Cisco ACI uses different terminology from the OpenStack Group Based Policy (GBP) model. The mapping between the two is described below.
Network Services and Terminology
- OpenStack Group is the equivalent of a Cisco ACI End Point Group (EPG).
- OpenStack Policy Classifier is an abstraction of a protocol definition in networking.
- OpenStack Policy Rule is a group of Policy Classifiers.
- OpenStack Policy Rule Set is the equivalent of a Cisco ACI Contract and contains multiple Policy Rules.
- OpenStack Network Policy is the equivalent of a Cisco ACI Bridge Domain.
Layer 2 and 3 Policy Management
A Layer 2 policy is an independent switching domain that may or may not enable broadcast semantics. In Cisco ACI, it maps to a bridge domain.
A Layer 3 policy represents an independent address space and a collection of Layer 2 policies. In Cisco ACI, it maps to a private network (or Virtual Routing and Forwarding [VRF] instance).
GBP offers several options for managing Layer 2 and 3 policies:
- By default, GBP creates and manages Layer 2 and 3 policies automatically. As each policy group is created, a corresponding Layer 2 policy is matched to it and placed in a default Layer 3 policy.
- A user can create Layer 2 and 3 policies through GBP and use them for policy groups.
- An administrator can register preconfigured APIC bridge domains and contexts as Layer 2 and 3 policies to be used for different policy groups.
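The following script is an added example, not part of the original page or of the GBP project, showing how the objects described above are created with the gbp command-line client in the order the hierarchy requires (Layer 3 policy, Layer 2 policy, classifier, action, rule, rule set, groups, member), with each step annotated with its Cisco ACI counterpart. The object names (web-*, app-*), the 10.10.0.0/16 pool and the DRY_RUN/run helper are placeholders chosen here; the flag spellings are assumed from the gbp client and should be checked against `gbp help <command>` on the installed version.

```shell
#!/bin/sh
# Added example: create one GBP policy hierarchy with the gbp CLI.
# Assumes the gbp client is installed and the OS_* credentials are set.
# All names and the IP pool below are placeholders, not values from the page.
GBP="${GBP:-gbp}"

# When DRY_RUN is set, print the command instead of running it so the
# plan can be reviewed before anything is pushed to the APIC.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_web_policy() {
    # Layer 3 policy == ACI private network (VRF); Layer 2 policy == bridge domain.
    run "$GBP" l3policy-create --ip-pool 10.10.0.0/16 --subnet-prefix-length 24 web-l3
    run "$GBP" l2policy-create --l3-policy web-l3 web-l2

    # Policy classifier == protocol/port/direction definition; action == allow.
    run "$GBP" policy-classifier-create --protocol tcp --port-range 80 --direction in web-80-in
    run "$GBP" policy-action-create --action-type allow allow-action

    # Policy rule binds classifier to action; policy rule set == ACI contract.
    run "$GBP" policy-rule-create --classifier web-80-in --actions allow-action web-80-rule
    run "$GBP" policy-rule-set-create --policy-rules web-80-rule web-contract

    # Groups == ACI EPGs: the provider exposes the contract, the consumer uses it.
    run "$GBP" group-create --l2-policy web-l2 --provided-policy-rule-sets "web-contract=true" web-group
    run "$GBP" group-create --l2-policy web-l2 --consumed-policy-rule-sets "web-contract=true" app-group

    # Policy target == a group member; its port is what the instance boots with.
    run "$GBP" policy-target-create --policy-target-group web-group web-member-1
}

case "${1:-}" in
    plan)  DRY_RUN=1; create_web_policy ;;
    apply) create_web_policy ;;
esac
```

Run with `plan` to print the nine commands in order, or `apply` to execute them against the configured OpenStack endpoint.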
OpenStack GBP UI
The GBP UI contains four sections:
- Groups contains group management operations, including creating a group's members.
- Application Policy contains the definitions of Contracts and related policies.
- Network and Services Policy is for managing NAT, External Connectivity and Layer 3 policies.
- Network Services contains Service Chaining definitions for Layer 4 through 7 automation of physical devices and of virtual devices not created through OpenStack.
Network Topology shows the defined Groups.
Network Topology View
Please note that links between the Groups do not reflect Contracts.
OpenStack GBP Cisco ACI Integration
Open vSwitch (OVS) encapsulates the VM interface traffic into the so-called uplink VXLAN and sets the correct VXLAN ID, which is later handled by the leaf switch.
How OpFlex, OVS, APIC and Neutron work together (what communicates with what):
- Neutron configures OVS.
- Neutron communicates with the APIC.
- The APIC communicates with opflex-agent through the OpFlex protocol.
- opflex-agent and python-opflex-agent (the OpenStack part) communicate with Neutron.
OpenStack GBP vs OpenStack NoGBP
We have two operational modes with Cisco ACI:
- OpenStack Neutron with the GBP extension
- OpenStack Neutron with the Neutron API mapped to Cisco ACI
| OpenStack Neutron with GBP extension | OpenStack Neutron with Neutron API mapped to Cisco ACI |
|---|---|
| Instance cannot have an interface on the public network | Instance can have an interface on the public network |
| Security Groups do not work | Security Groups work |
| There is no virtual router | An IP is allocated for the GW, but the GW uses an IP from SNAT |
| | The network path is changed during live migration |
OpenStack GBP with VMware
Currently we have no implementation that would handle a similar concept with VMware.
Last modified: Nov. 7, 2017