We're about to deploy ACI at a customer and our design currently makes use of EPG-through-AEP deployment. We see several advantages in using this approach, one of which is that the customer is currently making use of Nexus-based port-profiles in his datacenter, which we can simulate using a dedicated AAEP that corresponds to a single port-profile. Adding/removing EPGs from the AAEP would correspond to adding/removing VLANs from the corresponding port-profile.
The customer has a lot of servers which are currently configured by using port-profiles, where the VLANs allowed on the trunk interfaces are configured in the port-profile. Since there is quite some movement in the assigned VLANs, it is very handy to just modify the port-profile (instead of every single trunk port...).
At another customer we spoke to the BU about using EPG-through-AEP deployment and it was fine for the BU to go that way...
However, one of my colleagues recently got feedback from Cisco Advanced Services and they strongly disagreed with making use of EPG-through-AEP deployment. Unfortunately, we didn't get more feedback, since this was a different customer...
However, if you Google around you find quite some blogs/posts (even here in the Cisco community) that strongly recommend using static path binding instead of EPG-through-AEP; however, it's almost always without strong arguments, most of the time only "it's not best practice" is mentioned ?!
So is there anybody that could explain what the problem with this approach could be, or are there any bad experiences?
Thanks for any reply and best regards,
I have seen both approaches in the field so far.
No bad experiences with either of those.
I just personally prefer to set the Static Ports in the EPG, because for myself, this simplifies troubleshooting and information gathering via the APIC GUI a little bit.
This is also the way which I see much more used in the field. It is not that often that I see the EPG Bindings directly with the AEP.
But in my experience, at the end of the day, technically it should not make any difference.
Thanks for sharing your experiences. Good to know that the EPG-through-AEP way is not completely insane.
Would be good to get the thoughts of other community members as well!
Hello, @abourges,
I was just getting ready to post almost this exact same question. We are just now deploying our second ACI fabric. The first time was for a rather uniformly-used DC for HPC, whereby it made a lot of sense to deploy EPGs using AEP bindings because almost every port on almost every switch dumped into the same VLAN, and we were able to tightly control which physical ports on each switch needed any given network.
Our latest deployment is for a more general-use DC, such that port to network assignments could generally be all over the place. As such, I have opted to deploy network attachments through static paths. This approach seems to lend itself well to more API-driven configuration such that it becomes pretty easy to repeat certain object naming, numbering, and description components, but we are still working on our Ansible-backed API workflows. In the same vein, this approach works toward one of my design goals of reducing policy and configuration messiness in the UI.
However, what has really struck me when demonstrating to my co-workers how to operate this thing with the GUI is that our current practice is really just kind of clunky. I mean, when you follow some others' recommended practices of creating and assigning policies with uniform granularity, it really becomes a "slog" to move around in the GUI to several places to assign several ports to one or more EPGs. I would really like port configurations and assignments to be much easier or done more lazily. The downsides it seems are the potential for AEP and interface policy configuration sprawl and the potential to ultimately limit our ability to implement efficient API workflows.
I would really like to hear some others' opinions about this based on their own experiences. Maybe someone out there has some misgivings about proceeding one way or the other.
In the last few years I also see both approaches in the field. But mainly in our projects we saw EPG static path binding.
With the EPG-through-AEP approach there comes, from my perspective (and from customer feedback), more complexity into the design. But I never saw any problems (other than human errors) because of EPG-through-AEP mapping.
I see this is an old topic, but maybe it will be useful.
I am also looking for the best solution to this problem.
I found this note about EPG-through-AEP:
EPG association with the AEP without static binding does not work in a scenario when you configure the EPG as Trunk under the AEP with one end point under the same EPG supporting Tagging and the other end point in the same EPG does not support VLAN tagging. While associating AEP under the EPG, you can configure it as Trunk, Access (Tagged) or Access (Untagged).
It is a little restriction in usage.
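To make the difference between the two binding styles concrete for the API-driven workflow discussed earlier in the thread and for the trunk/untagged restriction quoted just above, here is an added Python example (not code from the thread, from Cisco, or from any project it mentions). It builds the JSON payloads APIC expects for both styles, using the real APIC object classes fvRsPathAtt (static path under the EPG) and infraRsFuncToEpg (EPG under the AEP's infraGeneric function). The tenant/EPG name, AEP names, policy group names and the leaf/port inventory are all constructed for the example and stand in for the access-policy chain (leaf profile -> interface selector -> policy group -> AEP) that a real fabric resolves for you.

```python
import re

# Hypothetical EPG distinguished name used throughout (constructed).
EPG_DN = "uni/tn-demo/ap-app/epg-web"

# Constructed fabric inventory: which interface policy group each leaf port
# is selected by, and which AEP each policy group points to. In a real
# fabric this is derived from leaf profiles and interface selectors.
FABRIC = {
    ("101", "eth1/1"): "pg-esx-trunk",
    ("101", "eth1/2"): "pg-esx-trunk",
    ("102", "eth1/1"): "pg-esx-trunk",
    ("102", "eth1/5"): "pg-bmc-access",
}
POLICY_GROUP_AEP = {
    "pg-esx-trunk": "aep-esx",
    "pg-bmc-access": "aep-bmc",
}

# APIC encodes the binding mode on the relation object:
#   "regular"  -> Trunk, "native" -> Access (802.1P/tagged), "untagged" -> Access (untagged)
VALID_MODES = {"regular", "native", "untagged"}


def static_path_payload(epg_dn, bindings):
    """Static path binding: one fvRsPathAtt child per (node, port, vlan, mode)
    directly under the EPG. Each port can carry its own mode."""
    children = []
    for node, port, vlan, mode in bindings:
        if mode not in VALID_MODES:
            raise ValueError(f"unknown mode {mode!r}")
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{node}/pathep-[{port}]",
            "encap": f"vlan-{vlan}",
            "mode": mode,
            "instrImedcy": "immediate",
        }}})
    return {"fvAEPg": {"attributes": {"dn": epg_dn}, "children": children}}


def aep_binding_payload(aep_name, epg_dn, vlan, mode):
    """EPG-through-AEP: a single infraRsFuncToEpg under the AEP's 'default'
    infraGeneric function. The one mode applies to every port that resolves
    to this AEP, which is the restriction quoted in the thread."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    return {"infraAttEntityP": {
        "attributes": {"dn": f"uni/infra/attentp-{aep_name}"},
        "children": [{"infraGeneric": {
            "attributes": {"name": "default"},
            "children": [{"infraRsFuncToEpg": {"attributes": {
                "tDn": epg_dn,
                "encap": f"vlan-{vlan}",
                "mode": mode,
                "instrImedcy": "immediate",
            }}}],
        }}],
    }}


_PATH_RE = re.compile(r"paths-(\d+)/pathep-\[([^\]]+)\]")


def ports_from_static_paths(payload):
    """Troubleshooting view: with static paths the EPG object itself lists
    its ports, so one read of the EPG answers 'which ports carry this EPG?'."""
    ports = []
    for child in payload["fvAEPg"]["children"]:
        m = _PATH_RE.search(child["fvRsPathAtt"]["attributes"]["tDn"])
        ports.append((m.group(1), m.group(2)))
    return sorted(ports)


def ports_from_aep(aep_name, fabric=FABRIC, pg_to_aep=POLICY_GROUP_AEP):
    """With EPG-through-AEP the EPG shows no ports; you walk the access
    policy chain backwards from the AEP to find them."""
    return sorted((node, port) for (node, port), pg in fabric.items()
                  if pg_to_aep[pg] == aep_name)


def mixed_modes(bindings):
    """True when the same EPG needs different modes on different ports, e.g.
    a tagged ESXi trunk and an untagged BMC port. Static paths can express
    this; a single AEP binding cannot."""
    return len({mode for _, _, _, mode in bindings}) > 1


if __name__ == "__main__":
    web = [("101", "eth1/1", 100, "regular"), ("102", "eth1/5", 100, "untagged")]
    print(ports_from_static_paths(static_path_payload(EPG_DN, web)))
    print(ports_from_aep("aep-esx"))
    print("needs per-port modes:", mixed_modes(web))
```

The `mixed_modes` check is the point of the quoted restriction: when one EPG must reach both a tagged and an untagged endpoint, `static_path_payload` produces a valid object per port, while `aep_binding_payload` carries exactly one mode for every port the AEP covers, so that case has to be modelled with static paths (or a second AEP).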