Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

APIC Policy Deployment and Resolution Immediacy For AVS VMM Domain

[toc:faq]

Cisco Application Virtual Switch

Application Virtual Switch is the purpose-built, hypervisor-resident virtual switches designed for the ACI fabric. AVS is integrated into the ACI architecture and supports Application Network Profile (ANP) enforcement at the virtual host layer consistent with the Nexus 9000 series physical switches. AVS is managed centrally along with rest of the ACI fabric components through the Application Policy Infrastructure Controller (APIC).

 

Virtual Machine Manager Domains

The APIC is a single pane of glass that automates the entire networking for all virtual and physical workloads including access policies and Layer 4 to Layer 7 services. In the case of the Cisco Application Virtual Switch (AVS) on ESXi, all the networking functionalities and port groups (EPGs) creation on vCenter are performed using the APIC.

 

Virtual Machine Manager Domain groups vCenter Servers with similar networking policies requirement. Multiple vCenters can share VLAN or VXLAN space and application endpoint groups (EPGs). For Cisco AVS the APIC communicates with vCenter using OpFlex protocol to publish network configurations such as port groups that are then applied to the virtual workloads.

 

Provisioning of EPGs in VMM Domain

  • The APIC pushes EPGs as port groups in vCenter. The vCenter administrator then places vNICs into these port groups.
  • An EPG can span multiple VMM domains, and a VMM domain can contain multiple EPGs.

 

Policy Enforcement Options For VMM Domain

When you associate EPG to VMM domain, there are different ways to enforce and push the policy in the physical and virtual fabric. These options to enforce policy are shown in the following picture.

 

 

It is important to understand what those options are and how are they going to impact during deployment. Following table lists these options, their description and recommendation for Cisco AVS.

 

PropertyDescription
Deploy Immediacy

This property is to deploy policy from APIC controller to physical leaf switch.

It specify whether policies are applied immediately or when needed. The recommended deployment option for Cisco AVS is On Demand. The default is also  On Demand.

Resolution Immediacy

This property is to deploy policy from physical leaf switch to virtual leaf (AVS is a virtual leaf)

It specify whether policies are resolved immediately or when needed. The recommended value for Cisco AVS is On Demand. The default is also On Demand.

 

Deployment Immediacy

Once the policies are downloaded to the physical leaf software, deployment immediacy can specify when the policy is pushed into the hardware policy CAM.

  • Immediate — Specifies that the policy is programmed in the hardware policy CAM as soon as the policy is downloaded in the leaf software.

 

 

 

  • On Demand — Specifies that the policy is programmed in the hardware policy CAM only when the first packet is received through the data path. This process helps to optimize the hardware space.

 

 

 

Resolution Immediacy

  • Immediate — Specifies that EPG policies (for example VLAN, VXMLN bindings, contracts or filters) are downloaded to the associated virtual leaf switch (AVS) software upon hypervisor attachment to Cisco AVS.

 

 

  • On Demand — Specifies that EPG policies (for example VLAN, VXLAN bindings, contracts or filters) is pushed to the virtual leaf node (Cisco AVS) only when a physical NIC (pNIC) attaches to the hypervisor and a VM is placed in the port group (EPG).

 

 

 

 

This policy enforcement is also summarized in the following diagram:

 

 

 

GUI Reference

Following diagram is just for the reference. It shows a sample tenant (te1), its application profile (ap1), an EPG (epg1) and VMM domain association to the EPG.

 

 

785
Views
0
Helpful
0
Comments