Ecosystem | AlgoSec - Cisco ACI EPG Creation Demo

Hi and welcome. In the following session I will demonstrate how, using AlgoSec, a user can easily implement a traffic change related to one of the applications. As part of this change we will see how the traffic flows through a Cisco ACI tenant, and in order to implement and accommodate the change request we will also create an EPG automatically. Without music, let's start.

This is BusinessFlow, AlgoSec's business application management module. This application consists of various network flows that allow the traffic, that allow the network connectivity that is required for the proper functionality of this application. In this case we see that we have a flow that is defined to allow traffic between a couple of clients to our payments processing server. We can also see this topology here, so these clients communicate to this server using HTTP.

Now let's say that we want to allow traffic from a new client, from a consultant network, to this payment server. Let's do that. I am editing the flows and I want to add a new application flow. Let's call that flow "consultants to payment server". OK, so I know that I want to reach the payment server, and this is actually an existing object, which is actually an existing EPG defined in one of the tenants. This is a known server name. I know that I want to communicate with that server using HTTP, and now I know I want to define the consultant network. OK, but this may not exist yet, so I consult with the network engineer. The network engineer knows that yesterday he implemented a bridge domain for the consultant networks, as we can see here in the Cisco APIC interface, the relevant bridge domain. The consultant networks bridge domain is 10.137.0.0/16, so this is the wide consultant networks bridge domain.

Now the user wants to implement access to one of the specific consultant networks. The user wants to create a new object representing that, so let's write a new object of that range. Let's call it consultants San Francisco. Let's say that this is the required subnet, and let's give its relevant subnet, 10.137.10.0/24. So this is a subnet as part of the larger 10.137.0.0/16. They want to enable access right now; maybe in the future we want to allow access for additional branches or locations.

So I defined a new flow and now I'm ready to implement that. I am saving this flow and I want to apply the draft. BusinessFlow understands what the question is: in this case we want to add a whole new flow and implement that to the relevant security devices in the network. What is happening now is that BusinessFlow fetches and finds the right path through the entire network, which can consist of hundreds or even thousands of security devices, and finds the relevant devices to implement. How is that done? AlgoSec holds a network map consisting of the topology of all of the relevant security devices that are defined, that were onboarded in AlgoSec. As we can see now, the initial flow that we had is colored green, meaning this path is allowed, and the new path is partially blocked.

Let's see that in action. So this is actually the underlying network query that AlgoSec ran in order to locate what are the relevant security devices. In this case we see that for the request, the traffic source, destination, service, AlgoSec found two devices in the path: one firewall that allows the traffic, and the target is in a subnet which is protected by a Cisco ACI device. You can even select this individual tenant and see that this traffic was blocked, as there are no rules allowing for this traffic.

What we will see now is that BusinessFlow has automatically opened a change request in order to implement a policy change to allow this traffic. I'm clicking this record and then I see that the relevant change request was created in FireFlow, AlgoSec's change management module. We see that, as we've seen in the query results here, AlgoSec has found two devices in the path: one device, the ACI tenant, that blocks the traffic, and another device that already allows the traffic. The user confirms this device and then we proceed to the next phases within this traffic workflow as part of the change request.

The traffic workflow consists of planning the change and approving the change in terms of risk check. AlgoSec is running a risk check, a what-if analysis, to see what will be the risks that will arise as part of implementing this change. In many cases the customer can configure and customize FireFlow with conditional logic to define that at this stage the approval will be automatically concluded in case no risks are found, or if risks are below a certain threshold. As we can see in here, no risks were found, so we are good, and the security admin approves this change.

Now we're off to implementation. We see that FireFlow created a work order recommendation. Let's see what we got here. First of all, this was the change request: the change request was from this subnet to an existing EPG, and we can see its content here, using HTTP POST secure web. FireFlow recommends to create a new contract within this tenant. The tool gives a dedicated name, which is basically the ticket number, and also as part of that we defined some conditional logic that can automatically decide which service graph redirect name to specify in this newly created contract; this is its name. To complete that, we see that FireFlow didn't find any existing objects that consist of this required subnet, so FireFlow recommends creating a new EPG. Let's modify the EPG name in order to better reflect what we want this object to represent. I'm saving changes and now I'm ready to implement this recommendation.

Just to emphasize, if I go back to the APIC we see that we don't have the relevant EPG here, which we are going to create, and we can see that we have the relevant bridge domain. This bridge domain's subnet segment contains the required subnet. Also we can see here the existing contracts: we have four contracts.

Let's implement the change. When I press this button, a new EPG will be created, and then a new contract will be created containing this EPG. Now, because this EPG is this subnet, FireFlow will locate the relevant bridge domain and create a bridge domain EPG to accommodate this requested traffic. So let's do that. What happens now is that FireFlow approaches the APIC API in order to implement the new EPG and the new contract. We can see that this was actually already completed. Let's see the details: we see that FireFlow created a new EPG, as we can see in here, and a new rule.

Let's see how it was created in the APIC. First of all, we see that we have a new EPG. This EPG, payment consultants San Francisco, is attached to the bridge domain consultant networks, and we can see that this is tied to the entire bridge domain, which means basically the whole bridge domain segment, 10.137.0.0. In addition, we see that a new contract was created. In this contract the consumer is the new EPG, payment consultants San Francisco; the provider is the payment server itself. Great, this is exactly what we want to achieve, so I'm ready to conclude this change request.

What AlgoSec will do now is fetch the latest status from the device. AlgoSec has a recurring monitoring service that fetches the configuration from all of the individual devices. In the meanwhile, while it happens, we can also see AlgoSec Firewall Analyzer. As we can see on the left, we have the device tree: this is the ACI APIC, and underneath we see the different tenants. Let's go back to the subject tenant, this is tenant prod -, and actually we can see that AlgoSec already fetched the relevant new contract from the APIC. As we can see here, the consumer EPG and the provider EPG with the relevant service graph, and we even have here the name of the relevant business application. I can also see the change as it was fetched and calculated about this new contract: we have a new rule with these details and a new EPG with the required content.

If I now go back to conclude this demonstration, we'll see that now we have these two flows. The new flow is colored green; we see that the traffic that was previously blocked is now allowed on both the firewall and the ACI tenant. With that we conclude this presentation. Thank you for being with us. Goodbye.

Related videos

Application Segmentation with Cisco Tetration & AlgoSec 05:00

Demo: AlgoSec's Cisco ACI App Center 06:25

Cisco ACI and AlgoSec Integration (Overview and Demo) 07:38

Cisco ACI and AlgoSec Integration (ActiveChange Demo) 06:16
