

5 Jun 2017

Software Defined Networking (SDN) is a technology that lets network devices be managed through a software application, making the configuration process automated and faster.

Each network device has its own management plane, data plane and control plane. Traditional SDN decouples the control plane from the individual devices and moves it into the SDN controller: the controller now owns the control plane, runs the routing protocols, makes all control-plane decisions and pushes the resulting instructions down to the devices.




This type of SDN is known as the stateful approach: the SDN controller acts as the control plane for every network device it manages, and it is responsible for translating policies into commands and pushing them to the devices.

The SDN controller communicates with the devices below it through southbound interfaces. One popular SDN controller is OpenDaylight.

OpenDaylight is an open source SDN platform that can use the OpenFlow protocol as its southbound application programming interface (API) to communicate with network devices that support OpenFlow.

That covers the south side of the controller. North of the controller sit the applications, which talk to the controller through northbound interfaces; applications typically use a REST API to communicate with the controller over the northbound interface.

REST (REpresentational State Transfer) APIs allow communication with the SDN controller over HTTP or HTTPS. Postman is one application that can be used to talk to the SDN controller through the northbound interface. Keep in mind that this interface is effectively the administrative interface of the whole network, because every policy the controller enforces can be changed through it: it should be exposed only over HTTPS and only to authenticated clients.

Cisco takes a somewhat different approach with its controllers, APIC (Application Policy Infrastructure Controller) and APIC-EM (APIC Enterprise Module).

With APIC and APIC-EM the control plane stays on the devices; it is not decoupled from the network devices as in traditional SDN.

The Cisco controllers follow the stateless approach: each network device keeps its own control plane. The controller sends policies to the network devices, and each device is individually responsible for translating those policies into commands.






This is APIC, the controller used in the data center (with ACI), whereas APIC-EM is generally used in the campus, LAN or remote offices.

The best part of APIC-EM is that it can manage traditional devices that do not speak OpenFlow: there is no requirement to run OpenFlow on the southbound interface, so existing devices that know no SDN protocol can still be managed.



APIC-EM communicates with network devices through its southbound interface using Telnet, SSH or SNMP, while the northbound interface still uses REST APIs. In a nutshell: an application sends instructions to APIC-EM through the northbound REST API, and APIC-EM then pushes the configuration, or collects the required information, through the southbound interface using SSH, Telnet or SNMP. (APIC, by contrast, talks to the ACI leaf and spine switches with Cisco's OpFlex protocol rather than OpenFlow.) Note that Telnet and SNMPv1/v2c carry passwords and community strings in clear text; since the controller holds management credentials for every device it manages, the southbound side should use SSH and SNMPv3 wherever the devices support them.


Characteristics of APIC

  • For use in data centers
  • Typical applications found on APIC:
    • Policy Manager: contains the policies and rules that can be applied to endpoint groups
    • Topology Manager: maintains information about the topology
    • Observer: monitors the ACI components
    • Boot Director: handles firmware updates and booting of spine and leaf switches
    • Appliance Director: responsible for forming and controlling the APIC cluster
    • VM Manager: acts as the intermediary between the APIC and virtual machine managers such as vCenter or OpenStack
    • Event Manager: stores events and faults
    • Appliance Element: manages an individual controller appliance




APIC-EM is generally used in a 2-tier infrastructure where the core and distribution layers are collapsed into one.

Characteristics of APIC-EM

  • For use in campus, LAN or WAN
  • Typical applications found on APIC-EM:
    • Network Topology Visualization: dynamically learns the topology and draws maps
    • Cisco IWAN: helps set up Intelligent WAN (IWAN)
    • Path Trace: computes the path traffic takes from any point A to any point B

APIC-EM Dashboard


Hope this post helped give a basic insight into traditional SDN, Cisco's approach with APIC and APIC-EM, and most importantly the difference between APIC and APIC-EM.

Smiles 🙂


Nexus 9K – ACI Mode – PART 2

31 May 2017

Welcome to part 2 of the ACI series. If you want to go through part 1 first, here is the link for reference.

Let's start with the new terms related to ACI that will be used throughout the rest of the ACI discussion.



The picture above shows the relationships between a tenant and the other components. So the first question that arises is: what actually is a tenant?


A tenant in Nexus ACI is the same idea as a customer in a service provider environment: the terminology is different but the concept is the same. A tenant may be understood as a customer, an organization, or a domain within the enterprise, and it is also the unit of administrative separation in the fabric.

Under the tenant we will configure bridge domains, VRFs, application profiles, contracts and filters.



A VRF can be understood the same way as a VRF in a service provider network 🙂. A VRF defines a layer 3 address domain; one or more bridge domains can be associated with a VRF. So the next question that comes to mind: what is a bridge domain?


Bridge-Domain (BD)

A bridge domain represents a layer 2 forwarding domain within the fabric. A bridge domain must be linked to a VRF; it is essentially a container for subnets.

Think of the VRF as defining a unique IP address space; that address space consists of multiple subnets, and these subnets are defined in one or more bridge domains that reference the VRF.

Under the hood each bridge domain is implemented as a VXLAN segment (VXLAN will be covered in detail in the next post), and the fabric allows any-to-any communication regardless of whether the communicating devices are on the same subnet. The important point is that forwarding inside the fabric is host based: the fabric tracks the location of each endpoint, so it does not matter whether two devices are in the same subnet, whereas in traditional routing the subnet is what matters because forwarding is based on subnet routes. Cool feature 🙂


Endpoint Groups

An EPG is a collection of similar endpoints: a logical grouping of objects that require the same policy. Endpoints are devices connected to the network directly or indirectly; examples include servers, virtual machines, network-attached storage, or clients on the Internet.

An EPG can be statically configured by an administrator in the APIC, or dynamically populated by an automated system such as vCenter or OpenStack.


Policy always applies to EPGs, never to an individual endpoint. This makes endpoint classification the real security boundary: whichever EPG an endpoint lands in (by static port/VLAN assignment or by the VM manager) determines the policy it receives, so the classification rules deserve the same scrutiny as the contracts themselves.

Case 1: Endpoints within the same EPG can communicate freely.

Case 2: Endpoints in different EPGs cannot communicate freely; a contract is needed between the EPGs. So what is a contract?



A contract is the policy construct that defines the type of traffic that may pass between EPGs. One EPG provides a contract and another consumes it: when an EPG consumes a contract, the endpoints in the consuming EPG may initiate communication with any endpoint in an EPG that provides that contract.

A contract is required for any communication between EPGs; by default the fabric denies everything between EPGs that a contract does not explicitly permit (a whitelist model). A contract refers to one or more filters.


A contract has the following sub-components:

  • Subject: a group of filters that apply to a specific application or service
  • Filters: used to classify traffic (protocol, ports), much like access-list entries
  • Actions: what to do with the traffic a filter matches; permit, deny and mark are all actions


Let's take an example to understand a contract and its sub-components. Consider a server providing web services, call it the web server, which may offer several sub-applications such as HTTPS, HTTP, FTP, TFTP and so on. We need to impose a different policy on each of these sub-applications. APIC represents these sub-applications or services as subjects. In other words, subjects are combined within a contract to represent the set of rules that define how an EPG communicates with other EPGs.

Filters are defined under a subject, much like an access list for the endpoint groups. The operation to perform on the traffic a filter matches is defined by the action.






Application Profile

An application profile is a group of EPGs together with the policies (contracts) that define the communication between those groups. For example, a Finance application may require a web server, an app server, a DB server and access to the outside network to complete a transaction. The application profile contains all the EPGs that are logically bound together to deliver that application.

A group of physical and virtual servers may be grouped into a single-tier or a 3-tier application. Communication between the three tiers is what makes up the complete application, and this complete application definition is the application profile.



Within the tenant we therefore create filters, which are referenced by contracts; those contracts are then provided and consumed by the different EPGs to complete the 3-tier application profile.
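To make the contract, subject, filter and application-profile relationships above concrete, here is an added example written for this page (it is not Cisco's or the APIC's code). It models a tenant holding the 3-tier Finance application profile described above and resolves whether one endpoint may initiate a flow to another. It assumes one simplification of the ACI model: a contract is provided by one EPG and consumed by another, the consumer may initiate any flow that matches a filter of one of the contract's subjects, and an explicit deny subject overrides a permit. All names, addresses and port numbers are constructed for the example.

```python
# Added teaching model of the ACI policy objects described above; not Cisco/APIC code.
# Assumptions: a contract is provided by one EPG and consumed by another, the consumer may
# initiate flows matching a subject's filter, deny beats permit. All names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Filter:
    """Classifies traffic like one ACL entry: protocol plus destination port range."""
    name: str
    protocol: str              # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, protocol: str, dport: int) -> bool:
        return self.protocol in ("ip", protocol) and self.dport_from <= dport <= self.dport_to

@dataclass
class Subject:
    """A service within a contract: the filters that classify it and the action applied."""
    name: str
    filters: List[Filter]
    action: str = "permit"     # "permit" or "deny"

@dataclass
class Contract:
    name: str
    subjects: List[Subject]

    def decide(self, protocol: str, dport: int) -> Optional[str]:
        """Action of the matching subjects: deny beats permit; None if no filter matches."""
        actions = {s.action for s in self.subjects if any(f.matches(protocol, dport) for f in s.filters)}
        return "deny" if "deny" in actions else ("permit" if actions else None)

@dataclass
class EPG:
    name: str
    bridge_domain: str
    provided: Set[str] = field(default_factory=set)   # contract names this EPG provides
    consumed: Set[str] = field(default_factory=set)   # contract names this EPG consumes

@dataclass
class ApplicationProfile:
    """The EPGs of one application; their contracts define the tier-to-tier communication."""
    name: str
    epgs: List[EPG]

@dataclass
class Tenant:
    name: str
    vrf: str
    bridge_domains: Dict[str, str]   # BD name -> VRF it is linked to (every BD needs a VRF)
    contracts: Dict[str, Contract]
    app_profiles: List[ApplicationProfile]
    endpoints: Dict[str, str]        # endpoint address -> EPG name (static, or learned from a VMM)

    def epg_of(self, endpoint: str) -> Optional[EPG]:
        """Policy applies to EPGs, never to endpoints, so classify the endpoint first."""
        epgs = {e.name: e for ap in self.app_profiles for e in ap.epgs}
        return epgs.get(self.endpoints.get(endpoint, ""))

def resolve(tenant: Tenant, src: str, dst: str, protocol: str, dport: int) -> Tuple[str, str]:
    """May src initiate a protocol/dport flow to dst?  Returns (action, reason)."""
    src_epg, dst_epg = tenant.epg_of(src), tenant.epg_of(dst)
    if src_epg is None or dst_epg is None:
        return "deny", "endpoint not classified into any EPG"
    if src_epg is dst_epg:
        return "permit", "same EPG (%s): endpoints communicate freely" % src_epg.name
    shared = sorted(src_epg.consumed & dst_epg.provided)  # only the consumer side may initiate
    if not shared:
        return "deny", "no contract consumed by %s and provided by %s" % (src_epg.name, dst_epg.name)
    decisions = {tenant.contracts[c].decide(protocol, dport) for c in shared}
    if "deny" in decisions:
        return "deny", "explicit deny subject in contract(s) " + ",".join(shared)
    if "permit" in decisions:
        return "permit", "permitted by contract(s) " + ",".join(shared)
    return "deny", "contract present but no subject filter matches %s/%d" % (protocol, dport)

def finance_tenant() -> Tenant:
    """Constructed 3-tier 'Finance' application profile: outside -> web -> app -> db."""
    http, https = Filter("http", "tcp", 80, 80), Filter("https", "tcp", 443, 443)
    api, sql, ssh = Filter("app-api", "tcp", 8080, 8080), Filter("mysql", "tcp", 3306, 3306), Filter("ssh", "tcp", 22, 22)
    contracts = {
        "web-svc": Contract("web-svc", [Subject("web", [http, https])]),
        "app-svc": Contract("app-svc", [Subject("api", [api])]),
        "db-svc": Contract("db-svc", [Subject("sql", [sql]), Subject("no-mgmt", [ssh], "deny")]),
    }
    outside = EPG("outside", "bd-ext", consumed={"web-svc"})
    web = EPG("web", "bd-web", provided={"web-svc"}, consumed={"app-svc"})
    app = EPG("app", "bd-app", provided={"app-svc"}, consumed={"db-svc"})
    db = EPG("db", "bd-db", provided={"db-svc"})
    return Tenant("Finance", "finance-vrf",
                  {bd: "finance-vrf" for bd in ("bd-ext", "bd-web", "bd-app", "bd-db")},
                  contracts, [ApplicationProfile("finance-3tier", [outside, web, app, db])],
                  {"203.0.113.5": "outside", "10.1.1.10": "web", "10.1.1.11": "web",
                   "10.1.2.10": "app", "10.1.3.10": "db"})

if __name__ == "__main__":
    print(resolve(finance_tenant(), "203.0.113.5", "10.1.3.10", "tcp", 3306))  # outside -> db: no contract
```

Calling `resolve(finance_tenant(), ...)` for the sample flows shows the behaviour the post describes: two web servers talk without any contract because they share an EPG; outside clients reach the web tier on 80/443 but nothing else; the app tier, as provider of `app-svc`, cannot initiate back towards the web tier; and a flow with no contract or no matching filter falls through to the implicit deny. Real APIC contracts add subject priorities and the "apply both directions" and "reverse filter ports" settings that let return traffic through, which this model leaves out.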

We are almost done with the major terms and components involved. Hope this post has helped you get a basic insight into the different components of ACI.

Smiles 🙂


