Tuesday, 15 July 2025

Understanding VLAN Pool Roles in Cisco ACI - Internal vs External or On-the-Wire

 


In Cisco ACI, VLAN pools are used to define ranges of VLAN IDs that can be assigned to endpoints. Each VLAN range must be assigned a role, which determines how the VLANs are used within the fabric. There are two primary roles: 'Internal' and 'External or On-the-Wire'. This blog post explains the differences between these roles, their behaviors, and typical use cases.

1. Internal VLAN Pool Role

The 'Internal' role is used for VLANs that are strictly for intra-fabric communication. These VLANs are not exposed outside the ACI fabric and are used for internal encapsulation and mapping EPGs to VXLAN VNIDs.

Use Cases:

· EPG-to-EPG communication within the fabric
· Service chaining (Service Graphs, etc.) or internal-only applications
· Isolated tenants or test environments

2. External or On-the-Wire VLAN Pool Role

The 'External or On-the-Wire' role is used for VLANs that are visible outside the ACI fabric. These VLANs are preserved on the wire and are used for external connectivity such as L2Out, L3Out, bare-metal servers, and VMM domains.

Use Cases:

· Integration with legacy VLAN-based networks
· VMM integration where VLANs must match hypervisor configurations
· Bare-metal servers requiring specific VLANs

Summary Comparison

| Role | Visibility | VLAN ID Preservation | Typical Use Case |
|---|---|---|---|
| Internal | Fabric-only | No | Internal EPGs, service chaining, isolated tenants |
| External or On-the-Wire | Exposed on physical wire | Yes | L2/L3Out, VMM, bare-metal, legacy integration |
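
One way to audit the roles described above (an added example, not code from the original post or from Cisco): the script reads VLAN encap blocks in the JSON shape the APIC returns for the fvnsEncapBlk class, where the role attribute is "internal" or "external", and reports VLAN IDs that appear under both roles. The sample data is constructed, and treating such an overlap as worth reviewing is an assumption drawn from the post's statement that internal VLANs are not exposed outside the fabric.

```python
import json
import re

# Constructed sample shaped like an APIC reply to GET /api/class/fvnsEncapBlk.json; names invented.
SAMPLE = json.dumps({"imdata": [
    {"fvnsEncapBlk": {"attributes": {"from": "vlan-100", "to": "vlan-199", "role": "external",
        "dn": "uni/infra/vlanns-[BareMetal_Pool]-static/from-[vlan-100]-to-[vlan-199]"}}},
    {"fvnsEncapBlk": {"attributes": {"from": "vlan-200", "to": "vlan-299", "role": "external",
        "dn": "uni/infra/vlanns-[VMM_Pool]-dynamic/from-[vlan-200]-to-[vlan-299]"}}},
    {"fvnsEncapBlk": {"attributes": {"from": "vlan-180", "to": "vlan-210", "role": "internal",
        "dn": "uni/infra/vlanns-[Test_Pool]-static/from-[vlan-180]-to-[vlan-210]"}}},
]})
POOL_RE = re.compile(r"vlanns-\[(.+?)\]-(?:static|dynamic)/")

def vlan_id(encap):
    """Turn 'vlan-123' into 123, rejecting anything outside 1-4094."""
    m = re.fullmatch(r"vlan-(\d+)", encap)
    if not m or not 1 <= int(m.group(1)) <= 4094:
        raise ValueError(f"bad VLAN encap: {encap!r}")
    return int(m.group(1))

def parse_blocks(text):
    """Return one record per encap block: pool, start, end, role."""
    blocks = []
    for item in json.loads(text)["imdata"]:
        a = item["fvnsEncapBlk"]["attributes"]
        if a["role"] not in ("internal", "external"):
            raise ValueError(f"unknown role {a['role']!r} in {a['dn']}")
        start, end = vlan_id(a["from"]), vlan_id(a["to"])
        if start > end:
            raise ValueError(f"inverted range in {a['dn']}")
        pool = POOL_RE.search(a["dn"])
        blocks.append({"pool": pool.group(1) if pool else a["dn"],
                       "start": start, "end": end, "role": a["role"]})
    return blocks

def role_conflicts(blocks):
    """VLAN IDs that fall in both an internal and an external block."""
    hits = []
    for i in (b for b in blocks if b["role"] == "internal"):
        for e in (b for b in blocks if b["role"] == "external"):
            lo, hi = max(i["start"], e["start"]), min(i["end"], e["end"])
            if lo <= hi:
                hits.append((i["pool"], e["pool"], lo, hi))
    return hits

if __name__ == "__main__":
    for internal, external, lo, hi in role_conflicts(parse_blocks(SAMPLE)):
        print(f"VLANs {lo}-{hi}: internal in {internal}, on the wire in {external}")
```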
