Re: Do we need to configure two L3 Out on ACI if connected with 2 L3 devices on the same Leaf Switch

dseth · ‎07-31-2020

We have two leaf and spines and 3 controllers in our setup, currently we have configured static routes on L3-out and Leaf switches are connected with two L3 devices, one is with WAN Router and once is with Firewall. However we are using only one L3-out to route to point either side and both side hosts are able to connect.

Now we are planning to implement EIGRP in our ACI setup and will remove static. So do we need to configure two L3 out for EIGRP and attach onto two L3 devices connected interfaces or we can attach the same L3 out on both interfaces. Have attached diagram for reference.

Appreciate your advise on this

Thank You

NAGA1 · ‎07-31-2020

Hi,

ACI Fabric L3Out

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html

Limitations and guidelines
● EIGRP (IPv4) has been supported since APIC Release 1.1(1).
● EIGRP (IPv6) has been supported since APIC Release 1.2(2).
● Only one EIGRP L3Out can be deployed on a border leaf per VRF. This is because one EIGRP L3Out represents one EIGRP AS.

NAGA1 · ‎07-31-2020

Hi,

As per Cisco, Only one EIGRP L3 out per leaf switch - irrespective of number of L3 devices.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_010010.html

General Guidelines for Multiple External Connectivity through Multiple or Single L3Out Objects

The L3Out object defines the protocol and some protocol parameters that will be used by all nodes and interfaces configured under the L3Out.
- For OSPF L3Outs, the OSPF area is defined at the L3Out level. If an OSPF L3Out will connect to multiple external devices on the same border leaf, one L3Out should be configured.
- Similarly, the EIGRP AS is configured at the L3Out level. If connecting to multiple EIGRP devices in the same AS from the same leaf, one L3Out should be used.
- A different L3Out must be used when connecting to OSPF neighbors in different areas or when connecting to EIGRP neighbors in different AS.
- For BGP L3Outs the peer-connectivity profile is configured under the node (for peering to loopback addresses) or under the physical interface (for direct connection peering). Multiple BGP peers can be defined under the same L3Out.

dseth · ‎08-04-2020

@NAGA1 Appreciate your quick response. it was very helpful.

Will ACI negotiate as two neighborship with adjacent devices as we have two leaf switches or adjacent device will see only one neighbor.

Thank You.!!

tuanquangnguyen · ‎08-01-2020

Hi @dseth,

You would configure only one L3Out, but multiple L3Out Interface Profiles within it. One would contain paths connecting to the routers, and one would contain those connecting to the firewalls.

Still need to be aware of L3Out transit routing in this case.

Cheers,

dseth · ‎08-04-2020

@tuanquangnguyen Yes, will use ACI as transit device.

Thank You.!!

jgomezve · ‎08-07-2020

Hello
Could you please elaborate your question? I do not see the reason why you would like to to have two L3OUTs. Think of the Border leaf as an additional EIGRP router in rout AS Domain. You would use two different L3 OUTs in case you want to have different sets of policies but as NADA pointed out, you can only have one L3OUT running EIGRP per VRF