
Network Details in ACI

Hi All,

How can I see which networks are configured for each VLAN in ACI? I do not see the network details in ACI. I looked under the BD but don't see any details; it was showing a Querier IP address under all BDs, which was unreachable.

I am new to ACI; having learned the ACI concepts, when I try to explore the same in real time it all looks different.

There was an internet connection terminated on the ACI switches, but I am not sure where NAT control was in place.

I can see there are 6 Logical Interface Profiles configured under the L3 out, each with an individual VLAN, which was the firewall IP address context on 2 firewalls in an active-active setup.

There was a static route pointed for all networks towards the firewall, so I assume all NAT was controlled on the firewall.

A BGP connection was established over P2P connectivity with the remote office, and for all addresses the default route was accepted from this P2P connection.

So it is quite confusing for me to understand the concept. Can someone help me understand this concept or suggest good documents for the same?

Maybe this description will be difficult to understand, so I will go one by one to understand completely.

The first detail I am looking for is where to check the networks configured in ACI for each VLAN; then I will go into more detail with the rest of my questions and queries.

3 Replies

RedNectar
VIP

Hi @Dinesh Kumar Mariappan ,

Learning ACI is a difficult process - and you need to forget many of the ideas you have already learned - like the link between VLANs and IP addressing, because it is totally different in ACI

Firstly, you may find the answer I gave to another question useful - so take a look at this first: which is the answer to a question "how the traffic go through the ACI from one side user/VM to other side. For example, one vm ip 10.0.0.10 on one side leaf to 10.10.10.10 on other side leaf."

Now let me address some of your items

There was internet connection terminated on ACI Switches but not sure where NAT control was in place.

ACI does not do NAT, so if there is any NAT going on, it will be on the attached routers/firewalls

I can see there 6 Logical interface profile under L3 out was configured with individual VLAN ,which was firewall IP address context in 2 Firewall which was active active setup.

This is a bit more difficult to answer.  6 Logical Interface Profiles IS A LOT OF PROFILES - I would normally expect one or two interface profiles - perhaps some of them are not being used.

In any case - for the L3 Out - look firstly at the Node Profile(s); this will tell you which nodes are actually doing the routing with the external firewalls, and this is going to be key in your troubleshooting

To troubleshoot L3 in ACI, you need to know

  1. The name of the tenant
  2. The name of the VRF within the tenant that is linked to the L3Out
  3. The nodes on which the L3Out is configured

So if say the tenant was called Tenant01 , the VRF called Production_VRF and the nodes were 2201 and 2202, then start an ssh session on the APIC and enter this command

fabric 2201,2202 show ip route vrf Tenant01:Production_VRF 

You can of course also issue commands like

fabric 2201,2202 show ip interface brief vrf Tenant01:Production_VRF 

and use 

fabric 2201,2202 show ip ? 

to explore other options

Hopefully this is enough to get you started

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks for your time to explain much detail.

I mentioned 6 Logical Interface Profiles; that was not right.

Under L3_out there are 6 Logical Interface Profiles configured towards the firewall.

Under each Logical Interface Profile there are 2 IPs configured.

Let's say the Side A IP address is 10.10.10.2, the Side B IP address is 10.10.10.3, and the secondary IP address is 10.10.10.1.

For the other IP address peer, the Side A IP address is 10.10.10.4, the Side B IP address is 10.10.0.5, and the secondary IP address is 10.10.10.1.

It is configured in a similar way for all Logical Node Profiles.

So, under the L3 out there are 7 Logical Node Profiles in total:

1. One profile for P2P connectivity (BGP peering with External EPG, accepting default route 0.0.0.0/0)

2. The other 6 profiles are towards the firewall

My first question was: I didn't see the network address under the BD. I know what the network address is under each VLAN.

Let's say I have VLAN 10, the BD for this VLAN 10 is VLAN_10_BD, the VRF for this VLAN is VLAN_10_VRF, and the tenant is ABC. As per my tracker, I know the network address is 100.100.100.0/24 and the gateway of this VLAN is 100.100.100.1, and this was logically behind one of my firewalls. But I didn't see where this 100.100.100.0/24 network was configured in ACI with a default gateway.

All my networks were pointed towards the same gateway, 192.168.10.1, which is a dummy one and not reachable. I am checking this value under Tenant - Application Profile--Networking--BD. My question is where the network needs to be configured; one of my friends told me this is an L2 BD, so there is no need to configure the network address in ACI.

Hi @Dinesh Kumar Mariappan ,

I'm still finding it hard to picture your setup.  Here are some <random thoughts>

  • You need to understand that BDs and L3Outs are very different things
    • BDs and Application EPGs are linked (every Application EPG must be linked to exactly one BD)
    • L3Outs and External EPGs (L3 EPGs) are linked - in fact the L3EPG is part of the L3Out
  • You have not mentioned anything about what Application EPGs you have - you have only mentioned "BGP peering with External EPG with accepting Default route 0.0.0.0/0"
    • Remember that in ACI, a VLAN is assigned to an Application EPG - so without the details of the Application EPGs you have I'm a bit lost.
  • Endpoints in ACI refer to devices whose traffic enters ACI via an Application EPG
    • And devices whose traffic enters via a L3Out are NOT considered endpoints in ACI
  • There are two ways of attaching Endpoints to ACI
    1. Endpoints are set up with a default gateway that exists on a BD or an EPG in ACI.
      • This is considered the BEST way to make the most of all the features ACI has to offer
      • Note that these default gateway addresses are USUALLY configured on a Bridge Domain, but MAY be configured on an EPG (unusual, but you did say you could not see the IP Address on the BD)
    2. A router or firewall is configured as an endpoint in an EPG, and all the other endpoints in that EPG use that router/firewall as the default gateway.
      • This design is often referred to as a L2 Only design - and as your friend mentioned, in this design ACI has no IP Addresses
        • I suspect that your friend is correct, and this is the design you have
      • However, this design has NO L3Outs - or if they do they have nothing to do with traffic between endpoints
      • So I'm beginning to wonder if your L3Out configuration is simply to allow traffic between the firewalls/routers that serve as the default gateways, and other firewalls/routers that may connect to the Internet or DMZ or such.  Especially since you say you have seven Logical Node Profiles
        • Each Logical Node Profile represents a different node/leaf - so that's seven leaf switches with routers or firewalls attached!

</end of random thoughts>

Now to your questions

My First question was, I didn't see the Network address under BD, I know under the each VLAN what the network address is 

Not in ACI I suspect - probably on a firewall or router

Let Say, I have VLAN 10, BD for this VLAN 10 is VLAN_10_BD,

This does NOT make sense in ACI.  VLANs are associated with EPGs. EPGs are associated with BDs. So perhaps you have VLAN 10 mapped to EPG 10 which is linked to BD 10

VRF for this VLAN is VLAN_10_VRF, Tenant is ABC,

It would be very unusual to have a VRF for just one VLAN - but if this is a L2 design the VRF is totally irrelevant and not even needed.

as per my tracker i know the network address is 100.100.100.0/24 and Gateway of this VLAN is 100.100.100.1 and this was logically behind one my Firewall. But i didnt see where this 100.100.100.0/24 network in ACI was configured with default gateway,

ACI does not need to know anything about the 100.100.100.0/24 network if this is a L2 design - it MIGHT learn it in a L3Out's VRF from an external source, but you won't find any configuration for it on ACI

All my network was pointed towards same gateway with 192.168.10.1 which dummy one and not reachable. This value I am checking under Tenant - Application Profile--Networking--BD, my question where i need to Network configured, one of my friends told this L2 BD so no need to configure the network address in ACI.

I think your friend is correct

RedNectar aka Chris Welsh.
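
The VLAN → EPG → BD chain and the "gateway on the BD, on the EPG, or nowhere (L2 only)" distinction described in the reply above, as an added example that is not part of the thread or of Cisco's tooling. It walks objects shaped like an APIC REST subtree query result; the data is constructed, the tenant ABC and BD VLAN_10_BD come from the thread, and every other name and address is an assumption.

```python
import json

def _mo(cls, **attrs):          # helper to build one constructed managed object
    return {cls: {"attributes": attrs}}

# Constructed sample, shaped like a flat APIC subtree reply for tenant ABC
# (classes fvBD, fvRsBd, fvRsPathAtt, fvSubnet). AP1/EPG_x names are made up.
EPG = "uni/tn-ABC/ap-AP1/epg-EPG_%d"
PATH = "/rspathAtt-[topology/pod-1/paths-101/pathep-[eth1/%d]]"
SAMPLE = json.dumps({"imdata": [
    _mo("fvBD", dn="uni/tn-ABC/BD-VLAN_10_BD", name="VLAN_10_BD", unicastRoute="no"),
    _mo("fvBD", dn="uni/tn-ABC/BD-VLAN_20_BD", name="VLAN_20_BD", unicastRoute="yes"),
    _mo("fvBD", dn="uni/tn-ABC/BD-VLAN_30_BD", name="VLAN_30_BD", unicastRoute="yes"),
    _mo("fvRsBd", dn=EPG % 10 + "/rsbd", tnFvBDName="VLAN_10_BD"),
    _mo("fvRsBd", dn=EPG % 20 + "/rsbd", tnFvBDName="VLAN_20_BD"),
    _mo("fvRsBd", dn=EPG % 30 + "/rsbd", tnFvBDName="VLAN_30_BD"),
    _mo("fvRsPathAtt", dn=EPG % 10 + PATH % 10, encap="vlan-10"),
    _mo("fvRsPathAtt", dn=EPG % 20 + PATH % 20, encap="vlan-20"),
    _mo("fvRsPathAtt", dn=EPG % 30 + PATH % 30, encap="vlan-30"),
    _mo("fvSubnet", dn="uni/tn-ABC/BD-VLAN_20_BD/subnet-[10.20.0.1/24]", ip="10.20.0.1/24"),
    _mo("fvSubnet", dn=EPG % 30 + "/subnet-[10.30.0.1/24]", ip="10.30.0.1/24"),
]})

def vlan_report(raw):
    """Map (VLAN encap, EPG name) -> BD, gateway subnets and an L2-only flag."""
    bds, epg_bd, epg_vlans, subnets = {}, {}, {}, {}
    for obj in json.loads(raw)["imdata"]:
        (cls, body), = obj.items()
        a = body["attributes"]
        dn = a["dn"]
        if cls == "fvBD":
            bds[a["name"]] = {"dn": dn, "routing": a["unicastRoute"] == "yes"}
        elif cls == "fvRsBd":        # EPG -> BD link; parent of the DN is the EPG
            epg_bd[dn.rsplit("/rsbd", 1)[0]] = a["tnFvBDName"]
        elif cls == "fvRsPathAtt":   # static path binding carries the VLAN encap
            epg_vlans.setdefault(dn.split("/rspathAtt-", 1)[0], set()).add(a["encap"])
        elif cls == "fvSubnet":      # gateway lives under a BD or under an EPG
            subnets.setdefault(dn.split("/subnet-", 1)[0], []).append(a["ip"])
    report = {}
    for epg_dn, vlans in epg_vlans.items():
        bd_name = epg_bd.get(epg_dn)
        bd = bds.get(bd_name, {})
        gws = subnets.get(bd.get("dn"), []) + subnets.get(epg_dn, [])
        routing = bd.get("routing", False)
        for vlan in vlans:           # keyed per EPG: encaps can repeat across EPGs
            report[(vlan, epg_dn.rsplit("/epg-", 1)[1])] = {
                "bd": bd_name, "gateways": gws, "unicast_routing": routing,
                "l2_only": not gws and not routing}
    return report
```
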