Operating Cisco Application Centric Infrastructure

New logical concepts from the Operating Cisco Application Centric Infrastructure paper
Fabric – Access Policies


Endpoint groups are considered the “who” in ACI; contracts are considered the “what/when/why”; AEPs can be considered the “where” and domains can be thought of as the “how” of the fabric. Different domain types are created depending on how a device is connected to the leaf switch. There are four different domain types: physical domains, external bridged domains, external routed domains, and VMM domains. 

* Physical domains are generally used for bare metal servers or servers where hypervisor integration is not an option.

* External bridged domains are used for Layer 2 connections. For example, an external bridged domain could be used to connect an existing switch trunked-up to a leaf switch.

* External routed domains are used for Layer 3 connections. For example, an external routed domain could be used to connect a WAN router to the leaf switch.

Domains act as the glue between the configuration done in the fabric tab and the policy model and endpoint group configuration found in the tenant pane. The fabric operator creates the domains, and the tenant administrators associate domains to endpoint groups.

Ideally, policies should be created once and reused when connecting new devices to the fabric. Maximizing the reusability of policies and objects makes day-to-day operations exponentially faster and makes large-scale changes easier. The usage of these policies can be viewed by clicking the Show Usage button in the Application Policy Infrastructure Controller (APIC) GUI. Use this to determine which objects are using a certain policy and to understand the impact of a change before making it.

For an in-depth whiteboard explanation on domains, watch the following video titled “How Devices Connect to the Fabric: Understanding Cisco ACI Domains”: https://www.youtube.com/watch?v=_iQvoC9zQ_A

VLAN Pools

VLAN pools contain the VLANs used by the EPGs the domain will be tied to. A domain is associated to a single VLAN pool. VXLAN and multicast address pools are also configurable. VLANs are instantiated on leaf switches based on AEP configuration. Allow/deny forwarding decisions are still based on contracts and the policy model, not subnets and VLANs.

Attachable Access Entity Profiles

Attachable Access Entity Profiles (AEPs) can be considered the “where” of the fabric configuration, and are used to group domains with similar requirements. AEPs are tied to interface policy groups. One or more domains can be added to an AEP. By grouping domains into AEPs and associating the AEPs with interface policy groups, the fabric knows where the various devices in the domain live and the Application Policy Infrastructure Controller (APIC) can push the VLANs and policy where they need to be. AEPs are configured under the global policies section.
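
The VLAN pool, domain and AEP relationships described above can be checked offline against an export of the access policies. The following is an added example, not code from the Cisco paper: the class names (fvnsVlanInstP, fvnsEncapBlk, infraRsVlanNs, infraRsDomP, infraAttEntityP and the domain classes) come from the APIC object model rather than from this page, and the sample objects and their names are constructed.

```python
DOMAIN_CLASSES = ("physDomP", "l2extDomP", "l3extDomP", "vmmDomP")

def mo(cls, *children, **attrs):
    """Build one managed object in APIC REST JSON shape."""
    return {cls: {"attributes": attrs, "children": list(children)}}

# Constructed sample data, not taken from a real fabric.
SAMPLE = [
    mo("fvnsVlanInstP", mo("fvnsEncapBlk", **{"from": "vlan-100", "to": "vlan-103"}),
       dn="uni/infra/vlanns-[baremetal]-static"),
    mo("fvnsVlanInstP", mo("fvnsEncapBlk", **{"from": "vlan-200", "to": "vlan-201"}),
       dn="uni/infra/vlanns-[wan]-static"),
    mo("physDomP", mo("infraRsVlanNs", tDn="uni/infra/vlanns-[baremetal]-static"),
       dn="uni/phys-servers"),
    mo("l3extDomP", mo("infraRsVlanNs", tDn="uni/infra/vlanns-[wan]-static"),
       dn="uni/l3dom-wan"),
    mo("physDomP", dn="uni/phys-orphan"),  # no VLAN pool, not in any AEP
    mo("infraAttEntityP", mo("infraRsDomP", tDn="uni/phys-servers"),
       mo("infraRsDomP", tDn="uni/l3dom-wan"), dn="uni/infra/attentp-rack1"),
]

def kids(body, cls):
    """Attributes of the direct children of the given class."""
    return [c[cls]["attributes"] for c in body["children"] if cls in c]

def audit(objs):
    """Return ({AEP dn: sorted VLAN ids it can deploy}, [findings])."""
    pools, dom_pools, aeps, findings = {}, {}, {}, []
    for obj in objs:
        (cls, body), = obj.items()
        dn = body["attributes"]["dn"]
        if cls == "fvnsVlanInstP":
            pools[dn] = set()
            for blk in kids(body, "fvnsEncapBlk"):
                lo, hi = (int(blk[k].split("-")[1]) for k in ("from", "to"))
                pools[dn].update(range(lo, hi + 1))
        elif cls in DOMAIN_CLASSES:
            dom_pools[dn] = [r["tDn"] for r in kids(body, "infraRsVlanNs")]
        elif cls == "infraAttEntityP":
            aeps[dn] = [r["tDn"] for r in kids(body, "infraRsDomP")]
    for dom, refs in dom_pools.items():
        if len(refs) != 1 or refs[0] not in pools:
            findings.append(f"{dom}: expected exactly one known VLAN pool, got {refs}")
        if not any(dom in doms for doms in aeps.values()):
            findings.append(f"{dom}: not attached to any AEP")
    reach = {aep: sorted({v for d in doms for p in dom_pools.get(d, [])
                          for v in pools.get(p, ())}) for aep, doms in aeps.items()}
    return reach, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The per-AEP VLAN list shows how much encapsulation space an interface policy group exposes, which makes over-broad AEPs and unused domains easy to spot before a change.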