Cisco ACI Layer 2 Out (L2Out)
In addition to the Layer 3 outside connection to the outside network, you can also extend a Layer 2 domain beyond the ACI fabric to the existing Layer 2 network, or you can extend the Layer 2 domain to a data center infrastructure (DCI) platform that provides Layer 2 DCI service to a remote site. Sometimes there is a need to assign a port to an EPG in order to connect a switch to the ACI fabric or to connect a hypervisor to the fabric.
There are two common ways of extending a Layer 2 domain outside the Cisco ACI fabric:
- Extend the EPG out of the ACI fabric: You can extend an EPG out of the ACI fabric by statically assigning a port (along with a VLAN ID) to an EPG, as shown in Figure 9-4. The leaf will learn the endpoint information, assign the traffic (by matching the port and VLAN ID) to the proper EPG, and then enforce the policy. The endpoint learning, data forwarding, and policy enforcement remain the same whether the endpoint is directly attached to the leaf port or is behind a Layer 2 network (provided the proper VLAN is enabled in the Layer 2 network). This is great for the migration scenario. One caveat: STP TCNs from the external Layer 2 network may impact ACI internal EPs in the same VLAN. This is avoided by using different VLANs for the external Layer 2 network and the internal EPs.
Figure 9-4 EPG (VLAN) Extension
- Extend the bridge domain out of the ACI fabric: Another option to extend the Layer 2 domain is to create a Layer 2 outside connection (or L2Out, as it’s called in the APIC GUI) for a given bridge domain, as shown in Figure 9-5. It effectively extends the bridge domain to the outside network. The external Layer 2 network belongs to its own dedicated EPG. In this scenario, STP TCNs from the external Layer 2 network do not affect any internal EPs, which gives complete separation.
Figure 9-5 Bridge Domain Extension
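The two options above as APIC REST payloads, together with the VLAN-separation check the EPG-extension caveat calls for. This is an added example, not code from the book or from Cisco; the APIC class and attribute names (fvRsPathAtt, l2extOut, l2extRsEBd, l2extLNodeP, l2extLIfP, l2extRsPathL2OutAtt, l2extInstP) are assumed from the APIC object model, and the tenant, port and VLAN values are constructed.

```python
# Added example: EPG static binding vs. bridge-domain L2Out, plus a check that
# the VLAN facing the external Layer 2 network differs from the VLANs of
# internal EPs. ASSUMPTION: class/attribute names follow the APIC object
# model; verify against your APIC version before posting.

def path_dn(node: int, port: str) -> str:
    """Leaf port path used by both options (pod-1 assumed)."""
    return f"topology/pod-1/paths-{node}/pathep-[{port}]"

def epg_static_binding(tenant, ap, epg, node, port, vlan, mode="regular"):
    """Option 1: extend the EPG by binding leaf port + VLAN to it (fvRsPathAtt)."""
    return {"fvRsPathAtt": {"attributes": {
        "dn": f"uni/tn-{tenant}/ap-{ap}/epg-{epg}/rspathAtt-[{path_dn(node, port)}]",
        "tDn": path_dn(node, port), "encap": f"vlan-{vlan}", "mode": mode}}}

def bd_l2out(tenant, name, bd, node, port, vlan, ext_epg="extL2"):
    """Option 2: extend the bridge domain via an L2Out; the external network
    lands in its own EPG (l2extInstP), so its STP TCNs stay away from internal EPs."""
    return {"l2extOut": {"attributes": {"dn": f"uni/tn-{tenant}/l2out-{name}", "name": name},
        "children": [
            {"l2extRsEBd": {"attributes": {"tnFvBDName": bd, "encap": f"vlan-{vlan}"}}},
            {"l2extLNodeP": {"attributes": {"name": "nodeP"}, "children": [
                {"l2extLIfP": {"attributes": {"name": "ifP"}, "children": [
                    {"l2extRsPathL2OutAtt": {"attributes": {"tDn": path_dn(node, port)}}}]}}]}},
            {"l2extInstP": {"attributes": {"name": ext_epg}}}]}}

def shared_vlans(bindings):
    """Option 1 caveat: STP TCNs from the external L2 network may impact internal
    EPs on the same VLAN. bindings: iterable of (port, vlan, is_external).
    Returns the VLANs used by both the external network and internal EPs."""
    external = {vlan for _, vlan, ext in bindings if ext}
    internal = {vlan for _, vlan, ext in bindings if not ext}
    return sorted(external & internal)

# Constructed sample: external switch on eth1/1, hypervisor on eth1/2 (same EPG).
SAMPLE_SHARED = [("eth1/1", 10, True), ("eth1/2", 10, False)]    # TCNs reach the hypervisor
SAMPLE_SEPARATED = [("eth1/1", 10, True), ("eth1/2", 20, False)]  # recommended layout
```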