
With the increasing determination, creativity, and intelligence of hackers, it is more important than ever to make sure that an organization’s IT systems are adequately protected from viruses, trojans, and other forms of intrusion. Though there are many ways to help ensure the integrity of a network’s security, one very important method of safeguarding sensitive data is through firewall implementation.

A firewall keeps the network, and everything in it, as secure as possible from potential attacks. It does this by analyzing the data passing back and forth in a network and, based on the rules that have been configured, determining whether or not the traffic should be allowed to proceed. It is imperative that every organization include a firewall in its data protection solution. Below are three ways to ensure that the firewall implementation is successful:

  1. Define security needs: Before installing a firewall solution, it is helpful to first define exactly the level of IT network security your organization requires. First, examine any existing solutions and note what currently works, what doesn't work, and what areas need to be improved. Next, ask the IT department for information about data transactions within your company's network: where are the weak links and what are the most sensitive areas needing protection? Also determine all points of access that need to be secured using endpoint protection. Finally, because it is likely that no single solution will meet all your needs, prioritize the list into critical and non-critical items, and include budgetary constraints. A well-thought-out and detailed internal specification will pave the way to a firewall implementation plan that meets your business's needs.
  2. Research solutions that match the specified needs: Only once a business has defined what it needs from a firewall or managed security service can the process of researching solutions begin. In addition to the services themselves, research every potential IT provider's longevity in the business, history of servicing clients, and all-around stability. Choose a vendor with a reputation for quality firewall implementation and efficient service.
  3. Installation, configuration, and maintenance of the firewalls: Once a vendor has been chosen, the final step in setting up your firewall is the actual implementation. The IT provider you have chosen will install the solution in your environment, covering all of the areas you deemed necessary in your earlier assessment. Post-installation, the firewall will be maintained and upgraded with both manual and automatic updates. Feedback should be provided on a consistent basis to ensure that the firewall implementation is performing as expected.

Firewall implementation is imperative for all businesses to protect the sensitive data of their clients, vendors, and employees. A carefully laid out plan involving both your organization’s internal IT team and the IT firewall provider will ensure that your business is successful in meeting its security needs. 

In between the spine and leaf devices is an IP network (layer 3) that uses an optimized IS-IS routing protocol as of the first release. Other routing protocols may be added in future releases, but the administrator will not need to do much with this, as it is all handled behind the scenes. Since this is all layer 3, there is no need for Spanning Tree Protocol, which we have all had problems with over the past several years. Though STP addressed the problem of broadcast storms, it could also slow the network down and took a lot of time to plan properly. Adding or removing network switches could create problems with STP as well. These concerns no longer exist with ACI.

Hosts, or EndPoints, of all kinds (network devices, physical servers, virtual servers, etc.) are then connected to the leaf ports, never the spine ports. Both the spine and leaf nodes consist of Cisco Nexus 9000 series switches, though there are ways to integrate other Nexus switches to migrate from your current network to this new ACI model.

Application Policy Infrastructure Controller

ACI uses what Cisco calls an APIC, or Application Policy Infrastructure Controller, to implement the ACI model. Currently the APIC is a hardware appliance that is essentially a UCS C220 M3 with a locked-down, fully encrypted image. At least three APICs are required to ensure high availability, but more can be added for scalability. The APIC provides a Web UI for admins to configure the various constructs that go into creating the ACI network. All of the packet forwarding is handled by the Nexus switches, as that is what they do best. Configuration and telemetry are handled by the APIC, but the APIC does not handle the actual traffic. Within the APIC we can create policies, EndPoint Groups, Contracts, Application Network Profiles, and tenants, among other things. So let's dive into what some of those configurations do.

Policy Model

ACI uses a white-list policy model, which means that no packets are allowed to flow between applications until that traffic has been specifically permitted. In ACI we can set up EndPoint Groups (EPGs) for basically any construct, such as applications, virtual port groups, VLANs, etc. Generally we would set these up to accommodate the 3-tier app model found in many data centers. The 3-tier app usually consists of a web tier, an application tier, and a database tier. Each tier of each application may contain many virtual machines and physical machines. After EPGs are set up we can create policies to allow certain kinds of traffic to flow between them. For example, if we wanted to allow bi-directional access between the database and app tiers for certain traffic we can do that, unlike with access control lists, which only offer unidirectional permissions. Of course, access can also be limited to a single direction.

Service Graphs

Sometimes there is still a need for more traditional network hardware and software in the traffic flow as well. For example, we may need load balancers, firewalls, or even some sort of anti-virus or other security solution between our tiers. Using a new protocol called OpFlex (as well as device packages), we are able to take advantage of the declarative model referred to above with all sorts of Cisco and third-party applications and appliances. This makes it easy to insert security services between tiers and to create constructs that can be copied and modified, which in turn makes automation more practical.

Application Network Profile

After we’ve set up EPGs, policies, and service graphs we create Contracts between the tiers. The EPGs will act as either a provider or consumer of these contracts which essentially connect the policies to the tiers with which they should be associated. All of this comes together to become an Application Network Profile. This Application Network Profile can provide us with not only layered security, but again reusable constructs that administrators can apply anywhere within the network.


To provide even more micro-segmentation within the ACI model we can assign EPGs to tenants if we like. Multi-tenancy provides complete isolation between tenants. Tenants can be divided however you see fit. For example, you could keep dev/qa in a totally separate tenant from production. The great advantage of this approach is that tenants can be configured to be identical: we can copy the Application Network Profiles from our dev tenant and apply them to our production tenant within a couple of clicks. Of course, we can also separate departments, customers, etc.
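The white-list policy model, the provider/consumer contracts, and the tenant isolation described above can be captured in a small simulation. This is an added example and not code from the article or from Cisco; the class and field names are our own simplified model, not the APIC object schema, and the port numbers are constructed sample values.

```python
import copy
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:                 # one permitted flow: protocol plus destination port
    proto: str
    dport: int

@dataclass
class Contract:
    filters: frozenset
    bidirectional: bool = False   # also allow provider -> consumer flows

@dataclass
class EPG:
    provides: set = field(default_factory=set)   # names of contracts provided
    consumes: set = field(default_factory=set)   # names of contracts consumed

@dataclass
class AppProfile:             # Application Network Profile: EPGs plus contracts
    epgs: dict
    contracts: dict

def three_tier_profile():
    """Constructed sample: web -> app over HTTP (one way); app <-> db (both ways)."""
    return AppProfile(
        epgs={"web": EPG(consumes={"app-http"}),
              "app": EPG(provides={"app-http"}, consumes={"db-sql"}),
              "db":  EPG(provides={"db-sql"})},
        contracts={"app-http": Contract(frozenset({Filter("tcp", 8080)})),
                   "db-sql":   Contract(frozenset({Filter("tcp", 5432)}),
                                        bidirectional=True)})

def is_allowed(fabric, src, dst, proto, dport):
    """fabric: {tenant: {profile: AppProfile}}; src/dst: (tenant, profile, epg).
    Default is deny: a flow passes only if a contract explicitly matches it.
    Contracts are looked up in the source EPG's profile (simplification)."""
    if src[0] != dst[0]:                  # tenants are completely isolated
        return False
    profiles = fabric[src[0]]
    s, d = profiles[src[1]].epgs[src[2]], profiles[dst[1]].epgs[dst[2]]
    want = Filter(proto, dport)
    for name, c in profiles[src[1]].contracts.items():
        if want not in c.filters:
            continue
        if name in s.consumes and name in d.provides:     # consumer -> provider
            return True
        if c.bidirectional and name in s.provides and name in d.consumes:
            return True                                   # reverse direction
    return False                                          # white-list default

def clone_profile(fabric, src_tenant, dst_tenant, name):
    """Copy an Application Network Profile from one tenant into another."""
    fabric.setdefault(dst_tenant, {})[name] = copy.deepcopy(fabric[src_tenant][name])
```

Note that EPG pairs with no contract (web to db here) are denied even though both sit in the same tenant, and that the cloned profile yields identical decisions in the second tenant while traffic across the tenant boundary stays blocked.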

This is only a small part of what there is to say about Cisco ACI and how it works. ACI not only fulfills the need for network virtualization but also provides hardware abstraction to create a stateless network across the entire data center. This network will make it easier for network administrators to communicate with application administrators, and to build powerful, high-performance networks in less time than traditional networks thanks to automation and repeatable processes.
