Cisco ASA 5515-X Adaptive Security Appliance white paper

Solution Guide 
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 1 of 29 
Integrating the Cisco ASA with Cisco Nexus 9000 Series Switches and the Cisco Application Centric Infrastructure
Data Center Design Opportunities 
Modern designs for the highly secure data center concentrate on overcoming the constraints of traditional physical hardware network infrastructures. Network designers strive to optimize physical device insertion points and accommodate the emerging virtualized environments and applications. Although virtual computing promotes topological abstraction and supports dynamic logical designs, the underlying network technology must accommodate the computing layer within the limits of physical connections, VLANs, routing protocols, and traditionally fragmented management models. Several features can be viewed as clear opportunities in future data center architectures.
● Agile provisioning: Although application flows change dynamically along with business needs, physical network topologies do not. For instance, all transit traffic may be directed through a security device simply because that particular path cannot be easily avoided. Implementing VLAN segregation and dynamic routing protocols for service insertion becomes a complex task, and it often results in suboptimal paths for time-sensitive application traffic. Virtualized provisioning of computing resources is now expected to be nearly instantaneous, and the associated network service devices must be instantiated just as quickly and smoothly anywhere within the topology.

● Elastic scalability: As new computing resources and network service devices are added to the network, the availability of switch ports and power becomes a constraint around the critical application farms. Direct physical connections are typically required to insert firewalls, traffic analysis tools, and other network services as close to the application hosts as possible. The network should decouple the placement of hardware devices from their functions and provide native load-distribution capabilities in order to scale with business needs.

● Service virtualization: Traditional network services are still relevant within a virtualized environment, and the physical-insertion model must be complemented with easy-to-deploy virtual appliances. A colocated virtual device can effectively extend firewall, load balancing, and similar services to application flows contained in the same computing hardware without the need to traverse a physical network. Such virtualized services can be rapidly deployed and retired on demand, increasing the overall scalability and versatility of the architecture.

● Unified configuration and visibility: Every network device typically uses its own configuration syntax and interface. Virtualized environments are managed separately from the network infrastructure, with minimal shared control of common elements. A single point of network management, service provisioning, flow policy control, and monitoring provides a unified view of the infrastructure and allows the contextual reuse of common elements in an end-to-end design.

● Policy set simplification: Even when unified management applications are used to define the common policy rule set, the administrator must either manually select the policy for each network service device or push the same extensive rule set to all of them. As new rules are added to this set, obsolete rules are rarely