07-16-2017 03:51 AM - edited 03-01-2019 05:17 AM
Hello,
my setup is as the following one:
we are using a network centric approach so each endpoint is in a single bridge domain (bd is the default gw for each endpoint) and single epg which encaps the specific vlan (static path). The internal connection within the Fabric is permitted, so I created a contract between the EPGs that allows all connections.
Everything is in the same VRF and the router (cisco 881) is configured as a (external routed network) routed interface with 0.0.0.0/0 as a static route.
The goal is that if I am on endpoint vlan 210 and I want to ping some ip on the internet e.g. 8.8.8.8 then the connection should go to the external router because of the static route. But this one does not work although I can reach the external router via its internal ip (192.168.144.1). I monitored the traffic and my problem is that the packets (dest: 8.8.8.8) did not arrive at the router and I think the problem is based on the static route. I created contracts between the epgs and external epg to allow any connection.
Do I need to turn off the Unicast Routing within the Bridge Domains and use the external Router as default gw to make this work? Or are there any other conditions which are restricting me to use a static route?
Hope this is not too confusing at all. Thanks in advance
Jan
07-17-2017 01:58 AM
Hi Jan
Firstly, thanks for the great diagram.
To get routing working between ACI and an external router can be a bit tricky, partly because we normally think of ACI as a single box - but when it comes to routing to the outside world, it is no longer a single box - the leaf that connects to the external router needs to distribute routes to the other leaves.
So, here are some questions. If the answer to any is not "yes" then fix it and move on.
Q1. Have you enabled BGP Routing? This requires several steps - defining an AS, choosing a Route Reflector, creating a policy, creating a policy group etc. I assume this is done, but I need to cover all bases.
Q2. You have clearly created a L3Out, but have you returned to the subnet under the Bridge domain and added the L3Out to the Subnet? (And if you were using a routing protocol, you would also make the subnet as being eligible to be "Advertised Externally"). This is an easy one to miss, because conceptually you think that because a Bridge Domain is linked to a VRF, and the L3Out is linked to the same VRF, so there should be no need to link the Subnet to a L3Out - but the thing is, you can have multiple L3Outs linked to the same VRF (say one for BGP, one for EIGRP...), so you have to specify which ones (up to three) the subnet is allowed to use!
Q3. Is unicast routing enabled for the BD?
That will do for a start. Let me know how you get on. Oh, and to answer your questions:
Do I need to turn off the Unicast Routing within the Bridge Domains
Yes
and [Do I need to] use the external Router as default gw to make this work?
No
RedNectar
aka Chris Welsh
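Q2 and Q3 of the checklist above can be verified mechanically against a tenant export from the APIC REST API. The following script is an added example, not code from this thread or from Cisco; the JSON is a constructed sample shaped like an APIC tenant query response, the object and attribute names (fvBD, fvSubnet, fvRsBDToOut, unicastRoute, scope, tnL3extOutName) follow the APIC schema as I understand it, and the L3Out name L3OUT_C881 is a placeholder.

```python
"""Audit ACI bridge domains for the two BD-level conditions in the answer:
Q2 - the BD subnet is linked to the L3Out (and marked advertised externally
     when a routing protocol is used), Q3 - unicast routing is enabled."""
import json

# Constructed sample mimicking a tenant export with subtree children.
# BD_VLAN210 routes but is not linked to the L3Out; BD_VLAN220 is linked but
# has unicast routing switched off. Names and values are made up.
SAMPLE = json.dumps({"imdata": [{"fvTenant": {"attributes": {"name": "Demo"}, "children": [
    {"fvBD": {"attributes": {"name": "BD_VLAN210", "unicastRoute": "yes"}, "children": [
        {"fvSubnet": {"attributes": {"ip": "192.168.210.1/24", "scope": "private"}}},
    ]}},
    {"fvBD": {"attributes": {"name": "BD_VLAN220", "unicastRoute": "no"}, "children": [
        {"fvSubnet": {"attributes": {"ip": "192.168.220.1/24", "scope": "public"}}},
        {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "L3OUT_C881"}}},
    ]}},
]}}]})


def _children(mo):
    """Yield (class name, attributes, body) for each child managed object."""
    for child in mo.get("children", []):
        (cls, body), = child.items()          # each child dict has exactly one class key
        yield cls, body.get("attributes", {}), body


def audit_bds(tenant_json, l3out="L3OUT_C881", uses_routing_protocol=True):
    """Return {bd_name: [issues]} for every fvBD in the tenant export."""
    findings = {}
    tenant = json.loads(tenant_json)["imdata"][0]["fvTenant"]
    for cls, attrs, body in _children(tenant):
        if cls != "fvBD":
            continue
        issues = []
        if attrs.get("unicastRoute") != "yes":                  # Q3
            issues.append("unicast routing disabled")
        linked = [a.get("tnL3extOutName") for c, a, _ in _children(body) if c == "fvRsBDToOut"]
        if l3out not in linked:                                 # Q2: BD must reference the L3Out
            issues.append(f"L3Out {l3out} not associated")
        for c, a, _ in _children(body):                         # Q2: subnet scope when using OSPF/BGP
            if c == "fvSubnet" and uses_routing_protocol and "public" not in a.get("scope", ""):
                issues.append(f"subnet {a['ip']} not advertised externally")
        findings[attrs["name"]] = issues
    return findings


if __name__ == "__main__":
    for bd, issues in audit_bds(SAMPLE).items():
        print(bd, "OK" if not issues else "; ".join(issues))
```

Q1 (the fabric BGP route reflector policy) lives under the fabric policies rather than the tenant, so it is not covered by this tenant-level check.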
07-17-2017 09:12 AM
Hey Chris,
thank you very much for your help.
Your first question pretty much solved the problem. I forgot to reference the policy...
Q2: Everything with the contracts and associations was fine
Q3: Unicast is enabled
I configured OSPF instead of using just static routes.
It's really amazing how you support the community! Thank you :-) !
Jan