Contract Priority

EPG vs. ESG

The evolution of Cisco ACI’s security model from EPGs to ESGs represents a significant maturation of the platform. While EPGs were instrumental in ACI’s original design, their tightly coupled nature presented challenges in large-scale and complex environments. The ESG model directly addresses these limitations by providing a more flexible, scalable, and operationally efficient approach to security.

The ESG’s ability to decouple security policy from forwarding, expand its scope to the VRF level, and leverage dynamic endpoint selectors allows network professionals to align their security posture with business logic in a way that was not previously possible. This shift not only simplifies complex tasks like route leaking and brownfield migrations but also conserves valuable hardware resources.

The decision of whether to primarily utilize EPGs or ESGs hinges on your specific application requirements and design philosophy.


ACI Application Centric Deployment (ACD) and Subnet Sharing with Route Leaking

Overview: In Cisco ACI, route leaking enables applications and services to communicate across Virtual Routing and Forwarding (VRF) instances. This allows traffic to flow through the network infrastructure even when applications are placed in separate VRFs for security or isolation reasons. Route leaking achieves this by sharing routing information


Cisco ACI Contract

The Cisco ACI security architecture is allow-list based: any traffic flow that is to be permitted must be explicitly defined. The contract is the foundation of that architecture; it defines which communication is allowed between EPGs or ESGs. A contract relationship can exist between ESGs, between EPGs (regular or uSeg EPGs), or within a single EPG or ESG as an intra-EPG contract.


ACI Contract Priority

This blog post focuses on ACI contract priority. A contract is applied in a provider/consumer relationship, and the leaf programs the resulting security policy as zoning rules in TCAM (Ternary Content Addressable Memory). A zoning rule entry defines an action (permit, deny, redirect, log) based on the source EPG, the destination EPG, and a filter. The source and destination EPGs are represented by a unique class ID (pcTag). Zoning rules are per VRF, identified by a unique scope, and each rule carries a priority. The lower the priority value, the higher the precedence: a zoning rule with a lower value wins over a zoning rule with a higher value. When traffic between EPGs matches more than one zoning rule, the matching rule with the lowest priority value decides the action applied to the flow.
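The resolution rule above (collect every matching zoning rule in the flow's VRF scope, then let the lowest priority value win regardless of table order) can be made concrete with a small model. The following is an added example written for this page, not Cisco's code and not a parser of real leaf output: the VRF scope, the pcTags, the rule names and the priority values (7, 9, 21) are constructed illustrative values, and `ANY` is this model's own wildcard for "any source", "any destination" or "any filter".

```python
# Added example (not Cisco's code): a small model of ACI-style zoning-rule
# resolution. A flow is matched against every rule in its VRF scope and the
# matching rule with the LOWEST priority value wins, whatever the table order.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # wildcard for source class, destination class, or filter (model's own convention)


@dataclass(frozen=True)
class ZoningRule:
    name: str
    scope: int                                   # VRF scope the rule belongs to
    src_pctag: Optional[int]                     # source class ID, ANY = any source
    dst_pctag: Optional[int]                     # destination class ID, ANY = any destination
    filt: Optional[FrozenSet[Tuple[str, int]]]   # {(proto, dport)}, ANY = all traffic
    action: str                                  # permit | deny | redirect | log
    priority: int                                # lower value = higher precedence


def rule_matches(rule: ZoningRule, scope: int, src: int, dst: int,
                 proto: str, dport: int) -> bool:
    """True if the flow (scope, src pcTag, dst pcTag, proto, dport) is covered by the rule."""
    if rule.scope != scope:
        return False
    if rule.src_pctag is not ANY and rule.src_pctag != src:
        return False
    if rule.dst_pctag is not ANY and rule.dst_pctag != dst:
        return False
    if rule.filt is not ANY and (proto, dport) not in rule.filt:
        return False
    return True


def resolve(rules: List[ZoningRule], scope: int, src: int, dst: int,
            proto: str, dport: int) -> Optional[ZoningRule]:
    """Return the winning zoning rule for a flow, or None if no rule in that scope matches.

    All matching rules are collected first, so the position of a rule in the
    table is irrelevant; only the priority value decides. Two matching rules
    with the same priority value are reported as an error because tie-breaking
    is outside what this model covers.
    """
    matches = [r for r in rules if rule_matches(r, scope, src, dst, proto, dport)]
    if not matches:
        return None
    matches.sort(key=lambda r: r.priority)
    if len(matches) > 1 and matches[0].priority == matches[1].priority:
        raise ValueError(f"priority tie between {matches[0].name} and {matches[1].name}")
    return matches[0]


# Constructed sample table (hypothetical scope, pcTags and priority values).
VRF_SCOPE = 2392064
WEB, DB, OTHER = 16386, 32770, 49154

RULES = [
    # Broad permit web -> db on any filter; listed first on purpose.
    ZoningRule("web_to_db_any", VRF_SCOPE, WEB, DB, ANY, "permit", 9),
    # Narrower deny for web -> db SSH; lower value, so it beats the permit above.
    ZoningRule("web_to_db_deny_ssh", VRF_SCOPE, WEB, DB, frozenset({("tcp", 22)}), "deny", 7),
    # Catch-all deny that represents the allow-list default; highest value, loses to everything.
    ZoningRule("implicit_deny", VRF_SCOPE, ANY, ANY, ANY, "deny", 21),
]


def decide(src: int, dst: int, proto: str, dport: int) -> str:
    """Convenience wrapper over RULES returning 'rule-name/action' or 'no-rule'."""
    winner = resolve(RULES, VRF_SCOPE, src, dst, proto, dport)
    return "no-rule" if winner is None else f"{winner.name}/{winner.action}"


if __name__ == "__main__":
    for flow in [(WEB, DB, "tcp", 22), (WEB, DB, "tcp", 3306), (OTHER, DB, "tcp", 3306)]:
        print(flow, "->", decide(*flow))
```

Running the block shows the three outcomes a practitioner checks when debugging a contract: the specific deny (7) overrides the broad permit (9) for SSH, MySQL from web to db falls through to the permit, and a source class with no explicit rule lands on the catch-all deny. Feeding a flow with a different scope value returns no rule at all, which is the reminder that zoning rules never cross VRF scopes.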


ACI Contract

The ACI security architecture plays a foundational role in Zero Trust and micro-segmentation initiatives in the data center. This blog post discusses ACI contract structure, contract inheritance, and contract labels. EPG/ESG classification, policy enforcement, and ways of deploying contracts from the macro to the micro level are also covered.
