ACI to Legacy, TCN and Spanning Tree consideration ?

nexus13213
Level 1

Hi,

We plan to migrate our legacy network to ACI,
and will have an L2 trunk vPC link from ACI to the legacy network.
My questions:
- Which is the best practice to configure that L2 trunk interface? Extend EPG or L2out?

- Do I need to enable spanning-tree BPDU filter on that interface, so that the TCN doesn't flush the endpoints?


thank you,

regards

2 Replies

dcrown
Level 1

I just bring an external L2 device into the EPG.


As for TCNs, you're correct in that you should BPDU filter. As a rule of thumb, we only connect one switch to the EPG since we're effectively disabling spanning tree from passing through the ACI fabric. We also enable BPDU guard on all the ports coming from devices that are not switches.


Take a look at this blog post. Jody has a lot of good stuff on their blog.

https://unofficialaciguide.com/2019/03/28/stp-and-aci-intermittent-packet-loss-due-to-tcns/

peterzhang
Level 1

L2 EPG extension is less flexible but easier to configure.

L2 BD extension is more flexible but takes a bit more effort to configure.


If you intend to leverage contracts at all at layer 2 for segmentation purposes, you have to use L2 BD extension. The other advantage of L2 BD extension is to reduce the impact of TCN flooding.


BPDUs are flooded within an encapsulation, rather than within Bridge Domains, which means that if you apply a different encap in the Application EPG from the L2 BD EPG, you would effectively limit the BPDU flooding to the L2 BD EPGs only. You should not use the same encap as legacy VLANs for servers connecting directly to ACI anyway. Eventually, you'll reach a state where you can't rely on VLAN numbers at all.


However, to completely eliminate the risk of TCN flooding into ACI, you can configure BPDU filter on either the ACI or the NX-OS side, but be aware that if you need to connect any additional L2 devices to ACI, you have to be very careful.


Thanks

Peter
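As an added check (not code from this thread, from Cisco, or from the blog linked above): a small Python script that parses NX-OS `show spanning-tree detail` output taken on the legacy switch and flags VLANs whose TCNs are churning (each one is forwarded into the fabric over the trunk unless BPDU filter is on) or whose last TCN arrived from the ACI-facing vPC (another STP speaker is reachable through the fabric in that encap, the situation the caveat above warns about). The sample output and the port name `port-channel10` are constructed assumptions.

```python
import re

# Constructed sample of NX-OS "show spanning-tree detail" output from the legacy
# switch that holds the vPC towards ACI (not real output from this thread).
SAMPLE = """\
 VLAN0010 is executing the rstp compatible Spanning Tree protocol
  Number of topology changes 2 last change occurred 5:12:40 ago
          from Ethernet1/10

 VLAN0020 is executing the rstp compatible Spanning Tree protocol
  Number of topology changes 417 last change occurred 0:00:08 ago
          from port-channel10
"""

ACI_FACING_PORTS = {"port-channel10"}  # assumed name of the vPC to the ACI leaf pair

VLAN_RE = re.compile(r"^\s*VLAN(\d+) is executing")
TCN_RE = re.compile(r"Number of topology changes (\d+) last change occurred (\S+) ago")
FROM_RE = re.compile(r"^\s*from (\S+)")


def _to_seconds(hms):
    """h:m:s or m:s (as printed in the sample) -> seconds."""
    secs = 0
    for part in hms.split(":"):
        secs = secs * 60 + int(part)
    return secs


def parse_tcn(output):
    """Return [(vlan, changes, seconds_since_last, from_port), ...], one per VLAN."""
    records, vlan, changes, last = [], None, None, None
    for line in output.splitlines():
        if m := VLAN_RE.match(line):
            vlan = int(m.group(1))
        elif m := TCN_RE.search(line):
            changes, last = int(m.group(1)), _to_seconds(m.group(2))
        elif (m := FROM_RE.match(line)) and vlan is not None and changes is not None:
            records.append((vlan, changes, last, m.group(1)))
            changes = last = None
    return records


def flag_tcns(records, recent_s=300, max_changes=50):
    """Flag VLANs with many recent TCNs (churn) or whose last TCN came *from* the
    ACI-facing vPC (via_aci); returns [(vlan, port, churn, via_aci), ...]."""
    flagged = []
    for vlan, changes, last, port in records:
        churn = changes > max_changes and last < recent_s
        via_aci = port in ACI_FACING_PORTS
        if churn or via_aci:
            flagged.append((vlan, port, churn, via_aci))
    return flagged
```

Feed it the real command output before and after enabling BPDU filter on the trunk: a VLAN still reported "from" the ACI-facing vPC afterwards means STP BPDUs are still crossing the fabric in that encap.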
