## ACI Static Routing L3OUT VPC Secondary IP

Dear Community,

I have a question about L3OUT with static routes. We have the following scenario. The L3OUT is distributed over 4 Leafs, each with 2 VPC pairs (SVI).

The question: Can I assign to the SVIs one secondary IP address for all 4 Leafs, or do I need one Secondary IP per VPC pair?

I listed both in the following with #1 and #2.

#1

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

#2

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address Y

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address Y

It would be good if you also find a document from Cisco describing this.

Kind Regards

Patrick

Beginner

## Re: ACI Static Routing L3OUT VPC Secondary IP

Dear Community,

does anyone have a hint on this topic? :)

Best Regards

Patrick

Cisco Employee

## Re: ACI Static Routing L3OUT VPC Secondary IP

Scenario 2 is what you want to go with. Since these are completely different vPCs you would want a unique secondary IP for each vPC. This will basically act the same as a VIP would. Otherwise it can cause undesired routing behavior if you try to point the static route to the secondary IP from the FW perspective.

Beginner

## Re: ACI Static Routing L3OUT VPC Secondary IP

Hi Micgarc2,

ok, thanks for the explanation.

But how can we accomplish the goal that the Service connected to the 4 Leafs only routes traffic to Secondary Address = IP address X?

We want to have scalability: if the L3OUT is extended in the future over several more Leafs, the service should not have to adapt its static routes, but only use a VIP route.

Is this possible with any solution?

Kind Regards

Patrick

Participant

## Re: ACI Static Routing L3OUT VPC Secondary IP

Hi Patrick

#1 is perfectly fine.

Beginner

## Re: ACI Static Routing L3OUT VPC Secondary IP

Hi Marcel,

many thanks for your reply.

Micgarc2 said the following:

Scenario 2 is what you want to go with. Since these are completely different vPCs you would want a unique secondary IP for each vPC. This will basically act the same as a VIP would. Otherwise it can cause undesired routing behavior if you try to point the static route to the secondary IP from the FW perspective.

Now I am confused about which solution to go with :)

I configured Scenario 1, it works fine. We got no fault, traffic is working as expected.

But could it lead to problems in the future that we cannot yet foresee? Is there a best practice on this topic?

Kind Regards

Patrick

Participant

## Re: ACI Static Routing L3OUT VPC Secondary IP

If you do #2 how would you implement the FW? Two identical routes with different next hops?

#1 is fine. From a forwarding perspective the FW ARPs for the next-hop, and the resulting MAC is the same for every SVI on your border leaves (I assume you didn't change the MAC of your L3-SVIs in ACI), so a packet from the firewall will be sent to the ACI-MAC, and the first leaf hit by the packet will route/forward the packet. I don't see any issues or undesired routing behaviour.

If you configure different MACs for your SVIs, then you will run into issues, but as long as your SVI MACs are identical everything is fine!

Beginner

## Re: ACI Static Routing L3OUT VPC Secondary IP

Hi Marcel,

many thanks for the info.

Correct, we will use the same MAC for the SVIs.

Kind Regards

Patrick

Beginner

## Re: ACI Static Routing L3OUT VPC Secondary IP

Hello Patrick, I have configured the same configuration as you, and it's working fine. But there isn't any document regarding it.

