Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption White Paper
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 3 of 29
EPGs. Networks that are external to the fabric are represented as EPGs as well. The fabric controls the communication between different EPGs according to a configured policy set, and the default behavior is to drop all inter-EPG traffic.
● Application profiles describe network parameters, such as subnets and default IP gateways, for service consumers in each EPG. The fabric acts as the default gateway for each subnet, and it can assign IP addresses automatically or rely on the pre-existing addressing scheme. For consumers within the same subnet, the fabric transparently bridges them regardless of the physical location. In addition to supporting agile provisioning and elastic scalability, application profiles help enable unified configuration management.
● Contracts describe the traffic-filter rules and service requirements for network communication between EPGs. Because EPGs are defined at the fabric port level, the contracts allow fine-grained hardware-accelerated policies at the individual application level. Contracts define what flows should be allowed from a given EPG, what network services should apply to these flows, and whether any fabric prioritization is required. For instance, a contract between Web and Database EPGs may allow only backend database connections and force such traffic through external firewall and intrusion prevention system (IPS) services. This layered filtering approach paves the way for simplification of the overall policy set.
● Service graphs (SGs) or service chains are ordered processing sequences of inter-EPG traffic through service nodes based on the established contracts. For each allowed flow in a contract, the associated service graph defines the packet path through the network producers. For instance, the administrator may direct all HTTP traffic on TCP port 80 to traverse a stateful firewall policy, then an IPS and a network analysis device. Service graphs allow for a greater level of device-level rule abstraction and reuse that also supports policy set simplification.
Figure 1 illustrates a fabric view of the network and its physical and virtual devices. Any device attaches to the fabric at any available port at any physical location. The desired topology is created completely by the fabric itself, so scaling can be extremely elastic. All spine nodes connect directly to every leaf node, which brings inherent reliability and network path optimization. Service consumers in a single EPG or subnet can be located anywhere within the topology and still communicate in a completely transparent fashion. Virtual and physical consumers grouped in a single EPG can use both physical and virtualized services from the producers. Additional virtual service producers can be instantiated and retired by the fabric based on immediate network needs, helping to enable the agile provisioning of services. The fabric can intelligently balance flows across multiple service producers even within a single contract and maintain symmetry for stateful devices.