04-05-2016 12:46 AM - edited 03-01-2019 04:56 AM
Good morning,
I am testing the ACI lab before going into production and I ran into something quite specific:
I have 2 tenants with vlan pools
T1 vlan pool 1800-1899
T2 vlan pool 1-4092
Any interface is configured with local significance vlan, so I expected to be able to use any vlan in any pool on the physical ports, as they would then be mapped to different bridge domains and so different vxlans.
In T1 I connected an External L2 bridge to a N5k running mst. The fabric created a fault, so I am aware I should have an epg for the native vlan for BPDU. So I followed the doc at https://supportforums.cisco.com/document/12268716/spanning-tree-mst-switches-interaction-aci
As the native vlan is 1 on the 5k, I configured the path on the epg with vlan-1, resulting in an invalid vlan config, as vlan-1 is not associated with the l2Ext vlan pool.
The problem comes when I add vlan 1 to the vlan pool of T1: the tenant goes from 99% (everything is at 100% except the native vlan epg) to 0% with no alarm raised.
I removed the vlan 1 from the other tenant vlan pool and all is well again.
Lab kit upgraded to 1.2(2h) apic and 11.2(2h) switches
What could cause this behaviour?
Regards,
04-05-2016 03:03 PM
Hello,
You mentioned the health score is degraded but no alarm is raised. Can you confirm that you don't see any faults under the EPG? You can also see any new faults under the Tenant by selecting the Tenant object for a high-level view and looking at faults there.
Interfaces have VLANs that are locally significant to the leaf, not to the interface itself. That is in Global scope mode. When using per-port (locally significant to the interface) mode, then that is true. Are you using that feature here? It is configured under the interface policy group for the interface(s) under "L2 Interface Policy". It has its own restrictions detailed here.
04-06-2016 12:02 AM
Here are some screenshots:
All tenants ok with vlan 1 only in tenant sandbox

All tenants with vlan 1 removed from sandbox

The tenant goes to 99% as the epg path has a fault with invalid vlan
Static path config:

Tenant view when vlan one is in both vlan pools:

The screenshot is taken after some time, to make sure the fabric had time to raise the fault.
Interface policy config:

Every interface policy is configured with the policy for link local vlan significance.
From the help in the vlan pool module:
"A pool represents a range of traffic encapsulation identifiers (for example, VLAN IDs, VNIDs, and multicast addresses). A pool is a shared resource and can be consumed by multiple domains such as VMM and Layer 4 to Layer 7 services. A leaf switch does not support overlapping VLAN pools. Different overlapping VLAN pools must not be associated with the same AEP. The two types of VLAN-based pools are as follows:"
I confirm that the vlan pools are associated to different domains and AAEP.
So how are we supposed to configure it to allow overlapping vlan pools on the same leafs to use port local scope?
04-06-2016 04:51 PM
What two EPGs do you have VLAN 1 used in on that same leaf? Are they in the same or different bridge domain? Which physical domains are they associated with? Can you please send a screenshot of the fault you see on the leaf? That information will be helpful when troubleshooting.
04-07-2016 12:09 AM
OK, so this is even more weird: it is back at 100% with the path active and vlan 1 in both pools... how peculiar ;-)