
Extend EPG using static path binding

Thushan Pramod
Level 1

Hi All,

I have an urgent requirement, please assist me to figure out a way.

In ACI I have configured 5 EPGs in 5 BDs respectively in a single tenant / single VRF. In those EPGs VLANs may be reused as well. Is it possible to extend the traffic to an external firewall in this scenario since the default GW is defined externally? If so, what is the appropriate method? Please assist, I am a bit confused on this ACI concept.

Accepted Solution

micgarc2
Cisco Employee
Hello Thushan,
Just to touch on Chris's point: It seems in your case you are going to use ACI as a purely L2 fabric. Therefore, unicast routing will be disabled on all 5 BDs. Unicast routing is only enabled when you want to do IP learning and you want the fabric to perform routing. In your case you would also enable ARP flooding. By default in ACI we do not enable ARP flooding. We rely on the hardware to directly forward the packet to the correct endpoint. We essentially turn broadcast traffic into unicast traffic and send it to the correct leaf switch. Enabling ARP flooding allows the CPU on the leaf to receive any ARP/GARP packet. If traditional ARP flooding is desired, this needs to be enabled.
Another important thing to note is whether these reused VLANs (in different EPGs) will be configured on the same leaf node. ACI does not allow you to deploy the same VLAN on the same leaf. Also, if an EPG has ports deployed as untagged, you cannot deploy that EPG as tagged on other ports of the same switch.
If your environment requires you to use the same VLAN on the same switch in different EPGs, you have to configure the per-port VLAN feature. An example of this would be:
EPG1 traffic comes in on leaf101 on port 1/1 tagged with VLAN 10, but VLAN 10 is also used on leaf101 port 1/2 to identify EPG2 traffic.

To work around the tagged/untagged issue you can change the untagged ports to 802.1p mode. This will allow this scenario to work, and the packets will just be tagged as VLAN zero.

Hope this clears things up!

Regards,
Michael G.
Thank you for participating in the Cisco Support Forum for ACI! If you have other questions related to this post, please let us know. If this response answers your questions, please mark this post "answered" and assign a rating to the response(s) provided. This will help notify other viewers that your question(s) is answered and this helps us provide better responses for this and future questions.


2 Replies

RedNectar
VIP

Hi Thushan Pramod,

Is it possible to extend the traffic to external firewall in this scenario since the default GW is defined externally?

Yes

If so what is the appropriate method?

The simple approach

  1. Disable IP routing in each BD, or
    1. make sure the BD's IP address is different from the host's DG address; and
    2. enable ARP flooding for the BD
  2. Statically map each interface (or subinterface/SVI interface) on the firewall to the appropriate EPG. In other words, the firewall interfaces just become additional EPs in each EPG

This approach is quick, but doesn't make use of any of the ACI advanced features.

Another approach would be to create additional bridge domains and use ACI's PBR to redirect just the traffic you want to go to the firewall, but it involves considerably more configuration.

See http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver201/b_L4L7_Deploy_ver201_chapter_01001.html

Also http://d2zmdbbm9feqrf.cloudfront.net/2017/anz/pdf/BRKACI-2016.pdf (Cisco Live login required)

Regarding:

In those EPGs vlans may be reused as well.

Remember that a VLAN in ACI is nothing like a VLAN in the traditional world.  In ACI:

  • the role of broadcast domain has been replaced by a slightly different Bridge Domain, but for a simple explanation, think of a Bridge Domain as the new broadcast domain.
  • VLAN tags are now used to identify which EPG a packet belongs to. So long as you map existing VLAN tags to the correct EPGs, you should be good, even if that EPG uses other VLAN IDs for other devices.

RedNectar

aka Chris Welsh


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
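Added example, not from either reply: it builds the APIC REST objects for Chris's "simple approach" (fvBD with unicast routing off and ARP flooding on, the firewall sub-interface statically bound into each EPG via fvRsPathAtt) and runs a pre-flight check for the two leaf-level limits Michael describes (same VLAN in two EPGs on one leaf; one EPG mixing untagged and tagged ports on one leaf). Tenant, BD, EPG names, leaf IDs, ports and VLAN numbers are assumed.

```python
import re
from collections import defaultdict

# Constructed sample values; the firewall uplink path and names are assumptions.
FW_LEAF_PORT = "topology/pod-1/paths-101/pathep-[eth1/1]"

def bd_l2_only(name):
    """fvBD for an L2-only fabric: unicast routing off, ARP flooding on,
    so the default gateway on the external firewall keeps doing the routing."""
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": "no",
                                    "arpFlood": "yes"}}}

def epg_with_binding(name, bd, vlan, path, mode="regular"):
    """fvAEPg tied to its BD; fvRsPathAtt statically maps the firewall
    (sub)interface into the EPG. mode: regular=tagged, untagged, native=802.1p."""
    return {"fvAEPg": {"attributes": {"name": name}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
        {"fvRsPathAtt": {"attributes": {"tDn": path, "encap": f"vlan-{vlan}",
                                        "mode": mode}}}]}}

def tenant_payload(tenant, ap, specs):
    """POST body for uni/tn-<tenant>: one BD and one EPG per spec dict."""
    bds = [bd_l2_only(s["bd"]) for s in specs]
    epgs = [epg_with_binding(s["epg"], s["bd"], s["vlan"], s["path"],
                             s.get("mode", "regular")) for s in specs]
    return {"fvTenant": {"attributes": {"name": tenant}, "children": bds + [
        {"fvAp": {"attributes": {"name": ap}, "children": epgs}}]}}

def binding_conflicts(specs):
    """Pre-flight check of static path bindings. Returns a list of findings:
    a VLAN encap reused by two EPGs on the same leaf (needs per-port VLAN
    scope), or one EPG with both untagged and tagged ports on one leaf."""
    leaf_of = lambda p: re.search(r"paths-(\d+)", p).group(1)
    vlan_users, epg_modes = defaultdict(set), defaultdict(set)
    for s in specs:
        leaf = leaf_of(s["path"])
        vlan_users[(leaf, s["vlan"])].add(s["epg"])
        epg_modes[(leaf, s["epg"])].add(s.get("mode", "regular"))
    findings = []
    for (leaf, vlan), epgs in vlan_users.items():
        if len(epgs) > 1:
            findings.append(f"leaf {leaf}: vlan {vlan} reused by {sorted(epgs)}; "
                            "needs per-port VLAN scope")
    for (leaf, epg), modes in epg_modes.items():
        if "untagged" in modes and "regular" in modes:
            findings.append(f"leaf {leaf}: EPG {epg} mixes untagged and tagged "
                            "ports; use native (802.1p) instead of untagged")
    return findings
```

Run `binding_conflicts` over the planned bindings before posting `tenant_payload` to the APIC; an empty list means neither leaf-level limit is hit.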

