09-30-2017 05:06 AM - edited 03-01-2019 05:20 AM
Hi
Multi-Pod deployment, with 2 Data Centers, DC1 and DC2.
Configured OSPF L3Out/area 0 at each Data Center over SVI:
DC1 SVI subnet 10.13.254.0/29
DC2 SVI subnet 10.13.254.8/29
I have applied the Tenant common default contract, which I understand is the equivalent of permit 'ip any any'.
However, only ping works; telnet fails, which implies the issue is with the contract.
See attachment for further information.
Please could somebody tell me how this issue can be resolved?
Thanks
10-04-2017 11:57 AM
Let's gather some more information about the configuration and the test traffic. Please provide the following information.
1. What is the source IP address?
2. Who owns the source IP address? In other words, is this the IP address of the directly attached router? IP of the leaf interface? Is this a host behind the router?
3. What is the destination IP address?
4. Who owns the destination IP address? (Same as above: leaf IP? router IP? external host IP behind router?)
When talking about contract enforcement with L3 out, it is crucial to identify where the IP is located (directly attached subnet or subnet behind the router) because policy can be handled differently depending on where the subnet is located.
5. I see some faults in both of the L3 out EPGs. Click on the faults tab in both external EPGs to see if there are any issues with ACLQOS prefix programming or reports of duplicate prefixes.
6. Log into all border leafs in the L3 outs and check to see if there are policy drops. You can do this by running the following show command.
show logging ip access-list internal packet-log deny
If there are a high number of packet drops on the leaf, then it might be easier to add a | more to the end of command. This will list the packet logs page by page instead of flooding your CLI with the entire output. Press space bar to go down a page after executing the command. Press q or ctrl+c to exit the output, if needed.
show logging ip access-list internal packet-log deny | more
This command output displays any policy drops on the fabric on that leaf. You will get visibility on the source and destination IP addresses along with the source and destination TCP/UDP ports. If TCP or UDP is not used, then you should still be able to see the IP protocol used in that packet.
If you see any drops reported on any of the relevant border leafs for traffic between the tested source and destination then this confirms that ACI is dropping the packet based on contracts.
Once you confirm and upload the requested info we should be able to make some progress.
-JW
11-20-2017 05:17 AM