Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2388
Views
0
Helpful
3
Replies

ACI L3 inter Tenant

Chris010
Level 1
Level 1

‎07-23-2019 10:49 AM

Hello,

 

Why my EPG "Apache" from my Tenant PROD cannot communicate with my L3 OUT (RO) configured in my Tenant common ?

 

My EPG provide PING/HTTP contract (global shared) and my EN_L3_OUT consume it (consumed contract interface because its a import from Tenant Prod)

I can ping my L3 out from my Tenant COMMON but not from my Tenant PROD

I can ping SVI node profile leaf interface from COMMON and not from PROD.

 

Best regards

0 Helpful
3 Replies 3

Jayesh Singh
Cisco Employee
Cisco Employee

‎07-23-2019 06:10 PM

Hi Chris,

I am assuming your internal EPG and L3out are in 2 different tenants and VRFs as well.

Need you to check two things:

1. In external EPG (networks section) under L3 out config, can you please check if you have following tick marks enabled for external prefixes ---> "shared route control subnet" and "shared security import subnet" (by default, only one tick mark is enabled i.e. external subnets for external epg). Enable them if not already.

2. Do you have tick marks enabled for "advertised externally" and "shared between VRFs" for subnets under BD which is associated with "Apache" EPG in "PROD" tenant. Enable them if not already.

Often these are the knobs to check in a broken Shared L3out setup.

Best Regards,

Jayesh

 

***Rate all posts that are helpful. Mark it as a solution if that solves your problem, it may help other users who have the same query.***

0 Helpful

Chris010
Level 1
Level 1
In response to Jayesh Singh

‎07-24-2019 04:42 AM

Hi Jayesh,

 

1. In external EPG (networks section) under L3 out config, can you please check if you have following tick marks enabled for external prefixes ---> "shared route control subnet" and "shared security import subnet" (by default, only one tick mark is

 

-> IT's OK, all Tick are marked as enabled

 

enabled i.e. external subnets for external epg). Enable them if not already.

2. Do you have tick marks enabled for "advertised externally" and "shared between VRFs" for subnets under BD which is associated with "Apache" EPG in "PROD" tenant. Enable them if not already.

 

-> IT's OK

 

I can't find my External Network IP in my VRF_PROD and also in my VRF_COMMON, I only see my SVI IP
I can ping my External EPG from VRF COMMON but not from VRF PROD

 

Externally,  I found echo request echo reply from my EPG APACHE (thanks to tcpdum) when I ping from L3out computer but  nI dont see echo reply. routing problem on VRF

 

Thanks for your help

0 Helpful

gkumark
Cisco Employee
Cisco Employee

‎07-25-2019 11:09 AM

Hi Chris,

 

You can refer to https://community.cisco.com/t5/data-center-documents/aci-inter-vrf-tenant-route-leaking-configuration-example/ta-p/3221879 

 

Looks like you haven't configured the subnet under the provider EPG which is required. Other way would be to provide and consume the contract in EPG and external EPG. 

 

-Ganesh

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License