As we mentioned earlier, the ACI fabric provides tenants with default gateway functionality to route traffic between the ACI fabric VXLAN networks. ACI does this at the ingress interface of the first leaf switch connected to the endpoint. All of the ingress interfaces across the fabric share the same router IP address and MAC address for a given tenant subnet.
The ACI fabric decouples the tenant endpoint address and its identifier from the location of the endpoint that is defined by its locator or VXLAN tunnel endpoint (VTEP) address. Forwarding within the fabric is between VTEPs. Figure 4-35 shows the decoupled identity and location in ACI.
VXLAN uses VXLAN tunnel endpoint (VTEP) devices to map tenant end devices to VXLAN segments and to perform VXLAN encapsulation and decapsulation. Each VTEP function has two interfaces:
A switch interface on the local LAN segment to support local endpoint communication through bridging
An IP interface to the transport IP network
The IP interface has a unique IP address that identifies the VTEP device on the transport IP network, known as the infrastructure VLAN. The VTEP device uses this IP address to encapsulate Ethernet frames and transmit the encapsulated packets to the transport network through the IP interface. A VTEP device also discovers the remote VTEPs for its VXLAN segments and learns remote MAC address-to-VTEP mappings through its IP interface.
Figure 4-35 ACI Decouples Identity and Location
The VTEP in the ACI maps the internal tenant MAC or IP address to a location using a distributed mapping database. After the VTEP completes a lookup, the VTEP sends the original data packet encapsulated in VXLAN with the destination address of the VTEP on the destination leaf switch. The destination leaf switch decapsulates the packet and sends it to the receiving host. With this model, ACI uses a full-mesh, single-hop, loop-free topology without the need to use the Spanning Tree Protocol to prevent loops.
The VXLAN segments are independent of the underlying network topology. ACI routes the encapsulated packets based on the outer IP address header, which has the initiating VTEP as the source IP address and the terminating VTEP as the destination IP address. Figure 4-36 shows how routing within the tenant is done.
Figure 4-36 Layer 3 VNIDs Transport ACI Intersubnet Tenant Traffic
For each tenant VRF in the fabric, the ACI assigns a single Layer 3 VNID. The ACI transports traffic across the fabric according to the Layer 3 VNID. At the egress leaf switch, the ACI routes the packet from the Layer 3 VNID to the VNID of the egress subnet.
Traffic arriving at the fabric ingress that is sent to the ACI fabric default gateway is routed into the Layer 3 VNID. This provides very efficient forwarding in the fabric for traffic routed within the tenant. For example, with this model, traffic between two VMs belonging to the same tenant on the same physical host but on different subnets only needs to travel to the ingress switch interface before being routed (using the minimal path cost) to the correct destination.
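The following Python model is an added example, not code from the book or from Cisco, that ties together the two mechanisms described above: VTEP-to-VTEP VXLAN encapsulation with the outer IP header carrying the VTEP addresses, and ingress routing into a per-VRF Layer 3 VNID with the egress leaf mapping that VNID back to the destination subnet's VNID. It assumes the standard RFC 7348 VXLAN header over plain IPv4/UDP (ACI's own iVXLAN header carries additional fields that are omitted here), and every VTEP address, VNID, gateway MAC and mapping-database entry is a constructed value, not one from a real fabric.

```python
"""Added example: VXLAN encapsulation between VTEPs plus an ACI-style
Layer 3 VNID forwarding decision. Standard RFC 7348 header only; all
addresses, VNIDs and the mapping database below are constructed."""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid

# --- Constructed fabric state (illustrative values, not real ACI ones) ------
GATEWAY_MAC = bytes.fromhex("020000000001")      # anycast gateway MAC shared by all leaves
L3_VNID_BY_VRF = {"tenantA:vrf1": 2_752_512}      # one Layer 3 VNID per tenant VRF
BD_VNID_BY_SUBNET = {"10.1.1.0/24": 15_826_914, "10.1.2.0/24": 15_826_915}
ENDPOINT_TO_VTEP = {"10.1.2.20": "10.0.96.64"}    # identity (tenant IP) -> locator (VTEP)


def build_vxlan_header(vni: int) -> bytes:
    """RFC 7348 header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    flags, vni_word = struct.unpack("!B3xI", data[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return vni_word >> 8


def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def vxlan_encapsulate(inner_frame: bytes, src_vtep: str, dst_vtep: str, vni: int) -> bytes:
    """Outer IPv4 (initiating VTEP -> terminating VTEP) + UDP 4789 + VXLAN + original frame."""
    vxlan = build_vxlan_header(vni) + inner_frame
    # Source port derived from the inner frame so the underlay can hash flows across ECMP paths.
    src_port = 49152 + (zlib.crc32(inner_frame) & 0x3FFF)
    # A zero UDP checksum is permitted for VXLAN over IPv4.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0) + vxlan
    return build_ipv4(src_vtep, dst_vtep, 17, len(udp)) + udp


def vxlan_decapsulate(packet: bytes):
    """Return (src_vtep, dst_vtep, vni, inner_frame); reject anything that is not VXLAN."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    src_vtep = str(ipaddress.IPv4Address(packet[12:16]))
    dst_vtep = str(ipaddress.IPv4Address(packet[16:20]))
    udp = packet[ihl:]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    vni = parse_vxlan_header(udp[8:16])
    return src_vtep, dst_vtep, vni, udp[16:udp_len]


def make_inner_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet II frame carrying an empty IPv4 packet (constructed test traffic)."""
    return dst_mac + src_mac + b"\x08\x00" + build_ipv4(src_ip, dst_ip, 17, 0)


def ingress_forward(inner_frame: bytes, vrf: str, local_vtep: str) -> bytes:
    """Ingress leaf: a frame addressed to the fabric gateway MAC is routed into the
    tenant VRF's Layer 3 VNID and tunnelled to the VTEP that owns the destination IP."""
    if inner_frame[:6] != GATEWAY_MAC:
        raise ValueError("only routed (gateway-addressed) traffic is modelled here")
    dst_ip = str(ipaddress.IPv4Address(inner_frame[30:34]))   # 14-byte Ethernet + IPv4 dst offset
    dst_vtep = ENDPOINT_TO_VTEP[dst_ip]                        # distributed mapping database lookup
    return vxlan_encapsulate(inner_frame, local_vtep, dst_vtep, L3_VNID_BY_VRF[vrf])


def egress_forward(packet: bytes):
    """Egress leaf: decapsulate, then route from the Layer 3 VNID to the VNID of the
    destination subnet. Returns (destination_ip, egress_subnet_vnid)."""
    _, _, vni, inner = vxlan_decapsulate(packet)
    if vni not in L3_VNID_BY_VRF.values():
        raise ValueError("packet was bridged, not routed through a Layer 3 VNID")
    dst_ip = ipaddress.IPv4Address(inner[30:34])
    for subnet, bd_vnid in BD_VNID_BY_SUBNET.items():
        if dst_ip in ipaddress.IPv4Network(subnet):
            return str(dst_ip), bd_vnid
    raise LookupError("no tenant subnet owns %s" % dst_ip)


if __name__ == "__main__":
    frame = make_inner_frame(bytes.fromhex("020000000a0a"), GATEWAY_MAC, "10.1.1.10", "10.1.2.20")
    pkt = ingress_forward(frame, "tenantA:vrf1", "10.0.96.65")
    print(vxlan_decapsulate(pkt)[:3])   # ('10.0.96.65', '10.0.96.64', 2752512)
    print(egress_forward(pkt))          # ('10.1.2.20', 15826915)
```

Running the module walks one intersubnet packet through the fabric: the host in 10.1.1.0/24 sends to the anycast gateway MAC, the ingress leaf resolves the destination IP to a locator and encapsulates with the VRF's Layer 3 VNID, and the egress leaf strips the outer headers and selects the VNID of the 10.1.2.0/24 subnet. The outer packet never refers to the tenant addresses, which is the identity/location decoupling the text describes.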