Clarification on "Unicast Routing" Option in ACI Bridge Domain

willytech007
Level 1

Hi Cisco Community,

I’ve been reviewing the Official Cert Guide (OCG) for ACI and have some questions about the "Unicast Routing" option in Bridge Domains (BDs). Here’s what I’ve understood so far:

  • When "Unicast Routing" is enabled on a BD, the default gateway for the associated subnets resides within the ACI fabric (handled by the Spine/Leaf nodes).

  • When disabled, the default gateway should be external (e.g., on a router, firewall, or L3 switch outside ACI).

Key Questions:

  1. Are there other critical use cases or best practices for enabling/disabling this option?

    • For example:

      • Impact on microsegmentation (EPG contracts).

      • Scenarios where this might affect traffic flows (e.g., asymmetrical routing).

  2. How does this interact with features like:

    • L3Outs?

    • Shared services (e.g., a central firewall)?

    • Multi-pod/fabric designs?

My Observations:

  • Enabling this option seems ideal when ACI is the sole L3 gateway for the subnet.

  • Disabling it makes sense if the gateway lives elsewhere (e.g., legacy networks).

Would appreciate any insights, real-world examples, or documentation references!

Thanks in advance

5 Replies

RedNectar
VIP Alumni

Hi @willytech007 ,

Seems you've nailed it.

If unicast routing is disabled for the BD, then you have an L2 BD. Probably makes sense to have only one EPG and one encapsulation (VLAN) on the BD.

And once unicast routing is disabled for the BD, there's no point in assigning any IP addresses to the BD. Unlike L3 switches, where you can assign an IP to a VLAN and it will respond to a ping (even if it is not a gateway address), ACI never responds to any L3 addresses assigned to a BD in L2 mode (= unicast routing disabled).

Once the unicast routing is enabled, then you need to assign an IP address, just like you would on any router interface that is acting as a gateway. And like any router, you can assign secondary addresses too.  And FWIW, IP addresses assigned to an EPG also live on the BD too. (Unless it is a /32)

apic1# fabric 1202 show ip interface vlan12
----------------------------------------------------------------
 Node 1202 (Leaf1202)
----------------------------------------------------------------
IP Interface Status for VRF "Tenant18:Production_VRF"
vlan12, Interface status: protocol-up/link-up/admin-up, iod: 125, mode: pervasive
  IP address: 10.118.11.1, IP subnet: 10.118.11.0/24             #IP address on BD
  IP address: 10.118.22.1, IP subnet: 10.118.22.0/24 secondary   #IP address on EPG linked to the same BD
  IP address: 10.118.11.2, IP subnet: 10.118.11.0/30 secondary   #IP address on EPG linked to the same BD
  IP broadcast address: 255.255.255.255
  IP primary address route-preference: 0, tag: 0

So if you are using ACI as L2 transport only, or using ACI where everyone uses the BD IPs as default gateway IPs, the world is sweet, life is easy.

But there are no real networks like that!

So what do you do if you want to use a router as a default gateway, or a firewall?

The shortest and simplest answer is to just use ACI as L2 transport, and place the router/firewall interface in the same EPG as the servers.

But if you want to take advantage of ACI, and integrate L3Outs and the like, then PBR probably makes a better option.

With PBR, you set the default gateway IP of the servers to an ACI address (with unicast routing enabled) but then set up PBR to re-route some or all of the traffic to a firewall - you may for instance allow some EPG-to-EPG traffic to be handled by ACI, but send sensitive EPG-to-SecureEPG via a firewall. 

However, setting up PBR is a PIA and an even bigger pain to modify.

So at the end of the day, a fairly common approach is to attach the firewall via an L3Out. EPG-to-EPG traffic is handled by ACI; EPG-to-External is sent to the L3Out, where the firewall handles it.

Now multi-pod designs are a whole new ball game, and getting away from anything to do with unicast routing being enabled or not, so I'll let someone else tackle that part of your question! (= cop out, but my dinner is ready)


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi sir

Can you show me the Bridge Domain config in the GUI? I would like to compare with the GUI because I only have access to the free sandbox lab, not the CLI.

Another thing to mention: when you say attach the firewall via an L3Out, it is routing, but the GW is the ACI. The book speaks about two methods, Extend EPG and Extend Bridge Domain, to reach a GW outside the fabric; my question is why do you mention another way?

Maybe in real life it is more complicated?

Thanks in advance


Hi @willytech007 ,


Can you show me the Bridge Domain config in the GUI? I would like to compare with the GUI because I only have access to the free sandbox lab, not the CLI.

Here's a screenshot of my BD config (I don't have access to my lab ATM, so this is taken from the sandbox - it is exactly the same). Although I'm not sure it will help much.

[Two screenshots of the Bridge Domain configuration in the APIC GUI; images not reproduced]


Another thing to mention: when you say attach the firewall via an L3Out, it is routing, but the GW is the ACI. The book speaks about two methods, Extend EPG and Extend Bridge Domain, to reach a GW outside the fabric,

The book is correct but misleading. The methods Extend EPG and Extend BD refer to how you can connect existing segments.

If I had written that book, I would have told you about the Extend EPG method and simply ignored the Extend BD method. The most significant contribution that the Extend BD method has made to ACI is to totally confuse people like me and you. My advice is to forget that such a method exists, completely avoid using L2Outs and completely avoid using External Bridge Domains.

Let me explain it with an analogy

Imagine you are trying to drive from city A to city B. You have two options, the six lane freeway and a two lane backroad. Either path will get you from city A to city B. In an ACI environment, the Extend EPG method is the six lane freeway and the Extend BD method is the two lane backroad. This is because the Extend EPG method allows multiple VLANs to be mapped to a single Application EPG, even if you start with only one, while the Extend BD method allows only one now and forever.

But as far as connecting an external router or gateway by either Extend EPG or Extend BD methods, you have to keep in mind what the default gateway of the devices in the Application EPG (i.e. the extended EPG) or the L2EPG (i.e. the extended BD) will be.  If the gateway address is going to be that external router or firewall, then you need to configure your  BD without an IP address and with Unicast routing turned off.

my question is why do you mention another way?

If you embrace ACI concepts, you won't do as I just described. Instead, you'll configure the default gateway IP of the devices on the BD, and then connect the router/firewall via a L3 Out

Maybe in real life it is more complicated?

You are correct


julian.bendix
Level 4

In very simple words: you can see your ACI Fabric as a huge L2/L3 switch. Enabling Unicast Routing should only be done if an IP is associated with the BD, which would be the equivalent of creating an SVI on your regular L3 switch.

BR
Jules

Yes sir, that part is clear for me
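A practitioner's check for the rule stated in RedNectar's first reply (no point assigning IPs to a BD with unicast routing disabled) and in julian.bendix's reply (only enable Unicast Routing when an IP is associated with the BD), as an added example that is not part of the thread and not Cisco's code: a Python script that audits every bridge domain in an APIC JSON export and flags the two mismatches, plus a subnet whose "gateway" is really a network address. The query path and the fvBD / fvSubnet / fvRsCtx class and attribute names are the real APIC object model; the tenant, BD names and addresses in the embedded payload are constructed for the example, and the svi_addresses helper simply encodes what RedNectar's reply says about EPG subnets appearing as secondaries on the BD SVI (except /32).

```python
"""Audit ACI bridge domains for Unicast Routing vs. subnet mismatches.

Input is the JSON shape APIC returns for
  GET /api/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvSubnet,fvRsCtx
Rules applied (taken from the replies in the thread above):
  * routing off + subnet present -> the fabric never answers on it: dead config
  * routing on  + no subnet      -> no SVI, so nothing in the fabric is a gateway
  * a subnet IP must be a host address inside its prefix (a gateway, not a network address)
"""
import ipaddress
import json

# Constructed sample payload: tenant, BD names and addresses are invented.
# The object and attribute names are APIC's own.
SAMPLE_BD_JSON = json.dumps({
    "totalCount": "4",
    "imdata": [
        {"fvBD": {"attributes": {"dn": "uni/tn-Tenant18/BD-Web_BD", "name": "Web_BD",
                                 "unicastRoute": "yes", "arpFlood": "no"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "Production_VRF"}}},
                      {"fvSubnet": {"attributes": {"ip": "10.118.11.1/24", "scope": "private"}}}]}},
        {"fvBD": {"attributes": {"dn": "uni/tn-Tenant18/BD-Legacy_BD", "name": "Legacy_BD",
                                 "unicastRoute": "no", "arpFlood": "yes"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "Production_VRF"}}},
                      {"fvSubnet": {"attributes": {"ip": "10.118.33.1/24", "scope": "private"}}}]}},
        {"fvBD": {"attributes": {"dn": "uni/tn-Tenant18/BD-Empty_BD", "name": "Empty_BD",
                                 "unicastRoute": "yes", "arpFlood": "no"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "Production_VRF"}}}]}},
        {"fvBD": {"attributes": {"dn": "uni/tn-Tenant18/BD-Bad_BD", "name": "Bad_BD",
                                 "unicastRoute": "yes", "arpFlood": "no"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "Production_VRF"}}},
                      {"fvSubnet": {"attributes": {"ip": "10.118.44.0/24", "scope": "private"}}}]}},
    ]})


def parse_bds(payload):
    """Flatten APIC fvBD objects (with fvSubnet/fvRsCtx children) into plain dicts."""
    bds = []
    for item in json.loads(payload)["imdata"]:
        bd = item["fvBD"]
        attrs = bd["attributes"]
        vrf, subnets = None, []
        for child in bd.get("children", []):
            if "fvRsCtx" in child:
                vrf = child["fvRsCtx"]["attributes"]["tnFvCtxName"]
            elif "fvSubnet" in child:
                subnets.append(child["fvSubnet"]["attributes"]["ip"])
        bds.append({"name": attrs["name"], "dn": attrs["dn"], "vrf": vrf,
                    "unicast_routing": attrs["unicastRoute"] == "yes",
                    "arp_flood": attrs.get("arpFlood") == "yes", "subnets": subnets})
    return bds


def is_gateway_address(cidr):
    """True if cidr is a usable host address inside its own prefix (what a BD gateway must be)."""
    try:
        iface = ipaddress.ip_interface(cidr)
    except ValueError:
        return False
    net = iface.network
    if net.prefixlen >= net.max_prefixlen - 1:   # /31 and /32 have no reserved addresses
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def audit_bd(bd):
    """Return (status, reason) for one BD; status is "OK" or "WARN"."""
    routed, subnets = bd["unicast_routing"], bd["subnets"]
    if not routed and not subnets:
        return "OK", "L2 BD: default gateway lives outside the fabric"
    if routed and not subnets:
        return "WARN", "unicast routing enabled but no subnet: no SVI, nothing here is a gateway"
    if not routed:
        return "WARN", ("unicast routing disabled but subnet(s) %s configured: the fabric will "
                        "never answer on them; delete them or enable routing" % ", ".join(subnets))
    bad = [s for s in subnets if not is_gateway_address(s)]
    if bad:
        return "WARN", "subnet(s) %s are not host addresses inside their prefix" % ", ".join(bad)
    return "OK", "L3 BD: fabric is the gateway for %s" % ", ".join(subnets)


def audit(payload):
    """Map BD name -> (status, reason) for every BD in an APIC fvBD query result."""
    return {bd["name"]: audit_bd(bd) for bd in parse_bds(payload)}


def svi_addresses(bd_subnets, epg_subnets):
    """Addresses the leaf SVI carries, per RedNectar's reply: first BD subnet is primary,
    further BD subnets and EPG subnets are secondaries, except EPG /32 entries."""
    primary, secondaries = bd_subnets[0], list(bd_subnets[1:])
    for cidr in epg_subnets:
        if ipaddress.ip_interface(cidr).network.prefixlen != 32:
            secondaries.append(cidr)
    return primary, secondaries


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_BD_JSON).items():
        print("%-4s %s: %s" % (status, name, reason))
```

Against a live fabric, replace SAMPLE_BD_JSON with the body of the fvBD query above (authenticated with an APIC session cookie); the WARN lines are the BDs where the gateway is not where the tenant thinks it is.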
