Tag VLANs on both Phy domain and L2Out vPCs at the same time?

m1xed0s (Spotlight)

I have a small lab running 4.2(1j) and I am trying to mock up an upcoming customer setup. Diagram is attached below for reference.

I have the access policies, EPG, VRF, BD, L2Out, Phy domains etc. all set up, but the issue I have is that VLAN tagging is not happening unless I have the L2Out vPC path added as a static port under the EPG... For example, in reference to the diagram, VLAN 16 would not be shown as an active VLAN for the L2Out vPC on Leaf101 even though I configured External Bridged Networks. VLAN 16 would be included as an active VLAN once I added the L2Out vPC to the static ports under the EPG. I do have static bindings for the Phy domain vPC paths though.


If I remember correctly, if I use Routed Bridge Network for L2Out, I do not need to create the static binding under the EPG... Am I wrong or missing some configuration?

OR simply this kinda setup is not supported by ACI...? If so, why? Is it some kinda hardware limitation? (Like the case that a single leaf cannot be used for both tagging and untagging VLANs at the same time?)

Phy domain and L2Out.jpg

Accepted Solution

Here is the reason for my issue (might be yours as well...):

In Cisco ACI, with the default configuration (global), EPGs can use the same VLAN encapsulation as long as EPGs are bound to separate switches. This allows tenants to re-use VLAN encapsulation IDs through the fabric without allowing communication between tenants. However, global configuration assumes that tenants do not share leaf switches and therefore there is no VLAN overlapping within the same leaf.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0110.html

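As an added illustration (not from the thread, and not a Cisco or APIC API), here is a constructed Python check that models the rule quoted in the accepted solution: under the default global VLAN scope, one encapsulation VLAN can belong to only one construct per leaf, so an EPG static port and an L2Out external bridged network that both use VLAN 16 on Leaf101 collide. The leaf names, vPC paths and construct names are made-up stand-ins for the lab in the diagram, and the "portlocal" branch goes beyond the thread by modelling the per-port VLAN scope, where the same encap only collides on the same interface.

```python
"""Pre-deployment check: flag VLAN encapsulations that two different ACI
constructs (an EPG static port and an L2Out) claim on the same leaf.
Constructed model of the rule, not an APIC query."""
from collections import defaultdict

# Constructed bindings mirroring the thread's lab: the EPG is bound to the
# UCS vPC and the L2Out to the external-switch vPC, both on Leaf101/Leaf102.
# Each binding: (leaf, path, encap_vlan, construct)
LAB_BINDINGS = [
    ("Leaf101", "vPC-UCS-A", 16, "EPG:VLAN16-EPG"),
    ("Leaf102", "vPC-UCS-A", 16, "EPG:VLAN16-EPG"),
    ("Leaf101", "vPC-ExtSW", 16, "L2Out:ExtSwitch"),
    ("Leaf102", "vPC-ExtSW", 16, "L2Out:ExtSwitch"),
    ("Leaf101", "vPC-UCS-A", 20, "EPG:VLAN20-EPG"),
]


def encap_conflicts(bindings, vlan_scope="global"):
    """Return a sorted list of (leaf, vlan, constructs) that collide.

    vlan_scope="global":    default ACI behaviour, one encap VLAN maps to a
                            single construct per leaf, whatever the interface.
    vlan_scope="portlocal": encap is significant per port, so two constructs
                            collide only on the same leaf *and* the same path
                            (simplified; real port-local scope has further
                            restrictions such as separate bridge domains).
    """
    if vlan_scope not in ("global", "portlocal"):
        raise ValueError(f"unknown VLAN scope {vlan_scope!r}")
    owners = defaultdict(set)
    for leaf, path, vlan, construct in bindings:
        key = (leaf, vlan) if vlan_scope == "global" else (leaf, path, vlan)
        owners[key].add(construct)
    # key[-1] is the VLAN for both key shapes; keep only multi-owner keys.
    return sorted(
        (key[0], key[-1], tuple(sorted(owners_set)))
        for key, owners_set in owners.items()
        if len(owners_set) > 1
    )


if __name__ == "__main__":
    for leaf, vlan, constructs in encap_conflicts(LAB_BINDINGS):
        print(f"{leaf}: VLAN {vlan} claimed by {' and '.join(constructs)}")
```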

8 Replies

Claudia de Luna (Spotlight)

Hi @m1xed0s 


If I understand your question correctly, I know this is not a problem in the Classical Ethernet world, but in the ACI world what you want to do whenever you even think you might want to trunk a VLAN as well as have it "Untagged" on another interface is to always use Access (802.1P) and never use Untagged. Based on your diagram you have this in your Static Path Binding (now Static Ports) for VLAN16-EPG.

Basically in ACI you can't have the same VLAN tagged (encapsulated) and untagged on the same leaf. You can manipulate that by using a different number in the encapsulation, but that tends to be very confusing, particularly in a network-centric environment.

The option below gets around that by encapsulating everything even the "access" port to your external switch but think of that "encapsulation" as setting the native vlan.


Let me know if I didn't understand the question correctly.

2019-10-26_12-11-51.jpg
EXAMPLE FABRIC ACCESS
FBRICX-2019-10-26_12-21-46.jpg

I might not have stated my case clearly... I am aware of the restriction/limitation of ACI that one leaf cannot do VLAN tagging and untagging at the same time. In my case all the vPC paths are trunks for VLANs.

What I am trying to figure out is how an L2Out and a Phy domain co-exist in ACI but connect to an external switch and UCS respectively... Both would need to tag the same VLANs.

I could treat both connections as Phy domains and do the static ports, which would work... but I prefer to have the switch connection as an L2Out.

So as I stated in the post, even though I configured the switch connection as an L2Out, the VLAN tagging is not happening until I add the connection as a static port...

Good evening,

For your L2Out, do you have the contract defined as well?

If I remember correctly that would be the main difference between the L2Out and using static paths.

Hope it helps

Yes, vzAny.

But even if I did not configure a contract, it should not affect VLAN tagging...

Hi @m1xed0s 
Got it.  Sorry I missed that. Doubly so because I had exactly the same issue with an L3Out so while I have not tried your scenario with an L2Out, I have with an L3Out. In my case the client design was "vlan16" out to vPCs and trying to trunk "vlan 16" on an L3Out SVI.

At the end of the day, my understanding is that ACI cannot support this with the same encapsulation because it must be able to differentiate those two constructs.   In addition, in my case, from TAC "the Policy model of ACI doesn’t allow RP adjacencies between a normal EPG and L3Outs" and I suspect it may be a similar issue with L2Outs.

Thanks, I do suspect the issue is either a bug or not supported...But would check with Cisco TSA this week.


Hi @Claudia de Luna,

Apologies for replying to an old discussion, but does this still hold true with the whole fabric being Gen 2 leaves?

The document says that it's now possible to assign a port in EPG1 as Trunk, then another port (on the same leaf) in EPG1 as Access (Untagged).

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/aci-fundamentals/Cisco-ACI-Fundamentals-42x/Cisco-ACI-Fundamentals-41X_chapter_011.html#concept_450C8C73C1DE4A4EAF6390E862BD9952
