
VLAN POOLS

Hello,
Why do we need VLAN POOLS if we already have Bridge domains in cisco ACI?

Accepted Solution

RedNectar
VIP

Hi @Suprit Chinchodikar,

Where do I start?

Firstly, Bridge Domains have nothing to do with VLANs directly.  So there's a reason right off the bat.  But I suspect your question reveals a deeper confusion with ACI.

Lesson 1. 802.1Q VLAN Tags

Forget whatever you learned about VLANs before ACI.  Before ACI, you were taught that

  1. VLANs were a broadcast domain. 
  2. The 802.1Q VLAN tag identifies the VLAN/Broadcast Domain
  3. Each 802.1Q VLAN tag identifies exactly one VLAN
    • This limits the total VLAN count for the system to 4095

In ACI, 

  1. Broadcast Domains are defined by Bridge Domains, and have NOTHING to do with 802.1Q VLAN tags
  2. 802.1Q VLAN tags are used to identify the End Point Group (EPG)
  3. An EPG can have more than one 802.1Q VLAN tag used to identify traffic for that EPG (typical scenario, a statically allocated VLAN tag for bare metal servers and a different VLAN tag for VMs)
  4. The SAME 802.1Q VLAN tag can be used to identify DIFFERENT EPGs on different switches (even on the same switch if necessary). Typically, this case would equate to two different Tenants using the same VLAN tag for two different EPGs

Now there IS a link between EPGs and Bridge Domains - every EPG must be linked to a BD. But it is possible (and sometimes very desirable) to have multiple EPGs linked to the same BD - and I already mentioned that more than one VLAN tag can be used to identify an EPG.

This means that a BD may have multiple VLAN tags defining traffic for that BD - which as I mentioned earlier is the equivalent of a broadcast domain in ACI.

This fact may prompt you to ask: Does that mean that a broadcast sent on one legacy VLAN can end up on another legacy VLAN?

Answer. Yes, and given that an EPG may be represented by multiple VLAN tags, this is a very desirable design feature of ACI.  If endpoint 10.1.1.10 was statically mapped to EPG1 on VLAN 10, and 10.1.1.11 was dynamically mapped to the same EPG1 on VLAN 100, you'd want them to be able to see each other's broadcasts.

But there is a bit more to it than that.  ACI has several tweaks that reduce the number of broadcasts seen by endpoints, and to restrict broadcasts to a single VLAN encapsulation if that is required.  But that is a whole new topic which you will find I have written about many times before on this forum.

Lesson 2. VLAN Pools

Before ACI, you were taught that you could use any VLAN ID in the range 1-4094 (with some vendor restrictions and with VLAN 1 often being "special") on a switch. There was no configuration option that restricted you to using say ONLY VLAN IDs 100-199.

Every time you configured a NEW switch, it was up to you to make sure that 

  1. the VLAN IDs and names were consistent across switches
  2. paths between switches were configured to carry 802.1Q VLAN tags for any VLANs shared between the switches.  Many vendors (including Cisco) referred to inter-switch connecting ports as trunk ports

In ACI, you have the ability to allocate restricted ranges of VLAN IDs by using VLAN Pools. So when a VLAN is allocated to an EPG, that VLAN must be part of a VLAN Pool.  So the administrator has the ability to restrict which VLANs are available for use.

In ACI, the VLAN configuration is allocated dynamically, so you don't need to worry about whether VLAN10 is the same on one switch as it is on another. All you care about are the EPGs and which VLANs map to that EPG.


Note: There are some restrictions about using the same VLAN ID for more than one EPG on a single switch. Topic for another day.



RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
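The two lessons above (VLAN tags identify EPGs rather than broadcast domains; an EPG's encap must come from a VLAN pool) can be modelled in a few lines. The following is an added example written for this page, not code from the post above and not Cisco's APIC object model or Cobra SDK. All tenant, EPG, BD, pool and leaf names are constructed, and the "same VLAN ID for a different EPG on the same leaf" check is a simplification of the restriction the answer defers to "another day", not a statement of the exact APIC rule.

```python
"""Toy model of the ACI objects discussed in the post: VLAN pools, domains,
EPGs, bridge domains and static path bindings.  Constructed illustration,
not the APIC data model; runs offline on the sample objects built below."""
from dataclasses import dataclass, field


@dataclass
class VlanPool:
    name: str
    ranges: list  # list of (low, high) inclusive VLAN ID ranges

    def contains(self, vlan: int) -> bool:
        return any(lo <= vlan <= hi for lo, hi in self.ranges)


@dataclass
class Domain:            # physical or VMM domain, each tied to one VLAN pool
    name: str
    pool: VlanPool


@dataclass
class Epg:
    name: str            # tenant-qualified, e.g. "TenantA/EPG1" (constructed)
    bd: str              # every EPG is linked to exactly one BD
    domains: list        # domains associated with the EPG


@dataclass
class Binding:           # static path binding: (leaf node, interface, encap) -> EPG
    node: int
    interface: str
    vlan: int
    epg: str


@dataclass
class Fabric:
    epgs: dict = field(default_factory=dict)     # name -> Epg
    bindings: list = field(default_factory=list)


def validate_binding(fabric: Fabric, b: Binding) -> list:
    """Return the reasons a binding is invalid (empty list means it is accepted)."""
    problems = []
    epg = fabric.epgs.get(b.epg)
    if epg is None:
        return [f"unknown EPG {b.epg}"]
    if not 1 <= b.vlan <= 4094:
        problems.append(f"VLAN {b.vlan} outside 802.1Q range 1-4094")
    # Lesson 2: the encap must belong to a VLAN pool reachable through a
    # domain associated with the EPG.
    if not any(d.pool.contains(b.vlan) for d in epg.domains):
        problems.append(f"VLAN {b.vlan} not in any VLAN pool of a domain on {b.epg}")
    # Simplified stand-in for the "same VLAN ID for more than one EPG on a
    # single switch" restriction: reuse on the same leaf for a different EPG
    # is treated as a conflict.  Assumption of this model, not an APIC rule.
    for other in fabric.bindings:
        if other.node == b.node and other.vlan == b.vlan and other.epg != b.epg:
            problems.append(f"VLAN {b.vlan} already maps to {other.epg} on node {b.node}")
    return problems


def add_binding(fabric: Fabric, b: Binding) -> list:
    problems = validate_binding(fabric, b)
    if not problems:
        fabric.bindings.append(b)
    return problems


def broadcast_domain_members(fabric: Fabric, bd: str) -> set:
    """Lesson 1: every (node, interface, vlan) whose EPG is linked to `bd`,
    i.e. the ports and tags that share one ACI broadcast domain (ignoring
    the flood-reduction knobs the post mentions)."""
    return {(b.node, b.interface, b.vlan) for b in fabric.bindings
            if fabric.epgs[b.epg].bd == bd}


def build_sample_fabric() -> Fabric:
    """Constructed sample modelled on the post's EPG1 example."""
    pool_bm = VlanPool("BareMetal-Pool", [(10, 19)])
    pool_vmm = VlanPool("VMM-Pool", [(100, 199)])
    pool_b = VlanPool("TenantB-Pool", [(10, 19)])
    f = Fabric()
    f.epgs["TenantA/EPG1"] = Epg("TenantA/EPG1", "TenantA/BD1",
                                 [Domain("PhysDom-A", pool_bm), Domain("VMM-A", pool_vmm)])
    f.epgs["TenantB/EPG9"] = Epg("TenantB/EPG9", "TenantB/BD9", [Domain("PhysDom-B", pool_b)])
    # 10.1.1.10 statically on VLAN 10 and a VM on VLAN 100, both in EPG1
    add_binding(f, Binding(101, "eth1/1", 10, "TenantA/EPG1"))
    add_binding(f, Binding(101, "eth1/2", 100, "TenantA/EPG1"))
    # The same VLAN tag 10 reused by a different tenant on a different leaf
    add_binding(f, Binding(102, "eth1/1", 10, "TenantB/EPG9"))
    return f


if __name__ == "__main__":
    fab = build_sample_fabric()
    print(sorted(broadcast_domain_members(fab, "TenantA/BD1")))
    print(add_binding(fab, Binding(101, "eth1/3", 50, "TenantA/EPG1")))   # VLAN 50 not in a pool
    print(add_binding(fab, Binding(101, "eth1/4", 10, "TenantB/EPG9")))   # VLAN 10 reused on leaf 101
```

Running it shows VLAN 10 and VLAN 100 on leaf 101 sharing TenantA/BD1 while VLAN 10 on leaf 102 belongs to a different tenant's BD, a binding on VLAN 50 rejected because no pool on EPG1's domains contains it, and the same-leaf reuse of VLAN 10 for a second EPG flagged under the model's simplified rule.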


3 Replies


@RedNectar,

Thanks for the brief explanation.

davidadam63871
Level 1

Great question! VLAN Pools and Bridge Domains serve different purposes within Cisco ACI. While Bridge Domains provide Layer 2 forwarding and address isolation for endpoints, VLAN Pools are used to define a range of VLAN IDs that can be dynamically assigned to EPGs (Endpoint Groups). This flexibility is especially useful in large-scale environments where automated VLAN assignment helps manage network resources more efficiently. Think of it like having a pool builder for your VLANs—where the system dynamically assigns and manages VLANs, ensuring optimal usage without manual intervention. This separation of roles helps maintain a scalable and organized network infrastructure.
