07-27-2018 07:44 AM - edited 03-01-2019 05:36 AM
Hello,
I have set up an L3Out with OSPF between my router and ACI. My problem is that my ping doesn't come back from my external network. Tcpdump shows the reply on my endpoint, and after that nothing arrives at my firewall. My packet is lost or dropped, I don't know, somewhere in my fabric, even though I have created an external L3 EPG...
I created an L3 contract and OSPF works perfectly, and I can ping all of my fabric from my router, but not from my external network.
Thanks !
07-27-2018 07:51 AM
@Chris010, did you create a contract on your L3 EPG to allow traffic?
07-27-2018 07:59 AM
Thanks for reply,
Yes, I have created a ping contract from
External Routed Networks -> Networks -> My L3 EPGs -> Contracts -> provided ping contract
and the other one on my EPG (Application Profile).
I can see the ping on my endpoint thanks to tcpdump, but the packet stays blocked or dropped in my fabric. Nothing on my router.
Thanks
07-27-2018 08:21 AM - edited 07-27-2018 08:39 AM
Router table:
----------
22.0 via 17.254, router ID 1.1.1.1
VRF table:
---------
22.0 via overlay
17.0 via 17.254
17.254 via 17.254
External EPG:
-----------
subnet 15.0/24
scope: external subnets
contract: ping
07-27-2018 11:27 AM - edited 07-27-2018 09:53 PM
Hi guys,
Quick question: do you need to define any subnets in the bridge domain of the External EPG of the L3Out? If so, what network would it be?
Application EPGs have subnets in their BD but not the External EPG.
07-27-2018 12:26 PM
Hi Mohamed,
I need to define subnets in my bridge domain in order to route (thanks to unicast routing) and to share routes between VRFs in my fabric. I have enabled externally and shared between VRFs on my BD, then I declared a subnet for each EPG.
The subnet on the L3 EPG tells ACI where/what my external network is, 0.0.0.0/0 or 1.0.15.0/24 (I don't find it in my VRF common result), and without it OSPF is broken. If I want to share my L3Out with another tenant, I have to declare the scope "shared route control" on the subnet, am I wrong?
I retrieve the ACI routing table from my router (I don't want to import my routing table into ACI), then I put a static route in ACI to indicate where the next hop is (where you declare the router ID number), and now it works! I found the static route in my VRF (show ip route vrf common:Vcommon).
OK, so the external L3 EPG is not good enough for external routing, or am I missing something?
07-27-2018 12:44 PM
Hi Chris, so adding that static route + subnet in the BD fixed your problem?
Do you also have a subnet in the External EPG?
07-27-2018 01:04 PM - edited 07-27-2018 01:17 PM
Yes, it's 1.0.15.0/24 in my external EPG subnet + static routing, then it works...
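To make the two fixes the thread converges on concrete, here is a small Python model of what an ACI VRF does with a packet between an application EPG and an L3Out external EPG. It is an added example, not code from the thread or from Cisco: it models three checks on the forwarding path, a route for the destination in the VRF (OSPF-learned, pervasive, or static), classification of the destination into an external EPG by the longest-matching subnet carrying the "External Subnets for the External EPG" scope (import-security in the object model), and a contract between the two EPGs. Internal endpoints are classified by BD subnet here as a simplification (the fabric really uses learned endpoints), and the prefixes 10.0.22.0/24, 10.0.17.0/24 and 10.0.17.254 are constructed stand-ins for the abbreviated "22.0" / "17.0" / "17.254" values in the posts.

```python
"""Toy model of ACI VRF forwarding for app-EPG <-> external-EPG traffic.
Added example for the thread above; not Cisco code. It only models three
checks: route lookup, EPG classification, and contract lookup."""
from ipaddress import ip_address, ip_network

# Constructed sample fabric state (assumptions, not values from the posts).
BD_SUBNETS = {"Web": ["10.0.22.0/24"]}            # app EPG -> BD subnets (advertised externally)
ROUTES_OSPF_ONLY = {
    "10.0.22.0/24": "overlay",                    # pervasive route for the BD subnet
    "10.0.17.0/24": "10.0.17.254",                # L3Out interface subnet toward the router
}
ROUTES_WITH_STATIC = {**ROUTES_OSPF_ONLY, "1.0.15.0/24": "10.0.17.254"}  # the static route added in the thread
EXT_SUBNET_SPECIFIC = {"1.0.15.0/24": ("ExtEPG", {"import-security"})}    # external EPG subnet, correct scope
EXT_SUBNET_DEFAULT = {"0.0.0.0/0": ("ExtEPG", {"import-security"})}       # catch-all classification
EXT_SUBNET_ROUTE_ONLY = {"1.0.15.0/24": ("ExtEPG", {"export-rtctrl"})}    # route-control scope only: no classification
CONTRACTS = {("Web", "ExtEPG")}                   # the "ping" contract, treated as an unordered pair below


def lpm(table, ip):
    """Longest-prefix match: (network, value) for the most specific key containing ip, or None."""
    addr = ip_address(ip)
    best = None
    for prefix, value in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def classify(ip, bd_subnets, ext_subnets):
    """Map an address to an EPG name. Internal endpoints (modelled by BD subnet) win;
    otherwise the most specific external-EPG subnet that carries import-security."""
    for epg, subnets in bd_subnets.items():
        if lpm({s: epg for s in subnets}, ip):
            return epg
    ext = {p: epg for p, (epg, scope) in ext_subnets.items() if "import-security" in scope}
    hit = lpm(ext, ip)
    return hit[1] if hit else None


def forward(src, dst, routes, bd_subnets, ext_subnets, contracts):
    """Return (verdict, reason) for a unicast packet src -> dst inside one VRF."""
    route = lpm(routes, dst)
    if route is None:
        return "drop", f"no route to {dst} in VRF"
    src_epg = classify(src, bd_subnets, ext_subnets)
    dst_epg = classify(dst, bd_subnets, ext_subnets)
    if src_epg is None or dst_epg is None:
        return "drop", (f"unclassified endpoint (src={src_epg}, dst={dst_epg}): "
                        "no external-EPG subnet with import-security matches")
    if (src_epg, dst_epg) not in contracts and (dst_epg, src_epg) not in contracts:
        return "drop", f"no contract between {src_epg} and {dst_epg}"
    return "forward", f"{src_epg} -> {dst_epg} via {route[0]} next hop {route[1]}"


def scenarios():
    """The thread's situation (request arrives, reply does not) and its fixes."""
    ext_ip, web_ip = "1.0.15.10", "10.0.22.5"
    return {
        "request, OSPF only":         forward(ext_ip, web_ip, ROUTES_OSPF_ONLY, BD_SUBNETS, EXT_SUBNET_SPECIFIC, CONTRACTS),
        "reply, OSPF only":           forward(web_ip, ext_ip, ROUTES_OSPF_ONLY, BD_SUBNETS, EXT_SUBNET_SPECIFIC, CONTRACTS),
        "reply, static route":        forward(web_ip, ext_ip, ROUTES_WITH_STATIC, BD_SUBNETS, EXT_SUBNET_SPECIFIC, CONTRACTS),
        "reply, static + 0.0.0.0/0":  forward(web_ip, ext_ip, ROUTES_WITH_STATIC, BD_SUBNETS, EXT_SUBNET_DEFAULT, CONTRACTS),
        "reply, static, wrong scope": forward(web_ip, ext_ip, ROUTES_WITH_STATIC, BD_SUBNETS, EXT_SUBNET_ROUTE_ONLY, CONTRACTS),
        "reply, static, no contract": forward(web_ip, ext_ip, ROUTES_WITH_STATIC, BD_SUBNETS, EXT_SUBNET_SPECIFIC, set()),
    }


if __name__ == "__main__":
    for name, (verdict, why) in scenarios().items():
        print(f"{name:28} {verdict:8} {why}")
```

The "reply, OSPF only" case reproduces the symptom in the first post: the request is delivered because the external source classifies into the external EPG and the BD subnet has a pervasive route, while the reply has no route to 1.0.15.0/24 in the VRF and is dropped before it ever reaches the router. The "wrong scope" case shows the other failure a practitioner hits: a subnet with only route-control scopes does not classify traffic, so the contract never matches.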
07-27-2018 01:25 PM
Great, I'm having a problem using the L3Out in the common tenant and trying to share it with another tenant.
The problem is that each time I try to assign the L3Out profile to the EPG, it gives an error "not able to form MO relation"... seems like a bug to me, but not sure.
I have already exported the contract from common to the other tenant, so this part is done, but I am not able to bind the EPG with the L3Out!
07-27-2018 01:54 PM
You just need to add the L3 Configuration association in your BD (other tenant) and have the BD Shared between VRFs + Externally.
07-27-2018 01:59 PM
07-27-2018 02:29 PM - edited 07-27-2018 02:33 PM
Do you have something in the L3 route profile field in your BD subnet? I have already seen this message when you declare something that doesn't exist for making the relation.
Does your contract have its scope set to Global?
07-27-2018 02:51 PM
There is no associated L3Out listed on the BD; when we use an inter-VRF shared L3Out, we do not need to associate the user tenant BDs with the L3Out in tenant common. If you had a tenant-specific L3Out, it would still be associated with your BDs in your respective tenants.
07-27-2018 09:41 PM - edited 07-27-2018 09:48 PM
Yep, in the BD subnet, if I open the drop-down menu I can see my L3Out from the common tenant already, but even if I select it, it gives the same error... selecting both gives the same error "L3 Route Profile and L3Out associated profile". My contract is global scope too, and I can't ping outside ACI from the EPG, but I do have filters to allow all.
Regarding your last message, does it mean that my shared L3Out does not need to be associated with other tenants, and the EPGs in the other tenants can use it by default? By the way, the subnet of the BD in the other tenant ("I keep calling it other tenant", or user tenant) is already advertised outside ACI with no association of the L3Out, so I think that proves that the association is not needed when the L3Out is in the common tenant. I'm just wondering what if you want to use a specific L3Out when you have two L3Outs in the common tenant? The association will fail, as I tried with no success.
07-28-2018 12:08 AM
I think that, if you share VRF common with another tenant, you must not indicate the L3Out association on the other tenant, since you share routes. You just need to enable externally and shared between VRFs on the BD and on the EPGs, with a global consumed contract interface, in order to ping your EPGs from the external network.
You can use tcpdump to see if routing is OK and traffic arrives in your EPGs.
You can also list the VRF routes of the other tenant to see if you have shared it correctly.
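Pulling the thread's conclusions together as one APIC REST payload (added example, not configuration posted by anyone in the thread): the common tenant carries the L3Out with the static route for the external prefix, the external EPG subnet with both the classification scope (import-security) and the two shared scopes needed for another VRF to use it, and a global-scope contract; the user tenant consumes that contract through an exported contract interface and marks its BD subnet "Advertised Externally" and "Shared between VRFs" without any L3Out association on the BD, as the last two replies describe. Tenant name TenantA, VRF names Vcommon and VrfA, object names L3Out-OSPF, border-leafs, ExtEPG, BD-Web, App and Web, node-101, router ID 1.1.1.1, next hop 10.0.17.254 and BD gateway 10.0.22.1/24 are all assumptions standing in for the abbreviated values in the posts; the filter "icmp" is the one that ships in tenant common.

```json
{
  "polUni": {
    "attributes": {},
    "children": [
      {"fvTenant": {"attributes": {"name": "common"}, "children": [
        {"vzBrCP": {"attributes": {"name": "ping", "scope": "global"}, "children": [
          {"vzSubj": {"attributes": {"name": "icmp"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "icmp"}}}
          ]}}
        ]}},
        {"l3extOut": {"attributes": {"name": "L3Out-OSPF"}, "children": [
          {"l3extRsEctx": {"attributes": {"tnFvCtxName": "Vcommon"}}},
          {"l3extLNodeP": {"attributes": {"name": "border-leafs"}, "children": [
            {"l3extRsNodeL3OutAtt": {"attributes": {"tDn": "topology/pod-1/node-101", "rtrId": "1.1.1.1"}, "children": [
              {"ipRouteP": {"attributes": {"ip": "1.0.15.0/24"}, "children": [
                {"ipNexthopP": {"attributes": {"nhAddr": "10.0.17.254"}}}
              ]}}
            ]}}
          ]}},
          {"l3extInstP": {"attributes": {"name": "ExtEPG"}, "children": [
            {"l3extSubnet": {"attributes": {"ip": "1.0.15.0/24", "scope": "import-security,shared-security,shared-rtctrl"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "ping"}}}
          ]}}
        ]}}
      ]}},
      {"fvTenant": {"attributes": {"name": "TenantA"}, "children": [
        {"vzCPIf": {"attributes": {"name": "ping"}, "children": [
          {"vzRsIf": {"attributes": {"tDn": "uni/tn-common/brc-ping"}}}
        ]}},
        {"fvBD": {"attributes": {"name": "BD-Web", "unicastRoute": "yes"}, "children": [
          {"fvRsCtx": {"attributes": {"tnFvCtxName": "VrfA"}}},
          {"fvSubnet": {"attributes": {"ip": "10.0.22.1/24", "scope": "public,shared"}}}
        ]}},
        {"fvAp": {"attributes": {"name": "App"}, "children": [
          {"fvAEPg": {"attributes": {"name": "Web"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "BD-Web"}}},
            {"fvRsConsIf": {"attributes": {"tnVzCPIfName": "ping"}}}
          ]}}
        ]}}
      ]}}
    ]
  }
}
```

The two scope strings are the part worth checking against your own config: on l3extSubnet, import-security is what classifies return traffic into the external EPG (the "External Subnets for the External EPG" checkbox), while shared-security and shared-rtctrl are what let the consumer VRF see the prefix and the class; on fvSubnet, public is "Advertised Externally" and shared is "Shared between VRFs". Note that the user tenant BD carries no fvRsBDToOut child, matching the replies that the association is not needed (and fails) for a shared L3Out living in common.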