L2 Interface Policy – Per Port VLAN in Cisco ACI [Explained]
Why do we need L2 Interface Policy:
ACI checks the VLAN tag on an incoming frame to determine which End Point Group (EPG) the endpoint belongs to. But what if we need to use the same VLAN tag for different EPGs?
In the example below:
- VLAN tag 10 is used to identify EPG1 if traffic arrives on interface Ethernet 1/5.
- VLAN tag 10 is used to identify EPG2 if traffic arrives on interface Ethernet 1/10.
With the default setting, this ends with a fault in ACI: “Encap already used in another EPG.”
Create L2 Interface Policy:
FABRIC > ACCESS POLICIES > Policies > Interface Policies > Policies > L2 Interface > + Create L2 Interface Policy.
According to rednectar (see references):
L2 Interface Policy requires that when applied to two different EPGs on the same switch, those two EPGs must be associated with two different Physical Domains, and each domain linked to a different VLAN Pool.
To keep the separation complete, I also suggest creating two AEPs, although this is not strictly necessary – I could have just used one AEP and added both Physical Domains.
Create Interface Policy Group and select L2 Interface:
In the Interface Policy Group, choose the AAEP and also select the L2 Interface policy:
One thing to note is that although both EPGs use the same VLAN 10, each gets a unique fabric_encap. The fabric_encap is generated from the VLAN pool (namespace), which is why a separate VLAN pool is required for each EPG: it guarantees that the fabric_encap VXLAN VNID is unique. This can be verified on the leaf:
module-1# show system internal eltmc info vlan brief
VLAN-Info
VlanId HW_VlanId Type    Access_enc Access_enc Fabric_enc Fabric_enc BDVlan
                         Type                  Type
==================================================================================
27     23        BD_VLAN Unknown    0          VXLAN      16416668   27
28     24        FD_VLAN 802.1q     10         VXLAN      9809       27
45     34        BD_VLAN Unknown    0          VXLAN      16416669   45
46     35        FD_VLAN 802.1q     10         VXLAN      10592      45
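To check that output programmatically rather than by eye, here is an added Python example (not from the original post or from Cisco) that parses the `show system internal eltmc info vlan brief` table quoted above, embedded as a constructed string, and confirms that every FD_VLAN sharing access encap 10 was given its own fabric encap (VNID) and maps to its BD VLAN:

```python
import re
from collections import defaultdict

# Constructed sample: the leaf output quoted above, re-typed as a string
# so the script runs offline. Paste real output here to check a live leaf.
ELTMC_OUTPUT = """\
module-1# show system internal eltmc info vlan brief
VLAN-Info
VlanId HW_VlanId Type    Access_enc Access_enc Fabric_enc Fabric_enc BDVlan
                         Type                  Type
==================================================================================
27     23        BD_VLAN Unknown    0          VXLAN      16416668   27
28     24        FD_VLAN 802.1q     10         VXLAN      9809       27
45     34        BD_VLAN Unknown    0          VXLAN      16416669   45
46     35        FD_VLAN 802.1q     10         VXLAN      10592      45
"""

# One data row: VlanId HW_VlanId Type Access_enc_type Access_enc Fabric_enc_type Fabric_enc BDVlan
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(BD_VLAN|FD_VLAN)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_eltmc_vlans(text):
    """Return one dict per VLAN row; prompt, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan_id, hw_id, typ, enc_type, enc, fab_type, fab_enc, bd_vlan = m.groups()
        rows.append({"vlan_id": int(vlan_id), "hw_vlan_id": int(hw_id), "type": typ,
                     "access_enc_type": enc_type, "access_enc": int(enc),
                     "fabric_enc_type": fab_type, "fabric_enc": int(fab_enc),
                     "bd_vlan": int(bd_vlan)})
    return rows

def fd_vlans_by_access_encap(rows):
    """Map each 802.1q access encap to (fabric_enc, bd_vlan) of every FD_VLAN using it."""
    by_enc = defaultdict(list)
    for r in rows:
        if r["type"] == "FD_VLAN" and r["access_enc_type"] == "802.1q":
            by_enc[r["access_enc"]].append((r["fabric_enc"], r["bd_vlan"]))
    return dict(by_enc)

def check_per_port_vlan(rows):
    """Return {access_enc: ok}; ok means each FD_VLAN reusing that encap got a
    distinct fabric encap, i.e. it came from a distinct VLAN pool as required."""
    return {enc: len({fab for fab, _ in uses}) == len(uses)
            for enc, uses in fd_vlans_by_access_encap(rows).items()}

if __name__ == "__main__":
    parsed = parse_eltmc_vlans(ELTMC_OUTPUT)
    print(fd_vlans_by_access_encap(parsed))  # {10: [(9809, 27), (10592, 45)]}
    print(check_per_port_vlan(parsed))       # {10: True}
```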