cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1241
Views
1
Helpful
18
Replies

Overlapping of same subnet(Application Centric Infrastructure)

otgnwp
Level 1
Level 1

We have deployed following set up on ACI

Example:

Tenant A -----> VRF A------> BD 1-----> EPG A, EPG B, EPG C(Production)
Tenant A -----> VRF A------> BD 2-----> EPG D

Now , We have a new requirement to use Same IP of EPG A which is not communicate to anyone under Non Production

Same IP will be use on both Production and Non Production(should communicate only to Specific resource)

What is the Best Practice configuration to achieve above requirement on ACI. 

if it is possible, Please share a configuration guide.

Thanks in Advance

 Regards ,

Mohammed Asif

18 Replies 18

RedNectar
VIP
VIP

Hi @otgnwp 

Assuming Tenant_A is your Production tenant, the easiest way (and best practice) to re-use the Same IP that exists in VRF_A is to create a new tenant, say Tenant_B

Inside Tenant_B you create a whole new VRF (called VRF_A if you like) with a new set of BDs and EPGs - again, you can use the same BD names and EPG names in Tenant_B as you have in Tenant_A if you want.

Another way of doing this is to have a new VRF, say VRF_B inside Tenant_A. You'll need a new BD as well to hold the duplicated IP subnet.

It troubles me a little that you say: 

Same IP will be use on both Production and Non Production(should communicate only to Specific resource)

Do you expect this Specific resource to be able to communicate with two different devices that share the same IP subnet? One in Tenant_A and the other in Tenant_B?  If so, you'll need to NAT those duplicate IP subnets, and to do that, you'll need to go via a L3Out - which complicates the design greatly.

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi Chris,

find an attachment of my requirement. Please go through and suggest option to achieve.

 

Another way of doing this is to have a new VRF, say VRF_B inside Tenant_A. You'll need a new BD as well to hold the duplicated IP subnet.

How we can do this Another Way.Please Share ACI guide

 

 

otgnwp
Level 1
Level 1

Hello Chris,

Correctly Said,

Do you expect this Specific resource to be able to communicate with two different devices that share the same IP subnet? One in Tenant_A and the other in Tenant_B?  If so, you'll need to NAT those duplicate IP subnets, and to do that, you'll need to go via a L3Out - which complicates the design greatly.

I want to communicate through BD3 resource.

 

Thanks in Advance

Regards,

Mohammed Asif

AshSe
Level 3
Level 3

For a better clarity and response; kindly validate your proposed topology as below:

AshSe_1-1720606429357.png

 

 

Hello AshSe,

Thanks for Sharing Topology.

Above Topology is my requirement.

Can i use existing L3 out which use for Prod_VRF or i can configure new L3 out to communicate Outside World through EPG3.

Please suggest 

Thanks in Advance

Regards,

Mohammed Asif

 

Hi @otgnwp , the above topology as required by you is not possible as there is 1 to 1 connection between a BD and VRF. In other words, you can not attach one BD with two VRFs.

Below are the diagrams of two options as suggested by @RedNectar . I will also suggest you to opt first as the best topology for your requirement:

AshSe_0-1720675260505.png

AshSe_1-1720675291644.png

PS: Regarding your L3Out connectivity, we will discuss once you are comfortable adopting the legitimate topology.

HTH

Hello Ashse,

Thanks for response

i can opt for option 2 . same subnet with different BD Id.

otgnwp_0-1720677041075.png

Thanks in advance

Regards,

Mohammed Asif

 

AshSe
Level 3
Level 3

Hello @otgnwp , now since you have selected Option-2. Kindly check the below diagram and approve the understanding:

AshSe_1-1720683260695.png

As per my Understanding from your explanation (and the same is drawn in the diagram)

  • Jump Host server is residing in EPG-3
  • Jump Host clients are residing in EPG-4 (can also be in EPG-1 & 2 as well)
  • L3Out is configured for communication with non-ACI fabric
  • BD-3 only should be connected (advertise) to outside world.

Requirement:

  • BD-4 in Non-Prod-VRF doesn't want to communicate outside world except BD-3 (That act as a Jump host to connect to BD-4 resource and outside World)

Solution:

  • > will suggest once you confirm/modify above understanding/requirement.

Hello AshSe,

Thanks for Understanding my requirement.

It is confirmed below mentioned topology is my requirement.

otgnwp_0-1720686472677.png

Thanks in Advance

Regards,

Mohammed Asif

Hello Asif,

If all configurations (BGP-RR, Access Policy, Logical Setup, L3Out etc.) duly configured then you need to:

  1. Check - "Advertise Externally" in BD-3/Subnet
  2. Associate - L3Out_Nw in BD-3
  3. Create a Contract and Apply in between EPG-3 and External EPG

PS: I hope you are clear of the concept of "External Subnet for External EPG".

HTH

Hello Ashse,

Can you share reference Link or Document to configure :

BGP-RR

Logical Setup

L3Out

Associate - L3Out_Nw in BD-3

External Subnet for External EPG

Thanks in Advance,

Regrads

Mohammed Asif

Hello Asif,

You can search and buy this book:

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

Available at Amazon: Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure 


@AshSe wrote:

Hello Asif,

You can search and buy this book:

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

Available at Amazon: Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure 


RedNectar_0-1720698715471.png

I have a copy I'll GIVE you if you want to pick it up - but let me tell you that book is quite out of date now! Possibly worth it if you move the decimal point 3 places to the left.

P.S. i've had this post marked for a while to do a decent reply to, might get time on the weekend, but @AshSe seems to be doing a great job so hopefully I won't need to!

 

 

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hello Ashse,

Can i use existing(Prod_Vrf) below L3 Out for Non-Prod_Vrf

Two VRF Deployment (Inside and Outside).
o Outside VRF is deployed between 1) Campus Core and ACI Border Leaf 2) ACI
Border Leaf and FTD Firewall(Data center Firewall)


o Inside VRF is deployed between Border Leaf and FTD firewall(Data center Firewall)

Thanks in Advance

Regards,

Mohammed Asif

 

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License