Cisco ASA 5520 Adaptive Security Appliance White Paper
Solution Guide
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 1 of 29
Integrating the Cisco ASA with Cisco Nexus 9000 Series Switches and the Cisco Application Centric Infrastructure
Data Center Design Opportunities
Modern designs for the highly secure data center concentrate on overcoming the constraints of traditional physical hardware network infrastructures. Network designers strive to optimize physical device insertion points and accommodate the emerging virtualized environments and applications. Although virtual computing promotes topological abstraction and supports dynamic logical designs, the underlying network technology must accommodate the computing layer within the limits of physical connections, VLANs, routing protocols, and traditionally fragmented management models. Several features can be viewed as clear opportunities in future data center architectures.
● Agile provisioning: Although application flows change dynamically along with business needs, physical network topologies do not. For instance, all transit traffic may be directed through a security device simply because that particular path cannot be easily avoided. Implementing VLAN segregation and dynamic routing protocols for service insertion becomes a complex task, and it often results in suboptimal paths for time-sensitive application traffic. The virtualized provisioning of computing resources has become a near-instantaneous requirement, and the associated network service devices must be instantiated just as quickly and smoothly anywhere within the topology.
● Elastic scalability: As new computing resources and network service devices are added to the network, the availability of switch ports and power becomes a constraint around the critical application farms. Direct physical connections are typically required to insert firewalls, traffic analysis tools, and other network services as close to the application hosts as possible. The network should decouple the placement of hardware devices from their functions and provide native load-distribution capabilities in order to scale with business needs.
● Service virtualization: Traditional network services are still relevant within a virtualized environment, and the physical-insertion model must be complemented with easy-to-deploy virtual appliances. A colocated virtual device can effectively extend firewall, load balancing, and similar services to application flows contained in the same computing hardware without the need to traverse a physical network. Such virtualized services can be rapidly deployed and retired on demand, increasing the overall scalability and versatility of the architecture.
● Unified configuration and visibility: Every network device typically uses its own configuration syntax and interface. Virtualized environments are managed separately from the network infrastructure, with minimal shared control of common elements. A single point of network management, service provisioning, flow policy control, and monitoring provides a unified view of the infrastructure and allows the contextual reuse of common elements in an end-to-end design.
● Policy set simplification: Even when unified management applications are used to define the common policy rule set, the administrator must either manually select the policy for each network service device or push the same extensive rule set to all of them. As new rules are added to this set, obsolete rules are rarely