10-15-2022 09:51 AM - edited 10-15-2022 01:53 PM
Hi. In ACI, a Bridge Domain (BD) must be linked to a VRF and must have at least one subnet with it. So can we say that in ACI a Bridge Domain (BD) must be linked to a VRF, and a BD could have more than two subnets with it? Thanks
10-16-2022 06:09 AM
That is correct. You may have more than one network in a BD, and every BD has to be associated with a VRF.
10-16-2022 03:32 PM - edited 10-17-2022 03:25 PM
Hi @interfacedy,
Here's a picture:
Because some of the Endpoints have duplicated IP addresses, I'll refer to them as EP1, EP2 etc.
Firstly, note EP1 and EP2. They are mapped to EPG1 (which is largely irrelevant in this case), which is linked to Bridge Domain BD1.
Next, look at EP3 and EP4. They are both mapped to EPG2, which is linked to Bridge Domain BD2, which has been assigned two IP addresses that serve as the default gateway IP addresses for EP3 and EP4 respectively.
Now take a look at EP5 and EP6. They are each mapped to different EPGs, and even though both EPGs (EPG3 and EPG4) are linked to Bridge Domain BD3 and both endpoints share the same default gateway, they will NOT be able to communicate in ACI without a contract.
The last two endpoints, EP7 and EP8, are mapped to the same EPG - EPG5, which in turn is linked to Bridge Domain BD4, but BD4 has NO IP addresses. Instead, the IP addresses that serve as the default gateway IPs have been assigned to EPG5.
Finally, look at the Application Profiles.
Application Profiles serve virtually NO function in ACI except:
So to wrap up your questions:
Hi. In ACI, a Bridge Domain (BD) must be linked to a VRF
No. A BD does NOT have to be linked to a VRF in the SPECIAL case of it being a L2 ONLY Bridge Domain
and must have at least one subnet with it.
Usually true, but again, not true in the SPECIAL case of it being a L2 ONLY Bridge Domain, AND not true if a subnet has been assigned to an EPG that is linked to that BD - although in this case the BD essentially "inherits" the subnet from the EPG anyway.
so can we say in ACI, Bridge domain(BD) must be linked to VRF,
...except in the SPECIAL case of it being a L2 ONLY Bridge Domain
and a BD could have more than two subnets with it?
Correct. A BD can have many subnets.
10-16-2022 11:28 PM
Hi Chris,
Thank you for supplementing my answer with an elaborate explanation. In relation to an L2 BD, it must be attached to a VRF when a network in an EPG has to be added to a VRF. So in summary, don't attach a BD to a VRF if there is no requirement to deploy a subnet, and check "Unicast routing" when you would like to deploy a BD network in a VRF.
Hope this helps!
10-18-2022 07:16 AM - edited 10-18-2022 07:32 AM
@RedNectar Thanks. Very good explanation.
Here is a question. We think VRF1 has only one subnet, but now BD2 has two subnets. How does it work?
10-18-2022 02:53 PM
Hi @interfacedy,
Let me repeat my diagram for ease of reference:
Consider the following config on a Catalyst switch (I hope you are familiar with Cisco style config)
interface vlan100
ip address 20.20.20.1 255.255.255.0
ip address 22.22.22.1 255.255.255.0 secondary
Here an SVI (Switched Virtual Interface) has been allocated two IP addresses.
In ACI, Bridge domains are allocated IP addresses rather than the switch - BUT the IP addresses ARE PUSHED to the switches when (and ONLY when) needed.
So in ACI, the running config for BD2 in my diagram above would look like:
interface bridge-domain BD2
ip address 20.20.20.1/24 secondary
ip address 22.22.22.1/24 secondary
OR (if the [x] Make Primary option was chosen for the 20.20.20.1/24 address)
interface bridge-domain BD2
ip address 20.20.20.1/24
ip address 22.22.22.1/24 secondary
Remember, these addresses are configured on the APIC, and pushed TO EVERY LEAF that has an endpoint in EPG2 (from my diagram) - so multiple leaves may end up with the SAME IP addresses - but this is not a problem in ACI, it is called a Common Pervasive Gateway Address.
Does this answer your question?
10-20-2022 10:24 PM
Hi @interfacedy,
Have all your questions been answered?
If so, it is a great idea to mark the question as being answered. This helps:
10-21-2022 06:47 PM
Thank you, RedNectar
10-22-2022 07:28 AM - edited 10-22-2022 01:55 PM
Thanks for your very nice explanation.
In your diagram above, the gateways for PE2 and PE3 are 20.20.20.1 and 22.22.22.1 respectively. So when PE2 pings PE3, do you think the traffic will go through VRF1? If not, how do they both see each other?
10-22-2022 08:26 PM
Hi @interfacedy,
Again - let's bring the picture in.
In your diagram above, the gateways for PE2 and PE3 are 20.20.20.1 and 22.22.22.1 respectively. So when PE2 pings PE3, do you think the traffic will go through VRF1? If not, how do they both see each other?
OK - Firstly, let me rewrite your question the way I THINK you meant it:
the gateways for EP3 and EP4 are 20.20.20.1 and 22.22.22.1 respectively. So when EP3 pings EP4, do you think the traffic will go through VRF1? If not, how do they both see each other?
And the answer is YES - the trick with ACI is to understand that those IP addresses (20.20.20.1 and 22.22.22.1) will exist on each switch within VRF1 of every leaf that has an endpoint attached to EPG2.
So when EP3 pings EP4, it will send an IP ICMP packet to the MAC address of 20.20.20.1 (i.e. its default gw). The leaf that EP3 is attached to will ROUTE the packet to the 22.22.22.0/24 subnet, then that same leaf will look to see if it knows the MAC address of EP4 - if so it will:
10-24-2022 08:56 AM - edited 10-24-2022 09:03 AM
@RedNectar Thanks. During the process, what is the function of VRF1? I guess its function is related to routing to outside, but each VRF has its own IP address, so what IP address could VRF1 be? Or what subnet address could VRF1 be? The reason I ask the question is that there are two BDs under VRF1. The two BDs have their own IP addresses.
10-24-2022 11:58 AM
Hi @interfacedy,
during the process, what is the function of VRF1?
I used two VRFs - VRF1 and VRF2 just to show that it is possible to use more than one VRF, just like a regular (modern) router. But just like a router, endpoints connected to one VRF can't communicate with endpoints in another VRF unless you set up route leaking between the VRFs - in my example this would not work anyway because (to show the isolation of the VRFs) I have used subnet 20.20.20.0/24 in BOTH VRFs.
So the function of VRF1 is to allow routing between the 20.20.20.0/24 and 22.22.22.0/24 subnets for EP3 and EP4.
I guess its function is related to routing to outside.
No - routing to outside (in ACI) requires a L3Out - that's a whole new topic.
but each VRF has its own IP address,
Not really - there are NO IP addresses assigned to VRFs. VRFs are logical functions that allow the routing of packets between subnets.
so what IP address could VRF1 be?
As I said, IP addresses are NOT assigned to VRFs. ROUTES are found in VRFs, and VRFs live on leaves. The APIC pushes those routes to a leaf whenever that leaf is assigned an endpoint for an EPG that is linked to the BD that is linked to the VRF
So if EP3 was attached to Leaf2201, I'd expect the following output from a show ip route command:
apic1# fabric 2201 show ip route vrf Tenant1:VRF1
IP Route Table for VRF "Tenant1:VRF1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF

20.20.20.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 10.2.24.64%overlay-1, [1/0], 3d10h, static, tag 4294967294
20.20.20.1/32, ubest/mbest: 1/0, attached, pervasive
    *via 20.20.20.1, vlan15, [0/0], 3d10h, local, local
22.22.22.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 10.2.24.64%overlay-1, [1/0], 3d10h, static
22.22.22.1/32, ubest/mbest: 1/0, attached, pervasive
    *via 22.22.22.1, vlan13, [0/0], 3d10h, local, local
or what subnet address could VRF1 be?
See above.
The reason I ask the question is that there are two BDs under VRF1. The two BDs have their own IP addresses.
There is only ONE BD under VRF1, but it does have two IP addresses.
10-25-2022 12:04 AM
It is not mandatory in ACI to attach a BD to a VRF until you need the "Routing" feature of IRB to be used. Besides this, the BD-to-VRF association also allows you to set the "Policy Control Enforcement Preference" to "Unenforced". Hope you know that if the Policy Control Enforcement Preference is set to "Unenforced" then you are saved from using a contract to establish communication between endpoints in different EPGs as well.
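The BD/VRF/subnet relationships discussed in this thread (a BD with two subnets, an L2-only BD with no VRF, and the "Unenforced" VRF setting mentioned just above) can be checked against the APIC object model. The script below is an added example, not from any poster in this thread; it parses a constructed sample of the JSON the APIC returns for the fvBD, fvRsCtx, fvSubnet and fvCtx classes (the class and attribute names are the APIC's own; the tenant, BD and VRF names in the sample are made up to match the diagram) and flags routed BDs with no VRF or subnet, multi-subnet BDs with no primary, and VRFs where contracts are not enforced.

```python
import json

# Constructed sample, trimmed to the attributes used here, of what the APIC returns for
# GET /api/node/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvRsCtx,fvSubnet
# and GET /api/node/class/fvCtx.json
SAMPLE_BDS = json.loads("""{"imdata": [
 {"fvBD": {"attributes": {"dn": "uni/tn-Tenant1/BD-BD2", "unicastRoute": "yes"},
  "children": [
   {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF1"}}},
   {"fvSubnet": {"attributes": {"ip": "20.20.20.1/24", "preferred": "yes"}}},
   {"fvSubnet": {"attributes": {"ip": "22.22.22.1/24", "preferred": "no"}}}]}},
 {"fvBD": {"attributes": {"dn": "uni/tn-Tenant1/BD-BD4", "unicastRoute": "no"},
  "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": ""}}}]}},
 {"fvBD": {"attributes": {"dn": "uni/tn-Tenant1/BD-BD9", "unicastRoute": "yes"},
  "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": ""}}}]}}]}""")
SAMPLE_VRFS = json.loads("""{"imdata": [
 {"fvCtx": {"attributes": {"dn": "uni/tn-Tenant1/ctx-VRF1", "pcEnfPref": "enforced"}}},
 {"fvCtx": {"attributes": {"dn": "uni/tn-Tenant1/ctx-VRF2", "pcEnfPref": "unenforced"}}}]}""")


def audit_bds(bd_json):
    """Return one finding per BD: bound VRF, subnets, whether it is L2-only, and issues."""
    findings = []
    for obj in bd_json["imdata"]:
        attrs = obj["fvBD"]["attributes"]
        children = obj["fvBD"].get("children", [])
        # fvRsCtx is always present; an empty tnFvCtxName means no VRF is bound
        vrf = next((c["fvRsCtx"]["attributes"]["tnFvCtxName"]
                    for c in children if "fvRsCtx" in c), "")
        subnets = [c["fvSubnet"]["attributes"] for c in children if "fvSubnet" in c]
        routed = attrs["unicastRoute"] == "yes"   # "no" is the L2-only case
        issues = []
        if routed and not vrf:
            issues.append("unicast routing enabled but no VRF bound")
        if routed and not subnets:
            issues.append("unicast routing enabled but no BD subnet (check EPG subnets)")
        if len(subnets) > 1 and not any(s["preferred"] == "yes" for s in subnets):
            issues.append("several subnets but none marked primary (preferred)")
        findings.append({"bd": attrs["dn"], "l2_only": not routed, "vrf": vrf,
                         "subnets": [s["ip"] for s in subnets], "issues": issues})
    return findings


def unenforced_vrfs(vrf_json):
    """VRFs with policy control enforcement off: contracts are not applied inside them."""
    return [v["fvCtx"]["attributes"]["dn"] for v in vrf_json["imdata"]
            if v["fvCtx"]["attributes"]["pcEnfPref"] == "unenforced"]


if __name__ == "__main__":
    for f in audit_bds(SAMPLE_BDS):
        print(f)
    print("unenforced VRFs:", unenforced_vrfs(SAMPLE_VRFS))
```

Against a live fabric, replace the two samples with the responses of the two GET requests named in the comments (after the usual aaaLogin), keeping the query options so the subnets and VRF relation are returned as children.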