Here are my study notes on the topic ACI Bridge Domains
Bridge Domain: Concepts
- A Bridge Domain is a unique MAC address space
- Is also a L2 flooding domain, if flooding is enabled.
- Points to one and only one VRF. In the configuration menu of the Bridge Domain you are allowed to choose only one VRF to associate to. It can be configured initially without a VRF (APIC GUI allows it), which can be added later.
- If you don’t specify a VRF during the Bridge Domain configuration, it is later assigned by default the VRF default from the tenant common:
- A Bridge Domain can be created through context menus (on the left) or graphically with drag and drop. If there is more than one VRF already created, then you must pay attention while dragging the bridge domain symbol: you must release the bridge domain symbol over the desired VRF.
- Is a container of 0, 1 or more subnets; i.e. we define the IP subnets here.
- if subnet(s) are defined, we define also its/their the gateway IP addresse(s)
- We can group subnets altogether in a same bridge domain, or separate them in different bridge domains.
- The second approach is necessary if you need to place firewall policies between subnets
- The Bridge Domain learns by default all endpoint IP addresses and endpoint MAC addresses in the local (EPG to EPG within the Bridge Domain), inbound and outbound traffic that crosses it. It is however recommended in some cases to restrict the learning process to only subnets local to the Bridge domain. This is performed simply by activating a checkbox
- A Bridge Domain is associated with a Multicast group called GIPO (Global IP Outside). Each Bridge Domain has its unique associated GIPO.
- We say a Bridge Domain is “activated” if an endpoint connects to one of its EPGs.
- BUM traffic:
- = Broadcast, Unknown unicast and Multicast traffic. All these types of traffic are considered multidestination traffic: one sends, many receive. Each Bridge Domain is a BUM domain
- When an endpoint in an EPG in the Bridge Domain has BUM traffic to send, it sets the GIPO associated with the Bridge Domain as the destination address in the frame. The leaf forwards the BUM traffic to the spine that is part of a multicast tree associated with the Bridge Domain. The Spine forwards the BUM traffic to all leaf nodes. Only the EPGs that are part of the Bridge Domain associated with the GIPO will receive the BUM traffic.
- is transported in VXLAN multicast frames
- ARP traffic in the ACI fabric is handeled in two ways:
- flood: MAC addresses are learned from the L2 traffic
- Unicast routing: MAC addresses are learned from L2 traffic and IP addresses are learned from L3 traffic
- A Bridge Domain.presents the possibility to enable or disable ARP flooding within it:
- ARP Flooding enabled: the ACI leaf performs traditional ARP protocol operations
- ARP Flooding disabled + Unicast Routing enabled: the ACI leaf forwards ARP traffic as unicast packets.
- Unicast Routing allows the spines to learn endpoint IP-to-VTEP information and insert it in the Mapping database.
- if both ARP flooding and Unicast Routing are disabled, ACI forwards traffic as flooding anyway.
Bridge Domain Types
- A Bridge Domain can be configured as:
- Legacy Bridge Domain:
- maps to only one VLAN.
- leveraged in the network-centric deployment mode.
- L2-only Bridge Domain: simply a Bridge Domain with no subnets.
- L3 Bridge Domain
- normal Bridge Domain
- external Bridge Domain: connects an external device to the fabric.
- Legacy Bridge Domain:
Handling L2 Unknown Unicast Traffic
- proposes two configurable methods to handle L2 Uknown Unicast traffic:
- Hardware Proxy: the ACI leaf forwards the unknown unicast packet to a spine, which leverages the MAC-to-VTEP information residing on the Mapping database to determine to which leaf is the destination endpoint attached and sends the packet to it. If the spine finds no information, it discards the packet.
- L2 Unknown Unicast flooding: this function uses multicast technology to flood the L2 uknown unicast traffic.The multicast tree has its base on one of the spines.
Configuring Bridge Domains
On the APIC, a Bridge Domain is configured under Tenant -> Networking -> Bridge Domains. Rightclick then click on Create Bridge Domain:
I point my new Bridge Domain to the VRF I desire. I leave the rest of the parameters to their defaults and click Next:
By default the following settings are enabled:
- Unicast Routing
- Limit IP Learning to Subnet
Configuring Bridge Domains visually
A Bridge Domain can be configured with drag and drop. Simply drag the Bridge Domain icon onto the desired VRF (im my example Pommy_VRF) and the configuration menu will appear:
Configuring Subnets in the Bridge Domain
If you need to define subnets, you can do it within the Bridge Domain configuration menu (clicking on the + sign), or later afterwards. Simply rightclick on the Bridge Domain to add subnets:
Then add the Gateway IP address of the desired subnet:
You can review the subnets configured under each Bridge Domain:
Enabling Legacy Mode
The Legacy Mode option is not visible during the initial configuration menu of the Bridge Domain. But enabling it is a couple of clicks to do:
Then you must define the VLAN encapsulation: