topic Re: Issue Configuring L3 Handoff on second border node on same VLAN in Software-Defined Access (SD-Access)

Issue Configuring L3 Handoff on second border node on same VLAN

techno.it — Fri, 22 Nov 2024 00:40:04 GMT

Hello Everyone,

We are building an SDA network with two separate border and control plane nodes ( collated both roles on same device) that are connected by BGP to a fusion firewall (Active/Standby). When DNAC configures the L3 border handoff, I provided manual /29 subnet between the Border Node and the external device. There is a L2 trunk between the border nodes and from each border node there is a L2 trunk towards the firewall. I want to use the same transit VLAN on both Border nodes for the connection with the firewall. BN1 and Firewall already have L3 handoff configured with VLANs 3001 for VRF-X. When attempting to create an L3 handoff between BN2 and Firewall using the same transit VLAN 3001, DNAC throws an error message "

"Layer 3 Handoff VLAN 3002 is already being used for another Layer 3 Handoff. Change the VLAN and retry."

Any suggestions what could be the issue?

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Fri, 22 Nov 2024 07:28:14 GMT

i've totally forgotten about this limitation of the DNAC. u need to configure L3-handoff on the BN|CP#2 manually.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Torbjørn — Fri, 22 Nov 2024 08:39:28 GMT

Alternatively you can use separate VLANs per border node.

Are your borders connected directly to your fusion nodes? If not you should keep in mind that STP could become an issue.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Fri, 22 Nov 2024 09:14:53 GMT

he has intermediate L2-switch in the middle. it's exactly for the purpose to simplify BN|CP<>FN peering. STP has nothing to do with this issue. it's limitation of DNAC to produce multiple peering in the same L3-handoff VLAN.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

techno.it — Fri, 22 Nov 2024 10:29:29 GMT

That's correct. We have Nexus vPC for L2 transit and making adjacency between Border and Fusion Firewall.

Kindly confirm and to be precise, what is the exact manual config needs to be done on borders to overcome this.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Fri, 22 Nov 2024 11:34:13 GMT

BGP. it will be similar to one u have on BN|CP#1 but with use of BN|CP#2 specific IPs.
Another option would be to fallback to double peering from FW side in 2 different VLANs (per BN|CP). Quick Q: does your FW A/S require unique IPs for A & S units per directly attached subnet? if so, then u have to stay with /29 per transfernet per BN|CP.

UPD: try to trick DNAC & provide dummy not used VLAN for the L3-handoff for BN|CP#2. May be even in different subnet & then via configuration preview grab stuff which DNAC prepared & discard L3-handoff workflow. then tweak collected config with IP's/VLANs u need & apply it manually

Re: Issue Configuring L3 Handoff on second border node on same VLAN

techno.it — Fri, 22 Nov 2024 18:53:38 GMT

Good idea @Andrii Oliinyk Thank you for the suggestion.

Thank you @Torbjørn for your inputs as well.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Torbjørn — Sat, 23 Nov 2024 12:42:33 GMT

I agree that this mainly is a question regarding how to handle the handoff configuration.

I do however think @techno.it should account for STP when planning his handoff in this case. Convergence could be limited by STP if the L2 topology results in blocking ports, which sounds like it would be the case if there's L2 switching over the trunk between the border nodes. This can be avoided by either converting the link between the borders to routed links, or he could manually prune the VLANs such that there won't be any blocking ports in the STP topology. Please do correct me if you see something that I don't regarding this @Andrii Oliinyk.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Sat, 23 Nov 2024 13:00:12 GMT

not sure it worth any discussing coz whatever L2 in the middle he will switch dedicated VLAN(s) with only 2 isls (per BN|CP) connected to vPC. do u think STP will block any of ports connected to FW & BN|CPs keeping in mind that BN|CPs have no isl between them?

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Torbjørn — Sat, 23 Nov 2024 13:25:12 GMT

From the original post: "There is a L2 trunk between the border nodes and from each border node there is a L2 trunk towards the firewall. I want to use the same transit VLAN on both Border nodes for the connection with the firewall.". I interpret this as that the link between his borders are regular trunks carrying the handoff VLANs as well.

Assuming that the connected switch/another upstream switch being the root bridge for the handoff VLANs. Wouldn't this result in one of the ports on the link between the border nodes to be in blocking state during regular operation and rely on STP convergence in case of certain failure states? It might not matter for all I know, I might just be making faulty assumptions as I haven't tried configuring the handoff in this specific manner before.

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Sat, 23 Nov 2024 13:46:21 GMT

it seems to be worthless dispute. "Wouldn't this result in one of the ports on the link between the border nodes" - No, there is no L2 links between BN|CPs

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Torbjørn — Sat, 23 Nov 2024 13:54:56 GMT

I misinterpreted the OP.
No L2 link = no issue. Thank you for clarifying!

Re: Issue Configuring L3 Handoff on second border node on same VLAN

Andrii Oliinyk — Sat, 23 Nov 2024 14:03:56 GMT

no issues. hopefully u will help me some day with API'ing SDA - i have a lot of challenges exactly there :0)