The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
As shown in the figure below, when the leaf switch interface is configured as a bridged
interface, the default gateway for the tenant VNID is the external router.
The ACI fabric is
unaware of the presence of the external router and the
APIC statically assigns the leaf switch
interface to its EPG.
Bridge Domains and
A bridge domain (fvBD) represents a Layer 2 forwarding construct within the fabric. The following figure shows the location of bridge domains (BDs)
in the management information tree (MIT) and their relation to other objects in the tenant.
A BD must be linked to a VRF (also known as a context or private network). With the exception of a Layer 2 VLAN, it must have
at least one subnet (fvSubnet) associated with it. The BD defines the unique Layer 2 MAC address space and a Layer 2 flood domain if such flooding is enabled.
While a VRF defines a unique IP address space, that address space can consist of multiple subnets. Those subnets are defined
in one or more BDs that reference the corresponding VRF.
The options for a subnet under a BD or under an EPG are as follows:
Public—the subnet can be exported to a routed connection.
Private—the subnet applies only within its tenant.
Shared—the subnet can be shared with and exported to multiple VRFs in the same tenant or across tenants as part of a shared service.
An example of a shared service is a routed connection to an EPG present in another VRF in a different tenant. This enables
traffic to pass in both directions across VRFs. An EPG that provides a shared service must have its subnet configured under
that EPG (not under a BD), and its scope must be set to advertised externally, and shared between VRFs.
Shared subnets must be unique across the VRF involved in the communication. When a subnet under an EPG provides a Layer 3
external network shared service, such a subnet must be globally unique within the entire ACI fabric.
BD packet behavior can be controlled in the following ways:
You can enable or disable ARP Flooding; without flooding, ARP packets are sent with unicast.
If the limitIpLearnToSubnets in fvBD is set, endpoint learning is limited to the BD only if the IP address is in a configured subnet of the BD or an EPG subnet
that is a shared service provider.
L2 Unknown Unicast, which can be Flood or Hardware Proxy.
When the BD has L2 Unknown Unicast set to Flood, if an endpoint is deleted the system deletes it from both the local leaf switches as well as the remote leaf switches where
the BD is deployed, by selecting Clear Remote MAC Entries. Without this feature, the remote leaf continues to have this endpoint learned until the timer expires.
Modifying the L2 Unknown Unicast setting causes traffic to bounce (go down and up) on interfaces to devices attached to EPGs associated with this bridge domain.
Unknown IP Multicast
L3 Unknown Multicast Flooding
Flood—Packets are flooded on ingress and border leaf switch nodes only. With N9K-93180YC-EX, packets are flooded on all the nodes
where a bridge domain is deployed.
Optimized—Only 50 bridge domains per leaf are supported. This limitation is not applicable for N9K-93180YC-EX.
L2 Multicast, Broadcast, Unicast
Multi-Destination Flooding, which can be one of the following:
Flood in BD—flood in bridge domain
Flood in Encapsulation—flood in encapsulation
Drop—drop the packets
Beginning with Cisco APIC Release 3.1(1), on the Cisco Nexus 9000 series switches (with names ending with EX and FX and onwards),
the following protocols can be flooded in encapsulation or flooded in a bridge domain: OSPF/OSPFv3, BGP, EIGRP, CDP, LACP,
LLDP, ISIS, IGMP, PIM, ST-BPDU, ARP/GARP, RARP, ND.
Bridge domains can span multiple switches. A bridge domain can contain multiple subnets, but a subnet is contained within
a single bridge domain. If the bridge domain (fvBD) limitIPLearnToSubnets property is set to yes, endpoint learning will occur in the bridge domain only if the IP address is within any of the configured subnets for the
bridge domain or within an EPG subnet when the EPG is a shared service provider. Subnets can span multiple EPGs; one or more
EPGs can be associated with one bridge domain or subnet. In hardware proxy mode, ARP traffic is forwarded to an endpoint in
a different bridge domain when that endpoint has been learned as part of the Layer 3 lookup operation.
Bridge Domain Options
A bridge domain can be set to operate in flood mode for unknown unicast frames or in an optimized mode that eliminates flooding
for these frames. When operating in flood mode, Layer 2 unknown unicast traffic is flooded over the multicast tree of the
bridge domain (GIPo). For the bridge domain to operate in optimized mode you should set it to hardware-proxy. In this case,
Layer 2 unknown unicast frames are sent to the spine-proxy anycast VTEP address.
Changing from unknown unicast flooding mode to hw-proxy mode is disruptive to the traffic in the bridge domain.
If IP routing is enabled in the bridge domain, the mapping database learns the IP address of the endpoints in addition to
the MAC address.
The Layer 3 Configurations tab of the bridge domain panel allows the administrator to configure the following parameters:
Unicast Routing: If this setting is enabled and a subnet address is configured, the fabric provides the default gateway function and routes
the traffic. Enabling unicast routing also instructs the mapping database to learn the endpoint IP-to-VTEP mapping for this
bridge domain. The IP learning is not dependent upon having a subnet configured under the bridge domain.
Subnet Address: This option configures the SVI IP addresses (default gateway) for the bridge domain.
Limit IP Learning to Subnet: This option is similar to a unicast reverse-forwarding-path check. If this option is selected, the fabric will not learn
IP addresses from a subnet other than the one configured on the bridge domain.
Enabling Limit IP Learning to Subnet is disruptive to the traffic in the bridge domain.
Scaled L2 Only Mode - Legacy Mode
In Cisco ACI, the same VLAN ID can be reused for any purpose as long as the VLAN is
deployed on different leaf nodes. This allows the Cisco ACI fabric to overcome the
theoretical maximum number of VLANs 4094 as a fabric. However, to accomplish this,
and also to hide the complexity of underlying VxLAN implementation, each individual
leaf node can contain smaller number of VLANs. This may pose a problem when the
density of VLANs per leaf node is required. In such a scenario, you can enable
Scaled L2 Only mode, formerly known as legacy mode on the
bridge domain. A bridge domain in scaled L2 only mode allows large number of VLANs
per leaf node. However, such a bridge domain has some limitations.
For the number of VLANs or bridge domains supported per leaf node with or without
scaled L2 only mode, see Verified Scalability Guide for your
Limitations for Scaled L2 Only Mode
The following are limitations for legacy mode or scaled L2 only mode.
The bridge domain can contain only one EPG and one VLAN.
Unicast routing is not supported.
Contracts are not supported.
Dynamic VLAN allocation for VMM integration is not supported.
Service graph is not supported.
A QoS policy is not supported.
The bridge domain essentially behaves as a VLAN in standalone Cisco NX-OS.
Scaled L2 Only Mode Configuration
The following are considerations to configure a bridge domain in scaled L2 only
VLAN ID is configured on the bridge domain.
VLAN IDs configured under the EPG are overridden.
Enabling or disabling a scaled L2 only mode on an existing bridge domain will
Cisco APIC will automatically undeploy and redeploy the bridge domain when
the VLAN ID is different from what was used prior to the change.
When the same VLAN ID is used before and after the mode change, Cisco APIC
will not automatically undeploy and redeploy the bridge domain. You must
manually undeploy and redeply the bridge domain, which can be performed by
deleting and recreating the static port configuration under the EPG.
When changing the VLAN ID for scaled L2 only mode, you must first disable the
mode, then enable scaled L2 only mode with the new VLAN ID.
Disabling IP Learning per Bridge Domain
IP learning per bridge domain is disabled when two hosts are connected as active and standby hosts to the Cisco ACI switches.
The MAC learning still occurs in the hardware but the IP learning only occurs from the ARP/GARP/ND processes. This functionality
allows for flexible deployments, for example, firewalls or local gateways.
See the following guidelines and limitations for disabling IP learning per bridge domain:
Layer 3 multicast is not supported because the source IP address is not learned to populate the S,G information in the remote
top-of-rack (ToR) switches.
As the DL bit is set in the iVXLAN header, the MAC address is also not learned from the data path in the remote TORs. It results
in flooding of the unknown unicast traffic from the remote TOR to all TORs in the fabric where this BD is deployed. It is
recommended to configure the BD in proxy mode to overcome this situation if endpoint dataplane learning is disabled.
ARP should be in flood mode and GARP based detection should be enabled.
When IP learning is disabled, Layer 3 endpoints are not flushed in the corresponding VRF. It may lead to the endpoints pointing
to the same TOR forever. To resolve this issue, flush all the remote IP endpoints in this VRF on all TORs.
The configuration change of disabling dataplane learning on the BD doesn’t flush
previously locally learned endpoints. This limits the disruption to existing traffic
flows. MAC learned endpoints age as usual if the Cisco ACI leaf sees no traffic with
the given source MAC for longer than the endpoint retention policy.
Disabling IP dataplane learning means that the endpoint IP information is not
updated as a result of traffic forwarding, but Cisco ACI can refresh the
endpoint IP information with ARP/ND. This means that the aging of the local
endpoints (whether they were learned before the configuration change, or they
are learned after the configuration change) differs slightly from the normal
aging and it depends also from System > System Settings > Endpoint
Controls > IP Aging.
If IP Aging is disabled, traffic from a source MAC that matches
an already learned endpoint MAC, refreshes the MAC addresses information in the
endpoint table, and as a result also refreshes the IP information (this is the
same as IP dataplane learning enabled).
If IP Aging is enabled, ACI ages out endpoint IP addresses
individually (this is no different from what happens with IP dataplane learning
enabled), but differently from configurations with IP dataplane learning
enabled, traffic from a known source MAC and IP that matches an already learned
endpoint, refreshes the MAC address information in the endpoint table, but not
the IP information.
Creating a Tenant, VRF, and Bridge Domain Using the GUI
If you have a public subnet when you configure the routed outside, you must associate the bridge domain with the outside configuration.
On the menu bar, choose Tenants > Add Tenant.
In the Create Tenant dialog box, perform the following tasks:
In the Name field, enter a name.
Click the Security Domains + icon to open the Create Security Domain dialog box.
In the Name field, enter a name for the security domain. Click Submit.
In the Create Tenant dialog box, check the check box for the security domain that you created, and click Submit.
In the Navigation pane, expand Tenant-name > Networking, and in the Work pane, drag the VRF icon to the canvas to open the Create VRF dialog box, and perform the following tasks:
In the Name field, enter a name.
Click Submit to complete the VRF configuration.
In the Networking pane, drag the BD icon to the canvas while connecting it to the VRF icon. In the Create Bridge Domain dialog box that displays, perform the following tasks:
In the Name field, enter a name.
Click the L3 Configurations tab.
Expand Subnets to open the Create Subnet dialog box, enter the subnet mask in the Gateway IP field and click OK.
Click Submit to complete bridge domain configuration.
In the Networks pane, drag the L3 icon down to the canvas while connecting it to the VRF icon. In the Create Routed Outside dialog box that displays, perform the following tasks:
In the Name field, enter a name.
Expand Nodes And Interfaces Protocol Profiles to open the Create Node Profile dialog box.
In the Name field, enter a name.
Expand Nodes to open the Select Node dialog box.
In the Node ID field, choose a node from the drop-down list.
In the Router ID field, enter the router ID.
Expand Static Routes to open the Create Static Route dialog box.
In the Prefix field, enter the IPv4 or IPv6 address.
Expand Next Hop Addresses and in the Next Hop IP field, enter the IPv4 or IPv6 address.
In the Preference field, enter a number, then click UPDATE and then OK.
In the Select Node dialog box, click OK.
In the Create Node Profile dialog box, click OK.
Check the BGP, OSPF, or EIGRP check boxes if desired, and click NEXT. Click OK to complete the Layer 3 configuration.
To confirm L3 configuration, in the Navigation pane, expand Networking > VRFs.
Creating a Tenant, VRF, and Bridge Domain Using the NX-OS Style CLI
This section provides
information on how to create tenants, VRFs, and bridge domains.
Before creating the tenant configuration, you must create a VLAN
domain using the
vlan-domain command and assign the ports to it.
Create a VLAN
domain (which contains a set of VLANs that are allowable in a set of ports) and
allocate VLAN inputs, as follows:
In the following
example ("exampleCorp"), note that VLANs 50 - 500 are allocated.
Once the VLANs
have been allocated, specify the leaf (switch) and interface for which these
VLANs can be used. Then, enter "vlan-domain member" and then the name of the
domain you just created.
In the following
example, these VLANs (50 - 500) have been enabled on leaf 101 on interface
ethernet 1/2-4 (three ports including 1/2, 1/3, and 1/4). This means that if
you are using this interface, you can use VLANS 50-500 on this port for any
application that the VLAN can be used for.
The next section
describes how to add an application profile, create an application endpoint
group (EPG), and associate the EPG to the bridge domain.
Creating a Tenant, VRF, and Bridge Domain Using the REST API
POST succeeds, you see the object that you created in the output.
Create a VRF
and bridge domain.
Address can be an IPv4 or an IPv6 address. For more about details IPv6 gateway
address, see the related KB article,
Creating a Tenant, VRF, and Bridge Domain with IPv6 Neighbor Discovery
If you have a
public subnet when you configure the routed outside, you must associate the
bridge domain with the outside configuration.
Configuring an Enforced Bridge Domain
An enforced bridge domain configuration entails creating an endpoint in a subject endpoint group (EPG) that can only ping
subnet gateways within the associated bridge domain. With this configuration, you can then create a global exception list
of IP addresses that can ping any subnet gateway.
The exception IP addresses can ping all of the bridge domain gateways across all of your VRF instances.
A loopback interface configured for an L3Out does not enforce reachability to the IP address that is configured for the subject
When an eBGP peer IP address exists in a different subnet than the subnet of the L3Out interface, the peer subnet must be
added to the allowed exception subnets. Otherwise, eBGP traffic is blocked because the source IP address exists in a different
subnet than the L3Out interface subnet.
An enforced bridge domain is not supported with the Management tenant, regardless if the VRF instances are in-band or out-of-band,
and any rules to control the traffic to these VRF instances should be configured using regular contracts.
Configuring an Enforced Bridge Domain Using the NX-OS Style CLI
This section provides information on how to configure your enforced bridge domain using the NX-OS style command line interface
Create and enable the tenant:
In the following example ("cokeVrf") is created and enabled.
apic1(config-tenant)# vrf context cokeVrf
apic1(config-tenant-vrf)# bd-enforce enable
Add the subnet to the exception list.
You can confirm if the enforced bridge domain is operational using the following type of command:
apic1# show running-config all | grep bd-enf
bd-enf-exp-ip add 18.104.22.168/24
The following command removes the subnet from the exception list:
apic1(config)# no bd-enf-exp-ip 22.214.171.124/24
apic1(config-tenant)#vrf context cokeVrf
What to do next
To disable the enforced bridge domain run the following command:
apic1(config-tenant-vrf)# no bd-enforce enable
Configuring an Enforced Bridge Domain Using the REST API
Command or Action
Create a tenant.
When the POST succeeds, you see the object that you created in the output.
For adding an exception IP, use the following post:
If you have a public subnet when you configure the routed outside, you must associate the bridge domain with the outside configuration.
The Gateway Address can be an IPv4 or an IPv6 address. For more about details IPv6 gateway address, see the related KB article,
KB: Creating a Tenant, VRF, and Bridge Domain with IPv6 Neighbor Discovery .
Configuring Flood in Encapsulation for All Protocols and Proxy ARP Across Encapsulations
Cisco Application Centric
Infrastructure (ACI) uses the bridge domain as the Layer 2 broadcast boundary. Each bridge domain can include multiple endpoint groups (EPGs),
and each EPG can be mapped to multiple virtual or physical domains. Each EPG can also use different VLAN encapsulation pools
in each domain.Each EPG can also use different VLAN or VXLAN encapsulation pools in each domain.
Ordinarily, when you put multiple EPGs within bridge domains, broadcast flooding sends traffic to all the EPGs in the bridge
domain. Because EPGs are used to group endpoints and manage traffic to fulfill specific functions, sending the same traffic
to all the EPGs in the bridge domain is not always practical.
The flood in encapsulation feature helps to consolidate bridge domains in your network. The feature does so by enabling you
to control broadcast flooding to endpoints (EPs) within the bridge domain based on the encapsulation of the virtual or physical
domain that the EPGs are associated with.
Example of Flood in Encapsulation Use Case with VLAN Encapsulation
Flood in encapsulation is often used when the external device is using Virtual Connect Tunnel mode where one MAC address is
maintained per vNet because of VLAN-agnostic MAC learning.
Using multiple VLANs in tunnel mode can introduce a few challenges. In a typical deployment using Cisco ACI with a single tunnel, as illustrated in the following figure, there are multiple EPGs under one bridge domain. In this case,
certain traffic is flooded within the bridge domain (and thus in all the EPGs), with the risk of MAC learning ambiguities
that can cause forwarding errors.
In this topology, the blade switch (virtual connect in this example)
has a single tunnel network defined that uses one uplink to connect with the Cisco ACI leaf node. Two user VLANs, VLAN 10 and VLAN 11 are carried over this link. The
bridge domain is set in flooding mode as the servers’ gateways are outside the Cisco ACI cloud. ARP negotiations occur in the following process:
The server sends one ARP broadcast request over the VLAN 10 network.
The ARP packet travels through the tunnel network to the external server, which records the source MAC address, learned from
The server then forwards the packet out its uplink to the Cisco ACI leaf switch.
The Cisco ACI fabric sees the ARP broadcast packet entering on access port VLAN 10 and maps it to EPG1.
Because the bridge domain is set to flood ARP packets, the packet is flooded within the bridge domain and thus to the ports
under both EPGs as they are in the same bridge domain.
The same ARP broadcast packet comes back over the same uplink.
The blade switch sees the original source MAC address from
blade switch has the same MAC address learned from both the downlink port and uplink
port within its single MAC forwarding table, causing traffic disruptions.
The flood in encapsulation option is used to limit flooding traffic inside the bridge domain to a single encapsulation. When
EPG1/VLAN X and EPG2/VLAN Y share the same bridge domain and flood in encapsulation is enabled, the encapsulation flooding
traffic does not reach the other EPG/VLAN.
Beginning with Cisco Application Policy Infrastructure
Controller (APIC) release 3.1(1), on the Cisco Nexus 9000 series switches (with names ending with EX and FX and onwards), all protocols are
flooded in encapsulation. Also, when flood in encapsulation is enabled under the bridge domain for any inter-VLAN traffic,
Proxy ARP ensures that the MAC flap issue does not occur. It also limits all flooding (ARP, GARP, and BUM) to the encapsulation.
The restriction applies for all EPGs under the bridge domain where it is enabled.
Before Cisco APIC release 3.1(1), these features are not supported (proxy ARP and all protocols being included when flooding within encapsulation).
In an earlier Cisco APIC release or earlier generation switches (without EX or FX on their names), if you enable flood in encapsulation it does not
function, no informational fault is generated, but Cisco APIC decreases the health score by 1.
Beginning with Cisco APIC release 3.2(5), you can configure flood in encapsulation for EPGs associated with VXLAN encapsulation. Previously, only VLANs
were supported for flood in encapsulation for virtual domains. You configure flood in encapsulation when you create or modify
a bridge domain or an EPG.
The recommended solution is to support multiple EPGs under one bridge domain by adding an external switch. This design with
multiple EPGs under one bridge domain with an external switch is illustrated in the following figure.
Within the same bridge domain, some EPGs can be service nodes and other EPGs can have flood in encapsulation configured. A
load balancer resides on a different EPG. The load balancer receives packets from the EPGs and sends them to the other EPGs
(There is no Proxy ARP and flood within encapsulation does not take place).
Multi-Destination Protocol Traffic
The EPG/bridge domain level broadcast segmentation is supported for the following network control protocols:
STP-BPDU (flooded within EPG)
ARP/GARP (controlled by ARP Proxy)
Flood in Encapsulation Limitations
The following limitations apply when using flood in encapsulation for all protocols:
Flood in encapsulation does not work in ARP unicast mode.
Neighbor Solicitation (Proxy NS/ND) is not supported for this release.
Because proxy Address Resolution Protocol (ARP) is enabled implicitly, ARP traffic can go to the CPU for communication between
To ensure even distribution to different ports to process ARP traffic, enable per-port Control Plane Policing (CoPP) for ARP
with flood in encapsulation.
Flood in encapsulation is supported only in bridge domain in flood mode and ARP in flood mode. Bridge domain spine proxy mode
is not supported.
IPv4 Layer 3 multicast is not supported.
IPv6 NS/ND proxy is not supported when flood in encapsulation is enabled. As a result, the connection between two endpoints
that are under same IPv6 subnet but resident in EPGs with different encapsulation may not work.
VM migration to a different VLAN has momentary issues (60 seconds). VM
migration to a different VLAN or VXLAN has momentary issues (60
Setting up communication between VMs through a firewall, as a gateway, is not recommended because if the VM IP address changes
to the gateway IP address instead of the firewall IP address, then the firewall can be bypassed.
Prior releases are not supported (even interoperating between prior and current releases).
A mixed-mode topology with older-generation Application Leaf Engine (ALE) and Application Spine Engine (ASE) is not recommended
and is not supported with flood in encapsulation. Enabling them together can prevent QoS priorities from being enforced.
Flood in encapsulation is not supported for EPG and bridge domains that are extended across Cisco ACI fabrics that are part of the same Multi-Site domain. However, flood in encapsulation is still working and fully supported,
and works for EPGs or bridge domains that are locally defined in Cisco ACI fabrics, independently from the fact those fabrics may be configured for Multi-Site. The same considerations apply for EPGs
or bridge domains that are stretched between Cisco ACI fabric and remote leaf switches that are associated to that fabric.
Flood in encapsulation is not supported on EPGs where microsegmentation is configured.
If you configure the flood in encapsulation on all EPGs of a bridge domain, ensure that you configure the flood in encapsulation
on the bridge domain as well.
IGMP snooping is not supported with flood in encapsulation.
There is a condition that causes Cisco ACI to flood in the bridge domain (instead of the encapsulation) packets that are received on an EPG that is configured for flood
in encapsulation. This happens regardless of whether the administrator configured flood in encapsulation directly on the EPG
or on the bridge domain. The condition for this forwarding behavior is if the ingress leaf node has a remote endpoint for
the destination MAC address while the egress leaf node does not have a corresponding local endpoint. This can happen due to
reasons such as an interface flapping, an endpoint flush due to STP TCN, learning being disabled on the bridge domain due
to an excessive amount of moves, and so on.
In the 4.2(6o) and later 4.2(6) releases, 4.2(7m) and later 4.2(7) releases, and 5.2(1g) and later releases, this behavior
was enhanced. If the administrator enables flood in encapsulation on the bridge domain (instead of the EPG), Cisco ACI does
not send out such packets on any encapsulations from downlinks facing external devices on the non-ingress (egress and transit)
leaf nodes. This new behavior prevents the packets from leaking to unexpected encapsulations. When flood in encapsulation
is enabled only at an EPG level, the non-ingress leaf node may still flood packets in the bridge domain instead of the encapsulation.
For more information, see the enhancement bug CSCvx83364.
Configuring Flood in Encapsulation
You configure flood in encapsulation with the NX-OS style CLI, REST API, or the Cisco Application Policy Infrastructure
Controller (APIC) GUI.
Flood in encapsulation that is configured for an EPG takes precedence over flood in encapsulation that is configured for a
bridge domain (BD). When both BDs and EPGs are configured, the behavior is described as follows:
Table 1. Behavior When Both BDs and EPGs Are Configured
Flood in encapsulation at the EPG and flood in encapsulation at the bridge domain
Flood in encapsulation takes place for the traffic on all VLANs and VXLANs the bridge domain.
No flood in encapsulation at the EPG and flood in encapsulation at the bridge domain
Flood in encapsulation takes place for the traffic on all VLANs and VXLANs within the bridge domain.
Flood in encapsulation at the EPG and no flood in encapsulation at the bridge domain
Flood in encapsulation takes place for the traffic on that VLAN or VXLAN within the EPG of the bridge domain.
No flood in encapsulation at the EPG and no flood in encapsulation at the bridge domain
Flooding takes place within the entire bridge domain.
Configuring Flood in Encapsulation Using the Cisco APIC GUI
You configure flood in encapsulation using the Cisco Application Policy Infrastructure
Controller (APIC) GUI when you create or modify a bridge domain (BD) or an endpoint group (EPG).
To configure flood in encapsulation while creating a BD, complete the following steps: