ACI – Policy Based Data Center Model – Foundations

In many of today’s data center networks, applications are almost always grouped by virtual LAN (VLAN) and subnet, and connectivity policies are applied based on these constructs. In modern data centers this approach has proved to impose limitations on how applications can be grouped and how policy can be applied to them. As illustrated in the figure below, the traditional approach leaves a disconnect, or at best an inefficient translation, between the language of the applications and the language of the network.


Obviously, the manual configuration and processes of this design approach lead to slower deployment along with higher configuration error rates. Consequently, this approach has a significant business impact in today’s market, where businesses expect their technology solutions to offer fast service and application provisioning.

In contrast, the figure below illustrates how Cisco ACI bridges the gap between the application and network languages with a policy-based model that is primarily enabled by the Cisco Application Policy Infrastructure Controller (APIC). With this model, a traditional tiered application can now be effortlessly deployed in the ACI fabric simply by defining the objects and the communication requirements between them.

[Figure: Cisco ACI policy-based model bridging the application and network languages]

In order to design and build a policy-based data center using Cisco ACI, you need a good understanding of the following key terms along with the primary function of each.

  • Application network profile (ANP): contains the entire application policy. ANPs are designed to be modeled in a logical manner that matches the way applications are designed and deployed, which overcomes the disconnect between the application language and the networking language.
  • Endpoint groups (EPGs): a policy consists of a number of endpoint groups, each of which is typically one or more servers in the same segment.
  • Contracts: policy contracts define the communication requirements between EPGs.

What is an Endpoint Group in Cisco ACI?

Endpoint Groups (EPGs) are a collection of similar endpoints representing an application tier or set of services. They provide a logical grouping for objects that require similar policy. For example, an EPG could be the group of components that make up an application’s web tier. Endpoints themselves are defined using NIC, vNIC, MAC address, IP address, DNS name, or VM tags, with extensibility for future methods of identifying application components. For instance, the figure below shows an EPG that contains web services (both HTTP and HTTPS) defined regardless of their IP subnet (different IP subnets under a single EPG). In this example, regardless of the separate subnets, policy is applied to both the HTTPS and HTTP services within this EPG. This helps data center operators separate the addressing of the applications from their mapping and policy enforcement across the ACI fabric.

[Figure: an EPG containing HTTP and HTTPS web services that reside in different IP subnets]

Within the Cisco ACI fabric, policy is applied between EPGs, thereby defining how EPGs communicate with one another. This provides what is commonly referred to as micro-segmentation, and it requires you to define a contract between these EPGs. Contracts define inbound and outbound permit, deny, and QoS rules and policies, such as redirect. Contracts allow both simple and complex definitions of the way that an EPG communicates with other EPGs, depending on the requirements of the environment. This policy model also allows for both unidirectional and bidirectional policy enforcement.

As shown in the figure below, Cisco ACI micro-segmentation makes it possible to restrict communication between hosts in a holistic manner, simply by applying a central policy through the APIC that defines which traffic flows are allowed to and from each of the EPGs; these flows should ultimately map to the application’s communication requirements.

[Figure: micro-segmentation between EPGs enforced by a central policy applied through the APIC]

In other words, to build a design with the Cisco ACI policy-based approach you need:

  • A way to identify and group endpoints together: in the Cisco ACI model this is achieved by using EPGs.
  • A way to determine how these grouped endpoints communicate with each other: in Cisco ACI this is achieved by creating policies and associating them with contracts, which act as the connection points between EPGs.

The figure below shows the basic three-tier web application used previously, with some common additional connectivity that would be required in the real world. In this figure we see shared network services (NFS and management), which would be used by all three tiers as well as by other EPGs within the fabric. In scenarios like this, the contract provides a reusable policy that defines how the NFS and MGMT EPGs provide functions or services that can be consumed by other EPGs.

[Figure: three-tier web application with shared NFS and MGMT service EPGs provided to all tiers through reusable contracts]

After defining the aforementioned objects (EPGs and contracts), the data center operator can define the application network profile, which is pushed by the APIC and provisioned on the ACI fabric switches as illustrated in the figure below. With this approach, network operators do not need to worry about defining and applying complex manual configurations such as VLANs and ACLs.
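To make the whitelist semantics of EPGs and contracts concrete, here is an added example that models the three-tier application with its shared NFS and MGMT services and evaluates whether a given flow is permitted. This is illustrative code written for this post, not Cisco software or the APIC object model: the class names, the EPG names (Web, App, DB, NFS, MGMT) and all addresses are constructed for the scenario, and the evaluator only covers the provider/consumer direction of a contract.

```python
"""Toy model of ACI EPGs, contracts and filters (added example, not APIC code).

Key properties demonstrated:
  * endpoints in different IP subnets can belong to the same EPG;
  * traffic between EPGs is denied unless a contract permits it (whitelist);
  * one contract (NFS, MGMT) is reused by every tier that consumes it;
  * a contract is directional: consumers may initiate to providers, not vice versa.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    """An endpoint identified by several attributes, not just its subnet."""
    name: str
    ip: str
    mac: str
    vm_tag: str = ""


@dataclass(frozen=True)
class FilterEntry:
    """One entry of a contract filter: protocol plus destination port range."""
    proto: str                 # "tcp", "udp" or "any"
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    """Providers offer the service described by the entries; consumers may reach it."""
    name: str
    entries: list
    providers: set = field(default_factory=set)
    consumers: set = field(default_factory=set)


class Fabric:
    """Holds EPGs (name -> endpoints) and the contracts that bind them."""

    def __init__(self):
        self.epgs = {}
        self.contracts = []

    def add_epg(self, name: str, endpoints) -> None:
        self.epgs[name] = set(endpoints)

    def add_contract(self, contract: Contract) -> None:
        self.contracts.append(contract)

    def epg_of(self, ip: str):
        """Classify an endpoint by IP (the lookup could equally use MAC or VM tag)."""
        for name, endpoints in self.epgs.items():
            if any(ep.ip == ip for ep in endpoints):
                return name
        return None

    def permitted(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """Whitelist decision: deny unless a contract between the two EPGs allows it."""
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        if src is None or dst is None:
            return False                      # unknown endpoints get no policy
        if src == dst:
            return True                       # intra-EPG traffic permitted by default
        for c in self.contracts:
            if src in c.consumers and dst in c.providers:
                if any(e.matches(proto, dport) for e in c.entries):
                    return True
        return False


def build_three_tier() -> Fabric:
    """Constructed scenario: Web, App and DB tiers plus shared NFS and MGMT EPGs."""
    fabric = Fabric()
    # Two web servers in different subnets, grouped into one EPG by their role.
    fabric.add_epg("Web", [Endpoint("web1", "10.1.1.10", "00:11:22:33:44:01", "tier=web"),
                           Endpoint("web2", "10.2.2.10", "00:11:22:33:44:02", "tier=web")])
    fabric.add_epg("App", [Endpoint("app1", "10.3.3.10", "00:11:22:33:44:03", "tier=app")])
    fabric.add_epg("DB", [Endpoint("db1", "10.4.4.10", "00:11:22:33:44:04", "tier=db")])
    fabric.add_epg("NFS", [Endpoint("nfs1", "10.9.9.10", "00:11:22:33:44:05")])
    fabric.add_epg("MGMT", [Endpoint("jump1", "10.9.9.20", "00:11:22:33:44:06")])

    fabric.add_contract(Contract("web-to-app", [FilterEntry("tcp", 8080, 8080)],
                                 providers={"App"}, consumers={"Web"}))
    fabric.add_contract(Contract("app-to-db", [FilterEntry("tcp", 3306, 3306)],
                                 providers={"DB"}, consumers={"App"}))
    # Shared services: one reusable contract each, consumed by all three tiers.
    tiers = {"Web", "App", "DB"}
    fabric.add_contract(Contract("nfs", [FilterEntry("tcp", 2049, 2049)],
                                 providers={"NFS"}, consumers=set(tiers)))
    fabric.add_contract(Contract("mgmt-ssh", [FilterEntry("tcp", 22, 22)],
                                 providers={"MGMT"}, consumers=set(tiers)))
    return fabric


if __name__ == "__main__":
    f = build_three_tier()
    for flow in [("10.1.1.10", "10.3.3.10", "tcp", 8080), ("10.1.1.10", "10.4.4.10", "tcp", 3306),
                 ("10.4.4.10", "10.9.9.10", "tcp", 2049), ("10.4.4.10", "10.3.3.10", "tcp", 3306)]:
        print(flow, "->", "PERMIT" if f.permitted(*flow) else "DENY")
```

The point of the model is that the decision never mentions a VLAN or a subnet: web1 and web2 sit in different subnets yet receive identical policy because they are classified into the same EPG, while the web tier cannot reach the database directly because no contract makes Web a consumer of DB. Return traffic for permitted flows, which the real fabric handles with a reverse filter entry, is deliberately left out of this evaluator.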

[Figure: application network profile pushed by the APIC and provisioned on the ACI fabric switches]

Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the top Cisco certification design books, “CCDE Study Guide” and the upcoming “CCDP Arch 4th Edition”). He is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.

