The reason for this post is that I am confused by Cisco documents regarding the architecture of the transport network between the ACI on-prem DC and ACI Cloud in AWS. Let me explain:
1. The description is very brief, but the diagram clearly shows that either the IPSec tunnel OR the DirectConnect transport should be connected to the spine switch in the on-prem DC. I understand this connection between the spine and the customer routing device would be configured as an L3Out.
2. From CiscoLive session PSODCN-2557, slide #28, it shows the transport connected to the border leaf as an L3Out, specifically for the DirectConnect option... https://www.ciscolive.com/global/on-demand-library.html?search.event=ciscoliveus2019&search.event=ciscoliveanz2019&search.event=ciscolivelatam2019&search.event=ciscoliveemea2019&search=PSODCN-2557#/session/1552944518476001XKHw
3. The same inconsistency continues in CiscoLive session BRKACI-2690, slides #46-47: https://www.ciscolive.com/global/on-demand-library.html?search.event=ciscoliveus2019&search.event=ciscoliveanz2019&search.event=ciscolivelatam2019&search.event=ciscoliveemea2019&search=BRKACI-2690#/session/1542224297262001rxGz
I just hope someone can provide a clear answer regarding the architecture of the connection of the transport (IPSec or DX) in the on-prem DC to AWS... Not looking for how to configure it.
I can reply to the IPSEC part...but I struggle to see why DX would be any different. I will claim that I have never used DX, so be gentle if there is something special about it that I am unaware of.
It helps to look at Cloud APIC as another type of site in a multisite design (b/c it is a site). With that in mind, we know that for multisite to work, the spines need to set up some kind of control plane relationship with something in the cloud...in this case the CSR1Kvs in AWS. So for IPSEC access to AWS, you would always have your path via the spines for CP and for DP.
While I have not dug deeper than a cursory glance at it, I don't think DX would be any different. This is to say the spines set up OSPF to some WAN device you control (your ISN). That WAN device has some way to reach AWS (using IPSEC or DX, they are just paths). Once OSPF is up on the spine-to-ISN link, the spines will set up MP-BGP to the CSR1Kv pair you spun up in AWS in your infra VPC.
The thing that throws me (and probably you too) is the slides you reference specifically call out "border leaf". My understanding of multisite says that cannot work. We need the spines to translate things like VNIDs and S-Class. So, maybe we dare to call that a "marketing slide" and not how you actually do it? I will ask some of my colleagues on Monday for clarity and try to add it here.
Thanks, I think we are on the same page regarding the confusion... Please let me know if you get any further clarification internally.
Ok, I asked a Distinguished Engineer, so the source is solid. In either case, you must always go via the spines, just as we thought. The slide is wrong. We will ask them to fix it. Thanks for being specific about the CLIVE decks. It helps.