ACI Security Deployment & Policy Enforcement Master Guide

Cisco ACI security deployment and policy enforcement provide a streamlined approach to protecting modern data centers. This article explores policy identification, the directional flow of enforcement, and the design options available within the Cisco ACI fabric to optimize network security and control.

Summary

  • By default, Cisco ACI uses a whitelist security model where traffic within the EPG is allowed and traffic between EPGs is not allowed without a contract.
  • ACI contracts are applied to unicast traffic only. However, BUM traffic (the Broadcast, Unknown unicast, and Multicast traffic) is implicitly permitted by default.
  • ACI policy is created based on contracts between EPGs supporting L2-4 filters (like ACLs in NX-OS).
  • Each EPG is assigned a unique pcTag value used in policy deployment (pcTag = Source Group/sClass), and the ACI policy is enforced between the source and the destination EPGs.
  • The ACI policy can be enforced at the ingress or egress leaf switches.
  • By default, an EPG and its associated contracts are programmed on a leaf switch only if endpoints belonging to that EPG are locally attached to that leaf. This behavior can be changed with the Deployment Immediacy setting under the static path binding.
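As an added illustration (not code from the original article or from Cisco), the following Python models the whitelist semantics summarized above: pcTag-based zoning rules, permitted intra-EPG traffic, implicitly permitted BUM traffic, and default deny between EPGs; the EPG names, pcTag values, and the `contract_rules` helper are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FilterEntry:
    """One L4 filter entry, like an ACL line: protocol plus a port range."""
    proto: str                 # "tcp", "udp", "icmp" or "any"
    port_lo: int = 0
    port_hi: int = 65535

@dataclass(frozen=True)
class ZoningRule:
    """One zoning-rule line on a leaf: sClass -> dClass with a filter.
    reverse=True models the return-direction rule that is programmed when a
    contract subject applies both directions with reverse filter ports."""
    sclass: int
    dclass: int
    entries: tuple
    reverse: bool = False

@dataclass(frozen=True)
class Flow:
    sclass: int                # pcTag of the source EPG
    dclass: int                # pcTag of the destination EPG
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    bum: bool = False          # broadcast / unknown unicast / multicast

def contract_rules(consumer, provider, entries):
    """Rules a single-subject contract programs: consumer->provider matched on
    destination port, plus the reverse rule provider->consumer matched on source port."""
    return [ZoningRule(consumer, provider, tuple(entries)),
            ZoningRule(provider, consumer, tuple(entries), reverse=True)]

def is_permitted(flow, rules):
    if flow.bum:                       # contracts apply to unicast only
        return True
    if flow.sclass == flow.dclass:     # traffic within an EPG is allowed
        return True
    for r in rules:
        if (r.sclass, r.dclass) != (flow.sclass, flow.dclass):
            continue
        port = flow.sport if r.reverse else flow.dport
        for e in r.entries:
            if e.proto in ("any", flow.proto) and e.port_lo <= port <= e.port_hi:
                return True
    return False                       # implicit deny between EPGs

# Constructed example: Web EPG (pcTag 16386) consumes HTTPS provided by App EPG (pcTag 16387)
WEB, APP = 16386, 16387
RULES = contract_rules(WEB, APP, [FilterEntry("tcp", 443, 443)])
```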

Need Comprehensive ACI Content?

I hope this article was helpful. If you want comprehensive content about Cisco ACI, check out my Cisco Data Centers | ACI Core course on Udemy.
