
ACI - Route Leaking

Amal Ahmadov
Level 1

Hi guys,

Need some inputs regarding my thoughts.

I have 2 L3outs (L3out-A and L3out-B) in VRF-01 and one server in VRF-02. 10.111.10.0/24 is learnt and mapped to L3out-A in VRF-01. The server in VRF-02 needs to learn 10.111.10.0/24 too. VRF Leaking will achieve this. To make VRF Leaking work, we need to assign contracts. But my question is: if I add a contract to the external EPG where 10.111.10.0/24 is mapped in VRF-01, will it negatively affect the communication between the other normal EPGs in VRF-01 (no contracts, just Preferred Group include) and this external EPG in VRF-01?


Thanks in advance!


4 Replies

RedNectar
VIP

Hi @Amal Ahmadov ,

I'm sorry no-one has answered this - but let's hope I can fix that today.

Route leaking is a tricky business, but let me start by suggesting you see if you can find the Cisco Live session BRKACI-3101. It has a wealth of information.

Perhaps the reason no-one answered is you didn't do a picture. I can't even begin to think about this without a picture, so let me add one (stolen from BRKACI-3101 mentioned above, then modified)

image.png

From your description, (like a Cisco exam question) L3Out-B is just a distraction - UNLESS you are learning 0.0.0.0/0 from both L3Out-A and L3Out-B. But you didn't say that.

Preferred groups have nothing to do with contracts and are local to the VRF, so the contract (as described in the diagram) will have no effect on the Preferred groups.

Does this answer the question?

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi Chris,

Thank you very much for your inputs. Special thanks for your other ACI articles. They are all very helpful and insightful. I apologize for not including the picture visualizing my question. I will take your advice into consideration in my further questions regarding ACI. I would also like to apologize for my late response. I was reading BRKACI-3101.

I just added some additional elements to the diagram.

ACI-VRF-Leaking-cisco-community.png

Am I right that there will be no problem with data communication between EPGs in VRF_01 and the L3Out_A external EPG after I apply a contract to the external EPG to leak the route? I think slides 161-162 from BRKACI-3101 explain it. I would appreciate your input.

What about the default route? I know that weird subnets (0.0.0.0/1 and 128.0.0.0/1) were mapped to the external EPG. Do I need to create a new external EPG under L3out_B, map it to 0.0.0.0/0 and leak it with a contract into VRF_02? Or is there another method to leak the default route?

And the last question. If I leak the default route from VRF_01 into VRF_02, then I do not need to leak specific subnets? VRF_02 will send all the traffic to VRF_01 and VRF_01 will route it according to its routing table. Am I right here?

Thank you very much in advance! Take care and stay safe!

To be honest, I'm still not exactly 100% sure WHAT you are trying to achieve, i.e., which EPGs do you want to communicate, and which EPGs do you wish to be NOT allowed to communicate.

You've asked a lot of "can I do this?", "what happens if I do...?" questions, but you haven't actually stated WHAT you WANT to happen.

You have 6 EPGs described:

  1. EPG-A in VRF_01
  2. EPG-B in VRF_01
  3. EPG-C in VRF_01
  4. an L3EPG for L3Out_A in VRF_01 [BADLY labelled on my original diagram as 10.111.10.0:24_L3Out - it SHOULD have been 10.111.10.0:24_L3EPG - so from now on I'll refer to it as ext1 to match the labelling of the L3EPG for L3Out_B]
  5. an L3EPG for L3Out_A in VRF_01 - labelled on the diagram as ext2
  6. EPG02 in VRF_02

Here's a new picture: image.png

All the EPGs in VRF_01 can communicate because they are all in the Preferred Group for VRF_01 - however, the external L3EPGs (ext1 and ext2) will not be able to communicate with the internal EPGs unless you make sure the internal subnets of EPG-A, EPG-B and EPG-C are advertised externally AND the corresponding BDs for these EPGs are linked to L3OUT_A and/or L3OUT_B as required.

Furthermore, if you want ext1 to communicate with ext2 - you will need to set up transit routing between the two L3Outs.

You have NOT said you want EPG02 in VRF_02 to be able to communicate with anything except ext1; however, your question HINTS at the possibility of wanting EPG02 to communicate with ext2.

Let's see if I can answer your questions.

Am I right that there will be no problem with data communication between EPGs in VRF_01 and the L3Out_A external EPG after I apply a contract to the external EPG to leak the route?

If you mean 

... between EPGs in VRF_01 and L3Out_A external EPG after I apply contract between EPG02 and L3Out_A external EPG (ext1)

Then no - the route leaking part won't affect anything in VRF_01. But as I said above, you'll need to mark your subnets as [x] Advertised externally for the external router for L3Out_A to learn them.

 

What about the default route? ... Do I need to create a new external EPG under L3out_B and map it to 0.0.0.0/0?

No new external EPG required for route leaking - your External L3EPG for L3Out_B (ext2) includes ALL IP addresses with the existing two prefixes. Don't complicate things by adding more. The 0.0.0.0/1 and 128.0.0.0/1 prefixes are a long story, just leave them as they are.

Do I need to create a new external EPG under L3out_B, map it to 0.0.0.0/0 and leak it with a contract into VRF_02?

No, you don't need to create a NEW external EPG under L3out_B - the one you have already will do just fine - for the purposes of route-leaking.

Or is there another method to leak the default route?

You are confusing routes with L3EPGs.

L3EPGs define a set of IP addresses with which you wish to communicate - much like ACLs.

And just like ACLs have nothing to do with routes, L3EPGs have nothing to do with routes.

If the external router advertises 0.0.0.0/0, then it will be redistributed into VRF_01 - but you are using a static route - for that I need to do an experiment, but I think that will work too. I'll edit this post when I find out for sure.

HOWEVER - if you want the contract to allow communication with specific IP subnets/prefixes - and not the entire 0.0.0.0/0 world, or the part of the 0.0.0.0/0 world that exists via L3OUT_B, then you will need to create another L3EPG to define those, and put your contract between it and whatever you wish it to communicate with.

If I leak the default route from VRF_01 into VRF_02, then I do not need to leak specific subnets?

Correct. So long as you DO add a contract between ext2 and EPG02 in VRF_02.

VRF_02 will send all the traffic to VRF_01 and VRF_01 will route it according to its routing table. Am I right here?

Hold on. I'm lost now.

VRF_02 will not "send" traffic anywhere unless:

  1. it knows the route to the destination
  2. there is a contract that allows traffic to go to that destination

And it's not VRF_02 that "sends" traffic. It is the leaf switches - sooooo many people get confused about traffic flow in ACI - remember every policy in ACI is implemented by the leaves - you have to look at all traffic flows from the viewpoint of the relevant leaf.

I'm out of time - got to post this now.

I hope this helps.


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.



RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
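To make the two checks in the accepted answer concrete (the source VRF must hold a route to the destination, and the Preferred Group or a contract must permit source EPG to destination EPG), here is an added Python model. It is not part of the thread and is not ACI code: EPG, VRF and L3Out names follow the diagram, the internal BD subnets, the 8.8.8.8 test address and the 192.0.2.0/24 prefix are constructed, the leaking rule is a simplification (a cross-VRF contract copies each side's prefixes into the other VRF as routes pointing back at the owning VRF, with ACI's per-subnet scope flags omitted), and the narrow ext3 L3EPG is a hypothetical added to illustrate the "create another L3EPG to define those" advice.

```python
"""Illustrative model of the two checks a leaf applies before forwarding a
routed flow: (1) the source VRF must hold a route to the destination, and
(2) policy (Preferred Group or a contract) must permit src EPG -> dst EPG.
Constructed example, not ACI code."""
import ipaddress


def longest_match(table, ip):
    """Return (network, value) for the longest prefix in table containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


class Fabric:
    def __init__(self):
        self.vrf_of = {}        # epg -> vrf
        self.prefixes_of = {}   # epg -> prefixes it classifies
        self.routes = {}        # vrf -> {prefix: next hop (EPG, L3Out or VRF)}
        self.classes = {}       # vrf -> {prefix: epg}  (ACL-like classification)
        self.preferred = {}     # vrf -> EPGs in that VRF's Preferred Group
        self.contracts = set()  # frozenset({epg_a, epg_b})

    def _register(self, name, vrf, prefixes, preferred):
        self.vrf_of[name] = vrf
        self.prefixes_of[name] = list(prefixes)
        self.routes.setdefault(vrf, {})
        cls = self.classes.setdefault(vrf, {})
        for p in prefixes:
            cls[p] = name
        if preferred:
            self.preferred.setdefault(vrf, set()).add(name)

    def add_epg(self, name, vrf, subnet, preferred=False):
        """Internal EPG: its BD subnet is both a route and a classification."""
        self._register(name, vrf, [subnet], preferred)
        self.routes[vrf][subnet] = name

    def add_l3epg(self, name, vrf, prefixes, preferred=False):
        """External EPG: prefixes classify traffic like an ACL; no routes."""
        self._register(name, vrf, prefixes, preferred)

    def add_contract(self, a, b):
        """Contract a<->b. Across VRFs it also leaks each side's prefixes into the
        other VRF (simplified: ACI's per-subnet scope flags are omitted)."""
        self.contracts.add(frozenset((a, b)))
        if self.vrf_of[a] != self.vrf_of[b]:
            self._leak(a, self.vrf_of[b])
            self._leak(b, self.vrf_of[a])

    def _leak(self, epg, into_vrf):
        for p in self.prefixes_of[epg]:
            self.routes.setdefault(into_vrf, {})[p] = self.vrf_of[epg]
            self.classes.setdefault(into_vrf, {})[p] = epg

    def _permitted(self, vrf, src, dst):
        group = self.preferred.get(vrf, set())
        return (src in group and dst in group) or frozenset((src, dst)) in self.contracts

    def check(self, src_epg, dst_ip):
        """Decide a flow as the ingress leaf would: route first, then policy."""
        vrf = self.vrf_of[src_epg]
        hit = longest_match(self.routes.get(vrf, {}), dst_ip)
        if hit is None:
            return ("drop", f"no route to {dst_ip} in {vrf}")
        next_hop, seen = hit[1], {vrf}
        # A leaked route points at the owning VRF; resolve there to find egress.
        while next_hop in self.routes and next_hop not in seen:
            seen.add(next_hop)
            hit = longest_match(self.routes[next_hop], dst_ip)
            if hit is None:
                return ("drop", f"no route to {dst_ip} in {next_hop}")
            next_hop = hit[1]
        cls = longest_match(self.classes.get(vrf, {}), dst_ip)
        if cls is None:
            return ("drop", f"{dst_ip} matches no EPG in {vrf}")
        if not self._permitted(vrf, src_epg, cls[1]):
            return ("drop", f"no contract {src_epg}<->{cls[1]}")
        return ("permit", f"{src_epg}->{cls[1]} via {next_hop}")


def build_fabric():
    """Constructed topology following the thread's diagram (subnets invented)."""
    f = Fabric()
    for name, subnet in (("EPG-A", "10.1.1.0/24"), ("EPG-B", "10.1.2.0/24"),
                         ("EPG-C", "10.1.3.0/24")):
        f.add_epg(name, "VRF_01", subnet, preferred=True)
    f.add_epg("EPG02", "VRF_02", "10.2.0.0/24")
    f.add_l3epg("ext1", "VRF_01", ["10.111.10.0/24"], preferred=True)
    f.add_l3epg("ext2", "VRF_01", ["0.0.0.0/1", "128.0.0.0/1"], preferred=True)
    f.routes["VRF_01"]["10.111.10.0/24"] = "L3Out_A"  # learned via L3Out_A
    f.routes["VRF_01"]["0.0.0.0/0"] = "L3Out_B"       # static default
    return f
```

Running `build_fabric()` and then `add_contract("EPG02", "ext1")` shows the answer's points in order: before the contract, VRF_02 has no route to 10.111.10.0/24 and the flow is dropped; after it, EPG02 reaches 10.111.10.5 via L3Out_A while EPG-A's existing Preferred Group flows to ext1 are unchanged; EPG-A gains a leaked route to EPG02's subnet but is still dropped because neither the Preferred Group (VRF-local) nor a contract covers EPG-A<->EPG02. Adding `add_contract("EPG02", "ext2")` hands VRF_02 the /1 pair, so 8.8.8.8 now resolves through VRF_01's default to L3Out_B with no specific subnet leaked. A narrower hypothetical L3EPG (ext3 for 192.0.2.0/24) with its own contract leaks only that prefix, and, being the longer match, also reclassifies that prefix for the VRF_01 EPGs, which lose Preferred Group reachability to it unless a contract is added.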

Hi Chris,

Sorry for my late response. Was busy. I am grateful to you for having time and asking all my questions thoroughly. Helped me to add some bits to my ACI knowledge.

Thank you very much!

Best regards,

Amal
