
22. ACI Application Profiles (APs) & Endpoint Groups (EPGs)

APRIL 1, 2021
Application Profiles (APs)
Application Profiles (APs) are containers for grouping Endpoint Groups (EPGs). An AP can hold more than one EPG; for example, an AP could group a web server with the backend database, with storage, and so on. Each EPG is associated with a bridge domain, and the EPGs within one AP may be spread across different bridge domains.

An application profile defines the policies, services, and relationships between endpoint groups (EPGs). Application profiles contain one or more EPGs. Modern applications contain multiple components. For example, an e-commerce application could require a web server, a database server, data located in a storage area network, and access to outside resources that enable financial transactions. The application profile contains as many (or as few) EPGs as are necessary and logically related to providing the capabilities of an application.
Creating an Application Profile
1. Under the Tenant, click on Application Profile.
2. Give a name (Demo-Application-Profile) and click Submit.
3. The application profile is created. Now create an EPG.

EPG: Endpoint Groups
An EPG is a group of objects that require similar policies. EPGs are logical entities containing a collection of endpoints with common policy requirements, for example security or L4-L7 services. The EPG is the unit at which ACI enforces policy: endpoints in the same EPG can communicate with each other by default, while traffic between two EPGs is dropped unless a contract between them permits it. Traffic from endpoints is grouped into EPGs based on various configurations, and these endpoints are classified into three types:
Physical Endpoints
Virtual Endpoints
External Endpoints

The following traffic classification options are used for traffic arriving at the leaf:
Based on VLAN encapsulation
Based on port and VLAN
Based on network and mask or IP address, for traffic originating outside the fabric; this traffic is treated as L3 external traffic
Based on source IP address or subnet
Based on source MAC address
EPG mapping options:
Map an EPG statically to a port and VLAN
Map an EPG statically to a VLAN switch-wide on a leaf
Map an EPG to a VMM domain

If you configure EPG mapping to a VLAN switch-wide (using a static leaf binding), Cisco ACI configures all leaf ports as Layer 2 ports. If you then need to configure an L3Out connection on this same leaf, those ports cannot be configured as Layer 3 ports. This means that if a leaf is both a computing leaf and a border leaf, you should use EPG mapping to a port and VLAN, not switch-wide to a VLAN.

EPG-to-VLAN Mapping
In general, VLANs in Cisco ACI have local significance on a leaf switch. If per-port VLAN significance is required, you must configure a physical domain that is associated with a Layer 2 interface policy that sets the VLAN scope to port local.
The rules of EPG-to-VLAN mapping with the VLAN scope set to global (the default) are as follows:
You can map an EPG to a VLAN that is not yet mapped to another EPG on that leaf.
Regardless of whether two EPGs belong to the same or different bridge domains, on a single leaf you cannot reuse the same VLAN used on a port for two different EPGs.
The same VLAN number can be used by one EPG on one leaf and by another EPG on a different leaf. If the two EPGs are in the same bridge domain, they share the same flood domain VLAN for BPDUs and they share the broadcast domain.
The rules of EPG-to-VLAN mapping with the VLAN scope set to port local are as follows:
You can map two EPGs of different bridge domains to the same VLAN on different ports of the same leaf if the two ports are configured for different physical domains.
You cannot map two EPGs of the same bridge domain to the same VLAN on different ports of the same leaf.
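The rules above are easy to misapply when a leaf already carries dozens of static bindings. The following checker, added here as an example and not part of the original post or of Cisco's tooling, encodes the global and port-local rules and tells you whether a proposed EPG-to-VLAN binding is legal given the bindings already on that leaf. All leaf, port, EPG, bridge-domain and physical-domain names in it are constructed; the scope values "global" and "portlocal" are the ones the APIC Layer 2 interface policy uses.

```python
"""Checker for the EPG-to-VLAN reuse rules stated above (added example, not from the page)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    """One static EPG-to-VLAN mapping on a leaf port (all names are constructed examples)."""
    leaf: str         # e.g. "leaf-101"
    port: str         # e.g. "eth1/1"
    vlan: int         # encap VLAN id carried on that port
    epg: str          # EPG the VLAN is mapped to
    bd: str           # bridge domain the EPG belongs to
    phys_domain: str  # physical domain of the port (via its AEP)


def check_binding(new: Binding, existing: Iterable[Binding],
                  vlan_scope: str = "global") -> Optional[str]:
    """Return None if `new` may be added, else a message naming the rule it breaks.

    vlan_scope is the L2 interface policy setting for the leaf: "global" (the
    default) or "portlocal" (the APIC value for per-port VLAN significance).
    """
    if vlan_scope not in ("global", "portlocal"):
        raise ValueError(f"unknown VLAN scope {vlan_scope!r}")

    for cur in existing:
        # Different leaf, different VLAN, or the same EPG re-using its own VLAN
        # on another port: allowed under both scopes.
        if cur.leaf != new.leaf or cur.vlan != new.vlan or cur.epg == new.epg:
            continue
        # From here on: same leaf, same VLAN, a different EPG.
        if cur.port == new.port:
            return f"{new.leaf} {new.port}: VLAN {new.vlan} already maps to EPG {cur.epg}"
        if vlan_scope == "global":
            return (f"{new.leaf}: VLAN {new.vlan} already used by EPG {cur.epg} "
                    f"(BD {cur.bd}); global scope forbids reuse on the same leaf")
        # Port-local scope: reuse needs different BDs *and* different physical domains.
        if cur.bd == new.bd:
            return (f"{new.leaf}: EPGs {cur.epg} and {new.epg} share BD {new.bd}; "
                    f"VLAN {new.vlan} cannot be reused even with port-local scope")
        if cur.phys_domain == new.phys_domain:
            return (f"{new.leaf}: ports {cur.port} and {new.port} are in the same "
                    f"physical domain {new.phys_domain}; port-local reuse needs different domains")
    return None


if __name__ == "__main__":
    # Constructed sample: one existing mapping, several candidate additions.
    existing = [Binding("leaf-101", "eth1/1", 100, "Web", "BD-Frontend", "PhysDom-A")]
    candidates = [
        Binding("leaf-101", "eth1/2", 100, "Web", "BD-Frontend", "PhysDom-A"),  # same EPG: ok
        Binding("leaf-102", "eth1/1", 100, "Db", "BD-Backend", "PhysDom-A"),    # other leaf: ok
        Binding("leaf-101", "eth1/2", 100, "Db", "BD-Backend", "PhysDom-B"),    # ok only port-local
        Binding("leaf-101", "eth1/2", 100, "App", "BD-Frontend", "PhysDom-B"),  # same BD: never
    ]
    for scope in ("global", "portlocal"):
        for cand in candidates:
            verdict = check_binding(cand, existing, scope)
            print(f"[{scope}] {cand.epg} vlan {cand.vlan} on {cand.leaf} {cand.port}: "
                  f"{verdict or 'allowed'}")
```

Run it before pushing a static binding: a rejected candidate is exactly the case where APIC would raise a fault (or, worse, silently place two EPGs' endpoints in one encapsulation on a shared physical domain).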

Creating an EPG (Endpoint Group)
1. Click on the created Application Profile's dropdown navigator.
2. Right-click on Application EPGs.
3. Click on Create Application EPG.
4. Under Identity, enter the name of the EPG and select the bridge domain (BD), then click Finish.

Policy pushed to leaf nodes based on Resolution Immediacy
Pre-Provision – Policies are pushed to every leaf node that has a port associated with the VMM domain, before any hypervisor attaches. This is the safe choice when the hypervisor's own management or VTEP interface lives on that VDS, because the leaf policy must exist before any VM-driven event could trigger it.
Immediate – Policies are pushed to a leaf node upon hypervisor pNIC attachment to the VDS.
On Demand – Policies are pushed to a leaf node only upon hypervisor attachment to the VDS and VM assignment to the port group.

Policy programming in leaf node hardware based on Instrumentation Immediacy (labelled Deployment Immediacy in the APIC GUI)
Immediate – Policies are programmed in the policy CAM as soon as they are received.
On Demand – Policies are programmed in the policy CAM only when the first packet is received through the data path.
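The GUI steps above (create the AP, create the EPG, attach its BD) and the two immediacy settings map onto a handful of objects in the APIC object model: fvAp, fvAEPg, fvRsBd, fvRsDomAtt for the VMM domain (with resImedcy and instrImedcy, where On Demand is encoded as "lazy"), and fvRsPathAtt for a static port-and-VLAN binding. The script below is an added example, not from the original post, that builds that tree as a JSON payload and, when an APIC URL is supplied, logs in and POSTs it. The AP name is the page's; the tenant "Demo-Tenant", BD "Demo-BD", VMM domain "Demo-VMM", leaf 101, port eth1/1 and VLAN 100 are assumed.

```python
"""Build the AP/EPG objects from the steps above as an APIC REST payload and push them.

Added example (not from the page). Assumed names: tenant "Demo-Tenant", BD "Demo-BD",
VMM domain "Demo-VMM", leaf 101 / eth1/1 / VLAN 100. The AP name is the one the page uses.
"""
import http.cookiejar
import json
import os
import ssl
import urllib.request
from typing import Any, Dict, Iterable, List, Optional, Tuple

TENANT = "Demo-Tenant"                 # assumed
AP_NAME = "Demo-Application-Profile"   # from the page

# GUI wording -> APIC attribute values. On Demand is encoded as "lazy" in the object model.
RESOLUTION = {"pre-provision": "pre-provision", "immediate": "immediate", "on-demand": "lazy"}
INSTRUMENTATION = {"immediate": "immediate", "on-demand": "lazy"}


def build_epg(name: str, bd: str, vmm_domain: Optional[str] = None,
              resolution: str = "on-demand", instrumentation: str = "on-demand",
              static_paths: Iterable[Tuple[int, str, int]] = ()) -> Dict[str, Any]:
    """fvAEPg with its BD relation, optional VMM domain attachment and static port bindings."""
    if resolution not in RESOLUTION or instrumentation not in INSTRUMENTATION:
        raise ValueError("immediacy must be one of "
                         f"{sorted(RESOLUTION)} / {sorted(INSTRUMENTATION)}")
    children: List[Dict[str, Any]] = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    if vmm_domain:
        children.append({"fvRsDomAtt": {"attributes": {
            "tDn": f"uni/vmmp-VMware/dom-{vmm_domain}",
            "resImedcy": RESOLUTION[resolution],
            "instrImedcy": INSTRUMENTATION[instrumentation]}}})
    for leaf, port, vlan in static_paths:
        # Static port+VLAN binding (the page's recommendation for a leaf that is also a border leaf).
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{leaf}/pathep-[{port}]",
            "encap": f"vlan-{vlan}",
            "mode": "regular",           # 802.1Q tagged; "untagged" and "native" also exist
            "instrImedcy": INSTRUMENTATION[instrumentation]}}})
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant_payload(tenant: str, ap_name: str,
                         epgs: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """fvTenant > fvAp > fvAEPg tree, suitable for POST to /api/mo/uni/tn-<tenant>.json."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvAp": {"attributes": {"name": ap_name}, "children": list(epgs)}}]}}


def push(apic_url: str, user: str, password: str, payload: Dict[str, Any],
         verify_tls: bool = True) -> Dict[str, Any]:
    """Log in (aaaLogin) and POST the payload; the APIC-cookie is carried by the cookie jar."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # lab only: never disable certificate checks against a production APIC
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))

    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(apic_url.rstrip("/") + path,
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"},
                                     method="POST")
        with opener.open(req, timeout=15) as resp:
            return json.loads(resp.read())

    post("/api/aaaLogin.json", {"aaaUser": {"attributes": {"name": user, "pwd": password}}})
    tenant = payload["fvTenant"]["attributes"]["name"]
    return post(f"/api/mo/uni/tn-{tenant}.json", payload)


if __name__ == "__main__":
    payload = build_tenant_payload(TENANT, AP_NAME, [
        build_epg("Web", "Demo-BD", vmm_domain="Demo-VMM",
                  resolution="pre-provision", instrumentation="immediate",
                  static_paths=[(101, "eth1/1", 100)]),
        build_epg("Db", "Demo-BD", vmm_domain="Demo-VMM"),   # defaults: on-demand / on-demand
    ])
    print(json.dumps(payload, indent=2))
    # Only talk to a fabric when told to; credentials come from the environment, not the source.
    if os.environ.get("APIC_URL"):
        print(push(os.environ["APIC_URL"], os.environ["APIC_USER"],
                   os.environ["APIC_PASS"], payload))
```

Without APIC_URL set the script only prints the payload, which is the useful part for review: the resImedcy/instrImedcy values are visible in one place, and a "lazy" that should have been "pre-provision" for a management-VMkernel EPG is caught before it reaches the fabric. Keep verify_tls at its default against anything but a lab APIC.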
