Re: ACI L3Out , vPC and OSPF

taytibob · ‎07-26-2019

Hello,

I have a campus network with Distribution layer (one stack) and access layer ( multiple stacks ).

I want the hosts in the campus network to access the servers in the aci datacenter.

I would like to discuss the way to interconnect the 2 networks.

My idea was to use a portchannel on the DIL stack towards 2 aci leafs.

I would use vPC on the 2 leafs by creating a vPC domain. Then one bridge domain for hosting the external EPG (BD-Campus).

I use then ospf to have a neighborship with the DIL and exchange the routes from the campus network.

In the BD i define a subnet 100.0.0.1/24 for ospf and i define an SVI 100.0.0.254/24 on the DIL.

Does all this make sense or do i miss something ?

Is there a better alternative ? L2out for instance or other ?

The diagram attached gives an idea of my plan.

Thank you

stcorry · ‎07-27-2019

Hello! You have mostly the right Idea. What you should do is create 1 L3 External toward your DIL layer w/ OSPF. For the L3 out you would likely configure an SVI with the subnet you mention below this configures the fabric to start a routing protocol on the specified interfaces and exchange routes. You would then configure each VLAN you want to extend into ACI as separate EPGs/BDs. You would configure a static path under the EPG with the VLAN encapsulation of the VLAN on the external Switch.

Hopefully that helps point you in the right direction.

taytibob · ‎07-27-2019

How can aci map the subnets in the campus to EPGs?
The port channel will be a trunk port so need to map vlans from the campus to vlans in the BD

stcorry · ‎07-29-2019

At this point I'll have to take a step back and ask what is the goal of attaching the campus VLANs/subnets directly to ACI BDs/EPGs? Are you going to move the Campus Gateway into ACI? Is it simple for reachability to ACI subnets?

If it's just so the Campus can reach ACI subnets, you should just use the routed L3 External to exchange reachability with the routers/switches between campus and DC.

If you really want to connect the Campus VLANs into ACI, which I don't recommend unless you are migrating the Campus VLANs to ACI, you can map those VLANs over the same Trunk as the L3 external. They get mapped into the BD/EPG with a static path binding.

I recommend reading this doc: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/basic-configuration/Cisco-APIC-Basic-Configuration-Guide-411/Cisco-APIC-Basic-Configuration-Guide-411_chapter_0110.html

taytibob · ‎07-29-2019

The need here’s to provide access from the campus to the servers in the datacenter
Also in order to redirect the traffic from hosts to servers to a firewall for security check ( through service graph)

stcorry · ‎07-29-2019

Ok. I would also suggest taking a step back and learn more about the ACI objects and their use. This document can also help get you started with how to design and use the ACI objects together. https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

Typically, with any technology, VLANs from the Campus are not extended into the Datacenter, and that is no different here.

I would also suggest taking a look at these Cisco Live presentations:

Introduction to ACI - BRKACI-1000

How to Setup an ACI Fabric from Scratch - BRKACI-2004

Your First 7 Days of ACI - BRKACI-1001