Cisco ASA 5510 Adaptive Security Appliance White Paper
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 2 of 29
retired because the operational decoupling between service devices and application flows results in
obsolete rules remaining in place. In the end, the configured policy set no longer matches the desired
topology. The network must be intelligent enough to apply or retire rules on service devices based on the
current application and policy needs. A layered model should be used to classify and filter traffic as close to
the point of entry as possible. Each service device should be contextually programmed with only those rules
that are relevant to the specific transit flows, creating a truly distributed and simplified policy set.
Although recent developments in the area of software-defined networking (SDN) have produced solutions that
mask some of the challenges, none of these products solve the underlying problem with the traditional physical
network. A typical shortcut is to preconfigure network devices with basic terminal scripts and overlay a complex
mesh of virtual tunnels to assist with the traffic engineering tasks. Full Layer 2 and 3 connectivity is still required
within the underlying data center network, so the complications of VLAN segregation and IP routing continue to
apply. As a result, the network administrator must now manage two networks, the physical and the virtual. Many such
models remain central to virtual computing, and none of them attempt to break away from the traditional network
limitations or concepts. The simple conclusion is that the network itself must gain the speed and intelligence to
adapt itself to its applications and the associated services.
Next-Generation Data Center Fabric Architecture
The Cisco Nexus® 9000 Application Centric Infrastructure (ACI) framework revolutionizes the traditional data center
model by separating logical and physical network topologies and supporting centralized control, automation, and
service orchestration. The next-generation data center fabric becomes an ultra-high-speed physical network itself,
so it can dynamically configure and interconnect heterogeneous external devices based on application policy
needs. The Cisco® Application Policy Infrastructure Controller (APIC) represents a single point of orchestration,
distributed policy provisioning, and network intelligence. This new model abstracts the network into the following
components:
● Fabric nodes are powered by the Cisco Nexus 9000 switch platform. Spine nodes create the core of the
intelligent fabric, and they interconnect leaf nodes, which provide connections for external physical
endpoints into the fabric. The longest path between two leaf interfaces anywhere in the fabric is always
through a single spine node. The overhead of such point-to-point connections through the fabric measures
in nanoseconds, which is negligible as far as the hosted applications and network services are concerned.
This light-speed connectivity almost eliminates the need for hardware colocation and directly addresses the
elastic scalability goal.
● Service consumers are simply the endpoints that rely on network services. They can be physical devices
or virtual machines. Typical service consumers are the data center application servers or their clients, but
they can also include external network connections. Both physical consumer devices and the computing
server hosts connect to the fabric through leaf nodes.
● Service producers are the typical network service devices, such as firewalls, intrusion detection and
prevention systems, network analyzers, SSL accelerators, and other in-line traffic processing systems.
Physical service producers connect to the fabric directly through leaf nodes. Virtual service producers
logically link into the fabric through port groups that are extended to the leaf node through the underlying
physical server hardware; this capability directly supports service virtualization.
● Endpoint groups (EPGs) define similar service consumers in terms of application services and usage. For
instance, all web servers on the same network segment may be grouped into a single EPG. Each physical
or logical fabric leaf port belongs to a particular EPG, and you can group any such ports into any number of