Cisco ACI is designed and deployed with access policies (switch and interface profiles, policy groups, VLAN pools, physical domains) and configuration constructs such as VRFs, bridge domains (BDs), and endpoint groups (EPGs). The same network environment can be designed and implemented in multiple ways using those constructs. Two approaches can be used to design and deploy the Cisco ACI configuration: the network-centric and the application-centric deployment model. The models differ in which Cisco ACI constructs are used, how they are used, and where they are applied.
Choosing a network-centric or application-centric deployment model is a design decision made when planning the Cisco ACI deployment. There is no APIC configuration option that turns one model or the other on.
The two models differ in which configuration constructs are used to describe the environment and how, in how many of them are used, where the default gateway is placed, where and how security policies are implemented, and so on.
The starting point for Cisco ACI design and deployment is how the application logical topology used in the environment is seen and understood.
An application blueprint, or logical topology, is a description of how the deployed application should look. The application logical topology therefore encompasses the following aspects of an application:
An example shows the layout of an application logical topology for a deployment of a WebSphere Business Process Manager (BPM) application used for business process modeling (note that this blueprint is only a subset of the complete logical topology, reduced to serve as an example for the Cisco ACI deployment model discussion). Keep in mind that such a blueprint is not always available, or may be more or less complete.
The application is composed of four application tiers:
The instances of the application tiers are placed in four separate network segments, that is, VLANs and IP subnets.
The traffic flows are shown as arrows indicating the client and server side of each communication along with the TCP port (for example, the Process Servers listen on TCP ports 55025 and 55080).
The blueprint also indicates that the security policy should protect each individual tier, allowing only the defined communication.
Network-Centric Design
The network-centric design is based on a topology that is seen as a number of network segments. All communication is defined in terms of VLANs, their respective subnets, and the traffic flows between these VLANs. The granularity of communication policies is the network segment.
The network-centric approach is typically used as a first step when migrating an existing network (that is, a brownfield environment) to Cisco ACI, because network constructs such as the flooding domain remain the same as those already deployed in the existing network.
It involves connecting external switched segments and existing firewall and load-balancing appliances to the Cisco ACI fabric, with little or no change to the network layout.
In the network-centric deployment model, the Cisco ACI fabric is deployed as a traditional switching fabric:
The implementation of security policies depends on where the default gateway is defined:
A Cisco ACI deployment using the network-centric approach for the BPM application relies on the application blueprint presented earlier. Two design options are presented; they differ in how the ACI fabric is used and where the security policies are implemented.
The first design option is defined in the following way:
The second design option uses the ACI fabric for all functionality:
Application-Centric Design
The application-centric design is based on the layout and requirements of the applications. Communication is defined by the EPG membership of endpoints and the relationships between these EPGs. VLANs and IP subnets are not relevant when defining these relationships. The granularity of communication policies is the EPG.
In the application-centric deployment model, all endpoints are typically connected directly to the Cisco ACI fabric (this is recommended, not required). The approach may be used in new data center implementations, or as a second step in implementing Cisco ACI when an existing environment is being migrated.
In the application-centric deployment model, the Cisco ACI fabric is deployed following the application architecture and relationships between application tiers:
In the application-centric model, security policies are not limited by VLAN or subnet boundaries, because EPGs do not equal IP subnets. Contracts applied to EPGs, using filters based on ports and protocols, control the traffic between application tiers regardless of the IP subnets they belong to.
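The following is an added example (not part of the course material) that models the whitelist behaviour just described for the BPM blueprint: endpoints are classified into EPGs, a contract with port/protocol filter entries is provided by one EPG and consumed by another, and the permit decision never looks at the IP subnet. The "Process Servers" tier and its TCP ports 55025 and 55080 come from the blueprint; the "Web" and "Database" tier names, the tenant name "BPM", the contract name and all IP addresses are constructed placeholders. The `contract_to_apic_json` helper renders the same contract as the APIC object classes (vzFilter/vzEntry, vzBrCP/vzSubj/vzRsSubjFiltAtt) that would be posted under the tenant; attaching the EPGs via fvRsProv/fvRsCons is left out.

```python
"""Whitelist policy model for the application-centric BPM design (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One vzEntry-style rule: protocol plus destination port range."""
    prot: str
    dport_from: int
    dport_to: int

    def matches(self, prot: str, dport: int) -> bool:
        return prot == self.prot and self.dport_from <= dport <= self.dport_to


@dataclass(frozen=True)
class Contract:
    """A contract provided by the server-side EPG and consumed by the client-side EPG."""
    name: str
    provider: str
    consumer: str
    entries: Tuple[FilterEntry, ...]


class PolicyModel:
    def __init__(self) -> None:
        self.epg_of: Dict[str, str] = {}        # endpoint IP -> EPG name
        self.contracts: List[Contract] = []

    def add_endpoint(self, ip: str, epg: str) -> None:
        self.epg_of[ip] = epg

    def add_contract(self, contract: Contract) -> None:
        self.contracts.append(contract)

    def permitted(self, src_ip: str, dst_ip: str, prot: str, dport: int) -> bool:
        """Decide the client-to-server flow. Return traffic is covered in ACI by the
        subject's reverse-filter-ports option and is not modelled here."""
        src_epg: Optional[str] = self.epg_of.get(src_ip)
        dst_epg: Optional[str] = self.epg_of.get(dst_ip)
        if src_epg is None or dst_epg is None:
            return False             # endpoint not classified into any EPG: dropped
        if src_epg == dst_epg:
            return True              # intra-EPG traffic is permitted by default
        # No subnet check anywhere: only EPG membership and contracts decide.
        return any(
            c.consumer == src_epg and c.provider == dst_epg
            and any(e.matches(prot, dport) for e in c.entries)
            for c in self.contracts
        )


def contract_to_apic_json(contract: Contract, tenant: str) -> dict:
    """Render the contract as APIC REST objects to be posted under the tenant."""
    filter_name = f"{contract.name}-filter"
    vz_filter = {"vzFilter": {"attributes": {"name": filter_name}, "children": [
        {"vzEntry": {"attributes": {
            "name": f"{e.prot}-{e.dport_from}-{e.dport_to}",
            "etherT": "ip", "prot": e.prot,
            "dFromPort": str(e.dport_from), "dToPort": str(e.dport_to)}}}
        for e in contract.entries]}}
    vz_brcp = {"vzBrCP": {"attributes": {"name": contract.name, "scope": "context"},
                          "children": [{"vzSubj": {"attributes": {"name": "subj"}, "children": [
                              {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [vz_filter, vz_brcp]}}


def build_bpm_model() -> PolicyModel:
    """Constructed sample: a Web EPG consuming the Process Servers contract."""
    model = PolicyModel()
    model.add_endpoint("10.10.0.11", "Web")
    model.add_endpoint("10.10.0.12", "Web")
    model.add_endpoint("10.10.0.99", "Database")        # same subnet as Web, different EPG
    model.add_endpoint("10.20.0.21", "ProcessServers")
    model.add_endpoint("10.30.0.21", "ProcessServers")  # another subnet, same EPG
    model.add_contract(Contract(
        name="web-to-bpm", provider="ProcessServers", consumer="Web",
        entries=(FilterEntry("tcp", 55025, 55025), FilterEntry("tcp", 55080, 55080))))
    return model


if __name__ == "__main__":
    m = build_bpm_model()
    for flow in [("10.10.0.11", "10.20.0.21", "tcp", 55025),
                 ("10.10.0.11", "10.10.0.99", "tcp", 55025),
                 ("10.10.0.11", "10.30.0.21", "tcp", 22)]:
        print(flow, "permit" if m.permitted(*flow) else "deny")
```

Running it shows the point of the model: the Web endpoint reaches Process Servers in two different subnets on the contracted ports, while the Database endpoint sitting in the Web subnet is unreachable because no contract exists between those EPGs.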
In the application-centric approach, the topology of the BPM application is seen as a set of application tiers, as presented in the application blueprint.
The design may be defined in the following way:
In an application-centric design, a single BD can contain multiple EPGs. It is recommended to use different VLANs for different EPGs. A VLAN ID can be reused for a different EPG if it is on a different leaf. The same VLAN can be reused in different EPGs on the same leaf with the VLAN scope "local" (per Port VLAN) feature, but the EPGs must then be in different BDs.
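As an added example (not from the course), the following checker encodes the VLAN reuse rules stated above and runs them over a constructed set of static EPG-to-port bindings: reuse of a VLAN ID by another EPG on a different leaf is fine; reuse on the same leaf needs per Port VLAN scope on both bindings and different BDs; and one port plus VLAN can only ever map to one EPG. The EPG, BD and port names are placeholders; the `scope` field stands for the VLAN scope setting (global or port local) that in ACI is carried by the L2 interface policy applied to the port.

```python
"""Checker for VLAN encapsulation reuse across EPGs on the same leaf (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    """A static EPG-to-port binding with its encap VLAN (fvRsPathAtt-style)."""
    epg: str
    bd: str
    leaf: int
    port: str
    vlan: int
    scope: str = "global"      # "global" (default) or "portlocal" (per Port VLAN)


def check_vlan_reuse(bindings: List[Binding]) -> List[Tuple[Binding, Binding, str]]:
    """Return (binding_a, binding_b, reason) for every pair that breaks the rules."""
    by_leaf_vlan: Dict[Tuple[int, int], List[Binding]] = defaultdict(list)
    for b in bindings:
        by_leaf_vlan[(b.leaf, b.vlan)].append(b)   # reuse on another leaf never conflicts

    problems: List[Tuple[Binding, Binding, str]] = []
    for group in by_leaf_vlan.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.epg == b.epg:
                    continue           # one EPG using its VLAN on several ports is normal
                if a.port == b.port:
                    problems.append((a, b, "one port+VLAN cannot map to two EPGs"))
                elif a.scope != "portlocal" or b.scope != "portlocal":
                    problems.append((a, b, "VLAN reused on the same leaf without per Port VLAN scope"))
                elif a.bd == b.bd:
                    problems.append((a, b, "per Port VLAN reuse requires different BDs"))
    return problems


def sample_bindings() -> List[Binding]:
    """Constructed sample covering the allowed and the conflicting cases."""
    return [
        Binding("Web", "BD-Web", 101, "eth1/1", 100),
        Binding("App", "BD-App", 102, "eth1/1", 100),                # other leaf: OK
        Binding("App", "BD-App", 101, "eth1/2", 100),                # same leaf, global scope: conflict
        Binding("Web", "BD-Web", 101, "eth1/3", 200, "portlocal"),
        Binding("Db", "BD-Db", 101, "eth1/4", 200, "portlocal"),     # per Port VLAN, different BDs: OK
        Binding("App", "BD-App", 101, "eth1/5", 300, "portlocal"),
        Binding("Batch", "BD-App", 101, "eth1/6", 300, "portlocal"), # per Port VLAN, same BD: conflict
    ]


if __name__ == "__main__":
    for a, b, reason in check_vlan_reuse(sample_bindings()):
        print(f"leaf {a.leaf} vlan {a.vlan}: {a.epg}@{a.port} vs {b.epg}@{b.port}: {reason}")
```

The check is deliberately conservative: it treats a binding whose scope is not "portlocal" as global, so a VLAN reused on a leaf where only one of the two ports has the per Port VLAN policy is still reported.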
Guidance for application-centric per Port VLAN design:
Source: DCACIA Course