Microsegmentation is a security requirement to reduce attack surfaces by minimizing the possibilities for lateral movement in the event of a security breach. With traditional networking technologies, this is very hard to accomplish: devices are categorized by function or criticality and segmented into zones, with network flows controlled only at the zone boundaries. ACI enables a new approach, by allowing degrees of flexibility and automation not possible with traditional network management and operations, making microsegmentation a practical option.
Cisco ACI microsegmentation (uSeg) enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine–based attributes.
Microsegmentation with Cisco ACI supports virtual endpoints attached to the following:
Cisco ACI Virtual Edge
Cisco Application Virtual Switch (AVS)
Microsoft vSwitch
VMware vSphere Distributed Switch (VDS)
Microsegmentation with network-based attributes also supports bare-metal environments.
Note
You can configure microsegmentation with Cisco ACI for physical and virtual endpoints, and you can share the same EPGs for both physical and virtual endpoints.
Microsegmentation using the Cisco ACI involves the Cisco APIC, vCenter, or Microsoft System Center Virtual Machine Manager (SCVMM), and leaf switches. The workflow for microsegmentation using the Cisco ACI Virtual Edge, Cisco AVS, VMware VDS, or Microsoft vSwitch is shown here.
The APIC workflow is as follows:
1. The user configures a VMM domain for the Cisco ACI Virtual Edge, Cisco AVS, VMware VDS, or Microsoft vSwitch in the Cisco APIC.
2. The Cisco APIC connects to vCenter or SCVMM and does the following:
Creates an instance of the Cisco ACI Virtual Edge, Cisco AVS, VMware VDS, or Microsoft vSwitch.
Pulls VM and hypervisor inventory information from the associated VMware vCenter or Microsoft SCVMM.
3. The user creates an application EPG and associates it with a vCenter/SCVMM domain. In each vCenter/SCVMM domain, a new encapsulation is allocated for this application EPG. The application EPG does not have any attributes. The vCenter/SCVMM administrator assigns virtual endpoints to this application EPG—not to any microsegment EPGs. It is the application EPG that appears in vCenter/SCVMM as a port group.
4. The user creates a uSeg EPG and associates it with the VMM domain. The uSeg EPG does not appear in vCenter/SCVMM as a port group; it has a special function:
The uSeg EPG has VM-based attributes to match filter criteria. If a match occurs between the uSeg EPG VM attributes and VMs, the Cisco APIC dynamically assigns the VMs to the uSeg EPG.
The endpoints are transferred from the application EPG to the uSeg EPG. If the uSeg EPG is deleted, the endpoints are assigned back to the application EPG.
The uSeg EPG must be assigned to a VMM domain in order for it to take effect. When you associate the uSeg EPG with a VMM domain, its criteria are applied for that VMM domain only. If you have VMware VDS, you also must assign the uSeg EPG to the same bridge domain as the application EPG; in that case its criteria are applied for that VMM domain and bridge domain.
The leaf switch and the Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch workflow is as follows:
1. The physical leaf switch pulls the attribute policies from the Cisco APIC.
2. The Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch sends a VM attach message to the physical leaf switch using the OpFlex protocol when a VM attaches to the Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch.
3. The physical leaf switch matches the VM against the configured attribute policies for the tenant.
4. If the VM matches the configured VM attributes, the physical leaf switch pushes the uSeg EPG—along with the corresponding encapsulation—to the Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch.
Note that this action does not change the original port-group assignment for the VM in vCenter/SCVMM.
Packet forwarding for the Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch workflow is as follows:
1. When the VM sends the data packets, the Cisco ACI Virtual Edge, Cisco AVS, or Microsoft vSwitch tags the packets using encapsulation corresponding to the uSeg EPG, not the application EPG.
2. The physical leaf hardware sees an attribute-based encapsulated VM packet and matches it with the configured policy.
The VM is dynamically assigned to a uSeg EPG, and the packet is forwarded based on the policy defined for that particular uSeg EPG.
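The following is an added example, not code from Cisco or from this page, that ties together the three workflows above: it builds the APIC JSON body for a uSeg EPG with VM-based attributes (APIC workflow step 4), replays the leaf-side attribute match against a constructed VM inventory (leaf workflow steps 3 and 4), and returns the encapsulation the vSwitch would tag each VM's packets with (packet forwarding step 1). The tenant, application profile, VMM domain, bridge domain, VM names and VLAN encapsulations are invented; the object class names `fvAEPg`, `fvCrtrn`, `fvVmAttr`, `fvRsDomAtt`, `fvRsBd` and the `isAttrBasedEPg` flag follow the APIC object model, while the matching operators are a local re-implementation for illustration, not the switch's own logic. It goes slightly beyond the text by allocating one application-EPG encapsulation per VMM domain (as step 3 of the APIC workflow describes) and by showing that deleting a uSeg EPG returns its endpoints to the application EPG.

```python
import json

# Constructed VMM domain DNs (not from the page).
DOM_PROD = "uni/vmmp-VMware/dom-DVS-Prod"
DOM_TEST = "uni/vmmp-VMware/dom-DVS-Test"


def build_useg_epg(tenant, app_profile, name, bridge_domain, vmm_domain_dn,
                   criteria, match="any"):
    """Return (REST path, JSON body) for creating a uSeg EPG on the APIC.

    criteria is a list of (type, operator, value) tuples such as
    ("vm-name", "contains", "web"). Class names follow the APIC object model;
    all names passed in are assumed/constructed values.
    """
    dn = f"uni/tn-{tenant}/ap-{app_profile}/epg-{name}"
    body = {"fvAEPg": {
        "attributes": {"name": name, "isAttrBasedEPg": "yes"},
        "children": [
            # VDS case: the uSeg EPG must share the application EPG's bridge domain.
            {"fvRsBd": {"attributes": {"tnFvBDName": bridge_domain}}},
            # Criteria only take effect for the VMM domain the EPG is bound to.
            {"fvRsDomAtt": {"attributes": {"tDn": vmm_domain_dn}}},
            {"fvCrtrn": {
                "attributes": {"name": "default", "match": match},
                "children": [{"fvVmAttr": {"attributes": {
                    "name": f"attr{i}", "type": t, "operator": op, "value": v}}}
                    for i, (t, op, v) in enumerate(criteria, 1)],
            }},
        ]}}
    return f"/api/mo/{dn}.json", body


# Local re-implementation of the attribute operators, for illustration only.
OPERATORS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "startsWith": lambda have, want: have.startswith(want),
    "endsWith": lambda have, want: have.endswith(want),
}


def vm_matches(vm, criteria, match="any"):
    """Leaf workflow step 3: test one VM's attributes against a criterion set."""
    hits = [OPERATORS[op](vm.get(attr, ""), val) for attr, op, val in criteria]
    return any(hits) if match == "any" else bool(hits) and all(hits)


def classify(inventory, app_epg, useg_epgs):
    """Map each VM to the (EPG name, encap) its traffic is tagged with.

    A VM stays in the application EPG (its vCenter port group) unless a uSeg
    EPG bound to the same VMM domain matches it. Overlapping uSeg EPGs are
    resolved here by list order; the APIC uses a configured precedence instead.
    """
    placement = {}
    for vm in inventory:
        chosen = (app_epg["name"], app_epg["encap"][vm["vmm_domain"]])
        for useg in useg_epgs:
            if (useg["vmm_domain"] == vm["vmm_domain"]
                    and vm_matches(vm, useg["criteria"], useg.get("match", "any"))):
                chosen = (useg["name"], useg["encap"])  # leaf pushes uSeg EPG + encap
                break
        placement[vm["vm-name"]] = chosen
    return placement


# Constructed inventory, standing in for what the APIC pulls from vCenter.
VM_INVENTORY = [
    {"vm-name": "prod-web-01", "guest-os": "Ubuntu Linux (64-bit)", "vmm_domain": DOM_PROD},
    {"vm-name": "prod-db-01", "guest-os": "Windows Server 2019", "vmm_domain": DOM_PROD},
    {"vm-name": "prod-app-01", "guest-os": "Ubuntu Linux (64-bit)", "vmm_domain": DOM_PROD},
    # Matches the web criterion by name but sits in a domain the uSeg EPG is not bound to.
    {"vm-name": "test-web-99", "guest-os": "Ubuntu Linux (64-bit)", "vmm_domain": DOM_TEST},
]

# Application EPG with one encapsulation allocated per VMM domain (constructed VLANs).
APP_EPG = {"name": "App-Tier", "encap": {DOM_PROD: "vlan-1100", DOM_TEST: "vlan-1300"}}

# uSeg EPGs bound to the production VMM domain only (constructed).
USEG_EPGS = [
    {"name": "uSeg-Web", "encap": "vlan-1201", "vmm_domain": DOM_PROD,
     "criteria": [("vm-name", "contains", "web")]},
    {"name": "uSeg-Win", "encap": "vlan-1202", "vmm_domain": DOM_PROD,
     "criteria": [("guest-os", "startsWith", "Windows")]},
]

if __name__ == "__main__":
    path, body = build_useg_epg("Tenant-A", "AP-Web", "uSeg-Web", "BD-Web",
                                DOM_PROD, USEG_EPGS[0]["criteria"])
    print("POST", path)
    print(json.dumps(body, indent=2))
    before = classify(VM_INVENTORY, APP_EPG, USEG_EPGS)
    after = classify(VM_INVENTORY, APP_EPG, USEG_EPGS[1:])  # uSeg-Web deleted
    for name in before:
        print(f"{name:12} {before[name]} -> {after[name]}")
```

Running it shows `prod-web-01` and `prod-db-01` moved into their uSeg EPGs with the uSeg encapsulation, `prod-app-01` left in the application EPG, and `test-web-99` also left in the application EPG despite the name match, because the uSeg EPG is bound to a different VMM domain; after the web uSeg EPG is removed, `prod-web-01` falls back to the application EPG's encapsulation for its domain.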