The management profile includes the out-of-band EPG MO that provides access to management functions via the out-of-band contract (vzOOBBrCP). The vzOOBBrCP enables the external management instance profile (mgmtExtInstP) EPG to consume the out-of-band EPG. This exposes the fabric node supervisor ports to locally or remotely connected devices, according to the preference of the service provider. While the bandwidth of the supervisor ports is lower than that of the in-band ports, the supervisor ports provide direct access to the fabric nodes when access through the in-band ports is unavailable. Authentication, access, and audit logging apply to these connections; any user attempting to access management functions through the out-of-band EPG must have the appropriate access privileges. When an administrator configures an external management instance profile, the profile specifies a subnet range for devices that are allowed out-of-band access. Any device not in this range will not have out-of-band access.
Figure 4-32 shows how out-of-band management access can be consolidated through a dedicated switch.
For security reasons, some service providers restrict out-of-band connectivity to local connections. Others can choose to enable routed or bridged connections from external networks. Also, a service provider can choose to configure a set of policies that include both in-band and out-of-band management access for local devices only, or both local and remote devices.
Figure 4-32 Out-of-Band Access Scenario
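The two gates described above (the mgmtExtInstP subnet range, then authentication and privilege checks on the out-of-band EPG) can be modelled as a small policy evaluator. The following is an added example written for this page, not code from the ACI documentation or from APIC; the subnet list, usernames, privilege names and the order of evaluation are assumptions constructed for illustration, and the output format of the audit records is likewise invented here.

```python
import ipaddress

# Constructed allowlist standing in for the subnets configured on the external
# management instance profile (RFC 5737/3849 documentation ranges, hypothetical).
OOB_ALLOWED_SUBNETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/64"),
]

# Constructed privilege table (hypothetical): username -> privileges held.
USER_PRIVILEGES = {
    "netops": {"mgmt-admin", "mgmt-read"},
    "readonly": {"mgmt-read"},
}


def in_allowed_subnet(source: str) -> bool:
    """True if the source address (IPv4 or IPv6) lies inside any configured OOB subnet."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in OOB_ALLOWED_SUBNETS)


def evaluate_oob_request(source: str, user: str, authenticated: bool,
                         needed_privilege: str) -> tuple:
    """Return (permit, reason) for one out-of-band management request.

    The subnet filter is evaluated first, so a device outside the configured
    range is rejected before any credential is considered; an in-range device
    must still authenticate and hold the privilege the function requires.
    """
    if not in_allowed_subnet(source):
        return False, "source not in external management instance profile subnets"
    if not authenticated:
        return False, "authentication failed"
    if needed_privilege not in USER_PRIVILEGES.get(user, set()):
        return False, f"user lacks privilege {needed_privilege}"
    return True, "permitted"


def audit_record(source: str, user: str, authenticated: bool, needed_privilege: str) -> str:
    """Produce a single audit-log line for the request (format constructed for this example)."""
    permit, reason = evaluate_oob_request(source, user, authenticated, needed_privilege)
    verdict = "PERMIT" if permit else "DENY"
    return f'oob-mgmt src={source} user={user} priv={needed_privilege} result={verdict} reason="{reason}"'


if __name__ == "__main__":
    # Constructed sample requests: in range + privileged, out of range, and under-privileged.
    for req in (("198.51.100.7", "netops", True, "mgmt-admin"),
                ("203.0.113.9", "netops", True, "mgmt-admin"),
                ("2001:db8:100::5", "readonly", True, "mgmt-admin")):
        print(audit_record(*req))
```

Because the subnet check runs before authentication, a denied record with the "not in ... subnets" reason tells an operator the source is outside the configured range rather than a credential problem, which is the distinction a reviewer of these logs usually needs first.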
ACI VXLAN
All traffic in the ACI fabric is normalized as VXLAN packets. At ingress, ACI encapsulates external VLAN, VXLAN, and Network Virtualization using Generic Routing Encapsulation (NVGRE) packets in a VXLAN packet. Figure 4-33 shows ACI encapsulation normalization.
Figure 4-33 ACI Encapsulation Normalization
The ACI can consistently enforce policy in a fully distributed manner; every packet in the fabric carries ACI policy attributes. The ACI decouples application policy EPG identity from forwarding. Figure 4-34 shows how the ACI VXLAN header identifies application policy within the fabric.
Figure 4-34 ACI VXLAN Packet Format
VXLAN enables the ACI to deploy Layer 2 virtual networks at scale across the fabric underlay Layer 3 infrastructure. Application endpoint hosts can be flexibly placed in the data center network without concern for the Layer 3 boundary of the underlay infrastructure, while maintaining Layer 2 adjacency in a VXLAN overlay network.
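The encapsulation normalization of Figure 4-33 (802.1Q VLAN, VXLAN and NVGRE at ingress, all carried as VXLAN inside the fabric) can be illustrated with a small parser/encapsulator. The following is an added example for this page, not Cisco's or the ACI fabric's code: it uses only the public header layouts from RFC 7348 (VXLAN) and RFC 7637 (NVGRE), the segment-to-VNI mapping table and the inner frame are constructed here with hypothetical values, and the ACI-specific policy attributes that Figure 4-34 places in the VXLAN header are not modelled because this page does not give their layout.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
GRE_KEY_FLAG = 0x2000       # K bit in the GRE flags/version field
GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging, used by NVGRE (RFC 7637)
VXLAN_I_FLAG = 0x08         # "VNI present" flag in the VXLAN header (RFC 7348)

# Constructed mapping table (hypothetical values): external segment -> fabric VNI.
SEGMENT_TO_VNI = {
    ("vlan", 100): 0x00A001,
    ("vxlan", 5000): 0x00A002,
    ("nvgre", 7000): 0x00A003,
}

# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("006677889900")
               + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed-payload")


def tag_8021q(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag (TPID 0x8100, TCI with PCP/DEI = 0) after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) + frame[12:]


def parse_8021q(frame: bytes):
    """Return (vlan_id, untagged_frame) for an 802.1Q-tagged frame."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        raise ValueError("not an 802.1Q-tagged frame")
    vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vlan_id, frame[:12] + frame[16:]


def encapsulate_vxlan(vni: int, inner: bytes) -> bytes:
    """Prepend an 8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + (vni & 0xFFFFFF).to_bytes(3, "big") + b"\x00" + inner


def parse_vxlan(payload: bytes):
    """Return (vni, inner_frame); reject headers without the I flag set."""
    if len(payload) < 8 or not payload[0] & VXLAN_I_FLAG:
        raise ValueError("not a VXLAN header")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def encapsulate_nvgre(vsid: int, inner: bytes, flow_id: int = 0) -> bytes:
    """Prepend an NVGRE header: GRE with K set, proto 0x6558, key = VSID(24 bits) | FlowID(8 bits)."""
    key = ((vsid & 0xFFFFFF) << 8) | (flow_id & 0xFF)
    return struct.pack("!HHI", GRE_KEY_FLAG, GRE_PROTO_TEB, key) + inner


def parse_nvgre(payload: bytes):
    """Return (vsid, inner_frame) from an NVGRE header."""
    if len(payload) < 8:
        raise ValueError("short NVGRE packet")
    flags_ver, proto, key = struct.unpack("!HHI", payload[:8])
    if not flags_ver & GRE_KEY_FLAG or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE header")
    return key >> 8, payload[8:]


def normalize_ingress(encap: str, data: bytes):
    """Strip the external encapsulation and re-wrap the inner frame in fabric VXLAN
    under the mapped VNI. Returns (fabric_vni, fabric_packet); a segment with no
    fabric mapping raises ValueError, i.e. the ingress leaf would drop it."""
    parsers = {"vlan": parse_8021q, "vxlan": parse_vxlan, "nvgre": parse_nvgre}
    segment_id, inner = parsers[encap](data)
    try:
        fabric_vni = SEGMENT_TO_VNI[(encap, segment_id)]
    except KeyError:
        raise ValueError(f"no fabric mapping for {encap} segment {segment_id}; dropped") from None
    return fabric_vni, encapsulate_vxlan(fabric_vni, inner)


if __name__ == "__main__":
    for encap, sample in (("vlan", tag_8021q(INNER_FRAME, 100)),
                          ("vxlan", encapsulate_vxlan(5000, INNER_FRAME)),
                          ("nvgre", encapsulate_nvgre(7000, INNER_FRAME))):
        vni, pkt = normalize_ingress(encap, sample)
        print(f"{encap:>5}: fabric VNI {vni:#08x}, inner preserved: {parse_vxlan(pkt)[1] == INNER_FRAME}")
```

Whatever the ingress encapsulation, the fabric-side packet carries the same 8-byte VXLAN header and the original inner frame, so forwarding and policy lookups inside the fabric only ever see the fabric VNI, which is the point of normalizing at the edge.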