Hi RedNectar,

Thank you for the thorough explanation as always. Yes, I am aware of the above, but when trying to understand the concept using ACI simulator, then using a customer deployment (mainly for CLI interrogation) I noticed each leaf shows a different set of allowed trunk vlans, so I mistakenly assumed this was a thing. My assumption was this was due to the associated VLAN Pool, although this did not match up with the pool. 

Thank you once again for in-depth handholding and knowledge on this topic.

Regards 

Hi @chrisdale ,

[Edit: I've had a bit of a re-think about what I said last night - I realised that it might leave some confusion regarding exactly what tags are placed on the frames as they leave the switch to the external device. So check the addendum below too.]

Yes, I forgot to mention that the VLANs that you see on the port would be the internal VLANs used on on each switch which are local to that switch.  In other words, if you configure say VLAN 100 on VCP1 on switch 1 and switch 2, potentially that will be mapped internally on switch 1 to say VLAN 16 and on switch 2 to VLAN 22.

There is a very good reason for this, because ACI supports many thousands of VLANs (they used to say a million, but I think they have pruned that back to reality) whereas each switch supports only the regular 4095 VLANs.  To may ACI viable across hundreds of switches, each switch does this internal mapping.

NOW - having said that, when it comes to the simulator, all bets are off. It may be that the simulator has just something there that doesn't really exist, just to make it look right (oh dear)

ADDENDUM

As I explained before, the ports you see when you look at the port with the switcport option, you see the internal VLANs.

To be specific (for others who may read this) the command @chrisdale used was something like

leaf1201# show interface po3 switchport 
Name: port-channel3
  Switchport: Enabled
  Switchport Monitor: not-a-span-dest
  Operational Mode: trunk
  Access Mode Vlan: unknown (default)
  Trunking Native Mode VLAN: unknown (default)
  Trunking VLANs Allowed: 2,5-6,17
  FabricPath Topology List Allowed: 0
  Administrative private-vlan primary host-association: none
  Administrative private-vlan secondary host-association: none
  Administrative private-vlan primary mapping: none
  Administrative private-vlan secondary mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none

These are the internal VLAN IDs. To see the VLAN tags that will be sent and accepted on that port, use the command 
show vpc [brief]    !Note - adding the word brief to the show vpc command does NOTHING to change the output

In my example below, I've issued the command from the APIC using the fabric construct to save the boring process of logging into the switch

apic1# fabric 1201 show vpc                                                                                                                                                
----------------------------------------------------------------                                                                                                           
 Node 1201 (Leaf1201)                                                                                                                                                      
----------------------------------------------------------------                                                                                                           
Legend:                                                                                                                                                                    
                (*) - local vPC is down, forwarding via vPC peer-link                                                                                                      
                                                                                                                                                                           
vPC domain id                     : 12                                                                                                                                     
Peer status                       : peer adjacency formed ok                                                                                                               
vPC keep-alive status             : Disabled                                                                                                                               
Configuration consistency status  : success                                                                                                                                
Per-vlan consistency status       : success                                                                                                                                
Type-2 consistency status         : success                                                                                                                                
vPC role                          : primary                                                                                                                                
Number of vPCs configured         : 3                                                                                                                                      
Peer Gateway                      : Disabled                                                                                                                               
Dual-active excluded VLANs        : -                                                                                                                                      
Graceful Consistency Check        : Enabled                                                                                                                                
Auto-recovery status              : Enabled (timeout = 200 seconds)                                                                                                        
Delay-restore status              : Enabled (timeout = 120 seconds)                                                                                                        
Delay-restore SVI status          : Enabled (timeout = 0 seconds)                                                                                                          
Operational Layer3 Peer           : Disabled                                                                                                                               
                                                                                                                                                                           
vPC Peer-link status                                                                                                                                                       
---------------------------------------------------------------------                                                                                                      
id   Port   Status Active vlans                                                                                                                                            
--   ----   ------ --------------------------------------------------                                                                                                      
1           up     -                                                                                                                                                       
                                                                                                                                                                           
vPC status                                                                                                                                                                 
----------------------------------------------------------------------                                                                                                     
id   Port   Status Consistency Reason                     Active vlans                                                                                                     
--   ----   ------ ----------- ------                     ------------                                                                                                     
5    Po3    up     success     success                    1043-1044                                                                                                        

685  Po1    up     success     success                    -                                                                                                                

686  Po4    up     success     success                    1033-1034,1                                                                                                      
                                                          230,1234-12                                                                                                      
                                                          35                 

 Here you can see the actual VLAN IDs that will be used on the port channel.

I hope this helps.

Hi RedNectar,

For clarity, the command I used was on the Apic CLI was:

fabric 101 show interface port-channel 5 switchport

fabric 102 show interface port-channel 5 switchport

I did see trunking vlans allowed differences between the 2 which I found odd.  Hence raising this as a question. Which you have helped to clear this up in pointing out the local differences, which when trying to learn the platform only adds to more confusion.

Regards 

Hi @chrisdale ,

This is another example of the dynamic nature of ACI.  When the port-channel is created, a port-channel number is chosen by each switch. Often it is the same, but often it is different, so a command like

fabric 101 show interface port-channel 5 switchport

is quite likely to refer to a different port-channel than

fabric 102 show interface port-channel 5 switchport

BUT, if you notice the id of the port-channel as shown in my example above (and below in abbreviated form)...

apic1# fabric 1201 show vpc                                                                                                                                                
...<Snip>...                                                                                                                      
vPC status                                                                                                                                                                 
----------------------------------------------------------------------                                                                                                     
id   Port   Status Consistency Reason                     Active vlans                                                                                                     
--   ----   ------ ----------- ------                     ------------                                                                                                     
5    Po3    up     success     success                    1043-1044    

...then you could issue the command (translate numbers for your fabric)

apic1# fabric 1201-1202 show vpc 5

 to see the same VPC on both switches

Hi RedNectar,

Ah yes, apologies I forgot to mention the member interfaces were validated as the same Po across the other switches. 

Yet again, thank you for the accurate guidance and explanations of the platform, this has been extremely invaluable. I have also being reading your blog which helps to iron out vague, or missing definitions in the CP books. 

So a massive heartfelt thanks to yourself and Brian McGahan for helping me overcome the many hurdles and challenges of ACI.

Regards