11-24-2014 06:02 PM - edited 03-01-2019 04:47 AM
I have reviewed the ACI L2 and L3 Connectivity White Paper. Using the instructions, I have successfully integrated a VLAN from the outside into ACI. I used the Extend BD approach. In looking at the instructions, it appears that creating an External Bridge Domain is required for each L2 VLAN from the outside. Is there a way to use the same physical port (VLAN trunk port from downstream switch) to bring multiple VLANs into ACI?
I would like to use only one port for all VLANs to be imported.
Is this possible? If so, what would be the configuration steps?
Thanks,
11-24-2014 06:51 PM
The question that should be asked is what are you trying to accomplish?
1. Either you have external endpoints that need to be members of the same EPG as fabric-hosted endpoints,
or
2. You have external endpoints between which and everything else inside the fabric you need to apply policy.
If this is the first case, what you should be extending is the EPG, not the bridge domain. By extending the Bridge Domain you're essentially mapping all the external traffic for that BD into one VLAN, which will be represented by an External EPG you'd create on the APIC. This is useful in the case where you have all external users coming into the fabric and you want to treat them together, using contracts between external users and internal EPGs.
Ex.
External Users <C> Web_EPG <C> App_EPG <C> DB_EPG
C = Contract
If it's the second case above, and you have endpoints both inside the fabric and external that need to belong to the same EPG and have the same policies applied to endpoints internal or external to ACI, you'll want to extend the EPG as detailed in the first method of the L2/L3 Connectivity guide.
Regards,
Robert
11-25-2014 03:37 AM
Robert, thanks for your response. I would like to have endpoints in two individual, external VLANs (29 and 139) as part of unique EPGs in the Fabric. For example, ext VLAN 29 maps to EPG-29, ext VLAN 139 maps to EPG-139. I can extend the EPG by mapping a path. It appears that I must use a separate physical port (path) for each static VLAN mapping.
Is that correct?
When I create the VLAN pool for the physical domain, I specify 2 blocks, (29 to 29) and (139 to 139). After I map that physical domain to the AEP, I look at the allowed VLANs on the path (using the show vlan extended command), and I only see the first block listed as allowed.
11-25-2014 05:06 AM
Hello
Yes you can use the same Physical port or port channel multiple times when creating unique External Bridge Domains. You will need to create an individual External Bridge Domain for each VLAN you want to bring into the ACI Fabric.
The steps would be to create a new External Bridge Domain/Network and specify a different encapsulation VLAN ID; in your case I believe it would be 139, if you successfully brought in 29. Then specify the same Path, i.e. the same interface used for the last External Bridge Domain created.
One question I have, why did you use a physical domain instead of a Layer 2 Domain?
Please take a look at this video, it might help as well:
https://supportforums.cisco.com/video/12328291/setting-external-bridged-networks
Robert is also correct. From what I understand, you are trying to add two different external VLANs as one Endpoint Group. That makes sense: the BD will have VLANs 29 and 139 from outside and the EPG will reference that BD. That EPG with those two VLANs is now one entity to which policy can be applied. Is that what you are trying to accomplish?
11-25-2014 05:13 AM
Thanks for the quick response. After I submitted the questions, I had the same thought (to create a separate L2 domain for each VLAN). I mapped both domains to the AEP. I mapped the VLAN 29 domain to one EPG, VLAN 139 to the second EPG. Both are working. Thanks!
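The configuration the thread settles on (one trunk port, a separate static VLAN pool and L2 domain per external VLAN, both domains on one AEP, and one EPG per VLAN with a static path binding on the same interface) can be built as an APIC-style JSON payload and sanity-checked before it is pushed. The following is an added example, not code from the original posts or from Cisco; the object class names follow the APIC object model as I understand it (fvnsVlanInstP, l2extDomP, infraAttEntityP, fvAEPg, fvRsPathAtt), and the leaf/port path, tenant and object names are constructed placeholders. The check function catches the two mistakes this thread circles around: two EPGs claiming the same encap on the same port, and an EPG whose encap is not covered by the pool of the domain it is attached to.

```python
"""Build and sanity-check a per-VLAN L2 domain / EPG layout for one trunk port.

Added example; APIC class names are assumed from the object model, and all
names and the fabric path below are constructed placeholders.
"""
import json

# Constructed placeholder: pod 1, leaf 101, interface eth1/1 (replace with the real path).
TRUNK_PATH = "topology/pod-1/paths-101/pathep-[eth1/1]"


def vlan_pool(name, vlan_id):
    """Static VLAN pool holding exactly one VLAN."""
    return {"fvnsVlanInstP": {
        "attributes": {"name": name, "allocMode": "static"},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{vlan_id}", "to": f"vlan-{vlan_id}"}}}]}}


def l2_domain(name, pool_name):
    """Layer 2 domain that references the pool by its DN."""
    return {"l2extDomP": {
        "attributes": {"name": name},
        "children": [{"infraRsVlanNs": {"attributes": {
            "tDn": f"uni/infra/vlanns-[{pool_name}]-static"}}}]}}


def aep(name, domain_names):
    """One AEP bound to every L2 domain, so the trunk port can carry all of them."""
    return {"infraAttEntityP": {
        "attributes": {"name": name},
        "children": [{"infraRsDomP": {"attributes": {"tDn": f"uni/l2dom-{d}"}}}
                     for d in domain_names]}}


def epg(name, bd_name, domain_name, path, vlan_id):
    """EPG with its BD, its domain association and one static path binding."""
    return {"fvAEPg": {
        "attributes": {"name": name},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}},
            {"fvRsDomAtt": {"attributes": {"tDn": f"uni/l2dom-{domain_name}"}}},
            {"fvRsPathAtt": {"attributes": {
                "tDn": path, "encap": f"vlan-{vlan_id}", "mode": "regular"}}}]}}


def build_config(vlan_ids, path=TRUNK_PATH, tenant="Ext", aep_name="AEP-Ext"):
    """Return one polUni payload: a pool, domain, BD and EPG per VLAN, and one AEP."""
    pools, domains, bds, epgs, dom_names = [], [], [], [], []
    for v in vlan_ids:
        pools.append(vlan_pool(f"Pool-{v}", v))
        domains.append(l2_domain(f"L2Dom-{v}", f"Pool-{v}"))
        dom_names.append(f"L2Dom-{v}")
        bds.append({"fvBD": {"attributes": {"name": f"BD-{v}"}}})
        epgs.append(epg(f"EPG-{v}", f"BD-{v}", f"L2Dom-{v}", path, v))
    infra = {"infraInfra": {"attributes": {},
                            "children": pools + [aep(aep_name, dom_names)]}}
    ten = {"fvTenant": {"attributes": {"name": tenant}, "children": bds + [
        {"fvAp": {"attributes": {"name": "AP-Ext"}, "children": epgs}}]}}
    return {"polUni": {"attributes": {}, "children": [infra] + domains + [ten]}}


def _walk(node):
    """Yield (class, attributes, children) for every object in a payload subtree."""
    for cls, body in node.items():
        kids = body.get("children", [])
        yield cls, body.get("attributes", {}), kids
        for k in kids:
            yield from _walk(k)


def _find(children, cls):
    """Attributes of every descendant object of the given class."""
    return [a for k in children for c, a, _ in _walk(k) if c == cls]


def check_config(cfg):
    """List problems: duplicate (path, encap) bindings, and EPG encaps outside their domain's pool."""
    pool_ranges, domain_pool, seen, problems = {}, {}, {}, []
    for cls, a, kids in _walk(cfg):           # first pass: pools and domains
        if cls == "fvnsVlanInstP":
            for blk in _find(kids, "fvnsEncapBlk"):
                lo, hi = int(blk["from"].split("-")[1]), int(blk["to"].split("-")[1])
                pool_ranges.setdefault(a["name"], []).append((lo, hi))
        elif cls == "l2extDomP":
            for rs in _find(kids, "infraRsVlanNs"):
                domain_pool[a["name"]] = rs["tDn"].split("[")[1].split("]")[0]
    for cls, a, kids in _walk(cfg):           # second pass: EPG bindings
        if cls != "fvAEPg":
            continue
        dom = [r["tDn"].split("l2dom-")[1] for r in _find(kids, "fvRsDomAtt")][0]
        for p in _find(kids, "fvRsPathAtt"):
            key = (p["tDn"], p["encap"])
            if key in seen:
                problems.append(f"{a['name']} reuses {p['encap']} on {p['tDn']} "
                                f"(already used by {seen[key]})")
            seen[key] = a["name"]
            vid = int(p["encap"].split("-")[1])
            if not any(lo <= vid <= hi for lo, hi in pool_ranges.get(domain_pool.get(dom), [])):
                problems.append(f"{a['name']}: {p['encap']} is not in the pool of domain {dom}")
    return problems


if __name__ == "__main__":
    cfg = build_config([29, 139])
    print(json.dumps(cfg, indent=1))
    print("problems:", check_config(cfg))
```

Running the module prints the payload for VLANs 29 and 139 and an empty problem list: both EPGs bind the same TRUNK_PATH, each with its own encap and its own domain, which is exactly the "same port, one domain per VLAN" arrangement the last post reports as working. Editing one EPG's encap to collide with the other's makes check_config report both the reused binding and the pool mismatch.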