cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
256
Views
3
Helpful
6
Replies

Why do we need to define Application EPG under AAEP ?

Nitesh_A
Level 1
Level 1

Hello,

Good Day Everyone,

Could someone please help me understand what is the use of defining Application EPG's under AAEP, whereas we are already associating Physical domain under it which consist of AAEP, epgs  & vlans.Untitled.png

2 Accepted Solutions

Accepted Solutions

RedNectar
VIP
VIP

Hi @Nitesh_A ,

You don't DEFINE EPGs under the AAEP. EPGs are defined in the Tenant space.

However, if you have some EPGs defined in some Tenants, the AAEP provides you with an option to by-pass the normal practice of mapping those EPGs to physical ports within the EPG by mapping the EPG to the AAEP.

The normal mapping of EPGs to Physical ports (Tenant > Application Profiles > Your_AP > Application EPGs > Your_EPG > Static Ports) is often referred to as Mapping Down

The process of mapping EPGs to the AAEP (Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs [+ Add EPG]) is often referred to as Mapping Up

The BIG advantage of Mapping Up is that EVERY physical port (both current and future) that is linked back to this AAEP will accept traffic for the defined EPG/VLAN combination avoiding the necessity of individually mapping the ports within the EPG. including adding extra mappings should a new port be added to the system carrying that VLAN.

There are several disadvantages of Mapping Up. Here are a couple:

  1. Troubleshooting/tracing a particular VLAN gets much harder - particularly if there are multiple ports mapped back to the same AAEP but only SOME of them carry the VLAN you are trying to trace.
  2. Ports that are mapped up do NOT show in the list of ports underTenant > Application Profiles > Your_AP > Application EPGs > Your_EPG > EPG Members

So, if I was configuring a system I had to maintain in the future, I'd use Mapping Down all the time. If I was under pressure to get a job done quickly, I'd use Mapping Up, with the good intention of coming back later and adding in the Mapping Down configs. BTW - you can do BOTH mapping up AND Mapping down without error. This solves problem 2 I mentioned above, but not problem 1.

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

Hi @Nitesh_A ,

I have seen people define multiple VLANs and keep "Mode" as Access Untagged  under--> Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs.  

BAD IDEA ... this forces EVERY PORT that links to that AAEP to be an access port = NO TRUNK PORTS ALLOWED

Let's say i define 2 EPG to AAEP, both EPG's are having different VLANs and defined as Access Untagged.

CAN'T BE DONE! - you've NEVER been allowed to have two access VLANs on the same port, so I believe trying to configure this will throw an error.

Now when i call this AAEP to eth1/1 on Leaf 1. Now how one port can carry 2 Untagged VLANs ?

EXACTLY - one port CAN'T carry 2 untagged VLANs

Tell whomever you saw define multiple VLANs and keep "Mode" as Access Untagged when mapping up that they are crazy.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

6 Replies 6

RedNectar
VIP
VIP

Hi @Nitesh_A ,

You don't DEFINE EPGs under the AAEP. EPGs are defined in the Tenant space.

However, if you have some EPGs defined in some Tenants, the AAEP provides you with an option to by-pass the normal practice of mapping those EPGs to physical ports within the EPG by mapping the EPG to the AAEP.

The normal mapping of EPGs to Physical ports (Tenant > Application Profiles > Your_AP > Application EPGs > Your_EPG > Static Ports) is often referred to as Mapping Down

The process of mapping EPGs to the AAEP (Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs [+ Add EPG]) is often referred to as Mapping Up

The BIG advantage of Mapping Up is that EVERY physical port (both current and future) that is linked back to this AAEP will accept traffic for the defined EPG/VLAN combination avoiding the necessity of individually mapping the ports within the EPG. including adding extra mappings should a new port be added to the system carrying that VLAN.

There are several disadvantages of Mapping Up. Here are a couple:

  1. Troubleshooting/tracing a particular VLAN gets much harder - particularly if there are multiple ports mapped back to the same AAEP but only SOME of them carry the VLAN you are trying to trace.
  2. Ports that are mapped up do NOT show in the list of ports underTenant > Application Profiles > Your_AP > Application EPGs > Your_EPG > EPG Members

So, if I was configuring a system I had to maintain in the future, I'd use Mapping Down all the time. If I was under pressure to get a job done quickly, I'd use Mapping Up, with the good intention of coming back later and adding in the Mapping Down configs. BTW - you can do BOTH mapping up AND Mapping down without error. This solves problem 2 I mentioned above, but not problem 1.

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi @RedNectar  I have seen people define multiple VLANs and keep "Mode" as Access Untagged  under--> Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs.  

Let's say i define 2 EPG to AAEP, both EPG's are having different VLANs and defined as Access Untagged. Now when i call this AAEP to eth1/1 on Leaf 1. Now how one port can carry 2 Untagged VLANs ?

Thankyou

Hi @Nitesh_A ,

I have seen people define multiple VLANs and keep "Mode" as Access Untagged  under--> Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Your_AAEP >| Application EPGs.  

BAD IDEA ... this forces EVERY PORT that links to that AAEP to be an access port = NO TRUNK PORTS ALLOWED

Let's say i define 2 EPG to AAEP, both EPG's are having different VLANs and defined as Access Untagged.

CAN'T BE DONE! - you've NEVER been allowed to have two access VLANs on the same port, so I believe trying to configure this will throw an error.

Now when i call this AAEP to eth1/1 on Leaf 1. Now how one port can carry 2 Untagged VLANs ?

EXACTLY - one port CAN'T carry 2 untagged VLANs

Tell whomever you saw define multiple VLANs and keep "Mode" as Access Untagged when mapping up that they are crazy.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi @RedNectar  One last question Sir. Let me know whether my below understanding is correct or not.

Under AAEP, we have Physical domain and Application EPG.

Physical domain consist of VLANs and EPG consist of BD which contains subnets. So defining both Physical Domain & Application EPG's means we are linking L2 that is (vlan) & its respective L3(subnet) together here under AAEP ?

I mean what if i miss to define anyone of them ? Is it mandatory to define both here if MAPPING UP is considered. ?

Thankyou

Nitesh

 

 

Hi @Nitesh_A ,

Let's do this in pictures.  Here's a generalised tenant construct:

image.png

The L3 part of your design is defined either in a BD or an EPG, but (most importantly) viewed via the related VRF.  The picture above is probably way more complicated than we need, but you'll notice that there are no PHYSICAL PORTS in the picture, and that's because it is just a MODEL - if I define those objects in ACI they exist ONLY as a model on the APIC, no switch knows anything about this model (YET)

Here's a generalised Access Policy Chain:

image.png

Here, the physical ports are defined by the Access Port Selector and assigned a set of policies via the Interface Policy Group - my illustration shows only Access Port Policy Groups and a Port Channel Interface Policy Group - but it is likely to also have VPC Interface Policy Groups

Most Importantly, this policy group is allocated a set of permitted VLAN IDs by virtue of the fact that the Interface Policy Grouplinks to an AAEP which links to a Physical Domain which links to a VLAN Pool which defines a set of VLAN ID THAT CAN BE USED ON THOSE LINKED PHYSICAL PORTS.

NOTE: The VLAN Pool is a collection of VLAN IDs that will be used to classify traffic into EPGs. It has NOTHING TO DO WITH Layer2. I suspect this is a flaw in your thinking when I read

Physical domain consist of VLANs and EPG consist of BD which contains subnets. So defining both Physical Domain & Application EPG's means we are linking L2 that is (vlan) & its respective L3(subnet) together here under AAEP ?


So to answer that question - NO this does NOT mean we are linking L2 VLANs (because the VLAN Pool and Physical Domain have nothing to do wth L2) & its respective L3(subnet) together here under AAEP.

Linking of L2 and L3 happens at the Bridge Domain (even if the subnet is defined on the EPG) and the related VRF.

Now, to complete my pictorial journey, let me finish by saying that the two models above are just models as they stand. There are two very crucial pieces missing. 

  1. The EPG needs to be connected to the Physical Domain - this is configured under the EPG. The moment an EPG is linked to a Physical Domain, all the Physical Ports and VLAN ID that appear in that chain are available for use by the EPG, but are not able to be used until step 2. 
    [Sidenote: If the Domain was a VMM Domain instead of a physical Domain, step 2 would happen automatically]
  2. At least one port and VLAN ID must be assigned to the EPG. This can be done two ways
    1. Mapping Down (as discussed earlier)
    2. Mapping UP (as discussed earleir)

Here's one last picture (that took me over a week to draw in 2015 when I was trying to get my head around this stuff)

image.png

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Nitesh_A
Level 1
Level 1

@RedNectar  Thankyou for sharing your knowledge

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License