Cisco ACI Fabric Access Policy Design Strategy
Here is a strategy I have used for many Cisco ACI deployments for mid-size to enterprise customers. I found this strategy effective for customers who have a handful of data center VLANs which need to be migrated into Cisco ACI as well as allow the customer to leverage other VLANs for hybrid/application-centric operating modes.
Before I go into detail, I want to stress the importance of VLAN Pool design with these design principles:
- Do not attach overlapping VLAN Pools to the same AEP: This creates a risk for loops occurring in the fabric under certain deployment conditions. This can cause issues with BPDU forwarding through the fabric if the domains associated to an EPG have overlapping VLAN block definitions. It is best to ensure VLAN pools are unique when attaching to the same AEP.
- For any single End Point Group (EPG), do not bind endpoints using different VLAN Pools: A VXLAN ID is generated for each VLAN ID in a VLAN pool. Two overlapping VLAN Pools will have different VXLAN IDs assigned to them. If there are endpoints connecting to the same EPG attached with different overlapping VLAN pools, data forwarding problems will occur when switches get rebooted, replaced, or added to fabric as VXLAN IDs may not match.
I developed this strategy by first focusing on the end-state. The end-state is how I envisioned the operational end-state of the Cisco ACI fabric with also being able to support network-centric migration initiatives. This strategy does not include any in-band, multi-pod or multi-site fabric access policies. Those I can tackle in another post.