ACI Logical Construct - Tenant/VRF/BD

ACI Logical Construct

The following figure provides an overview of the ACI policy model logical constructs.

The following is an outline of the main components of an ACI tenant. The details of each group are explained in the following order:

  • Logical Policy Grouping

    1. Tenant

    2. Application Profile

  • Network Grouping

    1. Virtual Routing and Forwarding

      • Unique Layer 3 forwarding domain

      • Relation to application profile(s) with their policies

    2. Bridge domain

      • Layer 3 functions

      • Subnet, default gateway

      • Bridge domain = broadcast domain

    3. L3Out

  • Security Grouping

    1. Endpoint Group

      • Named groups of related endpoints, for example, finance

      • Static or dynamic membership

    2. Contracts

      • The rules that govern the interactions of EPGs

      • Contracts determine how applications use the network

Tenant

A tenant is a logical container for application policies that enables an administrator to exercise domain-based access control. The fabric can contain multiple tenants.

The main features of a tenant are:

  • Can represent a customer, business unit, or group.

  • Provides a separate profile space.

  • Tenants only see inside their space.

  • Shared services can be defined between tenants.

Three tenants are preconfigured in the system by default, and cannot be deleted:

  • Common: A special tenant that provides services that are common to other tenants in the Cisco ACI fabric. Global reuse is a core principle in the common tenant. Examples of common services include Domain Name System (DNS), DHCP, and Active Directory.

  • Infra: The infrastructure tenant that is used for all internal fabric communications, such as tunnels and policy deployment, including switch-to-switch (leaf, spine, Cisco Application Virtual Switch [AVS], or Cisco Application Virtual Edge [AVE]) and switch-to-APIC. The infra-tenant does not get exposed to other tenants. It has its own VRF and bridge domains. Fabric discovery, image management, and DHCP for fabric functions are all handled within the infra-tenant.

  • Mgmt: The management tenant is provided by the system but can be configured by the fabric administrator. It contains policies that govern the operation of fabric management functions used for in-band and out-of-band configuration of fabric nodes. The management tenant contains a private out-of-band address space for APIC/fabric internal communications; this address space is outside the fabric data path and is reached through the management port of the switches.

User tenants are defined by the administrator according to the needs of users. They contain policies that govern the operation of resources such as applications, databases, web servers, network-attached storage, virtual machines, and so on.

Virtual Routing and Forwarding

A VRF (Virtual Routing and Forwarding instance) is the largest network component in a tenant. It provides an IP address space and a Layer 3 forwarding domain, just like a normal router. Each tenant has its own VRF(s), and all tenant components such as endpoints can only belong to a VRF within the same tenant, except for VRFs in tenant common, which any tenant may use.

Characteristics of VRFs are:

  • Layer 3 Forwarding Domain

  • One or more per Tenant

  • Closed within each Tenant (except for tenant common)

For example, if a separate tenant is created for each organization or department even though none of them needs a dedicated VRF, users will have to configure VRF route leaking between every pair of organizations just so they can talk to each other, which is obviously not a scalable design.
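To make the tenant/VRF scoping rule concrete, here is an added example (not from the original lesson or from Cisco) that builds an ACI tenant object tree in the JSON shape the APIC REST API accepts and checks a proposed design for bridge domains whose VRF lives in neither their own tenant nor tenant common. The class names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet) are ACI's standard object model names; the tenant, VRF, BD and subnet values are constructed sample data.

```python
import json

COMMON = "common"  # the one tenant whose VRFs every other tenant may reference


def mo(cls, attrs, children=None):
    """Wrap one ACI managed object in the {class: {attributes, children}} JSON shape."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def resolve_vrf(tenant, vrf_name, vrfs_by_tenant):
    """Resolve a BD's VRF name the way ACI does: this tenant first, then common.
    Returns the tenant that owns the VRF, or None if the name resolves nowhere."""
    for scope in (tenant, COMMON):
        if vrf_name in vrfs_by_tenant.get(scope, ()):
            return scope
    return None


def check_design(design):
    """Flag every BD whose VRF is in neither its own tenant nor tenant common."""
    vrfs = {t: set(d["vrfs"]) for t, d in design.items()}
    return [f"{t}/{bd}: VRF '{vrf}' not found in tenant {t} or common"
            for t, d in design.items()
            for bd, (vrf, _) in d["bds"].items()
            if resolve_vrf(t, vrf, vrfs) is None]


def tenant_payload(name, spec):
    """Build the fvTenant object tree for a POST to /api/mo/uni.json."""
    kids = [mo("fvCtx", {"name": v}) for v in spec["vrfs"]]
    for bd, (vrf, subnet) in spec["bds"].items():
        kids.append(mo("fvBD", {"name": bd}, [
            mo("fvRsCtx", {"tnFvCtxName": vrf}),                # BD -> VRF relation
            mo("fvSubnet", {"ip": subnet, "scope": "private"}),  # BD default gateway
        ]))
    return mo("fvTenant", {"name": name}, kids)


# Constructed sample design: finance has a dedicated VRF, hr's BD uses the
# shared VRF in common, and sales mistakenly points at finance's VRF.
DESIGN = {
    "common":  {"vrfs": ["shared-vrf"], "bds": {}},
    "finance": {"vrfs": ["fin-vrf"], "bds": {"fin-bd": ("fin-vrf", "10.10.1.1/24")}},
    "hr":      {"vrfs": [], "bds": {"hr-bd": ("shared-vrf", "10.20.1.1/24")}},
    "sales":   {"vrfs": [], "bds": {"sales-bd": ("fin-vrf", "10.30.1.1/24")}},
}

if __name__ == "__main__":
    print("\n".join(check_design(DESIGN)) or "design OK")
    print(json.dumps(tenant_payload("finance", DESIGN["finance"]), indent=1))
```

Only the sales bridge domain is reported: its VRF reference cannot cross into another user tenant, which is exactly the case that pushes designs with one tenant per department into unnecessary route leaking.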
