ACI TALKs

Integrating a switched network with ACI: considerations

When integrating Cisco ACI with an existing switched network, there are several types of connectivity, such as:

  • Multiple endpoints connected via a single leaf port.
  • Non-directly connected endpoints.
  • Port channels and virtual port channel (vPC) switches.
  • Interaction with the STP domain.

There are some considerations when connecting to these kinds of endpoints:

Non-directly connected endpoints:

Cisco ACI can optimize traffic by preventing the flooding of ARP requests and/or Layer 2 unknown unicast packets. This optimization is called Spine-Proxy: the packets are sent only to the interface connected to the destination.

But sometimes this feature needs to be turned off, so that the Cisco ACI leaf floods those packets as a classical Ethernet network does.

Some issues with Spine-Proxy and an external Layer 2 network may arise when endpoints are not directly connected but reached via a Layer 2 switched network. If a link from a switch connected to the Cisco ACI fabric fails, this switch converges to its other link, connected to another Cisco ACI leaf, if there is one. At the same time, the endpoints learned through the failed link are cleared from the endpoint table of the leaf and from the COOP table at the spines as well.

So when another endpoint in the same subnet tries to send traffic to an endpoint behind the switched network, the traffic may fail if Cisco ACI has not yet relearned the cleared endpoints on the newly converged interface. The packet may be dropped because the sending endpoint still has an ARP cache entry for the cleared endpoint and therefore sends no broadcast ARP request; this traffic is called unknown unicast traffic.

It is dropped if the cleared endpoint has not yet been learned by the Spine-Proxy.

But if flooding is enabled, this traffic can flood through leaf, spine and the external Layer 2 network without any problem.

So the recommended configuration changes are:

  • Layer 2 unknown unicast flooding enabled.
  • ARP flooding enabled.


BPDU Handling

Remember that Cisco ACI does not participate in STP; it is just like a transparent switch to the external switches.

When connecting an external switch to Cisco ACI, you can think of the ACI fabric as one big switch.

Hint:

Cisco ACI treats BPDU flooding differently from normal flooding.

Cisco ACI floods BPDUs in the FD-VLAN, which is one of the VLAN types to which the encapsulation VLAN (the VLAN on the wire) is mapped internally inside Cisco ACI.

See the link below for more details about Cisco ACI VLAN types:

https://www.dhirubhai.net/pulse/aci-talks-shehab-nagy-mecif/?trackingId=OXacWdOKQZ%2Bye3WEkv%2BSxg%3D%3D

So as long as the BPDU can be flooded through ACI and reach the other port on the external switch, the classical Ethernet switch receives it, runs its STP calculation and blocks that port to avoid a loop.

What causes a problem or loop with STP when connecting to Cisco ACI

As established above, BPDU forwarding is done within an EPG, and each encapsulation VLAN across the ACI leaves shares the same VXLAN ID as long as it is in the same EPG.

But misconfiguration of the same encapsulation VLAN on Cisco ACI, as shown below, breaks this:

STP loop due to misconfiguration

Same VLAN (VLAN 20) but in different EPGs, which means different VXLAN IDs, so the external switch will not receive BPDUs from the right leaf, because BPDU forwarding is done within the same EPG only.

So broadcast traffic goes around the loop again and again.

So you need to configure all ACI leaf ports connecting to an external switch within the same EPG.


Integrating MST-Based External Networks

External switched networks that use MST or standard (R)STP exchange BPDUs in untagged form, using the native VLAN configured on the connected interfaces (the data traffic is carried in other, tagged VLANs).

By default, Cisco ACI does not enable a native VLAN on leaf interfaces, which would lead to a loop in such networks because MST BPDUs (received in a non-provisioned native VLAN) are dropped at the leaf.

Native VLAN configuration

To ensure that the Cisco ACI fabric forwards such BPDUs in the native VLAN, the native VLAN needs to be configured on the interfaces connected to the external switches. If a native VLAN is already configured for data traffic, BPDUs can flow on that same native VLAN. The recommended VLAN tagging mode is “Access (802.1p)”.
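The three checks above (flooding settings on the bridge domain, one EPG per encapsulation VLAN towards the external switch, and a provisioned native VLAN) can be audited from the APIC object model. The script below is an added example, not from the article; the sample objects are constructed, but they have the shape the APIC returns for class queries such as GET /api/class/fvBD.json and GET /api/class/fvRsPathAtt.json.

```python
# Added example: audit APIC-exported objects for the risks the article describes.
# The data below is constructed; on a real fabric the same shape comes from
# GET /api/class/fvBD.json and GET /api/class/fvRsPathAtt.json ("imdata" lists).
import re
from collections import defaultdict

BDS = [  # constructed fvBD objects
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-BD_legacy",
                             "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
    {"fvBD": {"attributes": {"dn": "uni/tn-T1/BD-BD_ok",
                             "unkMacUcastAct": "flood", "arpFlood": "yes"}}},
]
PATHS = [  # constructed fvRsPathAtt objects (static port bindings of EPGs)
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-T1/ap-AP1/epg-EPG_A/rspathAtt-[topology/pod-1/paths-101/pathep-[eth1/1]]",
        "encap": "vlan-20", "mode": "regular"}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-T1/ap-AP1/epg-EPG_B/rspathAtt-[topology/pod-1/paths-102/pathep-[eth1/1]]",
        "encap": "vlan-20", "mode": "regular"}}},
    {"fvRsPathAtt": {"attributes": {
        "dn": "uni/tn-T1/ap-AP1/epg-EPG_A/rspathAtt-[topology/pod-1/paths-103/pathep-[eth1/1]]",
        "encap": "vlan-30", "mode": "native"}}},
]

EPG_RE = re.compile(r"^(uni/tn-[^/]+/ap-[^/]+/epg-[^/]+)/")

def bd_flood_findings(bds):
    """BDs still relying on Spine-Proxy: unknown unicast not flooded or ARP flooding off."""
    out = []
    for obj in bds:
        a = obj["fvBD"]["attributes"]
        if a.get("unkMacUcastAct") != "flood" or a.get("arpFlood") != "yes":
            out.append(a["dn"])
    return sorted(out)

def vlan_epg_conflicts(paths):
    """Same encap VLAN bound to ports of different EPGs: BPDUs stay inside one EPG,
    so the external switch never sees the other leaf's BPDU and cannot block the loop."""
    epgs_by_encap = defaultdict(set)
    for obj in paths:
        a = obj["fvRsPathAtt"]["attributes"]
        m = EPG_RE.match(a["dn"])
        if m:
            epgs_by_encap[a["encap"]].add(m.group(1))
    return {enc: sorted(e) for enc, e in epgs_by_encap.items() if len(e) > 1}

def native_vlan_ports(paths):
    """Port bindings where a native (untagged) VLAN is provisioned, as MST/RSTP BPDUs need."""
    return sorted(o["fvRsPathAtt"]["attributes"]["dn"] for o in paths
                  if o["fvRsPathAtt"]["attributes"].get("mode") == "native")
```

On a real fabric, feed the `imdata` lists from the two class queries to these functions; a non-empty result from the first two is a finding to fix before connecting the external switch.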



王川

Senior Solutions Network Architect

8 months

Manual migration without orchestration takes too much time; one of my customers complained that their migration took over 1 year.

Isn’t ACI itself already considered legacy?
