In any operational data center, the two high-level outcome possibilities in the network are connectivity and isolation. If every device can connect to every other device, full connectivity makes networking relatively easy to create, but inherently insecure. If a network fully isolates all forms of traffic, it is unusable.
Between these two extremes of connectivity and isolation exists an optimal balance for any organization.
In this article, we discuss how to achieve that optimal security approach in the data center with Cisco Application Centric Infrastructure, or ACI.
The primary logical component in Cisco ACI to create connectivity or isolation for production data traffic in a Cisco ACI data center is a tenant.
A tenant is purely a logical construct in software, and it is applied to all spines and leaves. A tenant is easy to create and could represent your company, another company, a unique business unit, or even a lab or software-testing environment. By default, all tenants are completely isolated from all other tenants, so computers in different tenants can share the same IP addressing without any concern about duplicate-IP errors.
Deny List vs. Allow List Security Model
Traditional Cisco networking before ACI used a deny list model, which means that if you connect an end device such as a server to a switch, it has full connectivity from the switch. To deny traffic in the deny list model, you must perform an action such as adding an access control list (ACL) to a network device.
Deny List means “do something” to isolate traffic whereas otherwise it would be allowed.
Cisco ACI is always based on an allow list security model. In an allow list model, if you connect an end device to an ACI leaf, there is no connectivity by default. Even a simple ping test from a server to any other server will fail by default until its connectivity is enabled.
An allow list model is in every way more secure than a deny list model: any flow that is forgotten is remembered by ACI and blocked. We can say that in Cisco ACI, “implicit deny is always everywhere.”
Allow List means “do something” to allow traffic whereas otherwise it would be isolated.
Creating an Allow List Model
If an allow list isn’t created in a new ACI installation, then no networking traffic will be allowed for any device connected to any leaf. The entire data center would be unusable.
The first task to create an allow list is to create a tenant. Multiple tenants can exist within an ACI fabric. By default, all tenants are fully isolated from other tenants.
Inside the tenant, create an application profile. Multiple application profiles can exist in any tenant. An application profile should represent actual applications that communicate with each other in the data center. A common three-tiered application example is with web servers, application servers, and databases. The web servers often need to communicate to the application servers, and the application servers need to communicate to the databases.
For each tier of the application, an endpoint group, or EPG, can be created in the application profile. By default, all new endpoints connected to the leaf or leaves have full connectivity to each other if they are in the same EPG.
All devices in one EPG are totally isolated from other EPGs by default unless there is a contract between the EPGs. A contract is like a “virtual cable” in that it is always connected at both ends to two different ACI objects, such as EPGs.
A contract is then logically connected to a filter. A filter is very close to a traditional extended access list, except with no IP addressing. The ACI allow list is not based on IP addressing at all.
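To make the object model above concrete, here is a small policy evaluator for the three-tier example (web, app, database) that applies the allow list rules just described: same-EPG traffic is permitted, cross-EPG traffic needs a contract whose filter matches, everything else is implicitly denied, and tenants never see each other even with overlapping IPs. This is an added illustration, not Cisco or APIC code; the class names, the simplified one-way consumer-to-provider rule (real ACI contracts also handle the return direction) and the sample endpoints are assumptions.

```python
# Toy model of the ACI allow-list objects: tenant, EPG, contract, filter.
# Added example, not Cisco/APIC code; names and the one-way rule are assumptions.
from dataclasses import dataclass, field
from typing import Optional, List, Set, Dict

@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: like an extended ACL line, but with no IP addresses."""
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Contract:                  # the "virtual cable" between consumer and provider EPGs
    name: str
    entries: List[FilterEntry]   # what consumers may send to providers
    providers: Set[str]
    consumers: Set[str]

@dataclass
class Tenant:
    name: str
    epg_of: Dict[str, str] = field(default_factory=dict)   # endpoint -> EPG name
    contracts: List[Contract] = field(default_factory=list)

    def allowed(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Implicit deny everywhere: True only when an explicit rule permits the flow."""
        if src not in self.epg_of or dst not in self.epg_of:
            return False                  # endpoint not placed in any EPG: no connectivity
        s, d = self.epg_of[src], self.epg_of[dst]
        if s == d:
            return True                   # endpoints in the same EPG talk freely by default
        for c in self.contracts:          # cross-EPG traffic needs a contract AND a filter match
            if s in c.consumers and d in c.providers:
                if any(e.proto in ("any", proto) and e.dport in (None, dport) for e in c.entries):
                    return True
        return False

def fabric_allowed(tenants, st, src, dt, dst, proto, dport) -> bool:
    """Tenants are fully isolated, so overlapping IPs in different tenants never meet."""
    return st == dt and tenants[st].allowed(src, dst, proto, dport)

def build_fabric() -> Dict[str, Tenant]:
    """Constructed sample: three-tier 'prod' tenant plus a 'lab' tenant reusing an IP."""
    prod = Tenant("prod")
    for ip, epg in [("10.1.1.10", "web"), ("10.1.1.11", "web"),
                    ("10.1.2.10", "app"), ("10.1.3.10", "db")]:
        prod.epg_of[ip] = epg
    prod.contracts.append(Contract("web-to-app", [FilterEntry("tcp", 8080)], {"app"}, {"web"}))
    prod.contracts.append(Contract("app-to-db", [FilterEntry("tcp", 5432)], {"db"}, {"app"}))
    lab = Tenant("lab")
    lab.epg_of["10.1.1.10"] = "test"      # same IP as prod's web server, no conflict
    return {"prod": prod, "lab": lab}
```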
The easiest allow list possible in ACI would be to create a single tenant, make one application profile, and create one EPG inside it. Then, place every server in the data center into this one EPG. This entire configuration can be created in just a few minutes. While this would be easy to configure, it would be the least secure configuration possible, as all devices have full connectivity to all devices.
On the opposite end of the security spectrum would be to implement full micro-segmentation. This would require every application server to be in its own EPG.
Then the only connectivity allowed between EPGs would be within the filters in the contracts between any chosen EPGs. This approach can get very complex in a large data center but would be exceptionally secure.
It would be fair to say that “easy” and “secure” are opposites in an allow list model like ACI. Most ACI architects choose an ideal and workable position between these two extremes.
The security of accessing any data network grows considerably when Cisco ACI is deployed with a well-architected allow list.
These Global Knowledge Cisco classes provide a comprehensive view of Cisco ACI.
DCACI - Implementing Cisco Application Centric Infrastructure v1.0
Cisco Application Centric Infrastructure Operations and Troubleshooting (DCACIO) v4.2
DCACIA - Implementing Cisco Application Centric Infrastructure – Advanced v1.0
DCAUI - Implementing Automation for Cisco Data Center Solutions v1.1