思科SDN网络构架秘籍

The Cisco Application Policy Infrastructure

Controller

grouped via policies. Physically, ACI is a high-speed, multipath leaf and spine (bipartite graph) fabric.

The APIC is a unified point of policy-driven configuration. The primary function of the APIC is to provide policy

authority and policy resolution mechanisms for the Cisco ACI and ACI-attached devices. Automation is provided as

a direct result of policy resolution and of rendering its effects onto the Cisco ACI fabric.

The APIC communicates in the infrastructure VLAN (in-band) with the Cisco ACI spine and leaf nodes to distribute

policies to the points of attachment (Cisco leaf) and provide a number of key administrative functions to the Cisco

ACI. The APIC is not directly involved in data plane forwarding, so a complete failure or disconnection of all APIC

elements in a cluster will not result in any loss of existing datacenter functionality.

In general, policies are distributed to nodes as needed upon endpoint attachment or by an administrative static

endpoints with identical network and semantic behaviors as endpoint groups. Policies are specified per interaction

among such endpoint groups.

Key features of the Cisco APIC:

●

Application centric network policies

●

Data model-based declarative provisioning

●

ACI inventory and configuration

●

Implementation on a distributed framework across a cluster of appliances

A single APIC cluster supports over 1 million ACI endpoints, more than 200,000 ports, and more than 64,000

tenants and provides centralized access to ACI information through a number of interfaces, including an object-

oriented RESTful API with XML and JSON bindings, a modernized user-extensible command-line interface (CLI),

and a GUI. All methods are based on a model of equal access to internal information. Furthermore, APIC clusters

The APIC is a network policy control system. However, it is not a network element management system and should

●

Fault and event management

●

System and configuration tools

●

Performance management

●

Automation tools

●

Orchestration frameworks

●

Cloud management

●

IP address management (IPAM)

A tenant is a logical container or a folder for application policies. It can represent an actual tenant, an organization,

or a domain or can just be used for the convenience of organizing information. A normal tenant represents a unit of

tenants. This way, we do not dictate a specific rigidly constrained tenancy model. The endpoint policy specifies a

The Cisco ACI is conceptualized as a distributed overlay system with external endpoint connections controlled and

grouped via policies. The central concept here is to group endpoints (EPs) with identical semantics into endpoint

groups (EPGs) and then write policies that regulate how such groups can interact with each other. These policies

provide rules for connectivity, visibility (access control), and isolation of the endpoints. The APIC’s primary

responsibility is distributing, tracking, and updating such policies to corresponding Cisco ACI nodes as client

endpoint connectivity to the Cisco ACI is established, changed, or removed. Endpoint policy control consists of two

logically coupled elements:

yet created) endpoints.

Endpoints and their ACI attachment location may or may not be known when the EPG is initially defined on the

APIC. Therefore, endpoints either can be prespecified into corresponding EPGs (statically at any time) or can be

added dynamically as they are attached to the ACI. Endpoints are tracked by a special endpoint registry

mechanism of the policy repository. This tracking serves two purposes: It gives the APIC visibility into the attached

endpoints and dictates policy consumption and distribution on the Cisco leaf switches.

An endpoint group (EPG) is a collection of endpoints with identical ACI-level behaviors and requirements. The

practical implication of the EPG in relation to the VM management layer is that it can be thought of as a vSphere

port group, or as a network as defined in the OpenStack Neutron API. Groups have an “application-tier-like”

semantic at the application metadata level, where a web server connects to the network as a member of the EPG

application tiers such as connectivity, visibility, service insertion, packet quality of service (QoS), etc. A contract

allows a user to specify rules and policies for groups of physical or virtual endpoints without understanding any

specific identifiers or even who is providing the service or who is consuming it, regardless of the physical location

of the devices (Figure 4). This abstraction of specificity makes the Cisco policy model truly object oriented and

highly flexible. Each contract consists of a filtering construct, which is a list of one or more classifiers (IP address,

TCP/UDP ports, etc.), and an action construct that dictates how the matching traffic is handled (allow, apply QoS,

log traffic, etc.).

Another implication of the contract filters is their effect on the distribution of policy and endpoint visibility