Best Practice / WWYD - Isolated L2 Bridge Domains

Lately, I've had a number of requests for isolated VLANs, non-routed subnets, etc. Call them what you will, they are all pretty much the same concept. Historically, we've honored such requests by simply creating a new VLAN and, if requested, providing a subnet / IP range for the requester to use that will not overlap, should they ever change their mind and decide they want it routed. Not that it's ever happened, of course. :D

With that said, we haven't changed much with ACI. But my gut tells me there's a better way to do it. What we do is to create a new bridge domain, flood in the BD, and disable unicast routing. Then create a new EPG for that BD, exclude it from the preferred group, neither provide nor consume any contracts, then call it a day.

As I stare at two requests in our queue right now, both asking for a new isolated VLAN, my first thought is to, at the very least, create a separate VRF for these bridge domains. Then I question my own sanity, as there actually won't be any L3 interfaces configured, thus making a VRF a moot point.

Another thought I had was that, for some use cases at least, I could at least reuse an "Isolated" bridge domain and just create the new EPGs, again, no contracts. We have all 2nd-gen switches, so I could flood the encap instead of the bridge domain. In most cases, these are untagged (802.1p), so the encap isn't relevant anyway.

You see where I'm going with this. Any thoughts? How do you do it?

Re: Best Practice / WWYD - Isolated L2 Bridge Domains


You could create a VRF or use an existing one (in case you need someday to integrate in routing), that's no big deal.

Regarding the creation of 1 BD for several isolated VLANs made with EPGs, I would not do it that way. Even if there is no contract, the endpoints could still be visible to some traffic like ARP or L2 Unknown Unicast set to Flood (as recommended in an L2 BD).
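A small audit of the BD/EPG settings the original post describes, which also flags the reply's caveat about several EPGs sharing one flood-mode BD. This is an added example, not code from either post; it assumes APIC-style JSON using the standard fv object-model attribute names and runs against a constructed sample tenant.

```python
import json

# Constructed sample tenant (not from the thread): one isolated BD with two
# EPGs, the second of which breaks the intended posture.
SAMPLE = json.dumps({"fvTenant": {"attributes": {"name": "LAB"}, "children": [
    {"fvBD": {"attributes": {"name": "ISO-BD", "unicastRoute": "no",
                             "unkMacUcastAct": "flood", "arpFlood": "yes"}}},
    {"fvAp": {"attributes": {"name": "ISO-AP"}, "children": [
        {"fvAEPg": {"attributes": {"name": "VLAN-301", "prefGrMemb": "exclude"},
                    "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "ISO-BD"}}}]}},
        {"fvAEPg": {"attributes": {"name": "VLAN-302", "prefGrMemb": "include"},
                    "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "ISO-BD"}}},
                                 {"fvRsProv": {"attributes": {"tnVzBrCPName": "WEB"}}}]}},
    ]}},
]}})

def _find(body, cls):
    """Yield the bodies of every object of class `cls` below an object body."""
    for child in body.get("children", []):
        for name, sub in child.items():
            if name == cls:
                yield sub
            yield from _find(sub, cls)

def audit_isolated(payload):
    """Return findings where the tenant deviates from the isolated-L2 posture
    (routing off, L2 unknown unicast flooded, EPG out of preferred group, no contracts)."""
    tenant = json.loads(payload)["fvTenant"]
    findings, members = [], {}
    for bd in _find(tenant, "fvBD"):
        attrs, name = bd["attributes"], bd["attributes"]["name"]
        members[name] = []
        if attrs.get("unicastRoute", "yes") != "no":   # APIC default is yes
            findings.append(f"{name}: unicast routing enabled")
        if attrs.get("unkMacUcastAct") != "flood":
            findings.append(f"{name}: L2 unknown unicast not set to flood")
    for epg in _find(tenant, "fvAEPg"):
        attrs, name = epg["attributes"], epg["attributes"]["name"]
        for rel in _find(epg, "fvRsBd"):
            members.setdefault(rel["attributes"]["tnFvBDName"], []).append(name)
        if attrs.get("prefGrMemb", "exclude") != "exclude":
            findings.append(f"{name}: included in the preferred group")
        if list(_find(epg, "fvRsProv")) or list(_find(epg, "fvRsCons")):
            findings.append(f"{name}: provides or consumes a contract")
    # The reply's caveat: EPGs sharing one flood-mode BD still see each other's
    # ARP and unknown-unicast floods, so flag any BD with more than one member.
    for bd_name, epgs in members.items():
        if len(epgs) > 1:
            findings.append(f"{bd_name}: shared flood domain for {', '.join(epgs)}")
    return findings
```

Run `audit_isolated(SAMPLE)` to see the three findings for the sample; an empty list means the tenant matches the posture described in the post.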
