Initial environment:
I have configured one EPG, "EPG_1", linked to BD "BD_1". Port eth1/29 on node 201 is bound to the EPG with VLAN encap 1709.
The VLAN and the SVI are programmed on the leaf:
Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
 13   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 14   yusuprun:APP:EPG_1               vlan-1709        Eth1/29
Node-201# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 mgmt:inb                                7 Up      --
 overlay-1                               4 Up      --
 Shared:Shared                           5 Up      --
 yusuprun:VRF_1                          8 Up      --
Node-201# show ip inter br vrf yusuprun:VRF_1
IP Interface Status for VRF "yusuprun:VRF_1"(8)
Interface            Address              Interface Status
vlan13               15.4.1.129/25        protocol-up/link-up/admin-up
Unicast Routing Enabled/Disabled:
If I disable unicast routing on the BD, only the SVI is removed. The EPG VLAN and the BD VXLAN stay programmed, so traffic inside the broadcast domain is still bridged:
Node-201# show ip inter br vrf yusuprun:VRF_1
IP Interface Status for VRF "yusuprun:VRF_1"(8)
Interface            Address              Interface Status
Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
 13   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 14   yusuprun:APP:EPG_1               vlan-1709        Eth1/29
Node-201#
If I need to totally isolate the hosts in my EPG, this option is not enough. Instead, I can use the knob introduced in ACI software release 4.0, called "EPG Shutdown".
EPG Shutdown:
Before ACI 4.0, to make sure hosts in an EPG could not communicate through the ACI fabric, there were two options:
- Remove the EPG configuration
- Remove the VMM domain/physical domain and the static path from the EPG
Beginning with the ACI 4.0 software release, a new knob makes an EPG operationally down without removing its configuration.
After the EPG is shut down, the VLAN associated with the EPG, the SVI and the contract programming are removed from the leaf (if zoning rules are configured for the EPG, they are removed from hardware as well).
As the output below shows, everything (including the VRF, since nothing else is deployed in my VRF on this leaf) was removed from hardware. There is no SVI, no EPG VLAN, no BD VXLAN and no VRF left; "Bad context entered" is the leaf's answer when the VRF is no longer instantiated on it:
Node-201# show ip inter br vrf yusuprun:VRF_1
Bad context entered
Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
Node-201# show vrf all
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 mgmt:inb                                7 Up      --
 overlay-1                               4 Up      --
 Shared:Shared                           5 Up      --
Node-201#
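The two knobs compared above (unicast routing on the BD, and the 4.0 "EPG Shutdown" knob on the EPG) can be driven through the APIC REST API. The following Python script is an added example, not code from the original post or from Cisco: it builds the fvBD.unicastRoute and fvAEPg.shutdown objects for the tenant, BD and EPG used in this post, optionally pushes them to an APIC and reads the attribute back to confirm the change. The application profile name "APP" is an assumption taken from the leaf VLAN name "yusuprun:APP:EPG_1", and the APIC URL and credentials are placeholders passed on the command line.

```python
"""Added example (not from the original post): build and push the APIC
objects behind the two knobs discussed above, fvBD.unicastRoute and
fvAEPg.shutdown (the ACI 4.0 "EPG Shutdown" knob), and read the attribute
back to confirm the change.

Assumptions not in the page: the application profile name "APP" (inferred
from the leaf VLAN name "yusuprun:APP:EPG_1"), and the APIC URL/credentials,
which are placeholders taken from the command line.
"""
import json
import sys

try:
    import requests  # only needed to talk to a real APIC
except ImportError:  # the payload builders work without it
    requests = None

TENANT = "yusuprun"
APP_PROFILE = "APP"  # assumption: parsed from "yusuprun:APP:EPG_1"


def epg_dn(tenant: str, ap: str, epg: str) -> str:
    return f"uni/tn-{tenant}/ap-{ap}/epg-{epg}"


def bd_dn(tenant: str, bd: str) -> str:
    return f"uni/tn-{tenant}/BD-{bd}"


def epg_shutdown_payload(tenant: str, ap: str, epg: str, shutdown: bool) -> dict:
    """fvAEPg.shutdown='yes' makes the EPG operationally down: the EPG VLAN,
    its zoning rules and, if nothing else keeps them deployed, the BD SVI,
    BD VXLAN and VRF are removed from the leaf. The config stays on the APIC."""
    return {"fvAEPg": {"attributes": {
        "dn": epg_dn(tenant, ap, epg),
        "shutdown": "yes" if shutdown else "no",
    }}}


def bd_unicast_routing_payload(tenant: str, bd: str, enabled: bool) -> dict:
    """fvBD.unicastRoute='no' only removes the SVI (default gateway); the EPG
    VLAN and BD VXLAN stay, so hosts in the BD still bridge traffic."""
    return {"fvBD": {"attributes": {
        "dn": bd_dn(tenant, bd),
        "unicastRoute": "yes" if enabled else "no",
    }}}


def mo_dn(payload: dict) -> str:
    """Extract the dn from a single-object payload (used to build the URL)."""
    (mo,) = payload.values()
    return mo["attributes"]["dn"]


class Apic:
    """Minimal APIC REST client: cookie login, POST of one MO, GET of one attribute."""

    def __init__(self, base_url: str, user: str, pwd: str, verify: bool = True):
        if requests is None:
            raise RuntimeError("python-requests is required to contact an APIC")
        self.base = base_url.rstrip("/")
        self.s = requests.Session()
        self.s.verify = verify  # keep TLS verification on; relax only in a lab
        self._user, self._pwd = user, pwd

    def login(self) -> None:
        body = {"aaaUser": {"attributes": {"name": self._user, "pwd": self._pwd}}}
        r = self.s.post(f"{self.base}/api/aaaLogin.json", json=body, timeout=15)
        r.raise_for_status()  # the APIC-cookie is kept in the session

    def post_mo(self, payload: dict) -> None:
        r = self.s.post(f"{self.base}/api/mo/{mo_dn(payload)}.json", json=payload, timeout=15)
        r.raise_for_status()

    def get_attr(self, dn: str, attr: str) -> str:
        r = self.s.get(f"{self.base}/api/mo/{dn}.json", timeout=15)
        r.raise_for_status()
        (mo,) = r.json()["imdata"]
        (cls,) = mo.values()
        return cls["attributes"][attr]


def isolate_epg(apic: "Apic", tenant: str, ap: str, epg: str) -> bool:
    """Shut the EPG down and confirm the APIC now reports shutdown='yes'."""
    apic.post_mo(epg_shutdown_payload(tenant, ap, epg, True))
    return apic.get_attr(epg_dn(tenant, ap, epg), "shutdown") == "yes"


if __name__ == "__main__":
    # Dry run: print the payloads. Pass "<url> <user> <password>" to push them.
    for p in (bd_unicast_routing_payload(TENANT, "BD_1", False),
              epg_shutdown_payload(TENANT, APP_PROFILE, "EPG_1", True)):
        print(f"POST /api/mo/{mo_dn(p)}.json\n{json.dumps(p, indent=2)}")
    if len(sys.argv) == 4:  # placeholders, not values from the post
        apic = Apic(sys.argv[1], sys.argv[2], sys.argv[3])
        apic.login()
        print("EPG_1 shut down:", isolate_epg(apic, TENANT, APP_PROFILE, "EPG_1"))
```

Run it without arguments to inspect the two payloads before touching a fabric; the DN of the object is also the URL it is posted to, so the dry run shows exactly what would be sent.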
This feature is also very useful when more than one EPG is associated with a BD. In that case:
- When there is more than one EPG in a BD and not all of them are in shutdown mode, the default gateway (SVI) of the BD is not deleted from the leaf switches.
- Only the VLAN of the EPG that is in shutdown mode is deleted from the leaf switch.
- Since the default gateway stays up, all EPGs that are not in shutdown mode continue to work.
I created a second EPG, EPG_2, added VLAN encap 1710 on the same interface and associated it with BD_1.
Now I see one VXLAN programmed for my BD yusuprun:BD_1 and two VLANs programmed, yusuprun:APP:EPG_1 and yusuprun:APP:EPG_2. Note that the VRF-ID (now 9) and the internal VLAN IDs (now 15, 16 and 17) differ from the initial ones: the VRF and the BD were deprogrammed by the shutdown and re-deployed, and these internal IDs are not stable across such events:
Node-201# show vrf all
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 mgmt:inb                                7 Up      --
 overlay-1                               4 Up      --
 Shared:Shared                           5 Up      --
 yusuprun:VRF_1                          9 Up      --
Node-201#
Node-201# show ip inter br vrf yusuprun:VRF_1
IP Interface Status for VRF "yusuprun:VRF_1"(9)
Interface            Address              Interface Status
vlan15               15.4.1.129/25        protocol-up/link-up/admin-up
Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
 15   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 16   yusuprun:APP:EPG_1               vlan-1709        Eth1/29
 17   yusuprun:APP:EPG_2               vlan-1710        Eth1/29
Node-201#
Then I shut down EPG_1, and I still see the SVI and one EPG VLAN (EPG_2) programmed:
Node-201# show vrf all
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 mgmt:inb                                7 Up      --
 overlay-1                               4 Up      --
 Shared:Shared                           5 Up      --
 yusuprun:VRF_1                          9 Up      --
Node-201# show ip inter br vrf yusuprun:VRF_1
IP Interface Status for VRF "yusuprun:VRF_1"(9)
Interface            Address              Interface Status
vlan15               15.4.1.129/25        protocol-up/link-up/admin-up
Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
 15   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 17   yusuprun:APP:EPG_2               vlan-1710        Eth1/29
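To turn the leaf-side checks used throughout this post into something scriptable, here is an added example (not code from the original post) that parses "show vlan extended" and "show ip interface brief vrf ..." output and reports whether the EPG VLAN, the BD VXLAN, the SVI and the VRF are still programmed for a given EPG. It covers all three states shown above: everything deployed, unicast routing disabled (SVI gone, VLAN bridging), and EPG shut down with or without another EPG in the BD. The sample outputs embedded in it are constructed from the ones shown above; the application profile name "APP" is inferred from the VLAN name "yusuprun:APP:EPG_1".

```python
"""Added example (not from the original post): parse leaf 'show vlan
extended' and 'show ip interface brief vrf ...' output and report what is
still programmed for an EPG, so "did the shutdown really deprogram it?"
becomes a check rather than eyeballing.

Sample outputs are constructed from the ones in the post (tenant
'yusuprun'); exact column spacing does not matter to the parser.
The application profile "APP" is inferred from "yusuprun:APP:EPG_1".
"""
import re

VLAN_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
SVI_ROW = re.compile(r"^\s*(vlan\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_vlan_extended(text: str) -> dict:
    """Return {vlan_id: {'name', 'encaps', 'ports'}}. A row whose encap ends
    with ',' (e.g. 'vxlan-16777209,') continues on the following line."""
    rows, current, pending = {}, None, False
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            vid, name, encap, port = m.groups()
            current = rows[int(vid)] = {"name": name, "encaps": [encap.rstrip(",")],
                                        "ports": [port] if port else []}
            pending = encap.endswith(",")
        elif pending and line.split():
            encap, *port = line.split()  # continuation: extra encap, maybe ports
            current["encaps"].append(encap.rstrip(","))
            current["ports"].extend(port)
            pending = encap.endswith(",")
    return rows


def parse_ip_int_brief(text: str):
    """SVIs in the VRF as {interface: address}; None when the leaf answers
    'Bad context entered', i.e. the VRF is not instantiated on it at all."""
    if "Bad context entered" in text:
        return None
    return {m.group(1): m.group(2) for m in map(SVI_ROW.match, text.splitlines()) if m}


def isolation_report(vlan_text: str, ipbr_text: str, tenant: str, ap: str, epg: str, bd: str) -> dict:
    names = {r["name"] for r in parse_vlan_extended(vlan_text).values()}
    svis = parse_ip_int_brief(ipbr_text)
    epg_name = f"{tenant}:{ap}:{epg}"
    return {
        "epg_vlan_programmed": epg_name in names,
        "bd_vxlan_programmed": f"{tenant}:{bd}" in names,
        "svi_present": bool(svis),
        "vrf_present": svis is not None,
        "other_epg_vlans": sorted(n for n in names if n.startswith(f"{tenant}:{ap}:") and n != epg_name),
        # Hosts on the EPG encap can only enter the fabric while their VLAN exists;
        # removing the SVI alone (unicast routing off) leaves them bridged.
        "hosts_isolated": epg_name not in names,
    }


# --- constructed samples, modelled on the post's outputs ---------------------
SHUT_VLAN = """Node-201# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 4    infra:default                    vxlan-16777209,  Eth1/1
                                       vlan-3914
 6    mgmt:inb                         vxlan-14680064   Eth1/1
 7    mgmt:default:In-Band-EPG         vlan-299         Eth1/1
"""
INITIAL_VLAN = SHUT_VLAN + """ 13   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 14   yusuprun:APP:EPG_1               vlan-1709        Eth1/29
"""
TWO_EPG_VLAN = SHUT_VLAN + """ 15   yusuprun:BD_1                    vxlan-16089036   Eth1/29
 17   yusuprun:APP:EPG_2               vlan-1710        Eth1/29
"""
INITIAL_IPBR = """IP Interface Status for VRF "yusuprun:VRF_1"(8)
Interface            Address              Interface Status
vlan13               15.4.1.129/25        protocol-up/link-up/admin-up
"""
NO_ROUTING_IPBR = """IP Interface Status for VRF "yusuprun:VRF_1"(8)
Interface            Address              Interface Status
"""
SHUT_IPBR = "Bad context entered\n"
TWO_EPG_IPBR = INITIAL_IPBR.replace("(8)", "(9)").replace("vlan13", "vlan15")

if __name__ == "__main__":
    args = ("yusuprun", "APP", "EPG_1", "BD_1")
    for label, v, i in (("initial", INITIAL_VLAN, INITIAL_IPBR),
                        ("unicast routing off", INITIAL_VLAN, NO_ROUTING_IPBR),
                        ("EPG_1 shut, only EPG", SHUT_VLAN, SHUT_IPBR),
                        ("EPG_1 shut, EPG_2 present", TWO_EPG_VLAN, TWO_EPG_IPBR)):
        print(f"{label:28s} {isolation_report(v, i, *args)}")
```

The report deliberately keys "hosts_isolated" on the EPG VLAN alone: an SVI that is gone only means the default gateway is gone, which is exactly the state the unicast-routing knob produces while hosts keep bridging to each other.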
Conclusion: In my opinion, "EPG Shutdown" is the more reasonable option for isolating the hosts of an EPG: disabling unicast routing only removes the SVI and leaves the EPG VLAN bridging, while shutting the EPG down deprograms the EPG from the leaf without touching its configuration and leaves the other EPGs in the same BD working.