
- opflexEpCPDefRef (OpFlex EpCP)
- opflexIDEpScopeCont (IDEP scope container)
- opflexCrtrnDefRef (OpFlex criterion)
- opflexIDEpScope (IDEP scope)
- opflexIpAttrDefRef (OpFlex IP attribute)
- opflexMacAttrDefRef (OpFlex MAC attribute)

MAC / IP Policy Enforcement

Figure: APIC, iLeaf, and a Hyper-V host running the ACI switch extension and the ACI OpFlex agent with two VMs. Step labels legible on the figure (the virtual switch sends an EP attach to the iLeaf; steps 1 and 5 are not legible):
2. The leaf downloads policy from APIC.
3. The OpFlex agent downloads policy.
4. The OpFlex agent pushes policy to the switch extension.
6. An EP re-attach with the new VLAN is initiated.

Configuration

Create an Attribute-Based EPG

POST to http://<IFC IP>/api/node/mo/.xml (IFC is the slide's name for the APIC):

    <polUni>
      <fvTenant name="Test">
        <fvCtx name="Subject"/>
        <fvBD name="bd1">
          <fvRsCtx tnFvCtxName="Subject"/>
        </fvBD>
        <fvAp name="Portal">
          <fvAEPg name="Web">
            <fvRsBd tnFvBDName="bd1"/>
            <fvRsDomAtt tDn="uni/vmmp-Microsoft/dom-production"/>
          </fvAEPg>
          <!-- Attribute-based EPG -->
          <fvAEPg name="VmAttributeEPG">
            <!-- BD and VMM-domain association: required, see the VMM Domain slide -->
            <fvRsBd tnFvBDName="bd1"/>
            <fvRsDomAtt tDn="uni/vmmp-Microsoft/dom-production"/>
            <fvCrtrn name="default">
              <fvVmAttr name="os" type="guest-os" operator="equals" value="windows"/>
              <fvIpAttr name="ip" ip="10.10.10.0/24"/>
              <fvMacAttr name="mac" mac="FE:80:64:C6:43:17"/>
            </fvCrtrn>
          </fvAEPg>
        </fvAp>
      </fvTenant>
    </polUni>

Caveat: the precedence slide lists Guest OS as not supported for Hyper-V, so with a Microsoft VMM domain the guest-os attribute above classifies nothing; the IP and MAC attributes (and VM name, VM id, VNIC, hypervisor, domain and datacenter) are the ones that apply.
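A malformed attribute in this payload (a subnet with host bits set, a truncated MAC, a VM attribute type the hypervisor does not support) is cheap to catch before the POST and expensive to find afterwards, when the EPG simply never classifies the endpoint. The following is an added example, not code from the original deck or from Cisco: it generates the polUni payload for one attribute-based EPG using the element and attribute names from the slide's XML, validates the IP, MAC and VM attributes first, and includes the fvRsBd/fvRsDomAtt associations the VMM Domain slide says the EPG needs. Only "guest-os" is encoded as unsupported on Hyper-V because it is the only VM attribute type string the page shows; anything else an APIC release may require on the EPG is outside what the page shows.

```python
"""Added example: build and validate the APIC XML for an attribute-based
(uSeg) EPG before it is posted. Not code from the original deck or from Cisco;
element and attribute names follow the slide's XML."""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# The precedence slide marks Guest OS unsupported on Hyper-V. Custom attribute
# and DVS port-group are also unsupported there, but the page shows no APIC
# type string for them, so only the one it does show is encoded.
HYPERV_UNSUPPORTED_TYPES = {"guest-os"}


def validate_attributes(ip_subnets, macs, vm_attrs, hypervisor="hyper-v"):
    """Return a list of problems; an empty list means the payload is safe to post."""
    problems = []
    for cidr in ip_subnets:
        try:
            ipaddress.ip_network(cidr, strict=True)  # rejects host bits set and bad syntax
        except ValueError as exc:
            problems.append(f"bad IP attribute {cidr!r}: {exc}")
    for mac in macs:
        if not MAC_RE.match(mac):
            problems.append(f"bad MAC attribute {mac!r}: expected aa:bb:cc:dd:ee:ff")
    for attr_type, _operator, _value in vm_attrs:
        if hypervisor == "hyper-v" and attr_type in HYPERV_UNSUPPORTED_TYPES:
            problems.append(f"VM attribute type {attr_type!r} is not supported for Hyper-V")
    return problems


def build_useg_epg_xml(tenant, ap, epg, bd, vmm_dom_dn,
                       ip_subnets=(), macs=(), vm_attrs=(), hypervisor="hyper-v"):
    """Build the <polUni> payload for one attribute-based EPG, or raise ValueError."""
    problems = validate_attributes(ip_subnets, macs, vm_attrs, hypervisor)
    if problems:
        raise ValueError("; ".join(problems))
    uni = ET.Element("polUni")
    tn = ET.SubElement(uni, "fvTenant", name=tenant)
    app = ET.SubElement(tn, "fvAp", name=ap)
    aepg = ET.SubElement(app, "fvAEPg", name=epg)
    ET.SubElement(aepg, "fvRsBd", tnFvBDName=bd)          # bridge domain
    ET.SubElement(aepg, "fvRsDomAtt", tDn=vmm_dom_dn)    # VMM domain association
    crtrn = ET.SubElement(aepg, "fvCrtrn", name="default")
    for i, cidr in enumerate(ip_subnets):
        ET.SubElement(crtrn, "fvIpAttr", name=f"ip{i}", ip=str(ipaddress.ip_network(cidr)))
    for i, mac in enumerate(macs):
        ET.SubElement(crtrn, "fvMacAttr", name=f"mac{i}", mac=mac.upper())
    for i, (attr_type, operator, value) in enumerate(vm_attrs):
        ET.SubElement(crtrn, "fvVmAttr", name=f"vm{i}",
                      type=attr_type, operator=operator, value=value)
    return ET.tostring(uni, encoding="unicode")


def count_attrs(xml_text):
    """Count the attribute elements in a generated payload (used to check output)."""
    root = ET.fromstring(xml_text)
    return {tag: len(root.findall(f".//{tag}")) for tag in ("fvIpAttr", "fvMacAttr", "fvVmAttr")}


if __name__ == "__main__":
    # Values are the slide's; the domain DN is the one its Web EPG uses.
    print(build_useg_epg_xml("Test", "Portal", "VmAttributeEPG", "bd1",
                             "uni/vmmp-Microsoft/dom-production",
                             ip_subnets=["10.10.10.0/24"], macs=["fe:80:64:c6:43:17"]))
```

The MAC is normalised to upper case and the subnet is re-serialised from ipaddress so the payload is canonical; the same guest-os criterion that is rejected for "hyper-v" is accepted when hypervisor="vmware", matching the support column on the precedence slide.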

Step by Step Troubleshooting

Encapsulation for the attribute EPG: verify the vmmEpPD object under vmmDomP.

Encapsulation for the EPG: verify compEpPD on the iLeaf.

VM inventory on the iLeaf: verify compVm.

Attribute rules on the iLeaf: verify the fvEpCP object (one fvEpCP per EPG; it contains the attribute definitions).

EPs received from the Hyper-V agent: verify opflexIDEp on the iLeaf.