Cisco ASA 5510 Adaptive Security Appliance White Paper

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 2 of 29 
retired because the operational decoupling between service devices and application flows results in 
obsolete rules remaining in place. In the end, the configured policy set no longer matches the desired 
topology. The network must be intelligent enough to apply or retire rules on service devices based on the 
current application and policy needs. A layered model should be used to classify and filter traffic as close to 
the point of entry as possible. Each service device should be contextually programmed with only those rules 
that are relevant to the specific transit flows, creating a truly distributed and simplified policy set. 
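The reconciliation the paragraph calls for can be made concrete: derive, for each service device, the rule set implied by the application flows that actually transit it, then diff that against what the device currently holds. The example below is an added illustration, not Cisco's code and not an APIC API; device names, the flow and rule representations, and the sample rule sets are all constructed for the example.

```python
"""Reconcile service-device rule sets against the currently active application flows.

Added illustration (not Cisco's or APIC's code). Device names, flows and the
(src_group, dst_group, proto, port) rule format are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# A rule is keyed the way a filter on a firewall or IPS would be matched.
Rule = Tuple[str, str, str, int]  # (src_group, dst_group, proto, port)


@dataclass(frozen=True)
class Flow:
    """One application flow and the service devices it transits, in order."""
    src_group: str
    dst_group: str
    proto: str
    port: int
    path: Tuple[str, ...]

    def rule(self) -> Rule:
        return (self.src_group, self.dst_group, self.proto, self.port)


def desired_rules(flows: Set[Flow]) -> Dict[str, Set[Rule]]:
    """Rules each device should hold: only those for flows that transit that device."""
    wanted: Dict[str, Set[Rule]] = {}
    for flow in flows:
        for device in flow.path:
            wanted.setdefault(device, set()).add(flow.rule())
    return wanted


def reconcile(current: Dict[str, Set[Rule]], flows: Set[Flow]) -> Dict[str, Dict[str, Set[Rule]]]:
    """Per device: rules to 'apply' (needed but absent) and to 'retire' (present but no longer backed by a flow)."""
    wanted = desired_rules(flows)
    plan: Dict[str, Dict[str, Set[Rule]]] = {}
    for device in set(current) | set(wanted):
        have = current.get(device, set())
        need = wanted.get(device, set())
        plan[device] = {"apply": need - have, "retire": have - need}
    return plan


# Constructed sample: three hypothetical service devices and the flows that currently exist.
ACTIVE_FLOWS: Set[Flow] = {
    Flow("client", "web", "tcp", 443, path=("fw-edge",)),
    Flow("web", "app", "tcp", 8443, path=("fw-edge", "ips-1")),
    Flow("app", "db", "tcp", 5432, path=("fw-core",)),   # new tier, not yet programmed
}

# Constructed sample: what each device holds today. 'fw-edge' still carries a rule for a
# decommissioned web->db path, and 'fw-core' carries a web->app rule although no such flow
# transits it any more: the operational decoupling the text describes.
CURRENT_RULES: Dict[str, Set[Rule]] = {
    "fw-edge": {("client", "web", "tcp", 443), ("web", "app", "tcp", 8443), ("web", "db", "tcp", 3306)},
    "ips-1": {("web", "app", "tcp", 8443)},
    "fw-core": {("web", "app", "tcp", 8443)},
}


if __name__ == "__main__":
    for device, actions in sorted(reconcile(CURRENT_RULES, ACTIVE_FLOWS).items()):
        print(device)
        for verb in ("apply", "retire"):
            for rule in sorted(actions[verb]):
                print(f"  {verb}: {rule}")
```

Running the module prints one plan per device: `fw-edge` retires its stale `web -> db` rule, `ips-1` needs no change, and `fw-core` retires the rule no flow justifies while gaining the `app -> db` rule. Keeping the reconciliation flow-driven is what keeps each device's rule set limited to its own transit traffic.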
 
Although recent developments in the area of software-defined networking (SDN) have produced solutions that 
mask some of the challenges, none of these products solve the underlying problem with the traditional physical 
network. A typical shortcut is to preconfigure network devices with basic terminal scripts and overlay a complex 
mesh of virtual tunnels to assist with the traffic engineering tasks. Full Layer 2 and 3 connectivity is still required 
within the underlying data center network, so the complications of VLAN segregation and IP routing continue to 
apply. As a result, the network administrator must now manage two networks, the physical and virtual. Many such 
models remain central to virtual computing, and none of them attempt to break away from the traditional network 
limitations or concepts. The simple conclusion is that the network itself must gain the speed and intelligence to 
adapt itself to its applications and the associated services. 
Next-Generation Data Center Fabric Architecture 
The Cisco Nexus® 9000 Application Centric Infrastructure (ACI) framework revolutionizes the traditional data center 
model by separating logical and physical network topologies and supporting centralized control, automation, and 
service orchestration. The next-generation data center fabric becomes an ultra-high-speed physical network itself, 
so it can dynamically configure and interconnect heterogeneous external devices based on application policy 
needs. The Cisco® Application Policy Infrastructure Controller (APIC) represents a single point of orchestration, 
distributed policy provisioning, and network intelligence. This new model abstracts the network into the following 
components: 
● Fabric nodes are powered by the Cisco Nexus 9000 switch platform. Spine nodes create the core of the intelligent fabric, and they interconnect leaf nodes, which provide connections for external physical endpoints into the fabric. The longest path between two leaf interfaces anywhere in the fabric is always through a single spine node. The overhead of such point-to-point connections through the fabric measures in nanoseconds, which is negligible as far as the hosted applications and network services are concerned. This light-speed connectivity almost eliminates the need for hardware colocation and directly addresses the elastic scalability goal. 
● Service consumers are simply the endpoints that rely on network services. They can be physical devices or virtual machines. Typical service consumers are the data center application servers or their clients, but they can also include external network connections. Both physical consumer devices and the computing server hosts connect to the fabric through leaf nodes. 
● Service producers are the typical network service devices, such as firewalls, intrusion detection and prevention systems, network analyzers, SSL accelerators, and other in-line traffic processing systems. Physical service producers connect to the fabric directly through leaf nodes. Virtual service producers logically link into the fabric through port groups that are extended to the leaf node through the underlying physical server hardware; this capability directly supports service virtualization. 
● Endpoint groups (EPGs) define similar service consumers in terms of application services and usage. For instance, all web servers on the same network segment may be grouped into a single EPG. Each physical or logical fabric leaf port belongs to a particular EPG, and you can group any such ports into any number of