Hi Chrish,

I tried to do it as cisco guide says but it does not work. Thanks for the reply. Do we need to allocate specific IP segment for in-band IP management for ACI fabric which will not be used in anywhere in the network for other devices to manage in-band.?

And by the way do you have a video of configuring in-band management access via a L3OUT for  which you have described in your blog, it will be great Please do reply and share the video if you can.

To answer your questions:

Do we need to allocate specific IP segment for in-band IP management for ACI fabric which will not be used in anywhere in the network for other devices to manage in-band.?

I'm not quite sure exactly what you are asking, so I'll give several answers

• You will need to allocate an inband IP address to each APIC.

1. If your management station is connected to the same EPG, these IP addresses don't need to be advertised or seen outside this subnet.  As per scenario #1 or #2
• In this case the IP subnet need not be seen anywhere else
2. If you want this IP address range to be advertised outside, then you'll need to configure a L3Out as per scenario #3
• In this case the IP subnet will be seen in your external network

• You will need to allocate an IP address to the inb Bridge Domain, and this will be the default gateway IP for the APIC's inband IP addresses.
• As far as I know, you can't configure the APIC's inband IP address to use an external firewall or router as its default gateway.
• You don't need to allocate inband IP addresses to your leaf or spine switches, but you can do so if you wish via the mgmt tenant

And by the way do you have a video of configuring in-band management access via a L3OUT for  which you have described in your blog, it will be great Please do reply and share the video if you can.

Unfortunately, I don't have any videos.  I have several that I'd like to do, perhaps I'll get time one day.

I hope this helps

RedNectar
aka Chris Welsh

Hello Chris,

I'm a bit stuck in the L3out situation. At the end, I am able to ping all the switches from via the L3out (which is located in the common:default in my case) but I cannot reach the APIC's. 

I can reach the APIC's if I login to the Leaf switches and even via a VM inside the ACI fabric. So all seems fine, except L3outside to the APIC's. 

I'm using SVI on the L3out, and the subnet is redistributed into EIGRP. I verified that it is visible on the outside networks.

Do you have any clue what I am missing? 

regards

Michel

Hi Michel,

I'm not soo sure what your problem is. The only thing that springs to mind quickly is to check that you have set the APIC's managment preference to inband via:

Fabric > Fabric Policies > Global Policies > Connectivity Preferences

However, be careful doing this - it is possible to loose all connectivity with the APIC once this has been set to inband (if your L3 out is not set up correctly)

Hello Chris,

Thanks for your prompt reply. I have changed that option, and I can reach for example vCenter via inband to an EPG inside the Fabric. It's a strange issue, because I can reach all switches on the inband mgmt IP address from outside the Fabric, except for the APIC's

I'm probably going to open a TAC case on Monday, let see what they have to say. I'll let you know what the outcome is

Thanks again

Michel

Hello Chris,

I'm a bit stuck in the L3out situation. At the end, I am able to ping all the switches from via the L3out (which is located in the common:default in my case) but I cannot reach the APIC's. 

I can reach the APIC's if I login to the Leaf switches and even via a VM inside the ACI fabric. So all seems fine, except L3outside to the APIC's. 

I'm using SVI on the L3out, and the subnet is redistributed into EIGRP. I verified that it is visible on the outside networks.

Do you have any clue what I am missing? 

regards

Michel

Were you able to resolve the issue of not being able to ping the APIC in-band IPs from outside the fabric while all the other switches are reachable?