ACI Terminology
This chapter contains the following sections:
• ACI Terminology, on page 1

Each entry below gives the Cisco ACI term, then the closest industry-standard term where one exists, then a description.

Alias
Industry-standard approximation: Alias
A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias is a field that can be changed. For more details, refer to the "Using Tags and Alias" section under "Using the REST API".

API Inspector
Industry-standard approximation: none
The API Inspector in the Cisco APIC GUI provides a real-time display of the REST API commands that the Cisco APIC processes to perform GUI interactions.

App Center
Industry-standard approximation: none
The Cisco ACI App Center allows you to fully enable the capabilities of the Cisco APIC by writing applications running on the controller. Using the Cisco ACI App Center, customers, developers, and partners are able to build applications to simplify, enhance, and visualize their use cases. These applications are hosted and shared at the Cisco ACI App Center and installed in the Cisco APIC.

ACI Terminology 1

Application Policy Infrastructure Controller (APIC)
Industry-standard approximation: cluster controller
The Cisco APIC, which is implemented as a replicated, synchronized, clustered controller, provides a unified point of automation and management, policy programming, application deployment, and health monitoring for the Cisco ACI multitenant fabric. The minimum recommended size for a Cisco APIC cluster is three controllers.

Application Profile
Industry-standard approximation: none
An application profile (fvAp) defines the policies, services, and relationships between endpoint groups (EPGs).

Atomic Counters
Industry-standard approximation: Atomic Counters
Atomic counters allow you to gather statistics about traffic between leaf switches. Using atomic counters, you can detect drops and misrouting in the fabric, enabling quick debugging and isolation of application connectivity issues. For example, an administrator can enable atomic counters on all leaf switches to trace packets from endpoint 1 to endpoint 2. If any leaf switches other than the source and destination leaf switches have nonzero counters, the administrator can drill down to those leaf switches.

Attachable Entity Profile
Industry-standard approximation: none
An Attachable Access Entity Profile (AEP) is used to group domains with similar requirements. By grouping domains into AEPs and associating them, the fabric knows where the various devices in the domain live, and the Application Policy Infrastructure Controller (APIC) can push the VLANs and policy where they need to be.

Border Leaf Switches
Industry-standard approximation: Border Leaf Switches
A border leaf switch is a leaf switch that is connected to a Layer 3 device, such as an external network device or a service such as a firewall or a router port. Other devices, such as servers, can also connect to it.

Bridge Domain
Industry-standard approximation: Bridge Domain
A bridge domain is a set of logical ports that share the same flooding or broadcast characteristics. Like a virtual LAN (VLAN), bridge domains span multiple devices.

Cisco ACI Optimizer
Industry-standard approximation: none
The Cisco ACI Optimizer feature in the Cisco APIC GUI is a Cisco APIC tool that enables you to determine how many leaf switches you will need for your network and suggests how to deploy each application and external EPG on each leaf switch without violating any constraints. It can also help you determine whether your current setup has what you need and whether you are exceeding any limitations.

Cisco Application Virtual Switch (AVS)
Industry-standard approximation: none
Cisco AVS is a distributed virtual switch that is integrated with the Cisco ACI architecture as a virtual leaf and managed by the Cisco APIC. It offers different forwarding and encapsulation options and extends across many virtualized hosts and data centers defined by the VMware vCenter server.

Configuration Zones
Industry-standard approximation: none
Configuration zones divide the Cisco ACI fabric into different zones that can be updated with configuration changes at different times. This limits the risk of deploying a faulty fabric-wide configuration that may disrupt traffic or even bring the fabric down. An administrator can deploy a configuration to a non-critical zone, and then deploy it to critical zones when satisfied that it is suitable. For more details, refer to Configuration Zones.

Consumer
Industry-standard approximation: none
An EPG that consumes a service.

Context or VRF Instance
Industry-standard approximation: Virtual Routing and Forwarding (VRF) or Private Network
A virtual routing and forwarding instance defines a Layer 3 address domain that allows multiple instances of a routing table to exist and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices. Cisco ACI tenants can contain multiple VRFs.

Contract
Industry-standard approximation: Access Control List (ACL)
The rules that specify what and how communication in a network is allowed. In Cisco ACI, contracts specify how communications between EPGs take place. Contract scope can be limited to the EPGs in an application profile, a tenant, a VRF, or the entire fabric.

Distinguished Name (DN)
Industry-standard approximation: Fully Qualified Domain Name (FQDN)
A unique name that describes a managed object (MO) and locates its place in the management information tree (MIT).

Endpoint Group (EPG)
Industry-standard approximation: Endpoint Group
A logical entity that contains a collection of physical or virtual network endpoints. In Cisco ACI, endpoints are devices connected to the network directly or indirectly. They have an address (identity), a location, and attributes (for example, version and patch level), and can be physical or virtual. Endpoint examples include servers, virtual machines, storage, or clients on the Internet.

Fabric
Industry-standard approximation: none
The Cisco ACI fabric includes Cisco Nexus 9000 Series switches with the Cisco APIC controller to run in the leaf/spine Cisco ACI fabric mode. These switches form a “fat-tree” network by connecting each leaf node to each spine node; all other devices connect to the leaf nodes. The Cisco APIC manages the Cisco ACI fabric.

Filter
Industry-standard approximation: Access Control List; also approximates a Firewall
Cisco ACI uses a whitelist model: all communication is blocked by default, and communication must be given explicit permission. A Cisco ACI filter is a TCP/IP header field, such as a Layer 3 protocol type or Layer 4 ports, that is used to allow inbound or outbound communications between EPGs.

GOLF
Industry-standard approximation: none
The Cisco ACI GOLF feature (also known as Layer 3 EVPN Services for Fabric WAN) enables much more efficient and scalable Cisco ACI fabric WAN connectivity. It uses the BGP EVPN protocol over OSPF for WAN routers that are connected to spine switches.

L2 Out
Industry-standard approximation: Bridged Connection
A bridged connection connects two or more segments of the same network so that they can communicate. In Cisco ACI, an L2 Out is a bridged (Layer 2) connection between a Cisco ACI fabric and an outside Layer 2 network, which is usually a switch.

L3 Out
Industry-standard approximation: Routed Connection
A routed Layer 3 connection uses a set of protocols that determine the path that data follows in order to travel across multiple networks from its source to its destination. Cisco ACI routed connections perform IP forwarding according to the protocol selected, such as BGP, OSPF, or EIGRP.

Label
Industry-standard approximation: none
Label matching is used to determine which consumer and provider EPGs can communicate. The contract subjects of a given producer or consumer of that contract determine whether consumers and providers can communicate, and a label matching algorithm is used to determine this. For more details, refer to the ACI Fundamentals Guide.

Managed Object (MO)
Industry-standard approximation: MO
An abstract representation of network resources that are managed. In Cisco ACI, an abstraction of a Cisco ACI fabric resource.

Management Information Tree (MIT)
Industry-standard approximation: MIT
A hierarchical management information tree containing all the managed objects (MOs) of a system. In Cisco ACI, the MIT contains all the MOs of the Cisco ACI fabric. The Cisco ACI MIT is also called the Management Information Model (MIM).

Microsegmentation with Cisco ACI
Industry-standard approximation: Microsegmentation, micro-segmentation
Microsegmentation with the Cisco Application Centric Infrastructure (ACI) provides the ability to automatically assign endpoints to logical security zones called endpoint groups (EPGs) based on various network-based or virtual machine (VM)-based attributes.

Multipod
Industry-standard approximation: none
Multipod enables provisioning a more fault-tolerant fabric composed of multiple pods with isolated control plane protocols. Multipod also provides more flexibility with regard to the full-mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, multipod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches. Multipod uses MP-BGP EVPN as the control-plane communication protocol between the Cisco ACI spine switches in different pods. For more details, refer to the Multipod White Paper.

Networking Domains
Industry-standard approximation: none
A fabric administrator creates domain policies that configure ports, protocols, VLAN pools, and encapsulation. These policies can be used exclusively by a single tenant, or they can be shared. Once a fabric administrator configures domains in the Cisco ACI fabric, tenant administrators can associate tenant endpoint groups (EPGs) to domains. A domain is configured to be associated with a VLAN pool. EPGs are then configured to use the VLANs associated with a domain. You can configure the following domain types:
• VMM domain profiles (vmmDomP) are required for virtual machine hypervisor integration.
• Physical domain profiles (physDomP) are typically used for bare metal server attachment and management access.
• Bridged outside network domain profiles (l2extDomP) are typically used to connect a bridged external network trunk switch to a leaf switch in the Cisco ACI fabric.
• Routed outside network domain profiles (l3extDomP) are used to connect a router to a leaf switch in the Cisco ACI fabric.
• Fibre Channel domain profiles (fcDomP) are used to connect Fibre Channel VLANs and VSANs.

Policy
Industry-standard approximation: none
A named entity that contains generic specifications for controlling some aspect of system behavior. For example, a Layer 3 Outside Network Policy would contain the BGP protocol to enable BGP routing functions when connecting the fabric to an outside Layer 3 network.

Profile
Industry-standard approximation: none
A named entity that contains the necessary configuration details for implementing one or more instances of a policy. For example, a switch node profile for a routing policy would contain all the switch-specific configuration details required to implement the BGP routing protocol.

Provider
Industry-standard approximation: none
An EPG that provides a service.

Quota Management
Industry-standard approximation: Quota Management
The Quota Management feature enables an admin to limit what managed objects can be added under a given tenant or globally across tenants. Using Quota Management, you can prevent any tenant or group of tenants from exceeding Cisco ACI maximums per leaf switch or per fabric, or from unfairly consuming most available resources and potentially affecting other tenants on the same fabric.
For example, a user has configured a bridge domain quota of maximum 6 across the entire ACI policy model with a fault action. The command would be:
    apic1(config)# quota fvBD max 6 scope uni exceed-action fault

REST API
Industry-standard approximation: REST API
The Cisco Application Policy Infrastructure Controller (APIC) REST API is a programmatic interface that uses REST architecture. The API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents. The REST API is the interface into the management information tree (MIT) and allows manipulation of the object model state. The same REST interface is used by the Cisco APIC CLI, GUI, and SDK, so that whenever information is displayed, it is read through the REST API, and when configuration changes are made, they are written through the REST API. The REST API also provides an interface through which other information can be retrieved, including statistics, faults, and audit events. It even provides a means of subscribing to push-based event notification, so that when a change occurs in the MIT, an event can be sent through a web socket.
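The Distinguished Name, Managed Object, Management Information Tree and REST API entries describe one addressing scheme: a DN names an MO and, segment by segment, locates it in the MIT, and the REST API addresses MOs by that DN. The following Python code is an added example and is not part of the Cisco document. It takes a DN apart into the chain of MOs it locates, validates it, and builds the REST API paths and nested JSON body that address those objects. The /api/mo/<dn>.json and /api/class/<class>.json path forms and the JSON layout (each MO keyed by its class, with attributes and children) follow the public APIC REST API; the class names in the prefix table are standard ACI classes (fvAp and fvBD appear above, the others are assumed from the ACI object model), and the tenant, application profile and EPG names are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

# DN segment prefix -> class of the MO that segment names.  Standard ACI
# classes; this example only knows this subset.  "uni" (class polUni) is the
# policy universe at the root of the MIT.
SEGMENT_CLASSES = {
    "tn": "fvTenant",   # tenant
    "ap": "fvAp",       # application profile
    "epg": "fvAEPg",    # endpoint group
    "BD": "fvBD",       # bridge domain
    "ctx": "fvCtx",     # VRF instance / context
    "brc": "vzBrCP",    # contract
    "subj": "vzSubj",   # contract subject
    "flt": "vzFilter",  # filter
}


@dataclass(frozen=True)
class ManagedObject:
    dn: str               # full distinguished name of this MO
    cls: str              # MO class
    name: str             # the MO's own name: its DN segment after the prefix
    parent_dn: str | None # None only for the MIT root


def parse_dn(dn: str) -> list[ManagedObject]:
    """Resolve a DN into the chain of MOs from the MIT root down to the named object.

    Each "/"-separated segment is "<prefix>-<name>"; the segment before it is the
    parent, which is what makes a DN locate an MO in the tree.  Names may contain
    "-" themselves (tenant "my-tenant"), so a segment is split on its first "-"
    only.  Bracketed segments used for names containing "/" are not handled here.
    """
    segments = dn.split("/")
    if segments[0] != "uni":
        raise ValueError(f"DN must be rooted at the policy universe 'uni': {dn!r}")
    chain = [ManagedObject(dn="uni", cls="polUni", name="uni", parent_dn=None)]
    for segment in segments[1:]:
        prefix, sep, name = segment.partition("-")
        if not sep or not name:
            raise ValueError(f"malformed segment {segment!r} in {dn!r}")
        cls = SEGMENT_CLASSES.get(prefix)
        if cls is None:
            raise ValueError(f"unknown segment prefix {prefix!r} in {dn!r}")
        parent = chain[-1]
        chain.append(ManagedObject(f"{parent.dn}/{segment}", cls, name, parent.dn))
    return chain


def is_valid_dn(dn: str) -> bool:
    """True when the DN parses against the known prefixes (handy for input checks)."""
    try:
        parse_dn(dn)
    except ValueError:
        return False
    return True


def tenant_of(dn: str) -> str | None:
    """Name of the tenant that scopes the MO, or None for objects directly under uni."""
    for mo in parse_dn(dn):
        if mo.cls == "fvTenant":
            return mo.name
    return None


def mo_url(dn: str, fmt: str = "json") -> str:
    """REST API path addressing one MO by its DN (validated before use)."""
    parse_dn(dn)
    return f"/api/mo/{dn}.{fmt}"


def class_url(cls: str, fmt: str = "json") -> str:
    """REST API path addressing every MO of a class, e.g. all bridge domains."""
    return f"/api/class/{cls}.{fmt}"


def config_body(dn: str) -> dict:
    """Nested JSON body mirroring the MIT branch down to the named MO.

    Each MO is keyed by its class and wraps its child in "children", which is
    the shape a POST to /api/mo/uni.json carries to create or update the branch.
    """
    body = None
    for mo in reversed(parse_dn(dn)[1:]):   # innermost first; skip the polUni root
        node = {mo.cls: {"attributes": {"name": mo.name}}}
        if body is not None:
            node[mo.cls]["children"] = [body]
        body = node
    if body is None:
        raise ValueError("no MO below uni to build a body for")
    return body
```

Splitting on the first hyphen only is the point worth noticing: ACI names routinely contain hyphens, and a parser that splits on every hyphen would misread "tn-my-tenant" as two segments. The constructed names (Acme, Web, Frontend) are placeholders, not anything from the document.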

Schema
Industry-standard approximation: none
In a Cisco ACI Multi-Site configuration, the Schema is a container for single or multiple templates that are used for defining policies.

Site
Industry-standard approximation: Site
The Cisco APIC cluster domain or single fabric, treated as a Cisco ACI region and availability zone. It can be located in the same metro area as other sites, or spread worldwide.

Stretched ACI
Industry-standard approximation: none
Stretched Cisco ACI fabric is a partially meshed design that connects Cisco ACI leaf and spine switches distributed in multiple locations. The stretched fabric is a single Cisco ACI fabric. The sites are one administration domain and one availability zone. Administrators are able to manage the sites as one entity; configuration changes made on any Cisco APIC controller node are applied to devices across the sites. The stretched Cisco ACI fabric preserves live VM migration capability across the sites. Objects (tenants, VRFs, EPGs, bridge domains, subnets, or contracts) can be stretched when they are deployed to multiple sites.

Subject
Industry-standard approximation: Access Control List
In Cisco ACI, subjects in a contract specify what information can be communicated and how.

Tags
Industry-standard approximation: none
Object tags simplify API operations. In an API operation, an object or group of objects is referenced by the tag name instead of by the distinguished name (DN). Tags are child objects of the item they tag; besides the name, they have no other properties.
For more details, refer to the "Using Tags and Alias" section under "Using the REST API".

Template
Industry-standard approximation: Template
In a Cisco ACI Multi-Site configuration, templates are frameworks that hold policies and configuration objects that are pushed to the different sites. These templates reside within schemas that are defined for each site.

Tenant
Industry-standard approximation: Tenant
A secure and exclusive virtual computing environment. In Cisco ACI, a tenant is a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies. Cisco ACI tenants can contain multiple private networks (VRF instances).

vzAny
Industry-standard approximation: none
The vzAny managed object provides a convenient way of associating all endpoint groups (EPGs) in a Virtual Routing and Forwarding (VRF) instance to one or more contracts, instead of creating a separate contract relation for each EPG. For more details, refer to the "Contracts and Policy Enforcement" section of ACI Best Practices.
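The Contract, Filter, Subject, Consumer, Provider and vzAny entries above describe one policy mechanism, and the Filter entry states its governing rule: everything is blocked unless a contract explicitly permits it. The following Python model is added here and is not taken from the Cisco document. It shows how those pieces combine into a default-deny decision: a flow is permitted only when the source EPG consumes a contract that the destination EPG provides (directly, or through the vzAny of its VRF), the contract's scope covers both EPGs, and one of the contract's subjects carries a filter matching the traffic. The tenant, EPG, contract and filter names are constructed, and the model simplifies real APIC behaviour: only the consumer-to-provider direction is evaluated, a filter carries only a protocol and destination-port range, and label matching is omitted.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EPG:
    name: str
    tenant: str
    app_profile: str
    vrf: str

@dataclass(frozen=True)
class Filter:
    """A filter: the TCP/IP header fields it permits (simplified to protocol + dport range)."""
    name: str
    protocol: str          # "tcp", "udp", "icmp" or "any"
    dport_from: int = 0    # destination-port range; 0..65535 means any port
    dport_to: int = 65535

    def matches(self, protocol: str, dport: int) -> bool:
        return self.protocol in ("any", protocol) and self.dport_from <= dport <= self.dport_to

@dataclass(frozen=True)
class Subject:
    """A contract subject: the filters that say what may be communicated and how."""
    name: str
    filters: tuple[Filter, ...]

@dataclass(frozen=True)
class Contract:
    name: str
    tenant: str
    scope: str             # "application-profile", "tenant", "vrf" or "global"
    subjects: tuple[Subject, ...]

@dataclass
class Fabric:
    """EPGs, contracts, and which EPG (or VRF-wide vzAny) consumes or provides what."""
    epgs: dict[str, EPG] = field(default_factory=dict)
    contracts: dict[str, Contract] = field(default_factory=dict)
    consumes: dict[str, set[str]] = field(default_factory=dict)        # EPG name -> contracts
    provides: dict[str, set[str]] = field(default_factory=dict)        # EPG name -> contracts
    vzany_consumes: dict[str, set[str]] = field(default_factory=dict)  # "tenant/vrf" -> contracts
    vzany_provides: dict[str, set[str]] = field(default_factory=dict)  # "tenant/vrf" -> contracts


def vrf_key(epg: EPG) -> str:
    return f"{epg.tenant}/{epg.vrf}"   # a VRF name is unique only within its tenant

def in_scope(contract: Contract, a: EPG, b: EPG) -> bool:
    """Contract scope bounds which EPG pairs the contract can ever apply to."""
    if contract.scope == "global":
        return True
    if contract.scope == "vrf":
        return vrf_key(a) == vrf_key(b)
    if contract.scope == "tenant":
        return a.tenant == b.tenant == contract.tenant
    if contract.scope == "application-profile":
        return a.tenant == b.tenant and a.app_profile == b.app_profile
    raise ValueError(f"unknown contract scope {contract.scope!r}")

def is_allowed(fab: Fabric, src: str, dst: str, protocol: str, dport: int) -> str | None:
    """Name of the contract permitting src EPG -> dst EPG traffic; None means dropped (the default)."""
    s, d = fab.epgs[src], fab.epgs[dst]
    if src == dst:
        return "intra-epg"   # endpoints of one EPG may talk unless intra-EPG isolation is enabled
    # vzAny stands in for every EPG of the VRF on the consumer or provider side.
    consumed = fab.consumes.get(src, set()) | fab.vzany_consumes.get(vrf_key(s), set())
    provided = fab.provides.get(dst, set()) | fab.vzany_provides.get(vrf_key(d), set())
    for cname in sorted(consumed & provided):       # contracts both sides are related to
        contract = fab.contracts[cname]
        if not in_scope(contract, s, d):
            continue
        for subject in contract.subjects:
            if any(f.matches(protocol, dport) for f in subject.filters):
                return cname
    return None                                      # no contract matched: whitelist denies

def sample_fabric() -> Fabric:
    """Constructed tenant Acme: Web -> App on tcp/8080, App -> DB on tcp/5432, and every
    EPG in VRF prod reaches Infra for DNS through one vzAny relation instead of one per EPG."""
    fab = Fabric()
    for name, ap, vrf in [("Web", "Shop", "prod"), ("App", "Shop", "prod"), ("DB", "Shop", "prod"),
                          ("Infra", "Shared", "prod"), ("Lab", "Shop", "lab")]:
        fab.epgs[name] = EPG(name, "Acme", ap, vrf)

    def add_contract(name: str, scope: str, proto: str, port: int) -> None:
        subject = Subject(f"{name}-subj", (Filter(f"{name}-flt", proto, port, port),))
        fab.contracts[name] = Contract(name, "Acme", scope, (subject,))

    add_contract("web-to-app", "application-profile", "tcp", 8080)
    add_contract("db-access", "tenant", "tcp", 5432)
    add_contract("dns", "vrf", "udp", 53)
    fab.consumes["Web"] = {"web-to-app"}
    fab.provides["App"] = {"web-to-app"}
    fab.consumes["App"] = {"db-access"}
    fab.provides["DB"] = {"db-access"}
    fab.provides["Infra"] = {"dns"}
    fab.vzany_consumes["Acme/prod"] = {"dns"}
    return fab
```

With the constructed fabric, Web reaching App on tcp/8080 is permitted by web-to-app, but the same pair on tcp/22 and the reverse direction are both dropped, because neither a filter nor a provider relation covers them; Web cannot reach DB at all because it consumes no contract DB provides; and Lab, sitting in VRF lab, gets nothing from the prod VRF's vzAny relation. Running is_allowed over a list of observed flows is a quick way to check an intended policy before pushing it, or to explain why a flow in a trace is being dropped.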