04-06-2018 08:11 AM - edited 03-01-2019 05:30 AM
We have 7 EPGs created and mapped to 7 different bridge domains (one-to-one mapping)
one L3Out for all these bridge domains
There is currently one EPG created with 0.0.0.0 for L3Out Networks that provides & consumes a default standard contract (VRF enforced mode)
We created a new EPG & bridge domain which requires ISOLATED VLAN access (i.e. permit only a few external accesses (AD & DNS servers, which are reachable through the L3Out) and deny all the rest).
We had planned to:
(1) create a new EPG to add the AD & DNS Servers under the L3Out
(2) create a new contract and add the default filter
(3) provide and consume this new contract in the new internal EPG and the L3Out EPG
If we configure as above, would ACI remove the AD & DNS Servers from the existing L3Out EPG (which has network 0.0.0.0) and only consider these AD & DNS Servers in the new L3Out EPG?
APIC version is 3.1(i). Could someone advise?
Thank you in advance
04-07-2018 03:54 AM - edited 04-07-2018 03:59 AM
That’s right. The L3EPG pcTag and prefixes get programmed on all the leaves with L3Out EPG contracts in the VRF, and traffic towards the L3Outs is evaluated against these prefixes.
You could create the new L3EPG and add the contracts prior to adding the IPs to avoid downtime.
04-07-2018 03:42 AM
If you add the AD and DNS server IPs to the new L3 EPG then they will be matched there and no longer on the 0.0.0.0 L3 EPG.
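The two replies above describe the same mechanism: an external address is classified into the L3Out EPG whose configured subnet is its longest prefix match, and only then is the contract between that external EPG and the internal EPG evaluated. The following is an added example (not code from the thread or from APIC) that models that classification with constructed addresses and EPG names, so the consequences for the 0.0.0.0/0 EPG can be checked before changing the fabric:

```python
import ipaddress

# Constructed model of the thread's scenario (not the APIC object model).
# External (L3Out) EPG name -> its "External Subnets for External EPG".
EXTERNAL_EPGS_AFTER = {
    "L3Out-Default": ["0.0.0.0/0"],                      # existing catch-all EPG
    "L3Out-AD-DNS": ["10.10.1.10/32", "10.10.2.53/32"],  # new EPG with AD & DNS hosts
}

# Transitional state from the accepted answer: new L3EPG and contract exist,
# but the host subnets have not been added yet.
EXTERNAL_EPGS_BEFORE = {
    "L3Out-Default": ["0.0.0.0/0"],
    "L3Out-AD-DNS": [],
}

# Constructed contract relationships as unordered EPG pairs (ACI contracts
# permit the consumer<->provider pair; filter direction is ignored here).
CONTRACTS = {
    frozenset({"EPG-App1", "L3Out-Default"}),     # existing internal EPG <-> catch-all
    frozenset({"EPG-Isolated", "L3Out-AD-DNS"}),  # new isolated EPG <-> AD/DNS only
}


def classify_external(ip, epgs):
    """Return the external EPG whose subnet is the longest prefix match for ip.

    Mirrors the leaf behaviour described in the replies: a /32 in the new
    L3EPG wins over 0.0.0.0/0, so the host is no longer "in" the default EPG.
    """
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, subnets in epgs.items():
        for subnet in subnets:
            net = ipaddress.ip_network(subnet)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def permitted(internal_epg, external_ip, epgs, contracts=CONTRACTS):
    """Classify the external IP, then check for a contract with the internal EPG."""
    ext_epg = classify_external(external_ip, epgs)
    if ext_epg is None:
        return False, None  # no matching external subnet: dropped in enforced VRF
    return frozenset({internal_epg, ext_epg}) in contracts, ext_epg
```

Note the last check in the test: once the /32s move to the new L3EPG, the existing EPG-App1 loses AD/DNS reachability unless it also gets a contract with L3Out-AD-DNS, which is the downtime the accepted answer warns about.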