09-05-2019 11:35 PM
Hello,
Currently, I am designing ACI objects for ACI. For AAEP I was following best practice, one AAEP for each tenant with different domains for each tenant. In my network, I have about 10 tenants. Some of the physical interfaces are shared between tenants. For example, the connection to L3Out is organized through the same physical interfaces, but each tenant has its own L3Out. Also, the physical connection with the firewalls is shared between all tenants, but each has a dedicated firewall context; separation is achieved through VLAN tags.
My question is, should I make a dedicated AAEP for those kinds of shared interfaces?
Thanks in advance
09-06-2019 01:40 PM
Hi @newmanf ,
Re:
My question is, should I make a dedicated AAEP for those kinds of shared interfaces?
The quick answer is simply:
Yes.
I guess the key to understanding AAEPs is to consider them a way of grouping a set of interfaces that share access to a common set of VLANs, and since each tenant is likely to have its own set of VLANs, your idea of using one AAEP per tenant is sound.
However, when interfaces are to be shared and different VLANs allocated to different Tenants, a more "global" set of VLANs must be used, and therefore a new AAEP with its own set of domains and interfaces is entirely appropriate. In your case, you might consider:
And of course the rest of the Access Policy chain that defines the physical interfaces/VPCs would be linked to this AAEP.
I hope this helps
Don't forget to mark answers as correct if they solve your problem. This helps others find the correct answer if they search for the same problem.
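The grouping rule from the answer above, as an added example that is not part of the original thread and does not call any ACI API: it sorts a constructed inventory of (tenant, interface, VLAN) attachments into one AAEP per tenant plus one shared AAEP, and flags any VLAN tag that two tenants use on the same shared interface, since the tag is the only separation there. Tenant names, port names, VLAN IDs and the `AAEP-...` naming are assumptions.

```python
from collections import defaultdict

# Constructed sample inventory: (tenant, interface, VLAN tag). All values hypothetical.
ATTACHMENTS = [
    ("TenantA", "leaf101/eth1/1", 1001),    # port used by TenantA only
    ("TenantB", "leaf101/eth1/2", 2001),    # port used by TenantB only
    ("TenantA", "leaf103/eth1/10", 3010),   # shared L3Out uplink
    ("TenantB", "leaf103/eth1/10", 3020),
    ("TenantA", "leaf103/eth1/20", 3110),   # shared firewall trunk
    ("TenantB", "leaf103/eth1/20", 3110),   # same tag as TenantA: conflict
]

SHARED_AAEP = "AAEP-Shared"  # hypothetical name for the dedicated shared AAEP


def plan_aaeps(attachments):
    """Return (plan, conflicts).

    plan maps an AAEP name to the interfaces it groups and the VLANs its
    domains must cover. conflicts lists (interface, vlan, tenants) where
    more than one tenant uses the same tag on the same interface.
    """
    tenants_on = defaultdict(set)    # interface -> tenants using it
    tag_users = defaultdict(set)     # (interface, vlan) -> tenants using that tag
    for tenant, intf, vlan in attachments:
        tenants_on[intf].add(tenant)
        tag_users[(intf, vlan)].add(tenant)

    plan = defaultdict(lambda: {"interfaces": set(), "vlans": set()})
    for tenant, intf, vlan in attachments:
        # An interface used by more than one tenant goes to the shared AAEP.
        shared = len(tenants_on[intf]) > 1
        name = SHARED_AAEP if shared else f"AAEP-{tenant}"
        plan[name]["interfaces"].add(intf)
        plan[name]["vlans"].add(vlan)

    conflicts = sorted(
        (intf, vlan, sorted(users))
        for (intf, vlan), users in tag_users.items()
        if len(users) > 1
    )
    return dict(plan), conflicts


if __name__ == "__main__":
    plan, conflicts = plan_aaeps(ATTACHMENTS)
    for name in sorted(plan):
        print(name, sorted(plan[name]["interfaces"]), sorted(plan[name]["vlans"]))
    for intf, vlan, users in conflicts:
        print(f"VLAN {vlan} on {intf} is used by {users}")
```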
09-17-2019 09:04 AM