Cisco ACI: What Is A Bridge Domain

Captions
Hello and welcome to Cisco ACI: What Is a Bridge Domain. Bridge domains are probably one of the more confusing aspects of Cisco ACI, as ACI introduces a number of new, or not really new but different, network constructs, and one of those is the bridge domain. I think it's confusing because there's not a really good analog, or at least one hasn't been presented as an analog, in the traditional networking world of VLANs and SVIs. But there actually is one. So in this little presentation we're going to talk about what a bridge domain is, and why we have a bridge domain.

In traditional networking we've got a default gateway, because we have layer 3 and we have layer 2. Layer 2 is primarily VLANs, and layer 3 is routers, or a lot of times there are actually SVIs on multi-layer switches. Now take the concept of a VLAN; there is an additional concept with VLANs called the private VLAN. With a private VLAN you'll have what's known as a primary VLAN, so here's my primary, we'll call it VLAN 5, and then we can have these secondary VLANs inside: this will be VLAN 10, this will be VLAN 20. We can use this to share a network and share a subnet, so share a layer 3 network. Maybe the primary VLAN is an SVI with 10.1.1.1/24, so it's a class C-sized network, slash 24, and I've got a host inside of VLAN 10 that's 10.1.1.11, and 10.1.1.12, actually let's say 13, and then 10.1.1.12 is in VLAN 20. By default, secondary VLANs are isolated from each other, so there is no communication between the two, but they can both communicate with the promiscuous port, or in this case it would be an interface VLAN, an SVI. This provides some additional security, especially for a DMZ, or you can do a multi-tenant environment where maybe VLAN 10 is Coke and VLAN 20 is Pepsi, and you can put them on the same layer 3 network and they can't interfere with each other; they should not be able to interfere with each other.

So that concept has been around for a while. We don't tend to use it in data center networking, primarily just because of orchestration: it's going to greatly increase the number of VLANs that you have, and you've got to make sure that they're synced and trunked across all of your switches, and a lot of sites have decided that's not worth the additional complexity, the additional troubleshooting, etc. You also have the concept of an isolated private VLAN. So let's say VLAN 10 was an isolated VLAN; the hosts inside could not talk to each other either, so they can only talk to the outside world. That's popular for DMZs sometimes as well.

So now we've got the concept of a bridge domain in ACI. You can consider a bridge domain, we'll call it bridge domain DMZ... well, first of all, a quick recap. In ACI we've got a couple of new concepts in networking, well not really new, but not seen in networking generally, at least not widespread. We have the concept of a tenant. ACI was built from the ground up to be a multi-tenant environment, so you can have Coke and Pepsi and so forth inside of ACI. Then every tenant is going to have at least one VRF. When ACI first came out they were called contexts or private layer 3 networks, but colloquially now we call them VRFs in the 2.0 and 2.1, 2.2 code, so I think that's probably what it's going to continue to be called: a VRF. A private network and a context are the same concept. And then every VRF will have one or more bridge domains. So let's create a bridge domain here; we'll call this bridge domain DMZ. Underneath a bridge domain we're going to have multiple subnets, so that's where our networks go. This one will be 10.1.1.1/24. In ACI we use anycast gateways in our leaf and spine, and they exist on the leafs, not the spines. In traditional networking we'd have our two default gateways up here; in ACI the default gateways exist on the leafs.

So if I had 10.1.1.1, and a host plugged into that leaf down there... let's draw the interconnections: every leaf generally will plug into every spine, and generally you only plug things into leafs. These are the spines, these are the leafs, or leaves, I've seen it spelled both ways; I'm going to use leafs. Let's say we have two hosts; this one's 10.1.1.13 and this one is 10.1.1.14. When they both ARP for their default gateway, who has 10.1.1.1, the individual leafs will respond. So 10.1.1.1 exists on all leafs where there are hosts for that network attached. We call this a pervasive SVI or pervasive gateway, and that's configured underneath a bridge domain.

So we've got our bridge domain here, and then inside of bridge domains we'll have one or more of what we call endpoint groups, or EPGs. This will be EPG, call it web maybe, and this will be EPG database. So what is an EPG? An EPG is a grouping of servers that are related to each other for policies, so for access policy, connectivity policy, etc., to the outside world. They are a combination of interface and VLAN, or interface and encapsulation, I should say: in this case interface and encap, and this one is also a combination of interface and encapsulation. So we actually can have overlapping encapsulations, depending on the configuration. But here's the thing: a bridge domain you can consider a primary VLAN, and then 10.1.1.1 here, the network, you can consider that either an SVI or a promiscuous port, or however you want to conceptualize it. Think of the bridge domain as the primary VLAN, and think of an EPG as a secondary VLAN. So this will probably be something like VLAN 10, this will be VLAN 20, and this will be on Ethernet 1/2 on leaf 101, and this will be Ethernet 1/1 on leaf 101. This could be attached to a distributed virtual switch or just a regular vSwitch in VMware, or a physical host, or it could be containers; it doesn't really matter.

So this begs the question: why did Cisco go through all the trouble of calling it a bridge domain and an EPG when they could have just used primary VLAN and secondary VLAN? Well, the answer is we're no longer dealing with a world of just VLANs. There are two types of encapsulation that we have in ACI: we have VXLAN and we have VLAN. Now there's a bit of confusion about how VXLAN is used in ACI. There are actually two different types of VXLAN used in ACI. One of them is called iVXLAN, and iVXLAN is the encapsulation that is used inside of the fabric. It is not a VXLAN that you're ever going to see leave the fabric; nothing that is connected to a host or to an external network, either layer 2 or layer 3, is going to have an iVXLAN header. So this is just internal. Think of it like a chassis switch: as soon as a packet enters a chassis switch, and even a regular switch, even a non-chassis switch, when a packet enters a switch it gets an additional header. You don't know about that header; that header is hidden from you. In fact, in a chassis switch there's probably some sort of routing protocol going from one line card to another line card, and all sorts of magic that goes on inside, encapsulations and so forth, that happens inside of the switch and never leaves the switch. By the time a packet leaves a switch, those headers are stripped. That's true for iVXLAN. ACI is also capable of dealing with standard IETF VXLAN; this is the standardized VXLAN that all the vendors are using. So IEEE handles VLANs, IETF handles VXLAN. We're not dealing with VLANs anymore as the only encapsulation. Now I will have to say, though, that 95 to 99 percent of all ACI installations today use just VLANs for external connectivity, but we're seeing more and more VXLAN for things like vSwitches in Hyper-V or in OpenStack, and I think we're going to start seeing it more in the VMware world. But either way, we can't call it a primary and secondary VLAN, because VLANs are not the only type of encap anymore.

So this EPG could also be, instead of a VLAN, a native VXLAN 20001, and that way we can normalize the encapsulations. One of the ideas of ACI is Cisco said, you know what, we're going to start seeing more than one encapsulation; we need to normalize it. So when a packet enters the ACI fabric, whatever encapsulation that packet or that frame had is going to get stripped, and then the iVXLAN encapsulation is going to get added. It's going to get routed inside of the fabric, and then the appropriate encapsulation will be added externally. For example, if this is a VXLAN-encapsulated packet and this is a VLAN-encapsulated frame: the frame will enter the switch, and the IETF VXLAN header will be removed. I'll use some colors here to indicate: IETF VXLAN will be purple, it goes up into the leaf, that is removed; the iVXLAN, which will be represented in red, is how the packet gets routed through the fabric; and then we're going to use yellow for standard VLAN: the iVXLAN header gets removed, a standard IEEE VLAN header gets added, and it's sent down to the hosts there. So that is why we have bridge domains. It's a very similar concept to what you're used to with primary and secondary VLANs. We can even do an isolated EPG so that the hosts inside of the EPG can't talk to each other; you can use that in conjunction with VMware to create a port group that's isolated. So the reason why we have bridge domains in ACI is because they're essentially primary VLANs, but we can't call them primary VLANs because VLANs are not the only encapsulation that we're using anymore.

One more quick thing: there was a third encapsulation, or in this case a fourth, called NVGRE. It was on the roadmap for ACI; it has been dropped, primarily because the only vendor that was using NVGRE is Microsoft. Microsoft helped create it along with Cisco and Arista, and they've decided to drop it in favor of VXLAN. So Microsoft is now using VXLAN instead of NVGRE, or in addition to, so it was decided to drop NVGRE support because it's pretty much not going to get used in the data center. I think Microsoft probably uses it internally, for sure, or whatever, but in terms of data center technologies it's pretty much VXLAN and VLAN now. So I hope this cleared some stuff up. Again, my name is Tony Bourke; you can find me on Twitter at @tbourke, and I blog and post these videos on datacenteroverlords.com. Hope you enjoyed.
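The tenant, VRF, bridge domain, subnet and EPG hierarchy described in the video, expressed as the JSON an APIC accepts on its REST API. This is an added example, not code from the video or from Cisco: it uses the APIC managed-object class names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, fvAp, fvAEPg, fvRsBd, fvRsPathAtt) and the aaaLogin / node/mo/uni endpoints; the tenant name "Coke", the VRF and application-profile names, and the third, isolated EPG on eth1/3 / vlan-30 are assumptions, while the bridge domain "dmz", the 10.1.1.1/24 pervasive gateway and the web / database EPGs on leaf 101 with vlan-10 / vlan-20 follow the whiteboard. The summarize() function flattens the tree so you can check the primary/secondary-VLAN analogy directly: every EPG points back at the one bridge domain that owns the subnet.

```python
"""Build (and optionally push) an APIC tenant mirroring the video's bridge-domain drawing.

Added example; constructed values, see the lead-in. Only the push() function talks to a
fabric, and it is not invoked here.
"""
import json
import ssl
import urllib.request

TENANT = "Coke"          # assumption: multi-tenant example from the video
VRF = "dmz-vrf"          # assumption: every tenant needs at least one VRF (context)
BD = "dmz"               # bridge domain from the whiteboard (the "primary VLAN")
SUBNET = "10.1.1.1/24"   # pervasive gateway, lives on every leaf with attached hosts
APP_PROFILE = "dmz-app"  # assumption: EPGs must live under an application profile


def mo(cls, attributes, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape APIC expects."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def epg(name, encap, leaf, port, isolated=False):
    """One EPG (the "secondary VLAN"): bound to the BD, statically mapped to leaf/port/encap.

    isolated=True sets intra-EPG isolation (pcEnfPref=enforced), the analog of an
    isolated private VLAN: members cannot talk to each other, only out through the BD.
    """
    return mo(
        "fvAEPg",
        {"name": name, "pcEnfPref": "enforced" if isolated else "unenforced"},
        [
            mo("fvRsBd", {"tnFvBDName": BD}),
            mo("fvRsPathAtt", {
                "tDn": f"topology/pod-1/paths-{leaf}/pathep-[{port}]",
                "encap": encap,      # "vlan-N"; the fabric normalizes it to iVXLAN inside
                "mode": "regular",   # 802.1Q tagged toward the host
            }),
        ],
    )


def build_tenant():
    """Tenant -> VRF + BD(subnet) -> AP -> EPGs, as drawn in the video."""
    return mo("fvTenant", {"name": TENANT}, [
        mo("fvCtx", {"name": VRF}),
        mo("fvBD", {"name": BD, "unicastRoute": "yes"}, [
            mo("fvRsCtx", {"tnFvCtxName": VRF}),
            mo("fvSubnet", {"ip": SUBNET, "scope": "private"}),
        ]),
        mo("fvAp", {"name": APP_PROFILE}, [
            epg("web", "vlan-10", 101, "eth1/2"),
            epg("database", "vlan-20", 101, "eth1/1"),
            epg("dmz-isolated", "vlan-30", 101, "eth1/3", isolated=True),  # assumption
        ]),
    ])


def bd_subnets(tenant):
    """Return the subnet strings configured under every fvBD in the tenant."""
    subnets = []
    for child in tenant["fvTenant"]["children"]:
        if "fvBD" in child:
            for c in child["fvBD"].get("children", []):
                if "fvSubnet" in c:
                    subnets.append(c["fvSubnet"]["attributes"]["ip"])
    return subnets


def summarize(tenant):
    """Flatten EPGs to {name: {bd, encap, path, isolated}} for review before pushing."""
    out = {}
    for child in tenant["fvTenant"]["children"]:
        if "fvAp" not in child:
            continue
        for e in child["fvAp"]["children"]:
            attrs = e["fvAEPg"]["attributes"]
            info = {"isolated": attrs["pcEnfPref"] == "enforced"}
            for rel in e["fvAEPg"].get("children", []):
                if "fvRsBd" in rel:
                    info["bd"] = rel["fvRsBd"]["attributes"]["tnFvBDName"]
                if "fvRsPathAtt" in rel:
                    info["encap"] = rel["fvRsPathAtt"]["attributes"]["encap"]
                    info["path"] = rel["fvRsPathAtt"]["attributes"]["tDn"]
            out[attrs["name"]] = info
    return out


def push(tenant, apic_host, user, password):
    """Log in to APIC and POST the tenant. Needs a reachable APIC; not run in this example.

    TLS is verified with the default context; if your lab APIC has a self-signed cert,
    install that CA rather than disabling verification on a controller that owns the fabric.
    """
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
        urllib.request.HTTPCookieProcessor(),  # keeps the APIC-cookie session token
    )
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    opener.open(urllib.request.Request(
        f"https://{apic_host}/api/aaaLogin.json", data=login, method="POST"))
    req = urllib.request.Request(
        f"https://{apic_host}/api/node/mo/uni/tn-{TENANT}.json",
        data=json.dumps(tenant).encode(), method="POST")
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(build_tenant(), indent=2))
    print(json.dumps(summarize(build_tenant()), indent=2))
```

Run it without arguments to see the payload and the flattened summary; both EPGs report bd "dmz", so their different encaps share the single 10.1.1.1/24 gateway exactly as the secondary VLANs shared the primary VLAN's SVI, and only the EPG built with isolated=True carries pcEnfPref "enforced".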
Info
Channel: Tony B
Views: 53,739
Keywords: Cisco ACI, Private VLAN
Id: cQe0-ODr8Ls
Length: 13min 29sec (809 seconds)
Published: Thu Mar 02 2017