Understanding the Cisco ACI Policy Model

Carly Stoughton, a Technical Marketing Engineer at Cisco, presented an in-depth look at the Cisco ACI policy model during a Tech Field Day session on February 13, 2015. She emphasized the unique aspects of the ACI policy model, which focuses on the needs of applications rather than the traditional method of configuring individual network devices. Stoughton illustrated how ACI simplifies network management by defining who is on the network, who can communicate with whom, and what they are allowed to discuss. This approach contrasts with the traditional method of configuring multiple routers, switches, firewalls, and load balancers individually. The ACI policy model uses endpoint groups (EPGs) to categorize network entities that require similar treatment, and it employs a whitelist model where no communication is allowed until explicitly permitted through policies known as contracts.

Stoughton explained that an application typically consists of a front-end web tier, application servers, and a backend database, along with shared services like Active Directory, DHCP, and DNS. These components are grouped into EPGs, which are collections of endpoints needing similar network treatment. The ACI policy model is different from traditional Ethernet networks, as it does not allow any communication by default. Instead, it requires explicit policies, or contracts, to be defined to permit communication between EPGs. These contracts can specify actions such as permit, deny, redirect, log, or copy, and can be unidirectional or bidirectional. The policies are enforced at the leaf switches, which tag packets with source EPG information to ensure proper policy enforcement across the network fabric.

The session also covered the technical aspects of how ACI handles traffic and policy enforcement. Stoughton discussed various methods for defining EPGs, including VLANs, VXLAN tags, physical ports, and virtual ports. She highlighted the flexibility of the ACI policy model in integrating with existing network environments and its ability to support stateful and stateless filtering. The ACI fabric uses a spine-leaf architecture, ensuring predictable latency and bandwidth. Stoughton also touched on the role of the APIC controller cluster, which manages policy configurations and can be interacted with through a GUI or API. The APIC supports automated backups and the export of configurations for version control. Overall, the presentation showcased how the ACI policy model brings a new level of simplicity and efficiency to network management by aligning network configurations with application requirements.