04-03-2015 04:48 AM - edited 03-01-2019 04:49 AM
Hi,
If my ACI is acting as layer 2 for the EPGs and the firewall is connected to ACI, acting as the gateway for all the EPGs connected to the ACI:
Do I really need to have one BD for one EPG, or can I have multiple EPGs in the same BD if I want?
We need to enable ARP Flooding.
I can tag multiple EPGs to one interface of the firewall, and the FW interface will act as a trunk for the VLANs (that are mapped to the EPGs).
We still do not need a contract between the EPGs, because routing will be handled by the firewall when there is one EPG in one BD.
Do we need contracts between EPGs when we have multiple EPGs in one BD? But no broadcast will affect other EPGs within the same BD.
What are the possible concerns and consequences if I have multiple EPGs in one BD?
Please share your inputs.
Regards,
Anser
04-03-2015 05:44 AM
Hello
Yes, you can have multiple EPGs in the same BD, and yes, you can turn on ARP Flooding for that BD.
Technically, in a normal scenario where the fabric is the GW, you would still need contracts between the EPGs even if it's one BD. Secondly, broadcasts are not bound to an EPG; they are bound by a BD.
There are really no problems with having multiple EPGs in one BD. The only concern I would have is all the flooding, since the gateway is outside, which kind of defeats a couple of the nice features ACI provides (distributed default gateway and directed ARP), but the flooding should be no more than in any traditional network, so no problems, concerns or consequences occur to me immediately.
What other questions do you have?
04-03-2015 01:43 PM
Thanks dpita for your quick response.
What is the technical need for contracts between the EPGs when these EPGs have different subnets and the gateways are outside the fabric, e.g. the firewall is the gateway? These EPGs belong to one BD.
Routing between the subnets should be handled by the firewall. Do we still need the contracts?
Regards,
Anser
02-14-2017 07:12 PM
I have BD1=EPG1=192.168.1.0/24=APP, BD2=EPG2=192.168.2.0/24=DB. My ACI is acting as layer 2 for the EPGs and the firewall is connected to ACI, acting as the gateway for all the EPGs connected to the ACI.
Do we need a contract between the EPGs?
02-14-2017 08:36 PM
Hapham2517,
If the FW is the gateway for both EPGs, then simply place the FW into both EPGs. Each BD would be pure L2 (disable unicast routing), and set unknown L2 unicast mode to flood.
No need for contracts, for 2 reasons:
1. The BDs would be L2. There would be no way that the endpoints could talk outside of the BD without an external L3 device plugged in.
2. ACI would not apply policy for traffic between the FW and endpoints because it is intra-EPG.
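Added illustration, not code from this thread, from Cisco or from any ACI tooling: a small lint that checks a tenant snapshot against the design dpita describes in both answers (BD can hold several EPGs with ARP flooding on; when the firewall is the gateway, the BD stays pure L2 with unknown unicast set to flood and the firewall trunk is a member of every EPG, so host-to-gateway traffic is intra-EPG and no contract is needed). Assumptions: the snapshot is an in-memory stand-in for APIC objects, with the BD attribute names arpFlood, unicastRoute and unkMacUcastAct taken from the fvBD class as I understand it; the static paths, leaf numbers and VLAN IDs are constructed, and only the subnets and EPG names come from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed path for the firewall's trunk port (APIC static-path syntax; leaf and port are made up).
FIREWALL_PATH = "topology/pod-1/paths-101/pathep-[eth1/1]"


@dataclass
class BridgeDomain:
    """Subset of an APIC fvBD object. Attribute names are assumed to follow the MIM."""
    name: str
    arp_flood: str          # fvBD.arpFlood:       "yes" | "no"
    unicast_route: str      # fvBD.unicastRoute:   "yes" | "no"
    unk_mac_ucast_act: str  # fvBD.unkMacUcastAct: "flood" | "proxy"


@dataclass
class Epg:
    """Subset of an APIC fvAEPg object plus its static path bindings (path -> encap)."""
    name: str
    bd: str
    static_paths: Dict[str, str] = field(default_factory=dict)


def lint_l2_firewall_design(bds: List[BridgeDomain], epgs: List[Epg],
                            firewall_path: str) -> List[Tuple[str, str]]:
    """Return (object name, message) for every deviation from the design in the
    thread: BDs are pure L2 with flooding on, and the firewall trunk sits inside
    every EPG so host-to-gateway traffic stays intra-EPG and needs no contract."""
    findings: List[Tuple[str, str]] = []
    bd_names = {bd.name for bd in bds}

    for bd in bds:
        if bd.unicast_route != "no":
            findings.append((bd.name, "unicastRoute is not 'no': the fabric becomes the "
                                      "gateway and inter-EPG traffic then needs contracts"))
        if bd.arp_flood != "yes":
            findings.append((bd.name, "arpFlood is not 'yes': ARP for the external gateway "
                                      "is not flooded to the firewall"))
        if bd.unk_mac_ucast_act != "flood":
            findings.append((bd.name, "unkMacUcastAct is not 'flood': hardware proxy relies "
                                      "on the fabric endpoint table instead of classic L2 flooding"))

    encap_owner: Dict[str, str] = {}   # VLAN encap on the firewall trunk -> EPG that uses it
    for epg in epgs:
        if epg.bd not in bd_names:
            findings.append((epg.name, f"references unknown BD {epg.bd}"))
            continue
        encap = epg.static_paths.get(firewall_path)
        if encap is None:
            findings.append((epg.name, f"firewall path {firewall_path} is not bound into the EPG: "
                                       "host-to-gateway traffic would be inter-EPG and require a contract"))
            continue
        # One trunk port cannot carry the same VLAN for two different EPGs.
        if encap in encap_owner and encap_owner[encap] != epg.name:
            findings.append((epg.name, f"encap {encap} on the firewall trunk is already used by {encap_owner[encap]}"))
        encap_owner.setdefault(encap, epg.name)
    return findings


def sample_tenant(fabric_routes_bd1: bool = False, fw_in_db_epg: bool = True):
    """Constructed snapshot modelled on the thread: BD1/EPG1 = APP, BD2/EPG2 = DB.
    The two flags inject the misconfigurations the lint is meant to catch."""
    host_leaf = "topology/pod-1/paths-102/pathep-[eth1/{}]"   # constructed host-facing ports
    bds = [
        BridgeDomain("BD1", arp_flood="yes",
                     unicast_route="yes" if fabric_routes_bd1 else "no",
                     unk_mac_ucast_act="flood"),
        BridgeDomain("BD2", arp_flood="yes", unicast_route="no", unk_mac_ucast_act="flood"),
    ]
    app = Epg("EPG1-APP", "BD1", {FIREWALL_PATH: "vlan-10", host_leaf.format(5): "vlan-10"})
    db_paths = {host_leaf.format(6): "vlan-20"}
    if fw_in_db_epg:
        db_paths[FIREWALL_PATH] = "vlan-20"
    db = Epg("EPG2-DB", "BD2", db_paths)
    return bds, [app, db]


if __name__ == "__main__":
    for name, msg in lint_l2_firewall_design(*sample_tenant(True, False), FIREWALL_PATH):
        print(f"{name}: {msg}")
```

The compliant snapshot produces no findings; turning unicast routing on for BD1 or leaving the firewall trunk out of EPG2-DB produces one finding each, which is exactly the condition under which contracts would again become necessary. Against a live fabric the same checks would run over the fvBD and fvAEPg objects returned by the APIC REST API rather than this constructed snapshot.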
02-14-2017 08:59 PM
Thanks so much :)
04-03-2018 10:08 PM
Hey, is it a validated design? Is there any doc for that?