
ACI Transit between leafs

Mark Potter
Level 1

Hello Experts,

  I am trying to configure a router connected to leaf 106 L3out-3 and export static routes to another router on leaf 101  L3out-1 running OSPF area 0.

We already have transit working within the same L3out-1 on different interfaces, but when trying the same thing from another L3out I can see the exported routes from leaf106 on leaf101 but can ping from that leaf.

Both L3outs are in 'common' tenant.

(20.20.20.10/24)host --(20.20.20.1/24)router1 -- L3out-1(leaf101) -- L3out-3(leaf106) -- router2(10.10.10.1/24) --lo0(10.10.10.10/24)

 

I have Setup Networks in L3out-3 which match prefix exactly and import/export this subnet, and have the same any/any contract consumed and permitted on both L3out EPgs.

Can ping router2 from leaf106 on common:vrf on the connected link which also isn't showing up in remote routing tables but does on leafs101 and 106.

Can't ping 10.10.10.1 on router2 from leaf106

show ip route on Leaf101 shows an overlay-1 route to this subnet 10.10.10.0/24 and to the connected link from leaf106 to router2

Both are routed interfaces, not SVI/sub-interface.

Any hints on where to look next, I'm getting stumped.

 

Regards

 

Edit:

Originally I thought I had this fixed, but during testing I've had both interfaces in the same L3out; with closer inspection it is noted in 'KB Transit Routing' that this works without flaw.

However, now I'm more concerned that transit routing between two L3outs in the same common tenant, and Private Network is not possible.

Can anyone answer this definitively?


 

1 Accepted Solution


Tomas de Leon
Cisco Employee

Mark,

Sorry for the delay. In the current releases of ACI, transit routing is supported between L3 Outs within the "SAME" VRF\Private network. There is no VRF to VRF transit routing at this time. In the next major Release, you will be able to Route Leak (not transit) between L3 Outs. The feature will be called Shared L3 Outs.

If you need to route between VRFs today, you will need to use an L3 Out to a shared connected device (router) for each VRF.

With your issue listed above and from the description of the issue, your issue may be due to discontiguous networks. You mentioned that you are using a routed interface for your connections.

Since this looks like a lab or test configuration, try the following:

Host (20.20.20.10/24)host
--(20.20.20.1/24)
eth0 
router1 
eth1 
--(1.1.1.1/30)
--(1.1.1.2/30)
eth1/x
L3out-1(leaf101)

\ Fabric\

L3out-3(leaf106)
eth1/x
--(2.2.2.2/30)
--(2.2.2.1/30)
eth1 
router2
eth0
--(10.10.10.1/24)
lo0
--(10.10.11.1/24)

 

On the External Network definition of each L3 Out, make sure you define the subnet 0.0.0.0/0 with Scope:
Export Route Control Subnet
Security Import Subnet
Aggregate Export

all configured.

Then try your pings again. This should work.

Cheers!


T.

Thanks Tomas,

I've ended up working through this with Cisco Advanced Services.

We ended up using exactly what you've put in your post with 0.0.0.0/0 and aggregate export and consolidating our L3out EPGs.

My initial problem was two L3outs on different leafs didn't seem to work the same as two L3outs on same leaf with redistribution of static routes into OSPF, due to it not being a static route when going across leafs because of MP-BGP.

BU  - This is expected behaviour.

Cheers
Mark.

EDIT: Note there is a bug in 1.1(3f) with Aggregate Export not being displayed in GUI as selected when editing the object in Firefox.

If you hit submit on page it _will_ unselect Aggregate Export from config.

CSCuw96869
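
The scope settings from the accepted answer, and the silent loss of Aggregate Export described in the last post, can be checked from an exported configuration rather than the GUI. This is an added example, not code from either poster or from Cisco: the XML is a constructed sample, the external EPG names are hypothetical, and it assumes the APIC object model stores the three GUI checkboxes in the `scope` and `aggregate` attributes of `l3extSubnet`.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an APIC XML export (not from the thread).
# L3out-3 mimics the state after a GUI submit dropped Aggregate Export.
SAMPLE = """
<fvTenant name="common">
  <l3extOut name="L3out-1">
    <l3extInstP name="ext-net-1">
      <l3extSubnet ip="0.0.0.0/0" scope="export-rtctrl,import-security"
                   aggregate="export-rtctrl"/>
    </l3extInstP>
  </l3extOut>
  <l3extOut name="L3out-3">
    <l3extInstP name="ext-net-3">
      <l3extSubnet ip="0.0.0.0/0" scope="export-rtctrl,import-security"
                   aggregate=""/>
    </l3extInstP>
  </l3extOut>
</fvTenant>
"""

# GUI label -> (attribute, token) as stored on l3extSubnet (assumed mapping)
REQUIRED = {
    "Export Route Control Subnet": ("scope", "export-rtctrl"),
    "Security Import Subnet": ("scope", "import-security"),
    "Aggregate Export": ("aggregate", "export-rtctrl"),
}

def flags(subnet, attr):
    """Split a comma-separated attribute into a set of tokens."""
    return {t.strip() for t in subnet.get(attr, "").split(",") if t.strip()}

def audit_transit_subnets(xml_text, prefix="0.0.0.0/0"):
    """Return {(l3out, ext_epg): [missing GUI flags]} for external EPGs with gaps."""
    findings = {}
    root = ET.fromstring(xml_text)
    for l3out in root.iter("l3extOut"):
        for epg in l3out.iter("l3extInstP"):
            key = (l3out.get("name"), epg.get("name"))
            subnets = [s for s in epg.iter("l3extSubnet") if s.get("ip") == prefix]
            if not subnets:
                findings[key] = ["no %s subnet defined" % prefix]
                continue
            missing = [label for label, (attr, tok) in REQUIRED.items()
                       if not any(tok in flags(s, attr) for s in subnets)]
            if missing:
                findings[key] = missing
    return findings

if __name__ == "__main__":
    for (l3out, epg), missing in audit_transit_subnets(SAMPLE).items():
        print(f"{l3out}/{epg}: missing {', '.join(missing)}")
```

Running the audit after any GUI edit of the external network object shows whether the submit removed Aggregate Export.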
