Cisco ACI: Understanding Bridge Domain (BD)

Rashmi Bhardwaj | Blog,Cloud & Virtualization

Networking is the foundation for the communication between applications, systems, functions and services that together deliver mission-critical business services across an enterprise, whether they are hosted on premises or across multiple clouds. The networking requirement is no longer confined to a room called the data center with strict physical boundaries. To keep pace with this changing landscape, Cisco introduced its Software Defined Networking (SDN) solution, Application Centric Infrastructure (ACI), which brings agility and resiliency to hybrid cloud and multi cloud environments. 

In this article we look at Cisco ACI (Application Centric Infrastructure), Cisco's software defined networking (SDN) solution, and at bridge domains: what a bridge domain does and why it is needed.

What is Cisco ACI?

Before we dive into bridge domains (BD), let's understand a bit about Cisco ACI and where the BD fits into the overall scheme of things. Cisco ACI, as mentioned earlier, is Cisco's software defined networking (SDN) solution and uses a leaf and spine topology. Every leaf switch connects to every spine switch in the fabric; leaf switches do not connect to each other, and neither do spine switches. All servers, hosts, services and external connectivity attach through the leaf switches. ACI uses a policy model to define how applications and systems communicate and to drive system configuration and administration. 


What is Cisco ACI- Bridge Domain? 

A bridge domain in Cisco ACI is a layer 2 forwarding construct in the ACI fabric that defines the flood domain. It is tempting to equate it with a VLAN, but a bridge domain is not bound by some of the limitations VLANs have, such as the 4096-segment ceiling imposed by the 12-bit VLAN ID. Bridge domains also offer features a plain VLAN lacks, such as optimized ARP handling (the fabric can answer or unicast ARP instead of flooding it) and control over unknown unicast flooding (flood within the BD, or forward to the spine proxy for lookup). 

Subnets are configured under the bridge domain. Defining a subnet creates an anycast gateway: the gateway address for that subnet, available on every leaf where the BD is deployed. A subnet's scope is private, public or shared depending on the requirement. A private subnet is not advertised outside the fabric via L3 (it stays within its VRF); a public subnet is advertised externally via L3 (e.g. OSPF or BGP through an L3Out); and a shared subnet is eligible to be leaked to other VRFs and tenants within the fabric. Private and public are an either-or choice, while shared can be combined with either. 

Bridge Domain (BD) Working 

To understand how a bridge domain works, we also need to look at the VRF and EPG components and how they are associated with a bridge domain. A VRF separates routing instances and their administration, defining a layer 3 address domain. One or more bridge domains can be associated with a VRF instance, and a tenant can have multiple VRFs.

EPGs, or endpoint groups, are containers for endpoints that share the same policy; they are how applications are mapped onto the network. Policies are defined at the EPG, and ports (or VLANs on ports) are assigned to it. Once the policy is pushed to all interfaces mapped to the EPG, the EPG is associated with a bridge domain, which establishes its layer 2 boundary. The figure below shows the relationship between VRF, EPG and BD. 

Each bridge domain is linked to a VRF and has at least one subnet, as depicted in the figure above (tenant A and tenant B).

Scenario 1 

If the bridge domain is not linked to any VRF, it functions as L2 only and endpoints attached to the BD are not even registered (learned) by Cisco ACI. Endpoints in the same subnet can still communicate, but endpoints on different subnets need an external router to reach each other, just as in a normal L2 network. 

Scenario 2

In bridge domain 1 the two endpoints are connected to different EPGs (EPG3 and EPG4). Even though both are linked to the same bridge domain 1 and share the same default gateway, they cannot communicate without a contract in Cisco ACI: traffic between different EPGs is denied by default. 

Scenario 3 

Bridge domain 2 has two subnets, whose gateway addresses act as the default gateways for the endpoints under it. Both endpoints are mapped to EPG2, which is linked to BD 2. They can communicate freely without a contract in Cisco ACI, because endpoints within the same EPG are allowed to talk to each other by default. Bridge domain 2 is linked to VRF B and is deployed on any leaf switch to which either or both endpoints are connected. 
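The subnet scopes and the three scenarios above can be expressed as the same JSON policy tree that is posted to the APIC. The following is an added example, not code from the original article or from Cisco: it builds a constructed tenant (VRF, BDs with scoped subnets, EPGs and one contract) using the APIC object classes fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, fvAp, fvAEPg, fvRsBd, vzBrCP, fvRsProv and fvRsCons, then answers "can endpoint A reach endpoint B?" by applying the rules of scenarios 1 to 3. The tenant, VRF, BD, EPG and contract names, the endpoint addresses and the cross-VRF rule (contract plus a shared-scope subnet) are assumptions and simplifications for the example; it also goes slightly beyond the text by rejecting a subnet that is marked both private and public.

```python
import ipaddress
import json

# Constructed sample tenant, loosely following the tenant A / tenant B figure.
# Object class names are the APIC ones; all other names are assumptions.
VALID_SCOPES = {"private", "public", "shared"}


def fv_subnet(gateway, *scopes):
    """A subnet under a BD. 'gateway' (e.g. 10.1.1.1/24) becomes the anycast
    gateway; 'scope' is the comma-separated private|public[,shared] string."""
    scopes = set(scopes) or {"private"}
    if scopes - VALID_SCOPES:
        raise ValueError(f"unknown subnet scope: {scopes - VALID_SCOPES}")
    if {"private", "public"} <= scopes:
        raise ValueError("a subnet is private to its VRF or advertised externally, not both")
    ipaddress.ip_interface(gateway)  # rejects a malformed gateway address
    return {"fvSubnet": {"attributes": {"ip": gateway, "scope": ",".join(sorted(scopes))}}}


def fv_bd(name, vrf=None, subnets=()):
    """A bridge domain; without a VRF it is L2-only and unicast routing is off."""
    children = list(subnets)
    if vrf:
        children.insert(0, {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}})
    attrs = {"name": name, "unicastRoute": "yes" if vrf else "no"}
    return {"fvBD": {"attributes": attrs, "children": children}}


def fv_epg(name, bd, provides=(), consumes=()):
    """An EPG bound to one BD, providing and/or consuming contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant():
    """The JSON tree that would be POSTed to /api/mo/uni.json on the APIC."""
    return {"fvTenant": {"attributes": {"name": "TenantA"}, "children": [
        {"fvCtx": {"attributes": {"name": "VRF-A"}}},
        {"fvCtx": {"attributes": {"name": "VRF-B"}}},
        {"vzBrCP": {"attributes": {"name": "web-to-app"}}},
        fv_bd("BD1", "VRF-A", [fv_subnet("10.1.1.1/24", "private")]),
        fv_bd("BD2", "VRF-B", [fv_subnet("10.2.1.1/24", "public"),
                                fv_subnet("10.2.2.1/24", "public", "shared")]),
        fv_bd("BD-L2"),                      # scenario 1: no VRF, L2 only
        {"fvAp": {"attributes": {"name": "App"}, "children": [
            fv_epg("EPG1", "BD-L2"),
            fv_epg("EPG2", "BD2"),           # scenario 3: one EPG, two subnets
            fv_epg("EPG3", "BD1", provides=["web-to-app"]),
            fv_epg("EPG4", "BD1"),           # scenario 2: same BD as EPG3, no contract
            fv_epg("EPG5", "BD1", consumes=["web-to-app"]),
        ]}},
    ]}}


def index_tenant(tenant):
    """Flatten the tree into {bd_name: {...}} and {epg_name: {...}} lookups."""
    bds, epgs = {}, {}

    def walk(node):
        (cls, body), = node.items()
        attrs, kids = body["attributes"], body.get("children", [])
        if cls == "fvBD":
            bds[attrs["name"]] = {
                "vrf": next((k["fvRsCtx"]["attributes"]["tnFvCtxName"] for k in kids if "fvRsCtx" in k), None),
                "subnets": [(ipaddress.ip_interface(k["fvSubnet"]["attributes"]["ip"]).network,
                             set(k["fvSubnet"]["attributes"]["scope"].split(",")))
                            for k in kids if "fvSubnet" in k]}
        elif cls == "fvAEPg":
            epgs[attrs["name"]] = {
                "bd": next(k["fvRsBd"]["attributes"]["tnFvBDName"] for k in kids if "fvRsBd" in k),
                "prov": {k["fvRsProv"]["attributes"]["tnVzBrCPName"] for k in kids if "fvRsProv" in k},
                "cons": {k["fvRsCons"]["attributes"]["tnVzBrCPName"] for k in kids if "fvRsCons" in k}}
        for k in kids:
            walk(k)

    walk(tenant)
    return bds, epgs


def can_communicate(bds, epgs, ep_a, ep_b):
    """ep = (ip/prefix, epg_name). Applies scenarios 1-3; returns (allowed, reason).
    Cross-VRF traffic is simplified to: a contract plus a shared-scope subnet."""
    (ip_a, name_a), (ip_b, name_b) = ep_a, ep_b
    epg_a, epg_b = epgs[name_a], epgs[name_b]
    bd_a, bd_b = bds[epg_a["bd"]], bds[epg_b["bd"]]
    same_subnet = ipaddress.ip_interface(ip_a).network == ipaddress.ip_interface(ip_b).network
    if name_a != name_b:                                    # scenario 2: EPGs need a contract
        contract = (epg_a["prov"] & epg_b["cons"]) | (epg_a["cons"] & epg_b["prov"])
        if not contract:
            return False, "different EPGs and no contract between them"
    if bd_a["vrf"] is None or bd_b["vrf"] is None:          # scenario 1: L2-only BD
        if epg_a["bd"] == epg_b["bd"] and same_subnet:
            return True, "L2-only BD: bridged, no gateway in the fabric"
        return False, "L2-only BD: other subnets need an external router"
    if bd_a["vrf"] != bd_b["vrf"]:
        if not any("shared" in scope for bd in (bd_a, bd_b) for _, scope in bd["subnets"]):
            return False, "different VRFs and no shared-scope subnet to leak the route"
    if same_subnet:
        return True, "same subnet: bridged within the BD"
    return True, "different subnets: routed by the BD anycast gateways"  # scenario 3


if __name__ == "__main__":
    tenant = build_tenant()
    print(json.dumps(tenant, indent=1)[:400], "...")
    bds, epgs = index_tenant(tenant)
    for a, b in [(("10.9.0.5/24", "EPG1"), ("10.9.1.6/24", "EPG1")),
                 (("10.1.1.10/24", "EPG3"), ("10.1.1.11/24", "EPG4")),
                 (("10.2.1.10/24", "EPG2"), ("10.2.2.10/24", "EPG2"))]:
        print(a, b, can_communicate(bds, epgs, a, b))
```

The three prints correspond to scenarios 1, 2 and 3: the L2-only pair on different subnets is refused, EPG3 to EPG4 is refused for lack of a contract even though both sit in BD1 behind the same gateway, and the two EPG2 endpoints on different BD2 subnets are allowed because same-EPG traffic needs no contract.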

Continue Reading:

Cisco ACI Multi-Tenant Environment

VRF vs Bridge Domain (BD)

