Cisco ACI Network Centric vs Application Centric Deployment Models (2024)

Cisco ACI is designed and deployed with access policies encompassing switch and interface profiles, groups, VLAN pools, physical domains, and configuration constructs such as VRFs, BDs, and EPGs. The same network environment can be designed and implemented in multiple ways using those constructs. There are two approaches to designing and deploying the Cisco ACI configuration: the network-centric and the application-centric deployment model. The difference between the two is which Cisco ACI constructs are used, and how and where they are used.

Using a network- or application-centric deployment model is a choice made when designing the Cisco ACI deployment. There is no configuration option in the APIC that turns one model or the other on.

The differences between the two models are in which and how config constructs are used to describe the environment, the number of them used, where the default gateway is placed, where and how security policies are implemented, and so on.

The starting point for the Cisco ACI design and deployment is how the application logical topology used in the environment is seen and understood.

An application blueprint, or logical topology, is a description of what a deployed application should look like. The application logical topology therefore encompasses the following aspects of an application:

  • Application tiers that comprise a particular application
  • Network segments that are used in the logical topology
  • How and where the application tiers and their instances are connected to the network
  • What traffic flows are used between application tiers (that is, how application tiers communicate between themselves)

[Figure 1]

The example shows the layout of an application logical topology for a deployment of a WebSphere Business Process Manager (BPM) application, which is used for business process modeling (note that this blueprint is only a subset of the complete logical topology and serves as an example for the deployment model discussion). Bear in mind that such a blueprint is not always available, or may be only partially complete.

The application is composed of four application tiers:

  • The Front-end tier is the client-facing part through which business users access the BPM application.
  • The Process Servers tier is the middle tier used for application deployment and messaging. The processing in this tier is driven by input from the Front-end tier.
  • The BPM Managers tier encompasses the management services used to monitor, update, scale, and otherwise manage the other tiers of the application.
  • The BPM Databases tier consists of the databases that store all application-related data, such as the architecture of individual business process models, who created each model, which applications a business model requires, monitoring data for the BPM application, and so on.

The instances of the application tiers are placed in four separate network segments, that is, VLANs and IP subnets.

The traffic flows are defined with arrows indicating the client and server side of each communication, along with the TCP port (for example, the Process Servers listen on TCP ports 55025 and 55080).

The blueprint also indicates that the security policy should protect each individual tier, allowing only the defined communication.

Network-Centric Design

The network-centric design is based on a topology that is seen as a number of network segments. All communication is defined in terms of VLANs, their respective subnets, and the traffic flows between these VLANs. The granularity of communication policies is the network segment.

The network-centric approach is typically used as a first step in migrating an existing network (that is, a brownfield environment) to Cisco ACI, because network constructs such as the flooding domain are the same as what is already deployed in the existing network.

It includes connecting external switched segments and existing firewall and load-balancing appliances to the Cisco ACI fabric, with little or no change to the network layout.

[Figure 2]

In the network-centric deployment model, the Cisco ACI fabric is deployed as a traditional switching fabric:

  • An individual VLAN (and optionally an IP subnet) corresponds to a single BD containing a single EPG. The endpoints that are part of the EPG belong to a single VLAN/IP subnet. This can simply be described as 1 BD = 1 EPG = 1 VLAN.
  • The default gateway for an individual IP subnet may be implemented on a routing device external to the Cisco ACI fabric (for example, a firewall) rather than at the BD level.
  • A BD may be configured with flooding enabled, since existing switched networks are typically connected to Cisco ACI and the default gateway may be implemented there.
  • Layer 4 through Layer 7 services are integrated using bridging (for example, firewall that is implemented in a transparent mode) or routing.
  • Security policies are implemented at Layer 3 boundaries as ACLs that define which VLANs are allowed to communicate.

The implementation of security policies depends on where the default gateway is defined:

  • When an external device (such as a firewall) is used as the default gateway, the ACLs between VLANs are defined as firewall rules between the attached VLANs.
  • When the default gateway is defined at the BD, ACI routes the traffic and contracts are required to allow traffic between EPGs. Since 1 BD = 1 EPG = 1 VLAN, the contracts effectively act as ACLs between VLANs, even though the filters used by contracts are defined only with ports and protocols.

The Cisco ACI deployment using a network-centric approach for the BPM application relies on the application blueprint presented earlier. Two design options are presented; the differences are in how the ACI fabric is used and where the security policies are implemented.

The first design option is defined in the following way:

  • Cisco ACI fabric is implemented as a regular Layer 2 switched fabric.
  • There are four separate BDs with arbitrary names incorporating the VLAN number (BD 100 to BD 103).
  • All BDs are put into a single VRF.
  • Each BD is configured with a single EPG (EPG 100 to EPG 103), also with arbitrary names incorporating the VLAN numbers.
  • The default gateway functionality for all segments is implemented on the external central firewall.
  • All routing and security policies between the VLANs 100 to 103 are implemented via external central firewall.

[Figure 4]

The second design uses the ACI fabric for all functionality:

  • Cisco ACI fabric is implemented as a Layer 3 routed fabric.
  • The same four separate BDs with arbitrary names incorporating the VLAN number (BD 100 to BD 103) are used.
  • All BDs are put into a single VRF.
  • Each BD is again configured with a single EPG (EPG 100 to EPG 103), also with arbitrary names incorporating the VLAN numbers.
  • The default gateway functionality for each individual segment is implemented at the BD level.
  • Routing between VLANs 100 to 103 is implemented in the ACI fabric.
  • Security policies defining the allowed traffic are defined with contracts applied to the EPGs, which are equivalent to VLANs.

Application-Centric Design

The application-centric design is based on the layout and requirements of applications. The communication is defined by the endpoint EPG membership and relationships between these EPGs. VLANs and IP subnets are not relevant from the perspective of defining these relationships. The granularity of communication policies is defined with the EPGs.

In the application-centric deployment model, all endpoints are typically connected directly to the Cisco ACI fabric (note that this is recommended, not required). The approach may be used in new data center implementations, or as a second step in implementing Cisco ACI when existing environments need to be migrated.

[Figure 5]

In the application-centric deployment model, the Cisco ACI fabric is deployed following the application architecture and relationships between application tiers:

  • There is a single BD, or just a few BDs, which can be optimized from the forwarding perspective since flooding and extension to external switched networks are not required.
  • A single BD is implemented with multiple EPGs.
  • Endpoints are grouped into EPGs based on their communication requirements (that is, the endpoints of a particular EPG typically belong to the same application tier).
  • An individual subnet may be split into multiple EPGs.
  • The default gateway for each IP subnet is implemented in the Cisco ACI fabric; a single BD is configured with multiple IP subnets.
  • Security policies are implemented with contracts that are applied to EPGs.

In the application-centric model, security policies are not limited by VLAN/subnet boundaries, since EPGs do not equal IP subnets. Contracts with port- and protocol-based filters, applied to EPGs, control the traffic between application tiers regardless of the IP subnet the endpoints belong to.

In the application-centric approach, the topology of the BPM application is seen as several application tiers, as presented in the application blueprint.

[Figure 6]

The design may be defined in the following way:

  • All endpoints are connected directly to the Cisco ACI fabric.
  • A single BD is defined for the BPM application.
  • Four distinct EPGs are defined, one per application tier:

  1. EPG-frontend encompasses all servers that are used by users for accessing the BPM application.
  2. EPG-mngr encompasses all BPM manager servers that are used to monitor and manage BPM application.
  3. EPG-procsrv encompasses all BPM process servers that provide messaging and application deployment services.
  4. EPG-DB encompasses all BPM DB servers that are used to store application data and are accessed by the other application tiers.

  • All four default gateways and IP subnets are defined at the BD-BPM level, providing pervasive gateway functionality in the Cisco ACI fabric.
  • Three contracts are defined and applied to allow the traffic defined in the application blueprint:

  1. ctr-front is consumed by EPG-mngr and provided by EPG-frontend, allowing BPM manager servers to monitor and manage the BPM front-end servers.
  2. ctr-psrv is used to allow BPM manager servers and front-end servers to access BPM process servers. It is provided by EPG-procsrv and consumed by both EPG-frontend and EPG-mngr.
  3. ctr-db is used to allow BPM manager, process, and front-end servers to access BPM DB servers. It is provided by EPG-DB and consumed by EPG-frontend, EPG-mngr, and EPG-procsrv.
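The whitelist that these three contracts create can be checked before anything is pushed to the APIC. The following is an added example, not code from the page or the DCACIA course: it models the single-BD, four-EPG, three-contract design as consumer/provider relations with port-based filters and answers "is this flow allowed?" for a given source EPG, destination EPG, protocol and port. The Process Server ports 55025 and 55080 come from the blueprint; the front-end and DB ports are assumed placeholders, since the page gives none. The same evaluator fits the second network-centric option, where EPG 100 to EPG 103 stand in for VLANs.

```python
# Added example (not from the page or the DCACIA course): the BPM
# application-centric design above, expressed as a small policy model so a
# flow can be checked against the whitelist the contracts create.
# Process Server ports 55025/55080 come from the blueprint; the front-end
# and DB ports are assumed placeholders, since the page does not give them.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class FilterEntry:
    proto: str                   # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class Contract:
    name: str
    entries: Tuple[FilterEntry, ...]
    providers: Set[str] = field(default_factory=set)
    consumers: Set[str] = field(default_factory=set)

# One BD (BD-BPM) with four EPGs; subnet membership plays no role in policy.
EPGS = {"EPG-frontend", "EPG-mngr", "EPG-procsrv", "EPG-DB"}

CONTRACTS: List[Contract] = [
    Contract("ctr-front", (FilterEntry("tcp", 443),),          # port assumed
             providers={"EPG-frontend"}, consumers={"EPG-mngr"}),
    Contract("ctr-psrv", (FilterEntry("tcp", 55025), FilterEntry("tcp", 55080)),
             providers={"EPG-procsrv"}, consumers={"EPG-frontend", "EPG-mngr"}),
    Contract("ctr-db", (FilterEntry("tcp", 50000),),           # port assumed
             providers={"EPG-DB"},
             consumers={"EPG-frontend", "EPG-mngr", "EPG-procsrv"}),
]

def allowed(src_epg: str, dst_epg: str, proto: str, dport: int,
            contracts: List[Contract] = CONTRACTS) -> Optional[str]:
    """Name of the contract that permits a consumer->provider flow, or None.

    Mirrors the semantics the text describes: traffic inside an EPG is
    permitted by default; traffic between EPGs only if some contract is
    consumed by the source EPG, provided by the destination EPG, and has a
    filter entry matching the protocol and port. Return traffic is covered
    by ACI's reverse-filter-port option and is not modelled here.
    """
    if src_epg == dst_epg:
        return "intra-epg"
    for c in contracts:
        if src_epg in c.consumers and dst_epg in c.providers:
            for e in c.entries:
                if e.proto == proto and (e.dport is None or e.dport == dport):
                    return c.name
    return None

def unreachable_epgs(contracts: List[Contract] = CONTRACTS,
                     epgs: Set[str] = EPGS) -> Set[str]:
    """EPGs that provide no contract: no other EPG can initiate to them.

    A quick design check; in this blueprint only EPG-mngr is never a
    provider, matching the intent that managers initiate monitoring.
    """
    provided = set().union(*(c.providers for c in contracts))
    return epgs - provided
```

Anything not returned by `allowed()` is dropped by the fabric, so the same function doubles as a regression test when a contract or filter is later changed.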

In the application-centric design, a single BD can have multiple EPGs. It is recommended to use different VLANs for different EPGs. A VLAN ID can be reused for a different EPG if it is on a different leaf. The same VLAN can be reused in different EPGs on the same leaf with the VLAN scope "local" (per-port VLAN) feature, but the EPGs must then be in different BDs.
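The three reuse rules above are easy to break once static port bindings accumulate. The following added example (not code from the page) checks a list of EPG-to-port bindings against exactly those rules: reuse across leaves is fine, reuse on one leaf needs port-local VLAN scope on both ports, and even then the two EPGs must be in different BDs. Leaf names, ports, VLAN IDs and the extra BD-tools/EPG-tools pair are constructed sample data.

```python
# Added example (not from the page): a check of static EPG-to-port bindings
# against the three VLAN reuse rules stated in the text. Leaf names, ports,
# VLAN IDs and the EPG-tools/BD-tools pair are constructed sample data.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Binding(NamedTuple):
    leaf: str
    port: str
    vlan: int    # encapsulation VLAN on that port
    epg: str
    bd: str
    scope: str   # "global" (default) or "local" (per-port VLAN)

def vlan_conflicts(bindings: List[Binding]) -> List[str]:
    """One message per pair of bindings that break the VLAN reuse rules.

    Rule 1: the same VLAN ID for different EPGs on different leaves is fine,
            so only bindings sharing (leaf, vlan) are compared.
    Rule 2: on one leaf, different EPGs may share a VLAN only when both
            ports use VLAN scope "local" (and never on the same port).
    Rule 3: even then, the two EPGs must belong to different BDs.
    """
    problems: List[str] = []
    groups: Dict[Tuple[str, int], List[Binding]] = defaultdict(list)
    for b in bindings:
        groups[(b.leaf, b.vlan)].append(b)
    for (leaf, vlan), group in groups.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.epg == b.epg:
                    continue  # same EPG on two ports: plain trunking, fine
                where = f"{leaf} VLAN {vlan}: {a.epg} ({a.port}) vs {b.epg} ({b.port})"
                if a.port == b.port:
                    problems.append(where + " - two EPGs on one port/VLAN")
                elif a.scope != "local" or b.scope != "local":
                    problems.append(where + " - reuse needs port-local VLAN scope")
                elif a.bd == b.bd:
                    problems.append(where + f" - both in {a.bd}; port-local reuse needs different BDs")
    return problems

# Constructed sample: BD-BPM with the four EPGs from the design above, plus
# an assumed second BD/EPG pair to show a valid port-local reuse.
SAMPLE = [
    Binding("leaf-101", "eth1/1", 100, "EPG-frontend", "BD-BPM", "global"),
    Binding("leaf-102", "eth1/1", 100, "EPG-mngr", "BD-BPM", "global"),     # other leaf: ok
    Binding("leaf-101", "eth1/2", 100, "EPG-procsrv", "BD-BPM", "global"),  # same leaf: bad
    Binding("leaf-103", "eth1/5", 200, "EPG-DB", "BD-BPM", "local"),
    Binding("leaf-103", "eth1/6", 200, "EPG-tools", "BD-tools", "local"),   # local + other BD: ok
    Binding("leaf-103", "eth1/7", 300, "EPG-frontend", "BD-BPM", "local"),
    Binding("leaf-103", "eth1/8", 300, "EPG-mngr", "BD-BPM", "local"),      # same BD: bad
]
```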

Guidance for Application-centric per Port VLAN design:

[Figure 7]

Source: DCACIA Course


FAQs

What are the Cisco ACI network-centric and application-centric deployment models?

The network-centric approach allows the existing network architecture and traffic flows to remain the same, giving IT staff enough time to become familiar with the new terminology of the ACI fabric. The application-centric approach is a comparatively new model in which application tiers are defined by EPGs.

What is the difference between ACI application-centric and network-centric design?

Network-centric design simply means having one bridge domain per subnet and striving for one EPG per BD, so there are many small BDs, each mapped to a small subnet. Application-centric design strives for one large supernet mapped to one BD, so there is just one BD or very few BDs.

What is the network-centric approach in ACI?

Network-Centric Approach

The network-centric approach is the preferred approach for legacy migration scenarios. It helps ensure that unknown traffic types are not blocked during application migration. In the network-centric approach the EPG mapping is equivalent to the following: ACI EPG-A mapped to VLAN 10.

What are the two characteristics of network-centric design in Cisco ACI?

The network-centric design is based on a topology that is seen as a number of network segments. All communication is defined in terms of VLANs, their respective subnets, and the traffic flows between these VLANs. The granularity of communication policies is the network segment.

What is Cisco's Application Centric Infrastructure (ACI)?

Cisco Application Centric Infrastructure (ACI) is a software-defined networking (SDN) solution designed for data centers. Cisco ACI allows network infrastructure to be defined based upon network policies, simplifying, optimizing, and accelerating the application deployment lifecycle.

What is the difference between a traditional network and ACI?

Key Differences: 1. Centralized Control: Traditional Cisco Architecture relies on individual device configuration, while ACI centralizes control with the APIC, simplifying network management. 2.

What is an example of a network-centric application?

Facebook would be a perfect example. Sure, it falls under the category of social network as well, but from a tech standpoint it's a very large network-centric application.

What are the three components of ACI architecture?

ACI consists of three key components: the Application Policy Infrastructure Controller (APIC), the leaf switches, and the spine switches. The APIC is a centralized controller that manages all aspects of the ACI fabric. The leaf switches are ToR switches that provide connectivity between servers and external networks.

What is the network-centric model?

The network-centric approach aims to tap into the hidden resources of knowledge workers supported and enabled by ICT, in particular the social technologies associated with Web 2.0 and Enterprise 2.0. Essentially though, a network-centric organization is more about people and culture than technology.

What architectural model is used with Cisco ACI?

The Cisco Application Policy Infrastructure Controller (APIC) is the main architectural component of the Cisco ACI solution. It is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring.

Which two are key Cisco ACI features?

Key characteristics of ACI include:
  • Simplified automation by an application-driven policy model.
  • Application Velocity. ...
  • Centralized visibility with real-time, application health monitoring.
  • Open software flexibility for DevOps teams and ecosystem partner integration.

What is an application-centric approach?

Focusing on the application as the foundation or starting point. In an application-centric system, the program is loaded first, which in turn is used to create or edit a particular data structure (text document, spreadsheet, image, etc.). Contrast with document centric.

What is the difference between Cisco ACI and NSX?

ACI: Key Differences. Both Cisco ACI and VMware NSX have similar qualities and features. The main difference is that VMware NSX focuses on virtualized networks, while Cisco ACI can connect to both physical and virtual networks.

What are the benefits of an ACI network?

By deploying Cisco ACI, organizations can benefit from simplified network management, increased security, automation, scalability, and improved application performance, ultimately driving operational efficiency and innovation in their data centers.

What is the difference between application-centric and network-centric ACI?

Network-centric mode follows the traditional approach of retaining the concept of subnetting and using VLANs and VRFs. In contrast, the application-centric approach hides traditional network terminology (such as VRFs, VLANs, and subnets).

Is Cisco ACI an SDN?

Cisco ACI - software defined networking (SDN) for your data center - Cisco Video Portal.

Does Cisco ACI use Spanning Tree?

The main difference between ACI and legacy switches is that ACI switches do not run the Spanning Tree Protocol (not 802.1D, not 802.1w, not RPVST+; none of them).

What is the topology of Cisco ACI?

Standard ACI Topology. An ACI fabric forms a Clos-based spine-and-leaf topology and is usually depicted using two rows of switches. Depending on the oversubscription and overall network throughput requirements, the number of spines and leaf switches will be different in each ACI fabric.

What protocol does Cisco ACI use?

ACI uses Multi-Protocol BGP (MP-BGP) with VPNv4 in the ACI infra VRF (overlay-1 VRF) to distribute external routes from a border leaf to other leaf switches.

What is the difference between APIC and ACI?

APIC is a software control center used to configure and run this infrastructure. Because ACI follows the SDN paradigm of decoupling control plane functions from the forwarding plane, the devices that build the fabric do not have the intelligence required to make independent decisions on forwarding packets.

What is the meaning of network-centric?

Meaning of net-centric in English

depending on the internet, for example, to sell products, manage services, or get information: Security within a net-centric environment has its own challenges for the business user. (Definition of net-centric from the Cambridge Business English Dictionary © Cambridge University Press)

What is App Centric?

App-centric refers to a view that provides visibility into an application's needs in terms of resource requirements, for example memory, CPU or bandwidth. This view makes it possible to capture the metrics that help ensure applications have the optimal resource level to run seamlessly.

What does ACI network stand for?

Cisco ACI - Application Centric Infrastructure - Cisco.

Article information

Author: Chrissy Homenick
