The traditional network has a dependency on the IP subnet or on VLANs, where applications are recognized by their IP address or VLAN. In order to have a common broadcast domain for a set of services like Web, APP or DB, the general practice is to consider one network having one VLAN. We map services like APP/DB/Web to IP addresses. Therefore, it is right to say that in traditional network setups servers are not recognized by their services but by their IP address.

If we wish to separate the traffic, segmentation has to be based on either L2 (VLAN or MAC) or L3 (IP subnet), which means one department's traffic is segregated from another department's using VLANs. If we wish to implement policy (QoS, ACL and segmentation) for a server, it is configured on the L3 hop (the gateway device), and the forwarding decision is then made based on those policies. Since the policies are built on the IP subnet or VLAN, any change of IP subnet or VLAN makes all such policies (QoS, ACL, segmentation) ineffective, and consequently they need to be updated or configured anew.

Contrary to the above-described scenarios, ACI does not perform segregation based on VLANs; instead, it uses Tenants and VRFs (Private Networks) to provide IP address isolation. End Point Groups (EPGs) are used to group policies on an object. Bridge Domains are used to provide multicast and broadcast isolation (like VLANs). All these components are required to contain routed traffic. VRFs, Bridge Domains and EPGs are all subsets of Tenants: Private Networks have a direct relationship with Bridge Domains, while the others are parent-child relationships. Subnets and Bridge Domains are children of Tenants. As shown in the above diagram, a Tenant may have multiple Private Networks, a Private Network may be linked to multiple Bridge Domains and, in the same way, a Bridge Domain may have multiple child subnets.

Below is the detailed information on the components:

Tenants: – A logical unit for management. Tenants can be customers, business units (BUs) or groups that have separate administration and data flows. Tenants provide a secure and exclusive virtual computing environment and can contain multiple Private Networks (VRF instances). Tenants allow re-use of IP address space; multiple tenants may have the same subnets. Take an instance where a company has multiple departments (Sales, HR, Marketing) in its network and all departments require separation along their business and operational boundaries. Tenants would help to create the different departments, each with its own private network. One tenant cannot talk with another tenant.

Cisco ACI Tenant
By default, we have three ACI tenants in Cisco ACI:
Common Tenant: – Provides common services to all tenants: shared L3, shared Private Network, shared bridge domains, DNS, DHCP, Active Directory.
Infra Tenant: – Internal fabric communication is possible with this tenant, which includes interaction between switch and switch (leaf, spine, Application Virtual Switch (AVS)) and between switch and Application Policy Infrastructure Controller (APIC). The Infra tenant does not have any relationship with user space (tenants) and has its own private network space and bridge domains.
Mgmt Tenant: – Used for in-band and OOB management. It allows us to configure access policies for fabric nodes.

Private Network (VRF): – Provides IP address space isolation for tenants. We can define one or more layer 3 networks (VRF instances) and one or more bridge domains per network.

Bridge Domain: – A container that carries multiple subnets. The BD also holds the default gateway of its subnets. It cannot be considered a VLAN since it carries multiple subnets; however, it is similar to the VLAN layer 2 broadcast domain. It can be considered an advanced VLAN which has multiple subnets in a single broadcast domain. Suppose we have 1000+ SQL servers and administratively they all need to be in a single group since they have the same policies.
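The Tenant / Private Network (VRF) / Bridge Domain / subnet hierarchy described above, modelled in Python as an added example that is not part of the original article: it builds APIC-style REST JSON for two tenants that reuse the same subnets and checks the parent-child rules the text states (a BD binds to a VRF of its tenant, a BD carries several subnets, address space is isolated per VRF). The object class names fvTenant, fvCtx, fvBD, fvRsCtx and fvSubnet are ACI's; the tenant, VRF and BD names, the 10.1.x.0/24 addresses and the checker itself are constructed here and are not APIC's own validation.

```python
import ipaddress

# Constructed payloads in APIC REST JSON shape. fvTenant, fvCtx (VRF), fvBD,
# fvRsCtx and fvSubnet are real ACI classes; all names and addresses are made up.
def tenant(name, vrf, bd, gateways):
    """One tenant holding a VRF and a bridge domain that carries several subnets.
    Each fvSubnet 'ip' is the BD's default-gateway address with its prefix length."""
    return {"fvTenant": {"attributes": {"name": name}, "children": [
        {"fvCtx": {"attributes": {"name": vrf}}},
        {"fvBD": {"attributes": {"name": bd}, "children":
            [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
            + [{"fvSubnet": {"attributes": {"ip": gw}}} for gw in gateways]}}]}}

# Two departments reusing the same address space: legal, because each VRF is
# its own IP space and tenants cannot talk to each other by default.
SALES = tenant("Sales", "Sales-VRF", "Sales-BD", ["10.1.1.1/24", "10.1.2.1/24"])
HR = tenant("HR", "HR-VRF", "HR-BD", ["10.1.1.1/24", "10.1.2.1/24"])

def check_tenant(t):
    """Return problems found in one tenant (empty list if consistent): a BD must
    bind exactly one VRF defined in this tenant (sharing a common-tenant VRF is
    not modelled here), and subnets in the same VRF must not overlap."""
    tn = t["fvTenant"]
    name = tn["attributes"]["name"]
    vrfs = {c["fvCtx"]["attributes"]["name"] for c in tn["children"] if "fvCtx" in c}
    placed = {}  # vrf name -> [(network, bd name)] already seen in that VRF
    problems = []
    for c in tn["children"]:
        if "fvBD" not in c:
            continue
        bd_name = c["fvBD"]["attributes"]["name"]
        kids = c["fvBD"]["children"]
        ctx = [k["fvRsCtx"]["attributes"]["tnFvCtxName"] for k in kids if "fvRsCtx" in k]
        if len(ctx) != 1 or ctx[0] not in vrfs:
            problems.append(f"{name}/{bd_name}: must bind exactly one VRF of tenant {name}")
            continue
        for k in kids:
            if "fvSubnet" not in k:
                continue
            net = ipaddress.ip_interface(k["fvSubnet"]["attributes"]["ip"]).network
            for other, other_bd in placed.get(ctx[0], []):
                if net.overlaps(other):
                    problems.append(f"{name}/{ctx[0]}: {net} in {bd_name} overlaps {other} in {other_bd}")
            placed.setdefault(ctx[0], []).append((net, bd_name))
    return problems

def check_fabric(*tenants):
    """Validate tenants independently; overlapping subnets across tenants are fine."""
    return [p for t in tenants for p in check_tenant(t)]
```

Running `check_fabric(SALES, HR)` returns an empty list because the duplicate 10.1.1.0/24 lives in two different VRFs; the same subnet twice inside one VRF, or a BD pointing at a VRF the tenant does not define, is reported.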