Cisco ACI: ACI Configurations Best Practices - 1

melgebal
Cisco Employee

Hi All,

 

I want to share with you some of the best practices that should be applied on ACI:

 

Bridge-Domains Config Best Practices:

1- Always enable Unicast Routing even if it is an L2 BD (that helps in learning the IPs, which helps in troubleshooting when you are looking for an IP).

2- Disable the enforce-subnet-learning feature (someone may have configured multiple interfaces with different IPs in the same EPG, and otherwise you could not see them).

3- Endpoint Dataplane Learning should always be enabled.

 

Contracts Config Best Practices:

1- Filters should be created under the common tenant to be re-used in other tenants instead of duplicating them more and more.

2- Contracts and subjects must be created under their own tenant, and their names should include the source and destination EPGs, e.g. "WEB_APP"; they will contain the filters from the common tenant.

 

I hope this helps

Thanks

 

4 Replies

gmonroy
Cisco Employee

Hello Melgebal,

I think it would be helpful for all potential consumers of your outlined practices to understand the context and situation in which you would recommend the above, and specifically what caveats you are introducing by doing so. I would go so far as to mention there are some practices that have worked for you in your deployment, but should be taken with a grain of salt for other deployments. I mention this with the following in mind:

 

1. There is a Cisco Best Practices Guide for ACI which was vetted by both TAC and TMEs which contains recommendations which go against some of what you mention.

a. One example is that if you are using an L2-only BD, it is strongly recommended NOT to enable unicast routing, as this has the potential to cause problems related to IP learning and routing occurring through the fabric if not properly accounted for during design.

b. Another is related to "Limit learning to IP subnets", specifically why it became the default setting for new BDs. In general, if you are defining a subnet in ACI, you are having that IP act as a gateway for that subnet. The implication of learning IPs outside of that subnet is that either some external device is sending traffic to an unexpected VLAN, or a gateway configuration is missing on ACI that should be there to account for this subnet. I have not yet personally seen any scenarios where a user of ACI is purposefully learning IPs outside of the configured subnets.

c. Endpoint Dataplane Learning is on by default, and is an option with a very specific purpose (PBR for L4-L7).

 

Again, some context around why those settings work for you (and perhaps some insight into what your fabric was doing, maybe L2 only?) and what value you got from them would allow others to judge them truly for their setups.

 

-Gabriel

Hi Gmonroy,

 

Yes, you are right, and I totally agree with you. If you check my post you will find when we can use those settings and how they can help, but again, let's see when they can be applied:

 

1. a. Learning IPs would help everywhere, especially in migrations, while extending the VLANs as a phase and after that moving the GW to ACI.

 

b. From an operations and troubleshooting point of view in ACI environments, many servers with multiple interfaces are configured under the same EPG but have different IPs that may not be related to the EPG, such as data traffic and heartbeats, so that would help in troubleshooting.

 

In the end, I totally agree with you, but as you know, ACI is a new technology and not all customers have the same environments; that's why we should share our findings with them.

 

I kind of disagree with "enable Unicast Routing even if it's L2". When doing a migration where the GW resides outside of ACI, enabling unicast routing for L2 BDs has caused unexpected traffic flows for me in the past. So my question is:

When ACI knows the IP address in its mapping database, but the gateway for that IP is outside of the fabric, will ACI still send the packet to the gateway as expected? How does ACI work exactly in this scenario?

 

Peter

When configured as a pure L2 BD without unicast routing, and there is unknown unicast traffic that has to be forwarded, there are two possible behaviors depending on the configuration applied.

 

Hardware proxy: the device sends the packet to the spine proxy for lookup.
Flood: the packet is flooded in the fabric and reaches all the devices where the BD is present, and can then go out of the appropriate port where the endpoint is present (the gateway in your case).

 

Broadcast ARP requests are always flooded. When unicast routing is enabled, the device will learn endpoint IPs based on the ARP payload.

 

Please review https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_010.html#d25e1721a1635 for more details
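As an added example (not code from this thread or from Cisco), the following Python builds the APIC REST payloads for both positions taken above: the original post's bridge-domain and contract recommendations, and the Cisco guide settings gmonroy describes for an L2-only BD whose gateway stays outside the fabric. It also runs a small audit that flags the combination the replies warn about, namely unicast routing enabled on a BD that has no subnet, and IP learning not limited to the BD's subnets. Class and attribute names (fvBD, fvSubnet, fvRsCtx, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, unicastRoute, limitIpLearnToSubnets, ipLearning, unkMacUcastAct, arpFlood, tnVzFilterName) are assumed from the APIC object model and should be checked against the APIC version in use; the sample fabric is constructed.

```python
"""Build APIC REST payloads for the BD and contract settings discussed in the
thread and audit BDs for the caveats raised in the replies.

Assumed APIC object-model names; verify against your APIC version.
"""
import json


def yn(flag):
    """APIC booleans are the strings 'yes' / 'no'."""
    return "yes" if flag else "no"


def bridge_domain(name, vrf, subnets=(), unicast_routing=None,
                  limit_learning=None, unknown_unicast=None):
    """fvBD payload to POST under /api/mo/uni/tn-<tenant>.json.

    With no subnet the BD is treated as L2-only (gateway outside the fabric):
    unicast routing off, unknown unicast flooded so the frame reaches the
    gateway's port, ARP flooded. With a subnet ACI is the gateway: routing on,
    IP learning limited to the configured subnets, spine-proxy lookups.
    The keyword overrides let you express the original post's advice.
    """
    routed = bool(subnets)
    if unicast_routing is None:
        unicast_routing = routed
    if limit_learning is None:
        limit_learning = routed
    if unknown_unicast is None:
        unknown_unicast = "proxy" if routed else "flood"
    attrs = {
        "name": name,
        "unicastRoute": yn(unicast_routing),
        "limitIpLearnToSubnets": yn(limit_learning),
        "ipLearning": "yes",             # endpoint dataplane learning, default on
        "unkMacUcastAct": unknown_unicast,  # "proxy" or "flood"
        "arpFlood": yn(not routed),
    }
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
    for ip in subnets:
        children.append({"fvSubnet": {"attributes": {"ip": ip, "scope": "private"}}})
    return {"fvBD": {"attributes": attrs, "children": children}}


def common_filter(name, proto, ports):
    """vzFilter to POST under uni/tn-common so every tenant can reference it."""
    entries = []
    for port in ports:
        entries.append({"vzEntry": {"attributes": {
            "name": f"{proto}_{port}", "etherT": "ip", "prot": proto,
            "dFromPort": str(port), "dToPort": str(port)}}})
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def tenant_contract(consumer_epg, provider_epg, filter_names):
    """vzBrCP named after the EPG pair, POSTed under the application tenant.

    tnVzFilterName is resolved in the tenant first and then in common, so the
    filters themselves are not duplicated per tenant.
    """
    name = f"{consumer_epg}_{provider_epg}"
    subject = {"vzSubj": {"attributes": {"name": name}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
        for f in filter_names]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"},
                       "children": [subject]}}


def audit_bridge_domains(bds):
    """Return (bd name, reason) for the combinations the replies warn about."""
    findings = []
    for bd in bds:
        attrs = bd["fvBD"]["attributes"]
        has_subnet = any("fvSubnet" in c for c in bd["fvBD"]["children"])
        if attrs["unicastRoute"] == "yes" and not has_subnet:
            findings.append((attrs["name"], "unicast routing on a BD with no "
                             "subnet: gateway is outside the fabric, yet the "
                             "fabric learns IPs and may route through them"))
        if attrs["unicastRoute"] == "yes" and attrs["limitIpLearnToSubnets"] == "no":
            findings.append((attrs["name"], "IP learning not limited to the "
                             "BD's subnets: traffic on an unexpected VLAN or a "
                             "missing gateway subnet is learned silently"))
    return findings


def sample_fabric():
    """Constructed example: one BD per position taken in the thread."""
    return [
        # Cisco guide: L2-only BD during migration, gateway outside ACI
        bridge_domain("BD_WEB_L2", "PROD_VRF"),
        # Original post: routing on and subnet enforcement off, even with no subnet
        bridge_domain("BD_APP_L2", "PROD_VRF", unicast_routing=True, limit_learning=False),
        # Routed BD with ACI as the gateway
        bridge_domain("BD_DB", "PROD_VRF", subnets=["10.10.30.1/24"]),
    ]


if __name__ == "__main__":
    print(json.dumps(common_filter("HTTP_HTTPS", "tcp", [80, 443]), indent=2))
    print(json.dumps(tenant_contract("WEB", "APP", ["HTTP_HTTPS"]), indent=2))
    for name, reason in audit_bridge_domains(sample_fabric()):
        print(f"{name}: {reason}")
```

Run it once offline to see the JSON you would POST (with the usual `aaaLogin` cookie) to `uni/tn-common` for the filter and to the application tenant for the BDs and contract; the audit then reports only `BD_APP_L2`, the BD configured the way the original post recommends, on both counts.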
