06-17-2024 03:00 AM
So we have two sites, one with ACI and one without. In the site where there is no ACI, for a project PoC, we needed to deploy a new VLAN on the core switches and extend it to other access switches, but with no SVI for the VLAN. Basically, an L2 VLAN only. The gateway for the VLAN will be on the firewall.
So, for example, we created VLAN 100 on the core and assigned two access ports to the VLAN: one port goes towards another access switch, which extends VLAN 100 to other switches, and the other access port connects to the firewall, which has the gateway for VLAN 100 configured.
How can I achieve the same on Cisco ACI? It's a fairly straightforward ask, but I want to ensure I am doing it the right way. I want to create an L2 VLAN on the ACI fabric whose gateway is outside the fabric. How can I do this? My knowledge of ACI is on and off, due to lack of practice. Please help.
06-17-2024 04:22 AM - edited 06-17-2024 04:24 AM
Hi @CollisionDomain,
I don't know where you're starting from, but assuming your Fabric is already set with Domains/AEP/Switch/Interface Profiles/Tenant/VRF, you need to create a Bridge Domain with all L2UU/Multi-Destination/ARP set to "Flood" and no Unicast Routing, create an EPG attached to that BD, and assign the server and FW ports to that EPG using EPG Static Port Binding (Port type, Port-encap Vlan 100, Mode trunk/access). That's basically it.
Keep in mind that using ACI as L2 only prevents you from many benefits the Fabric can bring.
Regards
06-24-2024 02:17 AM
I should have mentioned my existing fabric in the post. My bad. Yes, all of that is already set up. Your answer was helpful!
06-17-2024 10:57 AM
Hello @CollisionDomain
To configure a Layer 2 VLAN on Cisco ACI with the gateway outside the fabric, you can follow these steps to ensure the VLAN traffic is handled correctly while keeping the gateway on an external firewall:
### Steps to Configure a Pure L2 VLAN on Cisco ACI:
1. **Create a Bridge Domain (BD)**:
   - Navigate to **Tenant > Networking > Bridge Domains**.
   - Create a new Bridge Domain for your VLAN. Ensure you disable "Unicast Routing" because the gateway is outside the ACI fabric.
   - Enable "ARP Flooding" to allow ARP requests to propagate through the network.
2. **Create an Endpoint Group (EPG)**:
   - Navigate to **Tenant > Application Profiles > [Your Application Profile] > EPGs**.
   - Create an EPG and associate it with the Bridge Domain created earlier.
   - This EPG will be used to handle the traffic for VLAN 100.
3. **Static Binding of Ports**:
   - Navigate to the EPG and select **Static Ports**.
   - Bind the physical ports to the EPG that are connected to your core switch and firewall.
   - Configure the ports to operate in "Trunk" mode if the traffic will be tagged with VLAN 100, or "Access" mode if it is untagged.
4. **Policy Configuration**:
   - Ensure that the correct policies are applied to these ports, such as interface policies and VLAN pools.
   - Make sure these policies align with your security and network requirements.
5. **External Network Configuration**:
   - Navigate to **Tenant > Networking > External Networks > L2Out**.
   - Create an L2Out connection that represents the external network (the network outside the ACI fabric).
   - Select the Bridge Domain you created earlier and configure the appropriate VLAN (e.g., VLAN 100).
6. **Associate VLAN with L2Out**:
   - Configure the L2Out to map the VLAN 100 to the appropriate physical ports.
   - This step ensures that VLAN 100 traffic can leave the ACI fabric and reach the external firewall where the gateway is configured.
By following these steps, you can extend a Layer 2 VLAN in Cisco ACI to an external gateway, enabling seamless integration with non-ACI environments and external firewalls.
06-17-2024 11:35 PM - edited 06-18-2024 01:57 PM
Hi @Ali Aghababaei & @CollisionDomain,
I really thought Ali was saying the same thing as @Remi1 (who has described the bones of what you need to do) but with more detail.
Until I got to Step 5 - @CollisionDomain, please don't do Step 5 or 6 - i.e. DO NOT CONFIGURE ANY L2Outs.
And further, I'd suggest you do Step 4 from Ali's list before Step 1.
To avoid confusion with Steps 5 & 6, let me spell it out:
Note: in the menu sequences below >+ means right-click and the double >> indicates the transition from the top level menus to the side navigation pane, and >| indicates the transition from the side navigation pane to the work pane
Note: If using ACI with a version earlier than V5.2(7g), you'll also need to create Interface Profiles with Interface Selectors that define the actual physical ports, and link those Interface Selectors with the appropriate Interface Policy Groups, AND create Leaf Profiles and link them to the Interface Profiles. There's a tutorial on the Access Policy Chain out there that I wrote in 2015, so it still refers to Interface Profiles, Interface Selectors and Leaf Profiles.
If you have completed the steps as outlined above, your L2 Endpoints will be able to ping their default gateway IP on the firewall.
I repeat - do not touch or configure anything to do with L2Outs. There is nothing an L2Out can do that can't be done with a regular Application EPG, and there is MUCH more that can be done with an Application EPG than an L2Out.
Footnote:
Something bugs me about Ali's answer - how could he have got it so wrong to suggest you create both an EPG AND a L2Out? Was any AI engine at work perhaps??????
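The BD / EPG / static-port-binding configuration that @Remi1 and the reply above describe (L2 unknown unicast, multi-destination and ARP set to flood, no unicast routing, EPG with a physical domain and VLAN 100 port bindings, and no L2Out), expressed as the APIC object tree and checked for those settings. This is an added example, not code from any poster in this thread; the tenant, VRF, BD, EPG and physical domain names, pod 1, leaf 101 and the port names are assumptions.

```python
def build_l2_only_tenant(tenant="PoC", vrf="PoC-VRF", bd="VLAN100-BD", ap="PoC-AP",
                         epg="VLAN100-EPG", phys_dom="PoC-PhysDom", vlan=100,
                         paths=(("101", "eth1/1", "regular"), ("101", "eth1/2", "untagged"))):
    """APIC fvTenant tree for /api/mo/uni.json (added example; names, leaf and ports assumed)."""
    static_ports = [
        {"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{leaf}/pathep-[{port}]",  # leaf/port to server or FW
            "encap": f"vlan-{vlan}",            # port-encap VLAN 100
            "mode": mode,                       # regular = tagged (trunk), untagged = access
            "instrImmedcy": "immediate"}}}
        for leaf, port, mode in paths]
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvCtx": {"attributes": {"name": vrf}}},
        {"fvBD": {"attributes": {
            "name": bd,
            "unicastRoute": "no",               # no SVI in the fabric: the firewall is the gateway
            "arpFlood": "yes",                  # ARP floods so requests reach the firewall
            "unkMacUcastAct": "flood",          # L2 unknown unicast: flood, not spine proxy
            "multiDstPktAct": "bd-flood"},      # multi-destination traffic floods in the BD
            "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]}},
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": epg}, "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{phys_dom}"}}},  # physical domain
                *static_ports]}}]}}]}}

def l2_only_problems(tenant_obj):
    """Settings that would break 'gateway outside the fabric'; an empty list means OK."""
    problems = []
    for child in tenant_obj["fvTenant"]["children"]:
        if "l2extOut" in child:
            problems.append("L2Out present: a regular EPG already does this")
        if "fvBD" in child:
            a = child["fvBD"]["attributes"]
            if a.get("unicastRoute") != "no":
                problems.append("BD has unicast routing enabled")
            if a.get("arpFlood") != "yes":
                problems.append("BD does not flood ARP")
            if a.get("unkMacUcastAct") != "flood":
                problems.append("BD sends unknown unicast to the spine proxy")
        for ap_child in child.get("fvAp", {}).get("children", []):
            epg_children = ap_child["fvAEPg"]["children"]
            if not any("fvRsDomAtt" in c for c in epg_children):
                problems.append("EPG has no physical domain attached")
            for att in (c.get("fvRsPathAtt", {}).get("attributes", {}) for c in epg_children):
                if att and not att.get("encap", "").startswith("vlan-"):
                    problems.append(f"static port {att['tDn']} has no VLAN encap")
    return problems
```

Running `l2_only_problems` over the tree before posting it to the APIC catches the two mistakes discussed in this thread: a BD left with unicast routing on, and an L2Out added next to the EPG.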
06-24-2024 02:20 AM
Wow! This was extremely on spot! Very helpful. I will follow these steps and get back to you if I hit a roadblock of some sorts.
06-17-2024 11:24 AM
In Step 2 you should also associate the phy_domain, correct?