Episode 2 - Introduction to ACI Tenants, VRFs, Bridge Domains, Application Profiles, EPGs and Contra

Captions
So in the previous sections we looked at the physical building of the network, the different topology options that we have and the way that we can construct the physical infrastructure. Very often, though, for customers the physical is one part of it, but really they want to look at the logical constructs that run on top. ACI has got some different terminology from traditional networking, so I like to take the terms that we use in ACI and really relate them back to what a customer is used to within their current infrastructure.

The first building block that we have is a tenant, and a tenant is just a space on the network. It's just a configuration place that you've got access to. So for example, in my environment, when I log on I've got access to my tenant; if somebody else logs on, they've got access to their tenant. So it's a way to break up the network for different functions. You could think of a production network, a pre-production network, a test and dev: all of the different infrastructure runs on the same physical fabric. Customers often get a bit confused about how they should use tenants, and so the way I view it is, if they've got VDCs today on maybe their Nexus 7Ks, or they've got different VRFs for different functions, then start off by thinking that VRF or that VDC is a tenant in ACI speak. So very basic, just to really not cause too much confusion around tenants.

We do have a special tenant in ACI, and the special tenant is called the common tenant. Inside the common tenant, everything that I build is accessible by other tenants, and what I mean by that is: if I build a VRF, it can be used by other tenants; if I build an EPG or a bridge domain, it can be used by other tenants. So the common one is where we might do some actual configuration and lay down some subnets and VRFs. Alternatively, we can do it inside our own tenant. So if this is my tenant, I'll just call it Charmin, what I can do inside my tenant is build a VRF, and a VRF is no different than a VRF on any other piece of networking kit. It's just a logical construct, a logical virtual router that we have inside the network fabric, and when I build a VRF, this VRF is available on every leaf switch across the network. So I build it once, in the UI or command line, however I build it, and it's available across the entire fabric. Customers will be used to VRFs; they run them today.

The next building block that we have is called a bridge domain, or, right here, just a BD. A bridge domain is a logical construct that can either be a layer 2 construct, so like a VLAN if you like, or it can contain a subnet, so like a VLAN with a gateway. And this bridge domain is again available across the network: I make it once and it's available across every leaf switch in the fabric.

The next building block is what's known as an EPG, or an endpoint group, and that really is a VLAN. So for customers that are thinking "what's an EPG?", it's a VLAN. And the way that we would use an EPG: we would look at a switch, an interface and the VLAN, and that gets you, if you like, into that box. That's the first method. The other method is that we might look at a virtual switch, and again the VLAN that's attached, or the VXLAN, and again that would get us into the EPG box. So the EPG is just a security zone, a little bubble on the network that I connect my server interfaces to, and that's the security zone that they sit in.

And now, very different from a traditional network: if I add a second subnet, so a second bridge domain and a second EPG over here where my servers are sitting, by default I can't communicate between these EPGs. So between this EPG here and this one, communication by default is not permitted. I have to explicitly say that I want to allow group one to talk to group two, or optionally I could disable the security completely at the VRF level. But the security is really just an access list, and that's the way I describe it to customers: we put an access list in that allows me to talk from group one to group two, to allow that communication. So it really makes your whole network look like one large firewall, because every group of servers now is isolated, and it isn't allowed to talk to something else unless I put a contract, or an access list, in place to allow it to talk to something else.

And there's one missing piece of the puzzle, and the missing piece of the puzzle is what's known as an application profile. An application profile is basically a collection of these EPGs. So all of these EPGs form the application: it could be Steve's app, and I've got a web tier, an app tier and a database tier, but these form the application. And when I mentioned before that customers can use the network configuration to reflect their applications, this is exactly what they're doing. They're going into the UI, they create a folder, and this is the folder for my app profile, and underneath here I have folders that represent the endpoint groups, or the groups of servers on the network, and these in turn map to subnets. So it's a very simple way to start constructing things, and when you build it up for customers in this manner it becomes very easy, because it's very logical and it's based on everything that they already know.

So we have tenants: that's slightly new, but it's very much like a VDC on a 7K. We've got our VRFs; well, everyone knows what a VRF is. Bridge domains can be layer 2 or layer 3, so kind of think VLANs. And then we're going to take an EPG, or take a security container, and attach this onto a subnet, and as I mentioned before, the way that you get admitted to that EPG is they would look at the incoming switch interface and VLAN, or virtual switch VLAN or VXLAN, and that gets you into the secure box. Once you're in that box, to talk to something else we have an access list that's known as a contract in ACI terminology, and that allows us to make that connectivity to other devices on the network. So we're looking in a bit more detail in the next section at how we actually build up, or the different methods that we can build up, these EPGs and application profiles, but let's look at this in a much neater picture on a slide.
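As an added illustration (not from the video, and not Cisco or APIC code), here is a small Python model of the policy behaviour described above: default deny between EPGs, a contract acting as the access list between them, security switched off at the VRF level, and objects built in the common tenant being usable from other tenants. The tenant, EPG and contract names and the subnet values are constructed; the rule that this toy model does not leak routes between VRFs is an assumption made to keep it small.

```python
"""Toy model of ACI tenants, VRFs, bridge domains, EPGs and contracts (constructed illustration, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Vrf:
    tenant: str
    name: str
    enforced: bool = True  # False models "disable the security completely at the VRF level"

@dataclass(frozen=True)
class BridgeDomain:
    name: str
    vrf: Vrf
    gateway: Optional[str] = None  # None = layer-2 only BD; "10.1.1.1/24" = BD with a subnet/gateway

@dataclass(frozen=True)
class Epg:
    tenant: str
    app_profile: str  # the application-profile "folder" the EPG lives under
    name: str
    bd: BridgeDomain

@dataclass(frozen=True)
class Contract:
    provider: str  # EPG name providing the contract
    consumer: str  # EPG name consuming it

def usable_from(obj_tenant: str, tenant: str) -> bool:
    return obj_tenant in ("common", tenant)  # common-tenant objects are usable by every tenant

def allowed(src: Epg, dst: Epg, contracts: List[Contract]) -> bool:
    """Default deny: two different EPGs talk only via a contract or an unenforced VRF."""
    for epg in (src, dst):  # each EPG must be able to use the VRF its bridge domain sits in
        if not usable_from(epg.bd.vrf.tenant, epg.tenant):
            raise ValueError(f"{epg.name}: VRF {epg.bd.vrf.name} is not usable from tenant {epg.tenant}")
    if src == dst:
        return True  # endpoints inside one EPG (one security zone) talk freely
    if src.bd.vrf != dst.bd.vrf:
        return False  # assumption: no inter-VRF route leaking in this toy model
    if not src.bd.vrf.enforced:
        return True  # security switched off for the whole VRF
    # The contract is the access list between consumer and provider; replies flow back, so check both directions.
    return any({src.name, dst.name} == {c.provider, c.consumer} for c in contracts)

# Constructed sample: a web tier and an app tier in one tenant, with the VRF built once in the common tenant.
VRF = Vrf("common", "prod")
WEB = Epg("steves_tenant", "steves_app", "web", BridgeDomain("web-bd", VRF, "10.1.1.1/24"))
APP = Epg("steves_tenant", "steves_app", "app", BridgeDomain("app-bd", VRF, "10.1.2.1/24"))
WEB_TO_APP = Contract(provider="app", consumer="web")
```

With `[WEB_TO_APP]` passed in, `allowed(WEB, APP, ...)` is true; with an empty contract list it is false, which is the "one large firewall" behaviour the talk describes.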
Info
Channel: Cisco UKI
Views: 30,352
Id: vXszKYaZbm0
Length: 6min 44sec (404 seconds)
Published: Thu Sep 13 2018