About Cisco CISCO ACI

maogo11 · ‎04-04-2024

Dear community

In Cisco ACI, when an EPG (Endpoint Group) is extended beyond one VRF (Virtual Routing and Forwarding) instance, its pcTag may be changed from Local scope to Global scope. This is because initially, an EPG is assigned a Local pcTag within its own VRF. However, if the EPG needs to be accessed across multiple VRFs, a Global pcTag is required.

Now, if an existing external EPG1 is connected via L3out and a new external EPG2 is added (like connecting a new WAN), the concern is whether this addition will break communication with the already established external EPG1. Ideally, the external EPG1, which should already be operating on the global pcTag, would not be affected by the new addition. Usually, the communication interruption occurs when the EPG pcTag is migrated from local to global as part of the initial setup, or when a change in network configuration triggers a reevaluation of the pcTag scope. if EPG1 is already using the Global pcTag and the addition of EPG2 does not require changing the pcTag of EPG1, then EPG1 communication should not be interrupted.

Please let me know if you know or have verified this.

BANERJEE SHIBASISH · ‎07-27-2024

Hi @maogo11 Thanks for your query. Adding the new EPG2 to the existing L3out under the global pctag scope with EPG1 which is already in global scope should not break the communication.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards,

Shibasish

AshSe · ‎07-29-2024

First of all let's understand What is pcTag:

pcTag = Policy Class Tag
It is a numeric ID used for internal representation of EPG.
Also referred to as Source Class (sclass) or Destination Class (dclass).
It is used for:

Classification of traffic and
Policy Enforcement (Contract Enforcement).

ACI Leaf classifies and marks incoming and outgoing traffic by assigning a pcTag value to it.

The pcTag assigned to source epg is called SCLASS
The pcTag assigned to destination EPG is called DCLASS.

pcTag value ranges from 1-65535
pcTag types/Scope:

System Scope

These are internal system tag values
Range: 1-15

pcTag 13 = drop EPG
pcTag 15 = L3Out with 0.0.0.0/0 subnet

Global Scope

Default scope of pcTag = Local
Required in case of inter VRF contract
Is Unique across ACI fabric
Range: 16-16385

Local Scope

Default scope
Range: 16383-65535

AshSe · ‎07-29-2024

Now your requirement (in diagram):

Now Answer to your question:

Since new external EPG2 will get a new Global pcTag value, different from pcTag value assigned to external EPG1, they both will establish independent sessions with internal EPG and thus previously established connection will not break.

--------------------------------------------------------------------------------------------

If this helps, please give your thumps up (Helpful) and mark as "Resolved"

--------------------------------------------------------------------------------------------