Hi @Yong Peng ,
The use of the word Domain in ACI is very confusing. ACI has:
- Bridge Domains
- Security Domains
- Physical Domains
- External Routed Domains
- External Bridged Domains
- Virtual Machine Management Domains
- Fibre Channel Domains
- ...and a couple more that I haven't mentioned
The three that I have highlighted in red are very similar, but there is no real relationship between Bridge Domains and Physical/External Bridged Domains/External Routed Domains.
But back to your mention of PVLANs - if you are looking for the equivalent of a Private VLAN then you should look at the Intra EPG Isolation option within an EPG - but I'm not sure if that's what you are looking for.
So back to the core ACI concepts
Firstly, learn these rules.
- Forget almost everything you have ever learned about VLANs regarding broadcast domains.
- Now think about the 802.1Q tag that is often called called a VLAN tag.
- Cisco uses 802.1Q tags to identify incoming frames into the appropriate End Point Group (EPG)
- More that one 802.1Q tag can be used to identify the same EPG. I.e, frames with 802.1Q tag=10 AND frames with 802.1Q tag=12 might point to the same EPG. A typical case would be where 802.1Q tag=10 is used for say physical Web servers, and 802.1Q tag=12 has been allocated dynamically by the system for Virtual Web servers that are all in the same EPG
- Every EPG is linked to a Bridge Domain.
- Many EPGs can link to the SAME Bridge Domain
- Typically*, default gateway IPs are allocated to the Bridge Domain. This could be ONE IP for many EPGs to share, or many Secondary IP addresses
- This construct means that default gateway IPs are not related to the EPG
- The Bridge Domain is the new equivalent of a broadcast container, but there is some tweaking that can be done here, such as configuring ACI to drop destination unknown MAC frames.
- A common migration strategy is to map each existing VLAN to an EPG, and allocate a new Bridge Domain for every EPG. This strategy is sometimes called Network Centric design. You can read more about Network Centric design in the answer I gave this post.
Now Bridge Domains and EPGs are defined within the tenant object, and form part of the logical design. Somehow you have to tie the logical design to the physical switch ports.
This is where the Physical/External Bridged Domains/External Routed and VMM Domains come in.
These Domains are part of what I call the Access Policy Chain (Google it), and are linked to a Pool of VLAN IDs and to a set of physical ports.
Every EPG needs to be linked to at least one Physical and/or VMM Domain. That link between the EPG and the Physical/VMM Domain defined which VLANs and Ports can be used for that EPG.
There are some good ACI Tutorials that might help - I suggest you google search Cisco ACI Tutorial. You will probably find some I wrote, and some by Adam Raffe that are good, and possbily others.
* Default gateway IPs are typicall allocated to Bridge Domains but can also be asigned to EPGs - Assigning IPs to EPGs is not as flexible but necessary if the EPG needs to provide services to another Tenant. It's OK to have IPs assigned to both Bridge Domains and EPGs - even the same IP if you wish.
I hope this helps
Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem
RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
