Secure Fabric

Agenda Overview Modes of operation Enabling Strict Mode Authorizing/Rejecting APICs Replacing existing APIC CLI commands Policies Debug Commands

Overview Securing fabric from unauthorized switches/controllers to join the fabric APICs and Switch are factory provisioned with Cisco certified SSL certificates Serial number based Authorization to allow the switches and controllers to join the Fabric −Switch Authorization (Using the existing Node Identity policy) −Controller Authorization (New Controller Identity policy) All communication between Switches and APICs are encrypted except LLDP, DHCP and ISIS

Modes Of Operation Permissive Mode – Default mode of operation −Allows any existing fabrics with invalid SSL certs to operate normally −APICs to Switch communication is encrypted −No serial number based authorization Strict Mode − Enforces serial number based authorization − Controllers and switches are manually authorized to join the fabric − Only Nodes with SSL cert with authorized Serial number are allowed Strict Mode is allowed only when all the nodes in the existing fabric have valid SSL certificates

Enabling Strict Mode All switches need to have valid SSL certificate

Enabling Strict Mode (cont.) All controllers need to have valid SSL certificate

Approving / Rejecting Controller

APIC Authorization Process APIC sends its ID/Serial Number via LLDP to Leaf Leaf puts the APIC connected port in OOS until the APIC is verified Leaf relays the new APIC details to other APICs that are already part of the cluster User Authorizes the APIC Serial Number (Control Identity Policy) Leaf sends a random auth cookie via IFM/SSL to APIC APIC sends the Auth Cookie back via LLDP Leaf marks the port as verified and makes the port in-service and advertises APIC static route via ISIS

CLI Commands

CLI Commands (cont.) Checking APIC connected port status on Leaf

Policies Enabling Strict Mode Authorizing Controller <!-- /api/mo/uni/controller.xml? 