Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3275
Views
0
Helpful
9
Replies

Extend the EPG Out of the ACI Fabric using static path config

Go to solution
Thushan Pramod
Level 1
Level 1

‎04-04-2017 01:59 AM - edited ‎03-01-2019 05:11 AM

Hi All,

Can we configure more than one vlan encap in static path binding to a leaf port to extend the traffic to outside of the ACI topology which is similar to vlan trunk configuration in legacy L2 switch configuration?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gmonroy
Cisco Employee
Cisco Employee
In response to Thushan Pramod

‎04-07-2017 11:16 AM

Thushan,

Your last paragraph is a bit hard to follow, but I will try breaking it down here:

My understanding:
You plan to use static bindings across multiple EPGs to encompass the same IP subnet. Your Gateway for this subnet will exist on a firewall L2 to the ACi fabric.

Thoughts:

a. If all EPGs are sharing the same BD, then traffic within that BD can potentially be flooded within the ACI fabric (depending on BD settings). These endpoints will only need to hit the GW on the FW when they need to get outside of their subnet.

b. Every EPG to EPG traffic needs to have a contract to be allowed to pass through ACI. This applies regardless of whether the EPs are in the same/diff subnet. Assuming you have EPG-A and EPG-B both with 192.168.x.x hosts, you will need to put a contract between them to allow them to talk, otherwise it will be dropped by default.

c. A Static binding is essentially your trunk/access port definition. The subnet(s) within the EPG have no bearing on what ACI will program. It will, however, force you to think about your traffic flow in reference to how it can reach its gateway to get outside of its own subnet.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Claudia de Luna
Spotlight
Spotlight

‎04-04-2017 06:12 AM

Hi [@thushan@n-able.biz] ,

Absolutely.  In most environments I see a set of access interfaces or say a host vPC uplink with a static path binding to multiple EPGs (vlan encap) in mode Trunk or in mode Access (802.1P) if we need to have that encap across a variety of EPGs in both Trunk and "Access" mode.

See this link for a little more detail on that.

Example in the attached little drawing.

Preview file
109 KB
0 Helpful

Go to solution
Thushan Pramod
Level 1
Level 1
In response to Claudia de Luna

‎04-04-2017 07:02 AM

Hi Claudia,

We need to have a setup like this.One EPG will have vlan 10/11 and another EPG will have vlan 10/20 in the same BD. Default GW is defined in the external firewall as well. Since we can use static path binding as trunk in the ACI side what is required from FW end.

0 Helpful

Go to solution
Claudia de Luna
Spotlight
Spotlight
In response to Thushan Pramod

‎04-04-2017 07:23 AM

Hi,

It all depends on how you are connecting your firewall to the fabric and how you are integrating into the fabric (non integrated where you are just using the fabric for L2, unmanaged, or managed).  

Lets say you are not integrating and the firewall uplink to the fabric is a VPC (or a set of vPCs for an active/passive deployment but they would look the same).  Its going to be the same model as with the hosts.  You will do static path bindings to extend those vlans down to the firewall.   A few suggestions if this is your design:

- disable unicast routing on your BD (or use 'Limit IP Learning to Subnet' but in these situations I just disable unicast routing)

- enable all the normal behavior on your BD (Arp flooding etc.) - basically disable the optimized behavior on the BD

Think of it as your normal vlan stitching but you are using ACI to do it.

0 Helpful

Go to solution
Thushan Pramod
Level 1
Level 1
In response to Claudia de Luna

‎04-04-2017 07:30 AM

Hi Claudia,

Thanks for the quick reply. Our setup is like 2spine switches and 2leaf switches use VPC to connect FW from 2 leaf switches. We will use same vlan in different epgs as well and to extend those clans we are going to use static path binding. What is required from FW end in order to provide communication among different epgs in ACI.

0 Helpful

Go to solution
Claudia de Luna
Spotlight
Spotlight
In response to Thushan Pramod

‎04-04-2017 07:44 AM

Hi,

Once you have configured the "paths" and mapped your vlans to the right "security zone" or however your firewall terms that mapping then its going depend on the policies on your firewall.  

I suspect will will look something like:

host1 on vlan 10 <-static path binding encap 10 on both host1 interface and fwl interface-> FWL Gateway -> FWL Policy -> <static path binding encap 20 on both host2 interface and fwl interface-> host2 on vlan 20 

If your FWL Policy allows say ssh, then host 1 whose gateway is the FWL will be able to ssh to host 2.

Hopefully I understood your question.  Actually configuring the firewall (regardless of vendor) is not something I tend to do much of so I can be of little help there!

0 Helpful

Go to solution
Thushan Pramod
Level 1
Level 1
In response to Claudia de Luna

‎04-04-2017 07:58 AM

Hi Claudia,

Thanks and it was really helpful.

0 Helpful

Go to solution
Thushan Pramod
Level 1
Level 1
In response to Claudia de Luna

‎04-05-2017 03:09 AM

Hi Claudia,

There is one thing I need to clear, We can use static binding for different IP subnet to extend and can control through FW policies. but if we use same IP subnet in different EPGs how can the communication occurs since the default GW is defined in the fw? Can we control that traffic through contracts without extending that traffic to FW? Please assist.

0 Helpful

Go to solution
gmonroy
Cisco Employee
Cisco Employee
In response to Thushan Pramod

‎04-07-2017 11:16 AM

Thushan,

Your last paragraph is a bit hard to follow, but I will try breaking it down here:

My understanding:
You plan to use static bindings across multiple EPGs to encompass the same IP subnet. Your Gateway for this subnet will exist on a firewall L2 to the ACi fabric.

Thoughts:

a. If all EPGs are sharing the same BD, then traffic within that BD can potentially be flooded within the ACI fabric (depending on BD settings). These endpoints will only need to hit the GW on the FW when they need to get outside of their subnet.

b. Every EPG to EPG traffic needs to have a contract to be allowed to pass through ACI. This applies regardless of whether the EPs are in the same/diff subnet. Assuming you have EPG-A and EPG-B both with 192.168.x.x hosts, you will need to put a contract between them to allow them to talk, otherwise it will be dropped by default.

c. A Static binding is essentially your trunk/access port definition. The subnet(s) within the EPG have no bearing on what ACI will program. It will, however, force you to think about your traffic flow in reference to how it can reach its gateway to get outside of its own subnet.

0 Helpful

Go to solution
Thushan Pramod
Level 1
Level 1
In response to gmonroy

‎04-10-2017 10:01 PM

Hi gmonroy,

Thanks for the detailed reply, it was really helpful.

0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License