
ACI L2out inband epg

msaa01986
Level 1

Hello all,

I hope all is fine.

We use APIC version 4.2, and we applied an L2Out to extend the inband EPG, but there is no reachability between the ACI and legacy parts.

No faults at all, and we set the VRF to unenforced to rule contracts out.

Has anyone tried this approach on version 4.2 or higher?


9 Replies

RedNectar
VIP

Hi @msaa01986 ,

Disclaimer: That's my personal blog that you referred to in your question.

TBH I haven't tried doing an L2Out for inband management since I wrote that article in 2016. I prefer to use an L3Out instead, and tend to avoid L2Outs altogether.

I did check Cisco's latest documentation - seems they still haven't added any documentation about L2Outs (perhaps an indication that the L2Out is going to die sometime...) so I'll try and take a look today if I get time.

In the meantime, maybe someone else has some clues...

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hello sir,

Please accept my apology for referring to your personal blog; I removed it.

Your article inspired us to go with an L2Out for the inband EPG, as it is the best for our environment.

 

Thank you so much

Hi @msaa01986 ,

Re:

"Please accept my apology for referring to your personal blog; I removed it."


there's nothing wrong with YOU referring to my blog (the more referrals the better for me) - it's only ME that shouldn't do that! Hence my disclaimer.

But back to your L2Out question - I agree with @Robert Burns when he says "I'd avoid l2outs entirely".

On the other hand, when it comes to the special inband management EPG, it is a bit tricky getting devices to communicate directly with it.  The special inband management EPG is more like a L2Out than an EPG.

I've just started wiping a spare fabric that I can test - but probably won't get a chance till tonight (I have paid work to do!)

RedNectar aka Chris Welsh.

Robert Burns
Cisco Employee
Are you doing an L2Out or an EPG static path? The latter works fine, and I'd avoid L2Outs entirely.

Robert

Hello sir,

Yes, we did an L2Out, and I think it's the only option alongside an L3Out for the special inband EPG.

Let me first ask what your goal is. What exactly are you trying to accomplish?

Robert 

I need to extend the gateway of the inband EPG to be outside of ACI.

RedNectar
VIP

OK @msaa01986 ,

I've tested the config for the L2Out on ACI v5.2(2f)

It doesn't work - as you said.

Now here's the thing.

L2Outs SUCK - they are clumsy and cumbersome and you can't even get a list of endpoints - and I'm probably NOT going to try and fix my 5 year old blog post for something that I don't think is worthwhile.

I'd urge you to try an L3Out config instead.

Sorry about that - and thanks for drawing it to my attention!

 

RedNectar aka Chris Welsh.

RedNectar
VIP

Accepted Solution

Hey @msaa01986 ,

IT WORKS!!!!!!

Just needed a little rest.

So here's what happened.  

Yesterday I completely cleared a fabric that is not being used this week (normally used for training classes)

Last night, I went through that process (the one at the site that I'm not supposed to refer to because it's MY blog) and couldn't get it to work. I reported that result here in my last post.

This morning, just for fun, I decided to give myself 5 mins of troubleshooting - only to find that ACI must have had a change of mind overnight and decided that it COULD work with an L2Out - all is working fine as per the blog post NOW.

Here is the management host (as shown in the blog post) with access to the APIC - in this case the APIC is 10.10.2.2.

[screenshot: management host reaching the APIC at 10.10.2.2]

BUT...

Even though I've verified that the process works - it was totally unconventional in that it did NOT work immediately. Clearly something had to happen before ACI decided it was OK to talk to the L2 external host - and who's to say ACI won't change its mind in the future? So I'll stick with my earlier recommendation:

Use an L3Out instead of an L2Out for inband management.  Now one more thing to think about is that if you ever integrate with Nexus Dashboard Insights (really good idea), you'll NEED to have an L3Out for your mgmt tenant.


Another approach

(which I did NOT cover in the blog) is to create a contract in the mgmt tenant (make sure it has global scope), have the inb_EPG provide that contract, AND export that same contract to ANOTHER tenant (where your management station is).

You'll also need to make sure the IP address in the inb BD is set to Shared between VRFs as well.

In the tenant where your management station (or vCenter, or whatever) lives, create an EPG and give the EPG an IP address (rather than the BD), and also mark that IP as Shared between VRFs. Have that EPG do a Consume Contract Interface and consume the inband management contract.

I hope this helps.


 

RedNectar aka Chris Welsh.
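The cross-tenant approach in the post above, expressed as the APIC REST objects it creates, as an added example that is not code from the thread, from the blog, or from Cisco. It builds the two tenant payloads (a global-scope contract provided by the inband EPG in tenant mgmt, exported to a second tenant as a contract interface, and an EPG there with its own "Shared between VRFs" subnet consuming it), checks the two settings the post calls out because getting them wrong raises no fault, and only pushes to a fabric when APIC_HOST/APIC_USER/APIC_PASS are set. The contract name, consumer tenant, application profile, EPG, bridge domain, VLAN and IP values are assumptions; the contract filter is deliberately limited to SSH and HTTPS because this contract exposes the APICs and switch management addresses to whatever consumes it. It uses only the Python standard library and leaves TLS certificate verification on.

```python
"""Added example, not code from the thread or from Cisco: build and sanity-check the
APIC REST payload for the cross-tenant inband-management approach described above.
Tenant, EPG, VLAN and IP values below are assumptions; adjust to your fabric."""
import json
import os
import ssl
import urllib.request

MGMT_TENANT = "mgmt"               # the built-in mgmt tenant
CONTRACT = "inb-mgmt"              # assumed contract name
INB_BD = "inb"                     # built-in inband BD
INB_GW = "10.10.2.1/24"            # assumed inband gateway/subnet
INB_ENCAP = "vlan-10"              # assumed inband VLAN
CONSUMER_TENANT = "ops"            # assumed tenant holding the management station
CONSUMER_AP, CONSUMER_EPG = "tools", "mgmt-stations"   # assumed names
CONSUMER_BD = "tools-bd"           # assumed to exist already in tenant ops
CONSUMER_GW = "192.168.50.1/24"    # assumed; placed on the EPG so it can be leaked
ALLOWED_TCP_PORTS = ("22", "443")  # SSH and HTTPS only; never "unspecified" for mgmt


def tcp_filter(name: str, ports=ALLOWED_TCP_PORTS) -> dict:
    """vzFilter with one vzEntry per permitted TCP destination port."""
    entries = [{"vzEntry": {"attributes": {
        "name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
        "dFromPort": p, "dToPort": p}}} for p in ports]
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def mgmt_tenant_payload() -> dict:
    """Provider side: global-scope contract, shared inb subnet, inband EPG providing it."""
    contract = {"vzBrCP": {
        "attributes": {"name": CONTRACT, "scope": "global"},  # global, or it cannot be exported
        "children": [{"vzSubj": {
            "attributes": {"name": "mgmt-access"},
            "children": [{"vzRsSubjFiltAtt": {
                "attributes": {"tnVzFilterName": f"{CONTRACT}-flt"}}}]}}]}}
    bd = {"fvBD": {"attributes": {"name": INB_BD}, "children": [
        {"fvSubnet": {"attributes": {"ip": INB_GW, "scope": "public,shared"}}}]}}
    inb = {"mgmtMgmtP": {"attributes": {"name": "default"}, "children": [
        {"mgmtInB": {"attributes": {"name": "default", "encap": INB_ENCAP}, "children": [
            {"mgmtRsMgmtBD": {"attributes": {"tnFvBDName": INB_BD}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": CONTRACT}}}]}}]}}
    return {"fvTenant": {"attributes": {"name": MGMT_TENANT},
                         "children": [tcp_filter(f"{CONTRACT}-flt"), contract, bd, inb]}}


def consumer_tenant_payload() -> dict:
    """Consumer side: imported contract interface plus an EPG with its own shared subnet."""
    cif = {"vzCPIf": {"attributes": {"name": CONTRACT}, "children": [
        {"vzRsIf": {"attributes": {"tDn": f"uni/tn-{MGMT_TENANT}/brc-{CONTRACT}"}}}]}}
    epg = {"fvAEPg": {"attributes": {"name": CONSUMER_EPG}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": CONSUMER_BD}}},
        {"fvSubnet": {"attributes": {"ip": CONSUMER_GW, "scope": "public,shared"}}},
        {"fvRsConsIf": {"attributes": {"tnVzCPIfName": CONTRACT}}}]}}
    return {"fvTenant": {"attributes": {"name": CONSUMER_TENANT}, "children": [
        cif, {"fvAp": {"attributes": {"name": CONSUMER_AP}, "children": [epg]}}]}}


def _walk(node):
    """Yield (class, attributes) for every MO in a nested APIC JSON tree."""
    for cls, body in node.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from _walk(child)


def check_shared_services(mgmt: dict, consumer: dict) -> list:
    """Return the settings that break cross-VRF reachability without raising a fault."""
    problems = []
    for cls, a in list(_walk(mgmt)) + list(_walk(consumer)):
        if cls == "vzBrCP" and a.get("scope") != "global":
            problems.append(f"contract {a.get('name')} scope must be 'global'")
        if cls == "fvSubnet" and "shared" not in a.get("scope", ""):
            problems.append(f"subnet {a.get('ip')} is not shared between VRFs")
    return problems


def _post(apic: str, path: str, body: dict, cookie: str = "") -> dict:
    """POST JSON to the APIC with certificate verification left on."""
    req = urllib.request.Request(f"https://{apic}{path}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={cookie}"}, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    problems = check_shared_services(mgmt_tenant_payload(), consumer_tenant_payload())
    assert not problems, problems
    if os.environ.get("APIC_HOST"):  # only talk to a fabric when explicitly asked
        tok = _post(os.environ["APIC_HOST"], "/api/aaaLogin.json", {"aaaUser": {"attributes": {
            "name": os.environ["APIC_USER"], "pwd": os.environ["APIC_PASS"]}}})
        cookie = tok["imdata"][0]["aaaLogin"]["attributes"]["token"]
        for p in (mgmt_tenant_payload(), consumer_tenant_payload()):
            _post(os.environ["APIC_HOST"], "/api/mo/uni.json", p, cookie)
    else:
        print(json.dumps([mgmt_tenant_payload(), consumer_tenant_payload()], indent=2))
```

A POST to /api/mo/uni.json merges into the existing tree, so the built-in mgmt tenant, inb BD and default in-band EPG keep their other children; the consumer bridge domain is assumed to exist and stay in its own VRF, the leak happening through the EPG-level shared subnet. If the APIC still presents a self-signed certificate, install a trusted one (or add the CA to the client trust store) rather than switching verification off for the management plane.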
