BD VRF & EPG Design consideration – Service Chaining
Different deployment modes of L4-L7 devices:
There are several modes for deploying L4-L7 devices together with a service graph:
Transparent Mode: The L4-L7 device bridges traffic between two bridge domains; in ACI this is called go-through mode.
Routed Mode: The L4-L7 device routes traffic between two bridge domains; in ACI this is called go-to mode.
One-Arm Mode: The L4-L7 device is connected to the fabric through a single interface on a dedicated bridge domain.
Policy Based Redirect (PBR): The L4-L7 device is deployed in a separate BD, and traffic between client and server can be redirected to it based on protocol and port number.
BD Design Consideration:
When we design the BDs for an L4-L7 deployment, we generally consider two BDs: one for the outside interface and one for the inside interface.
The following are the default BD configuration options most often used in this deployment:
- Unknown unicast flooding
- ARP flooding
- No routing (except if the BD is acting as the default gateway for the servers or for the L4-L7 device)
- No subnet (except if the BD is acting as the default gateway for the servers or for the L4-L7 device)
The figure below shows the basic deployment:
Here there are two BDs, one connected to the outside interface and one connected to the inside interface of the L4-L7 device, and two EPGs, one associated with the BD used for outside and one associated with the BD used for inside. A VRF is associated with each BD; it is not used to route traffic but simply satisfies the ACI object model.
If you want to use the graph with the redirect model, you must define one or two BDs on which the L4-L7 device will connect; these BDs must have data-plane learning disabled and GARP detection enabled. They are not used to connect endpoints.
The figure below is a service graph example showing on which BDs Cisco ACI performs Layer 2 and Layer 3 forwarding.
In the figure, BD1 has a subnet configured and is the gateway for the firewall, so that traffic is switched at Layer 3. On BD2, the next hop of the load balancer is the outside interface of the firewall and the next hop of the firewall's inbound interface is the load balancer, so that traffic is switched at Layer 2. On BD3, the gateway for the servers is the load balancer, so that traffic is also switched at Layer 2.
In this scenario you should enable Limit IP learning to subnet on BD1; otherwise the mapping database can learn the IP addresses of endpoints on BD3 as if they were on BD1.
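The following script is an added example, not part of the original post or of any Cisco tooling. It audits bridge-domain settings against the rules stated above: the default flooding options for the outside/inside BDs, no routing or subnet unless the BD is a gateway, data-plane learning off and GARP detection on for a PBR service BD, and Limit IP learning on a BD that routes for the firewall. The attribute names (arpFlood, unkMacUcastAct, unicastRoute, ipLearning, limitIpLearnToSubnets, epMoveDetectMode) follow the APIC fvBD object model; the BD names, the role assignments and the subnets are constructed sample data, and the role labels are an assumption of this example.

```python
"""Audit Cisco ACI bridge-domain (fvBD) settings against the service-graph
design rules described above. Added example; not from the original post."""

from typing import Dict, List

# Constructed sample: fvBD attribute dicts in the shape the APIC REST API
# returns, plus a "subnets" list standing in for the child fvSubnet objects.
SAMPLE_BDS: Dict[str, dict] = {
    # BD on the outside interface of the L4-L7 device: pure Layer 2.
    "BD-outside": {"arpFlood": "yes", "unkMacUcastAct": "flood", "unicastRoute": "no",
                   "ipLearning": "yes", "limitIpLearnToSubnets": "no",
                   "epMoveDetectMode": "", "subnets": []},
    # BD on the inside interface, but hardware proxy and routing were left on.
    "BD-inside": {"arpFlood": "yes", "unkMacUcastAct": "proxy", "unicastRoute": "yes",
                  "ipLearning": "yes", "limitIpLearnToSubnets": "no",
                  "epMoveDetectMode": "", "subnets": []},
    # Dedicated BD for a PBR service device: data-plane learning still on (wrong).
    "BD-pbr": {"arpFlood": "yes", "unkMacUcastAct": "flood", "unicastRoute": "yes",
               "ipLearning": "yes", "limitIpLearnToSubnets": "no",
               "epMoveDetectMode": "", "subnets": ["192.0.2.1/24"]},
    # BD1 from the figure: the fabric is the firewall's gateway, routed at Layer 3.
    "BD1": {"arpFlood": "yes", "unkMacUcastAct": "flood", "unicastRoute": "yes",
            "ipLearning": "yes", "limitIpLearnToSubnets": "yes",
            "epMoveDetectMode": "", "subnets": ["198.51.100.1/24"]},
}

# Role of each BD in the design (constructed labels for this example):
#   "l2"      - BD only bridges an L4-L7 interface; the fabric is not a gateway
#   "gateway" - BD subnet is the default gateway for the servers or the device
#   "pbr"     - dedicated BD for a redirect (PBR) service device
SAMPLE_ROLES: Dict[str, str] = {"BD-outside": "l2", "BD-inside": "l2",
                                "BD-pbr": "pbr", "BD1": "gateway"}


def check_bd(attrs: dict, role: str) -> List[str]:
    """Return the list of findings for one BD (empty means it matches the rules)."""
    findings: List[str] = []
    # Default options for a service-chaining BD: flood unknown unicast and ARP.
    if attrs.get("unkMacUcastAct") != "flood":
        findings.append("unknown unicast should be flooded (unkMacUcastAct=flood)")
    if attrs.get("arpFlood") != "yes":
        findings.append("ARP flooding should be enabled (arpFlood=yes)")
    has_subnet = bool(attrs.get("subnets"))
    routing_on = attrs.get("unicastRoute") == "yes"
    if role == "l2":
        # No routing and no subnet unless the BD is acting as a default gateway.
        if routing_on:
            findings.append("unicast routing should be off on a non-gateway BD")
        if has_subnet:
            findings.append("no subnet should be configured on a non-gateway BD")
    elif role == "gateway":
        if not routing_on:
            findings.append("gateway BD needs unicast routing enabled")
        if not has_subnet:
            findings.append("gateway BD needs a subnet to act as default gateway")
        # Without this, endpoints behind the L4-L7 device (BD3 in the figure)
        # can be learned in the mapping database as if they were on this BD.
        if attrs.get("limitIpLearnToSubnets") != "yes":
            findings.append("enable Limit IP learning to subnet on the gateway BD")
    elif role == "pbr":
        # Redirect model: service BD needs data-plane learning off and GARP on.
        if attrs.get("ipLearning") != "no":
            findings.append("PBR service BD must have data-plane IP learning disabled")
        if attrs.get("epMoveDetectMode") != "garp":
            findings.append("PBR service BD must have GARP-based detection enabled")
    return findings


def audit(bds: Dict[str, dict], roles: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every BD and return only those that have findings."""
    report: Dict[str, List[str]] = {}
    for name, attrs in bds.items():
        findings = check_bd(attrs, roles.get(name, "l2"))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BDS, SAMPLE_ROLES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it reports BD-inside (hardware proxy and routing on a non-gateway BD) and BD-pbr (learning still on, no GARP detection), while BD-outside and BD1 pass. To use it against a real fabric, feed it the fvBD attributes returned by the APIC REST API instead of the constructed sample.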