Share L3 out Configuration

aurlienperrot · ‎04-10-2020

Hello Guys,

I need some help with the ACI configuration. I work on an ACI fabric for a school project and I block on one point of the configuration, so I hope to find some help here.

I want to mount one external L3 out connection to internet and then shared it with the Tenant of the fabric. I start configuring an L3 connection for each Tenant of my fabric and then I think that it will be more practical if I create one connection and then shared it. But obviously, if I’m here I have an issue with that.

I explain my problem :

I have two separates Tenants (A and B), both with Web EPG.
On both, I have one Bridge domain defined with one subnet (192.168.1.254/24) for example). This subnet scope is: Advertised externally and shared between VRFs.
I have the common Tenant with no EPG, and no subnet defined.
I mount an L3 Out connection on the common Tenant, with the external EPGs, 0.0.0.0/0 defined. The scope of this External EPG is :
- External subnets for the external EPG
- Shared route Control Subnet
- Shared Security Import Subnet
- Aggregate Shared
I used EIGRP between my Tenant and my router.
I create a contract with the global scope, I provide this contract on the external EPG on the common EPG, then I consume IT on Tenant A and B.
I configure the spine of my fabric as Route Reflector.

But I have no connection to the outside world. And when I check the route on the common Tenant, I do not see the 192.168.1.254/24 network.

So, if you have any idea about the issue or any advice, I would be glad to hear them!

Best regards

Sergiu.Daniluk · ‎04-10-2020

Hello,

Here are a couple of things that might need some closer look:

1. You mentioned: On both (a.n. Tenants), I have one Bridge domain defined with one subnet (192.168.1.254/24) for example).

Do you mean you have both BDs configured with the same IP address, and you want both Tenants/BDs to use the same shared L3Out? If yes, then I need to point out that shared L3Out can only be used in conjunctions with services that have User-Tenant -> Common-Tenant communication, and no the reverse. Why you might ask? Because the subnets overlap. If you need bidirectional communication with Shared L3out, then you have to change the subnet.

2. This subnet scope is: Advertised externally and shared between VRFs

I do not see it mentioned explicitly, and I would prefer to not assume, though from the context of your post it seems to be like that: you have different VRFs for L3Out, TenantA-BD and TenantB-BD, right?

3. Have you associated the L3Out to the BD subnet? (Tenant -> Network -> Bridge Domain -> BD1 -> Policy -> L3 Configuration -> Associated L3Outs)

4. Do you see the routes learned from L3Out into the user-tenant vrf?

Regards,

Sergiu

aurlienperrot · ‎04-12-2020

Hello,

Thanks for your answer, I hope I will correctly respond to your questions

I have the Tenant A, with one Bridge domain with the subnet 192.168.1.254/24 and the tenant B with a Bridge domain the subnet 192.168.2.254/24 defined. Ans I want if it’s possible to use the L3 defined one the tenant common for these two tenants.
Yes I have two different VRF one on the tenant A (VRF-A) and one on the tenant B (VRF-B)
I do not associate the L3 out on the Bridge domain subnet.
No I do not see routes learned on Tenant A VRF.

Best Regards

Sergiu.Daniluk · ‎04-13-2020

Hi,

You need to associate the L3Out under the BD, but this is one step ahead, because this action is needed for BL to advertise the BD subnet out of the fabric. Problem in your case is that routes are not learned between VRFs.

Let's go further with the investigation:

1/ Do you see any faults associated to L3Out / BDs / VRFs in question? If yes, share them here.

2/ What contract and filter are you using (share all details about them, including flags)?

3/ What routing protocol do you use in your L3Out?

Regards,

Sergiu

aurlienperrot · ‎04-13-2020

Hello,

Sorry for my response time, but I had to be in my school to get access to the fabric.

So, for the first point, I have only to faults on my bridge domain, on the user tenant with the descriptions bellow:

Failed to form relation to MO prof-default of class rtctrlProfile in context uni/tn-A/out-Shared-L3 ( Fault code F0977)
Failed to form relation to MO out-Shared-L3 of class l3extOut in context (Fault Code F0947)

For the second point, I have a contract with no TAG and no filter, I want to allow everything in the first time, maybe in a second time, I will restrict the activity.

For the third point, I use EIGRP between the fabric and my external router, I configure my router, and I see my fabric as a neighbor in it.

My response time should be improve, I have now a VPN to connect to my fabric due to Covid-19 I can’t go to school because everything is closed on my country.

Best regards,

Aurélien

Sergiu.Daniluk · ‎04-14-2020

Hey @aurlienperrot ,

Indeed, we live in a difficult period period now, but we must stay strong and keep the social distancing to slow the spread.

Coming back to your scenario, you need to specify a filter in your contract for routes to be redistributed between VRFs.

Also, from traffic perspective, if you do not create any filters in your contract, the contract will not allow anything. Remember, the ACI fabric works in a whitelist model, meaning it will allow what you explicitly specify. So start by adding IP (to allow anything) then you will progress to more specific filters.

The faults do not look ok, but I am happy to help you resolving them. I will ping you on private.

Regards,

Sergiu

aurlienperrot · ‎04-14-2020

Hello,

I had the default filter and the ICMP filter to the contract. I don’t know if it’s enough.

I do not see where I can add an IP in my contract, if you could help me on this point it will be nice from you.

I saw your private message, I answer you !

Best regards,

Aurélien