Questions about BD, VLAN, default gateway

bo liu (Level 4)

Hello everyone,

I'm going to be managing an ACI system, so I'm learning about ACI. I have a question that has always puzzled me.

From my understanding, a BD is a Layer 2 boundary rather than a VLAN. The subnet configured under the BD is the default gateway for the endpoint. In addition, an EPG encapsulates VLAN tags. My question is, how does an endpoint know that it belongs to that BD subnet?

For example, a BD contains five subnets from 192.168.1.1/24 to 192.168.5.1/24, and there are two EPGs, EPG1 and EPG2. EPG1 encapsulates VLAN 10, and EPG2 encapsulates VLAN 20.

Therefore, can the endpoints in EPG1 and EPG2 both belong to the 192.168.1.0/24 network segment with 192.168.1.1 as the default gateway, without caring about the VLAN encapsulation?

2 Accepted Solutions (the replies from Robert Burns and Sergiu.Daniluk below)

3 Replies

Robert Burns (Cisco Employee)

Bo,

From an object model perspective, an EPG is associated to one (and only one) BD. The endpoint has no knowledge of its BD, but we as the admins know which BDs an EPG has been assigned to. You're correct in that any EPG (regardless of its IP) will be able to reach any subnet SVI of its associated BD. For the endpoint to be able to route, the BD would need to have unicast routing enabled (assuming the endpoint is using the BD subnet as its GW). While this may be confusing, it's one of the benefits that ACI offers in terms of network abstraction.

Take this example:

Endpoint_A = 192.168.1.1 (belongs to EPG_A)
Endpoint_B = 192.168.1.2 (belongs to EPG_B)
BD_1 subnet = 192.168.1.254/24

EPG_A is associated with BD_1
EPG_B is associated with BD_1

In this example, even though my endpoints are spread across EPGs (different encaps) and associated to the same BD, they would not be able to communicate. Not without a contract, that is. This is where ACI shines by separating routing (network) from policy (security).

So to answer your question, the encap only matters for endpoint assignment and has nothing to do with policy.

Make sense?

Robert

Hi Robert,

Thanks for your reply.

So suppose:

I have a BD (BD-1) with 2 subnets, 192.168.1.1/24 and 172.16.1.1/24: the 192.168.1.0/24 subnet for web servers and the 172.16.1.0/24 subnet for DB servers.

So I can define two EPGs as two separate businesses:

EPG1 = 192.168.1.10 (web server) + 172.16.1.10 (DB server)
EPG2 = 192.168.1.20 (web server) + 172.16.1.20 (DB server)

All endpoints point their default gateway to the BD's subnet.

In addition, when I need to leak these addresses to another VRF, BD-1 is the provider. I can define subnets in EPG1 (192.168.1.10/32 and 172.16.1.10/32) and set the scope to "Shared between VRFs".

Is that correct?

Sergiu.Daniluk (VIP Alumni)

Hi @bo liu,

This is how you can look at it:

Encap VLAN = the way you tell a leaf in which EPGs to learn endpoints on that specific leaf (remember, you can have static port assignments with different VLANs on different leaves as part of the same EPG)

EPG = what you use to perform policy enforcement and segmentation in a specific BD

BD = what you use to define your broadcast domain (if routing is enabled, this is translated to an SVI on the leaves, with one or more subnets configured on it)

Stay safe,

Sergiu
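As an added example (not code from this thread, and not a Cisco tool), here are the objects Robert's and Sergiu's replies describe, written as the JSON an APIC accepts at POST /api/mo/uni.json, together with three read-back checks that walk that same JSON: which EPG a frame is learned into on a given leaf, port and encap (Sergiu's point that the encap is only a per-leaf classification key, so one EPG may use different VLANs on different leaves), which BD subnet IPs serve as gateways for an EPG (only if the BD has unicast routing enabled), and whether two EPGs may talk, which depends on a contract and not on sharing a BD or subnet (Robert's point). All names and values are assumptions made for the example: Tenant1, VRF1, BD_1 with 192.168.1.254/24, App1, EPG_A on leaf 101 eth1/1 (vlan-10) and leaf 102 eth1/1 (vlan-110), EPG_B on leaf 101 eth1/2 (vlan-20), and an ICMP filter in contract A-to-B.

```python
"""Added example (not from the thread or from Cisco): the objects Robert and
Sergiu describe, as the JSON an APIC accepts at POST /api/mo/uni.json, plus
read-back checks that walk that JSON. All names and values are assumptions."""
import json


def epg(name, bd, bindings, prov=(), cons=()):
    """One fvAEPg: exactly one fvRsBd, one fvRsPathAtt per (leaf, port, encap)
    static binding, and the contracts it provides / consumes."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    for leaf, port, encap in bindings:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{leaf}/pathep-[{port}]",
            "encap": encap, "mode": "regular"}}})
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in prov]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in cons]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def tenant_payload(with_contract=True):
    """Robert's scenario: EPG_A and EPG_B share BD_1 (one subnet, routing on)
    but use different encaps. EPG_A is also bound on a second leaf with a
    different encap, which Sergiu notes is allowed. Names are constructed."""
    contract = ["A-to-B"] if with_contract else []
    return {"fvTenant": {"attributes": {"name": "Tenant1"}, "children": [
        {"fvCtx": {"attributes": {"name": "VRF1", "pcEnfPref": "enforced"}}},
        {"fvBD": {"attributes": {"name": "BD_1", "unicastRoute": "yes"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF1"}}},
            {"fvSubnet": {"attributes": {"ip": "192.168.1.254/24", "scope": "private"}}}]}},
        {"vzFilter": {"attributes": {"name": "icmp"}, "children": [
            {"vzEntry": {"attributes": {"name": "icmp", "etherT": "ip", "prot": "icmp"}}}]}},
        {"vzBrCP": {"attributes": {"name": "A-to-B", "scope": "context"}, "children": [
            {"vzSubj": {"attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "icmp"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "App1"}, "children": [
            epg("EPG_A", "BD_1", [("101", "eth1/1", "vlan-10"),
                                  ("102", "eth1/1", "vlan-110")], prov=contract),
            epg("EPG_B", "BD_1", [("101", "eth1/2", "vlan-20")], cons=contract)]}}]}}


def find(mo, cls):
    """Depth-first yield of every object of class `cls` below managed object `mo`."""
    for child in mo.get("children", []):
        (k, v), = child.items()
        if k == cls:
            yield v
        yield from find(v, cls)


def get_epg(tenant, name):
    for e in find(tenant, "fvAEPg"):
        if e["attributes"]["name"] == name:
            return e
    raise KeyError(name)


def classify(tenant, leaf, port, vlan):
    """EPG a frame is learned into, keyed only on (leaf, port, 802.1Q tag).
    Frames matching no static binding are dropped, not defaulted into an EPG."""
    tdn = f"topology/pod-1/paths-{leaf}/pathep-[{port}]"
    for e in find(tenant, "fvAEPg"):
        for p in find(e, "fvRsPathAtt"):
            if p["attributes"]["tDn"] == tdn and p["attributes"]["encap"] == f"vlan-{vlan}":
                return e["attributes"]["name"]
    return None


def bd_of(tenant, epg_name):
    return next(find(get_epg(tenant, epg_name), "fvRsBd"))["attributes"]["tnFvBDName"]


def gateways(tenant, epg_name):
    """Gateway IPs an endpoint in this EPG can use: every fvSubnet of the EPG's BD,
    but only when the BD has unicast routing enabled (no SVI exists otherwise)."""
    bd = next(b for b in find(tenant, "fvBD") if b["attributes"]["name"] == bd_of(tenant, epg_name))
    if bd["attributes"].get("unicastRoute", "yes") != "yes":
        return []
    return [s["attributes"]["ip"].split("/")[0] for s in find(bd, "fvSubnet")]


def allowed(tenant, src, dst):
    """Policy between EPGs: intra-EPG is open by default; inter-EPG needs a contract
    provided by one side and consumed by the other (unless the VRF is unenforced).
    Sharing a BD or a subnet plays no part. Filters and direction are not evaluated."""
    if src == dst or next(find(tenant, "fvCtx"))["attributes"].get("pcEnfPref") == "unenforced":
        return True
    rel = lambda n, cls: {r["attributes"]["tnVzBrCPName"] for r in find(get_epg(tenant, n), cls)}
    return bool(rel(src, "fvRsProv") & rel(dst, "fvRsCons") or rel(src, "fvRsCons") & rel(dst, "fvRsProv"))


if __name__ == "__main__":
    t = tenant_payload()["fvTenant"]
    print(json.dumps(tenant_payload(), indent=1))  # request body for POST /api/mo/uni.json
    print(classify(t, "101", "eth1/1", 10), classify(t, "102", "eth1/1", 110))  # EPG_A EPG_A
    print(gateways(t, "EPG_B"), allowed(t, "EPG_A", "EPG_B"))  # ['192.168.1.254'] True
    print(allowed(tenant_payload(False)["fvTenant"], "EPG_A", "EPG_B"))  # False: same BD, no contract
```

Two caveats on reading this against a real fabric. First, the payload is deliberately incomplete: a live EPG also needs a physical domain association (fvRsDomAtt) whose VLAN pool contains each encap used in its static bindings, or the bindings raise a fault. Second, `allowed` only answers the question in the thread (is there any contract relationship between the two EPGs?); it does not evaluate the filter entries, subject direction, or contract scope, which decide what traffic the zoning rules actually permit.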
