Solved: EPG _different hosts in same VLAN/Subnet_Cisco ACI/APIC

NDP · ‎05-25-2017

Network :- 10.0.10.0/24

EPG App:- 10.0.10.100

EPG WEB:- 10.0.10.150

EPG DB:- 10.0.10.200

VLAN :- 100

with the above information, Can we map given IPs to required EPGs with Static port mapping( ENCAP-VLAN ID)

Thank you in advance

Jason Williams · ‎05-26-2017

Durga,

Where will the default gateway for these EPGs reside? (On the fabric or outside of the fabric)

Considering all 3 share the same subnet, you may want keep them in the same L2 / flood domain (Bridge domain). If this is the case, then you would not be able to use the same VLAN. The VLAN maps to an EPG source class (identifier used to apply policy).

You could try this:

EPG App -> VLAN 100 -> BD-1

EPG Web -> VLAN 200 -> BD-1

EPG DB -> VLAN 300 -> BD-1

The option above would permit ACI to be the gateway for all EPGs since they map to the same bridge domain.

Another option is to use per-port VLAN which does allow the encap VLAN IDs to be re-used for different EPGs. The requirements for re-using VLAN IDs are:

1. For each VLAN which is re-used, it must be re-used on a different port of the switch

2. Each EPG must be in a different bridge domain

EPG App -> VLAN 100 -> Leaf 101 Eth1/1 -> BD-1

EPG Web -> VLAN 100 -> Leaf 101 Eth1/2 -> BD-2

EPG DB -> VLAN 100 -> Leaf 101 Eth1/3 -> BD-3

Jason

View solution in original post

Jason Williams · ‎05-26-2017

Durga,

Where will the default gateway for these EPGs reside? (On the fabric or outside of the fabric)

Considering all 3 share the same subnet, you may want keep them in the same L2 / flood domain (Bridge domain). If this is the case, then you would not be able to use the same VLAN. The VLAN maps to an EPG source class (identifier used to apply policy).

You could try this:

EPG App -> VLAN 100 -> BD-1

EPG Web -> VLAN 200 -> BD-1

EPG DB -> VLAN 300 -> BD-1

The option above would permit ACI to be the gateway for all EPGs since they map to the same bridge domain.

Another option is to use per-port VLAN which does allow the encap VLAN IDs to be re-used for different EPGs. The requirements for re-using VLAN IDs are:

1. For each VLAN which is re-used, it must be re-used on a different port of the switch

2. Each EPG must be in a different bridge domain

EPG App -> VLAN 100 -> Leaf 101 Eth1/1 -> BD-1

EPG Web -> VLAN 100 -> Leaf 101 Eth1/2 -> BD-2

EPG DB -> VLAN 100 -> Leaf 101 Eth1/3 -> BD-3

Jason

M@xim0 · ‎12-14-2018

Dear Jason,

I tried to configure your second option: same vlan, on same Leaf, on different port and different BD, but ACI don't accept the same vlan. It works only if i use another Leaf.

Do you think I miss something or am I right?

Max

M@xim0 · ‎12-14-2018

Dear Jason,

I tried to configure your second option: same vlan, on same Leaf, on different port and different BD, but ACI don't accept the same vlan. It works only if i use another Leaf.

Do you think I miss something or am I right?

Max

Robert Burns · ‎05-26-2017

You can do IP-based EPG classification on physical endpoints, but it does require "E/EX" series Leaf switches and they endpoints would need to be in different subnets. If all your endpoints are in the same 10.0.10.0/24 subnet, this will not work. Classification into uSeg EPGs based on IPs require the traffic to be routed by the ALE ASIC.

You would have to chop up your /24 into a /26 and ensure each web/app/db endpoint is assigned to a different subnet.

This also would require the GW to exist in the fabric.

Its far easier to classify based on the VLAN as Jason detailed, if you can migrate to a proper VLAN design for your hosts.

Robert

NDP · ‎06-05-2017

The requirement was to seperate Endpoints in same subnets connected to same leaf port. I checked all possibilities and found that It's not possible. You are correct, We should try IP based endpoints segregation.

Thank you :-)