In many of today’s data center networks, applications are almost always grouped by virtual LAN (VLAN) and subnet, and connectivity policies are applied based on these constructs. In modern data centers this approach has proved to limit how applications can be grouped and how policy can be applied to them: as illustrated in the figure below, the traditional approach creates a disconnect, or at best an inefficient translation, between the language of applications and the language of the network.
Obviously, the manual configuration and processes of this design approach lead to slower deployment and higher configuration error rates. Consequently, this approach has a significant business impact in today’s market, where businesses expect technology solutions to offer fast service and application provisioning.
In contrast, the figure below illustrates how Cisco ACI bridges the gap between the application and network languages with a policy-based model, enabled primarily by the Cisco Application Policy Infrastructure Controller (APIC). Traditional tiered applications can now be deployed in the ACI fabric simply by defining the objects and the communication requirements between them. To design and build a policy-based data center using Cisco ACI, you need a good understanding of the following key terms and the primary function of each.
What is an Endpoint Group in Cisco ACI?
Endpoint Groups (EPGs) are a collection of similar endpoints representing an application tier or set of services. They provide a logical grouping for objects that require similar policy. For example, an EPG could be the group of components that make up an application’s web tier. Endpoints themselves are identified by NIC, vNIC, MAC address, IP address, DNS name, or VM tags, with extensibility for future methods of identifying application components. For instance, the figure below shows an EPG that contains web services (both HTTP and HTTPS) defined regardless of their IP subnet (different IP subnets under a single EPG). In this example, regardless of the separate subnets, policy is applied to both the HTTPS and HTTP services within this EPG. This helps data center operators separate the addressing of applications from their mapping and policy enforcement across the ACI fabric.
Within the Cisco ACI fabric, policy is applied between EPGs, thereby defining how EPGs communicate with one another. This provides what is commonly referred to as micro-segmentation, in which you define a contract between these EPGs. Contracts define inbound and outbound permit, deny, and QoS rules and policies, such as redirect. Contracts allow both simple and complex definitions of the way an EPG communicates with other EPGs, depending on the requirements of the environment. This policy model also allows for both unidirectional and bidirectional policy enforcement.
As shown in the figure below, Cisco ACI micro-segmentation facilitates restricting communication between hosts in a holistic manner: a central policy applied through the APIC defines which traffic flows are allowed to and from each EPG, and these flows should ultimately map to the application’s communication requirements.
In other words, to build a design with the Cisco ACI policy-based approach you need:
The figure below shows the basic three-tier web application used previously, with some common additional connectivity that would be required in the real world. In this figure we see shared network services (NFS and management), which would be used by all three tiers as well as by other EPGs within the fabric. In scenarios like this, the contract provides a reusable policy defining how the NFS and MGMT EPGs provide functions or services that can be consumed by other EPGs.
After defining the aforementioned objects (EPGs and contracts), the data center operator can define the application network profile, which is pushed by the APIC and provisioned on the ACI fabric switches, as illustrated in the figure below. With this approach, network operators no longer need to define and apply complex manual configurations such as VLANs and ACLs.
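To make the EPG, contract and application network profile concepts from the preceding sections concrete, here is an added example (written for this page, not code from the article or from Cisco) that builds the three-tier application with its shared NFS and MGMT services as the JSON object tree the APIC REST API accepts, and then derives which EPG-to-EPG flows the contracts actually permit. The class and attribute names (fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry, fvRsProv, fvRsCons, fvRsBd, vzRsSubjFiltAtt) are the standard ACI managed-object classes; the tenant, EPG, bridge-domain, contract and filter names and the port numbers are constructed for the illustration, and the bridge domains are assumed to exist already.

```python
"""Build a Cisco ACI application network profile as an APIC JSON tree and
evaluate which consumer-EPG -> provider-EPG flows its contracts permit.

Added example, not from the article or Cisco. Tenant, EPG, bridge-domain,
contract and filter names are constructed; the class/attribute names are
the standard ACI managed-object classes.
"""
import json


def mo(cls, attrs, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape."""
    return {cls: {"attributes": attrs, "children": list(children)}}


def filter_mo(name, ports):
    """A vzFilter with one TCP vzEntry per destination port."""
    entries = [
        mo("vzEntry", {"name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
                       "dFromPort": str(p), "dToPort": str(p)})
        for p in ports
    ]
    return mo("vzFilter", {"name": name}, entries)


def contract_mo(name, filter_name):
    """A vzBrCP whose single subject references the filter by name."""
    subj = mo("vzSubj", {"name": "subj"},
              [mo("vzRsSubjFiltAtt", {"tnVzFilterName": filter_name})])
    return mo("vzBrCP", {"name": name, "scope": "tenant"}, [subj])


def epg_mo(name, bd, provides=(), consumes=()):
    """An fvAEPg bound to a bridge domain, providing/consuming contracts."""
    rels = [mo("fvRsBd", {"tnFvBDName": bd})]
    rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, rels)


def build_tenant():
    """Three-tier app plus shared NFS/MGMT services as ACI policy. Addressing
    lives in the (assumed, name-referenced) bridge domains, policy in contracts."""
    filters = [filter_mo("web-flt", [80, 443]), filter_mo("app-flt", [8080]),
               filter_mo("db-flt", [3306]), filter_mo("nfs-flt", [2049]),
               filter_mo("mgmt-flt", [22])]
    contracts = [contract_mo("web-c", "web-flt"), contract_mo("app-c", "app-flt"),
                 contract_mo("db-c", "db-flt"), contract_mo("nfs-c", "nfs-flt"),
                 contract_mo("mgmt-c", "mgmt-flt")]
    shared = ["nfs-c", "mgmt-c"]  # reusable contracts consumed by every tier
    epgs = [
        epg_mo("web", "bd-app", provides=["web-c"], consumes=["app-c"] + shared),
        epg_mo("app", "bd-app", provides=["app-c"], consumes=["db-c"] + shared),
        epg_mo("db", "bd-data", provides=["db-c"], consumes=shared),
        epg_mo("nfs", "bd-svc", provides=["nfs-c"]),
        epg_mo("mgmt", "bd-svc", provides=["mgmt-c"]),
    ]
    anp = mo("fvAp", {"name": "three-tier"}, epgs)
    return mo("fvTenant", {"name": "demo"}, filters + contracts + [anp])


def allowed_flows(tenant):
    """Derive permitted (consumer, provider, port) tuples from the tree.
    Anything not derived here is implicitly denied: contracts are a whitelist."""
    filt_ports, contract_filters, providers, consumers = {}, {}, {}, {}
    for child in tenant["fvTenant"]["children"]:
        if "vzFilter" in child:
            f = child["vzFilter"]
            filt_ports[f["attributes"]["name"]] = [
                int(e["vzEntry"]["attributes"]["dFromPort"]) for e in f["children"]]
        elif "vzBrCP" in child:
            b = child["vzBrCP"]
            contract_filters[b["attributes"]["name"]] = [
                r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for s in b["children"] for r in s["vzSubj"]["children"]]
        elif "fvAp" in child:
            for e in child["fvAp"]["children"]:
                epg = e["fvAEPg"]["attributes"]["name"]
                for rel in e["fvAEPg"]["children"]:
                    if "fvRsProv" in rel:
                        providers.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], []).append(epg)
                    elif "fvRsCons" in rel:
                        consumers.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], []).append(epg)
    return {(src, dst, port)
            for cname, fnames in contract_filters.items()
            for src in consumers.get(cname, [])
            for dst in providers.get(cname, [])
            for fname in fnames for port in filt_ports[fname]}


def is_permitted(tenant, src, dst, port):
    """True only if a contract consumed by src and provided by dst opens port."""
    return (src, dst, port) in allowed_flows(tenant)


if __name__ == "__main__":
    tenant = build_tenant()
    print(json.dumps(tenant, indent=1))  # body for POST /api/mo/uni.json
    for flow in [("web", "app", 8080), ("web", "db", 3306), ("app", "db", 3306)]:
        print(flow, "permitted" if is_permitted(tenant, *flow) else "denied")
```

The point the flow check makes is the one the sections above describe: web can reach app on 8080 and app can reach db on 3306, but web to db on 3306 is denied even though both sit in the same tenant, because no contract joins those two EPGs. The NFS and MGMT contracts are written once and consumed by all three tiers, which is the reusable shared-service pattern from the figure. In practice a design review should run exactly this kind of derivation against the tree before it is posted to the APIC, since a stray fvRsCons relation is all it takes to open a path the application never asked for.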