ACI Static L3 Out : Issue

jwendling
Level 1

Hello,

My setup is as follows:

we are using a network centric approach so each endpoint is in a single bridge domain (bd is the default gw for each endpoint) and single epg which encaps the specific vlan (static path). The internal connection within the Fabric is permitted, so I created a contract between the EPGs that allows all connections.

Everything is in the same VRF, and the router (Cisco 881) is configured as a routed interface (external routed network) with 0.0.0.0/0 as a static route.

The goal is that if I am on endpoint VLAN 210 and I want to ping some IP on the internet, e.g. 8.8.8.8, then the connection should go to the external router because of the static route. But this does not work, although I can reach the external router via its internal IP (192.168.144.1). I monitored the traffic, and my problem is that the packets (dest: 8.8.8.8) do not arrive at the router; I think the problem is related to the static route. I created contracts between the EPGs and the external EPG to allow any connection.

Do I need to turn off Unicast Routing within the Bridge Domains and use the external router as the default gateway to make this work? Or are there any other conditions preventing me from using a static route?

Hope this is not too confusing. Thanks in advance
Jan

Accepted Solution

RedNectar
VIP

Hi Jan

Firstly, thanks for the great diagram.

To get routing working between ACI and an external router can be a bit tricky, partly because we normally think of ACI as a single box - but when it comes to routing to the outside world, it is no longer a single box - the leaf that connects to the external router needs to distribute routes to the other leaves.

So, here are some questions.  If the answer to any is not "yes" then fix it and move on.

Q1. Have you enabled BGP Routing? This requires several steps - defining an AS, choosing a Route Reflector, creating a policy, creating a policy group etc. I assume this is done, but I need to cover all bases.

Q2. You have clearly created an L3Out, but have you returned to the subnet under the Bridge Domain and added the L3Out to the Subnet? (And if you were using a routing protocol, you would also mark the subnet as being eligible to be "Advertised Externally".) This is an easy one to miss, because conceptually you think that because a Bridge Domain is linked to a VRF, and the L3Out is linked to the same VRF, there should be no need to link the Subnet to an L3Out - but the thing is, you can have multiple L3Outs linked to the same VRF (say one for BGP, one for EIGRP...), so you have to specify which ones (up to three) the subnet is allowed to use!

Q3. Is unicast routing enabled for the BD?

That will do for a start. Let me know how you get on. Oh, and to answer your questions:

Do I need to turn off the Unicast Routing within the Bridge Domains

Yes

and [Do I need to] use the external Router as default gw to make this work?

No

RedNectar
aka Chris Welsh

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
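As an added illustration (not part of Chris's post and not a Cisco tool), a small offline checker that walks an APIC-style JSON object dump and reports which of Q1 to Q3 above would fail for a given L3Out. The class and attribute names used (fvBD.unicastRoute, fvRsBDToOut.tnL3extOutName, fvSubnet.scope, bgpRRNodePEp, fabricRsPodPGrpBGPRRP) are my assumptions about the APIC object model, and the dump is constructed, so verify both against your own APIC before relying on the result.

```python
import json

# Constructed sample shaped like an APIC REST "imdata" response; not a real capture.
# Class/attribute names (fvBD.unicastRoute, fvRsBDToOut.tnL3extOutName, fvSubnet.scope,
# bgpRRNodePEp, fabricRsPodPGrpBGPRRP) are assumptions about the APIC object model.
SAMPLE = json.dumps({"imdata": [
    {"fvBD": {"attributes": {"name": "BD-VLAN210", "unicastRoute": "yes"},
              "children": [
                  {"fvSubnet": {"attributes": {"ip": "192.168.210.1/24", "scope": "private"}}},
                  {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "L3OUT-C881"}}}]}},
    {"fvBD": {"attributes": {"name": "BD-VLAN220", "unicastRoute": "no"},
              "children": [
                  {"fvSubnet": {"attributes": {"ip": "192.168.220.1/24", "scope": "private"}}}]}},
    {"bgpRRNodePEp": {"attributes": {"id": "101"}}},                              # Q1: a route reflector node
    {"fabricRsPodPGrpBGPRRP": {"attributes": {"tnBgpInstPolName": "default"}}},  # Q1: pod policy group -> BGP policy
]})


def check_l3out_readiness(imdata_json, l3out_name, dynamic_routing=False):
    """Return one finding string per failed check from Q1..Q3 (an empty list means all passed)."""
    objs = json.loads(imdata_json)["imdata"]
    findings = []
    # Q1: fabric BGP needs route reflector nodes, and a pod policy group must reference the BGP policy
    if not any("bgpRRNodePEp" in o for o in objs):
        findings.append("Q1: no BGP route reflector nodes configured")
    if not any(o["fabricRsPodPGrpBGPRRP"]["attributes"].get("tnBgpInstPolName")
               for o in objs if "fabricRsPodPGrpBGPRRP" in o):
        findings.append("Q1: no pod policy group references a BGP instance policy")
    for bd in (o["fvBD"] for o in objs if "fvBD" in o):
        name, children = bd["attributes"]["name"], bd.get("children", [])
        # Q3: the BD itself must route (unicast routing on) before anything can reach the L3Out
        if bd["attributes"].get("unicastRoute") != "yes":
            findings.append(f"Q3: BD {name} has unicast routing disabled")
        # Q2: the BD must be associated with the L3Out its subnets are allowed to use ...
        outs = {c["fvRsBDToOut"]["attributes"]["tnL3extOutName"] for c in children if "fvRsBDToOut" in c}
        if l3out_name not in outs:
            findings.append(f"Q2: BD {name} is not associated with L3Out {l3out_name}")
        # ... and, only when a routing protocol is used, its subnets must be 'Advertised Externally'
        if dynamic_routing:
            for sub in (c["fvSubnet"]["attributes"] for c in children if "fvSubnet" in c):
                if "public" not in sub.get("scope", "").split(","):
                    findings.append(f"Q2: subnet {sub['ip']} in BD {name} is not advertised externally")
    return findings


if __name__ == "__main__":
    for line in check_l3out_readiness(SAMPLE, "L3OUT-C881") or ["all checks passed"]:
        print(line)
```

With the constructed dump, BD-VLAN210 passes every static-route check while BD-VLAN220 fails Q3 and Q2; pass dynamic_routing=True to also flag subnets that are not advertised externally.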


2 Replies


Hey Chris,

Thank you very much for your help.

Your first question pretty much solved the problem. I forgot to reference the policy...

Q2: Everything with the contracts and associations was fine
Q3: Unicast is enabled

I configured OSPF instead of using just static routes.

It's really amazing how you support the community! Thank you :-) !

Jan
