interfaces (inside and outside).
• Those interfaces are classified into two end point groups (EPGs) based on the physical ports they are attached to.
• The same EPGs can also be used for the client and server hosts (i.e. those hosts that logically reside on the “outside” and “inside” of the firewall).
• All hosts are using their respective firewall interfaces as the default gateway, rather than the fabric/bridge domain gateways.
Traditional Services Insertion Cont …
• When a host residing in the “client” EPG sends a packet to a host residing in the “servers” EPG, the destination IP address will be the IP of the server host.
• The destination MAC address, however, will be that of the outside interface of the firewall (acting as the gateway).
• As the ACI fabric forwards using IP addresses by default, it will expect a policy allowing communication between the “client” and “server” EPGs.
• Since there is no such policy, packets will be dropped.
[Diagram: EPG “Clients”, EPG “Servers”, firewall, BD “Red”, BD “Blue”; BD is forwarding based on IP (default); no direct contract between EPG “client” and “server”]
Traditional Services Insertion Cont …
• In order to resolve this issue, the default behavior of the bridge domain must be changed to allow forwarding based on MAC address rather than IP address.
• Once this behavior is modified, the fabric will recognize that the traffic is destined for the MAC address of the firewall and will forward it, assuming correct contracts are in place between the EPGs.
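A small model of the forwarding decision described on these two slides, added here as an illustration (it is not code from the slides or from Cisco); the endpoints, addresses, BD and EPG names are constructed sample values. It shows which endpoint the fabric resolves the packet to, and therefore which EPG pair it checks a contract for, when the bridge domain forwards on IP (default) versus on MAC:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    bd: str   # bridge domain the endpoint lives in
    epg: str  # end point group
    ip: str
    mac: str

# Constructed sample topology (assumed values, not from the slides): clients and the firewall
# outside interface share BD "Red" / EPG "Clients"; servers and the inside interface share "Blue" / "Servers".
ENDPOINTS = [
    Endpoint("client", "Red", "Clients", "10.1.1.10", "00:aa:00:00:00:10"),
    Endpoint("fw-outside", "Red", "Clients", "10.1.1.1", "00:aa:00:00:00:01"),
    Endpoint("fw-inside", "Blue", "Servers", "10.2.2.1", "00:bb:00:00:00:01"),
    Endpoint("server", "Blue", "Servers", "10.2.2.20", "00:bb:00:00:00:20"),
]

def lookup(endpoints, ingress_bd, ip_forwarding, dst_ip, dst_mac):
    """IP forwarding (the BD default): routed lookup on the destination IP across
    bridge domains. MAC forwarding: bridged lookup on the destination MAC, ingress BD only."""
    for ep in endpoints:
        if ip_forwarding and ep.ip == dst_ip:
            return ep
        if not ip_forwarding and ep.bd == ingress_bd and ep.mac == dst_mac:
            return ep
    return None

def fabric_decision(endpoints, src, dst_ip, dst_mac, ip_forwarding, contracts):
    """Return ("forward", target name) or ("drop", reason) for one packet.
    contracts: set of frozenset({epg_a, epg_b}) pairs that have a contract."""
    target = lookup(endpoints, src.bd, ip_forwarding, dst_ip, dst_mac)
    if target is None:
        return ("drop", "no endpoint matches the lookup key")
    if src.epg != target.epg and frozenset({src.epg, target.epg}) not in contracts:
        return ("drop", f"no contract between EPG {src.epg} and EPG {target.epg}")
    return ("forward", target.name)

def client_to_server(ip_forwarding, contracts=frozenset()):
    """Slide scenario: client sends to the server's IP with the firewall outside
    interface (its default gateway) as the destination MAC."""
    by_name = {e.name: e for e in ENDPOINTS}
    client, fw, server = by_name["client"], by_name["fw-outside"], by_name["server"]
    return fabric_decision(ENDPOINTS, client, server.ip, fw.mac, ip_forwarding, contracts)

if __name__ == "__main__":
    print("IP-based BD :", client_to_server(ip_forwarding=True))
    print("MAC-based BD:", client_to_server(ip_forwarding=False))
```

Note that with IP-based forwarding, adding a contract between the two EPGs would make the packet flow, but in this model it is delivered straight to the server rather than through the firewall, which is why the slides change the bridge domain to MAC-based forwarding instead.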
Virtual Port Channel
• Virtual Port Channel (vPC) is a technology that allows multi-chassis EtherChannel.
• A single port-channel can terminate on two different physical devices.
• In the ACI fabric implementation of vPC, there are a number of differences compared to ‘traditional’ vPC deployments.
Virtual Port Channel Cont …
• Major difference: no vPC peer-link is required.
• In the ACI implementation of vPC, all peer communication happens via the fabric itself.
[Diagram: EP1 attached to a source leaf; two spines; two vPC leaves with anycast VTEPs; peer communication via fabric]
Virtual Port Channel Cont …
• In order to ensure that traffic can reach a vPC-connected end point regardless of the leaf switch it gets sent to, a special anycast VTEP will be used on both leaf switches participating in the vPC.
• Traffic from other locations in the fabric will be directed towards this anycast VTEP.
• The spine node will perform a symmetrical hash function for unicast traffic in order to determine which of the leaf nodes to send the traffic to.
• Once the traffic reaches the leaf node, it will be forwarded if the vPC is up.
[Diagram: EP1 attached to a source leaf; two spines; two vPC leaves with VTEPs; hash determines that leaf 2 should receive traffic]
Virtual Port Channel Cont …
• When traffic is sent in the egress direction (towards the fabric), the anycast VTEP will be used as the source in the overlay header.