M2 BD EPG

  1. bridge domain

broadcast domain

tenant

3 preconfigured tenants

common tenant

DNS, DHCP and AD

Mgmt tenant

out of band

infra tenant

sw to sw, AVS, AVE

VRF

same address space

enforce

inter EPG need contract

bridge domain

unknown MAC

1st method

Flooding

Method 2: proxy lookup

pervasive GW

path binding

physical domain

bare metal

VM without VMM integration

without associate domain to EPG

error F0467

Create Application EPG

intra EPG policy

enforced (default)

Means allow

Preferred group exclude (default)

Excluded from using the internal contract group

Disabled flood in encapsulation (default)

disable flooding

statically link

Associate to VM domain

Means static path binding

Means VMM domain

step 2 leaves/path slide

Path: Node Id/FEXID /card ID/ port ID

Mode (traffic From host)

trunk

default

access

untag

tag 802.1p

port encap

Means vlan ID

any leaf can provide gateway function for endpoints

Lab 4

Vswitch

Configure route based on IP hash

compatible with static "on" mode on the port channel

route based on originating virtual port?

load balance per VM

used without VPC

used with VPC

1. Explain

configure EPG for web-server

assign vlan 11

verify inter-EPG

ping between cat3560 (vlan 21) and web-server (vlan 11)

result: can ping

cat 3560 and web server same subnet, but different vlan

unicast routing disabled in BD

Means no route in VRF (disable L3)

ACI can't learn IP but can learn MAC address

In other words, in a leaf, inside the same EPG, VLANs can be tagged (trunk or access 802.1P) or untagged, but not both. Or, if a VLAN is defined inside a trunk, it cannot be defined as access (in the same leaf, in the same EPG).

802.1P refers to a QoS implementation using 802.1Q protocols. In other words, a port in Access (802.1P) should send and receive frames tagged with VLAN 0 (using 802.1Q).

Untagged ports should send and receive frames untagged (without 802.1Q). Most modern operating systems should be able to handle tagged frames with VLAN 0 like untagged frames.

even if subnet is configured on BD, it has no effect

Means the distributed GW is disabled

Bridge domains can span multiple switches.

A bridge domain can contain multiple subnets, but a subnet is contained within a single bridge domain. Subnets can span multiple EPGs; one or more EPGs can be associated with one bridge domain or subnet.

2 IP and 2 MAC

1 is virtual and 1 is non-virtual

similar to HSRP

leaking

best practice

put multiple BD under 1 VRF

EPG to vlan rules

■ You can map two EPGs of different bridge domains to the same VLAN on different switches.

■ You cannot map two EPGs of the same bridge domain to the same VLAN on different ports of the same leaf.

refer to diagram

Analogy to SVI in IOS CLI

VRF enforced

unicast routing enabled ?

If this setting is enabled and a subnet address is configured, the fabric provides the default gateway function and routes the traffic. Enabling unicast routing also instructs the mapping database to learn the endpoint IP-to-VTEP mapping for this bridge domain. The IP learning is not dependent upon having a subnet configured under the bridge domain.

Flooding

L2 unknown unicast

When set to Flood, unknown unicast frames are flooded in the BD.

When set to Hardware Proxy, unknown unicast frames are sent to the spine proxy for a lookup.

Note: Modifying the L2 Unknown Unicast setting causes the BD to get redeployed on the leaf switches. This means there is a slight disruption in service when making this change.

unknown L3 multicast

When set to Flood, if an L3 multicast packet is received, the packet is flooded to all interfaces in the BD, even if there are no receivers.

When set to Optimized, if an L3 multicast packet is received, the packet is sent only to router ports. If there are no router ports, the packet is dropped.

Multidestination Flooding

When set to Flood in BD, floods the packet in the BD.

When set to Flood in Encapsulation, floods the packet only in the VLAN encapsulation it was received in.

When set to Drop, drops the packet.
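As an added example (not part of these notes), a Python sketch of the APIC JSON for the lab above: an enforced VRF, a BD carrying the flooding and unicast-routing settings from the last sections, the web-server EPG with a static path binding on VLAN 11, and a check for the per-leaf EPG-to-VLAN rules. Attribute names are those of the ACI object model (fvBD, fvAEPg, fvRsPathAtt); the tenant, BD, subnet, node and port values are constructed for the example.

```python
# "Mode (traffic from host)" on a static path maps to fvRsPathAtt mode values:
MODE = {"trunk": "regular", "access_8021p": "native", "access_untagged": "untagged"}


def path_dn(node, card, port, pod=1):
    """Static path tDn built from Node ID / card ID / port ID (no FEX here)."""
    return f"topology/pod-{pod}/paths/{node}/pathep-[eth{card}/{port}]"


def static_binding(node, card, port, vlan, mode="trunk"):
    """fvRsPathAtt child of an EPG; the 'port encap' is the VLAN ID."""
    return {"fvRsPathAtt": {"attributes": {
        "tDn": path_dn(node, card, port), "encap": f"vlan-{vlan}",
        "mode": MODE[mode], "instrImedcy": "immediate"}}}


def build_lab_tenant(bindings, unicast_route=False):
    """Enforced VRF (inter-EPG traffic needs a contract), one BD, web-server EPG.
    unicast_route=False: the BD learns MACs only, the subnet is no pervasive GW."""
    bd_attrs = {"name": "Web_BD", "unicastRoute": "yes" if unicast_route else "no",
                "unkMacUcastAct": "flood",     # or "proxy": spine proxy lookup
                "unkMcastAct": "flood",        # or "opt-flood": router ports only
                "multiDstPktAct": "bd-flood"}  # bd-flood | encap-flood | drop
    epg_attrs = {"name": "Web_EPG", "pcEnfPref": "enforced",   # intra-EPG: allow
                 "prefGrMemb": "exclude", "floodOnEncap": "disabled"}  # defaults
    return {"fvTenant": {"attributes": {"name": "LabTenant"}, "children": [
        {"fvCtx": {"attributes": {"name": "Lab_VRF", "pcEnfPref": "enforced"}}},
        {"fvBD": {"attributes": bd_attrs, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "Lab_VRF"}}},
            {"fvSubnet": {"attributes": {"ip": "10.1.1.254/24", "scope": "private"}}}]}},
        {"fvAp": {"attributes": {"name": "Lab_App"}, "children": [
            {"fvAEPg": {"attributes": epg_attrs, "children":
                [{"fvRsBd": {"attributes": {"tnFvBDName": "Web_BD"}}}] + bindings}}]}}]}}


def check_bindings(rows):
    """rows: (epg, bd, leaf, port, vlan, tagged). Flags the two per-leaf conflicts in
    the notes: two EPGs of one BD on one VLAN, and one EPG mixing tagged/untagged."""
    problems = []
    for i, (epg, bd, leaf, _, vlan, tagged) in enumerate(rows):
        for epg2, bd2, leaf2, _, vlan2, tagged2 in rows[i + 1:]:
            if leaf != leaf2 or vlan != vlan2:
                continue  # different leaf or different VLAN: never a conflict
            if epg != epg2 and bd == bd2:
                problems.append(f"leaf {leaf} vlan {vlan}: {epg} and {epg2} share BD {bd}")
            elif epg == epg2 and tagged != tagged2:
                problems.append(f"leaf {leaf} vlan {vlan}: {epg} mixes tagged and untagged")
    return problems
```

The resulting dict can be posted to `/api/mo/uni.json` on an APIC; `check_bindings` is run on the planned static paths before pushing them.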