04-28-2025 01:05 AM - last edited on 04-28-2025 02:39 AM by shazubai
Hi, I need help to create an L2 VLAN in Cisco ACI,
and also how to create an L3 VLAN.
04-28-2025 02:51 AM - edited 04-28-2025 03:15 AM
Hi @ravina-gurav ,
First, some quick answers
Hi, I need help to create an L2 VLAN in Cisco ACI
There is no such concept as an L2 VLAN in ACI
and also how to create an L3 VLAN.
There is no such concept as an L3 VLAN in ACI
So that leaves you at the point of needing to learn about how ACI maps VLANs and IP subnets. And you are in for quite a journey!
Begin your journey by thinking about a frame arriving at a port on a properly configured ACI interface.
The ACI switch will look at the VLAN tag to determine which End Point Group (EPG) to assign the frame. So the first clue in mapping L2 VLANs in ACI is to realise you'll have to create an EPG for that VLAN. But that is just part of the story - I suggest you start with this blog post (yes, it's MY post. Sorry if I broke the rules) and then work forward.
Back at the frame that's arrived at the switch that by now has been associated with an EPG, the switch next looks at the destination MAC address, which in a pure L2 network, will be the MAC address of another device in the same EPG, so for L2, once you've got that far, you are pretty much sorted.
In summary, to emulate a L2 VLAN in ACI, create an EPG for that VLAN, link it to a Bridge Domain (you read about them in the tutorials I mentioned, didn't you?) and a Physical Domain that is linked to a VLAN Pool that contains the relevant VLAN ID, then make sure all ports that carry that VLAN are configured with Access Policies that connect it to the same Physical Domain. Oh - and then make sure all those ports are also mapped to the EPG too. I really do hope you followed those tutorials.
Now, for L3 - all you need to do is add an IP address to the Bridge Domain in the scenario above. Then (getting back to the incoming frame) if the switch recognises that the MAC address is the MAC address of the Bridge Domain (i.e. the default gateway MAC address), the switch will route the packet, acting like a L3 VLAN with super powers, because a L3 VLAN IP address can exist only on a single switch (or two if using VPCs), whereas in ACI the L3 VLAN IP can exist on MANY switches simultaneously, and what's more, it will assign the L3 IP addresses to the relevant switches dynamically as needed.
Welcome to the wonderful learning journey of ACI.
[Edit: I've been looking for some better references rather than using my own blog (which TBH is not updated for the ACI v5.2+ way of doing things), but nothing I've found is any more up-to-date. However, you may find some of these answers I've given to previous questions helpful:
https://community.cisco.com/t5/application-centric-infrastructure/bd-vrf-and-sebnet-in-aci/m-p/4703964#M12996
04-28-2025 04:56 AM - edited 04-28-2025 04:59 AM
Thanks For the help.
One more question: if I am creating a VLAN Pool under Access Policies with VLANs like 10, 20, 30 and so on, do I have to create a physical domain for every VLAN separately?
04-28-2025 02:29 PM
Hi @ravina-gurav ,
One more question: if I am creating a VLAN Pool under Access Policies with VLANs like 10, 20, 30 and so on, do I have to create a physical domain for every VLAN separately?
No. A VLAN Pool can contain many VLANs, so VLANs 10,20,30 and so on could all be in the same VLAN Pool, called say MappedVLANs_VLAN.Pool
You could then have a Physical Domain called say MappedVLANs_PhysDom linked to that VLAN Pool, and an Attachable Access Entity Policy (I still don't know what that means) called say HostLinks_AAEP linked to that Physical Domain. And you'd need an Access Port Policy Group called say SA.Host_APPG linked to that Attachable Access Entity Policy (or AAEP)
[Note: If the hosts are attached via a VPC, you'll have to have created a VPC Interface Policy Group rather than an Access Port Policy Group]
With this in place, you could then (and this advice differs from my blog, and is based on ACI v5.2g or later) navigate to Fabric > Access Policies >> Interfaces Configuration
From there, in the work pane, click Actions > Configure Interfaces
The wizard dialogue that appears will take you through the process of linking the physical interfaces where your L2 (or L3) VLANs exist to the appropriate Access Port Policy Group (or VPC Interface Policy Group)
[Note: If using SA (Stand Alone or Single Attached - including Active/Passive dual attached), you can use the same Access Port Policy Group for multiple physical ports. If you are using VPCs, you'll need a VPC Interface Policy Group for EVERY VPC*]
*Not strictly true, but trust me, believe it is true for now and explore the alternative in a couple of years time
Once that is done, you'll be ready to start configuring your Tenant, which is where you configure the Bridge Domain and EPG that I mentioned before, as well as a VRF and an Application Profile which I didn't mention before.
Have fun
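The two answers above describe one chain of objects: VLAN Pool > Physical Domain > AAEP > Interface Policy Group on the access-policy side, then VRF > Bridge Domain (with or without a gateway IP) > Application Profile > EPG with static path bindings on the tenant side. The script below is an added example, not code from this thread or from Cisco: it builds the same chain as APIC REST (JSON) managed objects so the relationships are explicit, and it checks that every EPG encap actually falls inside the VLAN Pool the domain references, which is a common cause of faulted static path bindings. The object names MappedVLANs_VLAN.Pool, MappedVLANs_PhysDom, HostLinks_AAEP and SA.Host_APPG come from the reply above; the tenant, VRF, BD and EPG names, the gateway 10.1.20.1/24 and the leaf IDs/ports are assumptions.

```python
"""Added example: APIC JSON for the access-policy chain and the tenant objects
described in the thread. Thread names are reused; everything else is assumed."""
import json

VLAN_POOL = "MappedVLANs_VLAN.Pool"   # names from the reply above
PHYS_DOM = "MappedVLANs_PhysDom"
AAEP_NAME = "HostLinks_AAEP"
APPG_NAME = "SA.Host_APPG"


def vlan_pool(name, vlan_ids):
    """Static VLAN pool, one encap block per VLAN. One pool can hold 10,20,30,...;
    static allocation is what static EPG path bindings require."""
    blocks = [{"fvnsEncapBlk": {"attributes": {
        "from": f"vlan-{v}", "to": f"vlan-{v}", "allocMode": "static"}}} for v in vlan_ids]
    return {"fvnsVlanInstP": {"attributes": {"name": name, "allocMode": "static"},
                              "children": blocks}}


def phys_domain(name, pool):
    return {"physDomP": {"attributes": {"name": name}, "children": [
        {"infraRsVlanNs": {"attributes": {"tDn": f"uni/infra/vlanns-[{pool}]-static"}}}]}}


def aaep(name, dom):
    return {"infraAttEntityP": {"attributes": {"name": name}, "children": [
        {"infraRsDomP": {"attributes": {"tDn": f"uni/phys-{dom}"}}}]}}


def access_port_policy_group(name, aaep_name):
    """Single-attached hosts: one group reused on every port (a VPC needs infraAccBndlGrp)."""
    return {"infraAccPortGrp": {"attributes": {"name": name}, "children": [
        {"infraRsAttEntP": {"attributes": {"tDn": f"uni/infra/attentp-{aaep_name}"}}}]}}


def bridge_domain(name, vrf, gateway=None):
    """gateway=None emulates an L2 VLAN (no routing); adding a gateway IP is the 'L3' step."""
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
    if gateway:
        children.append({"fvSubnet": {"attributes": {"ip": gateway, "scope": "private"}}})
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": "yes" if gateway else "no"},
                     "children": children}}


def epg(name, bd, dom, vlan, ports):
    """ports: (leaf_id, 'eth1/1') tuples; each becomes a static, tagged path binding."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{dom}"}}}]
    for node, port in ports:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{node}/pathep-[{port}]",
            "encap": f"vlan-{vlan}", "mode": "regular"}}})
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def tenant(name, vrf, bds, ap_name, epgs):
    return {"fvTenant": {"attributes": {"name": name}, "children":
            [{"fvCtx": {"attributes": {"name": vrf}}}] + bds +
            [{"fvAp": {"attributes": {"name": ap_name}, "children": epgs}}]}}


def unpooled_encaps(pool, tenant_mo):
    """Pre-flight check: every EPG encap must sit inside the pool its domain references,
    otherwise the static path binding raises a fault. Returns [(epg, vlan), ...]."""
    pooled = set()
    for blk in pool["fvnsVlanInstP"]["children"]:
        a = blk["fvnsEncapBlk"]["attributes"]
        lo, hi = int(a["from"].split("-")[1]), int(a["to"].split("-")[1])
        pooled.update(range(lo, hi + 1))
    missing = []
    for child in tenant_mo["fvTenant"]["children"]:
        for e in child.get("fvAp", {}).get("children", []):
            for c in e["fvAEPg"]["children"]:
                if "fvRsPathAtt" in c:
                    v = int(c["fvRsPathAtt"]["attributes"]["encap"].split("-")[1])
                    if v not in pooled:
                        missing.append((e["fvAEPg"]["attributes"]["name"], v))
    return missing


def build():
    """Assumed topology: leaf 101 and 102, port eth1/1 on each, carrying VLANs 10 and 20."""
    pool = vlan_pool(VLAN_POOL, [10, 20, 30])
    access = [pool, phys_domain(PHYS_DOM, VLAN_POOL), aaep(AAEP_NAME, PHYS_DOM),
              access_port_policy_group(APPG_NAME, AAEP_NAME)]
    ports = [(101, "eth1/1"), (102, "eth1/1")]
    ten = tenant("Demo_TN", "Demo_VRF",
                 [bridge_domain("VLAN10_BD", "Demo_VRF"),                   # L2 only
                  bridge_domain("VLAN20_BD", "Demo_VRF", "10.1.20.1/24")],  # routed BD
                 "Demo_AP",
                 [epg("VLAN10_EPG", "VLAN10_BD", PHYS_DOM, 10, ports),
                  epg("VLAN20_EPG", "VLAN20_BD", PHYS_DOM, 20, ports)])
    return access, ten


if __name__ == "__main__":
    access, ten = build()
    print(json.dumps(access + [ten], indent=1))
    print("encaps missing from pool:", unpooled_encaps(access[0], ten))
```

Each object is posted to its parent DN on the APIC (uni/infra for the VLAN Pool and AAEP, uni/infra/funcprof for the Access Port Policy Group, uni for the Physical Domain and the Tenant). The interface-to-policy-group mapping that the Configure Interfaces wizard does is deliberately left to the GUI step described above, since that part is what changed in 5.2+.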