Hi @weylin.piegorsch ,
Part of the problem with applying policy based on IP addressing is that IP addresses often indicate both location and identity, and traditional methods of applying policy using access control lists forces you to apply apply policy based on IP addresses, you can't apply policy based purely on location or purely on identity.
For instance, to apply policy between two hosts with IP addresses of 10.10.10.10 and 10.10.10.11 using ACLs is impossible unless you arduously resort to using MAC addresses to indicate identity.
ACI gets around that problem by introducing a concept that is independent of IP Addressing - the EPG.
Typically, endpoints are assigned to EPGs based on the VLAN ID. So if your design has one subnet per EPG, go ahead and design it that way.
But a better approach is to look at which servers/endpoints are permitted to communicate with each other without restriction, and have the same policies applied when communicating with other groups of servers. This should be the basis for your EPGs rather than purely based on subnets. Another approach is to group EPGs with similar policies into Application Profiles (you need at least ONE Application Profile, and EPGs get a little hard to manage if you lump all of the into one Application Profile as is often the case, so whichever approach you take, it is a good idea to think about grouping EPGs into Application Profiles right from the get-go)
Having said that, very few places implement ACI like this - it is much more common to stick with the "one VLAN=one subnet=one EPG" philosophy, sometimes referred to as "Network Centric Design"
So let's look at your concern of the number of contracts needed.
Firstly, understand that you can use the same contract over and over between different EPGs. And ACI provides several ways of building contracts in a scaleable way. The Cisco ACI Contract Guide White Paper describes these, but is woefully lacking in practical examples, and some examples are close to useless. I've summarised the items I think you should explore first when designing a solution
- Contract Scope
- If you set that scope of a contract to Application Profile, the same contract can be used between similar pairings of EPGs without traffic leaking between Application Profiles
- If you set that scope of a contract to Application Profile, the same contract can be used between similar pairings of EPGs without traffic leaking between Application Profiles
- Contract Inheritance and Master EPGs
- a feature that allows an EPG to inherit the contract relationships of another EPG (known as the Master EPG)
- Preferred Group
- allows you to group a collection of EPGs (not necessarily in the same Application Profile, but linked to the same VRF) to have full connectivity between themselves
- Unfortunately, you can have only ONE preferred group per VRF, but a similar result can be achieved using Contract Scope and Application Profiles as described above, or using ESGs (Endpoint Security Groups)
- allows you to group a collection of EPGs (not necessarily in the same Application Profile, but linked to the same VRF) to have full connectivity between themselves
- ESGs (Endpoint Security Groups)
- Unlike EPGs which are identified (mostly) by 802.1q tags, ESGs are Security zones linked to a VRF and can be based on more flexible criteria such as IP addressing (ACI v5+)
- You pretty much use ESGs OR EPGs - you can't have a contract between an ESG and an EPG
- Unlike EPGs which are identified (mostly) by 802.1q tags, ESGs are Security zones linked to a VRF and can be based on more flexible criteria such as IP addressing (ACI v5+)
I haven't explored the possibility of using VRFs to group similar groups of servers, but that is another possibility, but applying contracts gets tricky because the Provider EPG(s) need to have subnets defined on the EPGs
Thanks @Ali Aghababaei and @RedNectar. I had a proper responses written about why some of those won;t work in my environment, but it became very "woe is me" sounding so I'll save you from that.
Summary:
I can't really crack up the EPGs (I need to be Network-Centric on that point);
Contract Inheritance, Master Contracts, and contract labels aren't really something I can do; and
I've to-date found insufficient commonality from one legacy ACL to another to be able to take advantage of code re-use.
But....
Is there a meaningful difference to Preferred Groups vs a contract that is the equivalent of "permit IP any any", applied to vzAny as both consumer and provider?
I had a quick thought on ESGs but dismissed it quickly, recognizing there were issues with mixing EPG and ESG contracts, and separately there were issues with using ESG contract with the L4L7 PBR we're developing (one fabric will have this (we hope), the other two fabrics will have no L4L7 devices). Am I mistaken to dismiss ESGs so casually?
I was hoping to avoid microsegmentation (TAC always gets antsy whenever the topic comes up, then audibly gets relieved when I say we don't have any yet, plus I'm running into issues already with the number of VLAN IDs I'm already using even without that) by hearing about potential other approaches. I'll keep my fingers crossed for finding an alternative solution?
I do spread EPGs across various APs. How do I leverage that to aid in redefining legacy ACLs in an ACI security model, with recognizing that (for example) "ZenossProd_EPG" won't be split into Web/App/DB/etc EPGs? (In practice, we static path bind to VMware ports that, for now, don't do VMM Integration, and the VMware team would have their own challenges in their operations team supporting multiple port-groups / VLAN IDs for the same subnet).
