Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption White Paper

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 3 of 29 
EPGs. Networks that are external to the fabric are represented as EPGs as well. The fabric controls the communication between different EPGs according to a configured policy set, and the default behavior is to drop all inter-EPG traffic.

● Application profiles describe network parameters, such as subnets and default IP gateways, for service consumers in each EPG. The fabric acts as the default gateway for each subnet, and it can assign IP addresses automatically or rely on the pre-existing addressing scheme. For consumers within the same subnet, the fabric transparently bridges them regardless of the physical location. In addition to supporting agile provisioning and elastic scalability, application profiles help enable unified configuration management.

● Contracts describe the traffic-filter rules and service requirements for network communication between EPGs. Because EPGs are defined at the fabric port level, the contracts allow fine-grained hardware-accelerated policies at the individual application level. Contracts define what flows should be allowed from a given EPG, what network services should apply to these flows, and whether any fabric prioritization is required. For instance, a contract between Web and Database EPGs may allow only backend database connections and force such traffic through external firewall and intrusion prevention system (IPS) services. This layered filtering approach paves the way for simplification of the overall policy set.

● Service graphs (SGs) or service chains are ordered processing sequences of inter-EPG traffic through service nodes based on the established contracts. For each allowed flow in a contract, the associated service graph defines the packet path through the network producers. For instance, the administrator may direct all HTTP traffic on TCP port 80 to traverse a stateful firewall policy, then an IPS and a network analysis device. Service graphs allow for a greater level of device-level rule abstraction and reuse that also supports policy set simplification.
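The default-deny EPG model, contracts and service graphs described above, as an added illustrative model that is not Cisco APIC code or its object model: a small Python policy engine in which inter-EPG flows are dropped unless a contract filter matches, and a matching contract yields the ordered service nodes of its graph. The EPG names, TCP port 3306 for the database tier and the service node names are constructed sample values, and contracts are evaluated only in the consumer-to-provider direction.

```python
from dataclasses import dataclass, field

# Constructed illustrative model of EPGs, contracts and service graphs;
# not the APIC object model or any Cisco API.

@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass
class Contract:
    consumer: str                 # EPG that initiates the flow
    provider: str                 # EPG that receives it
    filters: set                  # allowed (proto, dport) pairs
    service_graph: list = field(default_factory=list)  # ordered service nodes

class Fabric:
    """Whitelist policy engine: inter-EPG traffic is dropped unless a contract allows it."""
    def __init__(self, epgs):
        self.epgs = set(epgs)
        self.contracts = []

    def add_contract(self, c):
        if c.consumer not in self.epgs or c.provider not in self.epgs:
            raise ValueError("contract references an unknown EPG")
        self.contracts.append(c)

    def evaluate(self, flow):
        """Return (allowed, path); path lists the service nodes the flow traverses."""
        if flow.src_epg not in self.epgs or flow.dst_epg not in self.epgs:
            return False, []
        if flow.src_epg == flow.dst_epg:
            return True, []   # same EPG: bridged transparently, no contract needed
        for c in self.contracts:
            if (c.consumer, c.provider) == (flow.src_epg, flow.dst_epg) \
                    and (flow.proto, flow.dport) in c.filters:
                return True, list(c.service_graph)
        return False, []      # default behavior: drop all inter-EPG traffic

def demo():
    fabric = Fabric(["Web", "Database", "External"])
    fabric.add_contract(Contract("Web", "Database", {("tcp", 3306)}, ["firewall", "IPS"]))
    fabric.add_contract(Contract("External", "Web", {("tcp", 80)}, ["firewall", "IPS", "analysis"]))
    return {
        "db_from_web": fabric.evaluate(Flow("Web", "Database", "tcp", 3306)),
        "ssh_from_web": fabric.evaluate(Flow("Web", "Database", "tcp", 22)),
        "db_from_external": fabric.evaluate(Flow("External", "Database", "tcp", 3306)),
        "intra_web": fabric.evaluate(Flow("Web", "Web", "tcp", 8080)),
    }
```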
 
Figure 1 illustrates a fabric view of the network and its physical and virtual devices. Any device attaches to the fabric at any available port at any physical location. The desired topology is created completely by the fabric itself, so scaling can be extremely elastic. All spine nodes connect directly to every leaf node, which brings inherent reliability and network path optimization. Service consumers in a single EPG or subnet can be located anywhere within the topology and still communicate in a completely transparent fashion. Virtual and physical consumers grouped in a single EPG can use both physical and virtualized services from the producers. Additional virtual service producers can be instantiated and retired by the fabric based on immediate network needs, helping to enable the agile provisioning of services. The fabric can intelligently balance flows across multiple service producers even within a single contract and maintain symmetry for stateful devices.