09-26-2024 06:47 AM
Hello,
Good Day Everyone,
Could someone please help me understand the use of defining Application EPGs under an AAEP, when we are already associating a Physical Domain under it, which consists of the AAEP, EPGs and VLANs?
09-26-2024 01:27 PM
Hi @Nitesh_A ,
You don't DEFINE EPGs under the AAEP. EPGs are defined in the Tenant space.
However, if you have some EPGs defined in some Tenants, the AAEP provides you with an option to bypass the normal practice of mapping those EPGs to physical ports within the EPG, by mapping the EPG to the AAEP.
The normal mapping of EPGs to Physical ports (Tenant > Application Profiles > Your_AP > Application EPGs > Your_EPG > Static Ports) is often referred to as Mapping Down.
The process of mapping EPGs to the AAEP (Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs [+ Add EPG]) is often referred to as Mapping Up.
The BIG advantage of Mapping Up is that EVERY physical port (both current and future) that is linked back to this AAEP will accept traffic for the defined EPG/VLAN combination, avoiding the necessity of individually mapping the ports within the EPG, including adding extra mappings should a new port be added to the system carrying that VLAN.
There are several disadvantages of Mapping Up. Here are a couple:
So, if I was configuring a system I had to maintain in the future, I'd use Mapping Down all the time. If I was under pressure to get a job done quickly, I'd use Mapping Up, with the good intention of coming back later and adding in the Mapping Down configs. BTW - you can do BOTH mapping up AND Mapping down without error. This solves problem 2 I mentioned above, but not problem 1.
09-30-2024 11:19 PM
Hi @RedNectar, I have seen people define multiple VLANs and keep "Mode" as Access Untagged under Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs.
Let's say I define 2 EPGs to an AAEP, both EPGs having different VLANs and defined as Access Untagged. Now when I call this AAEP on eth1/1 on Leaf 1, how can one port carry 2 Untagged VLANs?
Thank you
10-01-2024 02:17 AM
Hi @Nitesh_A ,
I have seen people define multiple VLANs and keep "Mode" as Access Untagged under Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs.
BAD IDEA ... this forces EVERY PORT that links to that AAEP to be an access port = NO TRUNK PORTS ALLOWED
Let's say I define 2 EPGs to an AAEP, both EPGs having different VLANs and defined as Access Untagged.
CAN'T BE DONE! - you've NEVER been allowed to have two access VLANs on the same port, so I believe trying to configure this will throw an error.
Now when I call this AAEP on eth1/1 on Leaf 1, how can one port carry 2 Untagged VLANs?
EXACTLY - one port CAN'T carry 2 untagged VLANs
Tell whomever you saw define multiple VLANs and keep "Mode" as Access Untagged when mapping up that they are crazy.
10-01-2024 03:07 AM
Hi @RedNectar, one last question, Sir. Let me know whether my understanding below is correct or not.
Under the AAEP, we have a Physical Domain and Application EPGs.
The Physical Domain consists of VLANs and the EPG consists of a BD which contains subnets. So defining both the Physical Domain & Application EPGs means we are linking L2, that is the VLAN, & its respective L3 (subnet) together here under the AAEP?
I mean, what if I miss defining one of them? Is it mandatory to define both here if Mapping Up is considered?
Thank you
Nitesh
10-01-2024 01:58 PM
Hi @Nitesh_A ,
Let's do this in pictures. Here's a generalised tenant construct:
The L3 part of your design is defined either in a BD or an EPG, but (most importantly) viewed via the related VRF. The picture above is probably way more complicated than we need, but you'll notice that there are no PHYSICAL PORTS in the picture, and that's because it is just a MODEL - if I define those objects in ACI they exist ONLY as a model on the APIC; no switch knows anything about this model (YET).
Here's a generalised Access Policy Chain:
Here, the physical ports are defined by the Access Port Selector and assigned a set of policies via the Interface Policy Group - my illustration shows only Access Port Policy Groups and a Port Channel Interface Policy Group - but it is likely to also have VPC Interface Policy Groups.
Most importantly, this policy group is allocated a set of permitted VLAN IDs by virtue of the fact that the Interface Policy Group links to an AAEP, which links to a Physical Domain, which links to a VLAN Pool, which defines a set of VLAN IDs THAT CAN BE USED ON THOSE LINKED PHYSICAL PORTS.
NOTE: The VLAN Pool is a collection of VLAN IDs that will be used to classify traffic into EPGs. It has NOTHING TO DO WITH Layer 2. I suspect this is a flaw in your thinking when I read:
The Physical Domain consists of VLANs and the EPG consists of a BD which contains subnets. So defining both the Physical Domain & Application EPGs means we are linking L2, that is the VLAN, & its respective L3 (subnet) together here under the AAEP?
So to answer that question - NO, this does NOT mean we are linking L2 VLANs (because the VLAN Pool and Physical Domain have nothing to do with L2) & their respective L3 (subnet) together here under the AAEP.
Linking of L2 and L3 happens at the Bridge Domain (even if the subnet is defined on the EPG) and the related VRF.
Now, to complete my pictorial journey, let me finish by saying that the two models above are just models as they stand. There are two very crucial pieces missing.
Here's one last picture (that took me over a week to draw in 2015 when I was trying to get my head around this stuff)
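The three points made in this thread (Mapping Up versus Mapping Down, the "one untagged VLAN per port" restriction, and the access-policy chain that decides which VLAN IDs a port may use) can be modelled in a few lines. The Python below is an added example, not Cisco's code and not the APIC's object model; every name in it (PROD_AAEP, leaf101, WEB_EPG, the VLAN ranges) is constructed for the example, and the rules it enforces are only the ones stated in the replies above.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Interface modes as used in the thread: "trunk" for tagged EPGs,
# "untagged" for the "Access (Untagged)" mode.
TRUNK = "trunk"
UNTAGGED = "untagged"


@dataclass(frozen=True)
class VlanPool:
    """VLAN Pool: encap IDs available for classifying traffic into EPGs."""
    name: str
    vlans: FrozenSet[int]


@dataclass(frozen=True)
class PhysDomain:
    """Physical Domain: links one VLAN Pool to one or more AAEPs."""
    name: str
    pool: VlanPool


@dataclass
class Aaep:
    """AAEP; epg_bindings are the Mapping Up entries (EPG -> (encap, mode))."""
    name: str
    domains: List[PhysDomain]
    epg_bindings: Dict[str, Tuple[int, str]] = field(default_factory=dict)


@dataclass
class Port:
    """Leaf port reaching its AAEP via its Interface Policy Group.
    static_bindings are the Mapping Down entries (Static Ports under the EPG)."""
    leaf: str
    name: str
    aaep: Aaep
    static_bindings: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def label(self) -> str:
        return f"{self.leaf}/{self.name}"


def permitted_vlans(port: Port) -> FrozenSet[int]:
    """Walk Port -> AAEP -> Physical Domain(s) -> VLAN Pool(s): union of the pools."""
    ids = set()
    for dom in port.aaep.domains:
        ids |= dom.pool.vlans
    return frozenset(ids)


def effective_bindings(port: Port) -> Dict[str, Tuple[int, str]]:
    """Mapping Up and Mapping Down coexist; a static port for the same EPG wins."""
    merged = dict(port.aaep.epg_bindings)
    merged.update(port.static_bindings)
    return merged


def faults(port: Port) -> List[str]:
    """Check a port's effective bindings against the rules stated in the thread."""
    out: List[str] = []
    allowed = permitted_vlans(port)
    bindings = sorted(effective_bindings(port).items())
    untagged = [epg for epg, (_, mode) in bindings if mode == UNTAGGED]
    tagged = [epg for epg, (_, mode) in bindings if mode == TRUNK]
    for epg, (vlan, _) in bindings:
        if vlan not in allowed:  # encap not reachable through any domain/pool
            out.append(f"{port.label()}: EPG {epg} encap vlan-{vlan} is not in any "
                       f"VLAN Pool behind AAEP {port.aaep.name}")
    if len(untagged) > 1:  # a port carries at most one untagged VLAN
        out.append(f"{port.label()}: {len(untagged)} untagged EPGs "
                   f"({', '.join(untagged)}); a port carries at most one untagged VLAN")
    if untagged and tagged:  # Access (Untagged) makes the port an access port
        out.append(f"{port.label()}: untagged EPG(s) {', '.join(untagged)} make this an "
                   f"access port, so tagged EPG(s) {', '.join(tagged)} cannot be trunked")
    return out


def ports_accepting(epg: str, ports: List[Port]) -> List[str]:
    """Every port whose effective bindings include the EPG (its exposure footprint)."""
    return [p.label() for p in ports if epg in effective_bindings(p)]


# --- constructed sample fabric; all names are invented for this example ---
PROD_POOL = VlanPool("PROD_VLAN_Pool", frozenset(range(100, 200)))
PROD_DOM = PhysDomain("PROD_PhysDom", PROD_POOL)
# Mapping Up: WEB_EPG on vlan-110 reaches every port behind PROD_AAEP.
PROD_AAEP = Aaep("PROD_AAEP", [PROD_DOM], epg_bindings={"WEB_EPG": (110, TRUNK)})
# Mapping Down: DB_EPG is statically bound to leaf101 eth1/1 only.
LEAF101_E1_1 = Port("leaf101", "eth1/1", PROD_AAEP, static_bindings={"DB_EPG": (120, TRUNK)})
# A port added later with the same policy group: it inherits WEB_EPG, not DB_EPG.
LEAF101_E1_2 = Port("leaf101", "eth1/2", PROD_AAEP)
# The mistake discussed above: two Access (Untagged) EPGs mapped up on one AAEP,
# plus an encap that sits outside the VLAN Pool.
BAD_AAEP = Aaep("BAD_AAEP", [PROD_DOM], epg_bindings={
    "EPG_A": (130, UNTAGGED), "EPG_B": (140, UNTAGGED), "EPG_C": (250, TRUNK)})
LEAF102_E1_1 = Port("leaf102", "eth1/1", BAD_AAEP)

if __name__ == "__main__":
    for p in (LEAF101_E1_1, LEAF101_E1_2, LEAF102_E1_1):
        print(p.label(), sorted(effective_bindings(p)), faults(p) or "OK")
    print("WEB_EPG reaches:", ports_accepting("WEB_EPG", [LEAF101_E1_1, LEAF101_E1_2]))
    print("DB_EPG reaches:", ports_accepting("DB_EPG", [LEAF101_E1_1, LEAF101_E1_2]))
```

Running it prints the effective bindings and any faults per port. ports_accepting is the check worth keeping around after a Mapping Up: adding eth1/2 to the same policy group silently extends WEB_EPG to it, while DB_EPG (Mapping Down) stays on eth1/1 only, which is the convenience and the exposure RedNectar describes in one picture.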
09-30-2024 07:43 PM
@RedNectar Thank you for sharing your knowledge