7388 Views · 5 Helpful · 4 Replies

Using different Physical Domains between EPG and Interface Policy Group?

swapnendum
Level 1

Is it OK to use different Physical Domains between the EPG and the Interface Policy Group?

Use case:

A Blade Enclosure has multiple blade servers (bare metals).

Uplinks are configured as VPC on ACI.

Uplinks will allow all VLANs except the infra VLAN (e.g. 1-28, 30-4094).

EPGs will have only a subset of VLANs, e.g. EPG-A will have 10, 11, 12; EPG-B will have 20, 21, 22.

For the above use case, different Physical Domains will be created. On the AEP, all VLANs will be allowed and linked to the VPC, while the EPG will only allow a subset of VLANs, linked via Physical Domain and Static Path Binding.

Is this allowed?

We can see some Faults related to VLANs on EPG.


4 Replies

Jason Williams
Level 1

Multiple Encap VLANs can be configured under 1 EPG; however, there is a mapping of 1 VLAN to many ports under the same EPG. Each new VLAN (under the same EPG) will need to be trunked on a different interface. The only way to add multiple VLANs to the same physical interface is to configure a new EPG for each VLAN.

This sounds like your fabric has raised fault code F0467. It's a good idea to verify the EPG and access policy configuration when observing this fault.

Checking EPG

Physical domains: Verify that the appropriate domains are associated to the EPG. The physical domain must map to the VLAN pool which contains the VLAN you would like to trunk.

Encap VLAN usage: Verify that the Encap VLAN is not used across multiple EPGs.

Checking access policies

Map physical domain to interface policies: Check the VLAN pool <> Physical domain mapping. Check the Physical domain <> Attachable Entity Profile mapping. Make sure that the AEP is mapped to the policy group of your interface(s). This will verify that the VLAN is valid for the interface.

If this does not assist with solving your issue, then would you be able to provide some detail about your lab environment? Sending a screenshot of the fault details would be a good start.

Jason

Thanks, but I couldn't get a clear answer.

In our network:
1. The Firewall is common for tenants, so the vPC connecting to the Firewall has an AEP+Physical Domain that allows all VLANs (2-4094). Let's call it AEP_Trunk.
2. Server uplinks are configured as a VPC with an AEP+Physical Domain allowing VLAN 402-403; let's call it AEP_Server.

If one EPG is created with encapsulation VLAN402 and both Firewall and Server VPCs are linked as Static Paths, which physical domain should we link in this EPG?

To clear all faults (listed below), we changed AEP for all Server uplinks to AEP_Trunk. If we do this, this can pose a security risk as we are allowing all VLANs on the VPC connected to the Server.

What's the best way to restrict VLANs on Server uplinks? Should we create different EPGs for Firewall and Servers, with different VLAN encapsulations?

Some faults (all F0467, severity minor, cause configuration-failed, affected object uni/tn-CA/ap-APP-PROF_01/epg-EPG-VLAN402, description "Configuration failed for uni/tn-CA/ap-APP-PROF_01/epg-EPG-VLAN402 node <node> <path> due to Invalid Path Configuration"):

Node  Path                       Timestamp
504   vPC157_SP1R08C10LPLXHMG02  2016-10-04T23:58:24.329+04:00
503   vPC157_SP1R08C10LPLXHMG02  2016-10-04T23:58:01.021+04:00
503   vPC152_XXXLPLXHMG01        2016-10-04T23:58:01.015+04:00
504   vPC152_XXXLPLXHMG01        2016-10-04T23:57:33.444+04:00
503   vPC151_XXXLPLXMYS03        2016-10-04T23:57:33.421+04:00

"If one EPG is created with encapsulation VLAN402 and both Firewall and Server VPCs are linked as Static Paths, which physical domain should we link in this EPG?"

You could use the same physical domain for all static bindings under the following conditions:

1. The domain must map to a VLAN pool containing VLAN 402

2. The domain must be defined under the AEP(s) mapped to each VPC

"To clear all faults (listed below), we changed AEP for all Server uplinks to AEP_Trunk."

If this is the case, then I would recommend verifying the access policies from Policy Group all the way down to the VLAN Pool. At the bottom of this post is a logical diagram of the static path validity check. If the validity check fails, then we raise fault code F0467.


"If we do this, this can pose a security risk as we are allowing all VLANs on the VPC connected to the Server."

Not necessarily true. Associating the server's access policies to a VLAN pool of Encaps 2 - 4094 does not allow all VLANs to be reachable by the servers. If the physical domain (using VLAN range 2 - 4094) is associated to an EPG, the user still has to create a static binding that specifies which VLAN will be programmed on which interface/VPC.

Example: The VPCs for servers are associated to a VLAN pool (2 - 4094), but you only want to allow VLANs 402 - 403 on those physical links. If you create EPG-VLAN-2 and associate the physical domain tied to the servers, then VLAN 2 will not be programmed onto the server VPC interfaces until you create a static binding mapping the VPC(s) to VLAN-2.


"What’s the best way to restrict vlans on Server uplinks, should we create different EPGs for Firewall and Servers, with different VLAN encapsulations?"

As mentioned in the previous answer, you can still tie them to the same physical domain (VLAN pool), but do not create static bindings to the servers using VLAN IDs outside of 402 - 403.

Typically, the best practice is to map 1 VLAN :: 1 EPG. If multiple VLANs are trunked on the same physical links of an L2 device such as a switch or firewall, then map 1 VLAN :: 1 EPG :: 1 BD, since mapping Many EPG :: 1 BD could potentially lead to MAC flaps.
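The static path validity check and the "wide pool does not mean wide trunk" point from the answer above, as an added example that is not part of the thread and not Cisco's implementation. Domain, AEP and vPC names and the VLAN ranges are constructed to mirror the scenario in this thread.

```python
# Added example (not from the thread or from Cisco): a model of the static-path
# validity check described in the accepted answer. All names are constructed.

def static_path_valid(encap, epg_domains, path_aep, domains, aeps):
    """A static binding is valid when some physical domain is at once
    (1) associated to the EPG, (2) listed under the AEP that the path's
    interface policy group uses, and (3) mapped to a VLAN pool holding encap."""
    for dom in epg_domains:
        if dom not in aeps.get(path_aep, set()):
            continue                       # domain not reachable via this AEP
        if any(lo <= encap <= hi for lo, hi in domains[dom]):
            return True, f"valid via {dom}"
    return False, "F0467 Invalid Path Configuration"


def check_bindings(bindings, epgs, paths, domains, aeps):
    """Evaluate every (epg, path, encap) static binding -> (ok, reason)."""
    return {(epg, path, encap):
            static_path_valid(encap, epgs[epg], paths[path], domains, aeps)
            for epg, path, encap in bindings}


def programmed_vlans(bindings, epgs, paths, domains, aeps):
    """VLANs actually programmed per path: only valid static bindings count,
    however wide the VLAN pool behind the domain is."""
    out = {path: set() for path in paths}
    results = check_bindings(bindings, epgs, paths, domains, aeps)
    for (epg, path, encap), (ok, _) in results.items():
        if ok:
            out[path].add(encap)
    return out


# Constructed access policies: VLAN pool ranges per physical domain, domains
# under each AEP, and the AEP each vPC reaches through its policy group.
DOMAINS = {"PhysDom_Trunk": [(2, 4094)], "PhysDom_Server": [(402, 403)]}
AEPS = {"AEP_Trunk": {"PhysDom_Trunk"}, "AEP_Server": {"PhysDom_Server"}}
PATHS = {"vPC_Firewall": "AEP_Trunk", "vPC_Server": "AEP_Server"}
EPGS = {"EPG-VLAN402": {"PhysDom_Trunk"}}       # domain associated to the EPG
BINDINGS = [("EPG-VLAN402", "vPC_Firewall", 402),
            ("EPG-VLAN402", "vPC_Server", 402)]

if __name__ == "__main__":
    for binding, result in check_bindings(BINDINGS, EPGS, PATHS, DOMAINS, AEPS).items():
        print(binding, result)             # server path raises F0467
    # Condition 2 from the answer: define the EPG's domain under the server AEP.
    fixed = {**AEPS, "AEP_Server": AEPS["AEP_Server"] | {"PhysDom_Trunk"}}
    print(programmed_vlans(BINDINGS, EPGS, PATHS, DOMAINS, fixed))
```

Pointing vPC_Server at AEP_Trunk (the poster's workaround) also validates the binding, and programmed_vlans still reports only VLAN 402 on that vPC despite the 2-4094 pool.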

Thank you for the detailed explanation.
