Layer 2 External Access in Cisco ACI

Most likely when you start moving to an ACI fabric you're not going to forklift your entire network and put in a new one. That's just not realistic. More likely you will start migrating lines of business or certain applications to ACI, but these applications will still need to communicate with endpoint devices in your legacy network. We can do this in a couple of different ways, depending on what we need: a layer 3 external, a layer 2 external, or both. For this article I'm going to go through the layer 2 external access configuration. We might need this for anything that requires extending VLANs: high-availability pairs, database clusters, or custom applications that were not designed with layer 3 in mind.

We can even make the outside network appear as an End Point Group. This allows us to put contracts between End Point Groups in the ACI fabric and endpoints outside the fabric. For example, if I only want http/s access between my web servers and the public internet, I can put a contract between them just as I would inside the ACI fabric.

In a previous post, I talked about creating a bridge domain to a Nexus 5000 series switch. We’ll be building off the VLAN and bridge domain created in that post within this article. We will need to be in a certain tenant for this configuration. So click on Tenants and select the tenant in which you want this layer 2 external access to be created.

  1. Expand Networking
  2. Click on External Bridged Network
  3. Click Actions and select Create Bridged Outside
  4. Give it a name such as L2-Ext-VLAN-1200
  5. Choose the External Bridge Domain that was created in the post I mentioned earlier from the drop-down.
  6. Choose the Bridge Domain which has already been created. For more information see this post.
  7. Enter your VLAN, in this example we’re using vlan-1200.
  8. Click the + Sign to specify which node profiles to use.
  9. Give the node profile a name, such as L2-Ext-1200-NodeProf
  10. Click the + Sign to create an Interface Profile.
  11. Give it a name such as L2-1200-IntProf
  12. Click the + sign to add Interfaces
  13. Click on Virtual Port Channel
  14. Add the VPC created in the previous post for the N5K
  15. Click OK three times to get back to the original wizard


This takes care of the first page of the wizard. Again, if you were confused about how we got some of these things, like port profiles or bridge domains, please go back and read the previous articles in the links above.

  1. Click Next
  2. Click the + Sign to configure External EPG Networks
  3. Give it a name such as L2-Ext-1200-EPG
  4. You don’t need to specify QoS, but may configure that here if you like.
  5. Click Finish


As with everything in ACI, this can all be done in an automated way using REST APIs. For more information on using the API Inspector, check out this post. So, let’s see what it takes to create an L2 External EPG using APIs and the Postman REST client.

Payload from API Inspector:

{
   "l2extOut":{
      "attributes":{
         "dn":"uni/tn-Test/l2out-L2-Ext-VLAN-1200",
         "name":"L2-Ext-VLAN-1200",
         "rn":"l2out-L2-Ext-VLAN-1200",
         "status":"created"
      },
      "children":[
         {
            "l2extInstP":{
               "attributes":{
                  "dn":"uni/tn-Test/l2out-L2-Ext-VLAN-1200/instP-L2-Ext-1200-EPG",
                  "name":"L2-Ext-1200-EPG",
                  "rn":"instP-L2-Ext-1200-EPG",
                  "status":"created"
               },
               "children":[
 
               ]
            }
         },
         {
            "l2extLNodeP":{
               "attributes":{
                  "dn":"uni/tn-Test/l2out-L2-Ext-VLAN-1200/lnodep-L2-Ext-1200-NodeProf",
                  "name":"L2-Ext-1200-NodeProf",
                  "rn":"lnodep-L2-Ext-1200-NodeProf",
                  "status":"created"
               },
               "children":[
                  {
                     "l2extLIfP":{
                        "attributes":{
                           "dn":"uni/tn-Test/l2out-L2-Ext-VLAN-1200/lnodep-L2-Ext-1200-NodeProf/lifp-L2-Ext-1200-IntProf",
                           "name":"L2-Ext-1200-IntProf",
                           "rn":"lifp-L2-Ext-1200-IntProf",
                           "status":"created"
                        },
                        "children":[
                           {
                              "l2extRsPathL2OutAtt":{
                                 "attributes":{
                                    "tDn":"topology/pod-1/protpaths-101-102/pathep-[N5K-Int-vPC-Pol-Grp]",
                                    "status":"created"
                                 },
                                 "children":[
 
                                 ]
                              }
                           }
                        ]
                     }
                  }
               ]
            }
         },
         {
            "l2extRsL2DomAtt":{
               "attributes":{
                  "tDn":"uni/l2dom-N5K-L2-Ext-BD",
                  "status":"created"
               },
               "children":[
 
               ]
            }
         },
         {
            "l2extRsEBd":{
               "attributes":{
                  "tnFvBDName":"BD1",
                  "encap":"vlan-1200",
                  "status":"created,modified"
               },
               "children":[
 
               ]
            }
         }
      ]
   }
}

This is useful because we can actually create several L2 External EPGs to go to various places outside the ACI fabric. All you need to do is go through the code and decide which names you’ll need to change in order to create a new EPG. For example, the code:

"dn":"uni/tn-Test/l2out-L2-Ext-VLAN-1200"

Says the distinguished name of the Layer 2 External Out access is L2-Ext-VLAN-1200, just as we described in Step 4 on the first page of the wizard. It’s contained in the tenant Test. If we wanted to create a Layer 2 External Out called L2-Ext-VLAN-1100 in the tenant Prod, it should look like this:

"dn":"uni/tn-Prod/l2out-L2-Ext-VLAN-1100"

"tn" is the managed object name for a tenant and "l2out" is the managed object name for a layer 2 external out connection. Most of the names for constructs are simple enough to read that you don't need to become a master of XML or JSON to understand how to tweak the code.
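Hand-editing the Postman payload works for one or two L2Outs, but the names the article tells you to change (tenant, L2Out, EPG, node profile, interface profile, vPC path, L2 domain, bridge domain, VLAN) are better treated as parameters. The script below is an added example, not code from the post or from Cisco: it rebuilds the same object tree API Inspector showed, then logs in with aaaLogin and POSTs it to /api/mo/<dn>.json with TLS certificate verification left on and credentials read from the environment. The Prod/VLAN-1100 names follow the text; the contract name "web-https", the environment variable names, and the fvRsCons/fvRsProv relations under l2extInstP are assumptions to confirm with API Inspector on your own fabric.

```python
"""Generate and push a Cisco ACI Layer 2 External (l2extOut) object tree.

Added example (not the original post's Postman payload): the names the
article says to edit by hand become function parameters.
"""
import json
import os
import ssl
import urllib.request


def build_l2out(tenant, l2out_name, epg_name, node_prof, if_prof,
                vpc_path_tdn, l2_domain, bridge_domain, vlan_id,
                consumed_contracts=(), provided_contracts=()):
    """Return the l2extOut payload in the shape API Inspector shows."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    l2out_dn = f"uni/tn-{tenant}/l2out-{l2out_name}"
    nodep_dn = f"{l2out_dn}/lnodep-{node_prof}"
    lifp_dn = f"{nodep_dn}/lifp-{if_prof}"
    instp_dn = f"{l2out_dn}/instP-{epg_name}"

    def mo(cls, attrs, children=()):
        # One managed object: {"class": {"attributes": {...}, "children": [...]}}
        return {cls: {"attributes": {"status": "created", **attrs},
                      "children": list(children)}}

    # Contract relations on the external EPG (assumed fvRsCons/fvRsProv
    # children of l2extInstP; confirm with API Inspector on your fabric).
    epg_rels = [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumed_contracts]
    epg_rels += [mo("fvRsProv", {"tnVzBrCPName": p}) for p in provided_contracts]

    return mo("l2extOut",
              {"dn": l2out_dn, "name": l2out_name, "rn": f"l2out-{l2out_name}"},
              [
                  # External EPG: the object contracts are attached to
                  mo("l2extInstP",
                     {"dn": instp_dn, "name": epg_name, "rn": f"instP-{epg_name}"},
                     epg_rels),
                  # Node profile -> interface profile -> vPC path
                  mo("l2extLNodeP",
                     {"dn": nodep_dn, "name": node_prof, "rn": f"lnodep-{node_prof}"},
                     [mo("l2extLIfP",
                         {"dn": lifp_dn, "name": if_prof, "rn": f"lifp-{if_prof}"},
                         [mo("l2extRsPathL2OutAtt", {"tDn": vpc_path_tdn})])]),
                  # External bridged (L2) domain that owns the VLAN pool
                  mo("l2extRsL2DomAtt", {"tDn": f"uni/l2dom-{l2_domain}"}),
                  # Bridge domain the outside VLAN is stitched into
                  mo("l2extRsEBd", {"tnFvBDName": bridge_domain,
                                    "encap": f"vlan-{int(vlan_id)}",
                                    "status": "created,modified"}),
              ])


def payload_dn(payload):
    """Distinguished name of the top-level object; used as the POST target."""
    (_cls, body), = payload.items()
    return body["attributes"]["dn"]


def find_class(payload, cls):
    """Depth-first search returning the attributes of every object of class cls."""
    found = []
    for name, body in payload.items():
        if name == cls:
            found.append(body["attributes"])
        for child in body.get("children", []):
            found.extend(find_class(child, cls))
    return found


def apic_login(apic_url, username, password, ctx=None):
    """POST aaaLogin and return the session token (sent back as APIC-cookie)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}})
    req = urllib.request.Request(f"{apic_url}/api/aaaLogin.json", data=body.encode(),
                                 headers={"Content-Type": "application/json"})
    # create_default_context() verifies the APIC certificate; do not turn that off.
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def post_mo(apic_url, token, payload, ctx=None):
    """POST the tree to /api/mo/<dn>.json (assumed target, as API Inspector shows)."""
    req = urllib.request.Request(f"{apic_url}/api/mo/{payload_dn(payload)}.json",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx or ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = build_l2out("Prod", "L2-Ext-VLAN-1100", "L2-Ext-1100-EPG",
                          "L2-Ext-1100-NodeProf", "L2-1100-IntProf",
                          "topology/pod-1/protpaths-101-102/pathep-[N5K-Int-vPC-Pol-Grp]",
                          "N5K-L2-Ext-BD", "BD1", 1100,
                          consumed_contracts=["web-https"])  # hypothetical contract name
    print(json.dumps(payload, indent=2))
    # Credentials come from the environment (assumed variable names), never from the script.
    if os.environ.get("APIC_URL"):
        tok = apic_login(os.environ["APIC_URL"], os.environ["APIC_USER"], os.environ["APIC_PASS"])
        print(post_mo(os.environ["APIC_URL"], tok, payload))
```

Run it without APIC_URL set to review the generated JSON first; the VLAN range check and the certificate-verifying context are the two things worth keeping even if you adapt the rest to your own naming scheme.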

Please watch the video at the beginning of this article to see the steps. If you have any questions, reach out to me in the comments below or via Twitter @Malhoit.
