Regarding ACI Anywhere, especially ACI in AWS/Azure, is there still a higher MTU requirement on the ISN between AWS/Azure and on-prem? If so, what is the required MTU?
With ACI v4.0, the L3Out can do host specific route advertisement. So is there still a need to use GOLF anymore?
Hi @m1xed0s,
Yes. As long as ACI Anywhere still uses VXLAN encapsulation (and optionally IPSec or CloudSec on top of it), the requirement of "tenant traffic MTU + 100B" is still required.
If using the Internet as the ISN, you need to set the servers' MTU to <1400B.
Another option is to rely on the IPSec/CSR devices to fragment (because ACI does not).
If using a Direct Connect solution, it may support MTU of 9100B.
Right, the complexity of GOLF is not needed anymore in 4.x (unless there is a very specific requirement).
So just use ACI in AWS as the example and the transport between on-prem and AWS is the Internet with IPSec tunnel:
1. All the servers on-prem and in AWS would have to be tweaked to use 1400 MTU in order to communicate with each other (including migration)? That sounds like a lot of work as a "workaround"... Plus this potentially also affects the on-prem/AWS inter-server and client-server communication, right?
2. If the servers cannot be modified to use 1400 MTU OR the customer is not willing to do so, the IPSec tunnel termination points (assuming ASR on-prem and CSR in AWS) would need to do fragmentation, right? If so, what would be the performance impact?
Lastly, what would be the specific use case/requirement for using GOLF instead of the L3Out with host specific advertisement?
Hi @m1xed0s,
2. Right, but you may have other mechanisms available to avoid fragmentation (Path MTU discovery, TCP adjust MSS, ...). But please note that this constraint is not specific to ACI Anywhere but to any tunneling technology over the Internet!
A very specific use case for GOLF instead of v4.x Host Advertisement could be scaling up to thousands of VRFs, but you'd better use Host Advertisement in 99% of cases.
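A small calculator for the MTU budget discussed in this thread (the "tenant MTU + 100B" rule of thumb, and the TCP MSS clamping mentioned as an alternative to letting the tunnel endpoints fragment). This is an added example, not Cisco code or anything posted in the original thread; the host names and MTUs are constructed, and the optional extra-overhead parameter is an assumption for cases where the 100B budget does not already cover the tunnel stack.

```python
"""Worked MTU budget for an ACI Anywhere ISN (added example, not from the thread).

The thread's rule of thumb is that the ISN must carry "tenant MTU + 100 B"
because of the VXLAN encapsulation; the 100 B figure is taken here to already
include the optional IPSec/CloudSec layer. Any further per-hop overhead
(assumption, not from the thread) can be passed in explicitly.
"""

# Rule of thumb quoted in the thread: ISN MTU >= tenant MTU + 100 bytes.
ACI_ENCAP_OVERHEAD = 100
# IPv4 (20 B) + TCP (20 B) headers without options, used for MSS clamping.
IPV4_TCP_HEADERS = 40


def max_tenant_mtu(isn_mtu: int, extra_overhead: int = 0) -> int:
    """Largest tenant (server) MTU that crosses the ISN without fragmentation."""
    return isn_mtu - ACI_ENCAP_OVERHEAD - extra_overhead


def required_isn_mtu(tenant_mtu: int, extra_overhead: int = 0) -> int:
    """ISN MTU needed so that tenant frames of tenant_mtu are never fragmented."""
    return tenant_mtu + ACI_ENCAP_OVERHEAD + extra_overhead


def recommended_tcp_mss(tenant_mtu: int) -> int:
    """TCP MSS (IPv4) to clamp on the tunnel endpoints for a given tenant MTU."""
    return tenant_mtu - IPV4_TCP_HEADERS


def audit_hosts(host_mtus: dict, isn_mtu: int, extra_overhead: int = 0) -> dict:
    """Return the hosts whose MTU is too large for the ISN (their frames would
    have to be fragmented by the tunnel endpoints, since ACI itself does not
    fragment), mapped to the MTU they should be lowered to."""
    limit = max_tenant_mtu(isn_mtu, extra_overhead)
    return {host: limit for host, mtu in host_mtus.items() if mtu > limit}


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical host names and MTUs.
    hosts = {"onprem-web01": 1500, "onprem-db01": 1400, "aws-app01": 9001}
    for isn_mtu, label in ((1500, "Internet + IPSec"), (9100, "Direct Connect")):
        limit = max_tenant_mtu(isn_mtu)
        print(f"{label}: max tenant MTU {limit}, "
              f"MSS clamp {recommended_tcp_mss(limit)}, "
              f"hosts to adjust: {audit_hosts(hosts, isn_mtu)}")
```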
Thanks. Even with Path MTU discovery or a similar feature, that would be a feature on the VPN termination points, not an ACI function, right?