Cisco ACI usually uses a different terminology than OpenStack Group Based Policy (GBP) model. Please se below the terminology description.

Network Services and Terminology

  • OpenStack Group is equivalent of Cisco ACI End Point Group (EPG).
  • OpenStack Policy Classifier is an abstraction of protocol definition in networking.
  • OpenStack Policy Rule is a group of Policy classifiers
  • OpenStack Policy Rule Set is equivalent of Cisco ACI Contract and contains multiple Policy Rules
  • OpenStack Network Policy is Cisco ACI Bridge Domain

CICSO ACI terminology

Layer 2 and 3 Policy Management

A Layer 2 policy is an independent switching domain that may or may not enable broadcast semantics. In Cisco ACI, it maps to a bridge domain.

A Layer 3 policy represents an independent address space and a collection of Layer 2 policies. In Cisco ACI, it maps to a private network (or Virtual Routing and Forwarding [VRF] instance).

GBP offers several options for managing Layer 2 and 3 policies:

  • By default, GBP creates and manages Layer 2 and 3 policies automatically. As each policy group is created, a corresponding Layer 2 policy is matched to it and placed in a default Layer 3 policy.
  • A user can create Layer 2 and 3 policies through GBP and use them for policy groups.
  • An administrator can register preconfigured APIC bridge domains and contexts as Layer 2 and 3 policies to be used for different policy groups.

OpenStack GBP UI

The GBP UI contains four sections:

  • Groups contains group management operations together with creating group's members.
  • Application Policy contains definition of Contracts and related policies.
  • Network and Services Policy is for management of NAT, External Connectivity and L3 policies.
  • Network Services contains Service chaining definitions for Layer 4 through 7 automation for physical devices and virtual devices not created through OpenStack.

OpenStack Group Based Policy UI

Network Topology is showing Defined Groups.

Network Topology View

Please note that links between the Groups do not reflect Contracts.

OpenStack Network Topology

OpenStack GBP Cisco ACI Integration

OpenVSwitch (OVS) is packing VM interface into so called uplink VXLAN and sets up the correct ID which is later handled by LEAF.

jak funguje spolupráce opflex, ovs, apic, neutron - co s čím komunikuje - Neutron configures OVS - Neutron communicates with APIC - APIC communicates with opflex-agent through opflex protocol - opflex-agent and python-opflex-agent (OpenStack part) communicates with Neutron

OpenStack GBP vs OpenStack NoGBP

We have two operational modes with CISCO ACI

  • OpenStack Neutron with GBP extension
  • OpenStack Neutron with Neutron API mapped to CISCO ACI
Instance cannot have interface on public network Instance can have an interface on public network
Security Groups do not work Security Groups work
There is no virtual router
IP is allocated for GW, but GW uses IP from SNAT
The network path is changed during live migration

OpenStack GBP with VMWare

Currently we have no implementation that would handle a similar concept with VMWare.

Last modified: Nov. 7, 2017