Q&A: Visibility and Security in Cisco ACI Environments
The deployment of applications in today’s data center is rapidly changing. There are challenges to getting these applications up and running efficiently. And the pressure is on because these applications drive our businesses. As organizations explore different network models, it is also time to think about the impact on the network visibility infrastructure. Being able to access traffic to provide insights on security and performance will help application developers and network infrastructure teams support the business.
One of APCON’s solutions engineers discusses Cisco ACI, and how to ensure complete network visibility in this spine-and-leaf architecture.
What is Cisco ACI?
Cisco ACI (Application Centric Infrastructure) uses an application-centric group-based policy model to control network behavior. It uses a Software Defined Network (SDN) type of open framework to provide flexibility for developers to control network resources through application programming interfaces (APIs).
Why are organizations deploying an ACI network architecture?
SDN brings an openness and flexibility to a data center’s network infrastructure. ACI goes a step beyond the SDN concept by integrating the application requirements with the infrastructure layer configuration. Developers can quickly deploy a container or virtual machine (VM) associated with an existing policy profile without worrying about the networking layer. Cisco’s Nexus platforms are commonly used in data centers today, so network engineers are already familiar with them. Now with ACI, network engineers will need to familiarize themselves with the Application Policy Infrastructure Controller (APIC) and logical constructs like Application Network Profiles and Endpoint Groups (EPGs).
Are there any network visibility impacts?
ACI is a full-mesh spine-and-leaf fabric. It uses an underlay and overlay architecture to enable equal-cost multi-path forwarding and host mobility. It allows engineers to program the network and deploy applications according to their requirements. ACI also expands the SPAN feature to mirror traffic based on a logical policy group using ERSPAN type 1 and 2 encapsulation. Most of the Layer 4-7 tools won’t be able to decode those types of headers. In addition, ACI normalizes all network traffic in the fabric by stripping existing overlay encapsulations and adding fabric-specific VXLAN headers to packets on the ingress leaf.
What are the critical items for network and security teams to consider when it comes to monitoring traffic in an ACI environment?
The fundamentals of network monitoring are still there. Network engineers still need visibility into their data centers so they can proactively identify any potential issues and threats. With ACI environments, network engineers may need to monitor not only the overlay VXLAN traffic in the fabric, but also the east-west traffic below the leafs.
To support monitoring the east-west traffic between hosts and VMs, ACI provides virtual SPANs to direct traffic from a virtualized host to Layer 4-7 tools. There could also be many VMs in a host, so it’s important to have the capability to aggregate these SPANs to one or many Layer 4-7 tools. With real-time data, network engineers can forecast future network growth.
How does APCON help?
Now more than ever, customers need adaptable and scalable network monitoring solutions. APCON’s family of network visibility solutions improves security and optimizes the security and monitoring tools’ efficiency for ACI network environments. With APCON’s IntellaFlex 40G packet aggregation blade with BiDi QSFP support, network engineers can direct traffic directly from the ACI fabric and aggregate it to Layer 4-7 tools either in a many-to-many or many-to-one ratio, or to an APCON network visibility platform. One of the benefits of this visibility platform is APCON’s HyperEngine packet processor, which can terminate tunneled traffic and send decapsulated packets to the organization’s security or performance tools for efficient analysis. All of APCON’s advanced features like deduplication and filtering are done at line rate, so network teams can view traffic in real time.
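The two answers above make one technical point: a SPAN session out of the ACI fabric arrives at the tool wrapped in ERSPAN (GRE) and, for fabric traffic, a VXLAN header inside that, and a Layer 4-7 tool only becomes useful once those layers are peeled off. The script below is an added example, not APCON's or Cisco's code, showing what that tunnel termination does on the wire: it builds constructed sample frames (a TCP SYN wrapped in VXLAN, then in ERSPAN type II), strips each tunnel layer, and reports the inner 5-tuple a security tool would inspect. It assumes the IANA VXLAN port 4789 and the ERSPAN type I/II layout from the ERSPAN Internet-Draft (GRE protocol type 0x88BE, type II signalled by the GRE sequence bit); ACI's fabric-internal VXLAN variant and ERSPAN type III are not modelled, and all addresses and identifiers are made up for the sample.

```python
import struct

# Wire constants assumed by this example (standard values, not taken from the APCON page).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_UDP = 17
IPPROTO_GRE = 47
VXLAN_UDP_PORT = 4789        # IANA VXLAN port; ACI's fabric-internal VXLAN variant is not modelled here
GRE_PROTO_ERSPAN = 0x88BE    # ERSPAN type I and II share this GRE protocol type (type III uses 0x22EB)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header for constructed samples (checksum deliberately left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def ethernet_header(ethertype):
    """Ethernet header with made-up locally administered MACs."""
    return bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + struct.pack("!H", ethertype)


def vxlan_encap(inner, vni):
    """Wrap a frame in outer Ethernet/IPv4/UDP/VXLAN, as a VTEP or an ingress leaf would."""
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)              # I flag set, 24-bit VNI, low byte reserved
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = ipv4_header(b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02", IPPROTO_UDP, udp_len)
    return ethernet_header(ETHERTYPE_IPV4) + ip + udp + vxlan + inner


def erspan2_encap(inner, session_id, vlan, seq):
    """Wrap a mirrored frame in outer Ethernet/IPv4/GRE/ERSPAN type II."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, seq)   # S bit set => sequence field present
    erspan = struct.pack("!HHI", (1 << 12) | (vlan & 0x0FFF),   # Ver=1 | VLAN
                         session_id & 0x03FF,                   # COS=0, En=0, T=0 | Session ID
                         0)                                     # Reserved | Index
    payload = gre + erspan + inner
    ip = ipv4_header(b"\xc0\xa8\x02\x01", b"\xc0\xa8\x02\x02", IPPROTO_GRE, len(payload))
    return ethernet_header(ETHERTYPE_IPV4) + ip + payload


def _l2_payload_offset(frame):
    """Return (ethertype, offset of the L2 payload), skipping one 802.1Q tag if present."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        return struct.unpack_from("!H", frame, 16)[0], 18
    return ethertype, 14


def decapsulate(frame):
    """Strip one tunnel layer. Returns (kind, inner_frame, metadata); kind 'none' means no tunnel found."""
    ethertype, off = _l2_payload_offset(frame)
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return "none", frame, {}
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    p = off + ihl                                    # start of the IPv4 payload
    if proto == IPPROTO_UDP and len(frame) >= p + 16:
        _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, p)
        flags, vni_field = struct.unpack_from("!B3xI", frame, p + 8)
        if dport == VXLAN_UDP_PORT and flags & 0x08:
            return "vxlan", frame[p + 16:], {"vni": vni_field >> 8}
    elif proto == IPPROTO_GRE and len(frame) >= p + 4:
        gre_flags, gre_proto = struct.unpack_from("!HH", frame, p)
        q = p + 4
        if gre_flags & 0x8000:
            q += 4                                   # checksum + reserved1
        if gre_flags & 0x2000:
            q += 4                                   # key
        seq = None
        if gre_flags & 0x1000:
            seq = struct.unpack_from("!I", frame, q)[0]
            q += 4                                   # sequence number
        if gre_proto == GRE_PROTO_ERSPAN:
            if seq is None:                          # type I: mirrored frame follows GRE directly
                return "erspan1", frame[q:], {}
            ver_vlan, cos_en_t_sid, _res_idx = struct.unpack_from("!HHI", frame, q)
            meta = {"version": ver_vlan >> 12, "vlan": ver_vlan & 0x0FFF,
                    "session_id": cos_en_t_sid & 0x03FF, "seq": seq}
            return "erspan2", frame[q + 8:], meta   # type II: 8-byte header precedes the frame
    return "none", frame, {}


def normalize(frame, max_depth=4):
    """Peel tunnels until a plain frame remains (ERSPAN carrying VXLAN, etc.). Returns (layers, inner)."""
    layers = []
    for _ in range(max_depth):
        kind, frame, _meta = decapsulate(frame)
        if kind == "none":
            break
        layers.append(kind)
    return layers, frame


def summarize_inner(frame):
    """What a Layer 4-7 tool sees once the tunnels are gone: the inner IPv4/TCP/UDP tuple."""
    ethertype, off = _l2_payload_offset(frame)
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    out = {"ethertype": ethertype, "proto": proto,
           "src": ".".join(str(b) for b in frame[off + 12:off + 16]),
           "dst": ".".join(str(b) for b in frame[off + 16:off + 20])}
    if proto in (6, 17):                             # TCP or UDP: ports are the first four bytes
        out["sport"], out["dport"] = struct.unpack_from("!HH", frame, off + ihl)
    return out


# Constructed sample: a TCP SYN from 10.0.1.10 to 10.0.2.20:443, the frame a security tool wants to see.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER_FRAME = (ethernet_header(ETHERTYPE_IPV4)
               + ipv4_header(b"\x0a\x00\x01\x0a", b"\x0a\x00\x02\x14", 6, len(TCP_SYN)) + TCP_SYN)
VXLAN_SAMPLE = vxlan_encap(INNER_FRAME, vni=0xABCDE)                       # fabric-encapsulated copy
ERSPAN_SAMPLE = erspan2_encap(VXLAN_SAMPLE, session_id=5, vlan=100, seq=1)  # that copy, as SPANed out
```

Running `normalize(ERSPAN_SAMPLE)` returns the layer list `['erspan2', 'vxlan']` and the original SYN frame, and `summarize_inner` on that frame yields destination port 443; feeding `ERSPAN_SAMPLE` to a tool that lacks this step instead shows only a GRE flow between two fabric addresses, which is exactly the visibility gap the interview describes. Any real packet broker doing this at line rate also has to cope with fragmentation, IPv6 outer headers and malformed tunnels, which this example leaves out.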