ACI Static Routing L3OUT VPC Secondary IP - Cisco Community

6370

Views

20

Helpful

16

Replies

Dear Community,

I have a question about L3OUT with static routes. We have the following scenario. The L3OUT is distributed over 4 Leafs, each with 2 VPC pairs (SVI).

The question: Can I assignto the SVIs one secondary IP address for all 4 Leafs, or do I need one Secondary IP per VPC pair?

I Listed both in the following with #1 and #2

#1

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

#2

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address Y

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address Y

It would be good if you also find a document from Cisco describing this.

Kind Regards

Patrick

16 Replies 16

Dear Community,

anyone has a hint on this Topic? :)

Best Reagrds

Patrick

**EDITED** wrote this awhile back in 2019.. and didn't read it fully. Scenario 1 is correct if you plan on using the same routes and NH on FW. Since one FW is standby and not actively sending traffic you wont see any issues.

Hi Micgarc2,

ok thanks for explenation.

But how can we accomblish the goal, that the Service connected to the 4 Leafs only route traffic to Secondary Address = IP address X?

We want to have scalalibity, iIf the L3OUT is extended in the future over still several Leafs, the service is not to adapt its static routes, but only to a VIP route.

Is this possible with any solution?

Kind Regards

Patrick

Hi Micgarc2,

ok thanks for explenation.

But how can we accomblish the goal, that the Service connected to the 4 Leafs only route traffic to Secondary Address = IP address X?

We want to have scalalibity, iIf the L3OUT is extended in the future over still several Leafs, the service is not to adapt its static routes, but only to a VIP route.

Is this possible with any solution?

Kind Regards

Patrick

Hi Patrick

#1 is perfectly fine.

Hi Marcel,

many thanks for your reply.

Micgarc2 told the following:

Scenario 2 is what you want to go with. Since these are completely different vPCs you would want a unique secondary IP for each vPC. This will basically act the same as a VIP would. Otherwise it can cause undesired routing behavior if you try to point the static route to the secondary IP from the FW perspective.

Now i am confused about to go with which kind of solution :)

I configured Scenario1, i works fine. We got no faullt, traffic is working as expected.

But in the future it may lead to problems that we cannot yet foresee? Best Practice about that topic?

Kind Regards

Patrick

If you do #2 how would you implement the FW? Two identical routes with different next hops?

#1 is fine, from a forwarding perspective the FW ARPs for the next-hop, the resulting MAC is the same for every SVI on your border leaves (I assume you didn't change the MAC of your L3-SVIs in ACI) - so a packet from the firewall will be send to the ACI-MAC - the first leaf hit by the packet will route/forward the packet. I don't see any issues or undesired routing behaviour.

If you configure different MACs for your SVIs, then you will run into issues, but as long as your SVI MACs are identical everything is fine!

Hi Marcel,

many Thanks fo the Info.

Correct we will use the Same MAC for the SVIs,

Kind Regards

Patrick

edited my old post, scenario 1 is fine didnt read it fully was back in 2019 when that was posted.

Hello Patrick, i have configured the same configuration than you, and it´s working fine. But it doesn´t exist any document regarding it.

Hi,

Thanks for this question. I have also a similar situation. i have 4 leaf switches with 2 VPC to connect with Firewall in Active/standby. I am also going to use your Option#1 which is the same standby IP for all of 4 nodes.

Since it's a production env I am taking more care of this..

Could you pls share your experience on having option #1 would create any issues so far?

Any suggestions/opinions would be greatly appreciated.

Thank you in advance

no issues read *EDITED* post above

Hi Micgarc2

Thanks for your reply and confirming that no issues with option#1.

although technically it works, is this come in best practice design?

Any potential advantage/disadvantage when we use 4 leafs rather than 2 leafs? kindly shed some light

Thank you

no should be fine, i assume all your interfaces are in the same broadcast domain (VLANs) there shouldn't be any issues regardless of 2 leafs or 4.

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community