How to identify the L3Out and external EPG from where an IP is reached

lecabral
Level 1

Hi everyone,

I wonder if there is a way or CLI command to identify the L3Out and External EPG from where the fabric is reaching and external endpoint.

We have several L3Outs and Ext EPGs and I'm in the need to quickly find from where an IP is being reached in order to verify Contracts.

If anyone can throw some light on this, I will really appreciate.

Thanks!

LeoC.

1 Accepted Solution

Accepted Solutions

Sergiu.Daniluk
VIP Alumni

Hi @lecabral 

The method described by @jacalzad is definitely the most appropriate, since you rely on the routing table. I was thinking of another method (top-down approach), which is described below. But before that, if I had to add something to it, it is how you should check the routes on a non-border leaf.

non-border-leaf# show ip route 10.1.1.1 vrf SD:SD
10.0.0.0/8, ubest/mbest: 2/0
    *via 10.0.14.167%overlay-1, [200/5], 2d08h, bgp-65001, internal, tag 65001
    *via 10.0.14.164%overlay-1, [200/5], 2d08h, bgp-65001, internal, tag 65001

non-border-leaf# acidiag fnvread
      ID   Pod ID                 Name    Serial Number         IP Address    Role        State   LastUpdMsgId
--------------------------------------------------------------------------------------------------------------
     301        1                leaf301    XXXXXXXXXX      10.0.14.164/32     leaf         active   0
     302        1                leaf302    XXXXXXXXXX      10.0.14.167/32     leaf         active   0

What you see above is basically the routing table on a non-border leaf for your desired destination IP (I fabricated the example), and what you see there as next hop is the border leaf VTEP IP address. Once you find the border leaf, you connect to it, and do the checks listed by @jacalzad.

Note: if you do not find the next hop VTEP address in "acidiag fnvread" output, it means that you have a vPC VTEP. To find out the vpc peers, go to Fabric > Access Policies > Switch Policies > Policies > Virtual Port Channel default and you will find there the existing vpc domains. There are other methods to find the peers described in a post somewhere here on community, you can search for it if you want.

 

My approach, as I said initially, is a top-to-bottom approach, where you check for the ExtEPG first.

Disclaimer: There are a couple of things which will make the method below NOT work:

  • you have multiple L3Outs with 0.0.0.0/0 external subnets for external EPG
  • routing table doesn't match with your extEPG configuration
  • your ExtEPGs are missing the external prefix configured (misconfiguration) 

If you are in one of these situations, then use the method described by @jacalzad. The method below can be used as a complement to Jaime's approach.

 

OK, so what you can do:

1. If you are a non-border leaf, find the BL using the method described above.

2. Once you are on a BL, use the following commands and find the ExtEPG pctag:

leaf101#  show system internal policy-mgr prefix | grep SD:SD
2752513 26     0x1a          Up     SD:SD                                 10.0.0.0/8  16387   False  True   False
2752513 26     0x1a          Up     SD:SD                                  0.0.0.0/0   15      False  True   False
2752513 26     0x8000001a    Up     SD:SD                                       ::/0   15      False  True   False

Note: you can grep (as I did) for your VRF, which has the TN-name:VRF-name format.

3. In the output, look for the prefix which includes your destination IP. Once you have found it, look at the number next to it (16738 in my case). This is the pcTag of the External EPG. Using it, you can find the name of the ExtEPG.

4. Find the name of ExtEPG.

apic-01# moquery -c l3extInstP -f 'l3ext.InstP.pcTag=="16387"'
Total Objects shown: 1

# l3ext.InstP
name                 : Example_ExtEPG_SD
annotation           :
childAction          :
configIssues         :
configSt             : applied
descr                :
dn                   : uni/tn-SD/out-Example_L3Out_SD/instP-Example_ExtEPG_SD

5. You found the L3Out and ExtEPG. In above example:

L3Out: Example_L3Out_SD

ExtEPG: Example_ExtEPG_SD

 

Stay safe,

Sergiu
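Steps 2 to 5 of the procedure above (longest-prefix match of the destination IP against the policy-mgr prefix table, then reading the L3Out and ExtEPG out of the l3ext.InstP dn) can be scripted. The following is an added example, not code from the original post or from Cisco; the sample table is constructed after the output quoted above, and the field positions it assumes (VRF in column 5, prefix in column 6, pcTag in column 7) are taken from that output.

```python
import ipaddress
import re

# Constructed sample modelled on the "show system internal policy-mgr prefix"
# output quoted in the post above; not captured from a real fabric.
POLICY_MGR_PREFIX_OUTPUT = """\
2752513 26     0x1a          Up     SD:SD                                 10.0.0.0/8  16387   False  True   False
2752513 26     0x1a          Up     SD:SD                                  0.0.0.0/0   15      False  True   False
2752513 26     0x8000001a    Up     SD:SD                                       ::/0   15      False  True   False
"""


def parse_prefix_table(text, vrf):
    """Return (network, pcTag) pairs for one VRF (TN-name:VRF-name) from the table."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Assumed column layout: ... Up  <vrf>  <prefix>  <pcTag> ...
        if len(fields) < 7 or fields[4] != vrf:
            continue
        entries.append((ipaddress.ip_network(fields[5]), int(fields[6])))
    return entries


def lookup_pctag(dest_ip, entries):
    """Longest-prefix match of dest_ip against the ExtEPG subnets; None if no subnet covers it."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for net, pctag in entries:
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, pctag)
    return None if best is None else best[1]


def split_instp_dn(dn):
    """Split an l3ext.InstP dn (uni/tn-T/out-L/instP-E) into (tenant, L3Out, ExtEPG)."""
    m = re.fullmatch(r"uni/tn-([^/]+)/out-([^/]+)/instP-([^/]+)", dn)
    if not m:
        raise ValueError(f"not an l3ext.InstP dn: {dn}")
    return m.group(1), m.group(2), m.group(3)


if __name__ == "__main__":
    table = parse_prefix_table(POLICY_MGR_PREFIX_OUTPUT, "SD:SD")
    tag = lookup_pctag("10.1.1.1", table)
    print(f"pcTag {tag}; now run: moquery -c l3extInstP -f 'l3ext.InstP.pcTag==\"{tag}\"'")
    print(split_instp_dn("uni/tn-SD/out-Example_L3Out_SD/instP-Example_ExtEPG_SD"))
```

An IP that only matches 0.0.0.0/0 or ::/0 resolves to pcTag 15, which several L3Outs can share; that is the first case in the disclaimer above, where this lookup cannot single out one ExtEPG.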

 


3 Replies

jacalzad
Cisco Employee

Hi LeoC!

You could use traditional CLI commands to find the path to reach the destination, coupled with moquery from the APIC.

Take the below example from our lab:

I want to find how we reach the IP 10.1.1.1

Leaf-301# show ip route 10.1.1.1 vrf tn1:v1
IP Route Table for VRF "tn1:v1"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF 

10.1.1.1/32, ubest/mbest: 1/0
    *via 172.16.1.2, eth1/6, [110/5], 5d01h, ospf-default, intra

I then check the associated interface:

Leaf-301# show int e1/6     
Ethernet1/6 is up
admin state is up, Dedicated Interface
  Hardware: 100/1000/10000/25000/auto Ethernet, address: 0022.bdf8.19ff (bia 4006.d583.cd16)
  Internet Address is 172.16.1.1/30
  MTU 1500 bytes, BW 10000000 Kbit, DLY 1 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
<snip>

I can then moquery which L3Out owns this IP:

site2-apic1# moquery -c l3extRsPathL3OutAtt -f 'l3ext.RsPathL3OutAtt.addr=="172.16.1.1/30"'
Total Objects shown: 1

# l3ext.RsPathL3OutAtt
tDn              : topology/pod-1/paths-301/pathep-[eth1/6]
addr             : 172.16.1.1/30
annotation       : 
autostate        : disabled
childAction      : 
configIssues     : 
descr            : 
dn               : uni/tn-tn1/out-L3Out-1/lnodep-L3Out-1_nodeProfile/lifp-L3Out-1_interfaceProfile/rspathL3OutAtt-[topology/pod-1/paths-301/pathep-[eth1/6]]
encap            : unknown
encapScope       : local
extMngdBy        : 
forceResolve     : yes
ifInstT          : l3-port
ipv6Dad          : enabled
isMultiPodDirect : no
lcOwn            : local
llAddr           : ::
mac              : 00:22:BD:F8:19:FF
modTs            : 2022-08-18T23:09:02.614-02:00
mode             : regular
monPolDn         : uni/tn-common/monepg-default
mtu              : 1500
rType            : mo
rn               : rspathL3OutAtt-[topology/pod-1/paths-301/pathep-[eth1/6]]
state            : unformed
stateQual        : none
status           : 
tCl              : fabricPathEp
tType            : mo
targetDscp       : unspecified
uid              : 15374
userdom          : :all:

site2-apic1# 

From the above we can see the name of the L3Out in question is 'L3Out-1' and you should be able to find the external EPG under the L3Out.


HTH

Jaime


lecabral
Level 1

Hi @jacalzad and @Sergiu.Daniluk ,

I appreciate your inputs!

I first tried @jacalzad's method, but for some reason I'm not getting to the same point. Also, this method would show me the L3Out, and I really need to narrow things down to the ExtEPG, since we have many and it is very time consuming to review them one by one.


LEAF311# show ip route 10.2.24.49 vrf ST_Prod:ST__VRF
IP Route Table for VRF "ST_Prod:ST__VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.2.24.0/22, ubest/mbest: 1/0
*via 10.3.141.197, vlan395, [170/53504], 6d02h, eigrp-default, external, tag 20001000
LEAF311# show int vlan395
Vlan395 is up, line protocol is up, autostate disabled
Hardware EtherSVI, address is 0022.bdf8.19ff
Internet Address is 10.3.141.194/28
MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
reliability 255/255, txload 1/255, rxload 1/255
Carrier delay is 10 sec
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA
Last clearing of "show interface" counters never
30 seconds input rate 0 bits/sec, 0 packets/sec
30 seconds output rate 0 bits/sec, 0 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
L3 Switched:
input: 0 pkts, 0 bytes - output: 0 pkts, 0 bytes
L3 in Switched:
ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes
L3 out Switched:
ucast: 0 pkts, 0 bytes - mcast: 0 pkts, 0 bytes

APIC001# moquery -c l3extRsPathL3OutAtt -f 'l3ext.RsPathL3OutAtt.addr=="10.3.141.194/28"'
No Mos found

Then I tried the method suggested by @Sergiu.Daniluk and it worked!

Thank you both for your inputs and help!

LeoC.

