confused about L3Out on ACI 2.0

bcn-jbrooks (Level 1)

Hi All,

I successfully set up an L3Out and managed to get a USER tenant routing out through it to the Internet - big thanks to Tomas for his help!

I'm confused about one part though.  In the instructions Tomas provided, it says that you have to Associate the USER tenant Bridge Domain to the L3Out.  This is done in <User Tenant> -> Networking -> Bridge Domains -> <User Bridge Domain>, L3 Configurations tab.

However, it seems that my User Tenant is able to route out to the Internet even when the Bridge Domain is not associated with the L3Out.  The only setting that seems to matter is on the Subnets options, specifically the "Shared between VRFs" checkbox (found at <User Tenant> -> Networking -> Bridge Domains -> <User Bridge Domain> -> Subnets -> <User Subnet>).

In other words, it appears as if there is no need to Associate the User Tenant Bridge Domain with the L3Out.

I can get my User Tenant to reach the Internet simply by checking the Shared between VRFs option, and I can break it by unchecking that option.

(note that I still have the contract consumed within the User Tenant.  I haven't tried removing that yet)

**Edit: I just deleted the Consumed contract (a contract in Common Tenant with global scope), and that also broke the routing.  So it seems the Associated L3 Outs list box has no effect, but the contract and the Shared between VRFs options do.

So, my question is, what is the magic that allows my User Tenant to route out through the L3Out?  Does the "Associated L3 Outs" list box actually have any effect on anything?

Thanks,

Joel

Accepted Solution

Jason Williams (Level 1)

Joel, 


Please see inline.


"So, my question is, what is the magic that allows my User Tenant to route out through the L3Out?"


Assuming that you're implementing Shared L3, these are the requirements to route leak from the User Tenant's VRF to the L3 out VRF.


User Tenant Requirements:

Subnet defined in either the EPG or BD with "Shared between VRF" and "Advertised Externally" enabled

L3 out requirements:

External EPG subnets need the following features enabled:

External Subnets for the External EPG :: This defines the external subnets that we want to apply policy to

Shared Route Control Subnet :: External subnet(s) to be leaked into EPG's VRF

Shared Security Import Subnet :: Apply policy to the leaked subnet(s)


Contract configuration:

Provider/Consumer direction is based on how the User Tenant's subnet is defined (defined under the BD or under the EPG?)

-> If subnet is defined under BD :: L3 out must provide a contract to the EPG, at minimum, to allow routes to be leaked in both directions

-> If subnet is defined under the EPG :: Contract provide/consume is fine in either direction as long as one side is provider and one side is consumer

Condition:

If an EPG within a context is consuming a shared service contract, do not enable that context to be a vzAny provider. Enabling vzAny provider could allow unintended traffic.


"Does the "Associated L3 Outs" list box actually have any effect on anything?"

This only applies to Bridge domains that need to communicate with L3 outs in the same VRF. If you're doing inter-VRF, then it is not necessary. 

If this does not answer your question(s), please provide some more detail about the L3 out <> EPG configuration and what the unexpected observation is so that we may better assist.

Jason
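Added example, not part of the thread or of any Cisco tooling: a small Python checker that encodes the requirements in the answer above (subnet scope flags, external EPG subnet flags, contract direction, the vzAny condition, and the same-VRF-only role of "Associated L3 Outs"). The config dict is constructed by hand; its keys are assumptions that mirror APIC attribute names (fvSubnet and l3extSubnet `scope`, fvRsProv/fvRsCons, fvRsBDToOut), not data read from an APIC.

```python
# Added example, not from the thread: encodes the answer's rules for shared
# (inter-VRF) L3Out route leaking as a checker over a hand-built config dict.
# Keys are assumptions modelled on APIC attribute names, not APIC output.

SUBNET_FLAGS = {"public", "shared"}  # Advertised Externally, Shared between VRFs
EXT_FLAGS = {"import-security", "shared-rtctrl", "shared-security"}


def check_l3out_leak(cfg):
    """Return a list of findings; an empty list means the rules are satisfied."""
    findings = []
    if cfg["same_vrf"]:
        # Intra-VRF: only the BD -> L3Out association (fvRsBDToOut) matters.
        if cfg["l3out"] not in cfg["bd_associated_l3outs"]:
            findings.append("same VRF: BD must list the L3Out under Associated L3 Outs")
        return findings
    where = cfg["subnet"]["under"]  # "bd" or "epg"
    missing = SUBNET_FLAGS - set(cfg["subnet"]["scope"].split(","))
    if missing:
        findings.append(f"subnet under {where} lacks scope {sorted(missing)}")
    ext_missing = EXT_FLAGS - set(cfg["ext_subnet_scope"].split(","))
    if ext_missing:
        findings.append(f"l3extSubnet lacks scope {sorted(ext_missing)}")
    # Contract direction: a subnet under the BD requires the L3Out side to provide.
    l3out_provides = set(cfg["ext_epg_prov"]) & set(cfg["epg_cons"])
    epg_provides = set(cfg["ext_epg_cons"]) & set(cfg["epg_prov"])
    if where == "bd" and not l3out_provides:
        findings.append("subnet under BD: L3Out external EPG must provide the contract")
    elif where == "epg" and not (l3out_provides or epg_provides):
        findings.append("no contract with one provider and one consumer between EPG and L3Out")
    # vzAny in the consumer's VRF must not provide a contract the EPG consumes.
    bad = set(cfg.get("vzany_prov", [])) & set(cfg["epg_cons"])
    if bad:
        findings.append(f"vzAny provides {sorted(bad)} while an EPG consumes it")
    return findings


# Constructed config resembling the thread's setup: BD subnet in the user VRF,
# L3Out in another VRF providing a global-scope contract the user EPG consumes.
WORKING = {
    "same_vrf": False, "l3out": "internet", "bd_associated_l3outs": [],
    "subnet": {"under": "bd", "scope": "public,shared"},
    "ext_subnet_scope": "import-security,shared-rtctrl,shared-security",
    "ext_epg_prov": ["internet-ctr"], "ext_epg_cons": [],
    "epg_prov": [], "epg_cons": ["internet-ctr"],
}
# Same config with "Shared between VRFs" unchecked, as the question describes.
BROKEN = dict(WORKING, subnet={"under": "bd", "scope": "public"})
```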
