
Subnet in BD vs EPG?

bcn-jbrooks
Level 1

Hi gang,

I am struggling to understand when you could create a subnet under a Bridge Domain vs on an EPG.  Is there any guidance as to when each option is more favourable?

In my fairly simple use case, we are using ACI for mostly dev/test networks, so I have some flexibility.  We are currently creating a single BD for each tenant, and creating a single subnet under each EPG.

If there are reasons as to why you'd create a subnet in a BD over an EPG, I'd love to hear them.

thanks!  your help is greatly appreciated!

J

4 Replies

Joseph Ristaino
Cisco Employee

Hey J,

2 Reasons:

1) If you deploy the subnet under the BD, hosts in this subnet can be assigned to multiple EPGs, since you can assign the same BD to multiple EPGs.  When defining the subnet under the EPG, only hosts in that EPG can access the gateway.  This is fine in a 'network centric' model where you always have 1 BD per EPG.

2) The other reason is for route leaking.  When doing route leaking with 1 Provider and 1 Consumer contract, the subnet must be defined under the Provider EPG.  If the contract is both provided and consumed on both EPGs, the subnet can be defined under the BDs.

Joey
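
The two placements above, written out as the APIC object model (fvBD vs fvAEPg each carrying an fvSubnet), plus a small check for the route-leaking rule in reason 2. This is an added example, not code from the post or from Cisco; the tenant, VRF, BD, EPG and contract names and the 10.x addresses are constructed for illustration. The scope flags on fvSubnet ("public" = Advertised Externally, "shared" = Shared between VRFs) are the real attribute values the GUI checkboxes set.

```python
"""Where an ACI subnet lives, as APIC REST (JSON) payloads, plus a check for the
route-leaking rule. Added example; tenant/VRF/BD/EPG/contract names and the 10.x
addresses are constructed, not taken from the post."""
import json


def subnet(ip, advertised=False, shared=False):
    """fvSubnet. 'scope' maps to the GUI boxes: public = Advertised Externally,
    shared = Shared between VRFs; private is the default (not advertised)."""
    scope = ["public" if advertised else "private"]
    if shared:
        scope.append("shared")
    return {"fvSubnet": {"attributes": {"ip": ip, "scope": ",".join(scope)}}}


def bridge_domain(name, vrf, subnets=()):
    """fvBD in a VRF. A subnet here is the gateway for every EPG bound to this BD."""
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}, *subnets]
    return {"fvBD": {"attributes": {"name": name}, "children": children}}


def epg(name, bd, subnets=(), provides=(), consumes=()):
    """fvAEPg bound to a BD. A subnet here is reachable only from this EPG."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}, *subnets]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def tenant(name, vrfs, bds, epgs, ap="app"):
    """fvTenant with its VRFs (fvCtx), BDs and one application profile (fvAp)."""
    children = [{"fvCtx": {"attributes": {"name": v}}} for v in vrfs]
    children += list(bds)
    children.append({"fvAp": {"attributes": {"name": ap}, "children": list(epgs)}})
    return {"fvTenant": {"attributes": {"name": name}, "children": children}}


def network_centric():
    """Reason 1: one BD per EPG, gateway on the BD, so a second EPG bound to
    the same BD later would share the subnet without re-homing the gateway."""
    return tenant("dev", ["vrf1"],
                  [bridge_domain("bd-web", "vrf1", [subnet("10.1.1.1/24")])],
                  [epg("web", "bd-web")])


def shared_service(subnet_on_epg=True):
    """Reason 2: 'db' in vrf1 provides a contract consumed only by 'app' in vrf2.
    The leaked subnet belongs under the provider EPG, flagged shared."""
    db_sub = subnet("10.2.2.1/24", shared=True)
    bds = [bridge_domain("bd-db", "vrf1", [] if subnet_on_epg else [db_sub]),
           bridge_domain("bd-app", "vrf2", [subnet("10.3.3.1/24", shared=True)])]
    epgs = [epg("db", "bd-db", [db_sub] if subnet_on_epg else [], provides=["db-svc"]),
            epg("app", "bd-app", consumes=["db-svc"])]
    return tenant("dev", ["vrf1", "vrf2"], bds, epgs)


def check_shared_provider_subnets(tn):
    """Return findings for contracts crossing VRFs where the provider EPG has
    no 'shared' fvSubnet of its own (the one-way provider/consumer case)."""
    bd_vrf, epgs = {}, {}
    for child in tn["fvTenant"]["children"]:
        if "fvBD" in child:
            bd = child["fvBD"]
            ctx = [c for c in bd["children"] if "fvRsCtx" in c][0]
            bd_vrf[bd["attributes"]["name"]] = ctx["fvRsCtx"]["attributes"]["tnFvCtxName"]
        elif "fvAp" in child:
            for e in child["fvAp"]["children"]:
                a = e["fvAEPg"]
                info = {"bd": None, "prov": set(), "cons": set(), "shared": False}
                for c in a["children"]:
                    if "fvRsBd" in c:
                        info["bd"] = c["fvRsBd"]["attributes"]["tnFvBDName"]
                    elif "fvRsProv" in c:
                        info["prov"].add(c["fvRsProv"]["attributes"]["tnVzBrCPName"])
                    elif "fvRsCons" in c:
                        info["cons"].add(c["fvRsCons"]["attributes"]["tnVzBrCPName"])
                    elif "fvSubnet" in c:
                        flags = c["fvSubnet"]["attributes"]["scope"].split(",")
                        info["shared"] = info["shared"] or "shared" in flags
                epgs[a["attributes"]["name"]] = info
    findings = []
    for pname, p in epgs.items():
        for cname, c in epgs.items():
            crossing = p["prov"] & c["cons"]
            if crossing and bd_vrf[p["bd"]] != bd_vrf[c["bd"]] and not p["shared"]:
                findings.append(f"{pname} provides {sorted(crossing)} to {cname} across "
                                f"VRFs but has no shared subnet under the EPG")
    return findings


if __name__ == "__main__":
    print(json.dumps(network_centric(), indent=1))
    print(check_shared_provider_subnets(shared_service(subnet_on_epg=False)))
```

The payloads are what you would POST to `/api/mo/uni.json` on the APIC; the check runs over the same structure before posting and only covers the one-way case from the reply (the provided-and-consumed-both-ways case, where BD subnets are fine, is not flagged).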

Thanks Joey!

I probably do fall more into the "network centric" model.  One minor variation in our case is that we have one BD per tenant, but multiple EPGs for each tenant, each with its own subnet... is it best practice to have one BD per EPG (and EPG subnet)?

As for route leaking, we have a single L3Out that's shared by all tenants.  Any (EPG) subnets that need to be available outside the datacenter are marked as Shared and Advertised which allows them to route out to the firewall for policy and site-to-site VPNs as needed.  Any/all Inter-tenant communications passes through the firewall rather than being governed by contracts.

I don't know if this is a "proper" design, but it suits our needs so far... I guess I haven't fully digested ACI's full capabilities.

There isn't really a "best practice" in regards to the network centric design, since both are supported.  Most customers migrate to ACI with this approach since it's the easiest concept to understand coming from a traditional network model.  Did you mean to say that you only have 1 VRF per tenant, or 1 BD per tenant?

I would definitely recommend splitting some of the EPGs up into their own BD to avoid unnecessary flooding to all EPGs, depending on the BD config.

Looks like for the L3Out design, this is considered a "shared L3Out" and is the best practice for EPGs in multiple VRFs to be able to use the same L3Out.

Joey

Thanks Joey.

In fact, each tenant has a single VRF and a single BD, with multiple EPGs.

I could see some value in defining more BDs, one for each EPG I guess in our model.

You are correct about the L3out.

Interesting stuff!  cheers!
