So, you’ve had your ACI fabric for a while now, the novelty has worn off, and it’s no longer your shiny new toy.
Your Leafs and Spines are quietly whirring away, and the APICs are sitting in the DCs gathering dust. It’s easy to forget about it at this stage, to leave it alone and let it carry on forwarding your DC traffic, invisible to the rest of the organisation.
If it’s not causing any issues or headaches, why touch it? “If it ain’t broke, don’t fix it,” right? And that’s good… or is it?
What if you could get more out of it? Could you get a greater return on your investment? Are you fully using it to its capabilities? Are you still running in a network-centric model, overwhelmed by the effort involved in going truly Application-Centric, as you always intended?
You’re not alone
At WhiteSpider, we’ve deployed ACI fabrics for dozens of clients for nearly a decade, and the vast majority are in the same boat.
However, this trend is changing.
In an ideal world, a data centre is built as a true greenfield environment – everything is brand new from the network, security, compute, and application perspectives. The infrastructure can be designed to be a perfect fit. But as we all know, that’s a pipe dream. True greenfield doesn’t exist.
In reality, we’re usually tasked with implementing a DC networking solution that must coexist with legacy infrastructure components and support the migration of existing services. That’s why nearly all clients implement ACI in a network-centric model on day one, where Bridge Domains (BDs) and Endpoint Groups (EPGs) directly map to existing VLANs, and the common default or another “permit-any” contract is used across all EPGs.
This isn’t wrong, it’s often just the simplest way to migrate services to ACI.
Even clients who do start out Application-Centric usually still need an element of network-centric configuration to facilitate workload migrations. These deployments, launched with the best intentions, often get left alone because they’re working “just fine.”
Now, many of these clients are reaching the next phase of the product lifecycle. They’re refreshing hardware and maintenance contracts – and they’re at a crossroads:
- Do we stay network-centric and explore other vendors or solutions that offer equivalent functionality at a lower price point? If we’re still treating the DC as traditional infrastructure – VLAN = BD = EPG – it’s easy to walk away.
OR
- Do we commit to a modern data centre fabric approach and finally unlock its full potential?
The second option, staying with ACI, comes with advantages. Because ACI is software-defined, new hardware can be added to the fabric, existing policies applied, and hosts migrated in a controlled, risk-averse way before old equipment is decommissioned.
But hardware refresh alone isn’t reason enough to stay.
Now that your team is more comfortable with ACI, why not start using it as it was always intended? Implement segmentation and security policies within the fabric – a core ACI feature. This avoids relying on external appliances (often firewalls) to enforce traffic restrictions. Going Application-Centric and removing the dependency on external firewalls removes potential bottlenecks (on the firewall or its interfaces) and boosts application performance since filtering is done at the Leaf switch at line rate.
Lowering the load on external appliances might also mean smaller, cheaper models are required, or even lower license tiers can be used, reducing OpEx.
So why doesn’t everyone do it?
The two biggest barriers are:
- Lack of understanding of internal traffic flows.
- Fear of needing to re-IP workloads to implement segmentation.
These concerns spark fears of instability and outages – what if one missed contract filter breaks an app?
Here’s the good news: it doesn’t have to be painful.
With careful planning, there are ways to overcome these challenges and migrate to Application-Centric gradually and safely.
In a perfect world, application and service owners would give you a full list of ports and destinations, but in reality, that rarely happens. That’s where tools like Tetration or Nexus Dashboard Insights (which may already be included with your ACI license!) come in handy. They help identify the who/what/where of your traffic flows.
It’s wise to take a granular approach. Apply restrictive contracts to one server or application at a time; this limits the blast radius of any single change.
Two common methods to achieve this are Micro-segmentation (uSeg) and Endpoint Security Groups (ESGs).
Micro-segmented EPGs (uEPGs)
Instead of dot1q tags, uEPGs use attributes like IP address, MAC address, or – if you’ve integrated with a hypervisor – VM name, tags, or OS.
They allow you to break large EPGs into smaller subsets without changing IPs, subnets, or gateways. You can still use your legacy VLANs while introducing segmentation.
When we’ve implemented this for customers, we’ve seen minimal to zero disruption, often no more than a single lost ping!
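As an added example (not WhiteSpider’s or Cisco’s code) of the granular, one-server-at-a-time approach above: the script takes exported flow records (a constructed sample here, shaped like a flow-analysis tool export), works out which services were actually observed inbound to one server, and builds the APIC REST JSON for a micro-segmented EPG keyed on that server’s IP, with a contract whose filter permits only those services. The tenant, application profile, BD and object names are assumptions; the uSeg EPG keeps the existing BD so the server is not re-IPed. Payloads are built offline; a practitioner would review them and then POST them to the APIC.

```python
"""Build APIC REST payloads for one uSeg EPG and its restrictive contract.
Added example, not WhiteSpider's or Cisco's code. Tenant/AP/BD names are assumed."""
import json

# Constructed sample flow records, shaped like a flow-analysis tool export.
SAMPLE_FLOWS = [
    {"src": "10.10.20.15", "dst": "10.10.10.5", "proto": "tcp", "dport": 443},
    {"src": "10.10.20.16", "dst": "10.10.10.5", "proto": "tcp", "dport": 443},
    {"src": "10.10.30.8",  "dst": "10.10.10.5", "proto": "tcp", "dport": 22},
    {"src": "10.10.10.5",  "dst": "10.10.40.2", "proto": "tcp", "dport": 1433},  # server acting as client
    {"src": "10.10.20.15", "dst": "10.10.10.7", "proto": "tcp", "dport": 80},    # a different server
]


def inbound_services(flows, server_ip):
    """Sorted, de-duplicated (proto, dport) pairs observed with server_ip as destination."""
    return sorted({(f["proto"], f["dport"]) for f in flows if f["dst"] == server_ip})


def filter_payload(tenant, name, services):
    """vzFilter with one stateful vzEntry per observed (proto, dport)."""
    entries = [{"vzEntry": {"attributes": {
        "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
        "dFromPort": str(port), "dToPort": str(port), "stateful": "yes"}}}
        for proto, port in services]
    return {"vzFilter": {"attributes": {"dn": f"uni/tn-{tenant}/flt-{name}",
                                        "name": name}, "children": entries}}


def contract_payload(tenant, name, filter_name):
    """VRF-scoped vzBrCP with a single subject that references the filter."""
    return {"vzBrCP": {"attributes": {"dn": f"uni/tn-{tenant}/brc-{name}",
                                      "name": name, "scope": "context"},
            "children": [{"vzSubj": {"attributes": {"name": "inbound"},
                          "children": [{"vzRsSubjFiltAtt": {"attributes": {
                              "tnVzFilterName": filter_name}}}]}}]}}


def useg_epg_payload(tenant, ap, name, bd, server_ip, contract_name):
    """Attribute-based (uSeg) EPG matching a single host via fvIpAttr.
    It binds to the existing BD, so IP, subnet and gateway are unchanged.
    Domain binding (fvRsDomAtt) is site-specific and deliberately omitted."""
    return {"fvAEPg": {"attributes": {
                "dn": f"uni/tn-{tenant}/ap-{ap}/epg-{name}", "name": name,
                "isAttrBasedEPg": "yes"},
            "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                             "children": [{"fvIpAttr": {"attributes": {
                                 "name": f"ip-{server_ip}", "ip": server_ip}}}]}},
                {"fvRsProv": {"attributes": {"tnVzBrCPName": contract_name}}},
            ]}}


def build_segmentation(flows, server_ip, tenant="Prod", ap="Legacy", bd="BD-VLAN10"):
    """Return (services, [filter, contract, uSeg EPG]) for one server.
    An empty services list means the flow data showed nothing inbound, so no
    payload is produced rather than pushing an empty contract blindly."""
    services = inbound_services(flows, server_ip)
    if not services:
        return services, []
    tag = server_ip.replace(".", "-")
    flt = filter_payload(tenant, f"srv-{tag}", services)
    ctr = contract_payload(tenant, f"srv-{tag}", f"srv-{tag}")
    epg = useg_epg_payload(tenant, ap, f"useg-{tag}", bd, server_ip, f"srv-{tag}")
    return services, [flt, ctr, epg]


if __name__ == "__main__":
    svcs, payloads = build_segmentation(SAMPLE_FLOWS, "10.10.10.5")
    print("observed inbound services:", svcs)
    print(json.dumps(payloads, indent=2))
```

The design point is the order of operations: the filter is derived from observed flows before any EPG change is made, and a server with no observed inbound flows produces no payload at all, which forces a human to look at the data rather than cutting over on an empty contract. Flows where the server is the client are intentionally excluded; consumed contracts for outbound dependencies would be a separate, equally granular step.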
Endpoint Security Groups (ESGs)
Introduced in ACI 5.0, ESGs are like cross-BD EPGs. They can include endpoints across multiple BDs (within the same VRF) and apply consistent security policies across subnets.
This reduces the number of contracts/filters needed and helps optimise TCAM utilisation, crucial for large-scale deployments.
The main limitation? ESGs can’t apply contract logic between an ESG and an EPG/uEPG.
But this can be worked around, for example by using a “non-isolated” ESG to enable open communication initially, then gradually transitioning endpoints into isolated ESGs with custom policies.
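As an added example (not WhiteSpider’s or Cisco’s code) of the cross-BD grouping described in this section: the script builds the APIC REST JSON for an ESG whose endpoint selectors cover subnets living in two different Bridge Domains, and first checks that every BD involved sits in the same VRF, since an ESG is VRF-scoped and a mixed-VRF membership is rejected before any payload is produced. The BD-to-VRF map, tenant, application profile, subnets and contract names are constructed assumptions.

```python
"""Build an APIC REST payload for a cross-BD Endpoint Security Group.
Added example, not WhiteSpider's or Cisco's code; all names/values are assumed."""

# Constructed BD -> VRF map, as would be read from the tenant's existing config.
BD_TO_VRF = {
    "BD-VLAN10": "Prod-VRF",
    "BD-VLAN20": "Prod-VRF",
    "BD-VLAN30": "Prod-VRF",
    "BD-DMZ": "DMZ-VRF",
}

# Constructed (bd, subnet) pairs that make up one application tier across two BDs.
APP_TIER = [("BD-VLAN10", "10.10.10.0/24"), ("BD-VLAN20", "10.10.20.32/27")]


def single_vrf(members, bd_to_vrf):
    """Return the one VRF shared by all member BDs, or raise if they differ."""
    vrfs = {bd_to_vrf[bd] for bd, _ in members}
    if len(vrfs) != 1:
        raise ValueError(f"ESG members span multiple VRFs: {sorted(vrfs)}")
    return vrfs.pop()


def esg_payload(tenant, ap, name, members, bd_to_vrf, provided=(), consumed=()):
    """fvESg scoped to the members' VRF, with one IP selector per subnet and
    provided/consumed contract relations. Selectors match by IP prefix, so the
    endpoints keep their existing addresses and BDs."""
    vrf = single_vrf(members, bd_to_vrf)
    selectors = [{"fvEPSelector": {"attributes": {"matchExpression": f"ip=='{subnet}'"}}}
                 for _, subnet in members]
    relations = ([{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided] +
                 [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed])
    return {"fvESg": {"attributes": {"dn": f"uni/tn-{tenant}/ap-{ap}/esg-{name}",
                                     "name": name},
                      "children": [{"fvRsScope": {"attributes": {"tnFvCtxName": vrf}}}]
                                  + selectors + relations}}


if __name__ == "__main__":
    import json
    print(json.dumps(esg_payload("Prod", "App1", "web-tier", APP_TIER, BD_TO_VRF,
                                 provided=["web-in"], consumed=["db-out"]), indent=2))
```

Because the grouping is expressed once at the ESG and applied to every matched subnet, the two contracts above replace what would otherwise be a per-BD set of EPG-to-EPG contracts, which is the TCAM saving the section refers to.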
So yes – it might sound daunting. But migrating to Application-Centric can be done safely, and the payoff is well worth it.
Unlock the full value of your fabric
At WhiteSpider, we’ve guided dozens of organisations through the journey from network-centric to application-centric ACI, minimising risk while maximising value.
We also help clients take full advantage of advanced ACI capabilities, including:
- VMM integration
- L4–L7 service insertion
- Multi-Site and Multi-Cloud deployments
- Policy-driven automation
Together, these features unlock powerful efficiencies, tighter security, and long-term ROI from your data centre fabric. Curious how this works in practice? Talk to our team today to get started.