Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6800
Views
0
Helpful
8
Replies

VLAN to EPG to BD mapping

Go to solution
Antonio Macia
Level 3
Level 3

‎04-04-2019 07:28 AM - edited ‎04-04-2019 07:29 AM

Hello,

 

Trying to understand the best practice for VLAN to EPG to BD mapping and leaf connectivity.

 

Let's say we have a number of virtual machines running on different VMware hosts all connected to the same leaf. These VMs belong to the same VLAN. The VLAN pool is static since we don't have distributed virtual switches (no VMware enterprise license). We want to separate the VMs in different EPGs. Per the recommendations below I should create one physical domain per server to make this possible, right? There's no way to reduce the number of physical domain objects if all the servers will share the same VLAN pool?

 

What if the hosts are connected in VPC fashion to two leaves?

 

ACI.png

 

Regards.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Oleksandr Mamenko
Level 1
Level 1
In response to Antonio Macia

‎04-05-2019 11:54 AM

There could be a few scenarios:

1) You need to map one vlan to one EPG. So, on every server Vlan5 would represent EPG_Vlan5. In this case we would have one Physical Domain.

2) You need to map same vlanid on different swithes to different EPGs. So, Vlan5 on leaf-1 would represent EPG_vlan5 and Vlan6 on leaf-2 would represent EPG_vlan5. For this requirements we need one physical domain. 

3) Same vlan on one switch and different EPGs to map - you have to create separate vlan pool, physical domain and l2policy for Per Port Vlan. 

 

Hope it would help. 

 

Regards,

Oleksandr Mamenko

 

 

View solution in original post

0 Helpful

Go to solution
RedNectar
VIP
VIP
In response to Antonio Macia

‎04-09-2019 09:27 PM

@Antonio Macia wrote:

I see your point RedNectar. So in a brownfield deployment in network centric mode, having the port-group to VLAN-BD-EPG mapping and the gateway configured in the BD, to move to application centric mode I would have to create additional port-groups mapped to new VLANs and EPGs within the same BD

Correct

so there's no need to change the VMs IPs which is critical in a production environment.

Correct

I would just need to connect the VMs to the new port-groups.

Correct

Am I right?

Indeed you are

Thanks.

No Problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Oleksandr Mamenko
Level 1
Level 1

‎04-05-2019 05:03 AM

Hi,

 

If all the servers are using the same vlan scope you could create just one Physical domain and map to it your static vlan pool.

You will need a separate PhysDom/VlanPool if you have to use Per Port Vlan feature (In case if vlan X on server A is not vlan X on server B).

 

Regards,

Oleksandr

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Oleksandr Mamenko

‎04-05-2019 10:04 AM

Hello Omamenko,

 

Thanks for your reply. 

Having a single physical domain wouldn't match the scenario at the bottom left of the image which is not possible in ACI? Did you try this set up and work?

On the other hand, the use of the per-port VLAN feature is precisely to deal with scenario where the same VLAN is used in the same switch for different EPGs, am I right?

 

Regards.

0 Helpful

Go to solution
Oleksandr Mamenko
Level 1
Level 1
In response to Antonio Macia

‎04-05-2019 11:54 AM

There could be a few scenarios:

1) You need to map one vlan to one EPG. So, on every server Vlan5 would represent EPG_Vlan5. In this case we would have one Physical Domain.

2) You need to map same vlanid on different swithes to different EPGs. So, Vlan5 on leaf-1 would represent EPG_vlan5 and Vlan6 on leaf-2 would represent EPG_vlan5. For this requirements we need one physical domain. 

3) Same vlan on one switch and different EPGs to map - you have to create separate vlan pool, physical domain and l2policy for Per Port Vlan. 

 

Hope it would help. 

 

Regards,

Oleksandr Mamenko

 

 

0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to Oleksandr Mamenko

‎04-05-2019 01:44 PM

Thanks, option 3 is the scenario I'm looking for. It corroborates my suspicions then, but I was hoping that there was some way to minimize the number of physical domains per server.

0 Helpful

Go to solution
RedNectar
VIP
VIP

‎04-05-2019 01:54 PM

Hi Antonio,

For my answer I'm going to foucus on the "Best Practices" part of your question.

And by far, the BEST PRACTICE to solve your problem is to use VMware to solve your problem, even if you don't have an Enterprise licence.

In other words, it is still a BEST PRACTICE to put each VM that you WANT to have unrestricted communication in the same VLAN - this can be done eihter by allocating them to a sinlge vSwitch which is allocated a VLAN or (better) by creating Portgroups on a vSwitch on each ESXi host and assigning a VLAN to each portgroup. Portgroups are then given a 1-to-1 mapping to EPGs, making each Portgroup an EPG in ACI.

VMs that need RESTRICTED access to other VMs are put into different Portgrous (and therefore assigned to different VLANs and ultimately different EPGs)

In other words, avoid the problem you are facing with the use of the L2 Interface Policy (VLAN Scope attribute) and multipel Bridge Domains and Physical Domains by designing your network correctly the first time.

I believe trying to go down the path you seem to be setting off on is only gonig to lead to continued misery.

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to RedNectar

‎04-09-2019 02:21 PM

I see your point RedNectar. So in a brownfield deployment in network centric mode, having the port-group to VLAN-BD-EPG mapping and the gateway configured in the BD, to move to application centric mode I would have to create additional port-groups mapped to new VLANs and EPGs within the same BD, so there's no need to change the VMs IPs which is critical in a production environment. I would just need to connect the VMs to the new port-groups. Am I right?

 

Thanks.

0 Helpful

Go to solution
RedNectar
VIP
VIP
In response to Antonio Macia

‎04-09-2019 09:27 PM

@Antonio Macia wrote:

I see your point RedNectar. So in a brownfield deployment in network centric mode, having the port-group to VLAN-BD-EPG mapping and the gateway configured in the BD, to move to application centric mode I would have to create additional port-groups mapped to new VLANs and EPGs within the same BD

Correct

so there's no need to change the VMs IPs which is critical in a production environment.

Correct

I would just need to connect the VMs to the new port-groups.

Correct

Am I right?

Indeed you are

Thanks.

No Problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

Go to solution
Antonio Macia
Level 3
Level 3
In response to RedNectar

‎04-10-2019 09:32 AM

Thanks mate!
0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License