So well explained, very clear thank you !
It is very clear, thanks.
Nice job for the most part, but you confused me when you said to think of BOTH a bridge domain and the EPG as a VLAN. So now I'm scratching my head, lol. But I did like the drawing. That DID help my understanding quite a bit.
Thaaaaaaaank you. You don't know how confusing ACI is to a network engineer. The bridge domain concept was so confusing, and every training I've been to kept saying BDs are not VLANs but can represent an L2 boundary, which is exactly what a VLAN does.
lol - Would be much easier if people just called things what they are. It's not a VLAN, I swear, seriously it's NOT a VLAN, but hey, listen.....it's just like a VLAN.
Because it’s not really a VLAN. It’s based on VXLAN and has the functionality of a private VLAN.
I've yet to find much logic in ACI that makes sense to me. It's this, but it's not. Why does Cisco keep making crappy interfaces and solutions with poor logic? ISE is another example.
Steve Eyler You are correct. They don't even explain it well. They are losing market share for a reason. I love their switches and routers - but ACI has a long way to go.
I'd explain it this way -> if you know traditional networking:
VRF -> unique routing table - traditional networking
Bridge Domain -> PRIMARY VLAN (it's a private VLAN)
EPGs -> Secondary VLAN.
So if you have a flat 10.1.1.1/24 network where 10.1.1.1 is your gateway - then this is a primary VLAN gateway.
Now your endpoint groups are in the same layer 3 domain, 10.1.1.2-254 - but as they are secondary VLANs, their ability to talk to each other is controlled by their status as either isolated or community VLANs.
If 10.1.1.2 and 10.1.1.3 are in the same endpoint group - then they are a community VLAN - they talk to each other and to the primary VLAN gateway - 10.1.1.1 -> the bridge domain address.
If 10.1.1.2 and 10.1.1.3 are in different endpoint groups, then they are either isolated VLANs or in different communities. The point being they can still talk to the primary VLAN gateway, but they cannot talk to each other. *All of this ACI MESS is really about achieving this logical result.* You want to decouple the communications and security from the IP ADDRESSING. Now you can move datacenter devices all day (vMotion) - and they keep the same address and security parameters.
Finally the application profile defines the relationship between the application and the secondary VLANs.
10.1.1.2, .3 and .4 might be Web, App and DB, where App is in the primary VLAN and Web and DB are in isolated VLANs. Therefore App (primary) can talk to Web and DB (secondary isolated), but Web and DB cannot talk directly to each other. *App profile*
You can then have another group of VRFs for other tenants - rinse, repeat.
The way I learned ACI was to build the logic using NX-OS. Then you begin to see Cisco has just built a sloppy Joe abstraction on top of it.
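As an added example (not from any commenter, and not Cisco's code), here is the Web/App/DB scenario from the comment above as a small Python whitelist model: one bridge domain as the "primary VLAN", EPGs as "secondary VLANs", and the application profile's contracts deciding which EPGs may talk. The addresses and EPG names are the ones in the comment; the functions `allowed`, `assign` and `reachability` are constructed for illustration.

```python
# Toy model of the whitelist logic described in the comment above (constructed
# example, not Cisco code): bridge domain = "primary VLAN", EPGs = "secondary
# VLANs", and the application profile's contracts decide which EPGs may talk.

BD_GATEWAY = "10.1.1.1"  # bridge-domain SVI: every endpoint may reach it

# Endpoint IP -> EPG membership. Policy is attached to the group, not the
# address, which is why an endpoint can move (vMotion) and keep its IP and policy.
EPG_OF = {"10.1.1.2": "Web", "10.1.1.3": "App", "10.1.1.4": "DB"}

# The "App profile": contracts between EPGs, unordered in this toy. Web and DB
# each have a contract with App; there is deliberately none between Web and DB.
CONTRACTS = {frozenset({"Web", "App"}), frozenset({"App", "DB"})}


def allowed(src_ip: str, dst_ip: str) -> bool:
    """Return True if the fabric would forward src -> dst under the model above.

    Same EPG  -> behaves like a community VLAN: talk freely.
    Other EPG -> needs a contract; with none, it behaves like isolated VLANs.
    Unknown endpoint -> denied (whitelist: nothing is allowed by default).
    """
    if BD_GATEWAY in (src_ip, dst_ip):
        return True
    src_epg, dst_epg = EPG_OF.get(src_ip), EPG_OF.get(dst_ip)
    if src_epg is None or dst_epg is None:
        return False
    if src_epg == dst_epg:
        return True
    return frozenset({src_epg, dst_epg}) in CONTRACTS


def assign(ip: str, epg: str) -> None:
    """Add an endpoint to an EPG; it inherits that EPG's contracts immediately."""
    EPG_OF[ip] = epg


def reachability() -> dict[tuple[str, str], bool]:
    """Verdict for every ordered pair of known endpoints (plus the gateway)."""
    hosts = [BD_GATEWAY, *EPG_OF]
    return {(a, b): allowed(a, b) for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability().items()):
        print(f"{a:>9} -> {b:<9} {'ALLOW' if ok else 'DENY'}")
```

Running it prints the full matrix; the Web -> DB and DB -> Web rows are the only endpoint pairs that come out DENY, which is the "isolated VLAN" behaviour the comment describes.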
Summer Tyme Thanks for making the horribly complicated ACI building blocks easy to understand.
Amazing.