Tenant Limitation to 500 EPG - Migration Option

hamed1900 (Level 1)

Hi All,

I need to migrate a customer to ACI with a couple of thousand VLANs. Normally I assign one subnet to one bridge domain and then one EPG. In that case, as there is a limitation of 500 EPGs per tenant, I think I have two options:

- Create one tenant. Within the tenant, I would assign multiple subnets to one bridge domain and that bridge domain to one EPG.

Question: There would be ARP broadcasts within the BD, which could impact multiple subnets. I would be able to reduce this by setting the BD to hardware proxy instead of L2 flooding, right?

- Second option: create multiple tenants.

What would be the best in terms of manageability and performance?
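The second option (several tenants, one subnet per BD, one BD per EPG) is easy to get wrong at a couple of thousand VLANs because the 500-EPG limit has to be respected per tenant while the BD knobs stay consistent across all of them. The following planner is an added example, not code from the thread or from Cisco: it chunks a subnet list into tenants that never exceed the limit, emits an APIC-style JSON tree per tenant, and counts EPGs before anything is pushed. The object and attribute names (fvTenant, fvCtx, fvBD, fvSubnet, fvAp, fvAEPg, fvRsCtx, fvRsBd, arpFlood, unicastRoute, unkMacUcastAct) follow the APIC object model as assumed here and should be verified against your APIC version; the VRF, application-profile and tenant names and the 10.0.0.0/8 sample subnets are constructed.

```python
"""Plan an ACI migration that keeps every tenant under the 500-EPG limit.

Constructed example (not Cisco's code): one subnet -> one BD -> one EPG,
split across as many tenants as the limit requires, emitted as an
APIC-style JSON tree. Object/attribute names are assumed from the APIC
object model; verify them against your APIC version before posting.
"""
import ipaddress
import itertools
import json

MAX_EPGS_PER_TENANT = 500          # limit stated in the thread
VRF_NAME = "MIGRATION-VRF"         # assumed names for the example
APP_PROFILE = "MIGRATION-AP"


def split_into_tenants(subnets, prefix="CUST", limit=MAX_EPGS_PER_TENANT):
    """Chunk the subnet list so no tenant carries more than `limit` EPGs."""
    chunks = [subnets[i:i + limit] for i in range(0, len(subnets), limit)]
    return [(f"{prefix}-{n:02d}", chunk) for n, chunk in enumerate(chunks, start=1)]


def bridge_domain(name, network):
    """BD with hardware proxy and ARP flooding off. Unicast routing stays on
    because the proxy resolves by IP only when IP routing is enabled in the BD."""
    gateway = f"{network[1]}/{network.prefixlen}"   # first host as the BD gateway
    return {"fvBD": {
        "attributes": {"name": name, "arpFlood": "no",
                       "unicastRoute": "yes", "unkMacUcastAct": "proxy"},
        "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": VRF_NAME}}},
            {"fvSubnet": {"attributes": {"ip": gateway, "scope": "private"}}},
        ]}}


def epg(name, bd_name):
    """EPG bound to exactly one BD via fvRsBd."""
    return {"fvAEPg": {"attributes": {"name": name},
                       "children": [{"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}}]}}


def tenant_payload(tenant_name, subnets):
    """Build one fvTenant tree with a BD and an EPG per subnet."""
    if len(subnets) > MAX_EPGS_PER_TENANT:
        raise ValueError(f"{tenant_name}: {len(subnets)} EPGs exceeds {MAX_EPGS_PER_TENANT}")
    bds, epgs = [], []
    for net in subnets:
        bd_name = "BD-" + str(net.network_address).replace(".", "-")
        bds.append(bridge_domain(bd_name, net))
        epgs.append(epg("EPG-" + bd_name[3:], bd_name))
    return {"fvTenant": {"attributes": {"name": tenant_name},
                         "children": [{"fvCtx": {"attributes": {"name": VRF_NAME}}},
                                      *bds,
                                      {"fvAp": {"attributes": {"name": APP_PROFILE},
                                                "children": epgs}}]}}


def count_epgs(payload):
    """Count fvAEPg objects in a tenant tree (a pre-push sanity check)."""
    ap = next(c["fvAp"] for c in payload["fvTenant"]["children"] if "fvAp" in c)
    return sum(1 for c in ap["children"] if "fvAEPg" in c)


def build_plan(subnets):
    """Tenant name -> APIC payload, for the whole migration."""
    return {name: tenant_payload(name, chunk) for name, chunk in split_into_tenants(subnets)}


# Constructed input: the first 1200 /24s carved from 10.0.0.0/8.
SAMPLE_SUBNETS = list(itertools.islice(
    ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24), 1200))

if __name__ == "__main__":
    plan = build_plan(SAMPLE_SUBNETS)
    for name, tree in plan.items():
        print(name, count_epgs(tree), "EPGs")
    # Show one generated BD so the knobs can be eyeballed before pushing.
    print(json.dumps(plan["CUST-03"]["fvTenant"]["children"][1], indent=2))
```

With 1200 sample subnets the planner produces three tenants (500, 500 and 200 EPGs); `count_epgs` is the check to run on each payload before it goes anywhere near the APIC, and `tenant_payload` refuses to build a tenant that would breach the limit.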

Accepted Solution

micgarc2 (Cisco Employee)

Hello,

This is kind of up to you as far as the design of your bridge domains. Yes, we do constrain 500 EPGs per tenant, so splitting up your tenants could definitely alleviate some of the load on one specific tenant.

Bridge domains can have multiple subnets. It is normally a better practice to stick to one subnet per BD. A good scenario for having multiple subnets would be if you have an EPG (let's say a Web EPG, for example) that has multiple VLANs/subnets, so you are not constrained to just having a single subnet for your Web EPG.

As far as how broadcasts are handled in the BD: if you enable hardware proxy in the BD, the ingress leaf will do a local lookup to see if it has information about where the destination IP's TEP is. If so, it will unicast the packet to the destination TEP, therefore preventing the need to flood the packet in the fabric. If the destination is not known, it will send the packet to the hardware proxy (spine), which has a full table of EP IPs and where they live. If the hardware proxy has this EP information it will unicast the packet. If it does not know the IP it will drop the packet. *Note: You must have IP routing enabled in the BD.*

By disabling ARP flooding in the BD you will be able to have more efficient forwarding, as ARP/GARP is forwarded as a unicast packet within the fabric.

Let me know if this answers your question.

Thanks,

Michael G.
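The lookup chain in the answer (ingress leaf table, then the spine hardware proxy, then drop) and the note that IP routing must be on are the two things to get right before trusting a BD for ARP suppression. The model below is an added teaching example, not Cisco code and not how the ASIC is implemented: it reduces ACI to exactly the steps the answer lists, with constructed leaf endpoint tables, a constructed spine proxy table and made-up TEP names, and it includes the prerequisite check a reviewer would run over BD settings so that a BD with ARP flooding off and IP routing off is flagged instead of silently dropping ARP.

```python
"""Model of the ARP lookup chain described in the answer:
leaf local table -> spine hardware proxy -> drop, gated by the
ARP-flood and IP-routing knobs of the bridge domain.

Constructed teaching model, not Cisco code. Endpoint tables and TEP
addresses are made up; the behaviour is only the steps the answer lists.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeDomain:
    name: str
    arp_flood: bool        # arpFlood knob: True = legacy L2 flooding
    unicast_route: bool    # unicastRoute knob: IP routing in the BD


def bd_prerequisite_errors(bd):
    """Settings that contradict the note in the answer: ARP suppression
    (flooding off) relies on an IP lookup, so IP routing must be enabled."""
    errors = []
    if not bd.arp_flood and not bd.unicast_route:
        errors.append(f"{bd.name}: ARP flooding disabled but IP routing is off")
    return errors


def resolve_arp(bd, ingress_leaf, leaf_tables, spine_proxy, target_ip):
    """Return (action, tep) for an ARP request for `target_ip` entering the BD
    on `ingress_leaf`. leaf_tables maps leaf -> {ip: tep}; spine_proxy is the
    proxy's full ip -> tep table."""
    errors = bd_prerequisite_errors(bd)
    if errors:
        raise ValueError("; ".join(errors))
    if bd.arp_flood:
        return ("flood", None)                      # flooded throughout the BD
    local = leaf_tables.get(ingress_leaf, {})
    if target_ip in local:
        return ("unicast-local", local[target_ip])  # leaf already knows the TEP
    if target_ip in spine_proxy:
        return ("unicast-proxy", spine_proxy[target_ip])  # spine proxy resolves it
    return ("drop", None)                           # unknown to the proxy: dropped


# Constructed tables: per-leaf endpoint tables (ip -> tep) and the spine proxy.
LEAF_TABLES = {
    "leaf-101": {"10.1.1.10": "TEP-101", "10.1.1.20": "TEP-102"},
    "leaf-102": {"10.1.1.20": "TEP-102"},
}
SPINE_PROXY = {"10.1.1.10": "TEP-101", "10.1.1.20": "TEP-102", "10.1.1.30": "TEP-103"}

PROXY_BD = BridgeDomain("BD-10-1-1-0", arp_flood=False, unicast_route=True)
FLOOD_BD = BridgeDomain("BD-legacy", arp_flood=True, unicast_route=False)
BROKEN_BD = BridgeDomain("BD-misconfigured", arp_flood=False, unicast_route=False)

if __name__ == "__main__":
    for ip in ("10.1.1.20", "10.1.1.30", "10.1.1.99"):
        print(PROXY_BD.name, ip, resolve_arp(PROXY_BD, "leaf-102", LEAF_TABLES, SPINE_PROXY, ip))
    print(FLOOD_BD.name, resolve_arp(FLOOD_BD, "leaf-102", LEAF_TABLES, SPINE_PROXY, "10.1.1.99"))
    print(bd_prerequisite_errors(BROKEN_BD))
```

Run from leaf-102, the three sample targets hit each branch in turn: 10.1.1.20 is known locally, 10.1.1.30 is resolved by the spine proxy, and 10.1.1.99 is unknown everywhere and dropped rather than flooded. The same unknown target in the legacy BD is flooded, which is the behaviour the question wants to avoid; the misconfigured BD is rejected by the prerequisite check before any forwarding decision is modelled.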

1 Reply (the accepted solution reproduced above)