Solved: Same encapsulation in L2out EPG and L3out SVI in same VRF

vaibhavsalgaonkar · ‎03-28-2019

Hi,

Is it possible to have Same encapsulation in L2out EPG and L3out SVI in same VRF?

I am getting error same encapsulation being used by different EPG. Please see attached diagram.

I have created EPG 100 in which static ports(L2NNI) are called with encapsulation 100. I need to call same encapsulation as SVI on different interface connecting to LB for L3 out. Please suggest.

Jayesh Singh · ‎03-28-2019

Hi Vaibhav,

Vlan encap is local to the leaf. However, no two EPGs can have same vlan encap on the same leaf. It throws a fault if configured that way.

There is something called as Per Port Vlan in aci which is a work around for above situation. So in case you have 2 EPGs on the same leaf switch they can still have the same vlan encap with Per Port Vlan config.

Setup looks something like this,

Restriction: This does not apply to ports configured for Layer 3 external outside connectivity.

So, I would suggest you to use different encap for your L3 out.

Refer below link for more details on this concept:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L2_config/b_Cisco_APIC_Layer_2_Configuration_Guide/b_Cisco_APIC_Layer_2_Configuration_Guide_chapter_011.html

Regards,

Jayesh

***Rate all posts that are helpful. Mark it as a solution if it answers your query, it may help other users who have the same query***

View solution in original post

bburns2 · ‎03-29-2022

This is three years late, but we had a similar scenario while migrating from our legacy network to ACI and found another way to work around this. In my scenario, I have two Nexus 7Ks connected to ACI leafs with both L2 and L3 Outs. We had a couple of firewalls and load-balancers that required both L2Outs and L3Outs during the migration. I was able to use VLAN mapping on the Nexus 7Ks to translate the L3Out tags to unused VLAN tags, then configure the L3Out in ACI to match the mapped VLAN tag

interface port-channel20
  description L2 VPC to ACI L3Out
  switchport
  switchport mode trunk
  switchport vlan mapping 100 1100
  switchport vlan mapping 101 1101
  switchport vlan mapping 102 1102
  switchport vlan mapping 103 1103
  switchport vlan mapping 104 1104
  switchport vlan mapping 105 1105
  switchport vlan mapping 106 1106
  switchport vlan mapping 107 1107
  switchport trunk allowed vlan 100-107

I mapped VLAN 100 - 107 to 1100 - 1107 on the L3Out port-channel to ACI. My ACI L2Out encapsulation is configured for VLAN 100 - 107, and my L3Outs are configured for VLAN 1100 - 1107.

I wanted to share my experience in case this helps anyone else out who may run into the same issue.

Brian

View solution in original post

Jayesh Singh · ‎03-28-2019

Hi Vaibhav,

Vlan encap is local to the leaf. However, no two EPGs can have same vlan encap on the same leaf. It throws a fault if configured that way.

There is something called as Per Port Vlan in aci which is a work around for above situation. So in case you have 2 EPGs on the same leaf switch they can still have the same vlan encap with Per Port Vlan config.

Setup looks something like this,

Restriction: This does not apply to ports configured for Layer 3 external outside connectivity.

So, I would suggest you to use different encap for your L3 out.

Refer below link for more details on this concept:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L2_config/b_Cisco_APIC_Layer_2_Configuration_Guide/b_Cisco_APIC_Layer_2_Configuration_Guide_chapter_011.html

Regards,

Jayesh

***Rate all posts that are helpful. Mark it as a solution if it answers your query, it may help other users who have the same query***

bburns2 · ‎03-29-2022

This is three years late, but we had a similar scenario while migrating from our legacy network to ACI and found another way to work around this. In my scenario, I have two Nexus 7Ks connected to ACI leafs with both L2 and L3 Outs. We had a couple of firewalls and load-balancers that required both L2Outs and L3Outs during the migration. I was able to use VLAN mapping on the Nexus 7Ks to translate the L3Out tags to unused VLAN tags, then configure the L3Out in ACI to match the mapped VLAN tag

interface port-channel20
  description L2 VPC to ACI L3Out
  switchport
  switchport mode trunk
  switchport vlan mapping 100 1100
  switchport vlan mapping 101 1101
  switchport vlan mapping 102 1102
  switchport vlan mapping 103 1103
  switchport vlan mapping 104 1104
  switchport vlan mapping 105 1105
  switchport vlan mapping 106 1106
  switchport vlan mapping 107 1107
  switchport trunk allowed vlan 100-107

I mapped VLAN 100 - 107 to 1100 - 1107 on the L3Out port-channel to ACI. My ACI L2Out encapsulation is configured for VLAN 100 - 107, and my L3Outs are configured for VLAN 1100 - 1107.

I wanted to share my experience in case this helps anyone else out who may run into the same issue.

Brian

irenof · ‎12-20-2024

Hi @bburns2, I am interested in your answer since I wil have to migrate L3 device to ACI. I did not know this solution and it seems to fit my case. But did you connect two different VPC from FW to ACI? one for L2 and one for L3? thanks

Same encapsulation in L2out EPG and L3out SVI in same VRF

How to get EPG's, VRF's, L3Out uplinks, and Leafs

L3Out and L2-EPG extensions using same PO

ACI L2out inband epg

ACI share L3Out with "L2Out/EPG"

devnet sandbox for ACI with l2out/l3out