09-21-2016 12:05 PM - edited 03-01-2019 05:03 AM
I have an issue where I cannot communicate between external and internal device. I configured shared L3out where the L3OUt connection is configured under Tenant "common". The external router has the route to the internal subnet but the internal Leaf doesn't have the route to the external subnet. I go into the Leaf and notice that the VRF under the Tenant "common" doesn't exist in that leaf. I think this is the problem. Isn't any VRF created under Tenant "common" should be created automatically in all Leaves?
09-21-2016 09:55 PM
Apache_le,
"Isn't any VRF created under Tenant "common" should be created automatically in all Leaves?"
Not necessarily. VRFs are only programmed on a leaf when a local VLAN or L3 interface (associated with the VRF) is in up state. Both VRFs programmed on both the border leaf (L3 out leaf) and compute leaf (EPG leaf) is not a requirement for shared L3 communication.
Based on the provided symptoms, I recommend that you look into the following:
Contracts
Contracts between the EPG/External EPG to allow routing leaking. For shared services, you have two ways of defining a subnet: in either the EPG or BD. Route leaking between VRFs is dependent of contract/provider consumer placement. Failure to observe this could lead to unidirectional route leaking.
If EPG-A subnet is defined in BD
&
EPG-B subnet is defined in BD
then both EPGs must provide and consume a shared services contract
=======
If EPG-A subnet is defined in EPG
&
EPG-B subnet is defined in BD
then EPG-A must provide a contract to EPG-B at minimum
=======
If EPG-A subnet is defined in EPG
&
EPG-B subnet is defined in EPG
then provide/consume direction does not matter. Just need a contract between the two.
=======
In the case of L3 out (External EPGs), we usually treat these as EPG with subnet defined under the EPG. If your internal subnet is defined under the BD, then the external EPG must provide a contract to the internal EPG at minimum.
External EPG Configuration
For external subnets to leak into another VRF, then certain features must be enabled on subnets defined in the L3 out EPG.
External Subnets for the External EPG :: Defines the external subnets that we want to apply policy/contracts to
Shared Route Control Subnet :: External subnet(s) to be leaked into internal EPG's VRF
Shared Security Import Subnet :: Apply policy to the leaked subnet(s)
Jason
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide