Presentation is loading. Please wait.

Presentation is loading. Please wait.

ACI Micro-Segmentation for Hyper-V

Published byGervais Greer Modified over 8 years ago

Similar presentations

Presentation on theme: "ACI Micro-Segmentation for Hyper-V"— Presentation transcript:

1 ACI Micro-Segmentation for Hyper-V

2 Agenda Overview Attribute Details Feature Details VM Attributes
MAC & IP Attributes Troubleshooting

3 Overview

4 Micro-Segmentation Overview
Support for Attribute based EPG / uSeg EPG Support for VM Attributes Support for IP, MAC Attributes uSeg EPG apples to all the endpoints in the Tenant Typical Use Cases Isolate VMs belonging to vulnerable OS Isolate a Malicious VM Create additional security zones

5 Micro-Segmentation Overview (cont.)
Tenant Web App DB VM VM VM Quarantine VM VM VM

6 Attribute Details

7 Attributes Attribute Configuration Resolution at Resolution Event
Guest OS APIC iLeaf VNIC Attach Custom Attributes VM Name VM (id) VNIC (DN) Hypervisor DVS port-group DVS Datacenter Mac Sets vLeaf Packet Received IP Sets

8 Attribute Preference and Support
Precedence VMWare Hyper-V Mac Sets 1 Yes IP Sets 2 VNIC (DN) 3 VM (ID) 4 VM Name 5 Hypervisor 6 Domain (DVS) 7 Datacenter 8 Custom Attribute 9 No Guest OS 10 DVS port-group 11

9 Feature Details

10 Architecture APIC Policy SCVMM Hyper-V Host Push all the attributes
to leaf Policy Enforce VM Attributes on Leaf APIC -> SCVMM - Networks SCVMM -> APIC - Inventory Push MAC & IP Attributes To host APIC Agent Virtual Switch ACI Opflex Agent Enforce MAC & IP Attributes VM VM SCVMM Hyper-V Host

11 VMM Domain and Attribute Based EPG
User has to associate VM attribute based EPG with one or more VMM Domains. A new encapsulation id (VLAN) is allocated for this EPG within each associated VMM domain. Attribute based EPG is NOT pushed as a VMNetwork to SCVMM System automatically changes the Resolution Immediacy to immediate for EPGs which contains data path attributes (IP/Mac) To avoid packet loss as the attributes are applied in packet path

12 APIC Object Model VMM Domain (vmmDomP) EPG (fvAEPg) Contract AEPg
Criterion (fvCrtrn) Subj Filter IP Attribute (fvIPAttr) MAC Attribute (fvMacAttr) VM Attribute (fvVmAttr)

13 VM Attributes

14 Attribute Matching on iLeaf
For attribute matching, iLeaf needs: Information Object Class Pull/Download Event from APIC Encapsulation for EPG compEpPD Opflex Channel up Pulls all compEpPD under controller (compCtrlr) VM inventory for attributes compVm, compVNic, compHv Pulls inventory of all VMs under controller (compCtrlr) Attribute EPG filter rules fvEpCP On receiving compEpPD Pulls all fvEpCP associated with the domain VM Eps associated opflexIDEp On receiving attach from AVS EPG forwarding policy fvEpP Attach when EP matches the attribute

15 Overview EPCP = End Point Criterion Profile
Container for All of the IP and MAC rules. EPP = End Point Profile Table ID = Tenant’s 64 bit representation in the AVS context. EPPDN = EPP domain name VM Attr EPG: Dynamic EPG based on VM attributes provided by the config path (ie APIC enforced) IP/MAC Attr EPG: Dynamic EPG based on IP/MAC attributes applied by evaluating the packets in datapath.(ie vLeaf enforced).

16 MAC / IP Attributes

17 iLeaf Object Model To match MAC & IP Attributes these objects should be present on iLeaf These objects are downloaded on Hyper-V host from Opflex Agent Opflex Scope Cont (opflexScopeCont) IDEP (opflexIDEp) Opflex EpCP (opflexEpCPDefRef) IDEP Scope Cont (opflexIDEpScopeCont) Opflex Criterion (opflexCrtrnDefRef) IDEP Scope (opflexIDEpScope) Opflex IP Attr (opflexIpAttrDefRef) Opflex Mac Attr (opflexMacAttrDefRef)

18 MAC / IP Policy Enforcement
2. Leaf downloads policy APIC iLeaf Send EP Attach Virtual 6. EP Re-attach with new VLAN is initiated 3. Opflex Agent downloads policy Hyper-V host ACI Switch Extension Switch ACI Opflex Agent 4. Opflex Agent pushes policy to Switch Extension VM VM

19 Configuration

20 Create Attribute based EPG
IP>/api/node/mo/.xml <polUni> <fvTenant name=“Test"> <fvCtx name=“Subject"/> <fvBD name=“bd1"> <fvRsCtx tnFvCtxName=“Subject" /> </fvBD> <fvAp name="Portal"> <fvAEPg name="Web”> <fvRsBd tnFvBDName=“bd1" /> <fvRsDomAtt tDn="uni/vmmp-Microsoft/dom-production"/> </fvAEPg> <!-- Attribute based EPG --> <fvAEPg name="VmAttributeEPG"> <fvCrtrn name="default"> <fvVmAttr name="os" type="guest-os" operator="equals" value="windows"/> <fvIpAttr name="ip" ip=" /24"/> <fvMacAttr name="mac" mac=“FE:80:64:C6:43:17"/> </fvCrtrn> </fvAp> </fvTenant> </polUni>

21 Step by Step Troubleshooting

22 Encapsulation for Attribute EPG
Verify vmmEpPD object under vmmDomP

23 Encapsulation for EPG Verify compEpPD on iLeaf

24 VM Inventory On iLeaf Verify compVm

25 Attribute Rules On iLeaf
Verify fvEpCP object on iLeaf One fvEpCP per EPG Contains Attribute definitions

26 Eps Received From Hyper-V Agent
Verify opflex IDEp on iLeaf

Download ppt "ACI Micro-Segmentation for Hyper-V"

Similar presentations

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Network Virtualization Overlay Control Protocol Requirements draft-kreeger-nvo3-overlay-cp-00 Lawrence Kreeger, Dinesh Dutt, Thomas Narten, David Black,

Network Virtualization Overlay Control Protocol Requirements draft-kreeger-nvo3-overlay-cp-00 Lawrence Kreeger, Dinesh Dutt, Thomas Narten, David Black,
Red Corp Blue Subnet1 Blue Subnet3Blue Subnet2 Blue Subnet5 Blue Subnet4 Red Subnet2 Red Subnet1 Blue Sales Net Red HR Net Multitenant.

Red Corp Blue Subnet1 Blue Subnet3Blue Subnet2 Blue Subnet5 Blue Subnet4 Red Subnet2 Red Subnet1 Blue Sales Net Red HR Net Multitenant.
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
Windows Server 2012 On Premises Servers

Windows Server 2012 On Premises Servers
“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.
Must have static IP address pool and VLANs for Provider Address (PA) network – network on which NVGRE encapsulated packets are sent All subnets.

Must have static IP address pool and VLANs for Provider Address (PA) network – network on which NVGRE encapsulated packets are sent All subnets.
1 CCNA 3 v3.1 Module 8. 2 CCNA 3 Module 8 Virtual LANS (VLANS)

1 CCNA 3 v3.1 Module 8. 2 CCNA 3 Module 8 Virtual LANS (VLANS)
An Overview of Software-Defined Network

An Overview of Software-Defined Network
Networking in VMware Workstation 8

Networking in VMware Workstation 8
Secure Cloud Computing with Virtualized Network Infrastructure HotCloud 10 By Xuanran Zong.

Secure Cloud Computing with Virtualized Network Infrastructure HotCloud 10 By Xuanran Zong.
Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.

Microsoft Virtual Academy Module 4 Creating and Configuring Virtual Machine Networks.
Blue CorpRed Corp Blue Subnet1 Blue Subnet3Blue Subnet2 Blue Subnet5 Blue Subnet4 Red Subnet2 Red Subnet1 Blue R&D Net Blue Sales Net.

Blue CorpRed Corp Blue Subnet1 Blue Subnet3Blue Subnet2 Blue Subnet5 Blue Subnet4 Red Subnet2 Red Subnet1 Blue R&D Net Blue Sales Net.
An Overview of Software-Defined Network Presenter: Xitao Wen.

An Overview of Software-Defined Network Presenter: Xitao Wen.
Microsoft delivers a complete datacenter solution with Windows Server 2012 R2 out-of-the-box Cloud OS Development Management Identity Virtualization.

Microsoft delivers a complete datacenter solution with Windows Server 2012 R2 out-of-the-box Cloud OS Development Management Identity Virtualization.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Enable Multi Tenant Clouds Network Virtualization. Dynamic VM Placement. Secure Isolation. … High Scale & Low Cost Datacenters Leverage Hardware. High.

Enable Multi Tenant Clouds Network Virtualization. Dynamic VM Placement. Secure Isolation. … High Scale & Low Cost Datacenters Leverage Hardware. High.
Network Management Microsoft System Center 2012 SP1 Virtual Machine Manager Greg Cusanza Senior Program Manager Microsoft Corporation MGT315.

Network Management Microsoft System Center 2012 SP1 Virtual Machine Manager Greg Cusanza Senior Program Manager Microsoft Corporation MGT315.
Designing Active Directory Child Domain Sainath K.E.V Directory Services MVP 5/Aug/2015.

Designing Active Directory Child Domain Sainath K.E.V Directory Services MVP 5/Aug/2015.
Data Center Network Redesign using SDN

Data Center Network Redesign using SDN

Similar presentations

Ads by Google