15377 Views | 17 Helpful | 8 Replies

L2 out in ACI

Anuj Singhi (Level 1)

Hi Guys,

I have a question regarding L2 out in ACI. Normally there are two ways by which we can extend the L2 network outside the fabric. One is adding a physical domain or extending the EPG, and the second one is adding an L2 bridged domain or extending the BD to the outside network.

Now while extending the BD outside the fabric, we extend all the EPGs which are part of the BD to the external network. Whatever documents I have read are talking about one BD having a single subnet, although it is shared by one or more EPGs in the BD, which makes it easy to describe, but what if there are different subnets in the BD corresponding to the number of EPGs (EPG1, EPG2, EPG3 with subnets 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24)?

Now in L2 out, we can only associate one VLAN through the external bridged network and associate that VLAN with the external EPG, which can talk to our EPG in the BD through contracts, but the other side should be in the same VLAN segment (let's say 1.1.1.0/24).

What if the external network is a trunk and I want to have multiple VLANs talk to the fabric? Can I extend the same BD more than once using the same L2 out profile but different VLANs? In that way I can have different subnets configured in the BD talk to the external subnets falling in the same range.

Thanks,

Anuj


8 Replies

RedNectar (VIP)

Hi Anuj,

Here are some comments.

 

Now while extending the BD outside the fabric, we extend all the EPGs which are part of the BD to the external network. Whatever documents I have read are talking about one BD having a single subnet, although it is shared by one or more EPGs in the BD, which makes it easy to describe, but what if there are different subnets in the BD corresponding to the number of EPGs (EPG1, EPG2, EPG3 with subnets 1.1.1.0/24, 2.2.2.0/24 and 3.3.3.0/24)?

The easiest way to achieve this is by simply mapping the external VLANs to their respective EPGs without using L2Outs, assuming each VLAN corresponds to a subnet and EPG. Is there a special reason why you want to use L2Outs?

Now in L2 out, we can only associate one VLAN through the external bridged network and associate that VLAN with the external EPG, which can talk to our EPG in the BD through contracts, but the other side should be in the same VLAN segment (let's say 1.1.1.0/24).

I'm not quite sure what you are getting at here, but there's nothing stopping you from having multiple VLANs mapped to the same Bridge Domain if that's what you want to do.

What if the external network is a trunk and I want to have multiple VLANs talk to the fabric? Can I extend the same BD more than once using the same L2 out profile but different VLANs?

No.  You have to create multiple L2Outs - like you say, one per VLAN.

In that way I can have different subnets configured in the BD talk to the external subnets falling in the same range?

If you want to map multiple VLANs to the SAME EPG, don't use L2Outs.  Use a regular Application EPG. Or you could use multiple L2Outs mapped to the same BD.  In either case, the BD would be configured with multiple IP addresses.

 

I hope this helps

RedNectar
aka Chris Welsh


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

"The easiest way to achieve this is by simply mapping the external VLANs to their respective EPGs without using L2Outs, assuming each VLAN corresponds to a subnet and EPG. Is there a special reason why you want to use L2Outs?"

Mapping external VLANs to their respective EPGs - do you mean using a physical domain wherein I can map multiple EPGs to one leaf port, hence configuring it as a trunk?

This is the easiest way, but is there any other way, or a "difficult" way to do it?

"No.  You have to create multiple L2Outs - like you say, one per VLAN."

Let me describe here a bit - so while creating the L2out, you need to define a static VLAN pool which normally has only one VLAN (Vlan-X), which gets associated with the BD when we define the External Bridged Network, and it maps one EPG to Vlan-X, and through it external communication takes place.

Now if I define a second VLAN pool (Vlan-Y) and associate the leaf interface with the same AEP. So while configuring the External Bridged Network, can I select the same L2out Profile but Vlan-Y this time to map a second EPG on the same leaf port? Which would eventually lead me to have two external VLAN communications to two EPGs inside the BD with different subnets?


Mapping external VLANs to their respective EPGs - do you mean using a physical domain wherein I can map multiple EPGs to one leaf port, hence configuring it as a trunk?

This is the easiest way, but is there any other way, or a "difficult" way to do it?

Yes, this is the easiest way. Using a physical domain where you can map multiple EPGs to one leaf port. All ports in ACI are trunks (unless you map an EPG to a port as untagged).  And using L2Outs is definitely more difficult.

"No.  You have to create multiple L2Outs - like you say, one per VLAN."
Let me describe here a bit - so while creating the L2out, you need to define a static VLAN pool which normally has only one VLAN (Vlan-X)

No it doesn't.  The VLAN Pool can have as many VLANs in it as you want.

which gets associated with the BD

Not quite.  The VLAN Pool is associated with the L2 External Domain, which is linked to the External Bridged Network, which is linked to the BD. So same result, I guess.

when we define the External Bridged Network, and it maps one EPG to Vlan-X, and through it external communication takes place.

Correct

Now if I define a second VLAN pool (Vlan-Y) and associate the leaf interface with the same AEP.

Yes, you could do that, but you are making it more complicated.  Far easier to have just one VLAN Pool.

So while configuring the External Bridged Network, can I select the same L2out Profile but Vlan-Y this time to map a second EPG on the same leaf port?

No.  You need a new L2Out for EVERY VLAN. But you can have multiple L2Outs linked to the same Bridge Domain, which...

Which would eventually lead me to have two external VLAN communications to two EPGs inside the BD with different subnets?

...will eventually lead you to have two external VLANs inside the BD with different subnets. Each VLAN will need a contract to talk to any other VLAN.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks mate..!!!

One last thing:

"No it doesn't.  The VLAN Pool can have as many VLANs in it as you want"

I guess a VLAN pool is only possible when you are creating a VMM domain. When you create a pool for an L2out there has to be only one VLAN in the VLAN pool, with allocation set to "static", and that gets associated with one EPG.

You can't create a VLAN pool with more than one VLAN and associate it with an External Bridge Domain profile, if I am not wrong.


You can't create a VLAN pool with more than one VLAN and associate it with an External Bridge Domain profile, if I am not wrong.


Sorry. But you are wrong :)

Not really, I think confused is a better expression.  And why wouldn't you be confused, with so much inconsistency in Cisco naming?  Even "L2Out" is not actually used anywhere "officially".  In the Tenant space, you have External Bridged Networks - which is so cumbersome that no one uses that term, instead opting for the far simpler L2Out.  You can only have one VLAN associated with an External Bridged Network.  But VLAN Pools are associated with Domains, the relevant type of Domain in this case being an External Bridged Domain.  [Not "External Bridge Domain profile": a Profile contains a list of things, so if there was such a thing as an "External Bridge Domain profile" it would be a "list of External Bridge Domains" - OMG - we have one of those, it's called an Attachable Access Entity Profile. Sorry. I digress - not to be critical but to hopefully clear this up]. Now, an External Bridged Domain is linked to just ONE VLAN Pool, but that VLAN Pool can have multiple entries, each with multiple VLANs.

Here's a little picture of the relationships that I just happen to be working on right now. It may help.

[image: RedNectar's diagram of the relationships between VLAN Pool, External Bridged Domain, AEP, External Bridged Network and Bridge Domain]

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks a lot..you are right and I just figured it out while on the lift :)....We can create multiple VLANs in a VLAN pool and select the allocation as static. Then while configuring the External Bridged Network, I can associate any VLAN out of that pool with my external EPG, which will then communicate with my internal EPG in that domain.

Likewise we can repeat the same process and create another External Bridged Network, associate another VLAN from the pool and associate it with another external EPG, which will again talk to my second internal EPG in that particular BD.

Vlan Pool- 2,3

External Bridged Domain- A1

External Bridged Network- C1, C2

AEP- A2

BD- BD1

Now the association would be:

A1 associated with Vlan Pool associated with AEP(A2) associated with C1 associated with BD1 with vlan2

A1 associated with Vlan Pool associated with AEP(A2) associated with C2 associated with BD1 with vlan3

 

Is it right?


@Anuj Singhi wrote:

Thanks a lot..you are right and I just figured it out while on the lift :)....We can create multiple VLANs in a VLAN pool and select the allocation as static. Then while configuring the External Bridged Network, I can associate any VLAN out of that pool with my external EPG, which will then communicate with my internal EPG in that domain.

Likewise we can repeat the same process and create another External Bridged Network, associate another VLAN from the pool and associate it with another external EPG, which will again talk to my second internal EPG in that particular BD.

Vlan Pool- 2,3

External Bridged Domain- A1

External Bridged Network- C1, C2

AEP- A2

BD- BD1

Now the association would be:

A1 associated with Vlan Pool associated with AEP(A2) associated with C1 associated with BD1 with vlan2

A1 associated with Vlan Pool associated with AEP(A2) associated with C2 associated with BD1 with vlan3

 

Is it right?


You got it.  In fact, EPGs don't even have to be linked to the same BD to be able to talk to each other; the only requirement is contracts between EPGs.

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
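As an added worked example (not from the original thread or from Cisco), here is the object tree behind the layout Anuj and RedNectar agreed on, built and checked in Python: one VLAN pool (vlan-2 and vlan-3, static allocation) behind External Bridged Domain A1, AEP A2 pointing at that domain, and two L2Outs C1 and C2 that both extend BD1, one VLAN each. A checker enforces the rules RedNectar stated: one VLAN per L2Out, VLANs drawn from the single pool behind the domain, no VLAN reused on the same leaf port, and a contract on every external EPG (without one the external segment is reachable by nobody, which is the fabric's whitelist default and the reason the thread insists on contracts). Assumptions: the APIC class and relation names (fvnsVlanInstP, fvnsEncapBlk, l2extDomP, infraRsVlanNs, infraAttEntityP, infraRsDomP, l2extOut, l2extRsEBd, l2extRsL2DomAtt, l2extLNodeP, l2extLIfP, l2extRsPathL2OutAtt, l2extInstP, fvRsProv) are written from memory of the APIC object model and should be checked against the Management Information Model reference for your release; the tenant name "T1", the contract names and the leaf path are invented. Nothing here talks to a real APIC.

```python
"""L2Out layout from the thread as APIC-style JSON, plus a consistency checker.

Class names are written from memory of the APIC object model (assumption, verify
against your release's MIM reference). Tenant, contract and path names are made up.
"""
import json

TENANT = "T1"                     # assumed tenant name
POOL = "L2OUT-POOL"               # VLAN pool (Anuj's "Vlan Pool- 2,3")
L2DOM = "A1"                      # External Bridged Domain
AEP = "A2"                        # Attachable Access Entity Profile
BD = "BD1"                        # Bridge Domain being extended
LEAF_PATH = "topology/pod-1/paths-101/pathep-[eth1/1]"  # assumed trunk port


def vlan_pool(name, first, last):
    """fvnsVlanInstP under uni/infra with ONE static encap block first..last."""
    blk = {"from": f"vlan-{first}", "to": f"vlan-{last}", "allocMode": "static"}
    return {"fvnsVlanInstP": {"attributes": {"name": name, "allocMode": "static"},
                              "children": [{"fvnsEncapBlk": {"attributes": blk}}]}}


def l2_external_domain(name, pool):
    """l2extDomP (uni/l2dom-<name>); infraRsVlanNs binds it to exactly one pool."""
    ns = {"tDn": f"uni/infra/vlanns-[{pool}]-static"}
    return {"l2extDomP": {"attributes": {"name": name},
                          "children": [{"infraRsVlanNs": {"attributes": ns}}]}}


def aep(name, l2dom):
    """infraAttEntityP that the leaf interface policy group selects; links the domain."""
    dom = {"tDn": f"uni/l2dom-{l2dom}"}
    return {"infraAttEntityP": {"attributes": {"name": name},
                                "children": [{"infraRsDomP": {"attributes": dom}}]}}


def l2out(name, bd, vlan, l2dom, leaf_path, ext_epg, contract):
    """One External Bridged Network (L2Out) under fvTenant: one BD, one encap, one external EPG."""
    return {"l2extOut": {"attributes": {"name": name}, "children": [
        {"l2extRsEBd": {"attributes": {"tnFvBDName": bd, "encap": f"vlan-{vlan}"}}},
        {"l2extRsL2DomAtt": {"attributes": {"tDn": f"uni/l2dom-{l2dom}"}}},
        {"l2extLNodeP": {"attributes": {"name": "nodes"}, "children": [
            {"l2extLIfP": {"attributes": {"name": "ifs"}, "children": [
                {"l2extRsPathL2OutAtt": {"attributes": {"tDn": leaf_path}}}]}}]}},
        {"l2extInstP": {"attributes": {"name": ext_epg}, "children": [
            {"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}}]}},
    ]}}


def _encap_id(encap):
    return int(encap.split("-", 1)[1])


def pool_vlans(pool_mo):
    """Set of VLAN ids covered by every encap block in the pool."""
    ids = set()
    for c in pool_mo["fvnsVlanInstP"]["children"]:
        a = c["fvnsEncapBlk"]["attributes"]
        ids.update(range(_encap_id(a["from"]), _encap_id(a["to"]) + 1))
    return ids


def _paths(l2out_mo):
    for n in l2out_mo["l2extOut"]["children"]:
        for lif in n.get("l2extLNodeP", {}).get("children", []):
            for p in lif.get("l2extLIfP", {}).get("children", []):
                if "l2extRsPathL2OutAtt" in p:
                    yield p["l2extRsPathL2OutAtt"]["attributes"]["tDn"]


def check_layout(l2outs, pool_mo, l2dom):
    """Return a list of rule violations; an empty list means the layout is consistent."""
    problems, allowed, seen = [], pool_vlans(pool_mo), {}
    for mo in l2outs:
        name, kids = mo["l2extOut"]["attributes"]["name"], mo["l2extOut"]["children"]
        ebd = [k["l2extRsEBd"]["attributes"] for k in kids if "l2extRsEBd" in k]
        if len(ebd) != 1:   # the misconception from the thread: one L2Out, many VLANs
            problems.append(f"{name}: an L2Out extends one BD on one VLAN, found {len(ebd)} l2extRsEBd")
            continue
        vlan = _encap_id(ebd[0]["encap"])
        if vlan not in allowed:
            problems.append(f"{name}: vlan-{vlan} is outside the pool behind domain {l2dom}")
        if [k["l2extRsL2DomAtt"]["attributes"]["tDn"] for k in kids
                if "l2extRsL2DomAtt" in k] != [f"uni/l2dom-{l2dom}"]:
            problems.append(f"{name}: not attached to uni/l2dom-{l2dom}")
        for path in _paths(mo):   # same encap twice on one port would collide
            if (path, vlan) in seen:
                problems.append(f"{name}: vlan-{vlan} on {path} already used by {seen[(path, vlan)]}")
            seen[(path, vlan)] = name
        epgs = [k["l2extInstP"] for k in kids if "l2extInstP" in k]
        if not epgs:
            problems.append(f"{name}: no external EPG (l2extInstP)")
        for e in epgs:   # zero-trust default: no contract, no communication
            if not [r for r in e.get("children", []) if "fvRsProv" in r or "fvRsCons" in r]:
                problems.append(f"{name}/{e['attributes']['name']}: no contract, the external VLAN cannot talk to any EPG")
    return problems


def build_layout():
    """The thread's final layout: pool 2-3 -> A1 -> A2; C1 on vlan-2 and C2 on vlan-3, both into BD1."""
    pool, dom, attach = vlan_pool(POOL, 2, 3), l2_external_domain(L2DOM, POOL), aep(AEP, L2DOM)
    outs = [l2out("C1", BD, 2, L2DOM, LEAF_PATH, "ext-epg-vlan2", "ctr-vlan2"),
            l2out("C2", BD, 3, L2DOM, LEAF_PATH, "ext-epg-vlan3", "ctr-vlan3")]
    return pool, dom, attach, outs


def tenant_payload(outs):
    """Body for POST /api/mo/uni/tn-<TENANT>.json; infra objects are posted under uni separately."""
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": outs}}


if __name__ == "__main__":
    pool, dom, attach, outs = build_layout()
    print(json.dumps(tenant_payload(outs), indent=1))
    print("problems:", check_layout(outs, pool, L2DOM))
```

The checker is deliberately the interesting part: running it on a hand-edited copy with a second l2extRsEBd under C1, a vlan-4 that is not in the pool, or an external EPG stripped of its fvRsProv reproduces each of the mistakes discussed above as a one-line finding, before anything is pushed to a fabric.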
