Switching in ACI
ACI collects similar objects (endpoints) into groups called EPGs. An EPG is always a member of, and associated with, one particular bridge domain. Traffic between different EPGs is forwarded only when a contract (ACI's equivalent of an ACL) permits it.
In ACI, Layer 2 traffic can be either IP or non-IP traffic. When the destination MAC address is not the router MAC address, the traffic is L2 traffic; the router MAC address is the MAC address of the pervasive gateway configured inside the bridge domain.
Layer 2 traffic is forwarded according to the destination MAC address only; the lookup may or may not involve the spine-proxy database (when hardware proxy is enabled). When IP routing is enabled for the bridge domain, Cisco ACI can also forward a packet based on the IP-to-VTEP information.
When the destination MAC address is the bridge domain subnet MAC address (the router MAC address), the traffic is L3 traffic. When forwarding, ACI looks up the IP address of the packet only for Layer 3 traffic.
Routing in ACI is host-based on the leaf when a /32 or /128 route exists, and LPM routing is used for external routes. Routing in the spine consists exclusively of /32 and /128 routing based on the mapping database. Spines do not perform LPM routing, which is mostly used for external Layer 3 destinations.
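The forwarding decision described above, written out as a small model (an added, constructed example, not Cisco or APIC code): a frame is L2 unless its destination MAC is the bridge domain's router MAC, inter-EPG traffic passes only when a contract exists, the leaf tries an exact /32 or /128 host route before falling back to LPM, and the spine only ever consults host entries in the mapping database. All MACs, IPs, EPG names, VTEPs and the contract set are constructed sample values; treating an IP with no endpoint entry as "external" and modelling a contract as an unordered EPG pair are simplifying assumptions of this model.

```python
"""Constructed model of the ACI leaf/spine forwarding decision (not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass
class BridgeDomain:
    name: str
    router_mac: str                       # pervasive gateway MAC (BD subnet MAC)
    unicast_routing: bool = True          # IP routing enabled for the BD
    # /32 or /128 host routes: host IP -> VTEP of the leaf the host sits behind
    host_routes: Dict[str, str] = field(default_factory=dict)
    # longest-prefix-match routes for external destinations: prefix -> next hop
    lpm_routes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Fabric:
    bd: BridgeDomain
    epg_of_mac: Dict[str, str]            # endpoint MAC -> EPG
    epg_of_ip: Dict[str, str]             # endpoint IP  -> EPG
    mac_table: Dict[str, str]             # endpoint MAC -> local port or remote VTEP
    contracts: Set[FrozenSet[str]]        # unordered EPG pairs that have a contract


def classify(bd: BridgeDomain, dst_mac: str) -> str:
    """L3 only when the frame is addressed to the BD router MAC, otherwise L2."""
    return "L3" if dst_mac.lower() == bd.router_mac.lower() else "L2"


def contract_allows(contracts: Set[FrozenSet[str]], src_epg: str, dst_epg: str) -> bool:
    """Traffic inside one EPG is permitted; traffic between EPGs needs a contract.
    Intra-EPG isolation and contract direction are not modelled (assumption)."""
    return src_epg == dst_epg or frozenset((src_epg, dst_epg)) in contracts


def leaf_lookup(bd: BridgeDomain, dst_ip: str) -> Optional[Tuple[str, str]]:
    """Leaf: an exact /32 or /128 host route wins; otherwise LPM for external routes."""
    if dst_ip in bd.host_routes:
        return ("host", bd.host_routes[dst_ip])
    addr = ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, next_hop in bd.lpm_routes.items():
        net = ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, next_hop)
    return ("lpm", best[1]) if best else None


def spine_lookup(mapping_db: Dict[str, str], dst_ip: str) -> Optional[Tuple[str, str]]:
    """Spine: only /32 and /128 entries from the mapping database, never LPM."""
    vtep = mapping_db.get(dst_ip)
    return ("host", vtep) if vtep else None


def forward(fabric: Fabric, src_mac: str, dst_mac: str, dst_ip: Optional[str] = None) -> dict:
    """Return the leaf's decision for one frame: traffic type, contract verdict, lookup."""
    kind = classify(fabric.bd, dst_mac)
    src_epg = fabric.epg_of_mac.get(src_mac, "unknown")
    if kind == "L2":
        # L2 traffic is forwarded on the destination MAC only; the IP is not consulted.
        dst_epg = fabric.epg_of_mac.get(dst_mac, "unknown")
        lookup = ("mac", fabric.mac_table.get(dst_mac))
    else:
        if dst_ip is None or not fabric.bd.unicast_routing:
            return {"type": kind, "allowed": False, "lookup": None}
        # L3 traffic: the destination IP is looked up; an IP with no endpoint
        # entry is treated as external (assumption of this model).
        dst_epg = fabric.epg_of_ip.get(dst_ip, "external")
        lookup = leaf_lookup(fabric.bd, dst_ip)
    allowed = contract_allows(fabric.contracts, src_epg, dst_epg)
    return {"type": kind, "src_epg": src_epg, "dst_epg": dst_epg,
            "allowed": allowed, "lookup": lookup if allowed else None}


# Constructed sample fabric: one BD, two internal EPGs, a default route outward.
BD1 = BridgeDomain("BD1", router_mac="00:22:bd:f8:19:ff",
                   host_routes={"10.1.2.20": "10.0.0.2"},
                   lpm_routes={"0.0.0.0/0": "10.0.0.9", "192.168.0.0/16": "10.0.0.8"})
FABRIC = Fabric(
    bd=BD1,
    epg_of_mac={"aa:aa:aa:00:00:01": "web", "bb:bb:bb:00:00:02": "app"},
    epg_of_ip={"10.1.1.10": "web", "10.1.2.20": "app"},
    mac_table={"aa:aa:aa:00:00:01": "eth1/1", "bb:bb:bb:00:00:02": "10.0.0.2"},
    contracts={frozenset(("web", "app")), frozenset(("web", "external"))},
)

if __name__ == "__main__":
    print(forward(FABRIC, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"))          # L2, allowed
    print(forward(FABRIC, "aa:aa:aa:00:00:01", BD1.router_mac, "192.168.5.5"))  # L3, LPM
    print(forward(FABRIC, "bb:bb:bb:00:00:02", BD1.router_mac, "8.8.8.8"))      # L3, no contract
```

The last call shows the contract check acting as the ACL: the app EPG has no contract with the external EPG, so the verdict is a drop and no lookup result is returned, even though the leaf has a default route that would otherwise match.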
VNID mapping to Access Port VLANs
ACI uses VLANs to segment traffic. This VLAN tag is locally significant on the access port and is known as the access encapsulation VLAN (encap VLAN); the same applies to VXLAN, since the access encapsulation can also be a VXLAN.
For Bridge Protocol Data Unit (BPDU) forwarding, each access encapsulation VLAN has a 1:1 mapping with an FD_VLAN construct, which has its own fabric encapsulation segment ID and is used for BPDU flooding.
All traffic other than BPDUs is forwarded in the fabric with the bridge domain VLAN (BD_VLAN) fabric encapsulation (VXLAN VNID). The BD_VLAN construct is shown as a VLAN by CLI commands, even though it has no access encapsulation VLAN associated with it.
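The encap-to-fabric mapping of the two paragraphs above, as an added, constructed model rather than Cisco code: every access encap VLAN gets its own FD_VLAN segment ID (used only for BPDU flooding), while every other frame from any encap in the same bridge domain is carried in that bridge domain's single BD_VLAN VNID. The segment ID values are allocated from a constructed counter here; the real fabric allocates them from its own pool. The BPDU destination MAC is the IEEE STP group address.

```python
"""Constructed model of ACI access encap VLAN -> FD_VLAN / BD_VLAN fabric encapsulation."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

BPDU_DST_MAC = "01:80:c2:00:00:00"      # IEEE 802.1D STP BPDU destination MAC


@dataclass
class EncapMapper:
    next_vnid: int = 0x00F00000             # constructed starting segment ID
    bd_vnid: Dict[str, int] = field(default_factory=dict)     # BD name   -> BD_VLAN VNID
    fd_vnid: Dict[int, int] = field(default_factory=dict)     # encap VLAN -> FD_VLAN VNID
    bd_of_encap: Dict[int, str] = field(default_factory=dict)  # encap VLAN -> BD name

    def _alloc(self) -> int:
        vnid, self.next_vnid = self.next_vnid, self.next_vnid + 1
        return vnid

    def bind(self, bd: str, encap_vlan: int) -> Tuple[int, int]:
        """Bind an EPG's access encap VLAN to its bridge domain.
        Returns (FD_VLAN VNID, BD_VLAN VNID); existing bindings are reused."""
        if bd not in self.bd_vnid:                  # one BD_VLAN per bridge domain
            self.bd_vnid[bd] = self._alloc()
        if encap_vlan not in self.fd_vnid:          # 1:1 FD_VLAN per encap VLAN
            self.fd_vnid[encap_vlan] = self._alloc()
            self.bd_of_encap[encap_vlan] = bd
        elif self.bd_of_encap[encap_vlan] != bd:
            raise ValueError(f"encap VLAN {encap_vlan} already bound to {self.bd_of_encap[encap_vlan]}")
        return self.fd_vnid[encap_vlan], self.bd_vnid[bd]

    def fabric_vnid(self, encap_vlan: int, dst_mac: str) -> int:
        """Fabric encapsulation chosen for a frame arriving on encap_vlan:
        BPDUs ride the FD_VLAN segment, everything else rides the BD_VLAN."""
        if encap_vlan not in self.fd_vnid:
            raise KeyError(f"encap VLAN {encap_vlan} is not bound on this leaf")
        if dst_mac.lower() == BPDU_DST_MAC:
            return self.fd_vnid[encap_vlan]
        return self.bd_vnid[self.bd_of_encap[encap_vlan]]


# Constructed sample: two EPGs in BD1 on encap VLANs 10 and 20, one EPG in BD2 on VLAN 30.
MAPPER = EncapMapper()
MAPPER.bind("BD1", 10)
MAPPER.bind("BD1", 20)
MAPPER.bind("BD2", 30)

if __name__ == "__main__":
    for vlan in (10, 20, 30):
        print(vlan, hex(MAPPER.fabric_vnid(vlan, BPDU_DST_MAC)),
              hex(MAPPER.fabric_vnid(vlan, "aa:aa:aa:00:00:01")))
```

Running it shows that VLANs 10 and 20 share one data VNID (BD1's BD_VLAN) but flood BPDUs in two different FD_VLAN segments, so a spanning-tree loop on one encap VLAN stays confined to that encap's flood domain.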
When you issue the show vlan command on the leaf, you see output that resembles the following: