Designing Cisco ACI Fabric Access Policies

Cisco ACI Fabric Access Policy Design Strategy

Here is a strategy I have used for many Cisco ACI deployments at mid-size to enterprise customers. I found it effective for customers who have a handful of data center VLANs that need to be migrated into Cisco ACI, while still allowing them to use other VLANs for hybrid or application-centric operating modes.

Before I go into detail, I want to stress the importance of VLAN Pool design with these design principles:

  • Do not attach overlapping VLAN Pools to the same AEP: this creates a risk of loops in the fabric under certain deployment conditions. It can cause issues with BPDU forwarding through the fabric if the domains associated with an EPG have overlapping VLAN block definitions. Make sure the VLAN pools attached to the same AEP do not overlap.
  • For any single End Point Group (EPG), do not bind endpoints using overlapping VLAN Pools: a VXLAN ID is generated for each VLAN ID in a VLAN pool, so two overlapping VLAN pools assign different VXLAN IDs to the same VLAN. If endpoints connect to the same EPG through different overlapping VLANs, data forwarding problems will occur when switches are rebooted, replaced, or added to the fabric, because the VXLAN IDs may not match and their assignment is non-deterministic.
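The two VLAN pool rules above are easy to state and easy to violate as a fabric grows, so they are worth checking mechanically. The following Python script is an added example, not code from the original post or from Cisco: it models a small, constructed inventory (pool, domain, AEP and EPG names are placeholders, not exported from an APIC) and reports any AEP whose domains attach overlapping pools (rule 1) and any EPG bound through domains whose pools overlap (rule 2). In a real deployment the four dictionaries would be populated from the APIC's `fvnsVlanInstP`, domain, `infraAttEntityP` and `fvRsDomAtt` objects; that export is assumed and not shown here.

```python
"""Static check for two Cisco ACI VLAN pool design rules.

Constructed model (not an APIC export):
  - VLAN pools: lists of inclusive (from, to) encapsulation blocks
  - domains (physical/VMM): each bound to exactly one VLAN pool
  - AEPs: each referencing one or more domains
  - EPGs: each bound to one or more domains
Rule 1: pools reachable from the same AEP must not overlap.
Rule 2: pools reachable from the same EPG must not overlap.
"""
from itertools import combinations

# --- constructed sample inventory; all names are placeholders ---
VLAN_POOLS = {
    "pool-legacy-dc": [(100, 199), (300, 310)],
    "pool-vmm": [(2000, 2999)],
    "pool-migration": [(150, 250)],   # overlaps pool-legacy-dc on 150-199
}
DOMAINS = {
    "phys-legacy": "pool-legacy-dc",
    "vmm-vcenter": "pool-vmm",
    "phys-migration": "pool-migration",
}
AEPS = {
    "aep-compute": ["phys-legacy", "vmm-vcenter"],      # clean
    "aep-bad": ["phys-legacy", "phys-migration"],       # violates rule 1
}
EPGS = {
    "epg-web": ["phys-legacy", "vmm-vcenter"],          # clean
    "epg-db": ["phys-legacy", "phys-migration"],        # violates rule 2
}


def blocks_overlap(a, b):
    """True if two inclusive VLAN ranges share at least one VLAN ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def pools_overlap(p1, p2):
    """Return the set of VLAN IDs present in both pools (empty if disjoint)."""
    common = set()
    for a in VLAN_POOLS[p1]:
        for b in VLAN_POOLS[p2]:
            if blocks_overlap(a, b):
                common.update(range(max(a[0], b[0]), min(a[1], b[1]) + 1))
    return common


def overlapping_pools_for(domains):
    """Given domain names, return [(poolA, poolB, sorted shared VLAN IDs)].

    Pools are de-duplicated first, so one pool reached through two
    domains is not reported as overlapping with itself.
    """
    pools = sorted({DOMAINS[d] for d in domains})
    findings = []
    for p1, p2 in combinations(pools, 2):
        common = pools_overlap(p1, p2)
        if common:
            findings.append((p1, p2, sorted(common)))
    return findings


def check_aeps(aeps=AEPS):
    """Rule 1: map each offending AEP name to its overlapping pool pairs."""
    result = {}
    for name, domains in aeps.items():
        findings = overlapping_pools_for(domains)
        if findings:
            result[name] = findings
    return result


def check_epgs(epgs=EPGS):
    """Rule 2: map each offending EPG name to its overlapping pool pairs."""
    result = {}
    for name, domains in epgs.items():
        findings = overlapping_pools_for(domains)
        if findings:
            result[name] = findings
    return result


def _report(kind, findings):
    for obj, issues in findings.items():
        for p1, p2, vlans in issues:
            print(f"{kind} {obj}: pools {p1} and {p2} overlap on "
                  f"VLANs {vlans[0]}-{vlans[-1]} ({len(vlans)} IDs)")


if __name__ == "__main__":
    _report("AEP", check_aeps())
    _report("EPG", check_epgs())
```

Run as-is, the script flags `aep-bad` and `epg-db`, both on the 150-199 range shared by the legacy and migration pools, and stays silent for the compute AEP and the web EPG. Running a check like this before each access-policy change is cheaper than discovering the overlap as a BPDU loop or a VXLAN ID mismatch after a leaf replacement.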

I developed this strategy by first focusing on the end state: how I envisioned the Cisco ACI fabric operating once the migrations were complete, while still supporting network-centric migration initiatives. This strategy does not include any in-band, multi-pod or multi-site fabric access policies. Those I can tackle in another post.
