- VLAN Encapsulation in ACI – Deep Dive
VLAN Encapsulation in ACI
There are two types of VLANs used in ACI
- External VLAN: Used for External Communication and Integration
- Internal VLAN: It is also called as Platform Independent Vlan whose scope is local to each leaf. ACI has no control how Platform VLAN is allocated to traffic going via leaf. APIC allocates PI VLAN per EPG, Per BD and these allocation is local to leaf and is different to each Leaf.
Cisco ACI fabric internally does not use VLANs as traditional switches but it translates externally connected VLANs to Flooding Domain, Bridge Domain and VXLANs. All of this is happening at the ingress to the fabric.
Here we can see the ACI has allocated the Platform VLAN to each VLAN which its receives from ingress port. Example from port Eth1/11, Traffic comes to Leaf with encapsulation of Ethernet vlan 1675 and upon receive, it allocates VLAN 12 randomly on that leaf switch.
show vlan extended output command you can see how internal VLANs are encapsulated to VXLANs or external VLANs. With this command, you can easily see which external VLANs are used on the particular leaf switch.
There are various Internal Platform VLAN used by ACI on each Leaf and they are independent to each other. Several VLANs exist on a leaf switch. There are two commands most commonly used for troubleshooting purposes: show vlan extended and show system internal eltmc info vlan brief . In the output of the later command you can see a table with several different VLANs:
Different Platform VLANs used in ACI are:
VlanId : is the PI (platform independent) VLAN of the system and is locally significant to each switch. This is the same VLAN as seen in the output of the command show vlan.
Hw_VlanId: is the VLAN used in ASICs but is usually not relevant for a user.
BD-VLAN : is used to represent a bridge domain and can link multiple FD-VLANs (encap VLANs) together with multiple hardware VLANs and internal VLANs. It is one forwarding aspect used by the Broadcom ASIC to determine if traffic should be locally switched or forwarded to the Northstar ASIC for processing. The BD-VLAN connects different local FD-VLANs to a single bridge domain, and is used on the Broadcom ASIC to determine the Layer 2 broadcast domain. If for example two different access_enc VLANs have the same BDVlan ID it means they belong to two EPGs that are part of the same BD.
LEAVE A COMMENT
Table of contents.
- ACI Hardware Component
- ACI Hardware Installation
- ACI Fabric Discovery
- ACI Terminology
- Access & Fabric Policies
- VXLAN Forwarding in ACI
- L2 DataPath – Deep Dive
- Switching in ACI
- Routing in ACI
- L3 Datapath – Deep Dive
- Traffic Filtering in Cisco ACI
- Tenant Network Configurations
- VRF Network Configuration
- Bridge Domain Configuration
- Filters & Contracts Configuration
- Application Profile & EPG Configuration
- Integrating With VMware
- VPC for ESXi-1 & ESXi-2
- Compute & Storage Connectivity In ACI
- L2 external network with ACI
- Layer 3 Outside & External Routed Networks
- L3Out-Subnet Flags
- MP-BGP Spine Route-Reflector in ACI
- ACI Initial Fabric Configuration
- ACI Configure Tenant VRF & Bridge Domain
- ACI Configure Filters and Contracts
- ACI Configure Three-Tier Application Profile
- ACI Configure Baseline Interface Policies
- ACI Integration with VMWARE
- ACI Inter Tenant Connectivity
- ACI Extend Bridge Domain by External Layer 2 Connection
- ACI External Network Connectivity to External Switch via Trunk
- ACI Static Routing for External Layer 3 Connectivity
- ACI OSPF Routing for External Layer 3 Connectivity
- ACI EIGRP Routing for External Layer 3 Connectivity
- ACI EBGP Routing for External Layer 3 Connectivity
- IPN Configuration
- ACI Automation & Scripting
- ACI Multipod Overview
- ACI Multi-Pod Building Control Plane
- ACI Multi-Pod Data Traffic Flow
- Multi-Pod Connectivity via External L3
- Host Tracking Subnet Check & Limit IP Learning
- Service Graph Introduction
- BD VRF & EPG Design consideration – Service Chaining
- IP Routing & VRF Design Consideration – Service Chaining
- L3Out for Routing to L4-L7 Devices
- Routed Mode ( Go-To mode ) for L4-L7 Appliance
- Transparent & One ARM mode for L4-L7 Appliance
- Policy Based Redirect in ACI
- Monitoring ACI Fabric
- Monitoring ACI via REST API
- OOB & In-Band Management
- Syslog-SNMP-SPAN-Netflow Configuration
- ACI Multi-Site Architecture
- Multi-Site Bridge Domain Configuration Approach
- Multi-Site ISN Design
- ACI Multi-Site Control Plane
- ACI Multi-Site Data Plane Communication
- ACI Multi-Site Connectivity to External Layer 3 domain
- ACI Multi-Site Intersite L3Out
- ACI Multi-Site Integration
- Remote Leaf Architecture
- Bits & Bytes of Remote Leaf
- Traffic Forwarding between RL pair before ACI 4.1(2) & After 4.1(2)
- Multi-Site With Remote Leaf
- Remote-Leaf Integration
- Remote Leaf Failure Handling Scenarios
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
- Cisco Certification – A Closer Deep-Dive Look
- Cisco DNA-Spaces : Monitoring IOT Network
- Compute in AWS Cloud
- Software Development
- Managed IT Services
- Cloud Computing Services
- Hybrid Data Center & Hybrid Cloud Services
- Cyber Security Services
- DevOps Services & Solutions
- IT Consulting Services
- Audit & Assessment Services
- Disaster Recovery Services
- People in Zindagi
- Zindagi Insights
- Case Studies
- Company Profile
- Managed IT and Cybersecurity
- Careers at Zindagi
- Employee Benefits
At Zindagi, our focus is to create value for our customers by applying our deep industry experience, technical expertise, and business intelligence.
- Zindagi Technologies Pvt. ltd. 301-302, 3rd Floor 40-41 Bakshi House Nehru Place, New Delhi 110019
How To Configure A VLAN On A Port In An ACI Fabric?
In this blog, we will explain how different policies are configured to assign VLAN on a port in an ACI fabric . We do not configure VLAN directly on a port but use policies that will allow us to scale configuration and apply similar behavior to switches or ports.
Let’s see the below use cases where Layer 2 switch is connected to ACI Fabric on port 1/5 of Leaf-1 and Server connected to LACP port-channel are connected to Leaf-1 and Leaf-2 on 1/10 port respectively.
In the above scenario following features need to be configured for the communication.
- Switch Profile
- Interface Profile
- Interface Policies
- Interface Policies Group
- Attachable Access Entity Profile
- Tenant, Application Profile, and EPG
What is a Switch Profile?
Switch Profile defines the switches which need to be configured.
Steps to create Switch Profile
Path- Fabric>Access Policies>Switches>Leaf Switches >Profile >Create Leaf Profile>Right Click
Note : “Switch101-Profile” will be for a switch profile containing node-101 and “Switch101-102_Profile” for a switch profile containing switches 101-102 which are part of a vPC domain.
For the above scenarios, we will create two switch profiles one for Leaf-101 and the other for Leaf-101 and Leaf-102 being part of vPC.
What is Interface Profile?
The interface profile contains 1 or more access port selectors which require the configuration.
Steps to create Interface Profile
Path- Fabric>Access Policies>Interface>Leaf Interface>Profile>Create Leaf Interface Profile>Right Click
Note : A single interface profile can be created per physical switch and one interface profile for each vPC domain.
Switch101_Profile_ifselector will be the interface profile for per physical switch and Switch101-102_Profile_ifselector for the vPC domain.
What are Interface Policies?
Interface Policies are the characteristics that we can define for the ports in the switch and these interface policies are further called in the Interface Policy Group.
Steps to Create Interface Policies
Path-Fabric>Access Policies>Policies>Interfaces>CDP Interface>Right Click
Similarly make policies such as LLDP, Port-Channel, etc.
Steps to create Interface Policy Group
Path-Fabric>Access Policies>Interfaces>Leaf Interface>Policy Groups>Leaf Access Port>Right Click
Note : Access Port IPG is created for the port which is not a member of the port channel. In the above scenario Access port, IPG will be made for Leaf 101.
Note: We can select another characteristic too which needs to be deployed on the interface.
Path-Fabric>Access Policies>Interfaces>Leaf Interface>Policy Groups> vPC Interface >Right Click
Note : vPC Interface IPG is created for the port which is a member of the port channel.
Steps to bind switch profile with interface profile
Path-Fabric>Access Policies>Switches>Leaf Switches>Profile>Select Switch Profile Created
Steps to bind interface policy group with interface
Path-Fabric>Access Policies>Interfaces>Leaf Interfaces>Profile>Select Interface Profile>Access Port Selector
Note- The interface policies which are called in IPG are now bound to the interface which requires the mentioned characteristic.
Steps to create a VLAN pool
Path-Fabric>Access Policies>Pools>VLAN>Right Click
Note: Static VLAN pool is created for static deployment and a Dynamic pool is created for dynamic deployment (VMM).
What is Domain?
A domain defines the ‘scope’ of a VLAN pool and where that pool will be used. Physical Domain is used for Bare Metal. For most deployments, a single physical domain is sufficient for static path deployment and one routed domain for L3Outs.
Steps to Create Domain
Path- Fabric>Access Policies>Physical and External Domains>Physical Domains>Right Click
Map the domain with the VLAN pool.
What is AAEP?
Attachable Access Entity Profile is used to map the domain to the interface policies group with the end goal of mapping VLAN to the interface. Single AEP should be used for static paths and additional AEP per VMM domain.
Steps to create Attachable Access Entity Profile
Path: Fabric>Access Policies>Policies>Global>Attachable Access Entity Profile>Right Click
Map AAEP with the domain
Map AAEP with the IPG
Steps to create a vPC domain and Explicit vPC Protection Group
Path-Fabric>Access Policies>Policies>Switch>VPC Domain>Right Click
Note – One VPC Domain is created where we define Peer Dead Interval. VPC Explicit Protection Group is created where we call vPC peer device. Once created, a VTEP IP for the peer device is assigned automatically by APIC.
Path-Fabric>Access Policies>Policies>Switch>Virtual Port Channel default>Right Click
What is Tenant in ACI?
Tenant is the main Container of policies where all L2 and L3 policies will be constructed, access rules, and services. It is used for the separation of management. There are two kinds of tenants- user define and pre-defined or default.
Three pre-defined tenants are
- Infra Tenant- It will have policies related to internal fabric communication.
- Common Tenant- It will have policies/services which can be used by the rest of the tenant.
- Management Tenant- It will be responsible for Inband and OOB management.
Steps to creating a Tenant
Path- Tenants>Add Tenant>Click>Submit
What is Bridge Domain?
A bridge domain is a container of subnets. Under B.D we define subnet for the VLAN. The bridge domain will be part of VRF and VRF will be part of the tenant.
Steps to create VRF and Bridge Domain
Path- Tenants>PROD-TENANT>Networking>Click on it>Drag and drop VRF
Path- Tenants>PROD-TENANT>Networking>Click on it>Drag and drop Bridge Domain
What are Application Profile and EPG?
Application Profile is a container of EPG. It contains one or more EPGs. The Endpoint Group is a logical entity that contains a collection of endpoints that may be in different VLANs or subnets.
Steps to Create Application Profile
Path- Tenant>PROD-TENANT>Application Profile>Right Click
Note: – Under the application profile, EPG created will be used for the physical domain (bare metal) and VMM domain.
Steps to Create EPG
Path- Tenant>PROD-TENANT>App-Profile>Application EPG>Right Click
EPG is created and bound with Bridge Domain. The next step is to bind EPG with the domain and bond either with the entire leaf or the ports of the leaf.
Path- Tenants>PROD-TENANT>Application Profile>App-Profile>Application EPG>EPG-1>Domain>Right Click
Note: – In the below dashboard static port option within the EPG is used to bind ports to an EPG and the static leaf option within the EPG is used to bind the entire leaf to that EPG.
Path- Tenants>PROD-TENANT>Application Profile>App-Profile>Application EPG>EPG-1>Static Ports>Right Click
Note: – Mapping VLAN to an individual port of a leaf.
Note: – Static Port binding for the vPC is shown below
In the next blog, we will see how traffic flows between endpoints in ACI fabric. For more information regarding ACI deployment, you can follow Setting Up an ACI Fabric: Initial Setup Configuration Example.
Zindagi Technologies is an IT consulting and cybersecurity company in Delhi having engineers with decades of experience in planning, designing, and implementing Data Centers along with Managed IT Services , cybersecurity, and cloud services. Not just this, we also deal in many other services that will help you in finding out bugs in your IT infrastructure. If you want to secure your network, we are just a call away. Please ping us at +91-9773973971 or drop us a mail. To get the latest updates on our organization, you can follow us on LinkedIn . Author Jainul Khan Associate Consultant
Marathonbet yukle Azərbaycanda Sürətli və rahat mərc üçün Marathon Bet yukl
Cederquist rådgivare till styrelsen för leovegas vid mgm: s offentliga uppköpserbjudand, comment (1), traffic flow in aci | zindagi technologies.
[…] moving forward to see how traffic flows in the ACI environment let’s have a look at a few terminologies which are required to understand the traffic […]
Leave a comment Cancel reply
Your email address will not be published. Required fields are marked *
Save my name, email, and website in this browser for the next time I comment.
Zindagi Technologies is a leading IT consulting and Managed Services Provider serving commercial enterprises across the globe.
- Sales: +91-9773973971
- Careers: +91-7217744680
- Email: [email protected]
Copyright © 2023 Zindagi Technologies . All Rights Reserved.
Subscribe to our latest updates!
- CCNA 200-301
- CCNA 200-301 Labs
- CCNP 350-401 ENCOR
- CCNP 350-401 ENCOR Labs
- CCNP 300-410 ENARSI
- CCIE Enterprise Infrastructure
Cisco Packet Tracer Lab Course
- NRS II IRP Course
- NRS II MPLS Course
- NRS II Service Architecture
- Nokia Configuration Course
- Nokia SRC Program
- JNCIA Junos
- HCIA (HCNA)
- HCIA Configuration Course
- What is Huawei R&S Certification?
- Huawei ICT Certifications
- Python Course
- IPv6 Course
- IP Multicast Course
- NRS I Configuration Course
- Cisco Packet Tracer How To Guide
- Online Courses
- Udemy Courses
- CCNA Flashcard Questions
- Protocol Cheat Sheets
- Subnetting Cheat Sheet
- Linux Cheat Sheet
- Python Cheat Sheet
- CLI Commands Cheat Sheets
- Miscellaneous Cheat Sheets
- Cisco Packet Tracer Labs
- Cisco GNS3 Labs
- Huawei eNSP Labs
- Nokia GNS3 Labs
- Short Config Videos
- Network Tools
- IPCisco on Social Media
- Network Engineer Interview Questions
- Personality Interview Training
- Sign In/Up | Members
- Lost password
- Sign In/Sign Up
- ENROLL HERE
- VLAN Mapping (VLAN Translation) on Cisco
On Cisco devices, VLAN mapping term is used for mentioning the swap of incoming VLAN id to a new VLAN id. In the below configuration examples, we will see Cisco configuration for this swapping. Lets check this configuration for a Cisco switch. The related congfiguration steps are:
And to verify, the below command scan be used:
As an example, we can configure the customer 10,20,30 and 40 VLANs(C-VLAN s) to the Service provider vlans(S-VLAN s),110,120,130 and 140.
Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
- Cisco Router Password Recovery
- Common Cisco Router Configuration on Packet Tracer
Routing Protocol Configurations (IPv4)
- BGP Configuration Example with Packet Tracer
- ISIS Configuration Example on Cisco IOS
- EIGRP Configuration With Packet Tracer
- Cisco Single Area OSPF Configuration
- RIP Configuration With Packet Tracer
- Static Route Configuration on Cisco Routers
Routing Protocol Configurations (IPv6)
- ISIS For IPv6 Configuration Example on Cisco IOS
- EIGRP For IPv6 Configuration On Cisco IOS
- OSPFv3 Configuration Example on Cisco IOS
- RIPng Configuration Example on Cisco IOS
- IPv6 Static and Default Route Configuration on Cisco IOS
- Basic Multipoint Frame Relay Configuration
- Basic Frame Relay Point-to-Point Configuration
- Basic Frame-Relay Configuration with both Inverse-ARP and Frame-Relay Map Command
- PPP Configuration on Cisco
- HDLC Configuration on Cisco
DHCP and NAT Configurations
- Dynamic NAT Configuration with Packet Tracer
- PAT Configuration with Packet Tracer
- Static NAT Configuration with Packet Tracer
- Router DHCP Configuration with Packet Tracer
Security and ACL Configurations
- Extended Access List Configuration With Packet Tracer
- Standard Access List Configuration With Packet Tracer
- Switch Port Security Configuration with Cisco Packet Tracer
- Basic Cisco Router Security Configuration
- SNMP Configuration On Cisco IOS
- Packet Tracer VLAN Configuration Example 2
- Private VLAN Cisco Configuration Example
- Switch Virtual Interface Configuration on Packet Tracer
- Inter VLAN Routing Configuration on Packet Tracer (Router on Stick)
- Packet Tracer VLAN Configuration Example
Spanning Tree Configurations
- RSTP Configuration on Packet Tracer
- STP Portfast Configuration with Packet Tracer
- STP (Spanning Tree Protocol) Example on Packet Tracer
Neighbor Discovery Configurations
- LLDP Configuration on Cisco
- CDP Configuration with Packet Tracer
- LACP Configuration on Cisco Devices
First Hop Redundancy Configurations
- VRRP Configuration on Cisco
- GLBP Configuration on Cisco
- HSRP Configuration on Cisco IOS
- uRPF (Unicast Reverse Path Forwarding) Part of: CCNP Enterprise 350-401 ENCOR
- Conditional debugging Part of: CCNP Enterprise 350-401 ENCOR
- Cisco Terminal Monitor and Cisco Logging Monitor Part of: CCNP Enterprise 350-401 ENCOR
- Cisco Debug Command Part of: CCNP Enterprise 350-401 ENCOR
- Packet Tracer VLAN Example 2 Part of: CCNA 200-301
- Packet Tracer VLAN Configuration Example 2 Part of: Cisco Packet Tracer Lab Course
- Container vs Virtual Machine Part of: CCNP Enterprise 350-401 ENCOR
- Virtual Switching and Virtual Switch (vSwitch) Part of: CCNP Enterprise 350-401 ENCOR
- Policy Based Routing (PBR) Part of: CCNP Enterprise 350-401 ENCOR
- Virtual Extensible LAN (VXLAN) Part of: CCNP Enterprise 350-401 ENCOR
- More Lessons
Latest Blog Posts
WHAT YOU WILL FIND?
- 250.000+ Students All Over The World
- 8.000+ Questions & Answers
- 100+ Lab Files & Cheat Sheets
- 30+ IT/Network Courses
- A Real Desire To Help You
- Daily Social Media Shares
- %100 Satisfaction
- CISCO Courses
- NOKIA Courses
- HUAWEI Courses
- JUNIPER Courses
- PYTHON Course
- KEY Courses
- VIDEO Courses
- UDEMY Courses
- Cheat Sheets
- Configuration Files
- Interview Questions
- IPCisco On Social Media
- Pärnu mnt. 139c – 14, 11317, Tallinn, Estonia
- [email protected]
- Routing & Switching
- Service Provider
- Data Center
You are here
Dc0014 - aci l2out (part 3).
- EPG Extension
- Virtual Port-Channel
- Mis-Cabling Protocol (MCP)
- ARP Flooding
- Extended Bridged Network (L2OUT)
- L2OUT Contract
- Server Migration
- Log in or register to post comments
L2OUT VLAN MAPPING
First of all, thank you for this great series of videos!
I have one question about those vlan changes that you did. Do we have to use different vlans only if the L2OUT Port and Endpoint port are on the same Leaf?
If we have a dedicated leaf for L2OUT and others dedicate leafs for endpoint connectivity, is it possible to use the same vlan mapping?
Top 5 videos.
- Lab Minutes Main Website
- Reset Password