CSCuy16355 - Support traffic routed within same l3extInstP using catch-all 0/0

dland
Level 1

Which ACI software release version would fix the issue below?

==========

Support traffic routed within same l3extInstP using catch-all 0/0
CSCuy16355
Description
Symptom:
Traffic is policy-dropped between two L3 devices configured under same L3Out. (Transit routing within same L3Out). Can be verified by issuing "show logging ip access-list internal packet-log" and seeing the packets that are dropped due to policy.

Conditions:
When doing transit routing between two devices configured under the same L3Out and one External EPG with only 0.0.0.0/0 defined. This includes using dynamic or static routing. Providing/consuming the same contract under that External EPG does not resolve the issue.

Workaround:
Put the more specific subnets that are communicating as subnets under the External EPG so that the source/dest can be matched against rules appropriately.
Another workaround: placing 0.0.0.0/1 and 128.0.0.0/1 under the Subnets field of the l3extInstP (L3out EPG) will allow traffic to transit.
Another option is to go unenforced in the VRF.

Accepted Solutions

Robert Burns
Cisco Employee

This bug is not yet resolved.  Once it is, the integrated releases will be populated.

Robert

lindawa
Cisco Employee

Before APIC, release 2.3(1f), transit routing was not supported within a single L3Out profile. In APIC, release 2.3(1f) and later, you can configure transit routing with a single L3Out profile, with the following limitations:

  • If the VRF is unenforced, an external subnet (l3extSubnet) of 0.0.0.0/0 can be used to allow traffic between the routers sharing the same L3EPG.
  • If the VRF is enforced, an external default subnet (0.0.0.0/0) cannot be used to match both source and destination prefixes for traffic within the same L3EPG. To match all traffic within the same L3EPG, the following prefixes are supported:
    • IPv4
      • 0.0.0.0/1—with External Subnets for the External EPG
      • 128.0.0.0/1—with External Subnets for the External EPG
      • 0.0.0.0/0—with Import Route Control Subnet, Aggregate Import
    • IPv6
      • 0::0/1—with External Subnets for the External EPG
      • 8000::0/1—with External Subnets for the External EPG
      • :0:0/0—with Import Route Control Subnet, Aggregate Import
  • Alternatively, a single default subnet (0.0.0.0/0) can be used when combined with a VzAny contract. For example:
    • Use a VzAny providing contract and an L3EPG consuming contract (matching 0.0.0.0/0), or a VzAny consuming contract and L3EPG providing contract (matching 0.0.0.0/0).
    • And use the subnet 0.0.0.0/0—with Import/Export Route Control Subnet, Aggregate Import, and Aggregate Export.


The external documentation was also updated yesterday by the doc team:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Transit_Routing.html#concept_CBBCBA5750D84E4BB49CD727FDCF547A

The enhancement bug CSCuy16355 is also updated with the above details; please feel free to check it out.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy16355/?reffering_site=dumpcr
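
The limitations listed in the post above can be turned into a pre-change check on an external EPG's subnet list. This is an added example, not part of the thread and not Cisco code: the function name, verdict strings and sample subnets are constructed for illustration, `import-security` is the APIC scope flag behind "External Subnets for the External EPG", and the vzAny alternative is not modelled.

```python
import ipaddress

# APIC l3extSubnet scope flag shown in the GUI as
# "External Subnets for the External EPG".
SECURITY_SCOPE = "import-security"

def transit_match(vrf_enforced, subnets):
    """Classify one external EPG (l3extInstP) per IP family.

    subnets: list of (prefix, scope_flags) pairs taken from its
    l3extSubnet children.
    """
    verdict = {}
    for version in (4, 6):
        nets = [ipaddress.ip_network(p) for p, scope in subnets
                if SECURITY_SCOPE in scope]
        nets = [n for n in nets if n.version == version]
        if not vrf_enforced:
            verdict[version] = "ok-unenforced"       # contracts are not applied
        elif not nets:
            verdict[version] = "no-security-subnet"  # nothing classifies traffic
        else:
            # In an enforced VRF the default prefix cannot match both source
            # and destination inside the same EPG, so it is ignored here.
            specific = [n for n in nets if n.prefixlen > 0]
            merged = list(ipaddress.collapse_addresses(specific))
            if not specific:
                verdict[version] = "catch-all-only"    # the CSCuy16355 condition
            elif merged[0].prefixlen == 0:
                verdict[version] = "ok-split-default"  # e.g. 0.0.0.0/1 + 128.0.0.0/1
            else:
                verdict[version] = "specific-prefixes-only"
    return verdict

# Constructed sample subnet lists (not taken from a real fabric).
CATCH_ALL = [("0.0.0.0/0", {"import-security"})]
SPLIT = [("0.0.0.0/1", {"import-security"}), ("128.0.0.0/1", {"import-security"}),
         ("0::0/1", {"import-security"}), ("8000::0/1", {"import-security"}),
         ("0.0.0.0/0", {"import-rtctrl"})]  # route control only, no security scope

if __name__ == "__main__":
    print(transit_match(True, CATCH_ALL))
    print(transit_match(True, SPLIT))
```

A `specific-prefixes-only` verdict corresponds to the first workaround in the bug text: only traffic between the listed prefixes is matched against contract rules.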

This is great news!   Is this also fixed in ACI 3.0 and, if so, which versions?

 

-Craig 

Craig, transit routing within a single l3out would work in any release later than 2.3(1f) with the above workaround applied, and it's supported. HTH.
