Cisco ASA 5510 Adaptive Security Appliance White Paper

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. 
Page 4 of 29 
Figure 1.    Fabric Network Setup and Device Attachment 
Figure 2 depicts Web and Database EPGs, which receive network settings from their respective application profiles within the fabric. All communication from the Web EPG to the Database EPG must go through the associated policy contract. Based on this contract, the fabric port ASIC (application-specific integrated circuit) immediately denies all Telnet traffic from Web service consumers to any Database consumer and allows all TCP connections from Web consumers to Database consumers on ports 1400 and 1401. All permitted traffic from any Web consumer to any Database consumer is redirected through the service graph. The service graph contains a firewall device that statefully inspects all traffic based on more specific policies. Once the firewall permits a packet, the fabric delivers it to the appropriate consumer in the Database EPG. All other traffic from Web to Database is dropped by the fabric. This approach to flow forwarding illustrates how the fabric simplifies the policy set. Basic IP and transport-port rules are applied directly at the port level, so blocked traffic never consumes network resources. The firewall in the service graph can apply more detailed rules, including application inspection in which secondary connections are permitted automatically; in that case the fabric filter must be more permissive, because any connection the fabric filter does not permit never reaches the firewall.
Figure 2.    EPG Flow Abstraction with Application Profiles, Contracts, and Service Graphs
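The two-stage evaluation described above, written out as an added model that is not part of the Cisco paper: stage 1 is the fabric contract filter at the port ASIC, stage 2 is the stateful firewall in the service graph, and a final check lists firewall permits that the fabric filter would silently drop before the firewall ever sees them. The EPG names, the contract entries and the firewall permit set are constructed from the text, not taken from any real configuration.

```python
from collections import namedtuple
from enum import Enum

class Verdict(Enum):
    DENIED_BY_FABRIC = "explicit deny at the fabric port ASIC"
    DROPPED_BY_FABRIC = "no permit entry: implicit drop by the fabric"
    DENIED_BY_FIREWALL = "denied by the service graph firewall"
    DELIVERED = "delivered to the Database EPG"

# A flow is keyed by source EPG, destination EPG, transport protocol and destination port.
Flow = namedtuple("Flow", "src_epg dst_epg proto dport")
# A contract filter entry; permit entries redirect the flow through the service graph.
FilterEntry = namedtuple("FilterEntry", "proto port_from port_to permit")

# Constructed contract from the Web (consumer) to the Database (provider) EPG, evaluated in order.
WEB_TO_DB_CONTRACT = (
    FilterEntry("tcp", 23, 23, permit=False),     # Telnet is denied outright at the port ASIC
    FilterEntry("tcp", 1400, 1401, permit=True),  # TCP 1400-1401 is permitted and redirected
)
# Constructed firewall policy inside the service graph; the more specific rules live here.
FIREWALL_PERMITS = {("tcp", 1400), ("tcp", 1401)}

def fabric_stage(flow, contract=WEB_TO_DB_CONTRACT):
    """Stage 1, the contract filter: a terminal Verdict, or None to redirect to the firewall."""
    if (flow.src_epg, flow.dst_epg) != ("Web", "Database"):
        return Verdict.DROPPED_BY_FABRIC  # no contract covers this EPG pair
    for e in contract:
        if flow.proto == e.proto and e.port_from <= flow.dport <= e.port_to:
            return None if e.permit else Verdict.DENIED_BY_FABRIC
    return Verdict.DROPPED_BY_FABRIC  # nothing permitted it: implicit deny

def forward(flow, firewall_permits=FIREWALL_PERMITS):
    """Stage 2: only flows the fabric redirected ever reach the stateful firewall."""
    verdict = fabric_stage(flow)
    if verdict is not None:
        return verdict
    permitted = (flow.proto, flow.dport) in firewall_permits
    return Verdict.DELIVERED if permitted else Verdict.DENIED_BY_FIREWALL

def shadowed_by_fabric(firewall_permits, contract=WEB_TO_DB_CONTRACT):
    """Firewall permits the fabric never delivers: the check to run when inspection opens
    secondary connections, since those ports must also be permitted in the contract."""
    return {(p, d) for (p, d) in firewall_permits
            if fabric_stage(Flow("Web", "Database", p, d), contract) is not None}

if __name__ == "__main__":
    for port in (23, 1400, 443):
        print(port, "->", forward(Flow("Web", "Database", "tcp", port)).value)
    print("shadowed:", shadowed_by_fabric({("tcp", 1400), ("tcp", 1402)}))
```

Running `shadowed_by_fabric` against the real firewall rule set is the practical check: any port it returns is one the service graph would permit but the contract filter drops first.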