Solved: Re: ACI BD concept - vlan interface with secondaries?

tsmarcyes · ‎02-07-2019

In ACI discussions, its always mentioned that BDs are NOT VLANS. The most common argument are that vlans equated to one subnet and thus since you can have multiple subnets in a bridge domain, they are therefore not the same as vlans. However, in traditional networking (although typically not recommended), we could have multiple subnets on a vlan (vlan interface) using the secondary command after the ip address. Thus, you can have multiple subnets per vlan even in traditional networking. And guess what, all those subnets are subject to the same flood domain since they are all in the same vlan. Many try to equate BD to PVLANS, but to me the vlan interface with secondary ip addresses seems closer as private vlans are typically used to segregate traffic within the vlan while if Im not mistaken the default behavior in ACI for BD is to allow communication between all subnets, just like a vlan interface with secondaries. Although there are still other constructs involving EPGs, contracts, etc, that then take the BD beyond this simply concept, if we are simply talking about the BD itself, would it not be logically correct to compare it to a vlan interface that MAY have multiple subnets (secondary ip addresses).

RedNectar · ‎02-07-2019

Hi tsmarcyes,

I have to say I never try to explain BDs in that way. Here's my standard spiel:

Bridge Domains are not quite the same a VLANs. They are a broadcast container like VLANs, but have no relationship with 802.1Q VLAN tags. Instead, 802.1Q tags are used to identify EPGs.

As far as IP interfaces go, just like VLANs, a BD can also have multiple IP interfaces - one primary IP address and multiple secondary interfaces, but by applying multiple IP addresses to a BD, you are potentially expanding the size of the Broadcast Domain, just like in a VLAN world. However, ACI does have asome broadcast reduction mechanisms, such as Directerd ARP Broadcasts and Flooding within Encapsulaton, so you can probably get away with a larger number of End Points in your BD than you would a regular VLAN.

So your sumation that "would it not be logically correct to compare it to a vlan interface that MAY have multiple subnets (secondary ip addresses)" is spot on.

I don't see any relevance in relating BDs to PVLANs either. It IS possible to simulate PVLAN behaviour within an EPG (using the Intra EPG Isolation option), but not within a BD.

Bottom line:

When we say that a BD is NOT a VLAN, we mean that it looks like a VLAN, it smells, like a VLAN and walks like a VLAN - but is completely unrelated to 802;1Q VLAN tags, so we don't call it a VLAN.

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

RedNectar · ‎02-07-2019

Hi tsmarcyes,

I have to say I never try to explain BDs in that way. Here's my standard spiel:

Bridge Domains are not quite the same a VLANs. They are a broadcast container like VLANs, but have no relationship with 802.1Q VLAN tags. Instead, 802.1Q tags are used to identify EPGs.

As far as IP interfaces go, just like VLANs, a BD can also have multiple IP interfaces - one primary IP address and multiple secondary interfaces, but by applying multiple IP addresses to a BD, you are potentially expanding the size of the Broadcast Domain, just like in a VLAN world. However, ACI does have asome broadcast reduction mechanisms, such as Directerd ARP Broadcasts and Flooding within Encapsulaton, so you can probably get away with a larger number of End Points in your BD than you would a regular VLAN.

So your sumation that "would it not be logically correct to compare it to a vlan interface that MAY have multiple subnets (secondary ip addresses)" is spot on.

I don't see any relevance in relating BDs to PVLANs either. It IS possible to simulate PVLAN behaviour within an EPG (using the Intra EPG Isolation option), but not within a BD.

Bottom line:

When we say that a BD is NOT a VLAN, we mean that it looks like a VLAN, it smells, like a VLAN and walks like a VLAN - but is completely unrelated to 802;1Q VLAN tags, so we don't call it a VLAN.

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

tsmarcyes · ‎02-07-2019

Thanks RedNectar for the reply.
See, as far as your bottom line, thats how I have been seeing it as well. However, it seems every document/video/instructor seems to deliberately go out of their way to try to explain it as being far away from being a vlan when in reality they have a lot of similarities in concepts, just technically they don't operate the same at the lower level ..ie tags as you mentioned..

RedNectar · ‎02-07-2019

Clearly I need to write more documents... or do a video :)

Certainly when ACI first came out Cisco seemed to want to avoid stating the obvious which confused me too. And of course, many of those videos are still what people watch.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.