EMAIL SUPPORT

dclessons@dclessons.com

LOCATION

US

Application Profile & EPG Configuration

Application Profile & EPG Configuration

Application Profile & EPG Configuration

EPG:

EPG is group of object that require similar policies. EPGs are logical entity containing a collection of endpoints with common policy requirement example Security , L4-L7 Services etc. Traffic from endpoints is grouped in to EPGs based on various configuration, and these endpoints are classified in to three types.

  • Physical Endpoints
  • Virtual Endpoints
  • External Endpoints

It must be distinguished how hardware classifies and how the transport on the wire keeps traffic. Now we will see how Hardware or administrative based on configuration classify the traffic.

  • Hardware (based on ASIC model) can classify the traffic as follows:
  • Based on VLAN or VXLAN encapsulation
  • Based on port-VLAN or Port-VXLAN
  • Based on network and mask or IP address for traffic originated outside the fabric, these traffic can be considered as part of L3 external traffic.
  • Based on source MAC address.

Now from administrative perspective, following traffic classification configuration possibilities is used for incoming traffic to the leaf as follows:

  • Based on VLAN encapsulation
  • Based on port and VLAN
  • Based on network and mask or IP address for traffic originated outside the fabric, these traffic can be considered as part of L3 external traffic.
  • Based on source IP address or subnet
  • Based on source MAC address.

EPG mapping options

An EPG in child Object of an Application Profile in MIT and is represented by fvEPg.

There are some methods by which an EPG can be extended down to Connected End Point devices and begin classifying that traffic within EPG.

  • When an EPG is binded to entire Switch (Leaf), by statically mapping VLAN to the node.
  • When an EPG is binded to individual port (Static Port), by adding a VLAN to that particular port.
  • When an EPG is binded to group of ports across multiple switches by adding a VLAN to attachable access entity profile (AAEP).
  • When an EPG is binded to VMM domain, it pushes the policies to VMM Controller called vCenter and ensures that traffic of that particular virtual network is associated to EPG.

When a Leaf switch is configured as Static Leaf under an EPG, below are some restriction, described as follows:

  • Static binding cannot be overridden with static port, since static leaf deployment was deployed first.
  • Interface in that switch cannot be used for routed external network configuration using routed interface or sub interface, because ports is configured as SwitchPort.

If you configure EPG mapping to a VLAN switch wide (using a static leaf binding), Cisco ACI configures all leaf ports as Layer 2 ports. If you then need to configure an L3Out connection on this same leaf, these ports cannot then be configured as Layer 3 ports. This means that if a leaf is both a computing leaf and a border leaf, you should use EPG mapping to a port and VLAN, not switch wide to a VLAN.

Connecting EPG to External Switch:

If two external switches are connected to two different EPGs within the fabric, you must ensure that those external switches are not directly connected outside the fabric. It is strongly recommended in this case that you enable BPDU guard on the access ports of the external switches to help ensure that any accidental direct physical connections are blocked immediately.

Below is the figure to describe this.


Comment

    You are will be the first.

LEAVE A COMMENT

Please login here to comment.