Why is it called Export Route Control Subnet?

vv0bbLeS
Level 3

Hello all,

In Cisco ACI L3OUT, we have an option called Export Route Control Subnet which is used for Transit Routing (i.e. advertising external routes from one L3OUT to another L3OUT).

My question is, what's with that name? Why is it called Export Route Control Subnet and not something more descriptive of what it's actually doing? I'm trying to come up with a way to remember that that option = Transit Routing, but I can't figure out how to read the name Export Route Control Subnet for it to make sense, like should I read it like:

  • Export something called Route Control Subnet ?
  • Export Route and also something called Control Subnet ?
  • Export something called Route Control and also the Subnet that goes with it?

Does anyone have a good way to help us remember that Export Route Control Subnet = Transit Routing? (And I may be missing something obvious here and if so please tell me :- )  ).

0xD2A6762E
Accepted Solution

Remi-Astruc
Cisco Employee

Hi @vv0bbLeS ,

I agree.

However, remember that setting is within a Subnet window. When ticking that box "Export Route Control Subnet", it says that this Subnet will Control the Route Export... So reading in reverse can help you!

Alternatively, as you spent 10 minutes to write that post about "Export Route Control Subnet", I am pretty sure that was enough to engrave it in your mind!

Regards

Remi Astruc


8 Replies

@Remi-Astruc yes thank you! That does help!

Also, I was reading this great post We Don't Need No Stinkin' Flags! ACI External EPG Subnet Flags...Just for Fun! (cisco.com) and it struck me that the term Route Control is akin to the term Route Management, which also helped. So, I can also think of this flag as saying something like "Hey, tell Route Management to Export this Subnet (to this L3Out)", or "Hey, tell Route Control to Export this Subnet (to this L3Out)."

I guess if you think of Route Control as a thing, and a subnet you want to export as needing to be managed by Route Control (i.e. Route Management), then I guess the subnet you're exporting could be called a "Route Control" subnet, which, if I wanted to Export one of those subnets, I could maybe see where the devs got the term Export Route Control Subnet, as in I want to Export a "Route Control Subnet". Maybe? LOL I dunno, it's all kind of a stretch to me! :D

0xD2A6762E

AshSe
VIP

Export Route Control Subnet (ERCS): Any external subnet learned via L3Out configured on a Border Leaf switch cannot be advertised to a downstream device by another leaf switch, until you configure Export Route Control Subnet.

In the diagram (Transit Routing Lab) below, both the leaf switches are connected to external networks and are advertising external subnets of one another using ERCS.

Prerequisite: Kindly note that configuring the BGP Route Reflector is a MUST to make sure that the external subnet gets propagated to all other leaf switches in the ACI fabric.

[Image: Transit Routing Lab diagram]

Please give your thumbs-up if the response convinces you.

@AshSe per the above article We Don't Need No Stinkin' Flags! ACI External EPG Subnet Flags...Just for Fun! (cisco.com), I believe Export Route Control Subnet is used for Transit Routing.

In other words, in your diagram above, the external 20.1.1.0/24 subnet from the EIGRP L3Out would be advertised to the other leafs by default (so the rest of the fabric does know "how" to reach that 20.1.1.0/24 external subnet), but that external 20.1.1.0/24 subnet would NOT be advertised OUT to any other L3Out's (e.g. would NOT be advertised OUT to the OSPF L3Out), unless you added that 20.1.1.0/24 external route to the OSPF L3Out External EPG with Export Route Control Subnet checked (i.e. "advertise this 20.1.1.0/24 subnet out to this OSPF L3Out").

Per that article above, for the Export Route Control Subnet flag: "This flag tells ACI to advertise this route out of the fabric at a certain L3Out."

The flag you "might" be talking about in your post is the External Subnets for the External EPG flag, whose meaning is basically in the name: "[Add this subnet to the] External Subnets for the (this) External EPG". In other words, if you're working on this 20.1.1.0/24 subnet in the EIGRP L3Out External EPG above, this flag means "Add this 20.1.1.0/24 subnet to the list of External Subnets for this EIGRP External EPG", or more succinctly, "Add this 20.1.1.0/24 subnet to this External EPG". This is similar to how we add "internal/regular" subnets to "internal/regular" EPGs!

  • Basically, for a "regular/internal" ACI subnet to even have a chance of being reachable, the subnet needs to be added to a "regular/internal" EPG.
  • It's the exact same story with External subnets and External EPG's!
  • In both cases (internal or external subnets), the fabric already "knows" about the internal/external subnet, so that's not an issue (unless you're doing Import control with external subnets but that's another topic). However, even though the fabric may "know" about the subnet, the subnet won't be reachable until it's linked ("added") to an EPG!
    • This is because the EPG is the security construct that is the "bridge/link/etc" between the Bridge Domain/subnet and the physical fabric (see this great drawing from @RedNectar's reply in Solved: Cisco ACI and physical switch ports? - Cisco Community; you can see how the EPG is the "link" between the "logical" and "physical" side of ACI for internal/regular subnets). This is why an internal/regular subnet must be linked to an internal/regular EPG, so the subnet object ("logical") can "reach" the "physical" side of the fabric.

[Image: EPG as the link between the logical and physical side of ACI, from @RedNectar's reply]

It's "kind of" the same idea with external subnets and External EPGs in that the External EPG is still a center-point, except that with external subnets, we focus on the External EPG not so much as a "link" between logical and physical, but more so on the External EPG's "security" abilities and how it can tie to Contracts that can permit/deny traffic (again, taking a diagram from @RedNectar's blog and pasting below).

  • Here, with the External EPG in the L3Out (the "L3EPG" on either the left or right side), notice how it links to the red Contract that permits the traffic to the fabric.
  • So, if the external subnet isn't "added" to the External EPG, the Contract can't allow traffic to that external subnet, so that external subnet won't be reachable out that L3Out.
  • This is what the External Subnets for the External EPG flag does - it "adds" the external subnet to the External EPG (thus allowing traffic to the external subnet via the Contract linked to the External EPG).

[Image: L3Out External EPGs (L3EPG) linked to a Contract, from @RedNectar's blog]


If I've stated anything incorrectly here, someone please let me know as I'd be glad to learn it! :- )


0xD2A6762E

@vv0bbLeS there needs to be a small correction in your first sentence: "...the external 20.1.1.0/24 subnet from the EIGRP L3Out would be advertised to the other leafs by default..."

Kindly note that other leaf switch(es) will NOT learn external subnet 20.1.1.0/24 by default, but they will learn it by virtue of the BGP RR (Route Reflector) configuration in the spine switches.

And, once again:

Export Route Control Subnet configuration in the External EPG will make sure that such-and-such subnet is duly advertised to the L3Out neighbor. Needless to say, this option comes as a last step (External EPG) in the L3Out Network configuration only.

Also,

External Subnet for External EPG option is equivalent to the Network command in Routing Protocol configuration in a legacy (non-ACI) setup. Under this you need to specify the common shared subnet between the ACI Border Leaf and the external routing device. And thus, it helps in the creation of the neighborship between the ACI border leaf and the external routing device.

@AshSe sure, when I said learned "by default" I was speaking in general terms, not of the specific mechanism (iBGP RR) by which the route is distributed through the fabric. Thanks!

0xD2A6762E

Hi @AshSe ,

Sorry, but your statement about External Subnet for External EPG is wrong.

It actually informs the Fabric which external Subnets are authorized in/out of this L3Out for contracts enforcement.

It has absolutely no effect on routing advertisement, while Network command has.

It is all about Security, while Network command is not.

Finally, I think the initial question about Export Route Control Subnet has been handled and we should avoid mixing subjects in that thread for the sake of clarity.

Regards

Remi Astruc
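To make the distinction between the two flags in this thread concrete, here is an added example (not part of any post above, and not Cisco's code) that models an External EPG's subnets with the APIC l3extSubnet "scope" values "export-rtctrl" (Export Route Control Subnet) and "import-security" (External Subnets for the External EPG), and answers two separate questions for a given prefix: is it advertised out of this L3Out, and does it classify traffic into this External EPG for contract enforcement. The tenant, L3Out and EPG names and the sample subnets are constructed; aggregate and shared-route-control flags are deliberately not modeled.

```python
import ipaddress
import json

# Real APIC enum strings for the l3extSubnet "scope" attribute.
EXPORT_RTCTRL = "export-rtctrl"      # GUI: "Export Route Control Subnet"
IMPORT_SECURITY = "import-security"  # GUI: "External Subnets for the External EPG"

# Constructed sample: External EPG on an OSPF L3Out. 20.1.1.0/24 is a transit
# route learned from another L3Out that we want advertised out here; 0.0.0.0/0
# is only a security classifier (no routing effect at all).
OSPF_SUBNETS = {
    "20.1.1.0/24": {EXPORT_RTCTRL},
    "0.0.0.0/0": {IMPORT_SECURITY},
}


def build_ext_epg(tenant, l3out, ext_epg, subnets):
    """Build the APIC REST payload (fvTenant > l3extOut > l3extInstP > l3extSubnet)
    for an External EPG. `subnets` maps prefix -> set of scope flags; APIC stores
    multiple flags as a comma-separated string in the scope attribute."""
    children = [
        {"l3extSubnet": {"attributes": {"ip": prefix,
                                        "scope": ",".join(sorted(flags))}}}
        for prefix, flags in subnets.items()
    ]
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"l3extOut": {"attributes": {"name": l3out}, "children": [
            {"l3extInstP": {"attributes": {"name": ext_epg},
                            "children": children}}
        ]}}
    ]}}


def exported_via(subnets, prefix):
    """Routing question: is `prefix` advertised OUT of this L3Out?
    Only an l3extSubnet that exactly matches the route and carries
    export-rtctrl does that (transit routing). import-security is irrelevant."""
    return EXPORT_RTCTRL in subnets.get(prefix, set())


def classified_ext_epg(subnets, address):
    """Security question: which import-security subnet classifies `address`
    into this External EPG for contract enforcement? Longest match wins;
    export-rtctrl subnets are ignored because they carry no security meaning."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, flags in subnets.items():
        if IMPORT_SECURITY not in flags:
            continue
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


if __name__ == "__main__":
    payload = build_ext_epg("Tenant1", "OSPF-L3Out", "OSPF-ExtEPG", OSPF_SUBNETS)
    print(json.dumps(payload, indent=2))
    for prefix in OSPF_SUBNETS:
        print(prefix, "exported:", exported_via(OSPF_SUBNETS, prefix))
    print("20.1.1.5 classified by:", classified_ext_epg(OSPF_SUBNETS, "20.1.1.5"))
```

Running it shows the two flags are independent: 20.1.1.0/24 is exported (transit) but, lacking import-security, does not classify hosts such as 20.1.1.5 itself; those hosts fall under the 0.0.0.0/0 security subnet, which in turn is never advertised. Dropping the 0.0.0.0/0 entry leaves 20.1.1.0/24 advertised yet unreachable through any contract, which is the failure mode discussed in the thread.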

Hello @Remi-Astruc 

My simple understanding of ESEPG & ERCS is based on lab test observation. Sorry, but I am not able to understand your long story. I would appreciate it if you could make your long story short, in simple words, to understand.
