cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6362
Views
20
Helpful
16
Replies

ACI Static Routing L3OUT VPC Secondary IP

PatrickH1
Level 1
Level 1

Dear Community,

I have a question about L3OUT with static routes. We have the following scenario. The L3OUT is distributed over 4 Leafs, each with 2 VPC pairs (SVI).

 

The question: Can I assignto the SVIs one secondary IP address for all 4  Leafs, or do I need one Secondary IP per VPC pair?

 

I Listed both in the following with #1 and #2

 

#1

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

#2

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address Y

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address Y

 

It would be good if you also find a document from Cisco describing this.

 

Kind Regards

 

Patrick

16 Replies 16

PatrickH1
Level 1
Level 1

Dear Community,

anyone has a hint on this Topic? :)

 

Best Reagrds

 

Patrick

**EDITED** wrote this awhile back in 2019.. and didn't read it fully. Scenario 1 is correct if you plan on using the same routes and NH on FW. Since one FW is standby and not actively sending traffic you wont see any issues. 

 

 

Hi Micgarc2,

 

ok thanks for explenation.

But how can we accomblish the goal, that the Service connected to the 4 Leafs only route traffic to Secondary Address = IP address X?

 

We want to have scalalibity, iIf the L3OUT is extended in the future over still several Leafs, the service is not to adapt its static routes, but only to a VIP route.

 

Is this possible with any solution?

Kind Regards

 

Patrick

Hi Micgarc2,

 

ok thanks for explenation.

But how can we accomblish the goal, that the Service connected to the 4 Leafs only route traffic to Secondary Address = IP address X?

 

We want to have scalalibity, iIf the L3OUT is extended in the future over still several Leafs, the service is not to adapt its static routes, but only to a VIP route.

 

Is this possible with any solution?

Kind Regards

 

Patrick

Marcel Zehnder
Spotlight
Spotlight

Hi Patrick

 

#1 is perfectly fine.

 

 

Hi Marcel,

 

many  thanks for your reply.

 

Micgarc2 told the following:

Scenario 2 is what you want to go with. Since these are completely different vPCs you would want a unique secondary IP for each vPC. This will basically act the same as a VIP would. Otherwise it can cause undesired routing behavior if you try to point the static route to the secondary IP from the FW perspective.

 

Now i am confused about to go with which kind of solution :)

 

I configured Scenario1, i works fine. We got no faullt, traffic is working as expected. 

 

But in the future it may lead to problems that we cannot yet foresee? Best Practice about that topic? 

 

Kind Regards

 

Patrick

If you do #2 how would you implement the FW? Two identical routes with different next hops?

 

#1 is fine, from a forwarding perspective the FW ARPs for the next-hop, the resulting MAC is the same for every SVI on your border leaves (I assume you didn't change the MAC of your L3-SVIs in ACI) - so a packet from the firewall will be send to the ACI-MAC - the first leaf hit by the packet will route/forward the packet. I don't see any issues or undesired routing behaviour.

 

If you configure different MACs for your SVIs, then you will run into issues, but as long as your SVI MACs are identical everything is fine!

Hi Marcel,

 

many Thanks fo the Info.

 

Correct we will use the Same MAC for the SVIs,

 

Kind Regards

 

Patrick

edited my old post, scenario 1 is fine didnt read it fully was back in 2019 when that was posted.

FedeGaibrel
Level 1
Level 1

Hello Patrick, i have configured the same configuration than you, and it´s working fine. But it doesn´t exist any document regarding it. 

 

ksatish01
Level 1
Level 1

Hi,

Thanks for this question. I have also a similar situation. i have 4 leaf switches with 2 VPC to connect with Firewall in Active/standby. I am also going to use your Option#1 which is the same standby IP for all of 4 nodes. 

Since it's a production env I am taking more care of this.. 

 

Could you pls share your experience on having option #1 would create any issues so far? 

Any suggestions/opinions would be greatly appreciated.

 

Thank you in advance

 

no issues read *EDITED* post above

ksatish01
Level 1
Level 1

Hi Micgarc2

Thanks for your reply and confirming that no issues with option#1. 

although technically it works, is this come in best practice design? 

Any potential advantage/disadvantage when we use 4 leafs rather than 2 leafs? kindly shed some light

 

Thank you

no should be fine, i assume all your interfaces are in the same broadcast domain (VLANs) there shouldn't be any issues regardless of 2 leafs or 4.

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License