05-05-2022 07:44 AM
Hello everyone,
I'm going to be managing an ACI system, so I'm learning about ACI. I have a question that has always puzzled me.
From my understanding, a BD is a Layer 2 boundary rather than a VLAN. The subnet configured under the BD is the default gateway for the endpoint. In addition, an EPG encapsulates VLAN tags. My question is, how does an endpoint know that it belongs to that BD subnet?
For example, a BD contains five subnets from 192.168.1.1/24 to 192.168.5.1/24. There are two EPGs, EPG1 and EPG2. EPG1 encapsulates VLAN 10, and EPG2 encapsulates VLAN 20.
Therefore, the endpoints in EPG1 and EPG2 can belong to the 192.168.1.0/24 network segment and the default gateway is 192.168.1.1? Without caring about VLAN encapsulation?
05-05-2022 07:58 AM
Bo,
From an object model perspective, an EPG is associated to one (and only one) BD. The Endpoint has no knowledge of its BD, but we, as the Admins, know which BD an EPG has been assigned to. You're correct in that any EPG (regardless of its IP) will be able to reach any Subnet SVI of its associated BD. For the Endpoint to be able to route, the BD would need to have unicast routing enabled (assuming the Endpoint is using the BD Subnet as its GW). While this may be confusing, it's one of the benefits that ACI offers in terms of network abstraction.
Take this example:
Endpoint_A = 192.168.1.1 (Belongs to EPG_A)
Endpoint_B = 192.168.1.2 (Belongs to EPG_B)
BD_1 Subnet = 192.168.1.254/24
EPG_A is associated with BD_1
EPG_B is associated with BD_1
In this example, even though my endpoints are spread across EPGs (different Encaps) and associated with the same BD, they would not be able to communicate. Not without a contract, that is. This is where ACI shines by separating routing (network) from policy (security).
So to answer your question, the encap only matters for endpoint assignment, and has nothing to do with policy.
Make sense?
Robert
05-05-2022 10:45 AM
Hi @bo liu
This is how you can look at it:
Encap VLAN = the way you tell a leaf in which EPG to learn endpoints on that specific leaf (remember, you can have static port assignments with different VLANs on different leafs as part of the same EPG)
EPG = what you use to perform policy enforcement and segmentation in a specific BD
BD = what you use to define your broadcast domain (if routing is enabled, this is translated to an SVI on the leafs, with one or more subnets configured on it)
Stay safe,
Sergiu
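The relationships Robert and Sergiu describe above (encap VLAN on a leaf port decides the EPG an endpoint is learned into, an EPG belongs to exactly one BD, the BD subnet is the gateway SVI, and only a contract lets two EPGs talk regardless of whether they share a BD) can be modelled as a small policy checker. This is an added example written for this thread, not APIC code or anything from Cisco; the fabric data (leaf names, ports, VLANs, the `BD_1` / `EPG_A` / `EPG_B` layout from Robert's post plus a third endpoint on a second leaf) is constructed, and intra-EPG traffic is assumed to be permitted by default while a contract is assumed to permit traffic in both directions between its consumer and provider EPG.

```python
"""Toy model of the ACI relationships described in the thread:
encap VLAN -> EPG (per leaf port), EPG -> exactly one BD, BD -> subnet SVIs,
and contracts between EPGs deciding whether two endpoints may talk.
All data below is constructed for illustration; this is not APIC code."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class BridgeDomain:
    name: str
    subnets: list            # gateway/prefix strings, e.g. "192.168.1.254/24"
    unicast_routing: bool = True


@dataclass
class EPG:
    name: str
    bd: str                  # an EPG is associated with one and only one BD
    # static path bindings: (leaf, port) -> encap VLAN; the same EPG may use
    # different VLANs on different leafs, as Sergiu notes
    bindings: dict = field(default_factory=dict)


@dataclass
class Endpoint:
    name: str
    ip: str
    gateway: str
    leaf: str
    port: str
    vlan: int


@dataclass
class Fabric:
    bds: dict = field(default_factory=dict)
    epgs: dict = field(default_factory=dict)
    # contracts as (consumer EPG, provider EPG); assumed to permit traffic in
    # both directions, as the default "apply both directions" filter does
    contracts: set = field(default_factory=set)


def classify(fabric, ep):
    """Return the EPG the leaf would learn this endpoint into, based only on
    the (leaf, port, encap VLAN) it arrives on; None if no EPG claims it."""
    for epg in fabric.epgs.values():
        if epg.bindings.get((ep.leaf, ep.port)) == ep.vlan:
            return epg.name
    return None


def gateway_reachable(fabric, ep):
    """True if the endpoint's gateway is a subnet SVI of its EPG's BD and the
    BD has unicast routing enabled. The endpoint's own IP and VLAN play no
    part in this decision, which is Robert's point."""
    epg_name = classify(fabric, ep)
    if epg_name is None:
        return False
    bd = fabric.bds[fabric.epgs[epg_name].bd]
    gateways = {ipaddress.ip_interface(s).ip for s in bd.subnets}
    return bd.unicast_routing and ipaddress.ip_address(ep.gateway) in gateways


def can_communicate(fabric, a, b):
    """Policy decision between two endpoints, returned as (allowed, reason)."""
    ea, eb = classify(fabric, a), classify(fabric, b)
    if ea is None or eb is None:
        return False, "endpoint not learned into any EPG"
    if ea == eb:
        return True, "same EPG (intra-EPG traffic permitted by default)"
    if (ea, eb) in fabric.contracts or (eb, ea) in fabric.contracts:
        return True, f"contract between {ea} and {eb}"
    same_bd = fabric.epgs[ea].bd == fabric.epgs[eb].bd
    return False, "no contract" + (" (sharing a BD does not help)" if same_bd else "")


def build_example():
    """Robert's example, with EPG_B also bound on a second leaf (VLAN 30)."""
    f = Fabric()
    f.bds["BD_1"] = BridgeDomain("BD_1", ["192.168.1.254/24"])
    f.epgs["EPG_A"] = EPG("EPG_A", "BD_1", {("leaf-101", "eth1/1"): 10})
    f.epgs["EPG_B"] = EPG("EPG_B", "BD_1", {("leaf-101", "eth1/2"): 20,
                                            ("leaf-102", "eth1/2"): 30})
    return f


# Constructed endpoints: A and B as in Robert's post, C in EPG_B on leaf-102
EP_A = Endpoint("Endpoint_A", "192.168.1.1", "192.168.1.254", "leaf-101", "eth1/1", 10)
EP_B = Endpoint("Endpoint_B", "192.168.1.2", "192.168.1.254", "leaf-101", "eth1/2", 20)
EP_C = Endpoint("Endpoint_C", "192.168.1.3", "192.168.1.254", "leaf-102", "eth1/2", 30)

if __name__ == "__main__":
    fab = build_example()
    for ep in (EP_A, EP_B, EP_C):
        print(ep.name, "->", classify(fab, ep), "gateway ok:", gateway_reachable(fab, ep))
    print(can_communicate(fab, EP_A, EP_B))   # blocked: different EPGs, no contract
    print(can_communicate(fab, EP_B, EP_C))   # allowed: same EPG despite different VLANs
    fab.contracts.add(("EPG_A", "EPG_B"))     # EPG_A consumes, EPG_B provides
    print(can_communicate(fab, EP_A, EP_B))   # allowed once the contract exists
```

Running it shows the two halves of the answer side by side: all three endpoints reach the same gateway SVI because their EPGs sit on `BD_1`, yet Endpoint_A and Endpoint_B stay isolated until a contract is added, while Endpoint_B and Endpoint_C talk freely even though they were learned on different leafs with different encap VLANs.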
05-05-2022 06:06 PM
Hi Robert
Thanks for your reply.
So suppose:
I have a BD (BD-1) with 2 subnets: 192.168.1.1/24 and 172.16.1.1/24, 192 for the Web server, 172 for the DB server.
So I can define two EPGs as two separate businesses:
EPG1 = 192.168.1.10(Web Server) + 172.16.1.10(DB server)
EPG2 = 192.168.1.20(Web server) + 172.16.1.20(DB server)
All endpoints point their default gateway to the BD's subnet.
In addition, when I need to leak these addresses to another VRF, BD-1 is the provider. I can define subnets in EPG1, 192.168.1.10/32 and 172.16.1.10/32, and set the scope to shared VRF.
Is that correct?