10-20-2016 07:07 AM - edited 03-01-2019 05:04 AM
Hi gang,
I am struggling to understand when you could create a subnet under a Bridge Domain vs on an EPG. Is there any guidance as to when each option is more favourable?
In my fairly simple use case, we are using ACI for mostly dev/test networks, so I have some flexibility. We are currently creating a single BD for each tenant, and creating a single subnet under each EPG.
If there are reasons as to why you'd create a subnet in a BD over an EPG, I'd love to hear them.
Thanks! Your help is greatly appreciated!
J
10-20-2016 07:16 AM
Hey J,
2 Reasons:
1) If you deploy the subnet under the BD, hosts in this subnet can be assigned to multiple EPGs, since you can assign the same BD to multiple EPGs. When defining the subnet under the EPG, only hosts in that EPG can access the gateway. This is fine in a 'network centric' model where you always have 1 BD per EPG.
2) The other reason is for route leaking. When doing route leaking with 1 Provider and 1 Consumer Contract, the subnet must be defined under the Provider EPG. If the contract is both provided and consumed on both EPGs, the subnet can be defined under the BDs.
Joey
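The two placements Joey describes, written out as an APIC tenant policy in XML. This is an added illustration, not configuration from the thread; the tenant, VRF, BD, EPG, contract names and the 10.1.x.x addresses are made up, and the `scope` flags on the EPG subnet correspond to the "Advertised Externally" and "Shared between VRFs" checkboxes in the GUI.

```xml
<!-- Added illustration, not from the thread. All names and addresses are made up. -->
<fvTenant name="Tenant-Example">
  <fvCtx name="VRF-Example"/>

  <!-- Reason 1: subnet on the BD. Every EPG bound to BD-Shared uses 10.1.1.1 as its gateway. -->
  <fvBD name="BD-Shared" unicastRoute="yes">
    <fvRsCtx tnFvCtxName="VRF-Example"/>
    <fvSubnet ip="10.1.1.1/24" scope="private"/>
  </fvBD>

  <!-- Network-centric BD: no subnet here, the EPG below owns it (1 BD per EPG). -->
  <fvBD name="BD-Web" unicastRoute="yes">
    <fvRsCtx tnFvCtxName="VRF-Example"/>
  </fvBD>

  <fvAp name="AP-Example">
    <!-- Two EPGs share BD-Shared and therefore share its gateway. -->
    <fvAEPg name="EPG-App-A">
      <fvRsBd tnFvBDName="BD-Shared"/>
    </fvAEPg>
    <fvAEPg name="EPG-App-B">
      <fvRsBd tnFvBDName="BD-Shared"/>
    </fvAEPg>

    <!-- Reason 2: subnet on the provider EPG for route leaking.
         scope="public,shared" = "Advertised Externally" + "Shared between VRFs".
         Only hosts in EPG-Web can reach 10.1.2.1. -->
    <fvAEPg name="EPG-Web">
      <fvRsBd tnFvBDName="BD-Web"/>
      <fvSubnet ip="10.1.2.1/24" scope="public,shared"/>
      <fvRsProv tnVzBrCPName="Web-Contract"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
```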
10-20-2016 07:28 AM
Thanks Joey!
I probably do fall more into the "network centric" model. One minor variation in our case is that we have one BD per tenant, but multiple EPGs for each tenant, each with its own subnet... is it Best Practice to have one BD per EPG (and EPG subnet)?
As for route leaking, we have a single L3Out that's shared by all tenants. Any (EPG) subnets that need to be available outside the datacenter are marked as Shared and Advertised which allows them to route out to the firewall for policy and site-to-site VPNs as needed. Any/all Inter-tenant communications passes through the firewall rather than being governed by contracts.
I don't know if this is a "proper" design, but it suits our needs so far... I guess I haven't fully digested ACI's full capabilities.
10-20-2016 07:32 AM
There isn't really a "best practice" in regards to the network centric design, since both are supported. Most customers migrate to ACI with this approach since it's the easiest concept to understand coming from a traditional network model. Did you mean to say that you only have 1 VRF per tenant? Or 1 BD per tenant?
I would definitely recommend splitting some of the EPGs up into their own BD to avoid unnecessary flooding to all EPGs depending on the BD config.
Looks like for the L3Out design, this is considered a "shared L3Out" and is the best practice for EPGs in multiple VRFs to be able to use the same L3Out.
Joey
10-20-2016 07:34 AM
Thanks Joey.
In fact, each tenant has a single VRF and a single BD, with multiple EPGs.
I could see some value in defining more BDs - one for each EPG I guess in our model.
You are correct about the L3out.
Interesting stuff! cheers!