Bridge domains represent the Layer 2 forwarding domains within the fabric and define the unique MAC address space and flooding domain for broadcast, unknown unicast, and multicast frames. Each bridge domain is associated with only one VRF instance, but a VRF instance can be associated with multiple bridge domains. Unlike a regular VLAN, which is usually associated with a single subnet, a bridge domain can contain multiple subnets.
Subnets are the Layer 3 networks that provide IP address space and gateway services for endpoints to be able to connect to the network. Each subnet is associated with only one bridge domain. Subnets can be the following:
Public: A subnet can be exported to a routed connection.
Private: A subnet is confined within its tenant.
Shared: A subnet can be shared and exposed in multiple VRF instances in the same tenant or across tenants as part of a shared service.
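The relationships just described (one VRF per bridge domain, many bridge domains per VRF, many subnets per bridge domain, each subnet carrying a public/private/shared scope) can be captured in a small model that checks those constraints, renders the nested APIC REST payload, and lists which subnets leave their VRF. This is an added example, not code from the book or from Cisco. The managed-object class names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet) and the fvSubnet scope attribute follow the public APIC object model; the helper names, the rule that a subnet is either public or private (optionally also shared), and the sample tenant data are assumptions constructed for the example.

```python
"""Added example: model ACI tenant networking objects (VRF -> bridge
domain -> subnet) and emit the APIC REST JSON shape.

Illustrative code, not from the book or Cisco. MO class names follow the
public APIC object model; everything else is constructed for this example.
"""
from dataclasses import dataclass, field

VALID_SCOPES = {"public", "private", "shared"}   # values of fvSubnet.scope


@dataclass
class Subnet:
    gateway: str          # gateway address with prefix, e.g. "10.1.1.1/24"
    scopes: frozenset     # subset of VALID_SCOPES, e.g. {"private", "shared"}


@dataclass
class BridgeDomain:
    name: str
    vrf: str              # exactly one VRF per bridge domain
    subnets: list = field(default_factory=list)   # zero or more subnets


@dataclass
class Tenant:
    name: str
    vrfs: set = field(default_factory=set)        # VRF names (fvCtx)
    bds: list = field(default_factory=list)       # bridge domains (fvBD)


def validate(tenant):
    """Return a list of violations of the relationships the text states.

    Every bridge domain must reference exactly one VRF that exists in the
    tenant, and every subnet must carry a valid scope set that is either
    public or private (assumption: the two are mutually exclusive; shared
    may be combined with either).
    """
    errors = []
    seen_bd = set()
    for bd in tenant.bds:
        if bd.name in seen_bd:
            errors.append(f"duplicate bridge domain {bd.name}")
        seen_bd.add(bd.name)
        if bd.vrf not in tenant.vrfs:
            errors.append(f"BD {bd.name} references unknown VRF {bd.vrf}")
        for sn in bd.subnets:
            bad = sn.scopes - VALID_SCOPES
            if bad:
                errors.append(f"subnet {sn.gateway} has invalid scope {sorted(bad)}")
            if len(sn.scopes & {"public", "private"}) != 1:
                errors.append(f"subnet {sn.gateway} must be public or private, not both or neither")
    return errors


def to_apic_json(tenant):
    """Render the tenant as the nested APIC REST payload (dict form).

    The fvBD child fvRsCtx.tnFvCtxName is the one-VRF-per-BD relationship;
    fvSubnet.scope is the comma-joined scope set.
    """
    children = [{"fvCtx": {"attributes": {"name": v}}} for v in sorted(tenant.vrfs)]
    for bd in tenant.bds:
        bd_children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": bd.vrf}}}]
        for sn in bd.subnets:
            bd_children.append({"fvSubnet": {"attributes": {
                "ip": sn.gateway, "scope": ",".join(sorted(sn.scopes))}}})
        children.append({"fvBD": {"attributes": {"name": bd.name},
                                  "children": bd_children}})
    return {"fvTenant": {"attributes": {"name": tenant.name}, "children": children}}


def externally_reachable_subnets(tenant):
    """List (bd, gateway, scope) for subnets that are reachable outside
    their own VRF: public ones can be advertised over a routed connection,
    shared ones are exposed to other VRFs. Handy when reviewing exposure."""
    out = []
    for bd in tenant.bds:
        for sn in bd.subnets:
            if sn.scopes & {"public", "shared"}:
                out.append((bd.name, sn.gateway, ",".join(sorted(sn.scopes))))
    return out


def sample_tenant():
    """Constructed sample: one VRF, two bridge domains, three subnets."""
    t = Tenant("Tenant-A", vrfs={"VRF-1"})
    t.bds.append(BridgeDomain("BD-Web", "VRF-1", [
        Subnet("10.1.1.1/24", frozenset({"public"})),
        Subnet("10.1.2.1/24", frozenset({"private"})),      # second subnet in the same BD
    ]))
    t.bds.append(BridgeDomain("BD-DB", "VRF-1", [
        Subnet("10.2.1.1/24", frozenset({"private", "shared"})),
    ]))
    return t


if __name__ == "__main__":
    import json
    t = sample_tenant()
    print("violations:", validate(t))
    print("exposed:", externally_reachable_subnets(t))
    print(json.dumps(to_apic_json(t), indent=2))
```

Run it directly to see the rendered payload; the `fvRsCtx` child under each `fvBD` is what binds the bridge domain to its single VRF, and the scope string on each `fvSubnet` is what decides whether the subnet stays private, is advertised externally, or is leaked to other VRFs.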
External bridged networks connect the ACI fabric to legacy Layer 2/Spanning Tree Protocol networks. This is usually needed as part of the migration process from a traditional network infrastructure to an ACI network.
External routed networks create a Layer 3 connection with a network outside the ACI fabric. Layer 3 external routed networks can be configured using static routes or routing protocols such as BGP, OSPF, and EIGRP.
The tenant policy objects are focused on the policies and services that the endpoints receive. The tenant policy consists of application profiles, endpoint groups (EPGs), contracts, and filters. Figure 9-6 shows how the tenant policy objects, application profiles, and EPGs are organized in different bridge domains.