Solved: Design consideration for ACI

Raoul07 · ‎03-13-2018

Hi All,

I Just needed a clear understanding to design my network for ACI.

Here is my design consideration.

I have around 15 applications where some applications are 3 tier (Web-App-DB) and some are 2 tier ( DB-App). Consider for example I have Application-A , B and C.

Application-A is built using 3-tier and hence web server needs to be accessed from outside world.

Application-B is also built using 3-tier and the web server is accessed only from the internal users.

Application-C is built using 2-tier (there is no Web). Only App server and DB server.

As per the best practice, I would assign each EPG to 1 BD.

So I create a Web EPG, APP EPG and DB EPG and map all the servers respectively.

But if that is the case then say for Application-A Web Server (EPG-A) has to be accessed from outside world(L3-out EPG) and Appliaction-B Web Server (EPG-A) only has to be access by internal users (Internal-EPG). I cannot create different contracts in this case. Correct me if my understanding is wrong.

The other way is to create EPG based on every application and its traffic flow. This leads me to create separate EPGs per Application. Is this right?

To add on to it, I have all these applications hosted in VM environment.

Do I need to create a separate application profile for every application in the datacenter ?

If so, Can I associate multiple application profile to the same VM domain?

Or should I take into consideration the traffic flow of every server including web,app,db and then understand how it behaves and later group all the servers into one EPG based on the traffic flow, what they need to access and who needs to access them?

Say for example In Application-A and B , web-servers need access to internet so put them in an EPG but for Application X and Y where web-servers need access only to internal networks, we need to group them in a separate EPG.

Robert Burns · ‎03-13-2018

EPG membership is irrespective of subnets. ACI doesn't care. EPG members could be in the same or different IP subnets. Routing between subnets occurs at the BD level within ACI.

The endpoints in either Web1 & Web2 could be in the same subnet (non-overlapping IPs of course) or different. Accessibility is defined/allowed by the contracts between EPGs.

For Example

==========

AppProf1

EPG_Web1 (1.1.1.1/24)

[contract_1]

EPG_App1 (2.2.2.1/24)

[contract_2]

EPG_DB1 (3.3.3.1/24)

AppProf2

EPG_Web2 (1.1.1.1/24)

[contract_3]

EPG_App2 (2.2.2.1/24)

[contract_2]

EPG_DB2 (3.3.3.1/24)

*For simplicity let's assume all the EPGs in both Application Profiles share the same BD & VRF

In above, the endpoints in EPG_Web1 & EPG_Web2 would NOT be able to communicate, even though they're both sharing the same subnet. The Endpoints in App1 would be able to communicate with those in DB2 (AppProfile2). The contracts are what's most important, not the subnets.

Robert

View solution in original post

Robert Burns · ‎03-13-2018

Raoul7 you have quite a few questions here, I'll try to address most.

Every application should be built into it's own Application Profile. This allows you to monitor the health status of the overall application taking into consideration all Endpoints that comprise that application.

All EPGs get assigned to a Bridge Domain. Bridge domains define the L2 forwarding behavior, so if you want to have different L2 behaviors between different EPGs (ARP, Flooding, Unknown Unicast etc) then it makes sense to have multiple BDs. I consider the BD the most critical configuration piece to ACI - as it dictates the rudimentary forwarding & learning behavior.

Deciding whether or not to assign your BDs to a single VRF or more, can simply come down to your subnets each BD contains. If you're going to have overlapping IP subnets across your BDs, they'll need to be separated into different VRFs. A simple example of this is where users have a Test & Prod environment. This allows you to use the same Subnets in both Test & Prod - such that when your application or Endpoints are moved from Test > Prod, there's no need to reconfigure their IP assignments.

Lastly and very important as your EPGs. This is your policy boundary. If you want to have all endpoints applied with similar policy, you can put them into the same EPG. In your example it sounds like you want to have some "Web" endpoints accessible from outside users, and other "Web" endpoints accessed by only Internal users. In this case, you would want to have separate EPGs for each group of web endpoints. The contracts applied to each respective EPG would dictate who and from where could access them.

Do I need to create a separate application profile for every application in the datacenter ?

-If you want to be able to monitor each applications overall health separately - then Yes.

If so, Can I associate multiple application profile to the same VM domain?

-Application Profiles aren't assigned to VM Domains, EPGs are. VM domains can include different EPGs, AppPRofiles and even Tenants. These constructs are mutually exclusive.

Let me know if you have additional questions. By the way, a great book was just released on ACI Design. I'd highly suggest checking it out if you're in the early stages of your design. It wil save you tonnes of headaches getting your design right the first time :).

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure - http://www.ciscopress.com/store/deploying-aci-the-complete-guide-to-planning-configuring-9781587144745

Regards,

Robert

Raoul07 · ‎03-13-2018

Hello Robert,

Thank you for your response. Appreciate all your help.

Since you said it is good to have unique application profile for every application hosted in the DC. We would need to create EPGs specific to only that application profile. Am I right?

For example, Application-A has its own Web-EPG, APP-EPG and DB-EPG and Application-B has its own Web-EPG, APP-EPG and DB-EPG.

In this case I will have to place Web-EPG of Application-A and Web-EPG of Application-B into 2 different subnets right? Or can i still place them in the same subnet?

Thanks for directing me to the right book.

Robert Burns · ‎03-13-2018

EPG membership is irrespective of subnets. ACI doesn't care. EPG members could be in the same or different IP subnets. Routing between subnets occurs at the BD level within ACI.

The endpoints in either Web1 & Web2 could be in the same subnet (non-overlapping IPs of course) or different. Accessibility is defined/allowed by the contracts between EPGs.

For Example

==========

AppProf1

EPG_Web1 (1.1.1.1/24)

[contract_1]

EPG_App1 (2.2.2.1/24)

[contract_2]

EPG_DB1 (3.3.3.1/24)

AppProf2

EPG_Web2 (1.1.1.1/24)

[contract_3]

EPG_App2 (2.2.2.1/24)

[contract_2]

EPG_DB2 (3.3.3.1/24)

*For simplicity let's assume all the EPGs in both Application Profiles share the same BD & VRF

In above, the endpoints in EPG_Web1 & EPG_Web2 would NOT be able to communicate, even though they're both sharing the same subnet. The Endpoints in App1 would be able to communicate with those in DB2 (AppProfile2). The contracts are what's most important, not the subnets.

Robert

EduardR · ‎03-14-2018

So, if i understood correctly... Raoul can have 2 Application Profile, in each one he can has an EPG for their application servers (Application profile 1 - APP-EPG 1; Application Profile 2 - APP-EPG 2), but both EPG can reside in the same Bridge Domain (APP-BD, e.g.), with the same subnet and all the BD policies aswell... is that?

Robert Burns · ‎03-14-2018

Correct. It would look like this:

apic1# show run tenant Tenant1
# Command: show running-config tenant Tenant1
# Time: Wed Mar 14 14:58:11 2018
  tenant Tenant1
    vrf context Tenant1-VRF1
      exit
    bridge-domain Tenant1-BD1
      vrf member Tenant1-VRF1
      exit
    application AppProf1
      epg epg-app1
        bridge-domain member Tenant1-BD1
        exit
      exit
    application AppProf2
      epg epg_app2
        bridge-domain member Tenant1-BD1
        exit
      exit
    interface bridge-domain Tenant1-BD1
      exit
    exit
apic1#

Robert