
Can i declare SHARED L3OUT and deny Tenant to Tenant traffic inside ACI?

tlequertier
Level 1

Hello,

My customer has some limitations on its firewalls, so only a limited number of subinterfaces can be configured. So I can't define all the needed L3Outs.

My customer wants the traffic between 2 Tenants (between VRF 1 inside Tenant 1 and VRF 2 inside Tenant 2) to go through its external firewalls.

I analysed ACI's Shared L3Out possibility, but I have a doubt:

Can I configure a Shared L3Out (instead of 1 L3Out for each VRF) on my common Tenant to interconnect my VRFs to the customer FW without creating a security issue? I don't want (and my customer also doesn't want) VRF 1 (in Tenant 1) to be able to send traffic to VRF 2 (in Tenant 2) using the common VRF/Tenant. That would nullify my effort, because the customer wants inter-(Tenant/VRF) flows to go through its firewalls.

I attach a drawing to show the target design i see but also my doubt in it.

Thanks a lot in advance for your help.  

5 Replies

robert.brady
Level 1

I have pretty much the same issue. I was looking at doing some sort of taboo contract on a subnet on the L3Out, but this doc seems to specify this is not allowed.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/basic_config/b_APIC_Basic_Config_Guide_2_x/b_APIC_Basic_Config_Guide_2_x_chapter_0110.html

RedNectar
VIP

Hi,

I don't quite see your problem. Just because the routes from the two tenants share the routing table in the common VRF doesn't mean traffic WILL flow between the endpoints located in the two tenants that share the L3Out. You've said nothing about what contracts you've configured nor the L3EPGs (L3 Networks) that you plan to put in place.

If you don't have a contract between the two Tenants, they won't pass traffic between each other. I'd suggest that you create a contract in each Tenant that allows traffic to and from the Firewall only.

Chris Welsh [aka RedNectar]

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hello Chris,

I agree with your approach, but how can we define contracts in each Tenant (for EPGs in my Tenants) that will allow only EPG (client Tenant) to L3Out (L3Out in Tenant common or elsewhere) traffic?

The "Shared L3Out" is already based on a specific contract, the Contract Interface (exported from the Tenant that holds the L3Out and imported in the Tenant that consumes the L3Out).

Must I add another contract that will be consumed by my EPGs (that want to use the shared L3Out), or must I add a subject in the already defined Export/Import contract (contract interface) that is in fact used to do the leaking between the Tenants?

Thanks in advance for your advice.

Firstly, this is a quick response because I'll be off travelling over the next couple of days and might not see any more replies for a while, and without the time to try this I may have overlooked something.

But here's the way I see it.

HTH. Again, sorry if I can only follow this thread sporadically over the next few days.

Chris [RedNectar]


My problem is that the upstream internet router learns about the Tenant A subnets and Tenant B subnets from the same ACI L3Out and, in its wisdom, routes between them as you would expect. ACI appears to allow traffic because we defined 0.0.0.0/0 as the external subnet!

I have an L3Out with 0.0.0.0/0 defined as the external network, which allows this flow to happen.

Tenant A -> VRF A: Subnet IP -> L3Out -> External Router -> L3Out -> VRF B: Subnet IP: Tenant B

Cheers

PS. sorry for piggybacking but I'm thinking we are talking the same thing :)
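The two risks raised in this thread (Chris's point that only the contracts decide what flows, and Robert's observation that a 0.0.0.0/0 external subnet classifies *any* returning source, including the other tenant's, into the shared external EPG) can both be checked from an APIC configuration export. The script below is an added example, not code from the thread or from Cisco: it walks l3extSubnet and vzBrCP records in the shape an APIC class query returns, flags shared-security external subnets that cover a tenant-internal prefix, and lists contracts whose scope is not "global" (the scope a contract needs to be consumed across tenants through a contract interface). The tenant names, DNs and prefixes are constructed sample values; the class and attribute names (l3extSubnet.ip, l3extSubnet.scope, vzBrCP.scope) are the real ACI ones.

```python
"""Audit a shared L3Out for over-broad external EPG classification.

Added example, not from the thread. Input mimics the JSON returned by
GET /api/class/l3extSubnet.json and /api/class/vzBrCP.json, trimmed to the
attributes used here. All DNs, tenant names and prefixes are constructed.
"""
import ipaddress

# Constructed l3extSubnet records: the external EPG "FW-EXT" in tenant common
# has both a catch-all 0.0.0.0/0 and a specific firewall-side prefix.
SAMPLE_SUBNETS = [
    {"l3extSubnet": {"attributes": {
        "dn": "uni/tn-common/out-SHARED-L3OUT/instP-FW-EXT/extsubnet-[0.0.0.0/0]",
        "ip": "0.0.0.0/0",
        "scope": "import-security,shared-rtctrl,shared-security"}}},
    {"l3extSubnet": {"attributes": {
        "dn": "uni/tn-common/out-SHARED-L3OUT/instP-FW-EXT/extsubnet-[10.255.0.0/24]",
        "ip": "10.255.0.0/24",
        "scope": "import-security,shared-rtctrl,shared-security"}}},
]

# Constructed vzBrCP records: one global contract exported from common, one
# tenant-scoped contract that cannot be consumed from another tenant.
SAMPLE_CONTRACTS = [
    {"vzBrCP": {"attributes": {"dn": "uni/tn-common/brc-TO-FW", "scope": "global"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-TenantA/brc-TO-FW", "scope": "tenant"}}},
]

# Constructed tenant-internal prefixes (in a real audit, read them from the
# bridge-domain fvSubnet objects of each tenant).
TENANT_PREFIXES = {
    "TenantA": [ipaddress.ip_network("10.1.0.0/16")],
    "TenantB": [ipaddress.ip_network("10.2.0.0/16")],
}


def _attrs(rec):
    """Return the attribute dict of a single-class APIC record."""
    cls = next(iter(rec))
    return rec[cls]["attributes"]


def find_overbroad_shared_subnets(subnets, tenant_prefixes):
    """Flag external EPG subnets with shared-security scope that cover a
    tenant-internal prefix.

    Such a subnet makes traffic that re-enters the fabric from the external
    router with the *other* tenant's source address classify as the shared
    external EPG, so each tenant's "to the firewall" contract also permits
    tenant-to-tenant traffic that took the external path.
    """
    findings = []
    for rec in subnets:
        a = _attrs(rec)
        scopes = set(a["scope"].split(","))
        if "shared-security" not in scopes:
            continue  # not leaked as a security classification; ignore
        net = ipaddress.ip_network(a["ip"])
        covered = [
            (tenant, str(p))
            for tenant, prefixes in tenant_prefixes.items()
            for p in prefixes
            if p.version == net.version and p.subnet_of(net)
        ]
        if covered:
            findings.append({"dn": a["dn"], "ip": a["ip"], "covers": covered})
    return findings


def contracts_not_global(contracts):
    """Return DNs of contracts that cannot be consumed across tenants because
    their scope is narrower than global."""
    return [_attrs(r)["dn"] for r in contracts if _attrs(r)["scope"] != "global"]


if __name__ == "__main__":
    for f in find_overbroad_shared_subnets(SAMPLE_SUBNETS, TENANT_PREFIXES):
        print(f"OVERBROAD {f['ip']} at {f['dn']} covers {f['covers']}")
    for dn in contracts_not_global(SAMPLE_CONTRACTS):
        print(f"NOT-GLOBAL {dn}")
```

On the constructed sample the catch-all 0.0.0.0/0 is reported as covering both tenants while the specific 10.255.0.0/24 firewall-side prefix is not, which is the shape of Chris's suggestion: classify only the firewall-facing prefixes into the shared external EPG so the per-tenant contract really is "to and from the Firewall only", and keep the cross-tenant contract at global scope.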
