Solved: Same IP subnet in different EPGs in one BD

Thushan Pramod · ‎03-13-2017

Can we create same IP subnet in different EPGs within single BD?

Jason Williams · ‎03-13-2017

Endpoints within EPG-A talking to other Endpoints within EPG-A will not need a contract. Same goes for EPG-B endpoints talking to others within EPG-B. Inter EPG communication (EPG-A -> EPG-B :: EPG-B -> EPG-A) will require a contract in place.

If you want to allow all communication between EPG-A and EPG-B and still have them in the same subnet, then it might be easier to place them all into the same EPG.

View solution in original post

Jason Williams · ‎03-13-2017

Yes, if the gateway is in ACI then create a subnet in the bridge domain. Associate the EPG(s) to this bridge domain.

Thushan Pramod · ‎03-13-2017

Hi Jason,

GW is defined in the external Fw. Let's say we are going to use IP subnet A. Can we bind the same IP subnet A for EPG1 and EPG2 where two EPGs are binded to one BD?

Jason Williams · ‎03-13-2017

If gateway is on external device, then the usual design is to make the BD L2 (disable unicast routing). No need be concerned with IP subnets since ACI will only forward based on mac.

Thushan Pramod · ‎03-13-2017

Hi Jason,

One thing more.Let's say application A (run on a VM or BM) uses IP subnet A and attached to EPG1 of BD1 and application B (run on a VM or BM) uses IP subnet A and attached to EPG2 of BD1.

Above implementation can be done according to you right.

Default GW is defined in the external FW. So can end points attached to EPG 1 and EPG 2 communicate each other by default or do we need to assign contracts?What is the path of communication?

Since they are in same IP subnet they don't need to reach FW right.

Jason Williams · ‎03-13-2017

Endpoints within EPG-A talking to other Endpoints within EPG-A will not need a contract. Same goes for EPG-B endpoints talking to others within EPG-B. Inter EPG communication (EPG-A -> EPG-B :: EPG-B -> EPG-A) will require a contract in place.

If you want to allow all communication between EPG-A and EPG-B and still have them in the same subnet, then it might be easier to place them all into the same EPG.

Thushan Pramod · ‎03-14-2017

Hi Jason,

This is the thing. One of the customer need it to be happened in that manner.

He has application A on IP subnet A and application B on IP subnet A as well and at the same time he need them running seperately. So iam going to implement them in following manner as you said.

Create BD1

Create EPG1 and EPG2 which are binded to BD1

attach application A (run on a VM or BM) on IP subnet A to EPG1 and application B (run on a VM or BM) on IP subnet A to EPG2

Then these endpoints will run seperately if the customer need to have access between those end points we can create contracts right.

what is required if the end points in EPG1 and EPG2 required to access external network (different IP subnet) packets need to reach the FW right since the GW is defined on FW.?

So How can we accomplish that? Using L2 out or static path config towards FW?

IS it at BD level or do we need to create per EPG level?

One thing finally.

when we compare with legacy network do we need to worry about the vlans? How vlan concept will effect above scenario in ACI?

armedforcesbank · ‎12-27-2017

If the gateway for the subnet is on the FW (an external device), then you can not enforce policies for the EPGs that belong to the BD which in turn does not own the gateway IP. You can enforce the policy only when the BD owns the gateway IP.