01-10-2020 05:46 AM
Why should I have multiple VLAN pools for multiple tenants?
From what I understand, I can create a VLAN pool that includes all of the VLANs except the infrastructure VLAN. That pool can be assigned to multiple physical domains. When creating EPGs with static endpoints, you select the VLAN that's assigned to that endpoint.
Can I then assign the same VLAN to an endpoint in another tenant? If I do, will it use the same VLAN, or will it consider it separate because it's in a separate tenant? If it is separated between the two tenants so that traffic doesn't co-mingle, why should I create a separate VLAN pool?
01-10-2020 01:35 PM - edited 01-10-2020 01:37 PM
Hi @ckronk ,
Why should I have multiple VLAN pools for multiple tenants?
Great observation. You are entirely right, there is no reason why you couldn't create a VLAN Pool containing VLANs 1-4095 and associate it with every Physical/L2/L3 Domain in the system. In many ways this is how we work today on standard switches. Every switch has every VLAN available to it.
However, ACI does give you the ability to restrict a range of VLANs for a particular Physical/L2/L3 Domain if you want. And from an administrative point of view, if you want to keep track of which physical parts of the system have been opened up to which Tenants, a well-structured naming system in your Access Policy Chain can help with maintaining that system. And as such you might want to consider one Static VLAN Pool per tenant (which is my standard Best Practices answer).
Here are a couple of cases where you might want to think about not including every VLAN in a VLAN Pool:
If you use, or EVER intend to use, VMM integration, your VMM domain will need a dynamic range. Whatever VLANs are in this range will be allocated randomly, so once a range has been allocated, it is near impossible to change.
My advice: allocate a small but sufficient number of VLANs to the dynamic pool. It is VERY easy to add more VLANs to the pool at a later stage, but nigh on impossible to remove them.
And on that thought, you don't ever want anyone statically allocating one of those possibly dynamically allocated VLANs to a resource. To prevent this, you can make sure there is no overlap between your dynamic and static VLAN pools.
You may wish to have some VLANs reserved for shared resources, and you may wish to ensure that a tenant doesn't allocate a VLAN that is intended for shared resources. Again, the way you can implement this in ACI is to make sure there is no overlap between your reserved shared VLANs and the tenant static VLAN pools.
So think about what VLANs you may wish to reserve for VMM integration, and decide if you want to have a single VLAN pool that all tenants use for static allocation, or whether you want to keep separate VLAN pools per tenant. If you have full control over the entire system, a single pool is probably easier.
Can I then assign the same VLAN to an end point in another tenant?
You certainly can. However, if that other Tenant has interfaces on the same switch as the original Tenant, make sure you include an L2 Interface Policy that allows per-port VLAN allocation in your Access Policy Chains.
If I do, will it use the same VLAN or will is consider it separate because it's in a separate tenant?
So long as you have included an L2 Interface Policy that allows per-port VLAN allocation in your Access Policy Chains, it will consider it as separate.
If it is separated between the two tenants where traffic doesn't co mingle, why should I create a separate VLAN pool?
Why indeed!
I hope this helps
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
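The three overlap rules in the answer above (no static VLAN inside the dynamic VMM range, no tenant pool touching the VLANs reserved for shared resources, the infra VLAN in no pool at all) are easy to get wrong once a fabric has several pools. The following is an added example, not code from the original post or from Cisco: a small Python checker over pool definitions modelled loosely on the APIC objects the thread talks about (a pool with an allocation mode, containing encap blocks with a from/to range and an inherit/static/dynamic mode, which is also how the "dynamic pool with static blocks" setup from the later reply is represented). The class names, field names and sample pools are this example's own constructions, and the infra VLAN value 3967 is a constructed sample that must be replaced with whatever was chosen during fabric setup.

```python
"""Overlap checker for ACI VLAN pool definitions.

Added example, not Cisco code. The data model is an assumption that only
loosely mirrors APIC: a pool (cf. fvnsVlanInstP) has an allocation mode
and encap blocks (cf. fvnsEncapBlk) whose mode is "inherit", "static" or
"dynamic". Field and class names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094          # usable 802.1Q tag range
ALLOC_MODES = {"static", "dynamic"}


@dataclass
class EncapBlock:
    start: int
    end: int
    alloc_mode: str = "inherit"       # inherit | static | dynamic


@dataclass
class VlanPool:
    name: str
    alloc_mode: str                   # static | dynamic (pool default)
    blocks: List[EncapBlock] = field(default_factory=list)
    shared: bool = False              # True for the pool holding shared-resource VLANs

    def effective_mode(self, blk: EncapBlock) -> str:
        """A block either inherits the pool mode or overrides it."""
        return self.alloc_mode if blk.alloc_mode == "inherit" else blk.alloc_mode

    def vlans(self, mode: Optional[str] = None) -> Set[int]:
        """All VLAN IDs in the pool, optionally only those with a given effective mode."""
        out: Set[int] = set()
        for b in self.blocks:
            if mode is None or self.effective_mode(b) == mode:
                out.update(range(b.start, b.end + 1))
        return out


def validate_pool(pool: VlanPool) -> None:
    """Reject modes and ranges APIC would not accept."""
    if pool.alloc_mode not in ALLOC_MODES:
        raise ValueError(f"{pool.name}: bad pool alloc_mode {pool.alloc_mode!r}")
    for b in pool.blocks:
        if b.alloc_mode not in ALLOC_MODES | {"inherit"}:
            raise ValueError(f"{pool.name}: bad block alloc_mode {b.alloc_mode!r}")
        if not (VLAN_MIN <= b.start <= b.end <= VLAN_MAX):
            raise ValueError(f"{pool.name}: block {b.start}-{b.end} outside {VLAN_MIN}-{VLAN_MAX}")


def compress(vlans: Iterable[int]) -> str:
    """Render {1,2,3,7} as '1-3,7' so findings stay readable."""
    s = sorted(set(vlans))
    if not s:
        return ""
    parts, start, prev = [], s[0], s[0]
    for v in s[1:]:
        if v == prev + 1:
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


Finding = Tuple[str, str, Optional[str], str]   # (kind, pool, other pool, VLAN ranges)


def find_conflicts(pools: List[VlanPool], infra_vlan: int,
                   reserved_shared: Iterable[int]) -> List[Finding]:
    """Apply the three rules from the thread and return every violation."""
    for p in pools:
        validate_pool(p)
    findings: List[Finding] = []
    # Rule 1: the infra VLAN must not appear in any pool.
    for p in pools:
        if infra_vlan in p.vlans():
            findings.append(("infra_vlan_in_pool", p.name, None, str(infra_vlan)))
    # Rule 2: dynamically allocated ranges must not overlap any static range,
    # in the same pool or in another one.
    dyn = [(p.name, p.vlans("dynamic")) for p in pools]
    stat = [(p.name, p.vlans("static")) for p in pools]
    for dn, dv in dyn:
        for sn, sv in stat:
            ov = dv & sv
            if ov:
                findings.append(("dynamic_static_overlap", dn, sn, compress(ov)))
    # Rule 3: reserved shared VLANs may only live in the pool marked as shared.
    reserved = set(reserved_shared)
    for p in pools:
        if not p.shared:
            ov = p.vlans() & reserved
            if ov:
                findings.append(("reserved_in_tenant_pool", p.name, None, compress(ov)))
    return findings


def sample_pools() -> List[VlanPool]:
    """Constructed sample pools (not a real fabric)."""
    return [
        VlanPool("VMM-dyn", "dynamic", [EncapBlock(1000, 1099)]),
        VlanPool("TenantA-static", "static", [EncapBlock(100, 499)]),
        # Same IDs as TenantA: fine when per-port VLAN is enabled, as the thread says.
        VlanPool("TenantB-static", "static", [EncapBlock(100, 499)]),
        VlanPool("Shared-static", "static", [EncapBlock(500, 599)], shared=True),
        # Dynamic pool that also carries a static block, as in the later reply: no conflict.
        VlanPool("TenantC-mixed", "dynamic",
                 [EncapBlock(2000, 2099, "static"), EncapBlock(2100, 2199)]),
        # Misconfigured: reaches into the VMM dynamic range and the shared VLANs.
        VlanPool("TenantD-static", "static", [EncapBlock(450, 1010)]),
        # Misconfigured: swallows the (sample) infra VLAN.
        VlanPool("Legacy-static", "static", [EncapBlock(3960, 3970)]),
    ]


def sample_findings() -> List[Finding]:
    # 3967 is a constructed sample infra VLAN; use the fabric's real value.
    return find_conflicts(sample_pools(), infra_vlan=3967, reserved_shared=range(500, 600))


if __name__ == "__main__":
    for kind, pool, other, rng in sample_findings():
        print(f"{kind:24} {pool:16} {other or '-':16} {rng}")
```

On the constructed pools this reports exactly three problems: TenantD-static overlaps the VMM dynamic range at 1000-1010 and the reserved shared VLANs at 500-599, and Legacy-static contains the infra VLAN. TenantA and TenantB sharing the same IDs is deliberately not flagged, since that is the reuse the thread says is allowed.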
01-13-2020 08:40 AM
01-13-2020 11:08 AM
Hi @ckronk ,
To be honest, I have not re-tested my findings from 3+ years ago when I made the discovery that when using the L2 Interface Policy, ACI requires that when applied to two different EPGs on the same switch, those two EPGs must be associated with two different Physical Domains, and each domain linked to a different VLAN Pool.
It seems your testing would indicate that although different Physical Domains are required, the same VLAN pool can now be used for each.
Which is good news!
As for your other question:
if I can and decide to use one VLAN pool for each tenant, could I use a dynamic pool and assign static VLANs to that pool as needed and a dynamic range for my VMM VLANs?
It seems this is indeed possible. I just tested it. (The static part anyway, on v4.4(2f)). I have vague recollections that you used to not be able to assign a Physical Domain to a dynamic VLAN pool, but I just did that and it didn't break any of my EPGs. To me that sounds like a good plan.