Subnet on EPG and/or BD for Co-existence of Network-centric and application-centric mode

clement_cheung
Level 1

Hi experts


I have an ACI fabric currently designed based on network-centric mode that needs inter-VRF route leaking. Therefore there is a one-to-one mapping among subnet, EPG and BD, and the subnet is defined under the EPG rather than the BD. This design is aimed at ease of migration of endpoints from the classical network to ACI.


I however foresee that after migration, we may need to 'rewire' some migrated endpoints, without changing IP addresses, to a new EPG which acts as an Application Component Group so that special contracts can be applied for micro-segmentation.


How to do that? Where should the subnets be placed: EPG and/or BD?


Regards

18 Replies

Clement,

The consumer leaf will have a pervasive route for the provider BD installed (nexthop = Spine IPv4 proxy) due to the route leaking. If the provider endpoint isn't learned on the consumer leaf, then it will simply punt the packet to spines with some specific values in the outer iVXLAN header. The sclass of the consumer EPG will be included and the VRF VNID of the provider will be marked too. Spines will do an IPv4 lookup for the destination IP within the provider VRF (due to the VNID in the outer iVXLAN header) and handle the packet appropriately. Once the destination leaf (provider leaf) receives the packet, it will use the sclass in the outer iVXLAN header to determine the source EPG. The destination class is derived from the locally learned endpoint information. From there the destination leaf should be able to apply policy.

-JW

Thanks for the explanation!

Exactly!!!

But if this is the case, why do I need the provider EPG to necessarily have the subnet defined as its child? Why can't the subnet be defined under the bridge domain to which the provider EPG is associated? If everything is based on conversational learning, then it should work. You filter packets based on contracts on ingress leafs when you can and already know the destination EPG; otherwise the work will be done on the egress leaf (using spine proxy).
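The forwarding and policy-enforcement flow JW describes above, and the ingress-versus-egress enforcement point Clement raises in this reply, modelled as a small Python simulation. This is an added example, not code from the original thread or from Cisco; it mimics the behaviour in software (pervasive route with spine-proxy next hop, consumer sclass and provider VRF VNID stamped into the outer header, policy applied on the egress leaf until the endpoint is learned by conversation). All leaf names, VNIDs, sclass values, IP addresses and the contract table are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SPINE_PROXY = "spine-proxy"  # next hop for leaked/pervasive routes


@dataclass
class Endpoint:
    ip: str
    epg: str
    sclass: int    # class id (pcTag) of the EPG
    vrf_vnid: int  # VRF the endpoint belongs to


@dataclass
class Packet:
    dst_ip: str
    src_sclass: int          # source EPG class carried in the outer header
    vrf_vnid: int            # VRF VNID the next hop must use for its lookup
    policy_applied: bool = False


@dataclass
class Leaf:
    name: str
    local_eps: dict = field(default_factory=dict)   # ip -> Endpoint
    remote_eps: dict = field(default_factory=dict)  # ip -> (Endpoint, leaf name)
    # (vrf_vnid, network) -> (next hop, VRF VNID to stamp into the outer header)
    pervasive: dict = field(default_factory=dict)


# constructed contract table: (consumer sclass, provider sclass) -> permit
CONTRACTS = {(49153, 32770): True}


def policy_permits(src_sclass, dst_sclass):
    return CONTRACTS.get((src_sclass, dst_sclass), False)


def ingress_forward(leaf, src, dst_ip):
    """Consumer (ingress) leaf decision: returns (next hop, packet)."""
    if dst_ip in leaf.remote_eps:
        # destination class already known by conversational learning:
        # apply the contract here and mark the packet as policy-applied
        dst, dst_leaf = leaf.remote_eps[dst_ip]
        if not policy_permits(src.sclass, dst.sclass):
            return "drop", None
        return dst_leaf, Packet(dst_ip, src.sclass, dst.vrf_vnid, policy_applied=True)
    # unknown endpoint: longest-prefix match on pervasive routes in the source VRF
    best = None
    for (vnid, net), (nh, target_vnid) in leaf.pervasive.items():
        if vnid == src.vrf_vnid and ip_address(dst_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh, target_vnid)
    if best is None:
        return "drop", None
    _, nh, target_vnid = best
    # leaked route: punt to the spine proxy carrying the consumer sclass
    # and the provider VRF VNID; no policy applied yet
    return nh, Packet(dst_ip, src.sclass, target_vnid)


def spine_proxy(coop, pkt):
    """Spine resolves the destination in the VRF named by the outer header."""
    return coop.get((pkt.vrf_vnid, pkt.dst_ip), "drop")


def egress_apply(leaf, pkt):
    """Provider (egress) leaf: source class from the header, destination class
    from the locally learned endpoint."""
    dst = leaf.local_eps.get(pkt.dst_ip)
    if dst is None:
        return "drop"
    if pkt.policy_applied:
        return "deliver"
    return "deliver" if policy_permits(pkt.src_sclass, dst.sclass) else "drop"


def learn(leaf, ep, at_leaf):
    """Conversational learning of a remote endpoint on a leaf."""
    leaf.remote_eps[ep.ip] = (ep, at_leaf)


def send(fabric, coop, src_leaf_name, src_ip, dst_ip):
    """Run one packet through the model; report where policy was enforced."""
    leaf = fabric[src_leaf_name]
    src = leaf.local_eps[src_ip]
    nh, pkt = ingress_forward(leaf, src, dst_ip)
    if nh == "drop":
        return {"result": "drop", "policy_at": src_leaf_name}
    if nh == SPINE_PROXY:
        nh = spine_proxy(coop, pkt)
        if nh == "drop":
            return {"result": "drop", "policy_at": "spine"}
    result = egress_apply(fabric[nh], pkt)
    return {"result": result, "policy_at": src_leaf_name if pkt.policy_applied else nh}


def build_fabric():
    """Constructed two-leaf fabric: web/app in the consumer VRF, db in the provider VRF."""
    web = Endpoint("10.1.1.10", "web", 49153, 2000001)
    app = Endpoint("10.1.1.30", "app", 49154, 2000001)  # no contract with db
    db = Endpoint("10.2.2.20", "db", 32770, 2000002)
    leaf1 = Leaf("leaf1", local_eps={web.ip: web, app.ip: app})
    # provider subnet leaked into the consumer VRF, next hop spine proxy
    leaf1.pervasive[(2000001, ip_network("10.2.2.0/24"))] = (SPINE_PROXY, 2000002)
    leaf2 = Leaf("leaf2", local_eps={db.ip: db})
    coop = {(2000001, web.ip): "leaf1", (2000001, app.ip): "leaf1", (2000002, db.ip): "leaf2"}
    return {"leaf1": leaf1, "leaf2": leaf2}, coop


if __name__ == "__main__":
    fabric, coop = build_fabric()
    print(send(fabric, coop, "leaf1", "10.1.1.10", "10.2.2.20"))  # policy at leaf2
    learn(fabric["leaf1"], fabric["leaf2"].local_eps["10.2.2.20"], "leaf2")
    print(send(fabric, coop, "leaf1", "10.1.1.10", "10.2.2.20"))  # policy at leaf1
```

The first call shows the unknown-destination case: the consumer leaf cannot derive the destination class, so it stamps only its own sclass and the provider VRF VNID and lets the provider leaf enforce the contract. After the remote endpoint is learned, the same flow is filtered on the ingress leaf. The model does not decide the thread's actual question (EPG versus BD subnet placement); it only makes explicit which leaf needs which piece of information to enforce policy.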

