Pure L2 VLAN on Cisco ACI with Gateway outside the fabric

CollisionDomain
Level 1

So we have two sites, one with ACI and one without. In the site where there is no ACI, for a project PoC, we needed to deploy a new VLAN on the core switches and extend it to other access switches, but with no SVI for the VLAN. Basically, an L2-only VLAN. The gateway for the VLAN will be on the firewall.

So for example, we created VLAN 100 on the core and assigned two access ports to the VLAN: one port goes towards another access switch which extends VLAN 100 to other switches, and the other access port connects to the firewall, where the gateway for VLAN 100 is configured.

How can I achieve the same on Cisco ACI? It's a fairly straightforward ask, but I want to ensure I am doing it the right way. I want to create an L2 VLAN on the ACI fabric whose gateway is outside the fabric. How can I do this? My knowledge of ACI is on and off, due to lack of practice. Please help.

6 Replies

Remi-Astruc
Cisco Employee

Hi @CollisionDomain ,

I don't know where you're starting from, but assuming your Fabric is already set up with Domains/AEP/Switch/Interface Profiles/Tenant/VRF, you need to create a Bridge Domain with L2UU/Multi-Destination/ARP all set to "Flood" and no Unicast Routing, create an EPG attached to that BD, and assign the server and FW ports to that EPG using EPG Static Port Binding (Port type, Port-encap Vlan 100, Mode trunk/access). That's basically it.

Keep in mind that using ACI as L2 only prevents you from many benefits the Fabric can bring.

Regards

Remi Astruc

I should have mentioned about my existing fabric in the post. My bad. Yes, all of that is already setup. Your answer was helpful!

Ali Aghababaei
Level 1

Hello @CollisionDomain 


To configure a Layer 2 VLAN on Cisco ACI with the gateway outside the fabric, you can follow these steps to ensure the VLAN traffic is handled correctly while keeping the gateway on an external firewall:

### Steps to Configure a Pure L2 VLAN on Cisco ACI:

1. **Create a Bridge Domain (BD)**:
- Navigate to **Tenant > Networking > Bridge Domains**.
- Create a new Bridge Domain for your VLAN. Ensure you disable "Unicast Routing" because the gateway is outside the ACI fabric.
- Enable "ARP Flooding" to allow ARP requests to propagate through the network.

2. **Create an Endpoint Group (EPG)**:
- Navigate to **Tenant > Application Profiles > [Your Application Profile] > EPGs**.
- Create an EPG and associate it with the Bridge Domain created earlier.
- This EPG will be used to handle the traffic for VLAN 100.

3. **Static Binding of Ports**:
- Navigate to the EPG and select **Static Ports**.
- Bind the physical ports to the EPG that are connected to your core switch and firewall.
- Configure the ports to operate in "Trunk" mode if the traffic will be tagged with VLAN 100, or "Access" mode if it is untagged.

4. **Policy Configuration**:
- Ensure that the correct policies are applied to these ports, such as interface policies and VLAN pools.
- Make sure these policies align with your security and network requirements.

5. **External Network Configuration**:
- Navigate to **Tenant > Networking > External Networks > L2Out**.
- Create an L2Out connection that represents the external network (the network outside the ACI fabric).
- Select the Bridge Domain you created earlier and configure the appropriate VLAN (e.g., VLAN 100).

6. **Associate VLAN with L2Out**:
- Configure the L2Out to map the VLAN 100 to the appropriate physical ports.
- This step ensures that VLAN 100 traffic can leave the ACI fabric and reach the external firewall where the gateway is configured.

By following these steps, you can extend a Layer 2 VLAN in Cisco ACI to an external gateway, enabling seamless integration with non-ACI environments and external firewalls.

 

Hi @Ali Aghababaei & @CollisionDomain ,

I really thought Ali was saying the same thing as @Remi1 (who has described the bones of what you need to do) but with more detail.

Until I got to Step 5 - @CollisionDomain please don't do Step 5 or 6 - i.e. DO NOT CONFIGURE ANY L2Outs

And further, I'd suggest you start by doing Step 4 from Ali's list before Step 1

To avoid confusion with Steps 5 & 6, let me spell it out:

Note: in the menu sequences below >+ means right-click and the double >> indicates the transition from the top level menus to the side navigation pane, and >| indicates the transition from the side navigation pane to the work pane

Step 1: Access Policy Configuration (i.e. create an Access Policy Chain) = Ali's step 4

  1. Create a VLAN Pool [Fabric > Access Policies >> Pools > VLAN >+ Create VLAN Pool]
    1. For illustrative purposes, I'll call this Pool MappedVLANs_VLAN.Pool
    2. Make it a Dynamic VLAN Pool
    3. Add a Static block of VLANs that includes VLAN 100
  2. Create a Physical Domain [Fabric > Access Policies >> Physical and External Domains > Physical Domains >+ Create Physical Domain]
    1. For illustrative purposes, I'll call this Domain MappedVLANs_PhysDom
    2. Link the Physical Domain to the MappedVLANs_VLAN.Pool
  3. Create an AAEP [Fabric > Access Policies >> Policies > Global > Attachable Access Entity Profiles >+ Create Attachable Access Entity Profile]
    1. For illustrative purposes, I'll call this AAEP L2Links_AAEP
    2. Link the AAEP to the MappedVLANs_PhysDom
  4. Create an Interface Policy Group [Fabric > Access Policies >> Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port >+ Create Leaf Access Port Policy Group OR, if the links are to be VPCs, Fabric > Access Policies >> Interfaces > Leaf Interfaces > Policy Groups > VPC Interface >+ Create Leaf VPC Interface Policy Group]
    1. For illustrative purposes, I'll call the Interface Policy Group L2Hosts_APPG (if it is an Access Port Policy Group) or xxxx..yyyy:1:nn_VPCIPG if it is a VPC Interface Policy Group, where xxxx is the leaf ID of the first leaf of the VPC, yyyy is the 2nd leaf of the VPC and nn is the port number that the VPC connects to
      1. If more than one VPC is involved, you'll need a different VPCIPG for each VPC
    2. Add whichever policies you want to the Policy Group, such as system-cdp-enabled if you wish etc
      1. If it is a VPC, make sure you include a Port Channel Policy, like system-lacp-active
    3. Most importantly, make sure you link the Policy Group to the L2Links_AAEP
  5. Assuming ACI v5.2(7g) or later, navigate to Fabric > Access Policies >> Interface Configuration
    1. Under the Actions menu, choose Configure Interfaces
    2. Choose the Interface(s)
    3. Select either the L2Hosts_APPG or xxxx..yyyy:1:nn_VPCIPG as appropriate
    4. Repeat for all relevant interfaces leading to the L2 Hosts and to the other data centre

Note: If using ACI with a version earlier than V5.2(7g), you'll also need to create Interface Profiles with Interface Selectors that define the actual physical ports, and link those Interface Selectors with the appropriate Interface Policy Groups, AND create Leaf Profiles and link them to the Interface Profiles. There's a tutorial on the Access Policy Chain out there that I wrote in 2015, so it still refers to Interface Profiles, Interface Selectors and Leaf Profiles.


Step 2: Tenant Policy Configuration = Ali's Steps 1-3

  1. Create a Tenant [Tenants > Add Tenant] and give it a name. No need to create a VRF yet since you are doing L2 Only
  2. Create a Bridge Domain (BD) within the Tenant [Tenant >> Networking > Bridge Domains >+ Create Bridge Domain]
    1. For illustrative purposes, I'll call this BD L2_BD
    2. During BD creation, choose Custom for the Forwarding option
      1. Set L2 Unknown Unicast to Flood
      2. Set Multi-Destination Flooding to Flood in BD or Flood in Encapsulation
    3. When configuring L3 Configuration for the BD
      1. Set Unicast Routing to Disabled
  3. Create an Application Profile within the Tenant [Tenant >> Application Profiles >+ Create Application Profile]
    1. For illustrative purposes, I'll call this AP L2VLANs_AP
  4. Create an EPG within the Application Profile [Tenant >> Application Profiles > L2VLANs_AP >+Create Application EPG]
    1. For illustrative purposes, I'll call this EPG VLAN100_EPG
    2. For the Bridge Domain, link the EPG to the L2_BD
  5. Link the EPG to your Physical Domain [Tenant >> Application Profiles > L2VLANs_AP > Application EPGs > VLAN100_EPG > Domains >+ Add Physical Domain Association]
    1. Select the MappedVLANs_PhysDom 
  6. Link your EPG to the relevant VLAN + Ports/VPCs
    1. Method #1 Mapping Down. [Tenant >> Application Profiles > L2VLANs_AP > Application EPGs > VLAN100_EPG > Static Ports >+ Deploy Static EPG on PC, VPC, or Interface]
      1. Select Port or VPC as appropriate for Path Type
      2. Choose the relevant Node/Port or VPC Interface Policy Group
      3. Set the Port Encap (or ... Micro-seg) to VLAN 100
      4. Leave the encapsulation Mode as Trunk
      5. Repeat for all relevant ports/VPCs
    2. Alternate Method #2 Mapping Up. (Not necessary if Method #1 chosen) [Fabric > Access Policies >>Policies > Global > Attachable Access Entity Profiles > L2Links_AAEP >| Application EPGs section]
      1. Click the add button to add an EPG to the AAEP
      2. Choose your Tenant, the L2VLANs_AP Application Profile, the VLAN100_EPG EPG, and enter vlan-100 as the Encap
      3. Job done - no repeating for other interfaces using Method #2 Mapping Up.

Step 3: Test

If you have completed the steps as outlined above, your L2 Endpoints will be able to ping their default gateway IP on the firewall.

I repeat - do not touch or configure anything to do with L2Outs. There is nothing an L2Out can do that can't be done with a regular Application EPG, and there is MUCH more that can be done with an Application EPG than an L2Out.


Footnote:

Something bugs me about Ali's answer - how could he have got it so wrong to suggest you create both an EPG AND an L2Out? Was any AI engine at work perhaps??????

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
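The tenant-side objects that Remi's summary and RedNectar's Step 2 build through the GUI can also be expressed as the APIC REST payload (fvTenant/fvBD/fvAp/fvAEPg) posted to /api/mo/uni.json. The block below is an added example, not code from the thread or from Cisco: it builds that payload with the post's illustrative names and then audits it for the two things the thread insists on (Unicast Routing disabled with flooding on, and no L2Out at all). The tenant name and the pod/node/port paths are assumptions.

```python
"""Added example: RedNectar's Step 2 as an APIC REST payload, plus a 'pure L2' audit.
Object names (L2_BD, L2VLANs_AP, VLAN100_EPG, MappedVLANs_PhysDom) follow the post;
the tenant name and the interface paths are assumed values."""
import json

def build_l2_tenant(tenant, bd, ap, epg, phys_dom, paths, encap="vlan-100"):
    """Return the fvTenant tree for an EPG whose default gateway lives outside the fabric."""
    bd_mo = {"fvBD": {"attributes": {
        "name": bd,
        "unicastRoute": "no",          # L3 Configuration > Unicast Routing = Disabled
        "unkMacUcastAct": "flood",     # L2 Unknown Unicast = Flood
        "arpFlood": "yes",             # ARP Flooding on, so hosts can resolve the FW gateway
        "multiDstPktAct": "bd-flood",  # Multi-Destination Flooding = Flood in BD
    }}}
    epg_children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},                      # EPG -> L2_BD
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{phys_dom}"}}},     # Step 2.5 domain link
    ]
    for path in paths:  # Method #1 "mapping down": one static binding per port/VPC
        epg_children.append({"fvRsPathAtt": {"attributes": {
            "tDn": path, "encap": encap, "mode": "regular"}}})  # regular = trunk (tagged)
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        bd_mo,
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": epg}, "children": epg_children}}]}},
    ]}}

def audit_pure_l2(tenant_mo):
    """Return findings that contradict the thread's advice; an empty list means clean."""
    findings = []
    for child in tenant_mo["fvTenant"].get("children", []):
        if "l2extOut" in child:  # the thing RedNectar says never to configure here
            name = child["l2extOut"]["attributes"].get("name")
            findings.append(f"L2Out {name} present: a plain Application EPG already covers this")
        if "fvBD" in child:
            a = child["fvBD"]["attributes"]
            if a.get("unicastRoute") != "no":
                findings.append(f"BD {a['name']}: unicast routing enabled, fabric would try to route")
            if a.get("unkMacUcastAct") != "flood":
                findings.append(f"BD {a['name']}: L2 unknown unicast not set to flood")
            if a.get("arpFlood") != "yes":
                findings.append(f"BD {a['name']}: ARP flooding disabled")
    return findings

if __name__ == "__main__":
    payload = build_l2_tenant(
        "PoC_TN", "L2_BD", "L2VLANs_AP", "VLAN100_EPG", "MappedVLANs_PhysDom",
        ["topology/pod-1/paths-101/pathep-[eth1/10]",                        # assumed FW port
         "topology/pod-1/protpaths-101-102/pathep-[101..102:1:20_VPCIPG]"])  # assumed VPC
    print(json.dumps(payload, indent=1))  # POST to https://<apic>/api/mo/uni.json
    print(audit_pure_l2(payload))
```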

Wow! This was extremely on spot! Very helpful. I will follow these steps and get back to you if I hit a roadblock of some sorts.

AlexI1978
Level 1

In Step 2 you also should associate the phy_domain, correct?
