Cisco ACI Basics : EPG and Contracts

Today I am going to talk about basic policy management in Cisco ACI, which decides who is allowed to talk to whom. If you recall my earlier post on SGTs (Security Group Tags), which we use in the SD-Access campus to tag users, Cisco ACI in the data center uses EPGs (Endpoint Groups) for the same job.

So let's look at EPGs and the contracts defined between them in Cisco ACI. An EPG is a group of endpoints that share the same policy; in the data center most endpoints are servers, physical or virtual. Communication between EPGs is governed by contracts, and a contract behaves much like an access list: if a server in one EPG wants to talk to a server in another EPG, there must be a contract between the two EPGs whose filter contains a permit entry for that traffic, which you configure in the APIC GUI.

Put simply, an EPG provides a contract when it has a listening socket for incoming requests. For example, an EPG that hosts web servers should be configured as the provider of a contract that includes TCP ports 80 and 443, and the client-side EPG is configured as a consumer of that web contract.

Fig 1.1- Cisco ACI- EPG Contracts

If you want to use the Cisco ACI fabric as a simple routed or switched fabric, you can configure a permit-all contract that every EPG both provides and consumes, and map each EPG to familiar constructs such as VLANs.

The segmentation needs expressed as EPGs, together with their binding and classification requirements, are rendered on each leaf switch with well-known constructs such as VLANs or VRF instances.

Communication policy enforcement also uses well-known constructs, inbound and outbound 5-tuple match permits and denies, and is performed in hardware by additional application-specific integrated circuits (ASICs) developed by Cisco.

When you define a configuration, it is expressed in terms of a policy that defines:
  • which servers can talk to each other;
  • what the servers can talk about (for instance, which Layer 4 ports can be used, potentially defined as "any any" to allow all communication).
Cisco ACI uses a whitelist model: two EPGs cannot talk unless a contract expresses which traffic is allowed. The firewall in Fig 1.1 represents the default filtering that the contract performs. Note that this applies between EPGs: endpoints inside the same EPG can talk to each other freely unless intra-EPG isolation is enabled.
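To make the provider/consumer and whitelist behaviour concrete, here is an added example (not from the original post or from Cisco) that builds the web contract described above as an APIC-style policy tree and then evaluates sample flows against it. The class and attribute names (fvTenant, fvAp, fvAEPg, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsProv, fvRsCons, revFltPorts) are taken from the APIC object model as I know it and are not mentioned in the post; the tenant, EPG, contract and filter names are made up for the example. The evaluator is a simplified model of what the leaf enforces: consumer-to-provider traffic must match a filter entry on the destination port, the return path is allowed only because the subject reverses the filter ports, and anything without a contract is dropped.

```python
"""Added example: an ACI contract as an APIC-style policy tree, plus a small
evaluator that applies the whitelist model to constructed sample flows.
APIC class/attribute names are assumed from the APIC object model; the
tenant, EPG, contract and filter names are made up for this example."""


def build_web_policy():
    """Tenant 'Demo': EPG 'Web' provides, EPG 'Client' consumes, a contract
    permitting TCP 80 and 443. EPG 'DB' has no contract at all. This is the
    shape of tree an APIC accepts on POST /api/mo/uni.json (constructed)."""
    return {"fvTenant": {"attributes": {"name": "Demo"}, "children": [
        {"vzFilter": {"attributes": {"name": "web-ports"}, "children": [
            {"vzEntry": {"attributes": {"name": "http", "etherT": "ip", "prot": "tcp",
                                        "dFromPort": "80", "dToPort": "80"}}},
            {"vzEntry": {"attributes": {"name": "https", "etherT": "ip", "prot": "tcp",
                                        "dFromPort": "443", "dToPort": "443"}}}]}},
        {"vzBrCP": {"attributes": {"name": "web"}, "children": [
            # revFltPorts=yes lets the provider's replies (src port 80/443) back out
            {"vzSubj": {"attributes": {"name": "web-subj", "revFltPorts": "yes"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "web-ports"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "App"}, "children": [
            {"fvAEPg": {"attributes": {"name": "Web"}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "web"}}}]}},
            {"fvAEPg": {"attributes": {"name": "Client"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "web"}}}]}},
            {"fvAEPg": {"attributes": {"name": "DB"}}}]}}]}}


def _children(mo, cls):
    """Yield child managed objects of class `cls` under `mo`."""
    for child in mo.get("children", []):
        if cls in child:
            yield child[cls]


def index_policy(policy):
    """Flatten the tree into filters, contracts and EPG provide/consume sets."""
    t = policy["fvTenant"]
    filters = {f["attributes"]["name"]: [e["attributes"] for e in _children(f, "vzEntry")]
               for f in _children(t, "vzFilter")}
    contracts = {}
    for c in _children(t, "vzBrCP"):
        subjects = []
        for s in _children(c, "vzSubj"):
            names = [r["attributes"]["tnVzFilterName"] for r in _children(s, "vzRsSubjFiltAtt")]
            subjects.append((names, s["attributes"].get("revFltPorts", "yes") == "yes"))
        contracts[c["attributes"]["name"]] = subjects
    epgs = {}
    for ap in _children(t, "fvAp"):
        for epg in _children(ap, "fvAEPg"):
            prov = {r["attributes"]["tnVzBrCPName"] for r in _children(epg, "fvRsProv")}
            cons = {r["attributes"]["tnVzBrCPName"] for r in _children(epg, "fvRsCons")}
            epgs[epg["attributes"]["name"]] = (prov, cons)
    return filters, contracts, epgs


def _entry_matches(entry, proto, port):
    """APIC uses the literal 'unspecified' as the wildcard for each field."""
    if entry.get("etherT", "unspecified") not in ("ip", "unspecified"):
        return False
    if entry.get("prot", "unspecified") not in (proto, "unspecified"):
        return False
    lo, hi = entry.get("dFromPort", "unspecified"), entry.get("dToPort", "unspecified")
    return lo == "unspecified" or int(lo) <= port <= int(hi)


def is_permitted(policy, src_epg, dst_epg, proto, dport, sport=None):
    """Whitelist check. Permit only if a contract consumed by src and provided
    by dst matches the destination port, or (return path) a contract provided
    by src and consumed by dst has revFltPorts and matches the source port."""
    filters, contracts, epgs = index_policy(policy)
    if src_epg not in epgs or dst_epg not in epgs:
        return False                      # unclassified endpoint: no policy, dropped
    if src_epg == dst_epg:
        return True                       # intra-EPG traffic is permitted by default
    src_prov, src_cons = epgs[src_epg]
    dst_prov, dst_cons = epgs[dst_epg]
    for name in src_cons & dst_prov:      # consumer -> provider direction
        for filter_names, _rev in contracts[name]:
            if any(_entry_matches(e, proto, dport) for fn in filter_names for e in filters[fn]):
                return True
    if sport is not None:                 # provider -> consumer return traffic
        for name in src_prov & dst_cons:
            for filter_names, rev in contracts[name]:
                if rev and any(_entry_matches(e, proto, sport)
                               for fn in filter_names for e in filters[fn]):
                    return True
    return False


if __name__ == "__main__":
    p = build_web_policy()
    for flow in [("Client", "Web", "tcp", 443, None), ("Client", "Web", "tcp", 22, None),
                 ("Web", "Client", "tcp", 51234, 443), ("Client", "DB", "tcp", 3306, None)]:
        print(flow, "PERMIT" if is_permitted(p, *flow) else "DENY")
```

Running the block prints a permit for the client's HTTPS request and for the server's reply, and a deny for SSH to the web tier and for any traffic to the DB EPG, which has no contract. Without `revFltPorts` the reply from Web to Client would also be denied, which is the first thing to check when a contract "permits the port" but the TCP handshake never completes.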