2381 Views, 5 Helpful, 4 Replies

port-encap vs Primary Vlan

mmacdonald70
Level 1

I'm having trouble wrapping my head around the purpose for the Port-encap pools and how to use them.  When configuring a bare metal server, we still seem to need to assign a vlan to the port even if the traffic will be coming in untagged.  How is this port encap vlan pool used and how should it be optimally configured?

As an example, if I had three EPGs.  Each of these EPGs contains a bare metal server with untagged traffic and a L2 external domain.  The end result would be that each server can communicate with a vlan on the NXOS datacenter.  In NXOS I would have:

int e1/1
switchport access vlan 5

int e1/2
switchport access vlan 6

int e1/3
switchport access vlan 7

int e1/4
switchport mode trunk

If I was to do this in ACI, would each server be in a different physical domain?  Would they all need to use different port-encap pools?

4 Replies

stcorry
Cisco Employee

Hello! In this case the simplest way would be to deploy this with a single Domain. The Domain is really just a way to tie physical policy into the security Policy.

You'd configure a vlan pool with the 3 VLANs. The servers would each get a static path specifying the VLAN and 802.1p in their respective EPG. 

In each EPG, you'd also configure a path to eth1/4 with the same encap VLAN. 

In each EPG, you'd have 2 static paths, one for the server, one for the switch. 

In each EPG you'd configure a single domain. The domain would have a VLAN pool that specifies VLANs 5-7 in this case. 

lpember
Level 1

My answers are bolded inline:

I'm having trouble wrapping my head around the purpose for the Port-encap pools and how to use them.  When configuring a bare metal server, we still seem to need to assign a vlan to the port even if the traffic will be coming in untagged.  How is this port encap vlan pool used and how should it be optimally configured?

Even though you are going to have the traffic coming in untagged, within ACI we need to consume a vlan encapsulation to map that traffic to an EPG. So you're not tagging the port with that VLAN, you're consuming that VLAN as a hardware resource for that EPG. One thing people will do is choose a higher-numbered VLAN that they won't be trunking within their network to do this.

As an example, if I had three EPGs.  Each of these EPGs contains a bare metal server with untagged traffic and a L2 external domain.  The end result would be that each server can communicate with a vlan on the NXOS datacenter.  In NXOS I would have:

int e1/1
switchport access vlan 5

int e1/2
switchport access vlan 6

int e1/3
switchport access vlan 7

int e1/4
switchport mode trunk

If I was to do this in ACI, would each server be in a different physical domain?  Would they all need to use different port-encap pools?

In this case each server would not need to be in a different physical domain or VLAN pool. You could make a static VLAN pool with VLANs 5-7 and link it to the same physical domain. Then you would link that physical domain to eth1/2, eth1/3, and eth1/4.

Thanks!  I think that I mostly get it.  If I understand correctly, port encap is used to identify traffic that enters an EPG.  I also seem to recall that we can't use the same vlan for port encap as the vlan tag.

If this is the case, would I use (for example) vlan 2005, 2006, 2007 for the vlan pool, configure e1/1 with 2005, port mode 802.1p, and configure e1/4 with 2005, port mode trunk and tag vlan 5?

If so I assume that if I wanted to add a new bare metal to this EPG, I would also configure it with vlan 2005.

If this is the case, would I use (for example) vlan 2005, 2006, 2007 for the vlan pool, configure e1/1 with 2005, port mode 802.1p, and configure e1/4 with 2005, port mode trunk and tag vlan 5?

Both of the Static Paths in the EPG would get the Same VLAN Encap because they are in the same EPG. 
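The following is an added example, not code from this thread and not Cisco's own tooling. It builds the APIC REST payloads for the design the replies above describe: one static VLAN pool with VLANs 5-7, one physical domain bound to it, and per EPG two static paths that share one encap, the server port in 802.1p mode and eth1/4 in trunk mode. The object-model class and attribute names (fvnsVlanInstP, fvnsEncapBlk, physDomP, infraRsVlanNs, fvTenant, fvAp, fvAEPg, fvRsBd, fvRsDomAtt, fvRsPathAtt, and the path modes "native" for 802.1p and "regular" for trunk) are the standard ACI names; the tenant, application profile, bridge domain, pool and domain names and the pod/leaf numbers are assumptions. Nothing is pushed to an APIC; the script only builds and checks the payload.

```python
"""Build APIC REST payloads for the three-EPG bare-metal design discussed above.

Added example: not from the thread and not Cisco code. ACI class/attribute names
are the standard object-model names; tenant/AP/BD/pool/domain names and the
pod/leaf numbers are assumptions.
"""
import json

LEAF_PATHS = "topology/pod-1/paths-101"  # assumption: all four ports are on leaf 101 in pod 1


def vlan_pool(name, first, last):
    """Static VLAN pool: the encap range the EPGs are allowed to consume."""
    return {"fvnsVlanInstP": {
        "attributes": {"dn": f"uni/infra/vlanns-[{name}]-static",
                       "name": name, "allocMode": "static"},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{first}", "to": f"vlan-{last}", "allocMode": "static"}}}]}}


def physical_domain(name, pool_name):
    """Physical domain tied to the pool; every EPG attaches to this one domain."""
    return {"physDomP": {
        "attributes": {"dn": f"uni/phys-{name}", "name": name},
        "children": [{"infraRsVlanNs": {"attributes": {
            "tDn": f"uni/infra/vlanns-[{pool_name}]-static"}}}]}}


def static_path(port, vlan, mode):
    """Static port binding. mode 'native' = Access (802.1p) for the untagged host,
    mode 'regular' = Trunk, i.e. tagged with the encap toward the NX-OS switch."""
    return {"fvRsPathAtt": {"attributes": {
        "tDn": f"{LEAF_PATHS}/pathep-[{port}]",
        "encap": f"vlan-{vlan}", "mode": mode}}}


def epg(name, bd, domain, server_port, trunk_port, vlan):
    """One EPG: the server port and the trunk port get the same encap."""
    return {"fvAEPg": {"attributes": {"name": name}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},          # assumed BD name
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{domain}"}}},
        static_path(server_port, vlan, "native"),
        static_path(trunk_port, vlan, "regular"),
    ]}}


def build(tenant="demo", ap="baremetal", domain="bm-phys", pool="bm-pool"):
    """Three EPGs mirroring access VLANs 5, 6, 7 on e1/1-e1/3 and the trunk on e1/4."""
    plan = [("srv-vlan5", "eth1/1", 5), ("srv-vlan6", "eth1/2", 6), ("srv-vlan7", "eth1/3", 7)]
    epgs = [epg(n, f"bd-{v}", domain, port, "eth1/4", v) for n, port, v in plan]
    return {
        "infra": [vlan_pool(pool, 5, 7), physical_domain(domain, pool)],
        "tenant": {"fvTenant": {"attributes": {"name": tenant}, "children": [
            {"fvAp": {"attributes": {"name": ap}, "children": epgs}}]}},
    }


def _paths(cfg):
    """Yield (epg_name, port, encap, mode) for every static path in the tenant payload."""
    ap = cfg["tenant"]["fvTenant"]["children"][0]["fvAp"]
    for child in ap["children"]:
        e = child["fvAEPg"]
        for c in e["children"]:
            if "fvRsPathAtt" in c:
                a = c["fvRsPathAtt"]["attributes"]
                port = a["tDn"].split("pathep-[")[1].rstrip("]")
                yield e["attributes"]["name"], port, a["encap"], a["mode"]


def port_encaps(cfg, port):
    """Encaps deployed on one leaf interface across all EPGs (sorted)."""
    return sorted(enc for _, p, enc, _ in _paths(cfg) if p == port)


def check_design(cfg):
    """Sanity checks before pushing: each EPG uses one encap on all of its paths,
    and no interface carries more than one 802.1p (native) EPG."""
    per_epg, native_per_port = {}, {}
    for name, port, enc, mode in _paths(cfg):
        per_epg.setdefault(name, set()).add(enc)
        if mode == "native":
            native_per_port[port] = native_per_port.get(port, 0) + 1
    return (all(len(s) == 1 for s in per_epg.values())
            and all(n == 1 for n in native_per_port.values()))


if __name__ == "__main__":
    cfg = build()
    print("design ok:", check_design(cfg))
    print(json.dumps(cfg["tenant"], indent=1))  # would be POSTed to https://<apic>/api/mo/uni.json
```

The payload encodes the point of the final reply: an EPG has one encap, and both of its static paths carry it. On eth1/4 that encap is the 802.1Q tag the NX-OS trunk sees, so it has to be the real VLAN (5, 6 or 7), and the same value in 802.1p mode on the server port is what classifies the untagged frames into that EPG. The check_design helper also flags a port that ends up with more than one 802.1p EPG, since only one untagged or native EPG can be bound to a given interface.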
