Posts

Showing posts from December, 2019

Cisco ACI EPG

This post summarizes my study notes on the topic of ACI End Point Groups (EPG). EPG Definitions: a network engineer can think of an EPG as a sort of container; to avoid confusion with Linux containers, call it a "placeholder" for now. An EPG is a placeholder for end hosts to which we apply a set of network policies; in other words, it is the place in the network where policies are enforced on a group of end hosts. The end hosts can be physical servers, virtual machines, Linux containers, clients from the Internet, etc. But how do end hosts get placed in the right EPG, and how does the APIC do that? Don't we configure a VLAN under a switch port and thus group end hosts on a VLAN ID basis? No. An end host is assigned to an EPG by a traffic classifier, and the traffic classifier in ACI (as far as I know) is the encapsulation identifier (Encap ID), whether it is the 802.1Q VLAN ID o...
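To make the classifier idea concrete, here is an added Python example (not code from the original post or from Cisco). It parses static path bindings in the shape of the fvRsPathAtt objects the APIC REST API returns for an EPG, builds a lookup keyed on leaf, port and encap, and assigns a frame to an EPG from the 802.1Q tag it carries on that port. It goes slightly beyond the excerpt: it also handles the "untagged" and "native" binding modes, rejects two EPGs claiming the same encap on the same path, and shows that the same VLAN ID on a different leaf can belong to a different EPG, because the encap is only locally significant. The tenant, application profile, EPG names, leaf IDs, ports and VLAN IDs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data shaped like the fvRsPathAtt objects an APIC returns
# for static path bindings. Tenant "Demo", application profile "Shop", the EPG
# names, leaf node IDs, ports and VLAN IDs are assumptions for this example.
SAMPLE_PATH_BINDINGS: List[dict] = [
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-Demo/ap-Shop/epg-Web/rspathAtt-[topology/pod-1/paths-101/pathep-[eth1/1]]",
        "tDn": "topology/pod-1/paths-101/pathep-[eth1/1]",
        "encap": "vlan-10", "mode": "regular"}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-Demo/ap-Shop/epg-App/rspathAtt-[topology/pod-1/paths-101/pathep-[eth1/1]]",
        "tDn": "topology/pod-1/paths-101/pathep-[eth1/1]",
        "encap": "vlan-20", "mode": "regular"}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-Demo/ap-Shop/epg-DB/rspathAtt-[topology/pod-1/paths-102/pathep-[eth1/1]]",
        "tDn": "topology/pod-1/paths-102/pathep-[eth1/1]",
        "encap": "vlan-10", "mode": "regular"}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-Demo/ap-Shop/epg-Mgmt/rspathAtt-[topology/pod-1/paths-101/pathep-[eth1/3]]",
        "tDn": "topology/pod-1/paths-101/pathep-[eth1/3]",
        "encap": "vlan-30", "mode": "untagged"}}},
]

EPG_DN_RE = re.compile(r"^uni/tn-([^/]+)/ap-([^/]+)/epg-([^/]+)/")
PATH_RE = re.compile(r"^topology/pod-(\d+)/paths-(\d+)/pathep-\[([^\]]+)\]$")
ENCAP_RE = re.compile(r"^(vlan|vxlan)-(\d+)$")

Path = Tuple[int, int, str]       # (pod, leaf node id, interface)
Epg = Tuple[str, str, str]        # (tenant, application profile, EPG)
Binding = Tuple[int, str, Epg]    # (encap id, binding mode, EPG)


def build_classifier(objs: List[dict]) -> Dict[Path, List[Binding]]:
    """Turn fvRsPathAtt objects into a per-path list of (encap, mode, EPG)."""
    table: Dict[Path, List[Binding]] = {}
    for obj in objs:
        attrs = obj["fvRsPathAtt"]["attributes"]
        m_epg = EPG_DN_RE.match(attrs["dn"])
        m_path = PATH_RE.match(attrs["tDn"])
        m_encap = ENCAP_RE.match(attrs["encap"])
        if not (m_epg and m_path and m_encap):
            raise ValueError(f"unrecognised binding: {attrs}")
        path: Path = (int(m_path.group(1)), int(m_path.group(2)), m_path.group(3))
        epg: Epg = (m_epg.group(1), m_epg.group(2), m_epg.group(3))
        encap_id = int(m_encap.group(2))
        # The same encap on the same path must map to exactly one EPG; the
        # fabric rejects an overlap, so we refuse to build an ambiguous table.
        if any(e == encap_id for e, _, _ in table.get(path, [])):
            raise ValueError(f"encap {attrs['encap']} already bound on {attrs['tDn']}")
        table.setdefault(path, []).append((encap_id, attrs["mode"], epg))
    return table


def classify(table: Dict[Path, List[Binding]], pod: int, leaf: int,
             port: str, vlan_tag: Optional[int]) -> Optional[Epg]:
    """Return the EPG a frame lands in, given where it arrived and its tag.

    vlan_tag is None for an untagged frame. "regular" bindings need the exact
    tag, "untagged" bindings take untagged frames, and "native" (802.1p) takes
    untagged or priority-tagged (VLAN 0) frames. No match means no EPG, so the
    frame is dropped rather than classified by port alone.
    """
    for encap, mode, epg in table.get((pod, leaf, port), []):
        if mode == "regular" and vlan_tag == encap:
            return epg
        if mode == "untagged" and vlan_tag is None:
            return epg
        if mode == "native" and vlan_tag in (None, 0):
            return epg
    return None


if __name__ == "__main__":
    t = build_classifier(SAMPLE_PATH_BINDINGS)
    for leaf, port, tag in [(101, "eth1/1", 10), (101, "eth1/1", 20),
                            (102, "eth1/1", 10), (101, "eth1/2", 10),
                            (101, "eth1/3", None)]:
        print(f"leaf {leaf} {port} tag={tag}: {classify(t, 1, leaf, port, tag)}")
```

Two frames on the same port with different tags land in different EPGs, and VLAN 10 on leaf 102 is a different EPG from VLAN 10 on leaf 101; a frame arriving with no matching binding gets no EPG at all.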

The Ugly Truth About Cisco ACI Bridge Domains

Here are my study notes on the topic of ACI Bridge Domains. Bridge Domain: Concepts. A bridge domain defines a MAC address space and a Layer 2 flooding domain (Layer 2 flooding covers Layer 2 broadcast and Layer 2 multicast traffic), provided flooding is enabled on the bridge domain's configuration page. The bridge domain in ACI takes over the role of a VLAN in the traditional network. Remember that we use VLANs to segment broadcast domains and "group" end hosts together according to some business need? A bridge domain fulfils this function, and more, without the limitation of a VLAN where we attach one subnet per VLAN. In fact, a bridge domain is a container of zero, one or more subnets; in other words, we define IP subnets within bridge domains. When a bridge domain has at least one subnet, one of the subnet gateways is marked as the primary IP address of the bridge domain. We can group subnets together in the same bridge domain, or separate them into different bridge domains. The second appro...

Cisco ACI L4-7 Service Insertion

These are my study notes on the Cisco ACI L4-7 service insertion topic. Definitions: ACI L4-7 (read "Layer four to seven") service insertion is the process of introducing L4-7 services into the data path of a packet in the ACI fabric, independently of the physical location of the L4-7 device itself. The L4-7 integration (or insertion) is achieved either manually or with a Service Graph. The L4-7 services can be packet filtering, packet inspection, NAT, intrusion detection/prevention, and load balancing. They are performed by devices such as firewalls (Cisco ASA, Palo Alto, Fortinet, etc.), load balancers (F5, Citrix, etc.) and IPS (Cisco Firepower, etc.). The terms L4-7 device, service device and function device are used interchangeably. Inserting a service device does not mean physically cabling the device, but rather inserting the function performed by the device into the data path between...

Cisco ACI Policies

Introduction: this post presents my study notes on ACI policies. We first distinguish the types of policies in ACI, then we go through the different fabric access policies. Types of ACI policies: ACI policies fall into three categories. Tenant policies define the behaviour of an application whenever traffic hits the fabric, and they trigger the access policies. Fabric policies are necessary for the internal working of the fabric; they specify "things" on leafs and spines, NTP being one example. Access policies are probably the most intriguing of all the ACI policies you will encounter: they configure the logical and physical interfaces, but the configuration remains in a sort of inactive state on the fabric ports until triggered by a tenant policy. Another way to look at access policies is that they specify "things" on leafs in the direction of the access ports. The chronolog...