In this topic we will briefly learn the Cisco ACI terminology that is widely used, along with the figure that illustrates it.
Tenant – A Tenant is a separate unit such as a customer, business unit or group; it also separates traffic, administration, visibility, etc.
It is a logical container that holds all application-related policies and their related constructs.
Tenants can be isolated from one another, or they can share resources. Below are some of the logical constructs that a Tenant contains:
- VRF Instances
- Bridge Domains
- End Point Groups
- Application Profile
VRF – A VRF separates routing instances and their administration.
A Tenant can have multiple VRF instances; each defines a Layer 3 address domain. One or more BDs are associated with a VRF instance. A VRF is also called a context or a private network.
Bridge Domain (BD) – A Bridge Domain is the container for subnets. It is not a VLAN, and it can be used to define an L2 boundary.
Subnet – IP addresses within a given Bridge Domain; they must be unique within their associated L3 VRF.
Contract – A Contract represents the policy between EPGs; it is the construct through which two or more EPGs talk to each other, within a VRF or between different VRFs. A Contract is “provided” by one EPG and “consumed” by another.
Contracts are used to achieve the following EPG communications:
- Between ACI fabric application EPGs, both intra-tenant and inter-tenant
- Between ACI fabric application EPGs and Layer 2 external outside network instance EPGs
- Between ACI fabric application EPGs and Layer 3 external outside network instance EPGs
- Between ACI fabric out-of-band or in-band management EPGs
End-Point Group (EPG) – Container for objects requiring the same policy treatment (e.g. application tiers or services).
An EPG provides a model for mapping applications to the network. In ACI, policies are defined on the EPG, and then ports are assigned to it. Once this is done, the policy is pushed to all interfaces mapped to that EPG. This method means we do not have to configure ACLs or QoS on a per-port basis.
EPGs are then mapped (associated) to a BD to provide the Layer 2 boundary.
Endpoints are placed in an EPG when we statically or dynamically attach the EPG to physical domains or virtual domains. Once endpoints reside in EPGs, the communication pattern is as follows:
- All communication between endpoints within the same EPG is allowed by default.
- All communication between different EPGs is restricted, and no communication is allowed by default. To allow communication between EPGs, a Contract with a permit rule is required.
The ACI fabric contains the following types of EPG:
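The two rules above, together with the provider/consumer relationship of a Contract, can be modelled in a few lines. This is an added illustration, not code from the original post or from Cisco: the EPG names (web, app, db), endpoint names, contract name and port are constructed, and the model only evaluates the consumer-initiated direction of a flow.

```python
# Added example (not from the original post): a minimal model of the
# EPG/contract rules described above. All EPG names, endpoints, ports and
# the contract name are constructed for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:          # one filter entry of a contract subject
    proto: str
    dport: int

@dataclass
class Contract:
    name: str
    filters: frozenset                                # permitted Filter entries
    providers: set = field(default_factory=set)       # EPGs that "provide" it
    consumers: set = field(default_factory=set)       # EPGs that "consume" it

class Fabric:
    def __init__(self):
        self.contracts = {}   # contract name -> Contract
        self.endpoints = {}   # endpoint name -> EPG name (static/dynamic attach)

    def attach(self, endpoint, epg):
        self.endpoints[endpoint] = epg

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def allowed(self, src, dst, proto, dport):
        """Consumer-initiated flow check under the default ACI whitelist rules."""
        s_epg, d_epg = self.endpoints[src], self.endpoints[dst]
        if s_epg == d_epg:
            return True   # intra-EPG communication is free by default
        # inter-EPG: denied unless the source EPG consumes a contract that the
        # destination EPG provides and the contract carries a matching permit filter
        return any(s_epg in c.consumers and d_epg in c.providers
                   and Filter(proto, dport) in c.filters
                   for c in self.contracts.values())

def build_demo_fabric():
    """Constructed sample: 'web' consumes an 8080/tcp contract provided by 'app'."""
    fab = Fabric()
    for ep, epg in [("web1", "web"), ("web2", "web"), ("app1", "app"), ("db1", "db")]:
        fab.attach(ep, epg)
    fab.add_contract(Contract("web-to-app", frozenset({Filter("tcp", 8080)}),
                              providers={"app"}, consumers={"web"}))
    return fab
```

With this sample, web1 can reach web2 on any port (same EPG) and app1 only on 8080/tcp, while app1 initiating to web1 and web1 reaching db1 are both denied because no contract covers those directions.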
- Application Endpoint Group (fvEPg)
- Layer 2 external outside network instance endpoint group (l2extInstP)
- Layer 3 external outside network instance endpoint group (l3extInstP)
- Management endpoint groups for out-of-band (mgmtOoB) or in-band (mgmtInB) management access
Application Profile – It defines a set of policies and services and the relationships between EPGs. An Application Profile is like a folder that contains one or more EPGs. The Application Profile contains the required and related EPGs necessary for an application to work.
Learning this Cisco ACI terminology will help you understand the deeper concepts of ACI and its architecture.