L3out visibility

compterds
Level 1

Hello,

I'm wondering something about L3outs created in the common tenant.

We've created 3 different L3outs in the common tenant:

L3out-Number1- Security 1

L3out-Number2- Security 2

L3out-Number3- Security 3 

It seems that from each new tenant, we could use either the Number1, Number2 or Number3 L3out (because of the common tenant).

What we'd like to do is share Number1 with several tenants, Number2 with several other tenants, and so on.

We're currently working with ACI 2.2(2j) and Openstack Helion.

In OpenStack we have a lot of customers who need to reach external devices depending on the security level of the external device.

As an example:

2 customers: A, which is allowed to reach security level 1, and B, which is allowed to reach security level 2.

2 tenants: A and B (corresponding to projects A and B on the OpenStack side).

Now in OpenStack, my customer A can see 3 different L3outs and could use the Security 1 L3out as well as Security 3, for example.

There is no limitation on which L3out could be consumed. Everyone could use whatever they want in the common tenant...

Do you have any idea?

Yoann

1 Reply

Jason Williams
Level 1

If you want the L3 out to communicate with EPGs within other tenants, then you have a couple of options.

Option 1: Configure the EPGs and L3 outs to use the same VRF. To do this, you would need to use a VRF which exists in the common tenant, because only VRFs existing in the common tenant are visible to other tenants.

For example:

Tenant common

> L3-out-1

> VRF common:vrf1 (naming convention is <tenant-name>:<vrf-name>)

Tenant customer-1

> EPG-1

> BD-1

> VRF common:vrf1 

This places the EPG in the same VRF as the L3-out. Once this configuration is complete, then the customer BD would need to be associated to the common L3 out (done in the BD L3 configuration). BD subnet would also need to be set to "Advertised Externally". Use contracts between the L3 out and EPG(s).

Option 2: Use the shared L3 out configuration. The customer EPGs would be in a different VRF than the L3 outs in the common tenant. The VRFs would need to leak the routes.

Example: 

Tenant common

> L3-out-1

> VRF common:vrf1 

Tenant customer-1

> EPG-1

> BD-1

> VRF customer-1:customer-vrf-1 

Once this configuration is complete, the EPG/BD subnet must be set to "Advertised Externally" and "Shared between VRFs". No need to associate the BD to the L3 out if they are in different VRFs. The scope of the contract between the EPG(s) and the L3 out must be set to "Global". For successful route leaking, it's best to have both the EPG and L3out doing both providing and consuming of the contract. That would assume the subnet is defined in the bridge domain. If the subnet is defined in the EPG, then only the EPG needs to provide a contract to the L3 out. With this configuration the L3 out can still provide to the EPG (which has the EPG subnet) but it is not required. 

In regards to contracts, you could use a contract which is created in the common tenant, since that is visible to all other tenants. There is no requirement to export/import contracts between tenants.

I would recommend reading through the documents below on Shared services and Shared L3 out: 

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01000.html#id_32325

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/basic-config/b_ACI_Config_Guide/b_ACI_Config_Guide_chapter_0110.html#concept_A3828485EE594C37B2D5E5DA7765EC53

Jason
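As an added illustration of Option 2 above (not code from the thread or from Cisco), the script below renders the tenant objects the reply describes as APIC policy XML and then checks the prerequisites it lists for the BD-subnet case: subnet scope "Advertised Externally" plus "Shared between VRFs", contract scope Global, and both the EPG and the external EPG providing and consuming the contract. The tenant, VRF, BD, EPG and L3out names follow the reply; the contract name, the 10.1.1.1/24 BD subnet, the 203.0.113.0/24 external prefix and the "ext-epg" external EPG are assumptions.

```python
import xml.etree.ElementTree as ET

CONTRACT = "shared-svc"  # assumed contract name, not from the thread

def build_shared_l3out_policy():
    """Render the Option 2 objects as an APIC polUni tree."""
    uni = ET.Element("polUni")
    common = ET.SubElement(uni, "fvTenant", name="common")
    ET.SubElement(common, "fvCtx", name="vrf1")
    # Contract scope "global" is what the reply requires for cross-VRF use.
    brcp = ET.SubElement(common, "vzBrCP", name=CONTRACT, scope="global")
    subj = ET.SubElement(brcp, "vzSubj", name="any")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName="default")
    l3out = ET.SubElement(common, "l3extOut", name="L3-out-1")
    ET.SubElement(l3out, "l3extRsEctx", tnFvCtxName="vrf1")
    ext = ET.SubElement(l3out, "l3extInstP", name="ext-epg")
    # Assumed external prefix; shared-rtctrl/shared-security leak it into customer-vrf-1.
    ET.SubElement(ext, "l3extSubnet", ip="203.0.113.0/24",
                  scope="import-security,shared-rtctrl,shared-security")
    ET.SubElement(ext, "fvRsProv", tnVzBrCPName=CONTRACT)
    ET.SubElement(ext, "fvRsCons", tnVzBrCPName=CONTRACT)
    cust = ET.SubElement(uni, "fvTenant", name="customer-1")
    ET.SubElement(cust, "fvCtx", name="customer-vrf-1")
    bd = ET.SubElement(cust, "fvBD", name="BD-1")
    ET.SubElement(bd, "fvRsCtx", tnFvCtxName="customer-vrf-1")
    # GUI "Advertised Externally" = public, "Shared between VRFs" = shared (assumed subnet).
    ET.SubElement(bd, "fvSubnet", ip="10.1.1.1/24", scope="public,shared")
    epg = ET.SubElement(ET.SubElement(cust, "fvAp", name="AP-1"), "fvAEPg", name="EPG-1")
    ET.SubElement(epg, "fvRsBd", tnFvBDName="BD-1")
    ET.SubElement(epg, "fvRsProv", tnVzBrCPName=CONTRACT)
    ET.SubElement(epg, "fvRsCons", tnVzBrCPName=CONTRACT)
    return uni

def check_shared_l3out(uni):
    """Return the prerequisites from the reply that the tree fails to meet."""
    problems = []
    for sub in uni.iter("fvSubnet"):
        if not {"public", "shared"} <= set(sub.get("scope", "").split(",")):
            problems.append(f"BD subnet {sub.get('ip')}: scope={sub.get('scope')!r}")
    for c in uni.iter("vzBrCP"):
        if c.get("scope") != "global":
            problems.append(f"contract {c.get('name')}: scope={c.get('scope')!r}")
    for tag in ("fvAEPg", "l3extInstP"):  # BD-subnet case: both sides provide and consume
        for node in uni.iter(tag):
            rels = {child.tag for child in node if child.tag in ("fvRsProv", "fvRsCons")}
            if rels != {"fvRsProv", "fvRsCons"}:
                problems.append(f"{tag} {node.get('name')}: must provide and consume {CONTRACT}")
    return problems
```

Running `check_shared_l3out` over a tree parsed from a tenant XML export (instead of the built one) gives a quick audit of which customer tenants are actually wired to a given common L3out, which is the visibility question the original post raises.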
