04-10-2020 10:06 AM
Hello Guys,
I need some help with the ACI configuration. I work on an ACI fabric for a school project and I am stuck on one point of the configuration, so I hope to find some help here.
I want to set up one external L3Out connection to the internet and then share it with the Tenants of the fabric. I started configuring an L3 connection for each Tenant of my fabric, and then I thought that it would be more practical to create one connection and share it. But obviously, if I'm here, I have an issue with that.
Let me explain my problem:
But I have no connection to the outside world. And when I check the routes on the common Tenant, I do not see the 192.168.1.254/24 network.
So, if you have any idea about the issue or any advice, I would be glad to hear them!
Best regards
04-10-2020 01:06 PM
Hello,
Here are a couple of things that might need some closer look:
1. You mentioned: On both (a.n. Tenants), I have one Bridge domain defined with one subnet (192.168.1.254/24, for example).
Do you mean you have both BDs configured with the same IP address, and you want both Tenants/BDs to use the same shared L3Out? If yes, then I need to point out that shared L3Out can only be used in conjunction with services that have User-Tenant -> Common-Tenant communication, and not the reverse. Why, you might ask? Because the subnets overlap. If you need bidirectional communication with Shared L3Out, then you have to change the subnet.
2. This subnet scope is: Advertised externally and shared between VRFs
I do not see it mentioned explicitly, and I would prefer to not assume, though from the context of your post it seems to be like that: you have different VRFs for L3Out, TenantA-BD and TenantB-BD, right?
3. Have you associated the L3Out to the BD subnet? (Tenant -> Network -> Bridge Domain -> BD1 -> Policy -> L3 Configuration -> Associated L3Outs)
4. Do you see the routes learned from L3Out into the user-tenant vrf?
Regards,
Sergiu
04-12-2020 04:32 AM
Hello,
Thanks for your answer, I hope I will correctly respond to your questions.
Best Regards
04-13-2020 12:34 AM
Hi,
You need to associate the L3Out under the BD, but this is one step ahead, because this action is needed for the BL to advertise the BD subnet out of the fabric. The problem in your case is that routes are not learned between VRFs.
Let's go further with the investigation:
1/ Do you see any faults associated to L3Out / BDs / VRFs in question? If yes, share them here.
2/ What contract and filter are you using (share all details about them, including flags)?
3/ What routing protocol do you use in your L3Out?
Regards,
Sergiu
04-13-2020 11:47 PM
Hello,
Sorry for my response time, but I had to be in my school to get access to the fabric.
So, for the first point, I have only two faults on my bridge domain, on the user tenant, with the descriptions below:
For the second point, I have a contract with no TAG and no filter; I want to allow everything at first, and maybe later I will restrict the activity.
For the third point, I use EIGRP between the fabric and my external router. I configured my router, and I see my fabric as a neighbor in it.
My response time should improve: I now have a VPN to connect to my fabric, because due to Covid-19 I can't go to school, as everything is closed in my country.
Best regards,
Aurélien
04-14-2020 12:26 AM
Hey @aurlienperrot ,
Indeed, we live in a difficult period now, but we must stay strong and keep the social distancing to slow the spread.
Coming back to your scenario, you need to specify a filter in your contract for routes to be redistributed between VRFs.
Also, from traffic perspective, if you do not create any filters in your contract, the contract will not allow anything. Remember, the ACI fabric works in a whitelist model, meaning it will allow what you explicitly specify. So start by adding IP (to allow anything) then you will progress to more specific filters.
The faults do not look ok, but I am happy to help you resolve them. I will ping you in private.
Regards,
Sergiu
04-14-2020 08:20 AM
Hello,
I added the default filter and the ICMP filter to the contract. I don't know if it's enough.
I do not see where I can add an IP in my contract; if you could help me on this point, it would be kind of you.
I saw your private message, I answer you !
Best regards,
Aurélien
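As an added illustration, not code from this thread nor from Cisco, the Python below builds the three pieces Sergiu's checklist asks for as APIC-style JSON objects (a filter entry with EtherType IP, which is the "add IP to allow anything" step, a contract with a non-VRF-local scope that uses it, and a BD subnet set to public,shared and associated to the L3Out) and then runs that checklist over the objects offline. The class and attribute names (vzFilter, vzEntry etherT, vzBrCP scope, fvSubnet scope, fvRsBDToOut) are the APIC object-model names as I know them; the tenant, L3Out, contract and filter names are assumed placeholders.

```python
def obj(cls, attrs, children=()):
    # One APIC-style managed object: {class: {"attributes": {...}, "children": [...]}}
    return {cls: {"attributes": dict(attrs), "children": list(children)}}

def body(mo):
    return next(iter(mo.values()))

def kids(mo, cls):
    # Child objects of class `cls` directly beneath a managed object.
    return [c for c in body(mo)["children"] if cls in c]

def shared_l3out_tenant(tenant="common", l3out="INTERNET", subnet="192.168.1.254/24"):
    # Constructed config (placeholder names, not from the thread): an IP-any filter, a
    # global-scope contract that uses it, and a BD subnet scoped "public,shared" (the
    # GUI's "Advertised externally" + "Shared between VRFs") associated to the L3Out.
    ip_any = obj("vzFilter", {"name": "allow-ip"},
                 [obj("vzEntry", {"name": "any", "etherT": "ip"})])
    contract = obj("vzBrCP", {"name": "to-internet", "scope": "global"},
                   [obj("vzSubj", {"name": "all"},
                        [obj("vzRsSubjFiltAtt", {"tnVzFilterName": "allow-ip"})])])
    bd = obj("fvBD", {"name": "BD1"},
             [obj("fvSubnet", {"ip": subnet, "scope": "public,shared"}),
              obj("fvRsBDToOut", {"tnL3extOutName": l3out})])
    return obj("fvTenant", {"name": tenant}, [ip_any, contract, bd])

def check_shared_l3out(tenant_mo):
    """Apply the thread's checklist offline; return the problems found (empty = OK)."""
    problems = []
    filters = {body(f)["attributes"]["name"]: f for f in kids(tenant_mo, "vzFilter")}
    for c in kids(tenant_mo, "vzBrCP"):
        a = body(c)["attributes"]
        if a.get("scope", "context") == "context":   # APIC default scope is VRF-local
            problems.append(f"contract {a['name']}: scope 'context' cannot leak routes between VRFs")
        used = [body(r)["attributes"]["tnVzFilterName"]
                for s in kids(c, "vzSubj") for r in kids(s, "vzRsSubjFiltAtt")]
        if not used:
            problems.append(f"contract {a['name']}: no filter, so the whitelist model permits nothing")
        for fn in used:
            if fn not in filters or not kids(filters[fn], "vzEntry"):
                problems.append(f"contract {a['name']}: filter {fn} missing or has no entries")
    for bd in kids(tenant_mo, "fvBD"):
        bname = body(bd)["attributes"]["name"]
        for sn in kids(bd, "fvSubnet"):
            sa = body(sn)["attributes"]
            if not {"public", "shared"} <= set(sa.get("scope", "private").split(",")):
                problems.append(f"BD {bname}: subnet {sa['ip']} must be scoped public,shared")
        if not kids(bd, "fvRsBDToOut"):
            problems.append(f"BD {bname}: no associated L3Out, so the subnet is not advertised")
    return problems
```

Feeding the checker a contract with no filter and a subnet that is only "Advertised externally" reproduces the situation described in the thread, with the checklist pointing at each missing piece.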