DIT | Cisco ACI Policy Model


# 3.1 WHY IS ACI SECURITY NEEDED:

The Cisco Application Centric Infrastructure (ACI) policy model enables an administrator to exercise domain-based access control. A tenant represents a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies. The following figure provides an overview of the tenant portion of the management information tree (MIT); each node in the tree represents a managed object (MO). An MO can represent a concrete object, such as a switch or adapter, or a logical object, such as an application profile, endpoint group, or fault.


# CISCO ACI POLICY MODEL:

: Tenant is a group of users who share common access, with specific privileges, to the software instance. In ACI, a tenant represents a management domain.

: VRF contains a Layer 3 routing instance, its tables and IP addresses. VRF names must be unique within their tenant but do not need to be globally unique. VRFs belong to the tenant in which they are created and cannot be separated from that tenant. In other words, VRF is a technology in IP routers that enables multiple instances of a routing table to exist in a virtual router and work simultaneously.

: Bridge-Domain (BD) is a logical construct that allows you to segment traffic on a per-tenant basis. Each BD has its own set of forwarding rules and can be configured to provide different levels of security and isolation.

: Subnets: When dealing with TCP/IP addresses, each address actually has three components: a network component, a host component and a subnet mask. The function of the subnet mask is to differentiate among the network address, the host address and the directed broadcast address. In binary, a 1 in a bit position of the subnet mask marks that bit as part of the network component, and a 0 marks it as part of the host component.

: Contracts are used to control traffic flow within the ACI fabric between EPGs. Each contract is assigned a scope (global, tenant, VRF or application profile) that limits where the contract can be used.

: Application Network Profile (ANP) governs different aspects of the tenancy: security, quality of service (QoS), SLAs and Layer 4 to 7 services. ANPs are so intrinsically linked to EPGs that it is hard to treat creating them as separate tasks.

: Endpoint Group (EPG) is a set of devices (or VMs) that share the same policy requirements. ACI uses a "white list model." Remember, that is the default behavior; it can be changed.

Communication between EPGs:
Endpoints inside an EPG can talk to each other.
Endpoint Groups (EPGs) cannot communicate with each other by default.
To allow EPGs to speak with each other, we connect them using contracts.
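To make the white-list model concrete, here is an added simulation (not code from the original post or from Cisco) of the EPG-and-contract rules just described: traffic inside an EPG is permitted, traffic between EPGs is dropped unless the source EPG consumes a contract that the destination EPG provides, and the contract's filter must match the protocol and port. The three-tier tenant (web, app, db EPGs), the contract names and the ports are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample, not from the original post: a minimal model of the
# ACI white-list behaviour. Contracts are directional, as in ACI: the
# consumer EPG initiates traffic towards the provider EPG.

@dataclass(frozen=True)
class Filter:
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # destination port; None means any port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port in (None, port)

@dataclass
class Contract:
    name: str
    filters: List[Filter]   # traffic the contract permits (subjects simplified away)

@dataclass
class EPG:
    name: str
    provides: Set[str] = field(default_factory=set)  # contracts this EPG provides
    consumes: Set[str] = field(default_factory=set)  # contracts this EPG consumes

def is_allowed(src: EPG, dst: EPG, contracts: Dict[str, Contract],
               proto: str, port: int) -> bool:
    """Decide whether src may initiate proto/port traffic to dst (default deny)."""
    if src is dst:          # endpoints inside one EPG talk freely
        return True
    # Only a contract consumed by src AND provided by dst can open the path.
    for name in src.consumes & dst.provides:
        if any(f.matches(proto, port) for f in contracts[name].filters):
            return True
    return False

def build_sample_fabric():
    """Constructed three-tier tenant: web consumes app, app consumes db."""
    contracts = {
        "web-to-app": Contract("web-to-app", [Filter("tcp", 8080)]),
        "app-to-db": Contract("app-to-db", [Filter("tcp", 3306)]),
    }
    epgs = {
        "web": EPG("web", consumes={"web-to-app"}),
        "app": EPG("app", provides={"web-to-app"}, consumes={"app-to-db"}),
        "db": EPG("db", provides={"app-to-db"}),
    }
    return epgs, contracts
```

Note that web cannot reach db even though both sit in the same tenant: no contract joins them, so the fabric drops the flow, and reversing a contract's direction (app initiating to web) is also denied.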

: L2/L3 outside networks: Endpoints can be directly connected to leaf ports, or they can sit behind a Layer 2 network that is connected to the ACI fabric. L3Out (Layer 3 Out): A Layer 3 external outside network (l3extOut object) includes the routing protocol options (BGP, OSPF, EIGRP, static) and the switch-specific and interface-specific configurations. The external EPG exposes the external network to tenant EPGs through a contract.
