This preview shows page 63 - 70 out of 106 pages.

interfaces (inside and outside). Those interfaces are classified into two endpoint groups (EPGs) based on the physical ports they are attached to. The same EPGs can also be used for the client and server hosts (i.e. the hosts that logically reside on the “outside” and “inside” of the firewall). All hosts use their respective firewall interface as the default gateway, rather than the fabric/bridge domain gateways.
Traditional Services Insertion (cont.)

When a host residing in the “client” EPG sends a packet to a host residing in the “servers” EPG, the destination IP address will be the IP of the server host. The destination MAC address, however, will be that of the outside interface of the firewall (acting as the gateway). As the ACI fabric forwards using IP addresses by default, it will expect a policy allowing communication between the “client” and “server” EPGs. Since there is no such policy, packets will be dropped.

[Diagram: EPGs “Clients” and “Servers”, bridge domains “Red” and “Blue”, with the firewall in between; the BD is forwarding based on IP (default); no direct contract between EPG “client” and “server”.]
Traditional Services Insertion (cont.)

In order to resolve this issue, the default behavior of the bridge domain must be changed to allow forwarding based on MAC address rather than IP address. Once this behavior is modified, the fabric will recognize that the traffic is destined for the MAC address of the firewall and will forward it there, assuming correct contracts are in place between the EPGs.
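The forwarding decision the two slides above describe can be modelled as a small simulation. This is an added example, not material from the slides or Cisco's own code: a fabric that resolves a packet's destination by IP (the default) or by MAC (once the bridge domain is changed), classifies endpoints into EPGs, and checks the resulting EPG pair against the contracts it knows about. The endpoint names, MAC and IP addresses, BD names and the mapping of endpoints to BDs are constructed sample values.

```python
"""Simplified model of ACI destination resolution and contract checking.

Added example (not from the slides). Endpoint, EPG, BD, MAC and IP values
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    epg: str    # EPG derived from the physical port the endpoint is attached to
    bd: str     # bridge domain the endpoint's port belongs to
    mac: str
    ip: str


class Fabric:
    def __init__(self):
        self.by_name: dict[str, Endpoint] = {}
        self.ip_forwarding: dict[str, bool] = {}   # per BD; True = resolve by IP (default)
        self.contracts: set[frozenset] = set()     # unordered EPG pairs that have a contract

    def add_bd(self, name: str, ip_forwarding: bool = True) -> None:
        self.ip_forwarding[name] = ip_forwarding

    def learn(self, ep: Endpoint) -> None:
        self.by_name[ep.name] = ep

    def add_contract(self, epg_a: str, epg_b: str) -> None:
        self.contracts.add(frozenset((epg_a, epg_b)))

    def policy_allows(self, src_epg: str, dst_epg: str) -> bool:
        # Traffic within one EPG needs no contract; traffic between EPGs does.
        return src_epg == dst_epg or frozenset((src_epg, dst_epg)) in self.contracts

    def resolve(self, src_bd: str, dst_mac: str, dst_ip: str):
        """Return the endpoint the fabric treats as the packet's destination."""
        eps = self.by_name.values()
        if self.ip_forwarding[src_bd]:
            # Default behaviour: look the destination IP up, ignoring the MAC
            return next((e for e in eps if e.ip == dst_ip), None)
        # MAC-based forwarding: bridge on the destination MAC within the BD
        return next((e for e in eps if e.bd == src_bd and e.mac == dst_mac), None)

    def forward(self, src: Endpoint, dst_mac: str, dst_ip: str):
        dst = self.resolve(src.bd, dst_mac, dst_ip)
        if dst is None:
            return ("DROP", "unknown destination")
        if not self.policy_allows(src.epg, dst.epg):
            return ("DROP", f"no contract between EPG {src.epg} and EPG {dst.epg}")
        return ("FORWARD", dst.name)


def build_topology(ip_forwarding: bool) -> Fabric:
    """Two EPGs, each holding hosts plus the firewall interface they use as gateway."""
    f = Fabric()
    f.add_bd("Red", ip_forwarding)
    f.add_bd("Blue", ip_forwarding)
    f.learn(Endpoint("client", "Clients", "Red", "00:00:00:aa:00:01", "10.1.1.10"))
    f.learn(Endpoint("fw-outside", "Clients", "Red", "00:00:00:ff:00:01", "10.1.1.1"))
    f.learn(Endpoint("fw-inside", "Servers", "Blue", "00:00:00:ff:00:02", "10.2.2.1"))
    f.learn(Endpoint("server", "Servers", "Blue", "00:00:00:bb:00:01", "10.2.2.20"))
    return f   # deliberately no contract between "Clients" and "Servers"


def client_to_server(ip_forwarding: bool):
    """Client sends to the server's IP with the firewall's outside MAC as gateway."""
    f = build_topology(ip_forwarding)
    client, fw_outside = f.by_name["client"], f.by_name["fw-outside"]
    return f.forward(client, dst_mac=fw_outside.mac, dst_ip=f.by_name["server"].ip)


def firewall_to_server():
    """Second hop: the firewall's inside interface delivers the packet to the server."""
    f = build_topology(ip_forwarding=False)
    fw_inside, server = f.by_name["fw-inside"], f.by_name["server"]
    return f.forward(fw_inside, dst_mac=server.mac, dst_ip=server.ip)


if __name__ == "__main__":
    print("IP forwarding (default):", client_to_server(True))
    print("MAC forwarding:         ", client_to_server(False))
    print("firewall -> server:     ", firewall_to_server())
```

With the default IP-based resolution the lookup lands on the server, the Clients/Servers EPG pair has no contract, and the packet is dropped before the firewall ever sees it. With MAC-based resolution the lookup lands on the firewall's outside interface, which sits in the same EPG as the client, so the hop is intra-EPG and permitted; the firewall then delivers to the server from its inside interface, again intra-EPG. The model assumes that the firewall interface and the hosts behind it really are classified into the same EPG; if they are not, a contract between the two EPGs is needed for each hop.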
Virtual Port Channel

Virtual Port Channel (vPC) is a technology that allows multi-chassis EtherChannel: a single port-channel can terminate on two different physical devices. In the ACI fabric implementation of vPC, there are a number of differences compared to ‘traditional’ vPC deployments.
Virtual Port Channel (cont.)

Major difference: no vPC peer-link is required. In the ACI implementation of vPC, all peer communication happens via the fabric itself.

[Diagram: source EP1 attached to a leaf; two spines; two vPC leaf switches sharing anycast VTEPs; peer communication via the fabric.]
Virtual Port Channel (cont.)

In order to ensure that traffic can reach a vPC-connected endpoint regardless of which leaf switch it gets sent to, a special anycast VTEP is used on both leaf switches participating in the vPC. Traffic from other locations in the fabric is directed towards this anycast VTEP. The spine node performs a symmetrical hash function on unicast traffic in order to determine which of the leaf nodes to send the traffic to. Once the traffic reaches the leaf node, it will be forwarded if the vPC is up.

[Diagram: source EP1, its leaf, two spines, and the two vPC leaves with their VTEPs; the hash determines that leaf 2 should receive the traffic.]
Virtual Port Channel (cont.)

When traffic is sent in the egress direction (towards the fabric), the anycast VTEP is used as the source in the overlay header.
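The three vPC slides above fit together as one path through the overlay: the fabric maps a vPC-attached endpoint to the anycast VTEP, a spine hashes each unicast flow to one of the two leaves, that leaf forwards only if its vPC leg is up, and traffic entering the fabric from the endpoint carries the anycast VTEP as the outer source. The simulation below is an added example, not code from the slides or from Cisco: the leaf names, VTEP and endpoint addresses are constructed, and `symmetric_hash` is a stand-in for the spine's real hash, written so that a flow and its reverse hash the same way.

```python
"""Simplified model of vPC anycast-VTEP steering in an ACI-style overlay.

Added example (not from the slides). Leaf names, VTEPs, endpoint IPs and the
hash function are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Leaf:
    name: str
    vtep: str                  # the leaf's own VTEP address
    vpc_leg_up: bool = True    # state of this leaf's member port of the vPC


@dataclass
class VpcPair:
    anycast_vtep: str          # VTEP shared by both leaves of the vPC
    leaves: tuple              # the two leaves participating in the vPC


def symmetric_hash(src_ip, dst_ip, src_port, dst_port, proto) -> int:
    """Flow hash that yields the same value for a flow and its reverse."""
    ips = sorted((src_ip, dst_ip))
    ports = sorted((src_port, dst_port))
    key = f"{ips[0]}|{ips[1]}|{ports[0]}|{ports[1]}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def reverse(flow):
    src_ip, dst_ip, src_port, dst_port, proto = flow
    return (dst_ip, src_ip, dst_port, src_port, proto)


class Overlay:
    def __init__(self):
        self.attachment = {}   # endpoint IP -> Leaf or VpcPair it is attached to

    def attach(self, ep_ip: str, where) -> None:
        self.attachment[ep_ip] = where

    @staticmethod
    def vtep_of(where) -> str:
        # A vPC-attached endpoint is reachable only through the anycast VTEP
        return where.anycast_vtep if isinstance(where, VpcPair) else where.vtep

    @staticmethod
    def select_leaf(pair: VpcPair, flow) -> Leaf:
        """Spine's choice of leaf for unicast traffic addressed to the anycast VTEP."""
        return pair.leaves[symmetric_hash(*flow) % len(pair.leaves)]

    def deliver(self, flow) -> dict:
        src_ip, dst_ip = flow[0], flow[1]
        src_attach, dst_attach = self.attachment[src_ip], self.attachment[dst_ip]
        # Ingress leaf encapsulates: the outer source is the anycast VTEP when
        # the sender is vPC-attached, otherwise the leaf's own VTEP.
        outer_src, outer_dst = self.vtep_of(src_attach), self.vtep_of(dst_attach)
        if isinstance(dst_attach, VpcPair):
            leaf = self.select_leaf(dst_attach, flow)
            delivered = leaf.vpc_leg_up   # forwarded only if that leaf's vPC leg is up
        else:
            leaf, delivered = dst_attach, True
        return {"outer_src": outer_src, "outer_dst": outer_dst,
                "leaf": leaf.name, "delivered": delivered}


def build_overlay():
    """Constructed topology: EP1 single-attached, EP2 behind a vPC on leaf1/leaf2."""
    leaf1, leaf2, leaf3 = Leaf("leaf1", "192.168.0.1"), Leaf("leaf2", "192.168.0.2"), Leaf("leaf3", "192.168.0.3")
    pair = VpcPair("192.168.0.12", (leaf1, leaf2))
    o = Overlay()
    o.attach("10.0.0.1", leaf3)   # EP1
    o.attach("10.0.0.2", pair)    # EP2
    return o, pair


FLOW = ("10.0.0.1", "10.0.0.2", 40000, 443, "tcp")   # constructed EP1 -> EP2 flow

if __name__ == "__main__":
    o, pair = build_overlay()
    print("EP1 -> EP2:", o.deliver(FLOW))
    print("EP2 -> EP1:", o.deliver(reverse(FLOW)))
```

Two things are worth checking on the output: both spines, computing the hash independently, pick the same leaf for a given flow, and the reverse flow from EP2 leaves the fabric with the anycast VTEP, not the individual leaf's VTEP, as its outer source. The model says nothing about what happens when the selected leaf's vPC leg is down beyond reporting it as not delivered, because the slides do not describe that failure path.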