APIC's Adventures in Wonderland

Software-defined networking (SDN) alongside micro-segmentation has been proposed as a new paradigm to deploy applications faster and, simultaneously, protect individual workloads against lateral movement. Its implementation usually follows an application-centric view in which the underlying network specifics are abstracted away from the management layers. Hence, an application developer only defines how the parts of their application may communicate (e.g. web servers can connect to database servers on a given port) without considering the details of the network communication (e.g. IP addresses/subnets and routing tables).

A prominent solution in this area is the Application Centric Infrastructure (ACI) by Cisco. ACI is based on Nexus switches in a spine-leaf configuration and one (or preferably more) Application Policy Infrastructure Controller (APIC). APICs are ACI's brain controlling the configuration of the switches to provide SDN and micro-segmentation capabilities for connected endpoints. Endpoints can then be aggregated into so-called endpoint groups (EPGs), which serve as the basic entities to apply filtering rules.

In this talk, we will demystify the magic that surrounds the ACI wonderland and follow the APIC on its journey down the rabbit hole, from the moment it is first connected to the leaf switches until it is configured with EPGs and filtering rules. Along this journey we will participate in a crazy tea party. Here, the Mad Hatter will introduce us to the components involved in setting up the ACI fabric (including their background communication and the protocols used), the March Hare will demonstrate what can go wrong, and the Dormouse, before finally drifting off to sleep, will release exploits for the identified vulnerabilities.
