Endpoint Learning Introduction
Endpoint Learning in ACI
In a traditional network, three tables are used to maintain the network addresses of external devices:
- A MAC address table for Layer 2 forwarding
- A Routing Information Base (RIB) for Layer 3 forwarding
- An Address Resolution Protocol (ARP) table for the association of IP addresses and MAC addresses
Cisco ACI replaced the MAC address table and the ARP table with a single table called the endpoint table. This change means that Cisco ACI learns that information differently than a traditional network does. Cisco ACI learns MAC and IP addresses in hardware by looking at the source MAC address and source IP address of packets in the data plane, instead of relying on ARP to obtain a next-hop MAC address for an IP address. This approach reduces the resources needed to process and generate ARP traffic. It also allows IP address and MAC address movement to be detected without waiting for a Gratuitous ARP (GARP): the move is seen as soon as the host sends any traffic from its new location.
Forwarding table lookup order:
- Endpoint table (show endpoint)
- RIB (show ip route)
A leaf switch has two types of endpoints:
- Local endpoints
- Remote endpoints
To learn endpoints and map them to the correct EPG, ACI uses one of two mechanisms: static path binding or dynamic path binding.
- Static Path Binding: You manually bind a VLAN and an interface to an EPG.
  - Domain Type: Physical Domain
- Dynamic Binding: You define a pool of VLAN IDs and a set of interfaces; APIC dynamically selects and binds the appropriate VLAN and interfaces based on communication with a third-party VMM controller such as vCenter or SCVMM.
  - Domain Type: VMM Domain
The endpoint is learned and mapped to an EPG when the packet reaches a leaf. Hence, the endpoint sourcing the traffic may or may not be connected to ACI directly. ACI simply learns the source MAC and/or source IP address of the packet as an endpoint and maps it to an EPG based on the VLAN and interface, which means that a Layer 2 switch or a server blade switch such as a Cisco UCS Fabric Interconnect can sit between a leaf and the endpoints. In this type of scenario, the intermediate switch needs to be manually configured with the same VLAN as the ACI static/dynamic path binding so that traffic from the endpoints reaches the leaf with the correct VLAN ID. Once the packet reaches a leaf, ACI maps it to an EPG, and bridging is performed within the associated bridge domain.
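The learning and lookup behaviour described above, as an added toy model that is not code from the original page or from Cisco: a leaf classifies a frame into an EPG by its (interface, VLAN) path binding, learns the source MAC and IP into one endpoint table, treats an IP seen on a different interface as a move without waiting for GARP, and consults the endpoint table before the RIB. The Leaf and Endpoint classes, interface names, VLAN IDs, addresses and the "spine-proxy" next hop are all constructed for illustration; a real leaf performs this in hardware.

```python
"""Toy model of how an ACI leaf learns endpoints and orders its forwarding lookups.

Added example; it is not code from the original page or from Cisco. A real leaf
learns in hardware; this model only mimics the behaviour the text describes:
the source MAC/IP of a frame is learned from the data plane, the frame is
classified into an EPG by (interface, VLAN) path binding, an IP seen on a new
interface is treated as a move without waiting for GARP, and lookups consult the
endpoint table before the RIB. All names, ports, VLANs and prefixes are
constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: Optional[str]
    epg: str
    interface: str  # local: leaf front-panel port; remote: tunnel toward the peer leaf
    local: bool


@dataclass
class Leaf:
    node_id: int
    # Path bindings (static or dynamic): (interface, VLAN) -> EPG.
    path_bindings: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # Endpoint table (replaces MAC table + ARP table), keyed by MAC and by IP.
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)
    # RIB: prefix -> next hop, consulted only when the endpoint table misses.
    rib: Dict[str, str] = field(default_factory=dict)
    # Detected moves: (ip, old interface, new interface).
    moves: List[Tuple[str, str, str]] = field(default_factory=list)

    def bind(self, interface: str, vlan: int, epg: str) -> None:
        """Equivalent of a static path binding: trunk `vlan` on `interface`, map to `epg`."""
        self.path_bindings[(interface, vlan)] = epg

    def learn(self, interface: str, vlan: int, src_mac: str,
              src_ip: Optional[str] = None) -> Optional[Endpoint]:
        """Learn a local endpoint from a frame's source MAC/IP.

        Returns None when no path binding matches (interface, vlan): the frame
        cannot be classified into an EPG, so nothing is learned.
        """
        epg = self.path_bindings.get((interface, vlan))
        if epg is None:
            return None
        ep = Endpoint(mac=src_mac, ip=src_ip, epg=epg, interface=interface, local=True)
        if src_ip is not None:
            old = self.endpoints.get(src_ip)
            if old is not None and old.interface != interface:
                # Move detected from the data plane, no GARP needed.
                self.moves.append((src_ip, old.interface, interface))
            self.endpoints[src_ip] = ep
        self.endpoints[src_mac] = ep
        return ep

    def learn_remote(self, peer_node_id: int, epg: str, mac: str,
                     ip: Optional[str] = None) -> Endpoint:
        """Record an endpoint that lives behind another leaf (reached via the fabric)."""
        ep = Endpoint(mac=mac, ip=ip, epg=epg,
                      interface=f"tunnel-to-leaf{peer_node_id}", local=False)
        self.endpoints[mac] = ep
        if ip is not None:
            self.endpoints[ip] = ep
        return ep

    def lookup(self, dst_ip: str) -> str:
        """Forwarding decision in the order the text gives: endpoint table, then RIB."""
        ep = self.endpoints.get(dst_ip)
        if ep is not None:
            kind = "local" if ep.local else "remote"
            return f"endpoint-table: {kind} {ep.mac} via {ep.interface} ({ep.epg})"
        addr = ip_address(dst_ip)
        best = None  # longest-prefix match over the RIB
        for prefix, next_hop in self.rib.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        if best is None:
            return "drop: no endpoint and no route"
        return f"rib: {best[0]} via {best[1]}"


if __name__ == "__main__":
    leaf = Leaf(node_id=101)
    leaf.bind("eth1/10", 100, "WEB_EPG")  # constructed: VLAN 100 on eth1/10 -> WEB_EPG
    leaf.rib["10.2.0.0/16"] = "spine-proxy"
    print(leaf.learn("eth1/10", 100, "00:50:56:aa:bb:01", "10.1.1.10"))
    print(leaf.lookup("10.1.1.10"))
    print(leaf.lookup("10.2.3.4"))
```

A frame arriving on a port/VLAN pair with no binding returns None rather than being learned, which mirrors why the intermediate switch in the paragraph above must carry the same VLAN as the path binding.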
How Bare-Metal Servers Are Added to Endpoint Groups
The following example of static path binding shows how to:
- Trunk a VLAN on an interface
- Map VLAN/interface to an EPG
Static path binding is used to connect a bare-metal server, VMs without ACI VMM integration, or any other endpoints that have no dynamic integration with ACI (for example, through VMware vCenter or Microsoft SCVMM).
Create a static path binding and specify the leaf port and VLAN that will be associated with the EPG.
There are three bare-metal servers, each with its own VLAN for network connectivity. Server A uses VLAN A, server B uses VLAN B, and so on. ACI needs to classify these servers into the appropriate EPGs based on VLAN and interface. To classify server A into WEB_EPG, a static path binding with VLAN A and Leaf101 eth1/10 needs to be configured on WEB_EPG.
Hence there will be three static path bindings:
- VLAN A and Leaf 101 Eth1/10 on WEB_EPG for server A
- VLAN B and Leaf 102 Eth1/10 on APP_EPG for server B
- VLAN C and Leaf 103 Eth1/10 on DB_EPG for server C
These VLANs could have the same VLAN ID because they are deployed on different leaf switches. As mentioned before, a VLAN ID needs to be unique only per leaf, because it is translated to an EPG and its BD at each edge (that is, each leaf).
The high-level EPG configuration procedure involves these steps:
- Create an application profile.
- Add the defined EPGs (in this case, WEB_EPG, APP_EPG, and DB_EPG).
To connect a bare-metal server via static path binding, the required EPG configuration parameters from the previous figure are:
- Name: EPG name
- Bridge Domain: Layer 2 domain for this EPG
- Statically Link with Leaves/Paths: Enables the configuration of static path binding on the next page.
The following are additional advanced parameters:
- Intra-EPG isolation: Intra-EPG endpoint isolation policies provide full isolation for virtual or physical endpoints in the same EPG; no communication is allowed between endpoints in an EPG that is operating with isolation enforced. This policy is used when many endpoints need to access the same EPG that provides a common service while the endpoints are not allowed to talk to each other. Without this feature, each endpoint would need to be placed in a different EPG to block the traffic between them, and each of those EPGs would need its own contract to the common service EPG.
- Preferred group member: If an EPG is marked as Include in a Preferred Group Member, it is put into an internally created contract group where all members of the group are allowed to communicate with each other without requiring a contract between them. The default is Exclude.
- Flood in encapsulation: When enabled, the Layer 2 flood domain for this EPG becomes each VLAN encapsulation, like a normal switch, instead of the BD.
- Statically link with leaves/paths: When this check box is enabled, the next wizard page becomes the configuration for static path binding.
- Associate to VM domain profiles: When this check box is enabled, the next wizard page becomes the configuration for VMM domain association for dynamic path binding.
Next, choose a physical domain from the Physical Domain drop-down list. A domain is a component that bundles a VLAN pool and an Attachable Access Entity Profile (a set of interfaces). By associating a domain, this EPG is allowed to use VLANs and interfaces from that domain for static path binding.
Then, from the Paths table, static path binding can be configured. The following are the parameters required for static path binding:
- Path: An interface path on which the VLAN should be trunked. This path is in the form of Node ID/[FEX ID]/Card ID/Port ID for a physical interface.
- Deployment immediacy: The preference of this path association. The deployment options are Immediate or On Demand. The default is On Demand.
- Mode: VLAN encapsulation mode. The mode can be one of the following:
  - Trunk: The default deployment mode. Choose this mode if the traffic from the host is tagged with a VLAN ID.
  - Access (Untagged): Choose this mode if the traffic from the host is untagged (without a VLAN ID).
  - Access (802.1p tag): Choose this mode if the traffic from the host is tagged with an 802.1p tag.
- Port encap: The port encapsulation block, in the form of vlan-<VLAN ID>.
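The EPG and static path binding parameters above, rendered as the REST payload APIC accepts, as an added example that is not code from the original page or from Cisco. The managed-object class and attribute names (fvTenant, fvAp, fvAEPg, fvRsBd, fvRsDomAtt, fvRsPathAtt with tDn, encap, mode and instrImmedency) are APIC's own; the tenant, application profile, BD, domain, leaf, port and VLAN values are constructed, and the find_encap_conflicts check is an added helper that applies the text's rule that a VLAN ID must be unique per leaf. It goes slightly beyond the text by also handling the FEX form of the path and the three encapsulation modes.

```python
"""Render the APIC REST payload for an EPG with static path bindings.

Added example; it is not code from the original page or from Cisco. It emits the
managed-object classes APIC uses for the parameters listed above (fvAEPg with
its isolation/preferred-group/flood-in-encap flags, fvRsBd, fvRsDomAtt and one
fvRsPathAtt per static path) as the JSON body a client would POST to
https://<apic>/api/mo/uni.json. Tenant, application profile, BD, domain, leaf
and VLAN values are constructed for illustration; nothing here contacts an APIC.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# UI label -> fvRsPathAtt "mode" attribute.
_MODE = {
    "trunk": "regular",             # host traffic tagged with a VLAN ID (default)
    "access-untagged": "untagged",  # host traffic untagged
    "access-802.1p": "native",      # host traffic tagged with an 802.1p tag
}
# UI label -> fvRsPathAtt "instrImmedency" attribute (On Demand is the default).
_IMMEDIACY = {"immediate": "immediate", "on-demand": "lazy"}


def path_dn(node_id: int, card: int, port: int,
            fex_id: Optional[int] = None, pod: int = 1) -> str:
    """Interface path in Node ID/[FEX ID]/Card ID/Port ID form, as an APIC target DN."""
    fex = f"/extpaths-{fex_id}" if fex_id is not None else ""
    return f"topology/pod-{pod}/paths-{node_id}{fex}/pathep-[eth{card}/{port}]"


def static_path_binding(node_id: int, card: int, port: int, vlan: int,
                        mode: str = "trunk", immediacy: str = "on-demand",
                        fex_id: Optional[int] = None) -> dict:
    """One static path binding: trunk `vlan` on the interface and map it to the EPG."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} is outside 1-4094")
    if mode not in _MODE:
        raise ValueError(f"mode must be one of {sorted(_MODE)}")
    if immediacy not in _IMMEDIACY:
        raise ValueError(f"immediacy must be one of {sorted(_IMMEDIACY)}")
    return {"fvRsPathAtt": {"attributes": {
        "tDn": path_dn(node_id, card, port, fex_id),
        "encap": f"vlan-{vlan}",               # port encap block: vlan-<VLAN ID>
        "mode": _MODE[mode],
        "instrImmedency": _IMMEDIACY[immediacy],
    }}}


def build_epg(tenant: str, app_profile: str, epg: str, bridge_domain: str,
              phys_domain: str, bindings: Iterable[dict],
              intra_epg_isolation: bool = False, preferred_group: bool = False,
              flood_in_encap: bool = False) -> dict:
    """EPG under tenant/application profile, with BD, physical domain and static paths."""
    children: List[dict] = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bridge_domain}}},
        # Domain association: lets the EPG use the domain's VLAN pool and AAEP interfaces.
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{phys_domain}"}}},
    ]
    children.extend(bindings)
    epg_mo = {"fvAEPg": {"attributes": {
        "name": epg,
        "pcEnfPref": "enforced" if intra_epg_isolation else "unenforced",
        "prefGrMemb": "include" if preferred_group else "exclude",
        "floodOnEncap": "enabled" if flood_in_encap else "disabled",
    }, "children": children}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvAp": {"attributes": {"name": app_profile}, "children": [epg_mo]}}]}}


def find_encap_conflicts(bindings: Iterable[Tuple[str, int, int]]) -> List[Tuple[int, int, List[str]]]:
    """Apply the text's rule that a VLAN ID must be unique per leaf.

    `bindings` are (epg, node_id, vlan) triples. The same VLAN on different
    leaves is fine; the same (leaf, VLAN) bound to two EPGs is reported.
    """
    seen: Dict[Tuple[int, int], set] = defaultdict(set)
    for epg, node_id, vlan in bindings:
        seen[(node_id, vlan)].add(epg)
    return sorted((node, vlan, sorted(epgs))
                  for (node, vlan), epgs in seen.items() if len(epgs) > 1)


if __name__ == "__main__":
    # Constructed: server A on Leaf 101 eth1/10, VLAN 100, into WEB_EPG.
    payload = build_epg("DC_TN", "DC_AP", "WEB_EPG", "WEB_BD", "PHYS_DOM",
                        [static_path_binding(101, 1, 10, 100)])
    print(json.dumps(payload, indent=2))
```

Running the three servers from the text through find_encap_conflicts (WEB_EPG on leaf 101, APP_EPG on leaf 102, DB_EPG on leaf 103, all with the same VLAN) reports nothing, while binding the same VLAN on the same leaf to two EPGs is flagged before the payload is ever sent.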
How to Check Endpoint Learning Status
There are several methods to check the endpoints in Cisco ACI. The first is the Cisco APIC user interface. With the user interface, you can check which EPG has which endpoint, and on which leaf switch and interface the endpoint was learned.
There are four different main endpoint types in Cisco ACI.