cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2198
Views
0
Helpful
2
Replies

Questions on tenants, vrf's and shared l3out. Do I understand these 4 scenario's correctly?

jgesualdi
Level 1
Level 1

I have some questions on tennants , vrf's and shared l3outs and how the routing of packets occurs.  I need to know if I understand the scenario's below correctly. I have 4 different scenario's.

 

1.  I have two different tenants and inside these tenants I have epg's and bridge domains. Both tenant BD's use a VRF and l3out that's in the common tenant. No overlapping ip space. The vrf is in unenforced mode. I'm assuming hosts inside these different tenants can comminucate freely and the switching of these packets is totaly inside the fabric, not through the  l3out. Is this a correct statement?

 

2. Same scenario as above but this time the  vrf is in enforced mode. Again hosts inside these different tenants can comminucate freely and the switching of these packets is internal to the fabric. However, I do need the appropriate contracts in place to allow it? Is this a correct statement?

 

3. Two different tenants. BD's, EPG's and vrf's in each tenant. Both tenant BD's use a shared l3out that's in the common tenant. No overlaping IP's.  Subnets are avertised externally.  Hosts inside these different tenants can comminucate but the traffic needs to be routed by the l3out. Packets go out one tenant, to a router and deleivered to the other tenant. Is this a correct statement? Not sure what I would need for contracts or how they would work in this scenario.

 

4. Two different tenants. BD's, EPG's, vrf's and l3out's  in each tenant. No overlaping IP's.  Subnets are avertised externally.  Hosts inside these different tenants can comminucate. I'm assuming the routing of packets is similar to scenario 3?

 

Am I correct? Is there anything else you can add to claify things for me?

 

Thanks

 

 

 

 

 

2 Replies 2

Jason Williams
Level 1
Level 1

1. I have two different tenants and inside these tenants I have epg's and bridge domains. Both tenant BD's use a VRF and l3out that's in the common tenant. No overlapping ip space. The vrf is in unenforced mode. I'm assuming hosts inside these different tenants can comminucate freely and the switching of these packets is totaly inside the fabric, not through the l3out. Is this a correct statement?

Yes, both EPGs are in the same VRF. That VRF is unenforced so no need to apply contracts for these 2 EPGs to communicate.

2. Same scenario as above but this time the vrf is in enforced mode. Again hosts inside these different tenants can comminucate freely and the switching of these packets is internal to the fabric. However, I do need the appropriate contracts in place to allow it? Is this a correct statement?

Correct, you would need contracts in place for this to work.

3. Two different tenants. BD's, EPG's and vrf's in each tenant. Both tenant BD's use a shared l3out that's in the common tenant. No overlaping IP's. Subnets are avertised externally. Hosts inside these different tenants can comminucate but the traffic needs to be routed by the l3out. Packets go out one tenant, to a router and deleivered to the other tenant. Is this a correct statement? Not sure what I would need for contracts or how they would work in this scenario.

May need some further clarification on this scenario. If I understand correctly, there are 3 VRF's involved. VRF-1 in User Tenant-1; VRF-2 in User Tenant-2; Common-VRF in Common Tenant. The EPG/BDs in each user tenant can communicate with the same L3 out in the Common-VRF (BD subnet in VRF-1 and BD subnet in VRF-2 will be leaked into Common-VRF). If this assumption is correct, then it should not work as there will be overlap in subnets. The Common-VRF would see the EPG-1 subnet twice (once from route leaking by VRF-1 and again by the L3 out in the Common-VRF).

If the traffic from EPG-1 (Tenant-1) must reach EPG-2 (Tenant-2) via L3 out, then you will need a minimum of 2 different L3-outs and both L3-outs cannot be in the same VRF with one another. You could so L3-out-1 in VRF-1 which has external routes to reach EPG-2. Same configuration goes for Tenant-2. L3-out-2 in VRF-2 which has external routes to EPG-1.

4. Two different tenants. BD's, EPG's, vrf's and l3out's in each tenant. No overlaping IP's. Subnets are avertised externally. Hosts inside these different tenants can comminucate. I'm assuming the routing of packets is similar to scenario 3?

This would be what I mentioned above in scenario 3. For the host to communicate, then make sure EPG-1 has a contract with L3-out-1. EPG-2 needs a contract with L3-out-2. No route leaking. 

-JW

For scenario 3 I'm not leaking any routes.

3 VRF's involved. VRF-1 in User Tenant-1; VRF-2 in User Tenant-2; Common-VRF in Common Tenant. The EPG/BDs in each user tenant use the same L3 out in the Common-VRF. My question is can hosts in tenant 1 communicate with hosts in tenant 2? If yes, is it the external router on the other side of the l3out that is routing the packets? So basically the router is acting like a router on a stick?

Thx.

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License