Cisco ACI Basics : EPG and Contracts

Today I am going to talk about basic policy management in Cisco ACI, which defines who may talk to whom. If you recall my earlier post on SGTs (Secure Group Tags), which are used in the SD-Access campus environment to tag users, the equivalent construct in a Cisco ACI data center environment is the EPG (Endpoint Group).

For SGT, please have a look at the link below:
Introduction to Secure Group Tagging ( SGT )

Also have a look at the ACI multi-tenant post below:
Datacenter Basics : Cisco ACI Multi-Tenant environment

Other articles on Cisco ACI are:
Introduction to Cisco ACI stretched fabric and ACI Multi-pod Fabric Designs
Introduction to ACI Multi-Site Fabric Design Network
vPC and OTV as DCI for Cisco ACI Spine-Leaf Architecture
Difference Between Cisco ACI Multi-Pod Vs Cisco ACI Multi-Site
Cisco ACI and the VmWare NSX comparison
Overview on VXLAN in the Fabric Network- Cisco ACI

So let's talk about EPGs and the contracts defined in the Cisco ACI environment. As I said, an EPG is categorised as a group of physical or virtual servers, since most of the endpoints in a data center environment are servers. Each contract is defined by access lists: if one server wants to talk to another server, there must be a contract between them, which is defined by applying permit statements in the Cisco ACI GUI.

Put simply, an EPG provides a contract when it has a listening socket for incoming requests. For example, an EPG that hosts web servers should be configured as the provider of a contract that includes ports 80 and 443. The client-side EPG is instead a consumer of that web contract.

Fig 1.1- Cisco ACI : EPG's Contract 
If you want to use the Cisco ACI fabric as a simple routed or switched fabric, you can configure contracts that are imported and exported by each EPG, and you can map each EPG to familiar constructs such as VLANs.

The segmentation needs expressed as EPGs, together with their binding and classification requirements, are rendered on each leaf with well-known constructs such as VLANs or VRF instances.

Communication policy enforcement also uses well-known constructs such as inbound and outbound 5-tuple match permits and denies, and is powered by additional application-specific integrated circuits (ASICs) developed by Cisco.

When you define a configuration, it is expressed in terms of a policy that defines:
  • Which servers can talk to each other?
  • What the servers can talk about (for instance, which Layer 4 ports can be used, potentially defined as "any any" to allow all communication)?

Cisco ACI uses a whitelist model: two EPGs cannot talk unless a contract expresses which traffic is allowed. The firewall in the picture represents the default filtering that occurs via the contract. 
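As an added example (not code from this post or from Cisco), here is a small Python model of the whitelist rule just described: a flow from one EPG to another passes only when the source EPG consumes a contract that the destination EPG provides and one of that contract's filter entries matches the protocol and destination port; everything else is implicitly denied. The EPG names, contract name and ports are constructed, and only the consumer-to-provider direction is modelled.

```python
from dataclasses import dataclass, field

# Constructed toy model of ACI policy objects (not APIC's object model).
# A filter entry matches one protocol and a destination port range;
# proto "any" with the full port range is the "any any" filter.
@dataclass(frozen=True)
class FilterEntry:
    proto: str                # "tcp", "udp" or "any"
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and self.dport_from <= dport <= self.dport_to)

@dataclass(frozen=True)
class Contract:
    name: str
    entries: tuple            # FilterEntry objects (one subject, one filter)

@dataclass
class EPG:
    name: str
    provided: set = field(default_factory=set)   # contracts this EPG provides
    consumed: set = field(default_factory=set)   # contracts this EPG consumes

def is_permitted(src: EPG, dst: EPG, contracts: dict, proto: str, dport: int) -> bool:
    """Whitelist check for a new flow from src (consumer) to dst (provider).

    Allowed only if src consumes a contract that dst provides and some filter
    entry of that contract matches the flow; anything else is denied.
    Return traffic (provider back to consumer) is not modelled here; in ACI it
    is covered by the subject's 'Apply Both Directions' / reverse-port setting.
    """
    for cname in src.consumed & dst.provided:
        if any(e.matches(proto, dport) for e in contracts[cname].entries):
            return True
    return False

# Constructed example: the Web EPG provides a "web" contract on TCP 80/443,
# the App EPG consumes it, and the DB EPG has no contract with either.
CONTRACTS = {
    "web": Contract("web", (FilterEntry("tcp", 80, 80), FilterEntry("tcp", 443, 443))),
}
WEB = EPG("Web", provided={"web"})
APP = EPG("App", consumed={"web"})
DB = EPG("DB")
```

Running `is_permitted(APP, WEB, CONTRACTS, "tcp", 443)` returns True, while the same check for port 22, for DB to WEB, or for WEB to APP returns False, which is the default-deny behaviour the firewall in the figure stands for.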
