This blog has been developed in association with Javed Asghar, Insieme Business Unit
The Cisco ACI Platform consists of the Cisco APIC controller and Nexus 9000 series switches connected in a spine/leaf topology in a CLOS architecture configuration. All management interfaces (REST API, web GUI and CLI) are authenticated in ACI using AAA services (LDAP, AD, RADIUS, TACACS+) and RBAC policies which maps users to roles and domain.
The ACI fabric is inherently secure because it uses a zero trust model and relies on many layers of security: Here are the highlights:
- All devices attached to the ACI fabric use a HW-based secure keystore:
– All certificates are unique, digitally signed and encrypted at manufacturing time
– The Cisco APIC controllers use Trusted Platform Module (TPM) HW crypto modules
– The Cisco Nexus 9000 series switches use Trust Anchor Module (TAM) to store digitally signed certificates
- During ACI fabric bring-up or while adding a new device to an existing ACI fabric, all devices are authenticated based on their digitally signed certificates and identity information.
- Downloading and image bootup:
– All fabric switch images are digitally signed using RSA-2048 bit private keys
– When the image is loaded onto an ACI fabric device, the signed image must always be verified for its authenticity using hardware rooted Cisco Secure Boot
– Once the verification is complete “only then” the image can be loaded onto the device
- The ACI fabric system architecture completely isolates management vlan, infrastructure vlan and all tenant data-plane traffic from each other. (The Cisco APIC communicates in the infrastructure VLAN (in-band))
- The infrastructure VLAN traffic is fully isolated from all tenant (data-plane) traffic and management vlan traffic.
- All messaging on infrastructure vlan used for bring-up, image management, configuration, monitoring and operation are encrypted using TLS 1.2.
- After a device is fully authenticated, the network admin inspects and approves the device into the ACI fabric.
These are various layers of security built into ACI’s architecture to prevent rogue/tampered device access into the ACI fabric.
Please stay tuned for a blog posting by Praveen Jain (ACI Engineering VP) which will cover the APIC and Fabric security is more detail in coming weeks
Praveen Jain’s recent blogs:
New Innovations for L4-7 Network Services Integration with Cisco’s ACI Approach
Micro-segmentation: Enhancing Security and Operational Simplicity with Cisco ACI
Network Security Considerations
The Cisco Application Policy Infrastructure Controller
Tags: ACI Fabric, ACI Security, ACT2, APIC, Nexus 9000, RSA-2048 encryption
Security continues to be top of mind with our customers and frequently comes up with customers who are evaluating new architectures. I have been in the networking industry for over two decades involved in multi-billion dollar product lines like Catalyst 5K/6K, MDS-9000, Nexus-7K, UCS, and now with Application Centric Infrastructure (ACI). I don’t claim to be a security expert by any means, but have gained good insight into what’s important based on numerous conversations with customers over the years thereby allowing me to write about it with some degree of authority.
That said, security is a very broad topic and there are myriad products in the industry to deal with the various types of attacks that infrastructure and applications are exposed to today. For purposes of this blog, I will focus on the network security aspects and how they intersect with Cisco ACI.
Read More »
Tags: #CiscoACI, @CiscoSecurity
Two weeks ago, in my previous blog, I invited you to consider ways in which you could initiate a “Save to Invest” program for your data center. That is, how can you save money from your current data center spend, in order to re-invest it into currently un- or -under-funded areas of your data center. Thanks to those of you reading who made some comments on Part 1 – good points were raised!
Last time, I discussed my first 3 tips, as follows:
(1) Identify, Turn Off and Remove Idle Servers
(2) Identify Un-used Enterprise Software Applications: Reduce Your Software Costs
(3) Get Rid of Dead Weight – Execute a Server Refresh
Save Some Money for Your Data Center!
Let’s now discuss two additional savings, which in fact can in many cases result in even larger financial savings:
(4) Optimize your Software Licensing, and
(5) Avoid un-budgeted spend – Critical if you have an Unlimited License Agreement (ULA)
Read More »
Tags: application, application portfolio, application rationalization, architecture, asset utilization, Cisco UCS, cost saving, data center, data center modernization, data_center, license management, refresh, simplification, software asset management
Analytics will continue to take center stage as the volume of data generated by embedded systems increases and vast pools of structured and unstructured data within and outside the enterprise are analyzed. — Gartner
Big Data will continue to be important, but it’s critical to first understand how businesses can quickly gather relevant insights from their big data. The value is in unlocking key takeaways from the data because these insights can be used for agile decision-making and faster time-to-market approaches. Discovering better business insights quickly requires the combination of software and hardware that is optimized for speed, scale, and flexibility. And that is exactly what you get when you combine Platfora and Cisco UCS.
When Platfora runs on Cisco UCS, business analysts can find these patterns in minutes or hours rather than months. For example, our joint customer was able to identify exactly what factors impacted their customer experience using the Platfora solution which was deployed in 1/10th the time and cost of traditional approaches.
Platfora enables users to analyze petabytes of data at scale and leverages the latest cutting-edge technologies such as Spark and YARN (MapReduce 2.0). The Platfora end-to-end platform replaces the need for ETL, Data Warehousing, and BI tools. And the combination of Platfora and UCS ensures that there are no performance, scalability, or TCO tradeoffs as we add new data discovery joint use cases. This joint solution is truly designed for enterprise-scale analytics.
Read More »
Tags: BigData, CiscoUCS, data center, ETL, Platfora, Spark, Strata Hadoop, tco, YARN
This June in San Diego, I had the pleasure of meeting Dan Stanton, Trainer and Subject Matter Expert at NterOne, a global IT training and consulting company. Dan shared his challenges to create great digital experiences for NterOne’s students. Dan and his team have to support virtual IT training in many different time zones and must undertake twenty or so dynamic reconfigurations every week. NterOne is like many enterprise customers except they are sped up to a high rate of change.
Dan runs a multi-hypervisor environment which made ACI a perfect match. Please listen to Dan share his use cases and how they positively impact NterOne’s business in the interview below:
For more information and insights into ACI See:
Cisco Application Centric Infrastructure Case Study: NterOne
Getting Started with Cisco Application Centric Infrastructure (ACI) in the Small-to-Midsize Commercial Data Center
Tags: #CiscoACI, ACI, Harry Petty, NterOne