01-24-2024 06:28 AM
Hello All,
Forgive me for any silly question as I'm still learning ACI.
So, I recently joined a small company where we have an ACI fabric. In most setups, I've always seen EPGs being linked to interfaces using static ports. However, at this company they're mapping EPGs directly under the AAEP.
1. So now my question is, under the AAEP when mapping an EPG, we have an "Encap" option and a "Primary Encap" option. What are these two and what do they mean (with an example, please)? And the mode as Trunk/Access/Access(802.1p)?
2. Currently, in the EPG section, I see encap with vlan xyz and primary encap as unknown and mode as untagged. So, as per my understanding, it means that anything that comes untagged will get into the ACI fabric with encap xyz. This is only so that we know which EPG the traffic should be mapped to. But now, there is a request to send another VLAN's traffic on that same interface.
How do we achieve this request? Currently there is a 1:1 mapping between BD and subnet.
Thanks in advance for the help.
01-26-2024 03:18 PM
Hi @CollisionDomain ,
Forgive me for any silly question as I'm still learning ACI.
Good luck then. No question is silly.
1. So now my question is, under the AAEP when mapping an EPG, we have an "Encap" option and a "Primary Encap" option. What are these two and what do they mean (with an example, please)? And the mode as Trunk/Access/Access(802.1p)?
The Encap option is where you define the vlan ID that you wish to associate with the particular EPG. If you are deploying micro-segmentation (usually via a VMM Domain) then you'll also need to supply a Primary Encap as well. You can read more about micro-segmentation here.
Keep in mind when deploying EPGs via the AAEP, the VLAN ID and encapsulation mode (Trunk/Access(Untagged)/Access(802.1p)) you specify will be applied to EVERY interface that has its Interface Policy Group linked to that AAEP. This means that you need to be VERY careful if you use any encapsulation mode other than trunk.
This means that if you specify ONE untagged encapsulation for an AAEP, EVERY INTERFACE that has its Interface Policy Group linked to that AAEP is now an ACCESS PORT - and you can never have a trunk port in that AAEP. So using this "mapping up" method of defining EPGs, you'll almost certainly NEVER want to specify any Access(Untagged) encapsulations. If you want to specify untagged traffic AND have Trunk ports you'll have to use Access(802.1p) encapsulation for the untagged traffic.
But it's not that simple. If you specify that vlan-10 defines traffic belonging to EPG_A Access(802.1p) (or Access(untagged)), then you'll NEVER be able to use any other untagged/802.1p encapsulation on ANY interface that has its Interface Policy Group linked to that AAEP. In other words, you can't have vlan-10 defining traffic belonging to EPG_A untagged/802.1p, and vlan-11 defining traffic belonging to EPG_B untagged/802.1p in the same AAEP.
And that goes for any static "mapping down" from the EPG to any untagged encapsulations too - if you've done an untagged/802.1p "mapping up" for any vlan for a particular AAEP, you won't be able to do any untagged/802.1p "mapping down" from the EPG to any untagged encapsulation either.
2. Currently, in the EPG section, I see encap with vlan xyz and primary encap as unknown and mode as untagged. So, as per my understanding, it means that anything that comes untagged will get into the ACI fabric with encap xyz.
Almost correct. Let me rephrase it for you:
...encap with vlan xyz and primary encap as unknown and mode as untagged means that anything that comes untagged on the statically mapped ports will get into the EPG in the ACI fabric with encap xyz.
This is only so that we know which EPG the traffic should be mapped to. But now, there is a request to send another VLAN's traffic on that same interface. How do we achieve this request?
The moment you need more than one VLAN encapsulation on an interface, you have to change any Access(Untagged) encapsulations to Access(802.1p) - this is the equivalent of changing the interface from an Access port to a Trunk port.
Once you have done that, you'll be able to specify "another vlan traffic on that same interface" without any problems.
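To make the two rules in this answer concrete (an Access(Untagged) encap turns every interface behind the AAEP into an access port; only one untagged/802.1p encap is allowed per AAEP), here is an added example in Python. It is not code from this thread or from Cisco. It assumes the APIC object model names infraAttEntityP > infraGeneric > infraRsFuncToEpg and the mode attribute values regular (Trunk), native (Access(802.1p)) and untagged (Access(Untagged)); the tenant, EPG and VLAN values are constructed samples. It builds the JSON body for an EPG-to-AAEP "mapping up", lints a set of attachments against the two rules, and applies the fix from the answer (untagged to 802.1p) so a second VLAN can share the interface.

```python
"""Build and lint EPG-to-AAEP ("mapping up") attachments for Cisco ACI.

Added example, not code from the thread or from Cisco. It assumes the APIC
object model names infraAttEntityP > infraGeneric > infraRsFuncToEpg and the
mode attribute values regular (Trunk), native (Access(802.1p)) and untagged
(Access(Untagged)); tenant, EPG and VLAN values below are constructed samples.
"""
from dataclasses import dataclass, replace

# GUI label -> value of the "mode" attribute on infraRsFuncToEpg (assumed mapping)
MODE = {"Trunk": "regular", "Access(802.1p)": "native", "Access(Untagged)": "untagged"}


@dataclass(frozen=True)
class EpgAttach:
    epg_dn: str                     # e.g. uni/tn-Prod/ap-App1/epg-EPG_A
    encap: str                      # e.g. vlan-10
    mode: str                       # regular | native | untagged
    primary_encap: str = "unknown"  # only used for micro-segmented (VMM) EPGs


def build_aaep(name, attachments):
    """Return the APIC JSON body that attaches EPGs directly under an AAEP."""
    rels = [
        {"infraRsFuncToEpg": {"attributes": {
            "tDn": a.epg_dn,
            "encap": a.encap,
            "mode": a.mode,
            "primaryEncap": a.primary_encap,
            "instrImedcy": "immediate",
        }}}
        for a in attachments
    ]
    return {"infraAttEntityP": {
        "attributes": {"name": name},
        "children": [{"infraGeneric": {"attributes": {"name": "default"},
                                       "children": rels}}],
    }}


def lint_aaep(attachments):
    """Check the two constraints from the answer above.

    1. An Access(Untagged) encap makes every interface behind the AAEP an access
       port, so any other encap on the same AAEP can never be carried.
    2. Only one untagged/802.1p encap is allowed per AAEP, because a port can
       have exactly one encap for untagged frames.
    Returns a list of human-readable findings; empty means the set is consistent.
    """
    findings = []
    untagged = [a for a in attachments if a.mode == "untagged"]
    no_tag = [a for a in attachments if a.mode in ("untagged", "native")]
    if untagged and len(attachments) > len(untagged):
        findings.append(
            f"{untagged[0].encap} is Access(Untagged): every interface in this AAEP "
            "becomes an access port, so the other encaps will never pass traffic")
    if len(no_tag) > 1:
        findings.append("more than one encap claims untagged frames: "
                        + ", ".join(f"{a.encap}({a.mode})" for a in no_tag))
    return findings


def trunk_ready(attachments):
    """Apply the fix from the answer: turn Access(Untagged) into Access(802.1p)
    so the interfaces become trunks and additional tagged VLANs can be added."""
    return [replace(a, mode="native") if a.mode == "untagged" else a
            for a in attachments]


# Constructed sample: the situation from the question (one untagged EPG) plus
# the requested second VLAN added as a Trunk encap on the same AAEP.
EPG_A = "uni/tn-Prod/ap-App1/epg-EPG_A"
EPG_B = "uni/tn-Prod/ap-App1/epg-EPG_B"
BEFORE = [EpgAttach(EPG_A, "vlan-10", MODE["Access(Untagged)"]),
          EpgAttach(EPG_B, "vlan-11", MODE["Trunk"])]
AFTER = trunk_ready(BEFORE)
# Two EPGs both claiming untagged frames on the same AAEP: rule 2 violation.
CONFLICT = [EpgAttach(EPG_A, "vlan-10", MODE["Access(802.1p)"]),
            EpgAttach(EPG_B, "vlan-11", MODE["Access(802.1p)"])]

if __name__ == "__main__":
    import json
    print("before:  ", lint_aaep(BEFORE))    # one finding (rule 1)
    print("after:   ", lint_aaep(AFTER))     # []
    print("conflict:", lint_aaep(CONFLICT))  # one finding (rule 2)
    print(json.dumps(build_aaep("AAEP_SERVERS", AFTER), indent=2))
```

Running the module prints the findings for the three constructed sets and the JSON body you would POST to the APIC for the corrected set; the lint is the check worth running before pushing any AAEP change, since the mode you pick lands on every port whose Interface Policy Group uses that AAEP.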
01-25-2024 06:54 AM
Attach both EPGs/VLANs in the AEP and set both as trunk.
01-26-2024 02:21 AM
Great. That helps. Do you also know the answer to the first question?
02-08-2024 06:54 AM
Thank you so much @RedNectar. 50% of my ACI knowledge is from your answers in this forum. Appreciate it.