Dual L3out External EPG Config

MPT3 · ‎04-12-2023

I have a customer with 2x L3outs configured in their fabric, both under the common tenant & default vrf. One is for management traffic, the other is for production traffic.

Within each L3out, their External EPG configs have the following:

0.0.0.0/0 route configured and only checked to allow External Subnets for External EPG. My understanding says this should allow endpoints in the fabric to reach any external network (contracts are not in play here).
A 10.X.X.X/20 route configured and checked to allow External Subnets for External EPG, as well as Export Route Control Subnet (no other options selected).

Per my understanding, the Export Route Control Subnet allows a subnet from one L3out, to be advertised out another L3out (transit routing). The interesting thing is that I don't see the 10.X subnet being learned from either L3out, yet I do see it advertised out both L3outs. It's also not a network associated with a BD within the fabric. Is it getting advertised out both L3outs due to being set under both External EPGs?

My other questions is, does having 0.0.0.0/0 configured on both L3Outs a concern? Since it is only set to External Subnets for the External EPG, this leads me to believe it is not since its just allowing fabric internal endpoints to reach all external routes.

ecsnnsls · ‎04-13-2023

Hi,

It is not recommended to have 0.0.0.0/0 configured under multiple L3OUTs under the same VRF. You can refer to https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html#Pg101 to understand why this is the recommendation.

Can you check if there are static routes configured anywhere in the fabric for 10.X.X.X/20? Maybe that's why it is getting advertised out through the L3outs.

HTH