We are in the process of migrating to ACI from legacy 7K with 2 VDCs

joeharb
Level 5

We have a large portion of Layer 2 for 2 separate VDCs (Core and DMZ) migrated to ACI utilizing 2 respective physical domains with no vlan overlap and separate uplinks to the 7Ks for the 2 VDCs.  We also have UCS connected to ACI for both environments and this also uses independent port-channels from ACI to UCS.

We now have been asked to present a vlan from both CORE and DMZ to an end device within ACI.  Would it be possible to create a new AAEP with 2 vlan pools that contain the respective VLAN and then associate that AAEP to the uplinks attached to this new device?

I assume I would need to add these 2 vlan pools to their respective Physical domains for upstream connectivity to the 7K's.

Please let me know if I need to explain more or if you have any questions,

Joe

6 Replies

RedNectar
VIP Alumni

Hi @joeharb ,

When you think about "who sees what" in ACI - forget about VLANs, VLAN Pools and AAEPs.  It's all about End Point Groups (EPGs)

We now have been asked to present a vlan from both CORE and DMZ to an end device within ACI. 

OK. "A" VLAN. Or TWO VLANs - one from Core and one from DMZ? I'm going to guess TWO VLANs need to reach an End Point with two NICs, or at least two IP addresses on one NIC.

Each of those VLANs will be mapped to an EPG in ACI.  To allow that device to see both EPGs, you just need to map the interface(s) by which the End Point attaches to both EPGs. Simple. Job done. But...

  • If the EP is a VM, give it two NICs and map each NIC to the portgroup/VLAN that maps to the EPG
  • If the end point connects directly to ACI - no intervening switches/vSwitches, then (assuming the EP has only ONE NIC), you'll have to make sure the end device has each IP address mapped to the appropriate VLAN. Then map one VLAN to one EPG and the other VLAN to the other EPG
  • NOTE - If the VLAN from the Core is say VLAN 10, and the VLAN from the DMZ is VLAN 20
    • And Core_EPG has a static mapping on some physical port for VLAN 10
    • And DMZ_EPG has a static mapping on some physical port for VLAN 20
    • AND for some reason you don't want to allow VLAN 10 or 20 on the physical port that reaches the "end device" you speak of
    • THEN - there's nothing stopping you from mapping VLAN 11 to Core_EPG and VLAN 12 to DMZ_EPG on the physical port that "end device" attaches via, and then mapping VLAN 11 & 12 to the appropriate interfaces on the "end device"
    • The point of this is that in ACI, devices don't NEED to be on the same VLAN to be in the same EPG and still see each other at Layer 2

After that, the rest of this is irrelevant and unnecessary

Would it be possible to created a new AAEP with 2 vlan pools that contain the respective VLAN and then associate that AAEP to the uplinks attached to this new device?

I assume I would need to add these 2 vlan pools to their respective Physical domains for upstream connectivity to the 7K's.


 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

khorram1998
Level 1

Yes, it is possible to create a new Application Profile (AAEP) with two VLAN pools and associate it with the uplinks attached to the new end device. The new AAEP would need to be created with the VLAN pools that contain the VLANs from both the Core and DMZ environments.

You would also need to add these VLAN pools to their respective Physical domains for upstream connectivity to the 7Ks. Additionally, you would need to create a BD and EPG for the new end device and associate it with the appropriate AAEP.

In order for the end device to communicate with the VLANs from both the Core and DMZ environments, you would also need to configure appropriate VLAN mapping and VLAN encapsulation on the Leaf switches.

It's important to keep in mind that this configuration would allow the end device to communicate with the VLANs from both the Core and DMZ environments, but it would not allow communication between the VLANs themselves. In order to achieve that, you would need to configure additional policies such as EPG-to-EPG connectivity and VLAN Translation.

Please let me know if you have any further questions or if you need more clarification.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

joeharb
Level 5

Thanks so much for your response, I think I have a good understanding of how to implement this...

Create 2 VLAN pools that consist of the respective vlans for both CORE and DMZ.

Create a new physical Domain that consists of the New Vlan Pools.

Associate the Domain to a new AAEP and assign that to the uplink ports to the new device.

Associate the new Vlan Pools to respective physical domain that will allow them access to their proper VDC.

Create EPGS with appropriate static epg binding for both new device and uplink to VDC.

Sound correct?

Thanks,

Joe

Hi @joeharb ,

I realise I made a mistake when I gave my first answer: I talked about default gateways in ACI. On re-reading I see that you have:

"We have a large portion of Layer 2 for 2 separate VDC's (Core and DMZ) migrated to ACI utilizing 2 respective physical domains with no vlan overlap and separate uplinks to the 7K's for the 2 VDC's."

I missed the Layer 2 part of your description (sorry). But, since the Core and DMZ have already been migrated to ACI, let's draw that - but I'm going to have to assume that the Core and DMZ have VLANs mapped to EPGs already.  I'll use VLANs A, B, C & D as a representative sample of what must be there. (Note VLAN C (Core) and VLAN D (DMZ) - just to help with thinking).  You didn't say you were using two AAEPs, but I'll assume you are.

Diagram 1 - Assumed current Core/DMZ design (image not reproduced)

Next you say

"We also have UCS connected to ACI for both environments and this also uses independent port-channels from ACI to UCS."

I have no idea how this is relevant, unless the End Point you talk about later lives here

Moving on:

"We now have been asked to present a vlan from both CORE and DMZ to an end device within ACI."

OK. So there is another End Point somewhere, already in ACI (perhaps via the UCS??) - I guess where doesn't matter, but let me add that to the picture. If it is already in ACI, then it MUST already have a VLAN Pool and Physical Domain (or VMM Domain) as well as an AAEP linking it to a Policy Group etc and be in an EPG so therefore already has a VLAN associated.  I'll add this "end device within ACI" marking its EXISTING EPG, Domain, AAEP and VLAN with ???

Diagram 2 - Assumed current design with "end device within ACI" added (image not reproduced)

Is this an accurate picture of your existing setup? 

If it IS an accurate diagram, then most of what I said before holds true. Simply add additional mappings for that existing EPG wherever the "end device within ACI" lives. Like this:

Diagram 3 - New design with "end device within ACI" added to Core EPG1 and DMZ EPG1 (image not reproduced)

If I haven't missed something in your description, all you need to do is

  1. Add VLAN C and VLAN D to the existing ??? Physical Domain
  2. Link the ??? Physical Domain to the Core EPG1
  3. Map Core EPG1 via VLAN C to the interface where "end device within ACI" lives
  4. Link the ??? Physical Domain to the DMZ EPG1
  5. Map DMZ EPG1 via VLAN D to the interface where "end device within ACI" lives
  6. Make sure the "end device within ACI" has interfaces with appropriate IP addressing and static mapping to the gateway IPs of VLAN C and VLAN D - i.e. the "end device within ACI" will need 3 NICs - one mapped to VLAN ???, one to VLAN C and one to VLAN D

Given that no new physical interfaces are being mapped you don't need any more Physical Domain or any more AAEPs, nor is there any need to add more interface selectors or Interface Policy Groups. And if there are no more Interface Policy Groups, then any new AAEP is going to be an island and connect to nothing. 

So now to your last reply

Create 2 VLAN pools that consist of the respective vlans for both CORE and DMZ.

Don't do that. IF this is a NEW connection (as you indicate later), just create ONE VLAN Pool with both VLANs in it.

Create a new physical Domain that consists of the New Vlan Pools.

Again - if this is a NEW connection, you'll add a new Physical Domain, but you can only link a Physical Domain to ONE VLAN Pool

Associate the Domain to a new AAEP and assign that to the uplink ports to the new device.

What New device? There was no new device in your original description - just an "end device within ACI". If there is indeed a new device, I'll replace ??? with NEW and the diagram is simplified to

Diagram 4 - New design with "NEW device NOT YET within ACI" added to Core EPG1 and DMZ EPG1 (image not reproduced)

Associate the new Vlan Pools to respective physical domain that will allow them access to their proper VDC.

Well. That's what you did already with the last 3 steps.

Create EPGS with appropriate static epg binding for both new device and uplink to VDC.

You don't need new EPGs - the whole point is you want to give this device access to the existing EPGs

RedNectar aka Chris Welsh.
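The two replies above describe the dependency chain that decides whether a static EPG binding actually deploys: VLAN pool, physical domain (one pool per domain), AAEP, interface policy group, and finally the EPG's domain association and static path binding. The following is an added example, not code from the thread or from Cisco: a small Python model of that chain that reports, for the Diagram 4 topology, which bindings would be deployable and which would fault. It covers both the point from the first reply (members of one EPG need not share an encap VLAN) and the two warnings from the second (a domain links to exactly one VLAN pool; an AAEP referenced by no interface policy group is an island). Port names (eth1/1, eth1/2, eth1/10), VLAN IDs 10/20 and 11/12, and the object names are assumptions chosen to match the diagrams; the model ignores VLAN scope, access/trunk mode and allocation mode.

```python
"""Toy model of the ACI access-policy chain discussed in the thread (added
example, not Cisco's code).  Object names follow the thread; VLAN IDs and
ports are made up.

  VLAN pool -> physical domain -> AAEP -> interface policy group -> leaf port
  EPG -> domain association, and EPG -> static path binding (port, encap VLAN)

A static binding is deployable only when the port's policy group carries an
AAEP whose domain is also attached to the EPG, and that domain's ONE VLAN pool
contains the encap.  Anything else is what APIC raises a fault on the EPG for.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VlanPool:
    name: str
    vlans: frozenset                      # static-allocation VLAN IDs


@dataclass(frozen=True)
class PhysDomain:
    name: str
    pool: VlanPool                        # a domain references exactly ONE pool


@dataclass
class AAEP:
    name: str
    domains: Set[PhysDomain] = field(default_factory=set)


@dataclass
class PolicyGroup:
    name: str
    aaep: Optional[AAEP]                  # None = policy group with no AAEP
    ports: Set[str]                       # ports picked up by its interface selector


@dataclass
class EPG:
    name: str
    domains: Set[PhysDomain]              # domain associations on the EPG
    bindings: List[Tuple[str, int]]       # static path bindings (port, encap VLAN)


class Fabric:
    def __init__(self, policy_groups: Iterable[PolicyGroup]):
        self.policy_groups = list(policy_groups)

    def domains_on_port(self, port: str) -> Set[PhysDomain]:
        """Domains reachable from a port: port -> policy group -> AAEP -> domains."""
        found: Set[PhysDomain] = set()
        for pg in self.policy_groups:
            if port in pg.ports and pg.aaep is not None:
                found |= pg.aaep.domains
        return found

    def check_binding(self, epg: EPG, port: str, vlan: int) -> str:
        """Return '' when the binding is deployable, else a one-line fault text."""
        shared = self.domains_on_port(port) & epg.domains
        if not shared:
            return f"{epg.name}: {port} reaches no domain attached to the EPG"
        if not any(vlan in d.pool.vlans for d in shared):
            return f"{epg.name}: encap vlan-{vlan} on {port} is in no pool of a shared domain"
        return ""

    def faults(self, *epgs: EPG) -> List[str]:
        return [f for epg in epgs for port, vlan in epg.bindings
                if (f := self.check_binding(epg, port, vlan))]


def build(core_vlans: Iterable[int], dmz_vlans: Iterable[int], new_vlans: Iterable[int],
          core_encap: int = 10, dmz_encap: int = 20, new_aaep_attached: bool = True) -> List[str]:
    """Diagram 4: Core/DMZ uplinks already in ACI on eth1/1 and eth1/2, plus a
    NEW device on eth1/10 that must see Core VLAN C (10) and DMZ VLAN D (20)."""
    core_dom = PhysDomain("Core_PhysDom", VlanPool("Core_Pool", frozenset(core_vlans)))
    dmz_dom = PhysDomain("DMZ_PhysDom", VlanPool("DMZ_Pool", frozenset(dmz_vlans)))
    new_dom = PhysDomain("NEW_PhysDom", VlanPool("NEW_Pool", frozenset(new_vlans)))
    new_aaep = AAEP("NEW_AAEP", {new_dom})
    fabric = Fabric([
        PolicyGroup("PG_Core_7K", AAEP("Core_AAEP", {core_dom}), {"eth1/1"}),
        PolicyGroup("PG_DMZ_7K", AAEP("DMZ_AAEP", {dmz_dom}), {"eth1/2"}),
        PolicyGroup("PG_NEW", new_aaep if new_aaep_attached else None, {"eth1/10"}),
    ])
    core_epg = EPG("Core_EPG1", {core_dom, new_dom}, [("eth1/1", 10), ("eth1/10", core_encap)])
    dmz_epg = EPG("DMZ_EPG1", {dmz_dom, new_dom}, [("eth1/2", 20), ("eth1/10", dmz_encap)])
    return fabric.faults(core_epg, dmz_epg)


def recommended() -> List[str]:
    """Final design from the thread: VLANs 10/20 in the NEW pool AND in the
    existing Core/DMZ pools; one pool, one domain, one AAEP for the new device."""
    return build({10}, {20}, {10, 20})                                  # -> []


def different_encap_same_epg() -> List[str]:
    """The new device uses VLAN 11/12 on its own port: still deployable,
    members of one EPG need not share an encap to be in the same L2 domain."""
    return build({10}, {20}, {11, 12}, core_encap=11, dmz_encap=12)     # -> []


def new_vlans_missing_from_core_pool() -> List[str]:
    """VLAN 10 never added to the existing Core pool: the 7K-facing binding on
    eth1/1 faults, while the new device's own binding is fine."""
    return build(set(), {20}, {10, 20})


def island_aaep() -> List[str]:
    """NEW_AAEP exists but no interface policy group references it: eth1/10
    reaches no domain, so both bindings on it fault."""
    return build({10}, {20}, {10, 20}, new_aaep_attached=False)
```

Running the four scenarios is the same check you would otherwise do by reading the EPG's faults after pushing the config: `recommended()` and `different_encap_same_epg()` return no faults, `new_vlans_missing_from_core_pool()` returns one fault for eth1/1, and `island_aaep()` returns two for eth1/10. The single `pool` field on `PhysDomain` is what encodes the "one VLAN pool per physical domain" constraint from the reply above.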

Thank you so much for your detailed response, very helpful.

To clarify, the 2 VLANs do not currently exist in ACI, so your Diagram 4 looks correct.  Maybe I'm thinking about this wrong, but wouldn't I need to include the new VLANs in their respective Pools (CORE/DMZ) as well to allow for them to reach layer 2 devices outside of ACI?

Thanks 

Joe

Hi @joeharb ,


To clarify, the 2 VLANs do not currently exist in ACI, so your Diagram 4 looks correct.  Maybe I'm thinking about this wrong, but wouldn't I need to include the new VLANs in their respective Pools (CORE/DMZ) as well to allow for them to reach layer 2 devices outside of ACI?

Correct. Here's an updated diagram

Updated diagram - Diagram 4 with the new VLANs also added to the existing Core and DMZ pools (image not reproduced)

RedNectar aka Chris Welsh.
