ACI Transit - contract issue

gsidhu
Level 3

Hi

Multi-Pod deployment, with 2 Data Centers, DC1 and DC2.

Configured OSPF L3Out/area 0 at each Data Center over SVI:

DC1 SVI subnet 10.13.254.0/29
DC2 SVI subnet 10.13.254.8/29

I have applied the Tenant common default contract, which I understand is the equivalent of permit 'ip any any'.

However, only ping works; telnet fails, which implies the issue is with the contract.

See attachment for further information.

Please could somebody tell me how this issue can be resolved?

Thanks

2 Replies

Jason Williams
Level 1

Let's gather some more information about the configuration and the test traffic. Please provide the following:

1. What is the source IP address?

2. Who owns the source IP address? In other words, is this the IP address of the directly attached router? The IP of the leaf interface? Is this a host behind the router?

3. What is the destination IP address?

4. Who owns the destination IP address? (Same as above: leaf IP? router IP? external host IP behind the router?)

When talking about contract enforcement with L3Out, it is crucial to identify where the IP is located (directly attached subnet or subnet behind the router), because policy can be handled differently depending on where the subnet is located.

5. I see some faults in both of the L3Out EPGs. Click on the Faults tab in both external EPGs to see if there are any issues with ACLQOS prefix programming or reports of duplicate prefixes.

6. Log into all border leafs in the L3Outs and check to see if there are policy drops. You can do this by running the following show command:

show logging ip access-list internal packet-log deny

If there are a high number of packet drops on the leaf, then it might be easier to add a | more to the end of the command. This will list the packet logs page by page instead of flooding your CLI with the entire output. Press the space bar to go down a page after executing the command. Press q or ctrl+c to exit the output, if needed.

show logging ip access-list internal packet-log deny | more

This command output displays any policy drops on the fabric on that leaf. You will get visibility of the source and destination IP addresses along with the source and destination TCP/UDP ports. If TCP or UDP is not used, then you should still be able to see the IP protocol used in that packet.

If you see any drops reported on any of the relevant border leafs for traffic between the tested source and destination, then this confirms that ACI is dropping the packet based on contracts.

Once you confirm and upload the requested info, we should be able to make some progress.

-JW
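
As an added worked example (not code from the original thread or from Cisco), here is a small Python script that does the check described in step 6 offline: it parses packet-log deny output copied from a border leaf and tallies the denies per protocol and destination port for the tested source/destination pair, so a single blocked service (telnet, tcp/23) stands out even when ping works. The log lines are constructed, the field layout is an assumption modelled on the leaf packet log (the parser keys on "Name: value" pairs so extra or reordered fields do not break it), and the leaf name, VRF name and host addresses 10.13.1.10 / 10.13.2.10 are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of "show logging ip access-list internal packet-log deny"
# output, with a hypothetical leaf prompt to show that non-log lines are skipped.
# The field layout is an assumption modelled on the leaf packet log. The VRF
# "Prod:Prod-VRF" and the hosts 10.13.1.10 / 10.13.1.11 / 10.13.2.10 /
# 192.168.50.10 are hypothetical endpoints behind the L3Outs, not from the thread.
SAMPLE_PACKET_LOG = """\
leaf-101# show logging ip access-list internal packet-log deny
[ Tue Mar 12 09:14:02 2019 118422 usecs]: CName: Prod:Prod-VRF(VXLAN: 2097154) VlanId: 14 Mac[Src]: 00:50:56:9a:11:01 Mac[Dst]: 00:22:bd:f8:19:ff Tid: 20 SrcIP: 10.13.1.10 DstIP: 10.13.2.10 Proto: 6 SrcPort: 51822 DstPort: 23 Sclass: 16386 Dclass: 49153 Flags: 0x2 Type: Inbound
[ Tue Mar 12 09:14:03 2019 120911 usecs]: CName: Prod:Prod-VRF(VXLAN: 2097154) VlanId: 14 Mac[Src]: 00:50:56:9a:11:01 Mac[Dst]: 00:22:bd:f8:19:ff Tid: 20 SrcIP: 10.13.1.10 DstIP: 10.13.2.10 Proto: 6 SrcPort: 51822 DstPort: 23 Sclass: 16386 Dclass: 49153 Flags: 0x2 Type: Inbound
[ Tue Mar 12 09:14:05 2019 455301 usecs]: CName: Prod:Prod-VRF(VXLAN: 2097154) VlanId: 14 Mac[Src]: 00:50:56:9a:11:01 Mac[Dst]: 00:22:bd:f8:19:ff Tid: 20 SrcIP: 10.13.1.10 DstIP: 10.13.2.10 Proto: 6 SrcPort: 51823 DstPort: 22 Sclass: 16386 Dclass: 49153 Flags: 0x2 Type: Inbound
[ Tue Mar 12 09:14:09 2019 002817 usecs]: CName: Prod:Prod-VRF(VXLAN: 2097154) VlanId: 14 Mac[Src]: 00:50:56:9a:11:02 Mac[Dst]: 00:22:bd:f8:19:ff Tid: 20 SrcIP: 10.13.1.11 DstIP: 192.168.50.10 Proto: 17 SrcPort: 40000 DstPort: 161 Sclass: 16386 Dclass: 32770 Flags: 0x2 Type: Inbound
"""

# "[ <timestamp> ]:" prefix that every packet-log entry starts with
TS_RE = re.compile(r"^\[\s*(.*?)\]:")
# "Name: value" pairs; the value may carry one parenthesised suffix such as "(VXLAN: 2097154)"
FIELD_RE = re.compile(r"([A-Za-z]+(?:\[\w+\])?): (\S+?(?:\([^)]*\))?)(?=\s|$)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_packet_log(text):
    """Turn packet-log deny lines into dicts. Lines without the leading
    "[ timestamp ]:" prefix (prompts, headers) are skipped."""
    entries = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        f = dict(FIELD_RE.findall(line[ts.end():]))
        if "SrcIP" not in f or "DstIP" not in f:
            continue
        proto = int(f.get("Proto", 0))
        entries.append({
            "time": ts.group(1),
            "vrf": f.get("CName", "").split("(")[0],
            "src": f["SrcIP"],
            "dst": f["DstIP"],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            # ICMP entries carry no L4 ports; keep None rather than a bogus 0
            "sport": int(f["SrcPort"]) if "SrcPort" in f else None,
            "dport": int(f["DstPort"]) if "DstPort" in f else None,
            # pcTags (classes) the leaf derived for source and destination
            "sclass": int(f["Sclass"]) if "Sclass" in f else None,
            "dclass": int(f["Dclass"]) if "Dclass" in f else None,
        })
    return entries


def drops_between(entries, src, dst):
    """Keep only the denies for the tested source/destination pair."""
    return [e for e in entries if e["src"] == src and e["dst"] == dst]


def summarize(entries):
    """Count denies per (protocol, destination port). A contract that really
    permits everything leaves this empty for the tested pair."""
    return dict(Counter((e["proto"], e["dport"]) for e in entries))


def pclass_pairs(entries):
    """Distinct (source pcTag, destination pcTag) pairs in the denies. Comparing
    them with how each external EPG classifies its subnets shows which side's
    policy produced the deny (directly attached subnet vs. subnet behind the router)."""
    return sorted({(e["sclass"], e["dclass"]) for e in entries})


def confirms_policy_drop(entries, src, dst, proto, dport):
    """True when the leaf logged at least one deny for exactly the tested flow,
    i.e. the fabric (not the far-end host) is discarding it."""
    return any(e["proto"] == proto and e["dport"] == dport
               for e in drops_between(entries, src, dst))


if __name__ == "__main__":
    entries = parse_packet_log(SAMPLE_PACKET_LOG)
    tested = drops_between(entries, "10.13.1.10", "10.13.2.10")
    print("denies for tested pair:", len(tested))
    for (proto, dport), n in sorted(summarize(tested).items(), key=str):
        print(f"  {proto}/{dport}: {n}")
    print("pcTag pairs:", pclass_pairs(tested))
    print("telnet policy-dropped:",
          confirms_policy_drop(entries, "10.13.1.10", "10.13.2.10", "tcp", 23))
```

To use it on a real leaf, paste the command output into SAMPLE_PACKET_LOG (or read it from a file) and give drops_between the source and destination from questions 1 and 3. A non-empty summary for the tested pair is the confirmation JW describes; an empty one while telnet still fails points away from contracts and towards the router or the far-end host.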

 

Problem resolved. The issue was down to changes made to the Tenant common default contract that I was unaware of.

Thanks for your help.