L2Out & External Bridge Domain Design

at@ps (Level 1)

Hey Folks,

I need to create an L2Out connection - not an EPG extension - between ACI and an external network. So, I have 10 VLANs identical on both sides, so 10 EPGs, one for each VLAN, in my ACI. I need both sides to reach hosts in their own VLAN only. So, I did create an L2Out successfully by following the steps below:

1. Create an External Bridged Network (L2OUT)

2. Create an External L2OUT EPG

3. Provide the contract at The L2OUT External EPG

4. Consume the contract at the internal EPG side

I'm a little bit confused about the difference between bridge domain, external BD, and Physical Domain.

As I know that each L2out can pass one VLAN - Correct me if I'm wrong.

My question is: "Should I create One External Bridge Domain for each VLAN or one for each VLAN, and WHY?"


Thanks

6 Replies

RedNectar (VIP)

Hi at@ps ,

I have one question


I need to create a L2out connection - not EPG extension - between ACI and external network. 

WHY NOT an EPG Extension?

You could much more easily create 10 Application EPGs and map each one to its own VLAN - and should you ever wish to modify this in the future, you'll have more scope than if you'd used an L2Out.

  I'm a little bit confused about the difference between bridge domain, external BD, and Physical Domain.

This is one of the reasons I don't recommend L2Outs. Forget they exist and you can also forget External BDs exist too.

But a Bridge Domain is the closest thing ACI has to a Broadcast Domain like the traditional VLAN Broadcast Domain, whereas a Physical (or L2 External or L3 External) Domain is a collection of allowed VLAN IDs defined by an associated VLAN Pool.


As I know that each L2out can pass one VLAN - Correct me if I'm wrong.


That is correct, and the main reason L2Outs are so restrictive. Should you want to, say, in the future add a VM dynamically to the same L2EPG - you can't. But if you used a regular Application EPG, you could.


MY question is: "Should I create One External Bridge Domain for each VLAN or one for each VLAN, and WHY?


No. Create one External Domain and one VLAN Pool with all 10 VLANs in that pool.  If you stick with Application EPGs, this can be a Physical Domain, but if you insist on using L2Outs, it will be an External Bridge Domain.

Why? Well, it will save 18 pieces of configuration: 9 x VLAN Pools and 9 x External BDs. Although you could do 1 x VLAN Pool and assign it to each of 10 External BDs.

But either way - why give yourself 10 things to choose from every time you need to link to an External BD when one would do?

I've written about L2Outs before. You may find these old posts useful:

https://community.cisco.com/t5/application-centric-infrastructure/l2-out-in-aci/m-p/3181487/highlight/true#M3504

https://community.cisco.com/t5/application-centric-infrastructure/aci-physical-domain-and-l2out-domain/m-p/4164371/highlight/true#M9286

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
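To make the two designs in this thread concrete (the four-step L2Out procedure in the original question, and the "one VLAN Pool, one Domain, ten EPGs" alternative recommended above), here is an added example that is not code from any post in the thread. It builds the APIC REST (JSON) payloads for both layouts and counts the managed objects each one needs. The class and attribute names (fvnsVlanInstP, physDomP, l2extDomP, fvAEPg, l2extOut and their relation objects) are my reading of the APIC object model, and the tenant, VRF, pool and domain names, the VLAN IDs 10-19 and the leaf port path are all constructed placeholders; check everything against your own APIC version with the API Inspector before posting it to a fabric.

```python
"""Added example (not from the thread): APIC REST payloads for the two designs.
Object class names are assumptions about the APIC model; verify with API Inspector."""
import json

VLANS = list(range(10, 20))                          # constructed: VLAN 10..19, same on both sides
PATH = "topology/pod-1/paths-101/pathep-[eth1/1]"     # assumed trunk port on leaf 101
POOL = "SHARED_POOL"                                  # assumed name of the single VLAN pool
POOL_DN = f"uni/infra/vlanns-[{POOL}]-static"


def vlan_pool(vlans):
    """One static pool whose single encap block spans every VLAN (the 'one pool' advice)."""
    return {"fvnsVlanInstP": {
        "attributes": {"name": POOL, "allocMode": "static"},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{min(vlans)}", "to": f"vlan-{max(vlans)}"}}}]}}


def domain(cls, name):
    """physDomP (used by Application EPGs) or l2extDomP (used by L2Outs).
    Either kind is just a name plus a relation to the VLAN pool."""
    return {cls: {"attributes": {"name": name},
                  "children": [{"infraRsVlanNs": {"attributes": {"tDn": POOL_DN}}}]}}


def bridge_domains(vlans):
    """One regular Bridge Domain per VLAN; the same BDs serve either design."""
    return [{"fvBD": {"attributes": {"name": f"BD_VLAN{v}"},
                      "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF1"}}}]}}
            for v in vlans]


def epg_design(vlans, dom="PHYS_DOM"):
    """Ten Application EPGs, each bound to the BD, the physical domain and a
    static path on the trunk port with its own VLAN encap."""
    epgs = [{"fvAEPg": {"attributes": {"name": f"EPG_VLAN{v}"}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": f"BD_VLAN{v}"}}},
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{dom}"}}},
        {"fvRsPathAtt": {"attributes": {"tDn": PATH, "encap": f"vlan-{v}",
                                        "mode": "regular"}}}]}} for v in vlans]
    return {"fvTenant": {"attributes": {"name": "MIGRATION"}, "children":
            bridge_domains(vlans) + [{"fvAp": {"attributes": {"name": "APP"},
                                               "children": epgs}}]}}


def l2out_design(vlans, dom="L2_DOM"):
    """Steps 1 and 2 of the original question, repeated per VLAN: each L2Out
    carries exactly one encap (the one-VLAN-per-L2Out restriction) and one
    external EPG, on which the contract of steps 3 and 4 would be provided."""
    outs = [{"l2extOut": {"attributes": {"name": f"L2OUT_VLAN{v}"}, "children": [
        {"l2extRsEBd": {"attributes": {"tnFvBDName": f"BD_VLAN{v}", "encap": f"vlan-{v}"}}},
        {"l2extRsL2DomAtt": {"attributes": {"tDn": f"uni/l2dom-{dom}"}}},
        {"l2extLNodeP": {"attributes": {"name": "NODES"}, "children": [
            {"l2extLIfP": {"attributes": {"name": "IFS"}, "children": [
                {"l2extRsPathL2OutAtt": {"attributes": {"tDn": PATH}}}]}}]}},
        {"l2extInstP": {"attributes": {"name": f"EXT_EPG_VLAN{v}"}}}]}} for v in vlans]
    return {"fvTenant": {"attributes": {"name": "MIGRATION"}, "children":
            bridge_domains(vlans) + outs}}


def count_objects(obj):
    """Count managed objects in a payload tree: a rough 'pieces of config' metric."""
    if isinstance(obj, list):
        return sum(count_objects(o) for o in obj)
    (cls, body), = obj.items()          # every payload node is a single-key dict
    return 1 + count_objects(body.get("children", []))


def encaps_per_l2out(tenant):
    """How many encaps each L2Out carries; the model allows only one per L2Out."""
    return [sum(1 for c in o["l2extOut"]["children"] if "l2extRsEBd" in c)
            for o in tenant["fvTenant"]["children"] if "l2extOut" in o]


if __name__ == "__main__":
    infra = [vlan_pool(VLANS), domain("physDomP", "PHYS_DOM"), domain("l2extDomP", "L2_DOM")]
    print(json.dumps(infra, indent=1))
    print("EPG design objects:  ", count_objects(epg_design(VLANS)))
    print("L2Out design objects:", count_objects(l2out_design(VLANS)))
    print("encaps per L2Out:    ", encaps_per_l2out(l2out_design(VLANS)))
```

The infra part (pool and domain) is created once and shared by all ten VLANs in either design, which is the point made above; the difference is entirely inside the tenant, where every L2Out is a self-contained tree carrying one encap, while the EPG design adds a VLAN by adding one more fvAEPg under the same application profile.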

Hey @RedNectar 

Thanks for your comments.

I've been reading your comments in both conversations.

The point you insist on heavily is that L2Out configuration is complicated and a waste of time, unlike EPG extension. Also, in L2Out one VLAN is allowed, where many are allowed in EPG extension.

Based on your comments, I see that what you wish to do with L2out is doable by EPG Extension, but not vice versa!

So, you prefer to go with EPG extension in any scenario.

If so, what is the scenario where L2Out is the ONLY option to serve me? There should be a reason for L2Out existing!?

Hi at@ps ,

You are correct in saying that my objection to L2Outs is that they serve no additional functionality that can't be achieved using a regular Application EPG, and so are a completely unnecessary complication to an already complicated system with a whole lot of confusing names - "External Bridge Domain" being one of the most confusing.

If for some reason you are forced to go with L2Out, then the process you described (steps 1 to 4) sounds reasonable, assuming the service defined in the contract you mentioned in steps 3 & 4 is hosted (provided) on the External EPG and the Application EPG is using (consuming) that service.


RedNectar aka Chris Welsh.

Hey @RedNectar , 

I'm still stuck with this approach; I've been studying the best one to apply in my network.

But an important note: I'm trying to connect 2 ACIs to allow each VLAN to access its hosts in the other ACI.

The scenario will be having a host in OLD_ACI and trying to access its GW in the NEW_ACI.

So, It's a migration scenario.

Can you declare the limitations that I may face if I choose the EPG Extension option? 

As I see, in L2Out there will be a contract to manage the traffic, but in the EPG extension option, there will not be any. You just set up an interface as a trunk - (correct me if I'm wrong).

Hi at@ps ,

With the migration strategy you mention, it would be helpful to know the following:

  1. Is the GW for a host in the OLD_ACI an IP address assigned to a BD/EPG in ACI, or an external device (FW/Rtr)?
  2. Is the GW for the same host in the NEW_ACI going to be an IP address assigned to a BD/EPG in ACI, or an external device (FW/Rtr)?
  3. Is the GW for a host in the NEW_ACI going to have the exact same IP address as in OLD_ACI?
  4. Will the same VLAN ID be used in both OLD_ACI and NEW_ACI for a given host?

Irrespective of the answers, you can potentially use L2Out or EPG Extension, and this will be independent of what is being used now. However, it may not be as simple as "just set up an interface as a trunk", depending on your answers to the above.


RedNectar aka Chris Welsh.

RedNectar (VIP)

Hi at@ps ,

Just cleaning up some old stuff - did you ever sort this out in your mind? Do you have any follow up questions?

RedNectar aka Chris Welsh.
