03-13-2018 12:57 AM - edited 03-01-2019 05:28 AM
Hi All,
I Just needed a clear understanding to design my network for ACI.
Here is my design consideration.
I have around 15 applications where some applications are 3 tier (Web-App-DB) and some are 2 tier ( DB-App). Consider for example I have Application-A , B and C.
Application-A is built using 3-tier and hence web server needs to be accessed from outside world.
Application-B is also built using 3-tier and the web server is accessed only from the internal users.
Application-C is built using 2-tier (there is no Web). Only App server and DB server.
As per the best practice, I would assign each EPG to 1 BD.
So I create a Web EPG, APP EPG and DB EPG and map all the servers respectively.
But if that is the case then say for Application-A Web Server (EPG-A) has to be accessed from outside world(L3-out EPG) and Appliaction-B Web Server (EPG-A) only has to be access by internal users (Internal-EPG). I cannot create different contracts in this case. Correct me if my understanding is wrong.
The other way is to create EPG based on every application and its traffic flow. This leads me to create separate EPGs per Application. Is this right?
To add on to it, I have all these applications hosted in VM environment.
Do I need to create a separate application profile for every application in the datacenter ?
If so, Can I associate multiple application profile to the same VM domain?
Or should I take into consideration the traffic flow of every server including web,app,db and then understand how it behaves and later group all the servers into one EPG based on the traffic flow, what they need to access and who needs to access them?
Say for example In Application-A and B , web-servers need access to internet so put them in an EPG but for Application X and Y where web-servers need access only to internal networks, we need to group them in a separate EPG.
Solved! Go to Solution.
03-13-2018 07:39 AM
EPG membership is irrespective of subnets. ACI doesn't care. EPG members could be in the same or different IP subnets. Routing between subnets occurs at the BD level within ACI.
The endpoints in either Web1 & Web2 could be in the same subnet (non-overlapping IPs of course) or different. Accessibility is defined/allowed by the contracts between EPGs.
For Example
==========
AppProf1
EPG_Web1 (1.1.1.1/24)
[contract_1]
EPG_App1 (2.2.2.1/24)
[contract_2]
EPG_DB1 (3.3.3.1/24)
AppProf2
EPG_Web2 (1.1.1.1/24)
[contract_3]
EPG_App2 (2.2.2.1/24)
[contract_2]
EPG_DB2 (3.3.3.1/24)
*For simplicity let's assume all the EPGs in both Application Profiles share the same BD & VRF
In above, the endpoints in EPG_Web1 & EPG_Web2 would NOT be able to communicate, even though they're both sharing the same subnet. The Endpoints in App1 would be able to communicate with those in DB2 (AppProfile2). The contracts are what's most important, not the subnets.
Robert
03-13-2018 06:31 AM - edited 03-13-2018 06:33 AM
Raoul7 you have quite a few questions here, I'll try to address most.
Every application should be built into it's own Application Profile. This allows you to monitor the health status of the overall application taking into consideration all Endpoints that comprise that application.
All EPGs get assigned to a Bridge Domain. Bridge domains define the L2 forwarding behavior, so if you want to have different L2 behaviors between different EPGs (ARP, Flooding, Unknown Unicast etc) then it makes sense to have multiple BDs. I consider the BD the most critical configuration piece to ACI - as it dictates the rudimentary forwarding & learning behavior.
Deciding whether or not to assign your BDs to a single VRF or more, can simply come down to your subnets each BD contains. If you're going to have overlapping IP subnets across your BDs, they'll need to be separated into different VRFs. A simple example of this is where users have a Test & Prod environment. This allows you to use the same Subnets in both Test & Prod - such that when your application or Endpoints are moved from Test > Prod, there's no need to reconfigure their IP assignments.
Lastly and very important as your EPGs. This is your policy boundary. If you want to have all endpoints applied with similar policy, you can put them into the same EPG. In your example it sounds like you want to have some "Web" endpoints accessible from outside users, and other "Web" endpoints accessed by only Internal users. In this case, you would want to have separate EPGs for each group of web endpoints. The contracts applied to each respective EPG would dictate who and from where could access them.
Do I need to create a separate application profile for every application in the datacenter ?
-If you want to be able to monitor each applications overall health separately - then Yes.
If so, Can I associate multiple application profile to the same VM domain?
-Application Profiles aren't assigned to VM Domains, EPGs are. VM domains can include different EPGs, AppPRofiles and even Tenants. These constructs are mutually exclusive.
Let me know if you have additional questions. By the way, a great book was just released on ACI Design. I'd highly suggest checking it out if you're in the early stages of your design. It wil save you tonnes of headaches getting your design right the first time :).
Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure - http://www.ciscopress.com/store/deploying-aci-the-complete-guide-to-planning-configuring-9781587144745
Regards,
Robert
03-13-2018 07:13 AM
Hello Robert,
Thank you for your response. Appreciate all your help.
Since you said it is good to have unique application profile for every application hosted in the DC. We would need to create EPGs specific to only that application profile. Am I right?
For example, Application-A has its own Web-EPG, APP-EPG and DB-EPG and Application-B has its own Web-EPG, APP-EPG and DB-EPG.
In this case I will have to place Web-EPG of Application-A and Web-EPG of Application-B into 2 different subnets right? Or can i still place them in the same subnet?
Thanks for directing me to the right book.
03-13-2018 07:39 AM
EPG membership is irrespective of subnets. ACI doesn't care. EPG members could be in the same or different IP subnets. Routing between subnets occurs at the BD level within ACI.
The endpoints in either Web1 & Web2 could be in the same subnet (non-overlapping IPs of course) or different. Accessibility is defined/allowed by the contracts between EPGs.
For Example
==========
AppProf1
EPG_Web1 (1.1.1.1/24)
[contract_1]
EPG_App1 (2.2.2.1/24)
[contract_2]
EPG_DB1 (3.3.3.1/24)
AppProf2
EPG_Web2 (1.1.1.1/24)
[contract_3]
EPG_App2 (2.2.2.1/24)
[contract_2]
EPG_DB2 (3.3.3.1/24)
*For simplicity let's assume all the EPGs in both Application Profiles share the same BD & VRF
In above, the endpoints in EPG_Web1 & EPG_Web2 would NOT be able to communicate, even though they're both sharing the same subnet. The Endpoints in App1 would be able to communicate with those in DB2 (AppProfile2). The contracts are what's most important, not the subnets.
Robert
03-14-2018 07:33 AM
So, if i understood correctly... Raoul can have 2 Application Profile, in each one he can has an EPG for their application servers (Application profile 1 - APP-EPG 1; Application Profile 2 - APP-EPG 2), but both EPG can reside in the same Bridge Domain (APP-BD, e.g.), with the same subnet and all the BD policies aswell... is that?
03-14-2018 07:59 AM
Correct. It would look like this:
apic1# show run tenant Tenant1 # Command: show running-config tenant Tenant1 # Time: Wed Mar 14 14:58:11 2018 tenant Tenant1 vrf context Tenant1-VRF1 exit bridge-domain Tenant1-BD1 vrf member Tenant1-VRF1 exit application AppProf1 epg epg-app1 bridge-domain member Tenant1-BD1 exit exit application AppProf2 epg epg_app2 bridge-domain member Tenant1-BD1 exit exit interface bridge-domain Tenant1-BD1 exit exit apic1#
Robert
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide