Module 1: Cisco ACI Software Defined Networking (SDN) Architecture
Objective: Gain comprehensive knowledge of the Cisco SDN Architecture implementation of hardware and software
- Lesson 1: ACI SDN Network Architecture
- Lesson 2: ACI Zero Trust Model and Security constructs
- Lesson 3: ACI Physical Server Integration
- Lesson 4: ACI Security for Physical or Virtual workloads
- Lesson 5: ACI L3Out external routing
Module 2: Secure Hypervisor integration with Cisco ACI
Objective: Understand the secure integration of leading hypervisors with Cisco Application Centric Infrastructure (ACI)
- Lesson 1: Nutanix AHV (Nutanix Acropolis Hypervisor)
- Lesson 2: VMware ESXi and vCenter
- Lesson 3: Microsoft Hyper-V with System Center Virtual Machine Manager (SCVMM)
- Lesson 4: Red Hat OpenStack
- Lesson 5: Google Kubernetes
- Lesson 6: Kernel-based Virtual Machine (KVM)
Module 3: Cisco ACI Native Access Control
Objective: Explore, configure, and evaluate all the native Cisco ACI access control mechanisms
- Lesson 1: ACI networking constructs of Bridge Domain and VRF.
- Lesson 2: ACI Zero Trust model objects of Tenant, EPG, Application Profile, Contract, Subject and Filters
- Lesson 3: Network Centric vs Application Centric Security Models
- Lesson 4: ACI zones
- Lesson 5: ACI VRF Policy Control Enforcement
- Lesson 6: ACI Preferred Groups
- Lesson 7: Configure ACI vzAny
- Lesson 8: Configure an ACI Allow List Model with Contracts and Filters
- Lesson 9: Stateful vs Stateless Contracts
- Lesson 10: ACI Tenant Span to analyze secure traffic flows
- Lesson 11: ACI EPG Shutdown
- Lesson 12: ACI contract logging
- Lesson 13: Contract Inheritance with EPG Contract Master
- Lesson 14: ACI Micro segmented EPG (uEPG) for Intra-EPG communications
- Lesson 15: ACI Endpoint Security Groups (ESGs)
- Lesson 16: VRF Leaking
- Lesson 17: Designing a secure ACI Data Center
Module 4: Cisco ACI L4-L7 Service Graphs for Secure Device Integration
Objective: Develop skills in L4-L7 service graphs to extend ACI security with external devices
- Lesson 1: ACI L4-L7 Service Graph
- Lesson 2: ACI Service Graph Template
- Lesson 3: Concrete Object
- Lesson 4: Service Chaining with multiple highly available devices
- Lesson 5: Managed vs Unmanaged L4-L7 ACI Integration
- Lesson 6: Integrating Cisco ASAv
- Lesson 7: Transparent vs routed mode security device integration
- Lesson 8: Contracts to insert security services into ACI
- Lesson 9: L3Out routing integration with security devices
Module 5: Cisco ACI and NGFW Integration
Objective: Develop skills in understanding the value and approach of Cisco ACI and NGFW integration
- Lesson 1: Next Generation Firewall (NGFW) Integrated Security Architecture
- Lesson 2: Cisco Secure Firewall Management Center (FMC)
- Lesson 3: Cisco Secure Firewall Threat Defense Virtual (formerly FTDv/NGFWv) and Cisco Secure Firewall Management Center (FMC) enabling on Nutanix AHV
- Lesson 4: Firepower Management Center Endpoint Update App for the Cisco Application Centric Infrastructure (ACI)
- Lesson 5: NGFW Routed, switch or inline interface mode
- Lesson 6: ACI L4-L7 Policy Based Redirect (PBR) to security service
- Lesson 7: ACI PBR for micro-segmentation
- Lesson 8: Extend PBR security services to ACI Multi-Pod
- Lesson 9: Cisco NGFW zone-based policies in FMC
- Lesson 10: Threat detection with Cisco intrusion detection systems (IDS) to ACI Insertion
- Lesson 11: Threat detection with Cisco intrusion prevention systems (IPS) to ACI Insertion
- Lesson 12: Cisco ACI Integration with SPAN for IDS and IPS
- Lesson 13: Distributed Denial of Service (DDoS) Services Insertion
- Lesson 14: Cisco DC App ACI Endpoint Update to push endpoint information to the ASA or FMC
Module 6: Application Policy Infrastructure Controller (APIC) Security and Hardening
Objective: Learn method of adding security to the APIC for all management and programmatic functions
- Lesson 1: APIC Hardening
- Lesson 2: APIC Northbound Protocols
- Lesson 3: APIC Northbound Authentication
- Lesson 4: ACI Role Based Access Control (RBAC) for secure access
- Lesson 5: Audit logs for ACI changes
- Lesson 6: Certificate based authentication
- Lesson 7: Two factor authentication
Module 7: Administering Physical ACI Security
Objective: Master administration of ACI Physical Security
- Lesson 1: Remote Leafs
- Lesson 2: MACsec on ACI leafs
- Lesson 3: Enabling 802.1x on ACI leafs
- Lesson 4: NXOS Image signing and verification
Module 8: Cisco ACI Multidomain Security
Objective: Develop skills in understanding the value and approach of Cisco ACI and VMware NSX integration
- Lesson 1: Trustsec Policy Domain
- Lesson 2: Cisco Identity Services Engine (ISE) for a cohesive security policy
- Lesson 3: Trustsec Security Group to ACI External EPG security translation
- Lesson 4: Stealthwatch and ACI Integration
- Lesson 5: Cisco ACI and Cisco Secure Workload Integration
- Lesson 6: Cisco ACI and Cisco Secure Workload Rapid Threat Containment
Lab Outline:
Labs are designed to assure learners a whole practical experience, through the following practical activities:
Lab 0: Accessing the NterOne Lab Devices
- Basics of accessing and setting up the lab environment for Cisco ACI security exercises.
Lab 1: Validate Fabric Discovery
- Validate the pre-configured Cisco ACI Fabric
Lab 2: Create ACI Access Policies
- Setting up policies, profiles, pools and AEPs for device connectivity
Lab 3: Implement Cisco ACI Tenant Policies
- Configure the underlying managed objects to support ACI Security
Lab 4: Integrate APIC with Nutanix Acropolis Hypervisor (AHV)
- Hands-on experience in provisioning Cisco ACI and Nutanix AHV virtual machine manager (VMM) Integration
Lab 5: Enable a Bare Metal Device in your Tenant
- Configure a Bare Metal Device to demonstrate ACI security methodologies for physical servers along with Nutanix Virtual Machines.
Lab 6: Configure External Layer 3 (L3Out) Connection
- Setting up an OSPF L3Out in your tenant to integrate external connectivity with a secure ACI architecture
Lab 7: ACI VRF Policy Control Enforcement
- Configure VRF Policy Control Enforcement and verify connectivity within your Tenant
Lab 8: Configure ACI Preferred Groups
- Creating VRF based Preferred Groups and verify connectivity and isolation within your Tenant
Lab 9: Configure ACI vzAny
- Configure a contract and filter and apply to vzAny within a VRF in your tenant.
Lab 10: Configure an ACI Allow List Model with Contracts and Filters
- Configure a comprehensive security allow list in ACI incorporating one way and bidirectional traffic flows. Demonstrate EPG Shutdown and Contract Logging
Lab 11: Configure Tenant Span to analyze security
- Configure Tenant Span to analyze ACI Security traffic flows with Wireshark
Lab 12: Contract Inheritance with EPG Contract Master
- Configure the inherit contract relationship configuration of master EPG
Lab 13: Configure an ASAv in a ACI Service Graph in Unmanaged Mode
- Configure an ASAv firewall to integrate within the ACI allow list security model.
Lab 14: ACI Endpoint Security Groups (ESGs)
- Configure the new segmentation method available in Cisco ACI that allows creating security groups across multiple bridge domains (BDs)
Lab 15: ACI Micro segmented EPG (uEPG)
- Configure the dynamic uEPG and explore advanced isolation within an EPG
Lab 16: Configure a NGFW Firepower firewall in a ACI with Policy Based Routing (PBR)
- Configure an NGFW Firepower firewall to integrate within the ACI with PBR.
Lab 17: Configure Threat Detection with IDS and IPS in the ACI Integrated NGFW Firepower Security virtual machine
- Configure IDS and IPS L4-L7 integration within your tenant
Lab 18: Enabling 802.1X in ACI
- Configure 802.1X in Cisco ACI to control port-based access control to the leafs.
Lab 19: Monitoring and Diagnosing ACI Security
- Enable and analyze ACI security diagnostic information
Lab 20: Configure RBAC using Local and RADIUS Users
- Configure role-based access control (RBAC) to be used for both local and RADIUS user authentication