EPG/Application Profile in ACI

Endpoint Group

EPGs are used to create logical groupings of hosts or servers (endpoints) that perform similar functions within the fabric. ACI defines multiple endpoint groups (EPGs) within a Layer 2 domain (bridge domain, BD) for security isolation on top of the Layer 2 network separation. In ACI, an EPG is therefore a security segment smaller than a Layer 2 domain, and the VLAN ID becomes a parameter for security separation rather than a means of Layer 2 network separation.

Because an EPG is a security separation, no endpoints can talk to each other across EPGs unless this is explicitly allowed by a policy called a contract. Endpoints within the same EPG can talk to each other because they are not segmented from one another.

The EPG features can be summarized in this way:

  • A group to provide more granular segmentation than Layer 2 network separation

  • A group of endpoints with a similar security requirement

  • Unrestricted intra-EPG communication

  • Inter-EPG communication controlled by contracts

  • An EPG belongs to a bridge domain

  • A bridge domain may contain multiple EPGs

Endpoints

Endpoints are devices connected to the network directly or indirectly. ACI learns endpoint information from data-plane traffic as packets from the endpoints enter the ACI fabric, much like MAC learning on a traditional switch.

The information ACI learns and stores about each endpoint is the following:

  • MAC address

  • /32 IP address (/128 for IPv6)

  • EPG to which the endpoint belongs:

    1. Mainly obtained via the VLAN ID

  • The location of the EP:

    1. The local interface on which the EP is learned, or

    2. The TEP IP address of the leaf that learned the EP

To learn EPs and map them into the correct EPG, ACI has components called static path binding and dynamic path binding. These components trunk a VLAN on a leaf interface and tell the leaf which VLAN/interface pair maps to which EPG. For an EPG to be allowed to use a set of VLANs and interfaces, it must be associated with a domain, such as a physical domain, that contains those VLANs and interfaces:

  • Static Path Binding: you statically bind a VLAN and an interface to an EPG manually.

    1. Domain Type: Physical Domain

  • Dynamic Binding: you define a pool of VLAN IDs and a set of interfaces; APIC dynamically selects and binds the appropriate VLAN and interfaces based on communication with a third-party VMM controller such as vCenter or SCVMM.

    1. Domain Type: VMM Domain

Without a proper domain association on an EPG, fault F0467 is raised to warn users that the interface and/or VLAN is not allowed to be used in the EPG. Note that the same applies to Layer 2 Out and Layer 3 Out with a Layer 2 domain and a Layer 3 domain, respectively.

An endpoint is learned and mapped to an EPG when its packet reaches a leaf. Hence, the endpoint sourcing the traffic may or may not be connected to ACI directly. ACI simply learns the source MAC and/or source IP address of the packet as an endpoint and maps it to an EPG based on the VLAN and interface, which means a Layer 2 switch or a blade server switch such as a Cisco UCS Fabric Interconnect can sit between a leaf and the endpoints. In such a scenario, the intermediate switch must be manually configured with the same VLAN as the ACI static/dynamic path binding so that traffic from the endpoints reaches the leaf with the correct VLAN ID. Once the packet reaches a leaf, ACI maps it to an EPG, and bridging is performed within the associated bridge domain. If the destination is in another EPG, a contract is required to allow the packet.

Adding Bare-Metal Servers to Endpoint Groups

Static path binding is used to connect bare-metal servers, VMs without ACI VMM integration, or any other endpoints that lack a dynamic integration with ACI such as VMware vCenter or Microsoft SCVMM.

In the example, there are three bare-metal servers, each with its own VLAN for network connectivity. Server A uses VLAN A, server B uses VLAN B, and so on. ACI needs to classify these servers into the appropriate EPGs based on VLAN and interface. To classify server A into WEB_EPG, a static path binding with VLAN A and Leaf101 eth1/10 must be configured on WEB_EPG.

Hence there will be three static path bindings:

  1. VLAN A and Leaf 101 Eth1/10 on WEB_EPG for server A

  2. VLAN B and Leaf 102 Eth1/10 on APP_EPG for server B

  3. VLAN C and Leaf 103 Eth1/10 on DB_EPG for server C
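As an added illustration that is not part of the original page, the following Python model ties together the learning and enforcement behaviour described above: static path bindings classify frames by (leaf, interface, VLAN) into an EPG, the source MAC/IP is learned as an endpoint, and a frame between two learned endpoints is permitted only within one EPG or across EPGs joined by a contract. It uses the three servers, leaves and EPG names from this scenario; the VLAN numbers (10, 20 and 30 standing in for VLAN A, B and C), MAC and IP addresses are constructed, and the intra-EPG isolation and preferred-group flags correspond to the advanced EPG options described later on the page.

```python
"""Toy model of ACI endpoint learning and EPG-based policy enforcement.

Added illustration, not code from the original page or from Cisco. Static
path bindings classify frames arriving on (leaf, interface, VLAN) into an
EPG, the source MAC/IP is learned as an endpoint of that EPG, and a frame
between two learned endpoints is permitted only inside one EPG or across
EPGs joined by a contract. VLAN numbers, MAC and IP addresses are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: Optional[str]
    epg: str
    leaf: int          # leaf that learned the endpoint
    interface: str     # local interface the endpoint was learned on


@dataclass
class Fabric:
    bindings: dict                                      # (leaf, iface, vlan) -> EPG
    epg_bd: dict                                        # EPG -> bridge domain
    contracts: set = field(default_factory=set)         # frozenset({EPG1, EPG2})
    isolated_epgs: set = field(default_factory=set)     # intra-EPG isolation enforced
    preferred_group: set = field(default_factory=set)   # EPGs marked "Include"
    endpoints: dict = field(default_factory=dict)       # learned MAC -> Endpoint

    def learn(self, leaf, interface, vlan, src_mac, src_ip=None):
        """Classify an incoming frame and learn its source as an endpoint."""
        epg = self.bindings.get((leaf, interface, vlan))
        if epg is None:
            # No EPG owns this VLAN on this interface (for example an
            # intermediate switch sent the wrong tag): nothing is learned
            # and the frame is dropped.
            return None
        ep = Endpoint(src_mac, src_ip, epg, leaf, interface)
        self.endpoints[src_mac] = ep
        return ep

    def permitted(self, src_mac, dst_mac):
        """Decide whether a Layer 2 frame between two learned endpoints passes."""
        src, dst = self.endpoints.get(src_mac), self.endpoints.get(dst_mac)
        if src is None or dst is None:
            return False, "unknown endpoint"
        if src.epg == dst.epg:
            if src.epg in self.isolated_epgs:
                return False, "intra-EPG isolation enforced"
            return True, "same EPG"
        if self.epg_bd[src.epg] != self.epg_bd[dst.epg]:
            return False, "different bridge domain, not bridged"
        if frozenset((src.epg, dst.epg)) in self.contracts:
            return True, "contract"
        if src.epg in self.preferred_group and dst.epg in self.preferred_group:
            return True, "preferred group"
        return False, "no contract between EPGs"


def build_sample_fabric():
    """The page's three bare-metal servers, one static path binding each."""
    fabric = Fabric(
        bindings={
            (101, "eth1/10", 10): "WEB_EPG",   # VLAN A = 10 (constructed)
            (102, "eth1/10", 20): "APP_EPG",   # VLAN B = 20 (constructed)
            (103, "eth1/10", 30): "DB_EPG",    # VLAN C = 30 (constructed)
        },
        epg_bd={"WEB_EPG": "BD1", "APP_EPG": "BD1", "DB_EPG": "BD1"},
        # WEB may talk to APP, APP to DB; WEB never reaches DB directly
        contracts={frozenset(("WEB_EPG", "APP_EPG")),
                   frozenset(("APP_EPG", "DB_EPG"))},
    )
    fabric.learn(101, "eth1/10", 10, "00:00:00:00:00:0a", "10.0.1.10")
    fabric.learn(102, "eth1/10", 20, "00:00:00:00:00:0b", "10.0.1.20")
    fabric.learn(103, "eth1/10", 30, "00:00:00:00:00:0c", "10.0.1.30")
    return fabric


if __name__ == "__main__":
    f = build_sample_fabric()
    for s, d in [("0a", "0b"), ("0a", "0c"), ("0b", "0c")]:
        print(s, "->", d, f.permitted(f"00:00:00:00:00:{s}", f"00:00:00:00:00:{d}"))
```

The model deliberately returns the reason with each decision: when reviewing an ACI design, the useful question is not only whether two servers can talk but which mechanism (same EPG, contract, preferred group) allows it, since a preferred group silently widens reachability in a way a per-contract review would not show.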

The high-level EPG configuration procedure involves these steps:

  1. Create an application profile.

  2. Add the defined EPGs (in this case, WEB_EPG, APP_EPG, and DB_EPG).

To connect a bare-metal server via static path binding, the required EPG configuration in the figure above is the following:

  • Name: EPG name

  • Bridge Domain: Layer 2 domain for this EPG

  • Statically Link with Leaves/Paths: select this to configure static path binding on the next page.

The following are other advanced parameters for your information:

  • Intra-EPG isolation: intra-EPG endpoint isolation policies provide full isolation for virtual or physical endpoints in the same EPG; no communication is allowed between endpoints in an EPG that is operating with isolation enforced. This policy is used when many endpoints need to access the same EPG that provides a common service while the endpoints themselves are not allowed to talk to each other. The default value is Unenforced.

  • Preferred group member: if an EPG is marked as Include in Preferred Group Member, it is put into an internally created contract group in which all members are allowed to communicate with each other without a contract between them. The default is Exclude.

  • Flood in encapsulation: when enabled, the Layer 2 flood domain for this EPG becomes each VLAN encapsulation, like a normal switch, instead of the BD.

  • Statically link with leaves/paths: when this check box is enabled, the next wizard page becomes the configuration for static path binding.

  • Associate to VM domain profiles: when this check box is enabled, the next wizard page becomes the configuration for VMM domain association for dynamic path binding.

First, choose a physical domain from the Physical Domain drop-down list. A domain bundles a VLAN pool with an Attachable Access Entity Profile (AEP, a set of interfaces). By associating a domain, the EPG is allowed to use the VLANs and interfaces of that domain for static path binding.
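To show what the EPG settings above look like as an APIC configuration object, here is an added Python example (not the page's own code and not a Cisco tool). It builds the JSON payload for an application profile with the three EPGs, their bridge domain relation, physical domain association and static path bindings, and pre-checks each binding against the domain's VLAN pool and interfaces, which is the condition the page says otherwise raises fault F0467. The class and attribute names (fvTenant, fvAp, fvAEPg, fvRsBd, fvRsDomAtt, fvRsPathAtt, pcEnfPref, prefGrMemb, floodOnEncap) are from the public APIC object model; the tenant, domain and BD names, the VLAN numbers and the domain's interface list are constructed assumptions.

```python
"""Build an APIC REST payload for an application profile with static path
bindings and pre-check each binding against the EPG's physical domain.

Added example, not the page's own code and not a Cisco tool. Object class
and attribute names follow the public APIC object model; Tenant1,
ThreeTier_AP, BD1, BareMetal_PhysDom, the VLAN numbers and the interface
list of the domain are constructed sample values.
"""
import json


def path_dn(leaf, interface, pod=1):
    """DN of a leaf front-panel port, as referenced by fvRsPathAtt."""
    return f"topology/pod-{pod}/paths-{leaf}/pathep-[{interface}]"


def epg_object(name, bd, domain, bindings, isolated=False, pref_group=False,
               flood_in_encap=False):
    """One fvAEPg with BD relation, domain association and path bindings."""
    children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},              # bridge domain
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{domain}"}}},  # physical domain
    ]
    for leaf, interface, vlan in bindings:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": path_dn(leaf, interface),
            "encap": f"vlan-{vlan}",
            "mode": "regular",            # 802.1Q tagged, as the server sends it
            "instrImedcy": "immediate",
        }}})
    return {"fvAEPg": {
        "attributes": {
            "name": name,
            "pcEnfPref": "enforced" if isolated else "unenforced",   # intra-EPG isolation
            "prefGrMemb": "include" if pref_group else "exclude",    # preferred group member
            "floodOnEncap": "enabled" if flood_in_encap else "disabled",
        },
        "children": children,
    }}


def app_profile_payload(tenant, ap_name, epgs):
    """Wrap the EPGs in fvAp/fvTenant so the result can be POSTed to /api/mo/uni.json."""
    return {"fvTenant": {
        "attributes": {"name": tenant},
        "children": [{"fvAp": {"attributes": {"name": ap_name}, "children": epgs}}],
    }}


def check_domain_coverage(epg_specs, domains):
    """Return the EPG names whose bindings use a VLAN or interface that the
    associated domain does not provide; on a real fabric these would raise F0467."""
    bad = []
    for name, domain, bindings in epg_specs:
        vlans, interfaces = domains[domain]
        for leaf, interface, vlan in bindings:
            if vlan not in vlans or (leaf, interface) not in interfaces:
                bad.append(name)
                break
    return bad


# Constructed physical domain: VLAN pool 10-30 on eth1/10 of leaves 101-103.
DOMAINS = {"BareMetal_PhysDom": (range(10, 31),
                                 {(101, "eth1/10"), (102, "eth1/10"), (103, "eth1/10")})}

# (EPG name, domain, [(leaf, interface, VLAN)]); VLAN A/B/C = 10/20/30 (constructed)
SPECS = [
    ("WEB_EPG", "BareMetal_PhysDom", [(101, "eth1/10", 10)]),
    ("APP_EPG", "BareMetal_PhysDom", [(102, "eth1/10", 20)]),
    ("DB_EPG", "BareMetal_PhysDom", [(103, "eth1/10", 30)]),
]


def build_sample():
    """Application profile with the three EPGs of the page's example."""
    epgs = [epg_object(name, "BD1", domain, bindings) for name, domain, bindings in SPECS]
    return app_profile_payload("Tenant1", "ThreeTier_AP", epgs)


if __name__ == "__main__":
    print("uncovered EPGs:", check_domain_coverage(SPECS, DOMAINS))
    print(json.dumps(build_sample(), indent=2))
```

Running check_domain_coverage before posting is the cheap way to catch the F0467 condition in a change review rather than on the fabric; extending it with the domain's real VLAN pool and AEP interface list turns it into a pre-deployment test for any EPG change.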
