Re: Vlan configuration for ACI L2out

sridcloud · ‎03-22-2023

I would like to cable a customer switch into the ACI leaf node. I have a hypervisor physical system cabled to the leaf node as well. I would like to set up an L2OUT between these two so that they can communicate on a shared IP address space. Should I place both sides on the same VLAN? Or is it ok if they are on different VLANS?

RedNectar · ‎03-22-2023

Hi @sridcloud ,

Firstly - don't use L2Outs ever!

Use regular Application EPGs instead, they do EVERYTHING that a L2Out can do, particularly what you want to do - which is to use two different VLANs for the same EPG

So to address your question

I would like to cable a customer switch into the ACI leaf node. I have a hypervisor physical system cabled to the leaf node as well. I would like to set up an L2OUT between these two so that they can communicate on a shared IP address space. Should I place both sides on the same VLAN?

IF YOU REALLY MUST USE A L2OUT, then <Edit 2023.03.24:> you will not only have to use a different VLAN, you'll need to ALSO create a contract to allow the L2OUT to communicate with the VMs ~~YES you MUST put both on the same VLAN. But of course, if they are on the same VLAN, then the communication will occur on the L2 switch, and the packets will never reach ACI anyway.~~ </edit>

Or is it ok if they are on different VLANS?

If you follow my advice, i.e. use Application EPGs then you have two choices (assuming the Hypervisor and L2 switch are cabled to different ports in ACI)

Use the same VLAN for each, just map both port/VLAN combinations to the same EPG
Use different VLANs for each, just map both port/VLAN combinations to the same EPG
BONUS OPTION: Create an application EPG for each set and map a different VLAN to each EPG. You can then create a contract between the EPGs to allow all traffic (or just certain traffic).

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

sridcloud · ‎03-23-2023

Hi @RedNectar Thanks so much for a quick response. We would like to keep this connectivity on different VLANs and yes the Hypervisor and L2Switch are connected to different ports of ACI. We will look at the Application EPG.

If we must use the same VLAN, you said "the communication will occur on the L2 switch and packets will never reach ACI anyway" what does this mean? Does this mean whatever is connected to the L2 switch will not be able to communicate to the VMs on the connected hypervisor, is it?

RedNectar · ‎03-23-2023

Hi @sridcloud ,

My mistake

If we must use the same VLAN, you said "the communication will occur on the L2 switch and packets will never reach ACI anyway" what does this mean? Does this mean whatever is connected to the L2 switch will not be able to communicate to the VMs on the connected hypervisor, is it?

When I wrote that I (for some reason) what thinking that the hypervisor was also attached to the customer switch - I later realised that they weren't, and adjusted part of my answer, but not that bit.

Sorry. I'll edit my original response so I future readers don't get confused.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

sridcloud · ‎03-23-2023

@RedNectar Refer to this video https://www.youtube.com/watch?v=xKxplvVa1xw&t=163s and comment by Joel Guillerm. If the same VLANs are used, an error occurs. This is why I posted the above message to get clarification. Can you comment on this?

RedNectar · ‎03-23-2023

Hi @sridcloud ,

The comment by Joel is:

"it seems you cannot use the same VLAN id on the L2OUT as the one you set on the associated EPG ; when we do so, we got the well known message F0467 telling : " Configuration failed due to Encap Already Used in Another EPG," If we put a different VLAN id on the L2OUT, no fault message occurs"

which simply re-enforces my rule #1 from my first reply

"Firstly - don't use L2Outs ever!"

I should have added rule #2 as well

Rule 2: Don't ever use L2Outs

I'm hoping by now you get the idea I'm not a fan of L2Outs!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

sridcloud · ‎03-27-2023

For my work, I prefer the vlan id not to match on both sides. The requirement, in my case, is to let a network created in ACI with an independent vlan id and be able to connect it to another network with the same or different vlan id and using a common L3 IP address space.

RedNectar · ‎03-31-2023

Hi @sridcloud ,

For my work, I prefer the vlan id not to match on both sides. The requirement, in my case, is to let a network created in ACI with an independent vlan id and be able to connect it to another network with the same or different vlan id and using a common L3 IP address space.

Easy to do in ACI on ONE condition:

The interfaces that the traffic enters ACI for a particular EPG MUST be on different interfaces. I.e, you cant have traffic on VLAN 10 and VLAN 20 being classified to EPG1 if both VLAN 10 and VLAN 20 enter ACI on the same port.

IF VLAN 10 enters on say, interface eth1/10 and VLAN 20 enters on say, interface eth1/20, then you simply map VLAN 10 on interface eth1/10 to EPG1, then map VLAN 20 on interface eth1/20 to EPG1 also.

Of course, you can't do that using L2Outs - which is why I hate them so much.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.