11-27-2017 08:13 AM - edited 03-01-2019 05:23 AM
Hi,
Is there any way to apply route filters to networks being advertised between a tenant and the common tenant L3_OUT policy?
Basically I am trying to overcome a routing issue whereby I am advertising an aggregate address from one tenant (A) and a more specific network from another tenant (B) using the shared common L3_OUT policy, whereby the return traffic for the specific will return to tenant B.
Traditionally one would be able to use route-maps / filters to overcome this issue - is there any process for ACI?
Many thanks
11-27-2017 08:49 AM - edited 11-27-2017 08:50 AM
Hi Khashmi,
Can you provide more detail about your current configuration and topology? For example, are Tenant A and Tenant B using two separate VRFs or the same one?
You mentioned a shared common L3Out policy; does this mean that both tenants are using this L3Out to send traffic outside ACI? Or do you have two separate L3Outs and are you doing transit routing?
How are you advertising this route (the aggregate and the more specific)? Is it advertised from a subnet defined in a BD in ACI?
Sharing a physical topology of your setup would also be useful.
11-27-2017 09:00 AM
Hi,
Thanks for your comments.
So both tenants are in different VRFs and are using the same L3_OUT in the common tenant to send traffic outside of ACI.
The subnets are defined under the respective BDs.
Thanks
11-27-2017 10:49 AM
I am assuming that your L3Out is configured under the common VRF. Is either Tenant A or B configured to use the common VRF?
11-27-2017 02:34 PM
Some more detailed information.
L3Out in common Tenant in VRF default
BGP to external routers
External Network EPG defined with external subnets
"Any Open" Contract applied to External Network EPG
Tenant1 with VRF_T1, APP_T1, EPG_T1 with static port assigned and physical domain assigned
Subnets defined in EPG and/or BD (both combinations)
172.16.1.1/24
172.16.2.1/24
"Any Open" contract applied from common tenant
Tenant2 with VRF_T2, APP_T2, EPG_T2 with static port assigned and physical domain assigned
Subnet defined in EPG and/or BD (both combinations)
172.17.1.1/24
172.17.2.1/24
"Any Open" contract applied from common tenant
The above works fine and as expected. There is not a problem with the above configuration.
The concerning issue is best expressed as an example as follows:
From the external networks, we can ping 172.16.1.1 in T1, which is fine and expected. Now if we define 172.16.1.2/25 as a subnet in T2, this is of course overlapping and should not be done for obvious reasons - but my concern is in the situation where the fabric is providing a service with each tenant being a different customer. So let's say T2 decides they want some of T1's data..?! They define a subnet with a more specific prefix (/25) than the /24 in T1; this is set to advertise externally through the shared WAN L3Out. Now pinging 172.16.1.1 from the external network fails because it's following the more specific route; pinging 172.16.1.2 works as it's following the more specific route into T2.
This is the issue. I want to create a prefix filter in the tenant providing the shared L3Out for each tenant. We would need to use a different tenant than common at minimum, so we can provide an exported contract specifically for each tenant which would have a prefix filter applied defining the prefixes the tenant is allowed to advertise - the same way we do at the ISP-to-customer edge to prevent customers advertising prefixes they don't own into the internet routing table.
How do we achieve this?
11-28-2017 03:43 PM
Hi Khashmi,
The way to manipulate/apply policy to a route in ACI is using route profiles (see link below), but I don't believe there is any rule that would control routes at the tenant level.
Is there any reason why you use an L3Out under each tenant?
Cisco ACI and Route Maps Using Explicit Prefix List
11-29-2017 12:52 AM
I think you misunderstand? The L3Out is shared; it is configured and shared from tn-common in this case and is being used by two or more tenants. I want to filter routes advertised from tenants using the shared L3Out to prevent a tenant advertising a prefix into the L3Out which overlaps with another tenant's prefixes.
Attached is a diagram to illustrate the issue - many thanks BTW for your help and assistance so far.
Kind Regards
12-01-2017 05:46 PM
Hi Khashmi,
I just realized that I typed the wrong thing; what I meant to say was:
Is there any reason why you CAN'T use an L3Out under each tenant?
I understand what you are trying to accomplish, but in ACI it is not possible to manipulate the advertised routes at the tenant level from the provider tenant/VRF where your L3Out is located.
06-22-2018 12:24 AM
All I remember from Cisco: if the L3_OUT is in the common tenant, then don't use overlapping subnets in other tenants.
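Since the thread concludes that ACI cannot filter per-tenant prefixes at the shared L3Out and that the only safe rule is "no overlapping subnets", an operator can at least audit for the /24 vs /25 case described above. The following is an added example (not from the thread or from Cisco): it walks the `fvSubnet` objects an APIC returns for `GET /api/class/fvSubnet.json`, keeps those whose `scope` includes `public` (eligible for external advertisement), and reports overlaps between different tenants. The response below is constructed from the thread's example; the tenant and BD names are assumptions.

```python
import ipaddress
import json
import re
from itertools import combinations


def _subnet(tn, bd, ip, scope):
    """Build one fvSubnet record in APIC's JSON shape (constructed sample data)."""
    dn = f"uni/tn-{tn}/BD-{bd}/subnet-[{ip}]"
    return {"fvSubnet": {"attributes": {"dn": dn, "ip": ip, "scope": scope}}}


# Constructed stand-in for an APIC class query response; BD names are assumed.
SAMPLE_IMDATA = json.dumps({"imdata": [
    _subnet("Tenant1", "BD_T1", "172.16.1.1/24", "public"),
    _subnet("Tenant1", "BD_T1", "172.16.2.1/24", "public"),
    _subnet("Tenant2", "BD_T2", "172.17.1.1/24", "public"),
    _subnet("Tenant2", "BD_T2", "172.16.1.2/25", "public"),   # the overlap from the thread
    _subnet("Tenant2", "BD_T2", "10.0.0.1/24", "private"),    # never advertised, ignored
]})

TENANT_RE = re.compile(r"^uni/tn-([^/]+)/")


def advertised_subnets(imdata_json):
    """Return (tenant, dn, network) for each BD subnet whose scope allows external
    advertisement. APIC stores scope as a comma-separated list, e.g. 'public,shared'."""
    out = []
    for obj in json.loads(imdata_json)["imdata"]:
        attrs = obj["fvSubnet"]["attributes"]
        if "public" not in attrs["scope"].split(","):
            continue
        tenant = TENANT_RE.match(attrs["dn"]).group(1)
        # The 'ip' attribute is the BD gateway address; strict=False yields the prefix.
        net = ipaddress.ip_network(attrs["ip"], strict=False)
        out.append((tenant, attrs["dn"], net))
    return out


def cross_tenant_overlaps(imdata_json):
    """Pairs of externally advertised subnets that overlap across different tenants."""
    subs = advertised_subnets(imdata_json)
    return [(dn_a, dn_b) for (t_a, dn_a, n_a), (t_b, dn_b, n_b) in combinations(subs, 2)
            if t_a != t_b and n_a.overlaps(n_b)]


if __name__ == "__main__":
    for a, b in cross_tenant_overlaps(SAMPLE_IMDATA):
        print("OVERLAP:", a, "<->", b)
```

Run against a live fabric by replacing `SAMPLE_IMDATA` with the body of an authenticated class query; any reported pair is a prefix that the more-specific tenant will attract traffic for through the shared L3Out.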