When ACI is not the Gateway for EPGs

Hi,

 

If my ACI is acting as layer 2 for the EPGs and Firewall is connected to ACI acting as a gateway for all the EPGs connected to the ACI.

Do I really need to have one BD per EPG, or can I have multiple EPGs in the same BD if I want?

We need to enable ARP Flooding.

I can tag multiple EPGs to one interface of the firewall, and the FW interface will act as a trunk for the VLANs (that are mapped to the EPGs).

We still do not need a contract between the EPGs because routing will be handled by the firewall when there is one EPG in one BD.

Do we need contracts between EPGs when we have multiple EPGs in one BD? But no broadcast will affect other EPGs within the same BD.

What are the possible concerns & consequences If I have multiple EPGs in one BD?

Please share your inputs

 

Regards,

Anser 


6 Replies

dpita (Cisco Employee)

Hello

Yes, you can have multiple EPGs in the same BD, and yes, you can turn on ARP Flooding for that BD.

Technically, in a normal scenario where the fabric is the GW, you would still need contracts between the EPGs even if it's one BD. Secondly, broadcasts are not bound to an EPG; they are bound by a BD.

There are really no problems with having multiple EPGs in one BD. The only concern I would have is all the flooding, since the gateway is outside and that kind of defeats a couple of the nice features ACI provides (distributed default gateway and directed ARPs), but the flooding should be no more than in any traditional network, so no problems, concerns or consequences occur to me immediately.

What other questions do you have?

 

Thanks dpita for your quick response. 

 

What is the technical need for contracts between the EPGs when these EPGs have different subnets and the gateways are outside the fabric, e.g. the firewall is the gateway? These EPGs belong to one BD.

Routing between the subnets should be handled by the firewall. Do we still need the contracts?

 

Regards,

Anser

 

 

I have BD1=EPG1=192.168.1.0/24=APP, BD2=EPG2=192.168.2.0/24= DB. If my ACI is acting as layer 2 for the EPGs and Firewall is connected to ACI acting as a gateway for all the EPGs connected to the ACI.
Do we need a contract between the EPGs?

Hapham2517, 

If FW is the gateway for both EPGs, then simply place the FW into both EPG. Each BD would be pure L2 (disable unicast routing) and set unknown L2 unicast mode to flood.

No need for contracts for 2 reasons: 

1. The BDs would be L2. There would be no way that the endpoints could talk outside of the BD without an external L3 device plugged in

2. ACI would not apply policy for traffic between FW and endpoints because it is intra-EPG
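The two accepted answers above (multiple EPGs sharing one BD with ARP flooding on, and a pure-L2 BD with unicast routing disabled, unknown unicast set to flood, and the firewall placed in every EPG) map onto a handful of APIC object attributes. The script below, an added example that is not code from this thread or from Cisco, builds that tenant tree as the JSON the APIC REST API accepts and lints a bridge domain against the three settings the design relies on. Tenant, BD, EPG, VLAN and interface names are constructed placeholders; fvTenant, fvBD, fvAEPg, fvRsBd, fvRsPathAtt and the attributes arpFlood, unicastRoute and unkMacUcastAct are the real APIC class and attribute names. It does not talk to an APIC; posting the payload to /api/mo/uni.json is left to the reader.

```python
import json
from typing import Dict, List

# Bridge-domain settings for the "external firewall is the gateway" design.
# APIC defaults are the opposite on every one of these (hardware proxy, ARP
# flooding off, unicast routing on), so a BD left at defaults will not behave
# like a plain L2 segment.
L2_ONLY_BD = {
    "arpFlood": "yes",          # ARP must be flooded: the fabric does not own the gateway IP
    "unicastRoute": "no",       # fabric must not route; inter-subnet routing stays on the firewall
    "unkMacUcastAct": "flood",  # unknown unicast flooded, as on a traditional L2 switch
}


def build_tenant(tenant: str, bd: str, epgs: Dict[str, str], fw_path: str) -> dict:
    """Build an fvTenant tree: one L2 BD, one EPG per VLAN, firewall trunk port in every EPG.

    epgs maps EPG name -> VLAN encap (e.g. "vlan-10").  Every EPG is bound to the
    same BD via fvRsBd, and the firewall's leaf port is statically attached to each
    EPG as a tagged member (mode "regular"), so the one FW interface trunks all VLANs.
    """
    epg_objs: List[dict] = []
    for name, encap in epgs.items():
        epg_objs.append({"fvAEPg": {"attributes": {"name": name}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
            {"fvRsPathAtt": {"attributes": {"tDn": fw_path, "encap": encap, "mode": "regular"}}},
        ]}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvBD": {"attributes": {"name": bd, **L2_ONLY_BD}}},
        {"fvAp": {"attributes": {"name": f"{tenant}-ap"}, "children": epg_objs}},
    ]}}


def lint_bd(bd_attrs: dict) -> List[str]:
    """Report every BD attribute that deviates from the pure-L2 settings."""
    name = bd_attrs.get("name", "?")
    return [
        f"BD {name}: {attr}={bd_attrs.get(attr)!r}, expected {want!r}"
        for attr, want in L2_ONLY_BD.items()
        if bd_attrs.get(attr) != want
    ]


def epgs_per_bd(tree: dict) -> Dict[str, List[str]]:
    """Map each BD name to the EPGs bound to it (several EPGs per BD is allowed)."""
    result: Dict[str, List[str]] = {}
    for child in tree["fvTenant"]["children"]:
        if "fvAp" not in child:
            continue
        for epg in child["fvAp"]["children"]:
            node = epg["fvAEPg"]
            name = node["attributes"]["name"]
            for rel in node.get("children", []):
                if "fvRsBd" in rel:
                    result.setdefault(rel["fvRsBd"]["attributes"]["tnFvBDName"], []).append(name)
    return result


def lint_tenant(tree: dict) -> List[str]:
    """Lint every BD in the tenant and flag EPGs that carry no BD binding at all."""
    findings: List[str] = []
    bound = {e for names in epgs_per_bd(tree).values() for e in names}
    for child in tree["fvTenant"]["children"]:
        if "fvBD" in child:
            findings += lint_bd(child["fvBD"]["attributes"])
        elif "fvAp" in child:
            for epg in child["fvAp"]["children"]:
                name = epg["fvAEPg"]["attributes"]["name"]
                if name not in bound:
                    findings.append(f"EPG {name}: no fvRsBd, EPG is not bound to any BD")
    return findings


if __name__ == "__main__":
    # Constructed sample: APP and DB share one L2 BD; the firewall on leaf 101
    # port eth1/1 trunks both VLANs. Names and the path are placeholders.
    tree = build_tenant("Prod", "BD-L2", {"APP": "vlan-10", "DB": "vlan-20"},
                        "topology/pod-1/paths-101/pathep-[eth1/1]")
    print(json.dumps(tree, indent=2))          # payload for POST /api/mo/uni.json
    print("findings:", lint_tenant(tree))      # []
    print(epgs_per_bd(tree))                   # {'BD-L2': ['APP', 'DB']}
```

Running lint_bd against a BD still at APIC defaults (arpFlood "no", unicastRoute "yes", unkMacUcastAct "proxy") reports all three attributes, which is the usual reason an externally-routed design "works for some hosts but not others": hardware proxy drops unknown unicast that the firewall would otherwise have resolved by flooding.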

Thanks so much :)

Hey, is it a validated design? Is there any doc for that?
