ACI Layer two and layer three out connections

ksherwood
Level 1

Hi Tomas,

Thank you for your previous APIC setup help.

Could you please write up a step-by-step process to connect a brownfield network to a greenfield ACI network via Layer 2 trunk and Layer 3 outs (for the GUI)?

i.e. step 1. Create bla bla bla
     step 2. bla bla bla

and also post the GUI screenshot

I need to provide a migration link before moving servers and vlans into the ACI

Thanks in advance


14 Replies

Tomas de Leon
Cisco Employee

Kevin,

It is difficult to give a step-by-step example for you, since there may be specific requirements for your network and your connections.  I have included some documentation links that you may or may not have already read, but they explain L2 & L3 examples and what it takes to connect to existing networks.

Also, if you sign up for the Cisco Learning Network there are some ACI Training and ACI How-to videos on the topics that you are asking about.  These will give you a starting point for configuring your connections.

Connecting Application Centric Infrastructure (ACI) to Outside Layer 2 and 3 Networks
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c07-732033.html

Integrate Cisco Application Centric Infrastructure with Existing Networks
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-731860.html

ACI Training Videos
https://learningnetwork.cisco.com/community/learning_center/aci-training-videos/videos

Take a look at the material and try configuring a test L3 & L2 connection, then let us know how it goes and, if you have issues, what issues you are seeing.

Thanks again for using the ACI Cisco Support Community!

T.

Yes, I have read those documents, so I'm not just wasting your time and being lazy  :>)

I know you're the guru, so it would be nice if you could just give me the basic requisites as opposed to all the fluff you get in the document?

i.e. 1. Create a Tenant
    2. Create a BD
    3. Create an EPG
    4. etc.

Once I know the minimum requirements I can fill in the rest. I do want to use EIGRP on the two layer 3 outs if possible though.

Kevin,

The "fluff" in those docs is necessary to give the context and help identify other considerations when deploying features.  I can appreciate our docs are about 10x larger than they need to be, but with a product as complex as ACI, there's going to be quite a bit of collateral to absorb.

I don't have a cheat sheet for EIGRP specifically, but I can give you this one for OSPF.  No screenshots, just a quick and dirty reference.  You should be able to sub in EIGRP when you get to that step.

Robert

Thanks Robert, I appreciate it's a wide field. That jump start looks very good.

Do you have something like that for Layer 2 Out as well?

I'm assuming I need layer 2 and layer 3 outs to effect a brownfield migration.

Depending on your requirements you can connect your legacy environment over just an L3 External connection (routed) or if you want to build them in tandem without changing too much, you can use a L2 External connection and leave your routing where it is today (gateway).

Yes, here's a sister doc for External L2 connectivity.  Again, these docs don't talk at all about design, they are simple config steps.  To get the full design details, refer to the guide titled "Connecting ACI to External L2/L3 Networks".

Robert

I'm still a bit confused, so please correct me if I'm wrong.

I have an existing core, distribution and ToR data centre. The core routes to WAN and Internet. To migrate to ACI I want to slowly move the existing Nexus, FEX and UCS. I want to use existing VLAN = EPG = BD. To do this I need to:

1. Connect the new ACI to the existing 6500 VSS distribution switches via Layer2Out trunked links (but what Layer 2 out option should I use)?

2. Once all existing connections are moved, I can turn on ACI routing including the Layer3Out to get to the WAN and remove the Layer2Out and brownfield DC routing?

I assume if I get the external routing right I could set this up any time, but the Layer2Out options are a worry. Which one would I use so that I get VLAN to EPG to BD and have the VLANs co-exist until I'm finished?

Kevin,

The two options you have are to extend EPGs or extend the Bridge Domain.  If you want to simply map a VLAN => EPG, then EPG extension using the static path binding is the way to go.  All traffic between each endpoint within the fabric and external to the fabric will be subject to the contracts/filters applied to each respective EPG.  Depending on how many EPGs/VLANs you have, this might take a little work initially to set up.

The alternative is to extend the bridge domain.  Here you essentially create an L2 Domain with a range of VLANs.  This L2 Domain essentially becomes its own EPG, so contracts are applied to the L2 Domain and any other EPG they need to access.  The question comes down to the need for granularity of policies.  In the "Connecting ACI to External L2/L3 Networks" whitepaper see Figure 54, which shows the logical difference between these two options.  http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c07-732033.html#_Toc395143568

The other thing to consider is where you plan to host your GW for each subnet during the migration.  Are you keeping your routing on the 6500s or will you allow the ACI Fabric to act as the GW for your subnets? If the fabric is to be your GW, then you will need to route between the fabric & the 6500s with an L3 connection.  If you simply go with the EPG extension and keep your GW on the 6500s, you're simply mapping EPGs to VLANs, with no inter-EPG traffic routed by the fabric itself - hence you aren't really applying any policies (contracts) between EPGs from the fabric perspective.  This skips around one of the major value-adds of ACI - enforcing inter-EPG policy.

As you can see Kevin, there's lots to consider and too many unknowns for us to blankly advise you which is best for your existing & future needs.  The more details you give us, the more we can advise.

Robert
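The EPG-extension option from Robert's reply, rendered as an APIC REST tenant payload with one EPG per legacy VLAN and a static path binding per trunk port. This is an added example, not code from the thread or from Cisco; the tenant name, application profile, VLAN-to-role mapping and leaf port paths are constructed, and the BD flooding settings are assumptions to revisit for a real design.

```python
"""Added example, not from the thread or from Cisco: build the APIC REST/JSON
tenant tree for the "EPG extension" option, one EPG per legacy VLAN, each
statically bound (fvRsPathAtt) to the leaf ports facing the 6500 VSS pair.
Gateways stay on the 6500s, so BDs carry no subnet and unicast routing is off.
Class/attribute names are standard APIC ones; tenant, ports, VLANs are constructed."""
import json

# Constructed sample input: legacy VLAN -> role, and the two trunk ports.
LEGACY_VLANS = {100: "web", 200: "app", 300: "db"}
TRUNK_PORTS = ["topology/pod-1/paths-101/pathep-[eth1/1]",
               "topology/pod-1/paths-102/pathep-[eth1/1]"]


def epg_with_static_paths(name, bd, vlan, paths):
    """One EPG tied to its BD, bound 802.1Q-tagged ("regular") on every trunk port."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    for tdn in paths:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": tdn, "encap": f"vlan-{vlan}",
            "mode": "regular", "instrImedcy": "immediate"}}})
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant(tenant, ap, vlans, paths):
    """fvTenant tree with one L2-only BD and one EPG per legacy VLAN.  The
    flooding knobs are the usual choice when the gateway sits outside the
    fabric (an assumption; tune them for your design).  POST to /api/mo/uni.json."""
    bds, epgs = [], []
    for vlan, role in sorted(vlans.items()):
        bd = f"bd-{role}"
        bds.append({"fvBD": {"attributes": {
            "name": bd, "unicastRoute": "no", "arpFlood": "yes",
            "unkMacUcastAct": "flood"}}})
        epgs.append(epg_with_static_paths(f"epg-{role}", bd, vlan, paths))
    app = {"fvAp": {"attributes": {"name": ap}, "children": epgs}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": bds + [app]}}


def count_class(tree, cls):
    """Count objects of one class in the tree, e.g. bindings to maintain: VLANs x ports."""
    if isinstance(tree, dict):
        return sum((k == cls) + count_class(v, cls) for k, v in tree.items())
    if isinstance(tree, list):
        return sum(count_class(i, cls) for i in tree)
    return 0


if __name__ == "__main__":
    tree = build_tenant("migration", "legacy-vlans", LEGACY_VLANS, TRUNK_PORTS)
    print(json.dumps(tree, indent=2))
    print("static path bindings:", count_class(tree, "fvRsPathAtt"))
```

The binding count grows as VLANs times trunk ports, which is the "little work initially" Robert mentions; the BD-extension option would replace those per-VLAN EPGs with a single L2 external EPG.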

Excellent, thanks Robert, that clears things up for me a bit better.

Because I want to move many VLANs I think I'll use the BD option.

The routing will remain on the existing network until all is migrated so the layer 3 out can wait also.

I take it I will need layer 3 out once the tie is broken between old and new ?

Yes, before you zap your existing connection between old & new you'll need to set up a new L3 out for your fabric to reach the WAN devices.

Robert

Excellent, thanks to Robert and Tomas for their patience and advice

Hello Robert,

I have exactly the same kind of environment I need to migrate. I found this post very helpful. The Cisco general documents for ACI are kind of "fluff" for people who are new to APIC stuff, like me :). The jump start document is helpful. However, I installed APIC 2.0. As Cisco did for ASDM, Cisco changed the way and place to configure different features in the new version of APIC. The link you sent for L2/L3 connection is not the same as what I saw on APIC 2.0. Do you have an updated document for L2/L3 connection? It is very frustrating that Cisco changes the GUI all the time. We just learn how to use it, and it is changed again.

Thanks,

Sean

Hi Robert,

Can you help with the following please, in regards to your last paragraph:

"The other thing to consider is where you plan to host your GW for each subnet during the migration.  Are you keeping your routing on the 6500's or will you allow the ACI Fabric to act as the GW for your subnets? If the fabric is to be your GW, then you will need to route between the fabric & the 6500's with a L3 connection.  If you simply go with the EPG extension and keep your GW on the 6500's you're simply mapping EPGs to VLANs, with no inter-EPG traffic routed by the fabric itself - hence you aren't really applying any policies (contracts) between EPGs from the fabric perspective.  This skips around one of the major value-adds of ACI - enforcing inter-EPG policy."

From the above, are you saying that if the default gateway stays as is on the legacy environment, you need to have the L2 extension and L3out connectivity set up right at the same time? I believe it would be required to be able to route to the other VLANs on the legacy 6500s?

Tomas, can you please answer my question about which Layer 2 out option to use?

Dan Peronto
Level 1