Design

EPG vs. ESG

The evolution of Cisco ACI’s security model from EPGs to ESGs represents a significant maturation of the platform. EPGs were instrumental in ACI’s original design, but because an EPG is bound to a single bridge domain, policy and forwarding are tightly coupled, which becomes awkward in large-scale and complex environments. The ESG model directly addresses these limitations by providing a more flexible, scalable, and operationally efficient approach to security.

The ESG’s ability to decouple security policy from forwarding, widen its scope from a bridge domain to the VRF, and classify endpoints with dynamic selectors (IP subnet, policy tag, or existing EPG) lets network professionals align their security posture with business logic in a way that was not previously possible. This shift not only simplifies complex tasks such as route leaking and brownfield migrations but also conserves policy TCAM on the leaf switches, since endpoints spread across many bridge domains can share one security group.

The decision of whether to primarily use EPGs or ESGs hinges on your specific application requirements and design philosophy.
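To make the selector idea concrete, the following is an added example written for this page (not configuration taken from the original post or from Cisco): one VRF-scoped ESG expressed in the APIC object model, classifying endpoints by an IP prefix, by a policy tag, and by membership of an existing EPG. The tenant, VRF, application profile, ESG, contract and EPG names, the 10.1.20.0/24 prefix, and the role=web tag are all assumptions. The tag and EPG selectors were added in later ACI releases than the IP selector, so check the release notes for your version before relying on them.

```xml
<!-- Added example, not from the original post. Names and prefix are assumptions. -->
<fvTenant name="Prod">
  <!-- The VRF that the ESG is scoped to -->
  <fvCtx name="Prod-VRF"/>
  <fvAp name="Web-App">
    <fvESg name="Web-ESG">
      <!-- ESG scope is the VRF, not a bridge domain: endpoints in any BD of this VRF qualify -->
      <fvRsScope tnFvCtxName="Prod-VRF"/>
      <!-- IP subnet selector: any endpoint learned in 10.1.20.0/24 joins the ESG -->
      <fvEPSelector matchExpression="ip=='10.1.20.0/24'"/>
      <!-- Policy tag selector: endpoints tagged role=web join the ESG -->
      <fvTagSelector matchKey="role" matchValue="web" valueOperator="equals"/>
      <!-- EPG selector for brownfield migration: every endpoint of the legacy EPG
           is classified into this ESG without re-cabling or re-addressing -->
      <fvEPgSelector matchEpgDn="uni/tn-Prod/ap-Web-App/epg-Web-EPG"/>
      <!-- Contracts attach to the ESG exactly as they would to an EPG -->
      <fvRsCons tnVzBrCPName="web-to-app"/>
    </fvESg>
  </fvAp>
</fvTenant>
```

Because all three selectors resolve to the same ESG, the contract "web-to-app" is consumed by every matching endpoint regardless of which bridge domain or EPG originally learned it; that is the decoupling of policy from forwarding described above, and it is also why one ESG can replace several per-bridge-domain EPGs and their associated policy TCAM entries.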


VxLAN EVPN Fabric L4-L7 Connectivity – vPC or PC

In a VXLAN EVPN fabric, L4-L7 connectivity plays a vital role in securing and optimizing network traffic. L4-L7 services are typically connected to the leaf switches, often referred to as service leaf switches. The choice between a dual-attached (vPC) and single-attached (port-channel) L4-L7 service node design for a VXLAN EVPN fabric depends heavily on the specific requirements


Underlay Multicast Routing for VxLAN BUM Traffic

Belete Ageze – 2xCCIE | CCDE

Overview

While Cisco VxLAN uses BGP EVPN for the control plane, it still needs a mechanism to deliver Broadcast, Unknown Unicast, and Multicast (BUM) traffic across the VxLAN fabric. VxLAN fabrics typically rely on multicast replication in the underlay network to forward BUM traffic efficiently. Although ingress replication serves as an


ACI Multi-site Object Naming Consideration

Designing ACI multi-site object names should not be an afterthought, because the names have implications when inter-site communication is deployed. When a contract with the right scope is applied between site-local EPGs, the ACI objects are mirrored on the remote sites. The mirrored objects appear as if they were deployed in each of those sites’ controllers, while actually being deployed in only one of the sites. These mirrored objects are called “shadow” objects, and they appear with the same names as the ones deployed directly to each site. Because shadow objects are required for inter-site communication between site-local EPGs, this blog focuses on the ACI multi-site object naming considerations an engineer needs to be aware of.
