
Bridge Domains and Subnets

Steven Williams
Level 4

So the word on the street is BDs are NOT VLANs, but they kinda are. Question: what would be a reason to put two or more subnets in a single BD? Would these subnets, each with a defined Layer 3 gateway, talk to each other freely? I assume so, so how would you segment them if need be?

4 Replies

stcorry
Cisco Employee

Well! Sometimes I do like to use the analogy where BDs are just like VLANs, except in ACI it's not the whole story... You need to put your EPs into zones, which are EPGs. This is a requirement. So in a lot of ways BDs are VLANs and EPGs are extra stuff on top.

 

When would you use multiple Subnets under a BD? Sometimes under migration scenarios it might be necessary to merge VLANs or migrate from one Subnet to another. Or if you run out of space in a subnet, you can add another. I don't see this done too much, but it is there and it is simple when you need it. One thing to be aware of is if you use DHCP relay, only the primary subnet will source the DHCP relay message. 

 

Can they communicate freely? BD Subnet/GWs are not part of the zoning so you could theoretically still reach them, but the EPs inside are still subject to the Zoning/EPGs they are a part of and thus subject to the contract rules placed in the EPGs. 

 

At layer 2, if HW proxy is turned off for BUM traffic, that traffic may still reach other EPs depending on the other settings of the EPG/BD (Isolated EPGs will prevent this I believe). 

Claudia de Luna
Spotlight

Hey @Steven Williams,

 

I like to think of a BD and an EPG in ACI as the equivalent of a VLAN in the classical Ethernet world. Alternatively, a VLAN is broken up into two parts in ACI: an EPG (think encapsulation) and a BD (think L2 forwarding). You get the idea. This is a really powerful thing because now I can take a VLAN/subnet that I have in my data center, turn it into a Bridge Domain in ACI and then associate that one BD (subnet) with many different EPGs. Remember that it is the EPG that is the container with policy, and as of ACI 3-ish you can control the flooding behavior in a BD (Flood in Encapsulation), so don't think that everything is flooding everywhere.

This ability to segment without changing IPs is one of the features of ACI that I like to stress to my clients. Many data centers have grown organically and wind up with one VLAN/subnet with many different services. You know how server people hate to change IPs. With ACI they can take that same subnet (now a BD), move all their services into ACI, keep the same subnet and segment without changing IPs. So now that my policy does not have those old constraints, you have many options, including one BD associated with many different EPGs for segmentation and, as you said, several subnets associated with one BD.

 

With all of this in mind, adding multiple subnets to a BD can simplify things for you. You can have one BD associated with many EPGs, controlling policy at the EPG level, with just one BD construct supporting several subnets.

You can really start to care less about your IP addressing.

 

Also, if you plan on doing micro segmentation and attributes it really simplifies things to use one BD.  It also helps with Automation because many/all of your EPGs use the same BD (but still enjoy all the control and security ACI brings to the table).  

 

By the same token, if you are moving into ACI from an existing data center and you have endpoints that have the same security policy but somehow wound up on two different subnets, again, you can now support them together in one EPG for policy and keep their IPs the same (but different subnets) should you need to.

Phew, that was a lot of information. So I understand that you can have two systems in a single EPG that belong to two completely different subnets, so they both inherit the policy you need them to have. So, that being said, you need those subnets in the same BD? Because an EPG can't belong to more than one BD, right?

Sorry, you probably knew a lot of that already!

 

But you are exactly right.  Many EPGs to one BD but one BD to one EPG.

 

[Attached image: BD-EPG-2020-04-14_13-05-35.jpg]
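To make the constructs discussed in both replies above concrete, here is an added example (written for this page; it is not code from either poster or from Cisco): a Python script that builds the JSON object tree APIC accepts at /api/mo/uni.json for one tenant with a single Bridge Domain carrying two subnets, three EPGs that all reference that one BD, and a contract between two of them. It then checks the points made in the thread: the BD has exactly one primary (preferred) subnet, which is the one that sources DHCP relay; every EPG references exactly one BD while many EPGs share it; and whether two endpoints can talk is decided by contracts between their EPGs, not by which subnet or BD they sit in. The tenant, VRF, BD, EPG, contract and filter names are assumptions made up for the example, and nothing is posted to a fabric.

```python
"""Added example: an APIC-style policy tree for one BD with two subnets shared
by several EPGs, plus checks for the invariants discussed in the thread.

All names (tenant "demo", VRF "prod", BD "bd-servers", EPGs web/db/legacy,
contract "db-access", filter "postgres") are assumptions for illustration.
The dict follows the APIC REST object model (fvTenant > fvBD > fvSubnet,
fvAp > fvAEPg > fvRsBd, vzBrCP) and could be POSTed to /api/mo/uni.json,
but this script only builds and inspects it offline.
"""
import json

TENANT, VRF, BD = "demo", "prod", "bd-servers"   # assumed names


def subnet(ip, preferred=False):
    # fvSubnet: 'preferred' marks the primary subnet. APIC allows one per BD,
    # and it is the address the leaf uses as the source of DHCP relay messages.
    return {"fvSubnet": {"attributes": {
        "ip": ip, "scope": "private", "preferred": "yes" if preferred else "no"}}}


def bridge_domain(name, vrf, subnets):
    # unicastRoute=yes makes the BD subnets pervasive gateways; unkMacUcastAct
    # 'proxy' is hardware proxy for unknown unicast instead of flooding.
    return {"fvBD": {"attributes": {
        "name": name, "unicastRoute": "yes", "arpFlood": "no",
        "unkMacUcastAct": "proxy"},
        "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}] + list(subnets)}}


def epg(name, bd, provides=(), consumes=()):
    # fvRsBd is the one-to-one EPG -> BD relation; fvRsProv/fvRsCons attach contracts.
    ch = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    ch += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    ch += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": ch}}


def contract(name, filt):
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filt}}}]}}]}}


def build_tenant():
    bd = bridge_domain(BD, VRF, [subnet("10.1.1.1/24", preferred=True),
                                 subnet("10.1.2.1/24")])          # two subnets, one BD
    ap = {"fvAp": {"attributes": {"name": "app"}, "children": [
        epg("web", BD, consumes=["db-access"]),
        epg("db", BD, provides=["db-access"]),
        epg("legacy", BD)]}}                                      # three EPGs, same BD
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        {"fvCtx": {"attributes": {"name": VRF}}}, bd, ap,
        contract("db-access", "postgres")]}}


def kids(mo, cls):
    """Direct children of managed object `mo` that are of class `cls`."""
    return [c[cls] for c in mo.get("children", []) if cls in c]


def walk(mo, cls):
    """Every object of class `cls` anywhere below `mo`."""
    for child in mo.get("children", []):
        for k, v in child.items():
            if k == cls:
                yield v
            yield from walk(v, cls)


def preferred_subnets(tenant):
    """BD name -> list of its primary (preferred) subnet gateways."""
    return {bd["attributes"]["name"]: [s["attributes"]["ip"] for s in kids(bd, "fvSubnet")
                                        if s["attributes"]["preferred"] == "yes"]
            for bd in kids(tenant["fvTenant"], "fvBD")}


def bd_errors(tenant):
    """A BD with several subnets must still have exactly one primary subnet."""
    return [f"BD {n}: {len(p)} preferred subnets, expected exactly 1"
            for n, p in preferred_subnets(tenant).items() if len(p) != 1]


def epg_bd_map(tenant):
    """EPG name -> BD name. Many EPGs may map to one BD; each EPG has one fvRsBd."""
    out = {}
    for e in walk(tenant["fvTenant"], "fvAEPg"):
        (rs,) = kids(e, "fvRsBd")          # exactly one BD relation per EPG
        out[e["attributes"]["name"]] = rs["attributes"]["tnFvBDName"]
    return out


def can_talk(tenant, src, dst):
    """Zoning check: EPG-to-EPG traffic needs a contract provided by one side and
    consumed by the other. Sharing a BD or even a subnet grants nothing by itself;
    traffic inside one EPG is permitted unless intra-EPG isolation is enabled."""
    if src == dst:
        return True
    epgs = {e["attributes"]["name"]: e for e in walk(tenant["fvTenant"], "fvAEPg")}

    def rel(name, cls):
        return {r["attributes"]["tnVzBrCPName"] for r in kids(epgs[name], cls)}

    return bool(rel(src, "fvRsProv") & rel(dst, "fvRsCons")
                or rel(src, "fvRsCons") & rel(dst, "fvRsProv"))


if __name__ == "__main__":
    t = build_tenant()
    print(json.dumps(t, indent=1))
    print(preferred_subnets(t), bd_errors(t), epg_bd_map(t))
    for pair in [("web", "db"), ("web", "legacy"), ("legacy", "legacy")]:
        print(pair, "permitted" if can_talk(t, *pair) else "dropped")
```

`can_talk` deliberately judges reachability at the contract level only: real contracts are directional and their subjects and filters decide ports and protocols, so this is the coarse "is there any contract between these zones" view, enough to show that an endpoint in `legacy` sitting in 10.1.1.0/24 next to the `web` servers is still dropped. The `bd_errors` check is the kind of validation worth running on generated policy before a POST, since two `preferred` subnets in one BD is a configuration APIC rejects.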
