Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1885
Views
0
Helpful
10
Replies

Contracs ACI L3Out

e.yasnitskiy
Level 1
Level 1

‎01-05-2019 04:45 AM

Hello All!

 

Could u help me with contract between two L3Out?

 

I have a very simple topology, one tenant, one VRF and two L3Out.

 

R1 --- Leaf1101 --- ACI --- Leaf1102 --- R2  - something like this.

 

 

I also have loopback on R1 and R2 which I get via ospf to fabric and via M-BGP i can see this route on R1 and R2. In fact it's just transit routing.
I dont any trouble with routing i can see all route and thats good.
But i want to ping from R1 to Loopback on R2, and i cant do that.
 
I got contract for icmp allow between this two L3Out but it didnt help me at all.
Even when  I turn on unenforced state in VRF it doesn't work either.
 
Could you tell me more about what I can do, and how can I check something that will help me solve this problem?
 
1 person had this problem
0 Helpful
10 Replies 10

Andrew Khalil
Spotlight
Spotlight

‎01-05-2019 04:49 AM

Hello 

 

Are you pinging using the extended ping so that you can define the source ?

Also, if you can provide us a drawn topology would be better for us to understand more clearly! 

 

Please don't forget to rate the helpful replies! 

Bst Rgds,

Andrew Khalil

0 Helpful

e.yasnitskiy
Level 1
Level 1
In response to Andrew Khalil

‎01-05-2019 06:12 AM

I attached topology so you can understand what i'm talking abou.

 

No, I'm not using extended ping.

Just ping x.x.x.x

Preview file
19 KB
0 Helpful

Andrew Khalil
Spotlight
Spotlight
In response to e.yasnitskiy

‎01-05-2019 09:41 AM - edited ‎01-05-2019 09:41 AM

Dear e.yasnitskiy!

can you ping from R1 the physical interface of R2 that is connecting R2 to leaf1102 ?

 

Bst Rgds,

Andrew khalil

0 Helpful

e.yasnitskiy
Level 1
Level 1
In response to Andrew Khalil

‎01-05-2019 11:30 AM

No, I cant ping it.

 

but should i ping that interface?

 

Thas's my peering network between R2 and leaf1102.

 

0 Helpful

Andrew Khalil
Spotlight
Spotlight
In response to e.yasnitskiy

‎01-05-2019 12:34 PM

Dear @e.yasnitskiy

 

Please provide us the configuration and I will check it! 

or even the output of #show ip route for all the routers.

 

Otherwise, I can not imagine even what I am troubleshooting! 

Bst Rgds,

Andrew Khalil

0 Helpful

e.yasnitskiy
Level 1
Level 1
In response to Andrew Khalil

‎01-05-2019 01:10 PM

Okay,I attached routes from all diveses.

 

But I dont think the problem is in routing, but if you find something, it will be fine.

 

Preview file
7 KB
0 Helpful

RedNectar
VIP
VIP

‎01-05-2019 06:17 PM

Hi  ,

I don't have time to do a detailed reply just now, but two things:

  1. Have youy read the Cisco APIC Layer 3 Networking Configuration Guide?
  2. In particular, have you made sure that your L3EPGs have the Import and Export route control options set?

Let me know if you need more help

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

e.yasnitskiy
Level 1
Level 1
In response to RedNectar

‎01-06-2019 03:21 AM

1) Yes of course i read it

2) Yes, i'm sure.

 

There are no problems with routing, so I get all the routes, with this all ok.

I just cant ping.

 

PS VRF  -  unenforced state

 

R1#sh ip ro 192.168.100.100
Routing entry for 192.168.100.100/32
  Known via "ospf 10", distance 110, metric 1
  Tag Complete, AS 65535, 4095, type extern 2, forward metric 1
  Last update from 10.44.100.2 on Vlan100, 1d21h ago
  Routing Descriptor Blocks:
  * 10.44.100.2, from 2.2.2.6, 1d21h ago, via Vlan100
      Route metric is 1, traffic share count is 1
      Route tag 4294967295

 

R1#ping 192.168.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

0 Helpful

RedNectar
VIP
VIP
In response to e.yasnitskiy

‎01-13-2019 06:05 PM

HI e.yasnitskiy,

 

Just a follow up - this is still unresolved, but I did get a chance to set this up in the lab last week, and was able to replicate your results. I had hoped that I might have been able to tell you now how to fix it, but unfortuntely I ran out of time.

To me this seems like it should be fundamentally easy, and I'm sure I've done it before. It may be a bug in the 3.2(3o) code.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

RedNectar
VIP
VIP
In response to e.yasnitskiy

‎01-15-2019 03:09 AM

Hi e.yasnitskiy,

I had another shot at this today and started by removing my old config which was a hotch-potch of some old config I had there.  This time is was a breexe, and I documented if for you completely here: https://community.cisco.com/t5/data-center-blogs/aci-transit-routing-in-a-single-vrf/ba-p/3779940

 

BTW - when you were doing the pings from your router, did you specify the source interface? Just a thought!  I think that was my problem when I was fiddling last time.

Anyway - if you follow the blog, you should have better success next time. Let me know if you succeed.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License