EPG without a physical domain association

glezJos91986
Level 1

Hello community,

Is it required to assign a physical domain to an EPG? Isn't the static path assignment enough? In that case, what exactly is the purpose of assigning a physical domain to an EPG?

As I understood when I went over some documentation, the domain is necessary because it provides the range of VLANs that we are allowed to use in the static path assignment; that is, if our domain includes VLANs 300-350, we just cannot assign VLAN 250 to an EP within that EPG.


My confusion came from the fact that in an online ACI course, the engineer forgot to include a domain in the EPG and he was still able to assign a VLAN under the static port assignment for both EPs, and the EPs were also able to communicate with each other with no problem at all, with no domain defined for the EPG at that point!!!


Is that the way that is supposed to be? Am I missing something here?

Accepted Solution

Robert Burns
Cisco Employee

[Edited: Corrected statement on feature name per Chris' catch]

Yes, it's going to work without assigning a domain to the EPG.  I raised the enhancement to correct this behavior many years ago and we introduced the "Enforce Domain Validation" feature under the System Settings - Fabric Wide Settings - Enforce Domain Validation.  With this enabled (best practice to turn this on) it will NOT program the VLAN on the interface.  Instead it will raise a fault.  Even running with the configuration you have, ACI will still raise a fault on the EPG, but the programming will still be applied on the interface.  Obviously this isn't a good idea as the Domain becomes an RBAC control point where an Infrastructure/Access Policy Admin can restrict Tenant Admins from mistakenly assigning VLANs to interfaces they shouldn't be.

Robert
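The condition Robert describes (static path bindings on an EPG with no domain, which Enforce Domain Validation refuses to program) can be audited across a fabric before the setting is flipped. The following is an added example, not Cisco's code or anything posted in this thread: it parses a constructed JSON sample shaped like an APIC class query response for fvAEPg with its fvRsDomAtt and fvRsPathAtt children; the tenant, domain, path and VLAN values are made up.

```python
"""Audit an APIC query result for EPGs that carry static path bindings but
no domain association. SAMPLE_APIC_RESPONSE is a constructed sample shaped
like the response to
  GET /api/class/fvAEPg.json?rsp-subtree=children&rsp-subtree-class=fvRsDomAtt,fvRsPathAtt
All names and values in it are illustrative, not from a real fabric."""
import json

SAMPLE_APIC_RESPONSE = json.dumps({"totalCount": "2", "imdata": [
    {"fvAEPg": {"attributes": {"dn": "uni/tn-DEMO/ap-APP1/epg-WEB"},
                "children": [
        {"fvRsDomAtt": {"attributes": {"tDn": "uni/phys-DEMO_PhysDom"}}},
        {"fvRsPathAtt": {"attributes": {
            "tDn": "topology/pod-1/paths-101/pathep-[eth1/1]", "encap": "vlan-300"}}}]}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-DEMO/ap-APP1/epg-DB"},
                "children": [
        {"fvRsPathAtt": {"attributes": {
            "tDn": "topology/pod-1/paths-102/pathep-[eth1/2]", "encap": "vlan-250"}}}]}},
]})

def audit_epg_domains(apic_json: str) -> list:
    """Return one finding per EPG that has fvRsPathAtt children but no
    fvRsDomAtt child. Each finding carries the EPG dn and the (path, encap)
    pairs that would stop being programmed once Enforce Domain Validation
    is enabled, as the thread describes."""
    findings = []
    for item in json.loads(apic_json)["imdata"]:
        epg = item.get("fvAEPg")
        if epg is None:
            continue
        domains, paths = [], []
        for child in epg.get("children", []):
            if "fvRsDomAtt" in child:
                domains.append(child["fvRsDomAtt"]["attributes"]["tDn"])
            elif "fvRsPathAtt" in child:
                attrs = child["fvRsPathAtt"]["attributes"]
                paths.append((attrs["tDn"], attrs["encap"]))
        if paths and not domains:
            findings.append({"epg": epg["attributes"]["dn"], "paths": paths})
    return findings

if __name__ == "__main__":
    for finding in audit_epg_domains(SAMPLE_APIC_RESPONSE):
        print(f"{finding['epg']}: {len(finding['paths'])} static path(s), no domain")
        for path, encap in finding["paths"]:
            print(f"  {path} {encap}")
```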


13 Replies


Thank you Robert! I did not know about that "Enforce EPG VLAN Validation" option, it all makes sense now!

By the way, is that feature enabled as the default behavior for ACI? Or do we actually need to keep in mind to enable it as a best practice, like you mentioned?


Thanks again!

Since it wasn't a day-one feature, it must be enabled manually. By default this feature is disabled.

Robert

Got it, thank you so much Robert!

I was really struggling with that since I noticed it by mistake.

Accident or not, that's a good catch to notice this behavior.  It shows you're verifying your policy deployment and then questioning its operation - which I love to see.  Anytime your team configures Tenant policies, always check the configured object itself (EPG/BD etc.) or the parent Tenant (which they all roll up into) for any faults.  Quick and easy way to find & avoid issues.

Let us know if you have any other Qs.

Robert 

Thank you so much, I really appreciate it!!

RedNectar
VIP

Hi @glezJos91986 ,

Just three points to add to Robert's explanations.

Firstly, @robert is not EXACTLY right when he says:

"Enforce Domain Validation" feature under the System Settings - Fabric Wide Settings - Enforce EPG VLAN Validation (previously called Domain Validation)

because it is STILL called Enforce Domain Validation - AND there is a DIFFERENT option to Enforce EPG VLAN Validation.


So, @glezJos91986 - the feature that you really need is indeed the Enforce Domain Validation - NOT the Enforce EPG VLAN Validation.

Secondly, you need to understand that IF you have taken APIC Fabric backups or snapshots BEFORE you flick the ACI Enforce Domain Validation option on, you will NOT be able to restore them once the option has been toggled. This is because once it's turned on, you can't turn it off. And if you were to restore a Fabric backup, it would be attempting to turn the switch off.

And thirdly, and this is really cosmetic - I want to make sure you know about the best App you can add to ACI - it's called the Policy Viewer - and when installed, you can look at your EPGs and see the whole Tenant AND Access Policy Chain - but ONLY after the EPG has been linked to the Domain. It is just AWESOME.


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thank you so much Chris for the clarification/explanation and pictures.

I am really curious about this policy viewer, I will dig into it since it seems pretty useful.


Thanks!

Hi,

I have one question on enabling Enforce Domain Validation. Currently in our ACI fabric it's not enabled. If I want to enable it, will it impact current EPG traffic flow, like MAC flapping or no MAC received on the EPG? Please answer my question as soon as possible so I can take a decision to enable that parameter on our ACI.

Robert Burns
Cisco Employee

I can always count on Chris to keep me honest!  Serves me right trying to answer from memory.  Updated my original response to keep the information accurate.

Robert

I appreciate your time in clarifying this matter, thanks a lot.

BertiniB
Level 1

Hello, sorry for reviving such an old post. But is this behaviour possible because it is a Port-Channel or a vPC, since you specify the Policy Group which itself is linked to the VLAN Pool?


Because if I try this with an Individual Port, where I only specify the interface and no Policy Group, it requires the Domain to work.

Just trying to understand how ACI thinks. Didn't want to create another Post.


Hi @BertiniB ,

This post is already answered. If the answer didn't answer your question, ask a new one (with reference to this one if necessary).

RedNectar aka Chris Welsh.