Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
887
Views
0
Helpful
1
Replies

Best Practice / WWYD - Isolated L2 Bridge Domains

KELLEYD
Level 1
Level 1

‎01-22-2019 11:24 AM - edited ‎03-01-2019 05:45 AM

Lately, I've had a number of requests for isolated VLANs, non-routed subnets, etc. Call them what you will, they are all pretty much the same concept. Historically, we've honored such requests by simply creating a new VLAN and, if requested, providing a subnet / IP range for the requester to use that will not overlap, should they ever change their mind and decide they want it routed. Not that it's ever happened, of course. :D

With that said, we haven't changed much with ACI. But my gut tells me there's a better way to do it. What we do is to create a new bridge domain, flood in the BD, and disable unicast routing. Then create a new EPG for that BD, exclude it from the preferred group, neither provide nor consume any contracts, then call it a day.

As I stare at two requests in our queue right now, both asking for a new isolated VLAN, my first thought is to, at the very least, create a separate VRF for these bridge domains. Then I question my own sanity, as there actually won't be any L3 interfaces configured, thus making a VRF a moot point.

Another thought I had was that, for some use cases at least, I could at least reuse an "Isolated" bridge domain and just create the new EPGs, again, no contracts. We have all 2nd-gen switches, so I could flood the encap instead of the bridge domain. In most cases, these are untagged (802.1p), so the encap isn't relevant anyway.

You see where I'm going with this. Any thoughts? How do you do it?

Labels:
0 Helpful
1 Reply 1

Remi Astruc
Level 1
Level 1

‎01-22-2019 02:48 PM

Hello,

You could create a VRF or use an existing one (in case you need someday to integrate in routing), that's no big deal.

Regarding the creation of 1 BD for several isolated Vlans made with EPGs, I would not do that way. Even if no contract, the EndPoints could still be visible to some traffic like ARP or L2 Uknown Unicast set to Flood (as recommended in L2 BD).

 

Remi

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License