All Cisco CCNP Data Center certification exam dumps, study guide, training courses are prepared by industry experts. Cisco CCNP Data Center certification practice test questions and answers, exam dumps, study guide and training courses help candidates to study and pass hassle-free!

ACI Packet Forwarding

9. BD & VRF Forwarding Scope

The next important topic is At this point, we must comprehend the forwarding ASA. We know that we may have L-2 traffic or L-3 traffic. If it is L-2 traffic, the scoop will be within the BD or bridge domain. If the packet needs to do a route lookup, then the scope will be at the level of VR as well. So let's try to understand the forwarding scope. Before that. You can see here that we have something called a "progressive gateway." And what's the definition of progressive gateway? We know that the system is going to assign one VLAN; that's nothing; but the Pi-VLAN is a platform-independent VLAN, and that Pi-VLAN for BD is used to represent pervasive gateway VI. If you go to the bridge domain, you can see the logistics. So you can go to the networking. Actually, inside that, you can go to the "bridge domain," and you can give any name to that bridge domain.

And now you can go and define the subnets. Now, I will show you how the subnets look logically in the next slide. But the gateways that you're defining for the endpoints are nothing but permissive gateways, and those gateways are actually working as default gateways as well. You will see it. Now there is a difference between the default gateway and this pervasive gateway. Suppose this is my switch normal 3850 switch. And I now have several users connected here. Suppose all these users are inside VLAN 10. We know that I can go to the interface VLAN 10, and then I can define a gateway for all those users. And these ports are also part of access VLAN 10. Correct.

Now there is a problem with this design in that we don't have flexibility. Now, what if I have so many switches and maybe one of the users here and another user here are in the same village, for example, villain ten, villain ten, and then we are defining the gateway because all these switches are different independent switches? Suppose if you go and create interface VLAN 10, obviously your IP for that villain will get changed, and also the interface villain's IP will get changed. There are so many things on which you need to concentrate and focus while you're designing a network that can move. So what about the virtual endpoint, and what about the VM motion? And again, what about if you have a mix of virtual endpoints and physical endpoints?

A pervasive gateway will be used to help us define the gateway answer for all of these. Now, before going there, you can see that you can go and check your IP route with that VRF, and you can give that VRF name, and you can see that the pervasive keyword will be there. Most of the issues will be resolved simply by identifying the PIV land used for the privacy gateway in this diagram. Please take a pause here. Even if you make a snapshot, you can always refer to it later. Or even you can draw in your notebook and you can understand this is the logical diagram on top. And then you have the physical diagram. So this is the logical diagram, and then you have the physical diagram as well. Now you can see that in the logical diagram I have a higher scope; that's a VRF. Inside that VRF I have bridge domain, I have other VRF, another bridge domain. Now these bridge domains that you can see here, they are different in the bridge domain.

So, within VRF, the first VR has two bridge domains, bridge domain one, and the other two VRFs have only one bridge domain, bridge domain three. You can now see forwarded domain one and forwarded domain two. and it's very interesting. And now you can see the flexibility. And again, all the time you can refer, bothare the same diagram, the logical and the physical. So you can see that I have end points A, B, and C, but they all have the same IP range, correct? End point. D possesses an IP address. And for that very reason, you can see the gateway IP as well. So you have two gateway IPs. One gateway IP is for 0x254, one is for 1254. Correct. Likewise, you can go and refer to BD 2 and BD 3. BD three is nothing, but you can think of this as an external network, maybe L three out or the external network BD two. Here, you can see that you have BG 2. And let me clean up a little bit so you can understand this more. As you can see, BG 2 has subnet five, while BG 3 has subnet ten.

Okay? And this you can think as your external network. But this is the diagram that you are seeing here. So, on the leaf switches, we know that in the leaf switch, you can define the end point group and correct the EPG. So here we have EPG ones, twos, and threes. If different EPGs are there and we need to make contact, the same EPG will go and communicate without any problem. Correct? So what is the scope now at this point in time? I hope you understand the typology and the IP's schema as well.

So the end point is 100, with 0 being the gateway, 5001 being the gateway, and you can also markdown the VR and the BD. Now that we have all this information and you can see the note that if Lee has an EPG for BD, a progressive gateway will be programmed, is that correct? So that's okay. And now again, if you have the contact, then only they will go and communicate. So let me quickly go to the next slide here. And now you can see again that we have four to five more slides where you will understand the communication scope.

So basically, we try to understand this scope. here scope means if you have at wo packet, how they will communicate, if you havel three packet, how they will communicate etcetera. What will the scope be? scope at the bridge domain level scope at the level of VRF. So when the packet will go and forward it at the level of bridge domain, nothing but the VLAN and at the level of VRF means it's a routed packet. So it will cross its boundary, check the route, lookup, and it can go out and come back in.

Correct. So here we are, well-versed in the diagram. Now suppose into out out in so what will happenthat the outside subnet will programme to all the switch. Basically, it will get programmed, for example, into your Epic. And then Epic will go and write these things to all the hardware again, where you want to do the communication. Correct. Likewise, these gateways, these pervasive gateways, will also get programmed. We also have a restriction that allows only routes to SBI to be pushed.

So where you want to do the communication, those details will get pushed to the leaf switch. Leaf switches understand how to connect to 192 networks, and these leaf switches also understand how to connect to 50 or 100 networks. Correct. So here is the note for you: If contract is linked to EPG, a different EPG indicates that contract is required. So if the contract is tied, perverse routes are exchanged across leaves within the same VRF. Correct. Keep in mind within the VRF one. So if you have a contract in between here and there, obviously a different DPG should need it. Then the route exchange will happen.

Then, actually, the route will get exchanged and the communication will occur again. We are looking at the scope of this. We are going to discuss the scope after this slide. So here you can see that pervasive routes are required for a spine proxy. If you don't have a pervasive route, the spine proxy will not happen because you are querying your gateway, and then the gateway will reach the spine, and from there the query will happen, correct?

As you can see, if there is no privacy route and no remote endpoint, this is very important, so how will we get to the remote endpoint? From your local endpoint, you need the permissive gateway. So you can just take this as a note that if you want to reach a remote endpoint, you should have a pervasive gateway. Otherwise, you will not reach in other. If pervasive routes are there, that is actually mandatory for a spine proxy, correct? Now, again, if you have a different EPG, you need to contact So with the contact, ACI knows that we need to reach out to this outside subnetwork spine proxy 45001.

What will happen? It may be either dropped or forwarded to L three out if a default route exists greatest stuff Let's finally discuss the scope. What will be the scope? Now here you can see the diagram, and we are going to discuss the scope.

So, what happens if I'm inside APG 1 and end point A and end point B want to communicate? So here you can see—let me clean this up so you can see—that end point A and end point B can communicate easily. They are the L-2 traffic; same-subnet uses only Mac; hence, BDLOOK Bdlook up. Because this is the left to traffic. Again, we're looking into L-2 and L-3 traffic. Because it is L2 traffic, it will perform an IP lookup. So the scope will be inside the bridge domain.

Now, if we have the LC traffic and we want to communicate from zero to one, so EPA to EPD, is that correct? And if it is healthy traffic, then the scope will be VR available even though the endpoints are in the same bridge domain; remember, they are inside bridge domain BD one, but it is still traffic. So the IP lookup will happen, and the lookup that happens inside the VR scope will be the VR VNID. Now, if you are doing the communication between end point A and outside correct. In that case, the scope will also exceed the level of VR because you will be communicating outside of your regime anyway.

So this was a very important section in which we learned what the pervasive gateway is and what happens if it is not present. If the gateway is not there, then you will not communicate with the outside end point because the spine proxy will not work. That's a very important thing. The important thing is about layer two and layer three traffic. For layer 2 traffic within the BD, obviously the communication will happen, meaning the scope will be inside the bridge domain. However, if it is layer-3 traffic, whether within the BD, across the BD, or across, you may be redoing layer-3 in all cases. If it is L3 or IP traffic, an IP lookup will be performed, and the scope will be extended.

10. ACI BD Forwarding option

The next important topic is the ACIP forwarding option. Now here, you can see that we have a total of five options. We have unicorn routing, L-two unknown, unicorn, L-three unknown, multicast flooding, multidestination flooding, and our flooding. So let's learn all these options one by one. Let's just start with the first option, which is unicast routing. Now again, the configuration you can see is very straightforward. You can go inside the bridge domain. Once you're inside the bridge domain, you can see that you have options here that are circled, and we are going to learn about all these options one by one. So let's just start with unicast routing.

Now, if I go and check the unicast routing and you can see that you have the checkbox, you can go and check that, which means that you are enabling the unicast routing as opposed to if you uncheck that, which means you are disabling the unicorn routing. Now, if you uncheck that, what will happen?

That means that you don't want any L-3 routing. Again, what does it mean? It means that the EPGs have an endpoint inside the EPG; in the diagram, you can see that EPA can communicate with EPB and again with EPC. So these communications will happen. But suppose you want to leave your gateway and communicate with another EPG, or if you want to leave your VRF. In this case, we are in the same VR, so leave that VRF decision alone. However, if you attempt to connect to another subnet, you will be denied. So here you can see that EPA A is not able to go to D. First of all, it's the same domain, but these are the routed packets, and then again, A is not able to reach the outside. Again, this is the routed packet. The simple meaning is that you are disabling the routing. The routing will not happen within the same BD or across different BD breeze domains. We now have flooding as our next option.

This is flooding in the sense that once you enable our flooding, it will obviously occur within the same bridge domain. Correct? And if the routing is off, it will do this find proxy, which means it will go and query that particular endpoint for the spine switch. And inside the spine switch, obviously, you have the database, from which you'll get the answer, and then you can communicate to the end. Now here, you can see that points are listed. So first of all, you will go and try to communicate; if you don't, then you will query the spine, and suppose the spine doesn't have the database, then you will do the ARP clean. What exactly does "ARP green" mean? We'll see in the upcoming section. So first of all, if your flood is enabled, this is the L-2 flood. You will flood the bridge domain. Now the third option we have is L, an unknown unicost. You can see that you have two options inside L-2 unknown unicast: flood and hardware proxy. The hardware proxy is nothing but this fine proxy. So you can see here that the L-2 unknown unicast flood option will go and flood within the same BD. So, whether it's our flooding or L-2's unintended flooding, both will occur within the same BD. Now, there is one use case for this option: it is the good option.

When there are silent L-2 hosts, some of the hosts are not registering themselves with a spine. So that is one of the good options. And again, if you want to use this ACIfabric or ACI fabric purely as L2, you can go and use the flood method. Whether it's our flood or L2's unknown flood, the hardware proxy will be used if you don't have the entry, and we will do an inquiry with the spine. If the spine lacks that entry, it will go and drop it. The L-3 unknown multicast flooding is the fourth option. Again, there are two options: you can either do the flood or the optimised flood. So "flood" means that we know that they will go and do the flooding inside the multicast group. Correct. And optimise flood implies that they will only flood the routed ports. I'd like to concentrate solely on second generation behaviour because you'll notice that we're now using second generation Essic everywhere. As you can see, in the event of a flood, the water will spread all the way inside the multi-gas group. Only the ports on the routed interface are flooded in the case of the optimised flood. Great. Then you have the final option, which is multi-destination flooding. Now, in the case of multi-destination flooding, you can see that we have three options for flooding in the bridge domain: drop, flood, and encapsulation. This flood of encapsulation has been added recently. Let's go over each of these points one by one.

So flood the bridge domain. Obviously, you are doing the flooding within the same bridge domain across different leaf flooding encapsulations, but you are flooding only those places where you have access to the encapsulation VLAN. So you have access to the encapsulation VLAN in this leaf; you have other leaves and the same BD; you have access to the cap VLAN. So those places are flooded. And then the last option is the drop. That means that you simply want to drop the packet. Correct. So these are the five options we have. These are the five forwarding options we have inside the ACI domain.

11. Spine-Proxy & Arp Glean

The following topic is spine proxy and ARP clean. Now we have a summary slide as well, and here you can see how this spine proxy works and how this arc cleaning works. So let's try to understand this flowchart at the bottom. You can see that the package is coming. Once the packet comes, what will happen? First and foremost, it will determine whether it is L 2 or L 3. Now if it is L2, then leaf knows the destination Mac.

If destination Mac is on the local leaf, then forward to the local port; if not, then forward to the remote leaf; this is very simple and correct. Once again, we are discussing L-2. If the destination is not known to lift at that time, what is your setting? It's a flood inside the BD, as all of the hardware proxying indicates, and you can see the sequence flood inside the BD here.

If this is a hardware proxy, you will go and query this file about the destination Mac. So this first half is related to how this L-two packet forwarding will happen now that we have the L three.Now that I'm using the terms "L-2 packet" and "L-3 packet," you'll know that L-2 is generally the frame and L-3 is the packet. Now coming back to the L3, what are the options?

So the first thing is that the leaf knows the destination IP. So we are checking destination IP versus destination Mac. So if you know the destination IP, is that destination IP on the local network? If yes, forward to the local port; if no, forward to the remote leaf; as you can see, this is very similar to the Mac and IP Mac. The mechanism is very similar.

What is the next step if Leaf does not know the destination IP? So Leaf has a Bridgey subnet because you should configure the Bridge domain subnet, then it will go for the spine proxy. You have a spine proxy related to l two here, and we have a spine proxy related to l three correct. So it will do the spine proxy if the destination IP is not L3 out, which means do you have the destination IP in an outside domain? Now, if you have them, obviously, forward to the border leaf; this will be the border.

This is the yes condition, and if it's not, then drop it, correct? These are the actual steps, and clearly here you can see where this fine proxy is coming into the picture. When you have l 2 forwarding and then l 3 forwarding, as well as this red arrow and this red arrow arrow, you can follow the sequence for this fine proxy that is related to l 2 and l 3. Now let's quickly understand the ARP glean as well.

And what is happening in the case of an ARP claim? It's very important to understand this: what if the spine coop doesn't know the destination? Suppose you are looking for the destination IP, and again, in that case, you are querying the spine, and the spine doesn't know the destination. So here you can see unicast IP hit the pervasive route. The pervasive gateway spine proxy should be installed. Inside the spine proxy, you don't have the endpoint entry. Drop it now. Here you can see clearly that the Arclean is happening for L-3 traffic. If it is L-2 traffic and Spine doesn't have the entry, then it will drop it.

But here we are going to the spine, and the spine is going to do the ARP gleaning. What exactly does "our plane" mean? Generate a new package called ARP Glen for an unknown IP. So what you're going to do is what is fine is doing, which is generating some new package on behalf of the leaf and then sending the query to all the other leaves. Whoever leaves has that destination IP inside them. So it will go and do the query for all the leaves, and you can see that. Assume I have a destination here, and it will go and respond to that request. Correct. So in this way, the harp cleaner will first of all come into the picture, and in this way, it will work.

12. Forwarding Software Architecture & ASIC Generation

The next important topic we have relates to forwarding software architecture and ASIC generation. Now here, you can see the architecture that we have for the Leaf. Let me emphasize: we have the leaf, and within that leaf, you obviously have the data plane and the control plane. Now imagine that you have the Nexus switch, and if you check the Nexus switch, you'll find that you have the supervisor engine, and then you have the line card. Now that supervisor engine is nothing but a control plane for that particular Nexus, and the line card is actually doing the actual data forwarding.

Now with respect to control plane we have the term EPM, that is the endpoint managerunicast rib and the policy manager. When they write information inside the line card, the communication between EPM and the line card is EPMC, which stands for endpoint manager client. Then there's the Rib to Fib entry. That's the actual dynamic entry you have. And then you have the ACL QS entries as well. The Hal hardware abstraction layer is an important component of the line card. What is the use? They are used to send messages between the hardware ASIC and the software.

So you can think that the conversion is actually happening with the abstraction layering between the software and the hardware. If you want to check the CLI command related to all these entities related to the control plane and the data plane, So we have showendpoint or show system internal EPM for EPM. For unicostery. We can show the IP route and VRF. and the name of that VRF. We have the Show system internal policy manager for policy managers. Likewise, you can go and check theline card-related commands as well. With EPMC, we have Show system internal EPMCshow forwarding for the dynamic table; Show system internal Aclqs for Aclqs; and for the hardware abstraction layer, we have Show platform internal Hal. Next, what we want to understand here is that we want to understand the AC generation with respect to leaf and spine.

So first of all, we have the Leaf AC generation. We know that we have generation one and generation two. In generation 1, you have Cisco, ASIC, and Broadcom. So you have two circulations. And again, you can see where you are putting different types of entries. So let me show you in the next image that obviously if you are in this fine, then the database is storing and the TEP information is in the line card. Let me go back and quickly show you the Nexus Switch series as well. Who is supporting the first generation and the series? Who is supporting the second generation? One of the more popular Essic leaf switches is this ninek, and the other switches are also in use.

Now, in this architecture, you have one cloud-scale essay correct. And, in this cloud-scale essay, all of those things—programming, automation, and TEP data—are happening in relation to the lift switch. Now if you go and check the spine, obviously there is a spine where they have to store the client database. So you can check Gen 2 where you have the fabric card with the coup database and then Line Card with the TP 10 and line point information, and then you can check the line card boxes fine and the fabric card series as well. So at this point in time, we understand how the actual forwarding is happening behind the scenes: how the leaf switches are learning the endpoints, then passing that information to the spine inside the COP database.

And suppose if you don't know, meaning if the leaf doesn't know the destination, then this fine proxy and ARP cleaning are happening, and then finally they are forming the dynamic VXLAN channel, and then communication is happening now behind the scene feature. Is that how the Essex are helping with this particular communication or transaction?

So we have, for example, Gen 2 ASIC, where everything is collapsed inside a single ASIC rather than in Gen 1. You have a square-broadcom ASIC and a cloud-scale ASIC where this information is programmed. And for that reference, this is how the EPM unica strip and policy manager are helping the line card to programme the dynamic entry. And then the forwarding is happening from one leaf to the other, or from the source to the destination.

13. ACI Packet Walk

This is the last session in Section 2, where we have to learn and understand the life of a packet going through ACI. So let's start by understanding this. We now have the logical and physical diagrams. So I've got one VRF and one VRF. Inside that, I have one BD. Inside that BD, I have primary and secondary SVIS. So one is 02541 and one is 1254, and then I have two different endpoints, EPG one and EPG two, and then I have two different endpoints as well. In this case, we have flooding turned off and unicast routing enabled because we need to route from one subnet to another, and unicast is required for that.

So what we want to do here is communicate between end points A and B, which are 192.168.0 and 192.168.1 on the IP. So we want to communicate from here to here. And now, how are we going to do the communication? What are the steps involved that we want to discuss? In the physical diagram, you can see again that we have the leaf switch, and then these leaf switches have the gateway. So BD one, BD one, BD one, BD one. Obviously, all the leaf switches have the gateway assigned. So we have two different subnets assigned to each leaf. Now what is happening? We want to facilitate communication between the EPA and the EPB. So first of all, the end point will send the ARP request, and it will get the reply from the leaf switch itself.

First of all, this leaf switch has to learn the end point information. So what's the IP? What's the Mac? If it is the IP packet, then it will learn the IP and the Mac, and it will build the endpoint table. So here you can see that it is building the endpoint table. I'll show you on the next slide. And here we have notes as well. So the ARP request to the default gateway, whose gateway is 0254 leaf one, learns the Mac IP from the ARP leaf one, and notifies this through the spine with the coupe. Leaf one sends an ARP reply to end point A. Okay, so let's move on to the next slide. So now what is happening here is that the leaf is sending the request to the spine because they don't have the destination. But first, he's constructing the endpoint table and sending it to the coup database. So now the spine knows from where the package is coming.

However, Spine is unsure where to send it because he does not yet know the destination end point. So what will happen? Now here you can see point number two, which is that ICMP from EPA to EPB. ACI Mac's destination map is now available. Obviously, we have the BDSV. So, step three, a lookup will happen within the VR, and because the spine doesn't know the destinations, it will do the spine proxy correction, so what will happen is that this fine is going to send the request package from himself to the destination. Correct, and we know that that process is known as ARP lanes.

So the spine is going to send an ARP packet on behalf of leaf one, and that's our plane, and that packet will go to both the leaf switches. We know that the destination is my end point now that leaf number two has been assumed. So here you can see that once he receives that particular ARP clean packet, he will start the ARP request and he will get the ARP reply, and in this way, the leaf will learn the endpoint B entry. Now, when the leaf learns the end point B entry again, it will send that information to the spine and the COUP database, so you can see that I have both entries in my COUP database on the top. So now the spine knows that this is the end point A, and this is the end point B.

When the second ICMP packet arrives, the spine knows where it is going, so he can tell the leaf switch how to send the packet. So this time what will happen is that the spine will not go and look inside the VX landheaders inside the inner header, but although it will simply forward, it will check the outer header. This is the destination I have to forward. As a result, this will go ahead and forward the packet from this location to this location from leaf one to leaf two, knowing that this information will be sent from the coupling to the end point again. Remember, we have one corner case here: the coup database. If you do the query, then it will tell you, "Okay, this is the information, and you can get it." In this case, a fine-coordinate lookup for a second ICMP will occur.

That one is now good to go; send it to Lifto Lift to learn EPA. As you can see, lift two is determining that endpoint A is a remote endpoint. The packet is routed, and they leave to send it to EPB. This way, actually, the communication is happening behind the scenes, and finally the ARP request will go out. Let me show you the rest of the slide. So you have done the ARP query, so your ARP request is going on, and then the response will come into the picture. As you can see, this leaf is learning EPA. He knows he has to do the ARP query after learning the EPA because he already knows the end point.

So he has his local entry and then a remote entry that comes from the other leaf. When he responds, he knows that the destination will go at least to the end point because he knows what the destination is in relation to EPB. And you can see that the package has been solved here. There are numerous steps involved. All of the steps can be broken down into smaller, more manageable chunks here. And you can see that this fine is helping. to get the endpoint information. Once they have the end point information, they will only check the outer header the next time the packet goes wirelessly. They will not check the inner header. And then inside the VX land tunnel, the communication will happen inside the ACA fabric.

CCNP Data Center certification practice test questions and answers, training course, study guide are uploaded in ETE files format by real users. Study and pass Cisco CCNP Data Center certification exam dumps & practice test questions and answers are the best available resource to help students pass at the first attempt.