L2Out & External Bridge Domain Design

at@ps
Level 1

Hey Folks,

I need to create an L2out connection - not EPG extension - between ACI and an external network. So, I have 10 VLANs identical on both sides, so 10 EPGs for each VLAN in my ACI. I need both sides to reach hosts in their VLAN only. So, I created an L2out successfully by following the steps below:

1. Create an External Bridged Network (L2OUT)

2. Create an External L2OUT EPG

3. Provide the contract at The L2OUT External EPG

4. Consume the contract at the internal EPG side

I'm a little bit confused about the difference between bridge domain, external BD, and Physical Domain.

As I know that each L2out can pass one VLAN - Correct me if I'm wrong.

My question is: "Should I create one External Bridge Domain for each VLAN or one for each VLAN, and why?"


Thanks

3 Replies

RedNectar
VIP

Hi at@ps ,

I have one question


I need to create a L2out connection - not EPG extension - between ACI and external network. 

WHY NOT an EPG Extension?

You could much more easily create 10 Application EPGs and map each one to its own VLAN - and should you ever wish to modify this in the future, you'll have more scope than if you'd used an L2Out.

I'm a little bit confused about the difference between bridge domain, external BD, and Physical Domain.

This is one of the reasons I don't recommend L2Outs. Forget they exist and you can also forget External BDs exist too.

But a Bridge Domain is the closest thing ACI has to a Broadcast Domain like the traditional VLAN Broadcast Domain, whereas a Physical (or L2 External or L3 External) Domain is a collection of allowed VLAN IDs defined by an associated VLAN Pool.


As I know that each L2out can pass one VLAN - Correct me if I'm wrong.


That is correct, and the main reason L2Outs are so restrictive. Should you want to, say, in the future add a VM dynamically to the same L2EPG - you can't. But if you used a regular Application EPG, you could.


My question is: "Should I create one External Bridge Domain for each VLAN or one for each VLAN, and why?"


No. Create one External Domain and one VLAN Pool with all 10 VLANs in that pool. If you stick with Application EPGs, this can be a Physical Domain, but if you insist on using L2Outs, it will be an External Bridge Domain.

Why? Well, it will save 18 pieces of configuration: 9 x VLAN Pools and 9 x External BDs. Although you could do 1 x VLAN Pool and assign it to each of 10 External BDs.

But either way - why give yourself 10 things to choose from every time you need to link to an External BD when one would do?

I've written about L2Outs before. You may find these old posts useful:

https://community.cisco.com/t5/application-centric-infrastructure/l2-out-in-aci/m-p/3181487/highlight/true#M3504

https://community.cisco.com/t5/application-centric-infrastructure/aci-physical-domain-and-l2out-domain/m-p/4164371/highlight/true#M9286

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
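As an added illustration (not code from this thread or from Cisco), the "one VLAN pool, one domain" design recommended in the reply above, expressed as the APIC JSON managed objects an engineer would POST, beside the per-VLAN alternative the question asked about, so the 18-object difference can be checked. The class names (fvnsVlanInstP, fvnsEncapBlk, l2extDomP, physDomP, infraRsVlanNs) are standard APIC object-model classes; the names EXT_VLANS/EXT_DOM and the VLAN range 101-110 are constructed for the example.

```python
"""Compare the recommended design (ONE static VLAN pool holding all VLANs,
ONE domain referencing it) with the per-VLAN alternative, as APIC JSON MOs.
Pool/domain names and the VLAN range are constructed for this example."""

def vlan_pool(name, first, last):
    """Static VLAN pool with a single contiguous encap block first..last."""
    if not 1 <= first <= last <= 4094:
        raise ValueError("VLAN IDs must satisfy 1 <= first <= last <= 4094")
    return {"fvnsVlanInstP": {
        "attributes": {"dn": f"uni/infra/vlanns-[{name}]-static",
                       "name": name, "allocMode": "static"},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{first}", "to": f"vlan-{last}",
            "allocMode": "static"}}}]}}

def domain(name, pool_name, kind="l2ext"):
    """Domain bound to the pool: 'l2ext' (External Bridge Domain, for
    L2Outs) or 'phys' (Physical Domain, for regular Application EPGs)."""
    cls, prefix = {"l2ext": ("l2extDomP", "l2dom"),
                   "phys": ("physDomP", "phys")}[kind]
    return {cls: {
        "attributes": {"dn": f"uni/{prefix}-{name}", "name": name},
        "children": [{"infraRsVlanNs": {"attributes": {
            "tDn": f"uni/infra/vlanns-[{pool_name}]-static"}}}]}}

def one_pool_one_domain(first, last, kind="l2ext"):
    """Recommended design: two objects no matter how many VLANs."""
    return [vlan_pool("EXT_VLANS", first, last),
            domain("EXT_DOM", "EXT_VLANS", kind)]

def per_vlan_domains(first, last, kind="l2ext"):
    """Alternative from the question: a pool and a domain for every VLAN."""
    mos = []
    for vid in range(first, last + 1):
        mos.append(vlan_pool(f"EXT_VLAN{vid}", vid, vid))
        mos.append(domain(f"EXT_DOM{vid}", f"EXT_VLAN{vid}", kind))
    return mos

def objects_saved(first, last):
    """How many managed objects the one-pool design avoids creating."""
    return (len(per_vlan_domains(first, last))
            - len(one_pool_one_domain(first, last)))
```

Each returned MO carries its own dn, so it can be sent as the body of a POST to /api/mo/<dn>.json; for VLANs 101-110 objects_saved() returns 18, matching the reply's count.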

Hey @RedNectar 

Thanks for your comments.

I've been reading your comments in both conversations.

The point you insisted on heavily is that L2out configuration is complicated and a waste of time, unlike EPG extension. Also, in L2out only one VLAN is allowed, whereas many are allowed in EPG extension.

Based on your comments, I see that what you wish to do with L2out is doable by EPG Extension, but not vice versa!

So, you prefer to go with EPG extension in any scenario.

If so, what is the scenario where L2out is the ONLY option to serve me? There should be a reason for L2out existing!?

Hi at@ps ,

You are correct in saying that my objection to L2Outs is that they serve no additional functionality that can't be achieved using a regular Application EPG, and so are a completely unnecessary complication to an already complicated system with a whole lot of confusing names - "External Bridge Domain" being one of the most confusing.

If for some reason you are forced to go with L2Out, then the process you described (steps 1 to 4) sounds reasonable, assuming the service defined in the contract you mentioned in steps 3 & 4 is hosted (provided) on the External EPG and the Application EPG is using (consuming) that service.


RedNectar aka Chris Welsh.
