
Traceroute in Inter-vrf leaking in ACI

adolfo.cabrera1
Level 1

Hi,

I have an interleak configuration in Tenant common to share an L3out for different Tenants, and I have a contract with a subject ANY. Everything works fine except the traceroute from client hosts.

Is this behavior normal, or do I need to do an additional configuration?

$ traceroute 10.200.18.1
traceroute to 10.200.18.1 (10.200.18.1), 30 hops max, 60 byte packets
1 10.223.10.73 (10.223.10.73) 0.418 ms 0.629 ms 0.867 ms  <--- This is the LEAF Gateway
2 * * *
3 * * *


RedNectar
VIP

Hi @adolfo.cabrera1 ,

Sorry I didn't get to this earlier, I had the page opened but never got around to answering.

Firstly, welcome to the community! I hope you visit often - subscribing to a feed like this one often gives you insights into problems you may face in the future.

Now back to your problem.

  1. Most importantly, you need to make sure the Scope of the contract you have between the L3_EPG and the EPGs in the Tenants is set to Global - if it already is set to Global, then read on.
  2. Your contract description is a bit vague - the Subject name is not relevant - what we need is the filters that are applied in the Subject ANY - not just the name of the filter, but the actual protocol filter(s) used. Typically, if a contract is created to permit all traffic it uses the default filter in the common tenant - but you also need to make sure no-one has changed the default filter in the common tenant - it should be just EtherType=unspecified.

Perhaps the best way to show us your config is from the CLI:

  • IF I assume that the contract you referred to with a subject named ANY:
    • is called ANY_Ct
    • is defined in the common tenant
  • THEN the output of the following commands will tell us what we need to know.

apic1# show run tenant common contract ANY_Ct
# Command: show running-config tenant common contract ANY_Ct
# Time: Tue Jun  4 01:54:38 2024
  tenant common
    contract ANY_Ct
      scope exportable
      subject ANY
        access-group IP_Fltr both
        exit
      exit
    exit

NOTE the name of the filter(s) under the subject ANY, (in my case, it is IP_Fltr, in your case it is likely to be default) and use the name you find there in the next command

apic1# show run tenant common access-list IP_Fltr
# Command: show running-config tenant common access-list IP_Fltr
# Time: Tue Jun  4 02:00:08 2024
  tenant common
    access-list IP_Fltr
      match ip
      exit
    exit

If the filter used is the default filter, you'd expect:

apic1# show run tenant common access-list default
# Command: show running-config tenant common access-list default
# Time: Tue Jun  4 02:06:58 2024
  tenant common
    access-list default
      match row default
      exit
    exit

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
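
An added example, not part of the reply above and not Cisco tooling: a small Python parser for the `show running-config` output quoted in the answer, checking the two points it raises (contract scope, and which filters sit under each subject). It assumes `scope exportable` is how this CLI renders Global scope, as in the answer's sample; all function names are hypothetical.

```python
# Sample inputs copied from the CLI output quoted in the answer above.
CONTRACT_CFG = """\
  tenant common
    contract ANY_Ct
      scope exportable
      subject ANY
        access-group IP_Fltr both
        exit
      exit
    exit
"""
DEFAULT_FLTR = """\
  tenant common
    access-list default
      match row default
      exit
    exit
"""

def parse_contract(text):
    """Extract scope and per-subject filters from the contract output."""
    info, subject = {"contract": None, "scope": None, "subjects": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, rest = line.partition(" ")
        if key in ("contract", "scope"):
            info[key] = rest
        elif key == "subject":
            subject = rest
            info["subjects"][subject] = []
        elif key == "access-group" and subject is not None:
            name, _, direction = rest.partition(" ")
            info["subjects"][subject].append((name, direction))
    return info

def parse_access_list(text):
    """Return (filter name, list of match entries) from the access-list output."""
    lines = [raw.strip() for raw in text.splitlines()]
    name = next((l.split(None, 1)[1] for l in lines if l.startswith("access-list ")), None)
    return name, [l[len("match "):] for l in lines if l.startswith("match ")]

def review_contract(text):
    """Step 1: scope check. Step 2: list the filter names to inspect next."""
    info = parse_contract(text)
    findings = []
    if info["scope"] != "exportable":  # assumption: 'exportable' = Global scope
        findings.append(f"scope is {info['scope'] or 'not shown'}, expected exportable")
    filters = sorted({f for groups in info["subjects"].values() for f, _ in groups})
    findings += [] if filters else ["no filter attached to any subject"]
    return findings, filters
```

Each filter name returned by `review_contract` is the one to pass to the `show run tenant common access-list <name>` command from the answer.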
