Microsegmentation Cisco APIC-EM

Frank Jan Veenstra · ‎03-21-2017

Hello,

First of all, I can't find the APIC-EM group, so I post my question here. Sorry.

I'm interested in the Cisco APIC-EM solution to develop a Software Defined Network compatible with the Catalyst switches used here. I'm also interested in microsegmentation to isolate endpoints inside the VLAN's for malware protection. With Cisco ACI, this can be realized by different endpoint groups (EPG's) and adding rules to these groups. It is also possible with the Cisco Application Virtual Switch to add this microsegmentation functionality also to virtual machines running in a VMWare and Citrix cluster.

Is this functionality also possible with the infrastructure we used here (Catalyst switches) and the APIC-EM solution?

Thank you in advance.

Kind regards,

Frank Jan

Philip D'Ath · ‎03-21-2017

I don't know about APIC-EM, but you can configure functionality like that using "switchport protected" from the command line. So it seems reasonable the same functionality will be exposed via APIC-EM.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011101.html

I think this functionality is more likely to work with Catalyst switches running IOS-XE, like the Cisco 3650 and above. You would want to be running the 16.x code train or newer.

Worst case, you could always have your software talk directly to the switch via SSH and the CLI - it's still software defined, just using a different interface.