AAEP for shared interfaces design best practice

newmanf
Level 1

Hello,

Currently, I am designing ACI objects for ACI. For AAEP I was following best practice, one AAEP for each tenant with different domains for each tenant. In my network, I have about 10 tenants. Some of the physical interfaces are shared between tenants. For example, the connection to the L3Out is organized through the same physical interfaces, but each tenant has its own L3Out. Also, the physical connection with the firewalls is shared between all tenants, but each has a dedicated firewall context; separation is achieved through VLAN tags.

My question is, should I make a dedicated AAEP for those kinds of shared interfaces?

Thanks in advance

1 Accepted Solution

Accepted Solutions

RedNectar
VIP

Hi @newmanf ,

Re:

My question is, should I make a dedicated AAEP for those kinds of shared interfaces?

The quick answer is simply:

Yes.

I guess the key to understanding AAEPs is to consider them a way of grouping a set of interfaces that share access to a common set of VLANs, and since each tenant is likely to have its own set of VLANs, your idea of using one AAEP per tenant is sound.

However, when interfaces are to be shared and different VLANs allocated to different Tenants, a more "global" set of VLANs must be used, and therefore a new AAEP with its own set of domains and interfaces is entirely appropriate. In your case, you might consider:

  1. A VLAN pool (say Shared_VLAN.Pool) that contains:
    1. all of the VLANs that will be used for shared physical Firewall connections
    2. all of the VLANs that will be used for shared L3 External Routed connections
  2. A Physical Domain (say Shared_PhysDom) that is linked to the Shared_VLAN.Pool
  3. An External Routed Domain (say Shared_ExtL3Dom) that is linked to the Shared_VLAN.Pool
  4. An AAEP (say Shared_AAEP) that is linked to both the Shared_PhysDom and the Shared_ExtL3Dom

And of course the rest of the Access Policy chain that defines the physical interfaces/VPCs would be linked to this AAEP.

I hope this helps

Don't forget to mark answers as correct if they solve your problem. This helps others find the correct answer if they search for the same problem.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
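The four objects in the list above (shared VLAN pool, physical domain, external routed domain, AAEP), written as the JSON the APIC REST API accepts, plus a check that the chain is wired up before anything is pushed. This is an added example, not Chris's configuration or anything from the original post; the object names are taken from the answer and the VLAN ranges are constructed.

```python
"""Build the Shared_* access-policy chain from the answer as APIC REST JSON and
sanity-check it. Added example; names follow the answer, VLAN ranges are constructed."""
from itertools import combinations

POOL_DN = "uni/infra/vlanns-[Shared_VLAN.Pool]-static"  # static allocation: physical + L3Out

def encap_blk(lo: int, hi: int) -> dict:
    """One VLAN range in the pool; role 'external' is what static paths and L3Outs use."""
    return {"fvnsEncapBlk": {"attributes": {"from": f"vlan-{lo}", "to": f"vlan-{hi}",
                                            "allocMode": "static", "role": "external"}}}

def vlan_pool(blocks: list) -> dict:
    return {"fvnsVlanInstP": {"attributes": {"dn": POOL_DN, "name": "Shared_VLAN.Pool",
                                             "allocMode": "static"}, "children": blocks}}

def domain(cls: str, dn: str, name: str) -> dict:
    """physDomP (Shared_PhysDom) or l3extDomP (Shared_ExtL3Dom), each bound to the shared pool."""
    return {cls: {"attributes": {"dn": dn, "name": name},
                  "children": [{"infraRsVlanNs": {"attributes": {"tDn": POOL_DN}}}]}}

def aaep(name: str, domain_dns: list) -> dict:
    return {"infraAttEntityP": {"attributes": {"dn": f"uni/infra/attentp-{name}", "name": name},
            "children": [{"infraRsDomP": {"attributes": {"tDn": d}}} for d in domain_dns]}}

def build_shared_chain() -> list:
    # Constructed ranges: 3000-3099 for firewall contexts, 3100-3199 for per-tenant L3Outs.
    pool = vlan_pool([encap_blk(3000, 3099), encap_blk(3100, 3199)])
    phys = domain("physDomP", "uni/phys-Shared_PhysDom", "Shared_PhysDom")
    l3 = domain("l3extDomP", "uni/l3dom-Shared_ExtL3Dom", "Shared_ExtL3Dom")
    return [pool, phys, l3, aaep("Shared_AAEP", ["uni/phys-Shared_PhysDom", "uni/l3dom-Shared_ExtL3Dom"])]

def validate_chain(objs: list) -> list:
    """Report dangling AAEP->domain or domain->pool links and overlapping VLAN blocks in a pool."""
    by_dn = {o[c]["attributes"]["dn"]: (c, o[c]) for o in objs for c in o}
    problems = []
    for dn, (cls, mo) in by_dn.items():
        for child in mo.get("children", []):
            for rel, body in child.items():
                t = body["attributes"].get("tDn")
                if rel == "infraRsDomP" and by_dn.get(t, ("",))[0] not in ("physDomP", "l3extDomP"):
                    problems.append(f"{dn}: AAEP links to undefined domain {t}")
                if rel == "infraRsVlanNs" and by_dn.get(t, ("",))[0] != "fvnsVlanInstP":
                    problems.append(f"{dn}: domain links to undefined VLAN pool {t}")
        if cls == "fvnsVlanInstP":  # overlapping blocks inside one pool are a config error
            rng = [tuple(int(b["fvnsEncapBlk"]["attributes"][k][5:]) for k in ("from", "to"))
                   for b in mo["children"]]
            for (a, b), (c, d) in combinations(rng, 2):
                if a <= d and c <= b:
                    problems.append(f"{dn}: VLAN blocks {a}-{b} and {c}-{d} overlap")
    return problems
```

Once `validate_chain` returns no problems, each dict can be POSTed to `/api/mo/uni.json` on the APIC; the interface policy groups for the shared ports and VPCs then reference `uni/infra/attentp-Shared_AAEP`.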


2 Replies

Hello Chris,

Thank you for an explanation.