This ensures that, when the traffic leaves the fabric from an EPG, the CoS of the packet is set to the same value as the original frame, unless you configured a Custom QoS policy to overwrite it. You can do this in two ways: From Tenant > Application Profiles > Application EPGs > EPG by using Static Ports or Static Leafs, From Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles > Application EPGs, Layer 2 Connectivity to the Outside with Network Centric Deployments. Upon reboot, this assignment could be different. The bridge domain Multi Destination Flooding option can be set to flood in encapsulation. There are two L3Outs or a single L3Out that uses different VLAN encapsulations for data center 1 (DC1) and data center 2 (DC2). Configure an L3Out under the common tenant and associate it with the VRF instance. uSeg EPG is also part of vzAny and supports preferred group, intra EPG isolation, intra EPG contract, and other configurations per EPG. The following are examples of supported deployment scenarios if each vDS uses a different set of uplink VMNICs: vDS (unmanaged by Cisco APIC) and vDS (managed by Cisco APIC) on the same host: This is a common scenario for migrating from a deployment other than Cisco ACI to Cisco ACI. Tenant configurations: These configurations are the definition of the logical constructs, such as application profiles, bridge domains, and EPGs. Additionally, the Route Summarization Policy (OSPF and BGP) or Route Summarization (EIGRP) option must be selected, along with the Export Route Control option. Most of the time, each type of policy has a default policy that is referenced by all related objects unless specified otherwise. In summary, if you are using first-generation leaf switches, you can have EPGs with both access and trunk ports by configuring access ports as type Access (IEEE 802.1p). You can assign a workload to an EPG as follows: Static port: Map an EPG statically to a port and VLAN.
Network-centric and Application-centric Designs (and EPGs Compared with ESGs). For more information about VLAN re-use, see the "EPG and VLANs" section. At 75% of the endpoint retention timer, a directed ARP is sent to the IP component of the endpoint, and if unanswered, ACI will allow the IP endpoint to age out. Observer: The monitoring subsystem of the Cisco APIC; serves as a data repository for Cisco ACI operational state, health, and performance information. This design approach is often referred to as an application-centric design. Understanding VLAN Use in Cisco ACI and to Which VXLAN They Are Mapped. Some data that is dynamically generated and is not saved in the configurations may be in the fabric, but not on the remaining Cisco APICs. When connecting a Cisco ACI leaf switch using a port channel to other switching devices such as a separate physical switch or a blade switch, we recommend that you ensure that the LACP suspend individual port option is enabled. Learn how to design ACI using naming conventions, policy management, access policies, tenants, and best practices. Even if MCP detects loops per VLAN, if MCP is configured to disable the link and a loop is detected in any of the VLANs present on a physical link, MCP then disables the entire link. Consider the example shown in Figure 32. You can also have a loop on the outside networks connected to the Cisco ACI fabric, and these loops could also have an impact on the Cisco ACI fabric. Strict Mode allows MD5 authentication connections only. From a user perspective, the FD VNID is relevant for three reasons: o The ability to forward spanning tree BPDUs, o A feature called "Flood in Encapsulation". Cisco ACI optimizes the use of hardware and software resources by programming the hardware with VRF instances, bridge domains, SVIs, pervasive routes, EPGs, and contracts only if endpoints are present on a leaf switch that is associated with these.
Because of this, if you downgrade from Cisco ACI 3.2 to a previous release, you must disable this feature. In this case, remote users can access L3Out 4 through Tenant 3. For design considerations related to using leaf switches for both the L3Out function and to connect servers to it, refer to the "Placement of outside connectivity / using border leafs for server attachment" section. 2. Do you prefer to enable endpoint dataplane learning under BD since this is L3 BD? At the bottom right of Figure 79, you can see the resulting configuration on the vDS managed by Cisco APIC: that is the definition of a Link Aggregation Group (LAG). If you use a policy group type vPC with MAC pinning, the resulting configuration is a combination of a port channel and MAC pinning. However, if a subnet is configured, the bridge domain can send an ARP request for the endpoint whose endpoint retention policy is about to expire, to see if it is still connected to the fabric. You can find more information about this topic in the "VRF sharing design considerations" section. Based on virtual machine attributes. The standby interface is up from a link connectivity perspective, so the VLAN(s) required for forwarding are programmed, including the FD_VLAN. With an endpoint retention policy defined, you can either tune the timers to last longer than the ARP cache on the servers, or, if you have defined a subnet IP address and unicast routing on the bridge domain, Cisco ACI will send ARP requests for the hosts before the timer has expired, in which case the tuning may not be required. The L3Out is configured for dynamic routing with an external device. We recommend that you enable port tracking. These timers are configurable in two different configuration locations: As part of the bridge domain configuration: Tenant > Networking > BD > Policy > General > Endpoint Retention Policy, As part of the VRF configuration: Tenant > Networking > VRF > Policy > Endpoint Retention Policy.
It requires Cisco Nexus 9300-EX or later switches. When you use a VMM domain, the VLAN allocation is dynamic and maintained by the Cisco APIC. Next, in the design section, we will see how to design for a segmentation project. The "Connecting EPGs to External Switches" section provides additional details about connecting a bridge domain to an external Layer 2 network. Storm control applies both to regular dataplane traffic destined to a broadcast address or to an unknown unicast address, as well as to "control plane" traffic, such as ARP, DHCP, and ND. Minimize the scope of Spanning Tree Topology Changes. For more information, refer to the following documents: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Multipod_QoS.html, https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739609.html. Base EPGs and uSeg EPGs must be in the same bridge domain, and the bridge domain must have an IP address subnet. Microsoft Network Load Balancing (MNLB). As of Cisco ACI 5.1(1h), the bridge domain-level feature is located under Tenant > Networking > Bridge Domain > Policy > Advanced Troubleshooting. The debounce timer is a default 100 msec timer that is in place between the moment when the loss of signal is detected on a link and when this is considered a link-down event. In other words, the FD VNID is a function of the VLAN encapsulation number and the VLAN pool object. Published on 09-13-2022 06:11 AM by atxteambot | Updated on 11-07-2022 05:05 AM. Other features help minimize the impact of loops on the fabric itself: storm control, control plane policing per interface per protocol (CoPP), endpoint move dampening, endpoint loop protection, and rogue endpoint control.
If some Cisco ACI ports are configured as a static port channel and other ports are configured as LACP active, it is not clear which NIC teaming configuration must be assigned to a vDS port group that encompasses these ports. "IP-based EPG" is also the terminology used to define EPG classification based on the IP address for hosts directly attached to the leaf switches. This is to cover a scenario where fabric ports on a given leaf switch are up, but the leaf switch has lost reachability to other Cisco ACI switches for another reason. System Settings > Endpoint Controls > IP Aging. Enforce Domain Validation: this validation prevents traffic forwarding on the {port, VLAN} specified by an EPG static port if the EPG doesn't have a domain configured for that VLAN. In the example in Figure 109, putting a check in the Inter-Area Enabled box means that the area range will be used for the summary configuration. With failback enabled, if there's a reload of a leaf switch, once the leaf switch comes back up, the VMs' vNICs are pinned back to where they were prior to the failover. The left of the figure shows how the L3ext is configured in Cisco ACI; it is under the L3Out. Remember that on a given leaf switch, a given VLAN can only be used by one EPG in a bridge domain, unless the port local VLAN scope is used. As you can see from this example, more than one contract between any two EPGs/ESGs is not generally required. If the unicast routing option in the Layer 3 Configurations tab is set and if a subnet address is configured, the fabric provides the default gateway function and routes the traffic. For instance, if EPG1, port 1/1, is configured to match VLAN 5 from a switch, another port of that switch for that same Layer 2 domain can be connected only to EPG1 using the same encapsulation of VLAN 5. As highlighted in Figure 1 above, there are four major sections in this document. This timer is the longer bounce timer in the endpoint retention policy of the bridge domain and the VRF.
Resolution and Deployment Immediacy are configuration options that are configured when an EPG is associated with a physical domain or a VMM domain. This enables a border leaf switch with Cisco cloud ASIC (that is, a second generation or later switch) to support a large number of LPM routes, larger than what GOLF can support on spine switches. With the host route advertisement feature, each pod can advertise its local endpoints as /32 host routes on top of the bridge domain subnets. This section illustrates the most common classification criteria, which is the criteria based on port and VLANs. Third-party trademarks mentioned are the property of their respective owners. This use of PTP doesn't require an external PTP GM clock because the purpose of PTP here is to calculate the time delta between ACI switches for latency measurements, not to show the accurate time. BFD is particularly useful in environments where Layer 3 routing protocols are running over shared Layer 2 connections, or where the physical media does not provide reliable failure detection mechanisms. Having said that, the per-VRF IP address dataplane learning configuration automatically sets GARP detection, so whether you configure this option or not is not important. Although one could proactively provision the L3Out and neighbor configuration on all leaf switches, it would be inefficient. Figure 60 provides an example that helps in understanding how external Layer 2 networks can be connected to Cisco ACI and how Spanning Tree running in the external network can keep the topology free from loops, as well as how a wrong configuration on the outside network could introduce a loop. This may cause the traffic to be black-holed. With NICs connected to two upstream leaf switches that are part of the same explicit vPC protection group, this option works with the Cisco ACI policy group type vPC with the port channel policy set to Static mode on.
In the vSwitch policy, you can define multiple enhanced LAG policies, and you can choose among multiple load balancing algorithms and the number of uplinks. Enabling port tracking also helps in the case of Cisco ACI leaf switch uplink failure. Based on the network and mask or IP address for traffic originating outside the fabric. Contracts and Filters in the Common Tenant. As you can see, this configuration is not useful because the provider (server) would generate traffic from port 80 and not to port 80. Also please check out the Official Cisco ACI Best Practices guide on CCO! Servers configured with NIC teaming active/active, such as Transmit Load Balancing (TLB) (Linux bonding mode 5), send the same source IP address from multiple NIC cards with different MAC addresses. The peer keepalive function is achieved via IS-IS: the ACI software component called vPC manager registers with URIB for peer route notifications. IEEE 802.3ad link aggregation provides redundancy as well as the verification that the right links are bundled together, thanks to the use of LACP to negotiate the bundling. As a result of this configuration, when a TCN event occurs on the external Layer 2 network, this TCN reaches the leaf switches and flushes the local endpoints on the VLANs listed. Cisco ACI by default selects both options: Apply Both Directions and Reverse Filter Ports. In fact, this feature has been designed to be used mainly in conjunction with floating SVI with the main goal of avoiding suboptimal traffic flows through a non-anchor leaf switch. Refer to the "Endpoint Learning Considerations" section for more information. Which leaf switches are part of a vPC pair is determined by the configuration of what ACI calls (depending on the software version) a vPC Protection Group, a virtual Port Channel Policy, or virtual Port Channel Security.
Cisco ACI considers the frequent move of an IP address from one MAC address to the other, and potentially between ports, as a misconfiguration. Note: VLAN 4048 is being used by vsan 1. This configuration can use static or dynamic routing (Figure 52). For inter-VRF (and inter-tenant) traffic to flow, two factors must be addressed. The deployment of a VLAN (from a VLAN range) on a specific interface is performed using EPG static path binding (and other options that are covered in the "EPG and VLANs" section), which is analogous to configuring switchport access vlan x or switchport trunk allowed vlan add x on an interface in a traditional Cisco NX-OS configuration. Cisco ACI leaf switches learn MAC and IP addresses and update the spine switches through COOP. There is no need to create a loopback interface with a router ID for OSPF, EIGRP, and static L3Out connections. The multicast tree in the underlay is set up automatically without any user configuration. As Figure 64 illustrates, the forwarding between endpoints is based on routing and switching as defined by the configuration of VRF instances and bridge domains. LLDP is always enabled on the UCS fabric interconnect uplinks. In both cases, what happens is that a multidestination frame would be replicated an infinite number of times, causing both a surge in the amount of traffic on all the links that transport the bridge domain traffic and MAC address flapping between the ports where the source MAC of the frame really comes from and the ports where this traffic is replicated (the ports causing the loop). Providing the out-of-band contract from the out-of-band EPG and consuming the contract from the external management instance profile. This section explains why. GIR is performed from "Fabric > Inventory > Fabric membership" in the GUI. Remote users may also need to use this L3Out connection, as in the case of Tenant 3. You should periodically export the entire XML configuration file.
If there are multiple IP addresses for the same MAC address as in the case of a device that performs Network Address Translation (NAT), these are considered to be the same endpoint.