VRFs – Describing Cisco ACI


A virtual routing and forwarding (VRF) instance, or context, is a tenant network; a tenant can contain multiple VRFs. A VRF is a unique Layer 3 forwarding and application policy domain, and it defines a Layer 3 address domain. One or more bridge domains are associated with a VRF. All of the endpoints within the Layer 3 domain must have unique IP addresses, because packets can be forwarded directly between these devices whenever the policy allows it; the VRF, not the bridge domain, is the boundary within which addresses must be unique. After an administrator creates a logical device, the administrator can create a VRF for the logical device, which provides a selection-criteria policy for a device cluster. A logical device can be selected based on a contract name, a graph name, or the function node name inside the graph.

Application Profiles

An application profile defines the policies, services, and relationships between endpoint groups (EPGs). Application profiles contain one or more EPGs. Modern applications contain multiple components. For example, an e-commerce application could require a web server, a database server, data located in a storage area network, and access to outside resources that enable financial transactions. The application profile contains as many (or as few) EPGs as are needed to provide the capabilities of that application, grouped because they are logically related.

Endpoint Groups

The endpoint group (EPG) is the most important object in the policy model. An EPG is a managed object: a named logical entity that contains a collection of endpoints. Endpoints are devices connected to the network directly or indirectly. They have an address (identity), a location, and attributes (such as version or patch level), and they can be physical or virtual. Knowing the address of an endpoint also enables access to all its other identity details. Endpoint examples include servers, virtual machines, network-attached storage, or clients on the Internet.

Endpoint membership in an EPG can be dynamic or static. An EPG can be statically configured by an administrator in the APIC, or dynamically configured by an automated system such as vCenter or OpenStack. WAN router connectivity (L3Out) to the fabric is an example of a configuration that uses a static EPG. (More on ACI external connectivity options can be found in Chapter 9, “Operating Cisco ACI.”) Virtual machine management connectivity to VMware vCenter is an example of a configuration that uses a dynamic EPG. Once the virtual machine management domain is configured in the fabric, vCenter triggers the dynamic configuration of EPGs that enable virtual machine endpoints to start up, move, and shut down as needed.

EPGs contain endpoints that have common policy requirements such as security, virtual machine mobility, QoS, and Layer 4 to Layer 7 services. Rather than endpoints being configured and managed individually, they are placed in an EPG and managed as a group. Policies apply to EPGs, never to individual endpoints.

The ACI fabric can contain the following types of EPGs:

  • Application endpoint group
  • Layer 2 external outside network instance endpoint group
  • Layer 3 external outside network instance endpoint group
  • Management endpoint groups for out-of-band or in-band access
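As an added example that is not from the book or from Cisco: the following Python builds the tenant → VRF → bridge domain → application profile → EPG tree described above in the JSON shape the APIC REST API uses. The class names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, fvSubnet and the relation objects fvRsCtx, fvRsBd) are the APIC object-model names; the tenant, VRF, bridge domain and EPG names and the subnets are constructed sample data, and nothing is sent to an APIC. It then runs two design-time checks a reviewer would want before pushing such a tree: that no two bridge domains in one VRF carry overlapping subnets (the Layer 3 address-domain rule above; the same prefix in two different VRFs is fine), and that every EPG's bridge domain and every bridge domain's VRF actually exist in the tenant.

```python
"""Build a Cisco ACI tenant policy tree as APIC-style JSON and sanity-check it.

Added example; the APIC class names are real, but the tenant below
(names, subnets) is constructed sample data and nothing is posted anywhere.
"""
import ipaddress
import json


def mo(cls, name, children=(), **attrs):
    """One managed object in APIC JSON form: {cls: {"attributes": ..., "children": [...]}}."""
    return {cls: {"attributes": {"name": name, **attrs}, "children": list(children)}}


def bridge_domain(name, vrf, subnets):
    """A bridge domain bound to its VRF via fvRsCtx, with one fvSubnet per gateway address."""
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
    children += [{"fvSubnet": {"attributes": {"ip": s}}} for s in subnets]
    return mo("fvBD", name, children)


def epg(name, bd):
    """An application EPG bound to its bridge domain via fvRsBd."""
    return mo("fvAEPg", name, [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}])


def build_tenant():
    """Constructed sample: one tenant, one VRF, two BDs, one application profile with two EPGs."""
    return mo("fvTenant", "Retail", [
        mo("fvCtx", "prod-vrf"),
        bridge_domain("web-bd", "prod-vrf", ["10.1.1.1/24"]),
        bridge_domain("db-bd", "prod-vrf", ["10.1.2.1/24"]),
        mo("fvAp", "ecommerce", [epg("web", "web-bd"), epg("db", "db-bd")]),
    ])


def to_json(tenant):
    """Serialise the tree the way it would be POSTed to the APIC (body only)."""
    return json.dumps(tenant, indent=2)


def subnets_per_vrf(tenant):
    """Map VRF name -> [(bridge domain name, network)] from every fvBD's fvSubnet children."""
    result = {}
    for child in tenant["fvTenant"]["children"]:
        if "fvBD" not in child:
            continue
        bd = child["fvBD"]
        vrf, nets = None, []
        for c in bd["children"]:
            if "fvRsCtx" in c:
                vrf = c["fvRsCtx"]["attributes"]["tnFvCtxName"]
            elif "fvSubnet" in c:
                # The gateway is written host/prefix; keep only the network it implies.
                nets.append(ipaddress.ip_interface(c["fvSubnet"]["attributes"]["ip"]).network)
        result.setdefault(vrf, []).extend((bd["attributes"]["name"], n) for n in nets)
    return result


def overlapping_subnets(tenant):
    """(vrf, bd_a, bd_b) for every pair of bridge domains in one VRF whose subnets overlap.

    A VRF is a single Layer 3 address domain, so overlapping prefixes on two of
    its bridge domains would give endpoints non-unique addresses. Reusing a
    prefix in a different VRF is not flagged: that is a separate address domain.
    """
    clashes = []
    for vrf, entries in subnets_per_vrf(tenant).items():
        for i, (bd_a, net_a) in enumerate(entries):
            for bd_b, net_b in entries[i + 1:]:
                if net_a.overlaps(net_b):
                    clashes.append((vrf, bd_a, bd_b))
    return clashes


def dangling_references(tenant):
    """(class, name) for BDs whose VRF is missing and EPGs whose bridge domain is missing."""
    children = tenant["fvTenant"]["children"]
    vrfs = {c["fvCtx"]["attributes"]["name"] for c in children if "fvCtx" in c}
    bds = {c["fvBD"]["attributes"]["name"] for c in children if "fvBD" in c}
    problems = []
    for c in children:
        if "fvBD" in c:
            for r in c["fvBD"]["children"]:
                if "fvRsCtx" in r and r["fvRsCtx"]["attributes"]["tnFvCtxName"] not in vrfs:
                    problems.append(("fvBD", c["fvBD"]["attributes"]["name"]))
        elif "fvAp" in c:
            for e in c["fvAp"]["children"]:
                for r in e["fvAEPg"]["children"]:
                    if "fvRsBd" in r and r["fvRsBd"]["attributes"]["tnFvBDName"] not in bds:
                        problems.append(("fvAEPg", e["fvAEPg"]["attributes"]["name"]))
    return problems


if __name__ == "__main__":
    tenant = build_tenant()
    print(to_json(tenant))
    print("overlaps:", overlapping_subnets(tenant))
    print("dangling:", dangling_references(tenant))
```

The checks are deliberately run against the policy tree rather than against the fabric: the uniqueness rule is a property of the VRF as a Layer 3 domain, so a reviewer can catch a subnet that overlaps another bridge domain in the same VRF, or an EPG pointing at a bridge domain that was renamed, before the configuration is applied.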

