Why use multiple VLAN pools?

ckronk (Level 1)

Why should I have multiple VLAN pools for multiple tenants? 


From what I understand, I can create a VLAN pool that includes all of the VLANs except the infrastructure VLAN. That pool can be assigned to multiple physical domains. When creating EPGs with static endpoints, you select the VLAN that's assigned to that endpoint.


Can I then assign the same VLAN to an endpoint in another tenant? If I do, will it use the same VLAN or will it consider it separate because it's in a separate tenant? If it is separated between the two tenants so that traffic doesn't commingle, why should I create a separate VLAN pool?

3 Replies

RedNectar (VIP), accepted solution

Hi @ckronk ,

Why should I have multiple VLAN pools for multiple tenants?

Great observation. You are entirely right, there is no reason why you couldn't create a VLAN Pool containing VLANs 1-4095 and associate it with every Physical/L2/L3 Domain in the system. In many ways this is how we work today on standard switches. Every switch has every VLAN available to it.

However ACI does give you the ability to restrict a range of VLANs for a particular Physical/L2/L3 Domain if you want. And from an administrative point of view, if you want to keep track of which physical parts of the system have been opened up to which Tenants, a well structured naming system in your Access Policy Chain can help with maintaining that system. And as such you might want to consider one Static VLAN Pool per tenant (which is my standard Best Practices answer).

Here are a couple of cases where you might want to think about not including every VLAN in a VLAN Pool:

Dynamic VLAN Pools

If you use, or EVER intend to use, VMM integration, your VMM domain will need a dynamic range. Whatever VLANs are in this range will be allocated randomly, so once a range has been allocated, it is near impossible to change.

My advice: Allocate a small but sufficient number of VLANs to the dynamic pool. It is VERY easy to add more VLANs to the pool at a later stage, but nigh on impossible to remove them.

And on that thought, you don't ever want anyone statically allocating one of those possibly dynamically allocated VLANs to a resource - so to prevent this, you can make sure there is no overlap between your dynamic and static VLAN pools.

Shared Resources

You may wish to have some VLANs reserved for shared resources. You may wish to ensure that a tenant doesn't allocate a VLAN that is intended for shared resources. Again, the way you can implement this in ACI is to make sure there is no overlap between your reserved shared VLANs and tenant static VLAN pools.

VLAN Pool Summary

So think about what VLANs you may wish to reserve for VMM integration, and decide if you want to have a single VLAN pool that all tenants use for static allocation, or whether you want to keep separate VLAN pools per tenant. If you have full control over the entire system, a single pool is probably easier.

Other questions

Can I then assign the same VLAN to an end point in another tenant?

You certainly can. However, if that other Tenant has interfaces on the same switch as the original Tenant, make sure you include a L2 Interface Policy that allows Per port VLAN allocation in your Access Policy Chains.

If I do, will it use the same VLAN or will it consider it separate because it's in a separate tenant?

So long as you have included a L2 Interface Policy that allows Per port VLAN allocation in your Access Policy Chains, it will consider it as separate.

If it is separated between the two tenants where traffic doesn't commingle, why should I create a separate VLAN pool?

Why indeed!

I hope this helps



RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
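The two "make sure there is no overlap" rules in the answer above (dynamic VMM range versus static pools, and reserved shared VLANs versus tenant pools) are easy to state and easy to violate once a fabric has a dozen pools. The following Python check is an added example, not code from the thread or from Cisco: it parses VLAN pools in the shape APIC returns for a class query on fvnsVlanInstP with its fvnsEncapBlk children (for example GET /api/node/class/fvnsVlanInstP.json?rsp-subtree=children&rsp-subtree-class=fvnsEncapBlk), resolves each block's allocMode ("inherit" takes the pool's mode), and reports every VLAN range that appears in two pools, flagging a dynamic/static collision as the one that must not happen. The pool names and the embedded JSON are constructed sample data, not a capture from a real fabric.

```python
"""Overlap check for Cisco ACI VLAN pools (added example, not from the thread).

Input is the shape APIC returns for the class query
GET /api/node/class/fvnsVlanInstP.json?rsp-subtree=children&rsp-subtree-class=fvnsEncapBlk
"""
import json
import re
from dataclasses import dataclass, field
from typing import List

_ENCAP_RE = re.compile(r"^vlan-(\d+)$")

# Constructed sample, not a capture from a real fabric; pool names are made up.
SAMPLE_APIC_RESPONSE = json.dumps({"totalCount": "3", "imdata": [
    {"fvnsVlanInstP": {"attributes": {"name": "VMM_Dyn_Pool", "allocMode": "dynamic"},
     "children": [{"fvnsEncapBlk": {"attributes": {"from": "vlan-1000", "to": "vlan-1099", "allocMode": "inherit"}}}]}},
    {"fvnsVlanInstP": {"attributes": {"name": "TenantA_Static_Pool", "allocMode": "static"},
     "children": [{"fvnsEncapBlk": {"attributes": {"from": "vlan-100", "to": "vlan-199", "allocMode": "inherit"}}},
                  # the mistake the post warns about: a static block inside the VMM dynamic range
                  {"fvnsEncapBlk": {"attributes": {"from": "vlan-1050", "to": "vlan-1060", "allocMode": "inherit"}}}]}},
    {"fvnsVlanInstP": {"attributes": {"name": "Shared_Services_Pool", "allocMode": "static"},
     "children": [{"fvnsEncapBlk": {"attributes": {"from": "vlan-190", "to": "vlan-210", "allocMode": "inherit"}}}]}},
]})


@dataclass
class EncapBlock:
    lo: int
    hi: int
    alloc_mode: str          # "static" or "dynamic" once "inherit" is resolved


@dataclass
class VlanPool:
    name: str
    alloc_mode: str
    blocks: List[EncapBlock] = field(default_factory=list)


@dataclass(frozen=True)
class Overlap:
    pool_a: str
    pool_b: str
    lo: int
    hi: int
    kind: str                # "dynamic/static" is the one that must not happen


def vlan_id(encap: str) -> int:
    """'vlan-1050' -> 1050; rejects anything outside the usable 1..4094 range."""
    m = _ENCAP_RE.match(encap)
    if not m:
        raise ValueError(f"unexpected encap {encap!r}")
    vid = int(m.group(1))
    if not 1 <= vid <= 4094:   # 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VLAN id {vid} out of range")
    return vid


def parse_vlan_pools(apic_json: str) -> List[VlanPool]:
    """Turn an fvnsVlanInstP class-query response into VlanPool objects."""
    pools = []
    for item in json.loads(apic_json)["imdata"]:
        mo = item["fvnsVlanInstP"]
        pool = VlanPool(mo["attributes"]["name"], mo["attributes"]["allocMode"])
        for child in mo.get("children", []):
            blk = child.get("fvnsEncapBlk")
            if blk is None:
                continue
            a = blk["attributes"]
            mode = a.get("allocMode", "inherit")
            if mode == "inherit":           # block takes the pool's allocation mode
                mode = pool.alloc_mode
            lo, hi = vlan_id(a["from"]), vlan_id(a["to"])
            if lo > hi:
                raise ValueError(f"{pool.name}: block {a['from']}..{a['to']} is inverted")
            pool.blocks.append(EncapBlock(lo, hi, mode))
        pools.append(pool)
    return pools


def find_overlaps(pools: List[VlanPool]) -> List[Overlap]:
    """Every VLAN range shared by two different pools, lowest VLAN first."""
    found = []
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            for ba in a.blocks:
                for bb in b.blocks:
                    lo, hi = max(ba.lo, bb.lo), min(ba.hi, bb.hi)
                    if lo > hi:
                        continue
                    modes = {ba.alloc_mode, bb.alloc_mode}
                    if modes == {"dynamic", "static"}:
                        kind = "dynamic/static"
                    else:
                        kind = f"{ba.alloc_mode}/{bb.alloc_mode}"
                    found.append(Overlap(a.name, b.name, lo, hi, kind))
    return sorted(found, key=lambda o: (o.lo, o.hi, o.pool_a))


def dynamic_static_conflicts(pools: List[VlanPool]) -> List[Overlap]:
    """Only the overlaps that let a static EPG binding collide with a VMM allocation."""
    return [o for o in find_overlaps(pools) if o.kind == "dynamic/static"]


if __name__ == "__main__":
    pools = parse_vlan_pools(SAMPLE_APIC_RESPONSE)
    for o in find_overlaps(pools):
        sev = "ERROR" if o.kind == "dynamic/static" else "WARN "
        print(f"{sev} vlan {o.lo}-{o.hi}: {o.pool_a} overlaps {o.pool_b} ({o.kind})")
```

Static/static overlaps are reported as warnings rather than errors because, as the answer notes, the same VLAN in two pools bound to different domains is legal with a per-port VLAN L2 Interface Policy; the point of the report is that such reuse should be a deliberate choice, while a static block inside the VMM dynamic range never is. To run it against a live fabric, replace SAMPLE_APIC_RESPONSE with the body of the class query above after authenticating to the APIC.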

ckronk (Level 1)

Thanks for this post. It explains a lot. I still have some further questions.

I actually used a portion of your blog (https://rednectar.net/2016/12/11/cisco-aci-per-port-vlan-feature/) to assist with using the same VLAN on multiple EPGs and that's where some of my questions came from.

In your example on that post you created a VLAN pool for all VLANs and one for per port VLANs. Is this necessary for a reason I'm not seeing yet? I was able to create one VLAN pool (with VLAN range 1-4094 for testing purposes) and assign it to two Physical domains, front server and back server. With this I was able to assign the separate physical domains to a front EPG and a back EPG and use the same VLAN for each. At this point, why should I use a separate VLAN pool? If the VLAN pool I created for that tenant is not going to have any reused VLANs, it should be OK, correct? What am I missing here?

My other question is that if I can and decide to use one VLAN pool for each tenant, could I use a dynamic pool and assign static VLANs to that pool as needed and a dynamic range for my VMM VLANs?

RedNectar (VIP)

Hi @ckronk ,

To be honest, I have not re-tested my findings from 3+ years ago when I made the discovery that when using the L2 Interface Policy, ACI...

requires that when applied to two different EPGs on the same switch, those two EPGs must be associated with two different Physical Domains, and each domain linked to a different VLAN Pool.

It seems your testing would indicate that although different Physical Domains are required, the same VLAN pool can now be used for each.

Which is good news!

As for your other question:

if I can and decide to use one VLAN pool for each tenant, could I use a dynamic pool and assign static VLANs to that pool as needed and a dynamic range for my VMM VLANs?

It seems this is indeed possible. I just tested it. (The Static part anyway, on v4.4(2f)). I have vague recollections that you used not to be able to assign a Physical Domain to a dynamic VLAN pool, but I just did that and it didn't break any of my EPGs. To me that sounds like a good plan.

RedNectar aka Chris Welsh.