A bridge domain (fvBD) is the logical representation of a Layer 2 forwarding domain within the fabric. A bridge domain is a child of the tenant object and must be linked to a VRF.
The bridge domain defines the unique Layer 2 MAC address space and a Layer 2 flood domain if flooding is enabled. While a VRF defines a unique IP address space, that address space can consist of multiple subnets. Those subnets will be spread across one or more bridge domains contained in the VRF.
Bridge domains will span all switches in which associated endpoint groups are configured. A bridge domain can have multiple subnets. However, a subnet is contained within a single bridge domain.
Figure 4-22 provides an example of a tenant that shows how bridge domains are contained inside of VRFs and how they are linked to endpoint groups and the other elements.
Figure 4-22 Endpoint Group as Part of a Tenant Application Profile
A bridge domain is not a VLAN, although it can behave similarly to one. Think of a bridge domain as a distributed switch that, on each leaf, is translated locally into a VLAN with local significance.
From a practical perspective, a bridge domain is instantiated on a particular leaf only if an endpoint connected to that leaf belongs to an endpoint group associated with the bridge domain. Each bridge domain receives a VLAN ID in the leaf switches.
The VLAN ID used is also called the platform-independent VLAN or PI VLAN. This VLAN concept is different from traditional networking and is not used to forward traffic, but as an identifier. Each PI VLAN is then linked to a VXLAN ID that will be used for forwarding purposes inside the fabric.
Endpoint groups are also assigned a PI VLAN ID that is locally significant in each leaf. This VLAN ID is different from the bridge domain's. Therefore, in Cisco ACI, several VLANs are used for endpoints inside one bridge domain.
When a subnet is defined in a bridge domain, the leaf switches are the default gateway for the endpoint groups using that subnet. If the endpoint groups have endpoints on multiple leaves, each leaf configures the default gateway. In that way, the default gateway for the endpoints is always the first switch of the fabric that is reached, also known as a pervasive gateway. This means that an SVI is configured under the VRF that represents the private network that the bridge domain is linked to. If a bridge domain has several subnets, there is only one SVI per bridge domain, but it uses secondary IP addresses.
Subnets are defined in one or more BDs that reference the corresponding VRF. The options for a subnet under a BD or under an EPG are as follows:
Advertised externally: The subnet can be exported to a routed connection.
Private: The subnet applies only within its tenant.
Shared between VRFs: The subnet can be shared with and exported to multiple VRFs in the same tenant or across tenants as part of a shared service. An example of a shared service is a routed connection to an EPG present in another VRF in a different tenant. This enables traffic to pass in both directions across VRFs. An EPG that provides a shared service must have its subnet configured under that EPG (not under a BD), and its scope must be set to advertised externally and shared between VRFs.
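To make the object relationships concrete, here is an added Python example (not from the book) that builds a tenant tree in the JSON shape posted to the APIC REST API and checks the rules stated above: every BD is linked to a VRF that exists, each subnet is defined in exactly one BD, and a subnet placed under an EPG (the shared-service case) carries both the advertised-externally and shared flags. The class names fvCtx, fvSubnet, fvAEPg, fvAp, fvRsCtx and fvRsBd and the scope flag values private/public/shared are assumed from the ACI object model rather than taken from this page; the tenant, VRF, BD, EPG names and IP addresses are constructed.

```python
def subnet(ip, *scope):  # scope flags: private | public | shared, comma-joined in the payload
    return {"fvSubnet": {"attributes": {"ip": ip, "scope": ",".join(scope)}}}

def bridge_domain(name, vrf, subnets):
    # fvRsCtx is the relation that links the BD to its VRF (every BD must have one)
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}] + list(subnets)
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": "yes"}, "children": children}}

def epg(name, bd, subnets=()):
    # fvRsBd binds the EPG to its BD; a shared-service EPG carries its own fvSubnet here
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}] + list(subnets)
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}

def tenant(name, vrfs, bds, epgs):
    vrf_objs = [{"fvCtx": {"attributes": {"name": v}}} for v in vrfs]
    ap = {"fvAp": {"attributes": {"name": "app"}, "children": list(epgs)}}
    return {"fvTenant": {"attributes": {"name": name}, "children": vrf_objs + list(bds) + [ap]}}

def check(tn):
    """Return violations of the rules stated in the text (empty list == consistent tree)."""
    kids = tn["fvTenant"]["children"]
    vrfs = {k["fvCtx"]["attributes"]["name"] for k in kids if "fvCtx" in k}
    problems, owner = [], {}  # owner maps each subnet to the single BD that defines it
    for k in kids:
        if "fvBD" in k:
            bd = k["fvBD"]["attributes"]["name"]
            for c in k["fvBD"]["children"]:
                if "fvRsCtx" in c and c["fvRsCtx"]["attributes"]["tnFvCtxName"] not in vrfs:
                    problems.append(f"BD {bd}: linked VRF does not exist in the tenant")
                if "fvSubnet" in c:
                    ip = c["fvSubnet"]["attributes"]["ip"]
                    if ip in owner:  # a subnet is contained within a single BD
                        problems.append(f"subnet {ip} defined in both {owner[ip]} and {bd}")
                    owner[ip] = bd
        for e in k.get("fvAp", {}).get("children", []):
            name = e["fvAEPg"]["attributes"]["name"]
            for c in e["fvAEPg"]["children"]:
                if "fvSubnet" in c:  # subnet under the EPG == shared service: needs public+shared
                    flags = set(c["fvSubnet"]["attributes"]["scope"].split(","))
                    if not {"public", "shared"} <= flags:
                        problems.append(f"EPG {name}: shared-service subnet must be public,shared")
    return problems

# Constructed sample: one VRF, one BD with two subnets, a plain EPG and a shared-service EPG
TENANT = tenant("Tenant1", ["VRF1"],
    [bridge_domain("BD1", "VRF1", [subnet("10.1.1.1/24", "private"), subnet("10.1.2.1/24", "public")])],
    [epg("Web", "BD1"), epg("SharedDB", "BD1", [subnet("10.9.9.1/24", "public", "shared")])])
```

check(TENANT) returns an empty list for this sample; running the same check on a tree that reuses a subnet in a second BD, links a BD to an undefined VRF, or gives an EPG-level subnet only the public flag reports each violation by name.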