Re: Overlapping of same subnet(Application Centric Infrastructure)

otgnwp · ‎06-30-2024

We have deployed following set up on ACI

Example:

Tenant A -----> VRF A------> BD 1-----> EPG A, EPG B, EPG C(Production)
Tenant A -----> VRF A------> BD 2-----> EPG D

Now , We have a new requirement to use Same IP of EPG A which is not communicate to anyone under Non Production

Same IP will be use on both Production and Non Production(should communicate only to Specific resource)

What is the Best Practice configuration to achieve above requirement on ACI.

if it is possible, Please share a configuration guide.

Thanks in Advance

Regards ,

Mohammed Asif

RedNectar · ‎06-30-2024

Hi @otgnwp

Assuming Tenant_A is your Production tenant, the easiest way (and best practice) to re-use the Same IP that exists in VRF_A is to create a new tenant, say Tenant_B

Inside Tenant_B you create a whole new VRF (called VRF_A if you like) with a new set of BDs and EPGs - again, you can use the same BD names and EPG names in Tenant_B as you have in Tenant_A if you want.

Another way of doing this is to have a new VRF, say VRF_B inside Tenant_A. You'll need a new BD as well to hold the duplicated IP subnet.

It troubles me a little that you say:

Same IP will be use on both Production and Non Production(should communicate only to Specific resource)

Do you expect this Specific resource to be able to communicate with two different devices that share the same IP subnet? One in Tenant_A and the other in Tenant_B? If so, you'll need to NAT those duplicate IP subnets, and to do that, you'll need to go via a L3Out - which complicates the design greatly.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

otgnwp · ‎07-09-2024

Hi Chris,

find an attachment of my requirement. Please go through and suggest option to achieve.

Another way of doing this is to have a new VRF, say VRF_B inside Tenant_A. You'll need a new BD as well to hold the duplicated IP subnet.

How we can do this Another Way.Please Share ACI guide

otgnwp · ‎07-09-2024

Hello Chris,

Correctly Said,

Do you expect this Specific resource to be able to communicate with two different devices that share the same IP subnet? One in Tenant_A and the other in Tenant_B? If so, you'll need to NAT those duplicate IP subnets, and to do that, you'll need to go via a L3Out - which complicates the design greatly.

I want to communicate through BD3 resource.

Thanks in Advance

Regards,

Mohammed Asif

AshSe · ‎07-10-2024

For a better clarity and response; kindly validate your proposed topology as below:

otgnwp · ‎07-10-2024

Hello AshSe,

Thanks for Sharing Topology.

Above Topology is my requirement.

Can i use existing L3 out which use for Prod_VRF or i can configure new L3 out to communicate Outside World through EPG3.

Please suggest

Thanks in Advance

Regards,

Mohammed Asif

AshSe · ‎07-10-2024

Hi @otgnwp , the above topology as required by you is not possible as there is 1 to 1 connection between a BD and VRF. In other words, you can not attach one BD with two VRFs.

Below are the diagrams of two options as suggested by @RedNectar . I will also suggest you to opt first as the best topology for your requirement:

PS: Regarding your L3Out connectivity, we will discuss once you are comfortable adopting the legitimate topology.

HTH

otgnwp · ‎07-10-2024

Hello Ashse,

Thanks for response

i can opt for option 2 . same subnet with different BD Id.

Thanks in advance

Regards,

Mohammed Asif

AshSe · ‎07-11-2024

Hello @otgnwp , now since you have selected Option-2. Kindly check the below diagram and approve the understanding:

As per my Understanding from your explanation (and the same is drawn in the diagram)

Jump Host server is residing in EPG-3
Jump Host clients are residing in EPG-4 (can also be in EPG-1 & 2 as well)
L3Out is configured for communication with non-ACI fabric
BD-3 only should be connected (advertise) to outside world.

Requirement:

BD-4 in Non-Prod-VRF doesn't want to communicate outside world except BD-3 (That act as a Jump host to connect to BD-4 resource and outside World)

Solution:

> will suggest once you confirm/modify above understanding/requirement.

otgnwp · ‎07-11-2024

Hello AshSe,

Thanks for Understanding my requirement.

It is confirmed below mentioned topology is my requirement.

Thanks in Advance

Regards,

Mohammed Asif

AshSe · ‎07-11-2024

Hello Asif,

If all configurations (BGP-RR, Access Policy, Logical Setup, L3Out etc.) duly configured then you need to:

Check - "Advertise Externally" in BD-3/Subnet
Associate - L3Out_Nw in BD-3
Create a Contract and Apply in between EPG-3 and External EPG

PS: I hope you are clear of the concept of "External Subnet for External EPG".

HTH

otgnwp · ‎07-11-2024

Hello Ashse,

Can you share reference Link or Document to configure :

BGP-RR

Logical Setup

L3Out

Associate - L3Out_Nw in BD-3

External Subnet for External EPG

Thanks in Advance,

Regrads

Mohammed Asif

AshSe · ‎07-11-2024

Hello Asif,

You can search and buy this book:

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

Available at Amazon: Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

RedNectar · ‎07-11-2024

@AshSe wrote:

Hello Asif,

You can search and buy this book:

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

Available at Amazon: Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

I have a copy I'll GIVE you if you want to pick it up - but let me tell you that book is quite out of date now! Possibly worth it if you move the decimal point 3 places to the left.

P.S. i've had this post marked for a while to do a decent reply to, might get time on the weekend, but @AshSe seems to be doing a great job so hopefully I won't need to!

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

otgnwp · ‎07-12-2024

Hello Ashse,

Can i use existing(Prod_Vrf) below L3 Out for Non-Prod_Vrf

Two VRF Deployment (Inside and Outside).
o Outside VRF is deployed between 1) Campus Core and ACI Border Leaf 2) ACI
Border Leaf and FTD Firewall(Data center Firewall)

o Inside VRF is deployed between Border Leaf and FTD firewall(Data center Firewall)

Thanks in Advance

Regards,

Mohammed Asif