ACI Terminology - Cisco


ACI Terminology

This chapter contains the following sections:

• ACI Terminology

ACI Terminology

Columns: Cisco ACI Term, Industry Standard Term (Approximation), Description

Cisco ACI Term: Alias
Industry Standard Term (Approximation): Alias
Description: A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias is a field that can be changed. For more details, refer to "Using Tags and Alias" section under "Using the REST API":

Cisco ACI Term: API Inspector
Industry Standard Term (Approximation): —
Description: The API Inspector in the Cisco APIC GUI provides a real-time display of the REST API commands that the Cisco APIC processes to perform GUI interactions.

Cisco ACI Term: App Center
Industry Standard Term (Approximation): —
Description: The Cisco ACI App Center allows you to fully enable the capabilities of the Cisco APIC by writing applications running on the controller. Using the Cisco ACI App Center, customers, developers, and partners are able to build applications to simplify, enhance, and visualize their use cases. These applications are hosted and shared at the Cisco ACI App Center and installed in the Cisco APIC.


Cisco ACI Term: Application Policy Infrastructure Controller (APIC)
Industry Standard Term (Approximation): Approximation of cluster controller
Description: The Cisco APIC, which is implemented as a replicated synchronized clustered controller, provides a unified point of automation and management, policy programming, application deployment, and health monitoring for the Cisco ACI multitenant fabric. The minimum recommended size for a Cisco APIC cluster is three controllers.

Cisco ACI Term: Application Profile
Industry Standard Term (Approximation): —
Description: An application profile (fvAp) defines the policies, services, and relationships between endpoint groups (EPGs).

Cisco ACI Term: Atomic Counters
Industry Standard Term (Approximation): Atomic Counters
Description: Atomic counters allow you to gather statistics about traffic between leafs. Using atomic counters, you can detect drops and misrouting in the fabric, enabling quick debugging and isolation of application connectivity issues. For example, an administrator can enable atomic counters on all leaf switches to trace packets from endpoint 1 to endpoint 2. If any leaf switches have nonzero counters, other than the source and destination leaf switches, an administrator can drill down to those leaf switches.

Cisco ACI Term: Attachable Entity Profile
Industry Standard Term (Approximation): —
Description: An Attachable Access Entity Profile (AEP) is used to group domains with similar requirements. By grouping domains into AEPs and associating them, the fabric knows where the various devices in the domain live and the Application Policy Infrastructure Controller (APIC) can push the VLANs and policy where it needs to be.

Cisco ACI Term: Border Leaf Switches
Industry Standard Term (Approximation): Border Leaf Switches
Description: A border leaf switch is a leaf that is connected to a Layer 3 device, such as external network devices or services like firewalls and router ports. Other devices, such as servers, can also connect to it.

Cisco ACI Term: Bridge Domain
Industry Standard Term (Approximation): Bridge Domain
Description: A bridge domain is a set of logical ports that share the same flooding or broadcast characteristics. Like a virtual LAN (VLAN), bridge domains span multiple devices.


Cisco ACI Term: Cisco ACI Optimizer
Industry Standard Term (Approximation): —
Description: The Cisco ACI Optimizer feature in the Cisco APIC GUI is a Cisco APIC tool that enables you to determine how many leaf switches you will need for your network and suggests how to deploy each application and external EPG on each leaf switch without violating any constraints. It can also help you determine if your current setup has what you need and if you are exceeding any limitations, and it suggests how to deploy each application and external EPG on each leaf switch.

Cisco ACI Term: Cisco Application Virtual Switch (AVS)
Industry Standard Term (Approximation): —
Description: Cisco AVS is a distributed virtual switch that is integrated with the Cisco ACI architecture as a virtual leaf and managed by the Cisco APIC. It offers different forwarding and encapsulation options and extends across many virtualized hosts and data centers defined by the VMware vCenter server.

Cisco ACI Term: Configuration Zones
Industry Standard Term (Approximation): —
Description: Configuration zones divide the Cisco ACI fabric into different zones that can be updated with configuration changes at different times. This limits the risk of deploying a faulty fabric-wide configuration that may disrupt traffic or even bring the fabric down. An administrator can deploy a configuration to a non-critical zone, and then deploy it to critical zones when satisfied that it is suitable. For more details, refer to: Configuration Zones

Cisco ACI Term: Consumer
Industry Standard Term (Approximation): —
Description: An EPG that consumes a service.

Cisco ACI Term: Context or VRF Instance
Industry Standard Term (Approximation): Virtual Routing and Forwarding (VRF) or Private Network
Description: A virtual routing and forwarding instance defines a Layer 3 address domain that allows multiple instances of a routing table to exist and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices. Cisco ACI tenants can contain multiple VRFs.

Cisco ACI Term: Contract
Industry Standard Term (Approximation): Approximation of Access Control List (ACL)
Description: The rules that specify what and how communication in a network is allowed. In Cisco ACI, contracts specify how communications between EPGs take place. Contract scope can be limited to the EPGs in an application profile, a tenant, a VRF, or the entire fabric.


Cisco ACI Term: Distinguished Name (DN)
Industry Standard Term (Approximation): Approximation of Fully Qualified Domain Name (FQDN)
Description: A unique name that describes a MO and locates its place in the MIT.

Cisco ACI Term: Endpoint Group (EPG)
Industry Standard Term (Approximation): Endpoint Group
Description: A logical entity that contains a collection of physical or virtual network endpoints. In Cisco ACI, endpoints are devices connected to the network directly or indirectly. They have an address (identity), a location, attributes (e.g., version, patch level), and can be physical or virtual. Endpoint examples include servers, virtual machines, storage, or clients on the Internet.

Cisco ACI Term: Fabric
Industry Standard Term (Approximation): —
Description: The Cisco ACI fabric includes Cisco Nexus 9000 Series switches with the Cisco APIC controller to run in the leaf/spine Cisco ACI fabric mode. These switches form a “fat-tree” network by connecting each leaf node to each spine node; all other devices connect to the leaf nodes. The Cisco APIC manages the Cisco ACI fabric.

Cisco ACI Term: Filter
Industry Standard Term (Approximation): Approximation of Access Control List and approximation of Firewall
Description: Cisco ACI uses a whitelist model: all communication is blocked by default; communication must be given explicit permission. A Cisco ACI filter is a TCP/IP header field, such as a Layer 3 protocol type or Layer 4 ports, that is used to allow inbound or outbound communications between EPGs.

Cisco ACI Term: GOLF
Industry Standard Term (Approximation): —
Description: The Cisco ACI GOLF feature (also known as Layer 3 EVPN Services for Fabric WAN) enables much more efficient and scalable Cisco ACI fabric WAN connectivity. It uses the BGP EVPN protocol over OSPF for WAN routers that are connected to spine switches.

Cisco ACI Term: L2 Out
Industry Standard Term (Approximation): Bridged Connection
Description: A bridged connection connects two or more segments of the same network so that they can communicate. In Cisco ACI, an L2 Out is a bridged (Layer 2) connection between a Cisco ACI fabric and an outside Layer 2 network, which is usually a switch.


Cisco ACI Term: L3 Out
Industry Standard Term (Approximation): Routed Connection
Description: A routed Layer 3 connection uses a set of protocols that determine the path that data follows in order to travel across multiple networks from its source to its destination. Cisco ACI routed connections perform IP forwarding according to the protocol selected, such as BGP, OSPF, or EIGRP.

Cisco ACI Term: Label
Industry Standard Term (Approximation): —
Description: Label matching is used to determine which consumer and provider EPGs can communicate. Contract subjects of a given producer or consumer of that contract determine that consumers and providers can communicate. A label matching algorithm is used to determine this communication. For more details, refer to: ACI Fundamentals Guide

Cisco ACI Term: Managed Object (MO)
Industry Standard Term (Approximation): MO
Description: An abstract representation of network resources that are managed. In Cisco ACI, an abstraction of a Cisco ACI fabric resource.

Cisco ACI Term: Management Information Tree (MIT)
Industry Standard Term (Approximation): MIT
Description: A hierarchical management information tree containing all the managed objects (MOs) of a system. In Cisco ACI, the MIT contains all the MOs of the Cisco ACI fabric. The Cisco ACI MIT is also called the Management Information Model (MIM).

Cisco ACI Term: Microsegmentation with Cisco ACI
Industry Standard Term (Approximation): Microsegmentation, micro-segmentation
Description: Microsegmentation with the Cisco Application Centric Infrastructure (ACI) provides the ability to automatically assign endpoints to logical security zones called endpoint groups (EPGs) based on various network-based or virtual machine (VM)-based attributes.


Cisco ACI Term: Multipod
Industry Standard Term (Approximation): —
Description: Multipod enables provisioning a more fault-tolerant fabric comprised of multiple pods with isolated control plane protocols. Also, multipod provides more flexibility with regard to the full mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, multipod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches. Multipod uses MP-BGP EVPN as the control-plane communication protocol between the Cisco ACI spine switches in different pods. For more details, refer to the Multipod White Paper:


Cisco ACI Term: Networking Domains
Industry Standard Term (Approximation): —
Description: A fabric administrator creates domain policies that configure ports, protocols, VLAN pools, and encapsulation. These policies can be used exclusively by a single tenant, or they can be shared. Once a fabric administrator configures domains in the Cisco ACI fabric, tenant administrators can associate tenant endpoint groups (EPGs) to domains. A domain is configured to be associated with a VLAN pool. EPGs are then configured to use the VLANs associated with a domain. You can configure the following domain types:

• VMM domain profiles (vmmDomP) are required for virtual machine hypervisor integration.

• Physical domain profiles (physDomP) are typically used for bare metal server attachment and management access.

• Bridged outside network domain profiles (l2extDomP) are typically used to connect a bridged external network trunk switch to a leaf switch in the Cisco ACI fabric.

• Routed outside network domain profiles (l3extDomP) are used to connect a router to a leaf switch in the Cisco ACI fabric.

• Fibre Channel domain profiles (fcDomP) are used to connect Fibre Channel VLANs and VSANs.

Cisco ACI Term: Policy
Industry Standard Term (Approximation): —
Description: Named entity that contains generic specifications for controlling some aspect of system behavior. For example, a Layer 3 Outside Network Policy would contain the BGP protocol to enable BGP routing functions when connecting the fabric to an outside Layer 3 network.

Cisco ACI Term: Profile
Industry Standard Term (Approximation): —
Description: Named entity that contains the necessary configuration details for implementing one or more instances of a policy. For example, a switch node profile for a routing policy would contain all the switch-specific configuration details required to implement the BGP routing protocol.


Cisco ACI Term: Provider
Industry Standard Term (Approximation): —
Description: An EPG that provides a service.

Cisco ACI Term: Quota Management
Industry Standard Term (Approximation): Quota Management
Description: The Quota management feature enables an admin to limit what managed objects can be added under a given tenant or globally across tenants. Using Quota Management, you can limit any tenant or group of tenants from exceeding Cisco ACI maximums per leaf switch or per fabric or unfairly consuming most available resources, potentially affecting other tenants on the same fabric.

For example, a user has configured a bridge domain quota of maximum 6 across the entire ACI policy model with a fault action. The code would be:

apic1(config)# quota fvBD max 6 scope uni exceed-action fault

Cisco ACI Term: REST API
Industry Standard Term (Approximation): REST API
Description: The Cisco Application Policy Infrastructure Controller (APIC) REST API is a programmatic interface that uses REST architecture. The API accepts and returns HTTP (not enabled by default) or HTTPS messages that contain JavaScript Object Notation (JSON) or Extensible Markup Language (XML) documents. The REST API is the interface into the management information tree (MIT) and allows manipulation of the object model state. The same REST interface is used by the Cisco APIC CLI, GUI, and SDK, so that whenever information is displayed, it is read through the REST API, and when configuration changes are made, they are written through the REST API. The REST API also provides an interface through which other information can be retrieved, including statistics, faults, and audit events. It even provides a means of subscribing to push-based event notification, so that when a change occurs in the MIT, an event can be sent through a web socket.

Cisco ACI Term: Schema
Industry Standard Term (Approximation): —
Description: In a Cisco ACI Multi-Site configuration, the Schema is a container for single or multiple templates that are used for defining policies.


Cisco ACI Term: Site
Industry Standard Term (Approximation): Site
Description: The Cisco APIC cluster domain or single fabric, treated as a Cisco ACI region and availability zone. It can be located in the same metro-area as other sites, or spaced world-wide.

Cisco ACI Term: Stretched ACI
Industry Standard Term (Approximation): —
Description: Stretched Cisco ACI fabric is a partially meshed design that connects Cisco ACI leaf and spine switches distributed in multiple locations. The stretched fabric is a single Cisco ACI fabric. The sites are one administration domain and one availability zone. Administrators are able to manage the sites as one entity; configuration changes made on any Cisco APIC controller node are applied to devices across the sites. The stretched Cisco ACI fabric preserves live VM migration capability across the sites. Objects (tenants, VRFs, EPGs, bridge-domains, subnets, or contracts) can be stretched when they are deployed to multiple sites.

Cisco ACI Term: Subject
Industry Standard Term (Approximation): Approximation of Access Control List
Description: In Cisco ACI, subjects in a contract specify what information can be communicated and how.

Cisco ACI Term: Tags
Industry Standard Term (Approximation): —
Description: Object tags simplify API operations. In an API operation, an object or group of objects is referenced by the tag name instead of by the distinguished name (DN). Tags are child objects of the item they tag; besides the name, they have no other properties.

For more details, refer to "Using Tags and Alias" section under "Using the REST API".

Cisco ACI Term: Template
Industry Standard Term (Approximation): Template
Description: In a Cisco ACI Multi-Site configuration, templates are a framework to hold policies and configuration objects that are pushed to the different sites. These templates reside within schemas that are defined for each site.


Cisco ACI Term: Tenant
Industry Standard Term (Approximation): Tenant
Description: A secure and exclusive virtual computing environment. In Cisco ACI, a tenant is a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies. Cisco ACI tenants can contain multiple private networks (VRF instances).

Cisco ACI Term: vzAny
Industry Standard Term (Approximation): —
Description: The vzAny managed object provides a convenient way of associating all endpoint groups (EPGs) in a Virtual Routing and Forwarding (VRF) instance to one or more contracts, instead of creating a separate contract relation for each EPG. For more details, refer to the "Contracts and Policy Enforcement" section of ACI Best Practices.
