Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2473
Views
0
Helpful
3
Replies

Extend VLAN through ACI Fabric

thirodmorais
Level 1
Level 1

‎12-03-2020 04:31 PM - edited ‎12-03-2020 04:59 PM

Hi Folks,

 

I am facing a challenger and I need some help to know how I do to extend a public VLAN (1710) from the firewall to the L3 Switch over the ACI fabric. The devices are connected in the leaf switches as below:

 

FW1 (VLAN1710) <------ > LEAF103 - ACI Fabric - LEAF101/102 (vPC) <------> L3 Switch.

FW2 (VLAN1710) <------ > LEAF104 - ACI Fabric - LEAF101/102 (vPC) <------> L3 Switch.

 

As in the above topology, the L3 switch is connected in the leaf 101 and 102 in vPC mode and I have two L3Out configured to provide static routing using an SVI interface. One from Leaf 101 and 102 to the L3 Switch and the other from Leaf 103 and 104 to the Firewall.

 

I would like to use the same interfaces of the L3Out to extend the VLAN toward the L3 Switch. I don't know if is possible or not, but I would like to hear some advice about it.

 

Thanks in advance.

 

Best regards,

TM

Labels:
0 Helpful
3 Replies 3

6askorobogatov
Level 1
Level 1

‎12-03-2020 05:41 PM - edited ‎12-03-2020 05:54 PM

Not completely clear, please correct me if Im wrong.  You have a VRF with 2 L3Out, one toward L3 switch and another toward L3 FW. 

You also what to provision L2 connection from FW to Switch. Correct ?

It is doable, but you cannot use the same wire VLAN ID,  otherwise ACI will never know where to send packet, to L2 interface, or L3 interface. 

 

0 Helpful

thirodmorais
Level 1
Level 1
In response to 6askorobogatov

‎12-03-2020 06:29 PM

The two L3Out belong to the same vrf.

 

The firewall is the L3 of the VLAN1710, but the servers that are connected in the L3 Switch will access the Internet using that VLAN ID. I am considering finding a way to use the same L3Out interfaces because I am using the SVI and the L3 Switch is configured as a trunk interface. 

0 Helpful

Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee

‎12-04-2020 12:05 AM

Hi @thirodmorais,

Yes, you can use the same interfaces of the L3Out to extend the Layer 2 between your Firewall and your L3 Switch.

But you need to use one single L3Out to connect with both, your Firewall and L3 Switch. You cannot use 2 different L3Outs for this use-case.

As long as on the same L3Out the encap VLAN (in your case 1710) is the same for all the respective SVIs that connect with your Firewall and L3 Switch under the L3Out's Logical Interface Profile, the Layer 2 should be stretched. Also, make sure that you have all the respective ACI nodes (in your case Leaf switches 101, 102, 103 and 104) defined in the L3Out's Logical Node Profile.

 

Please refer to the bellow documentation:

L3Out bridge domain

When an L3Out SVI is instantiated, Cisco ACI creates a bridge domain (BD) internally for the SVI to provide a Layer 2 flooding domain. This BD is called the L3Out BD or external BD, and is not visible to the user as a normal BD in APIC. An L3Out BD is created internally for each access-encap VLAN for an L3Out SVI. This L3Out BD may span across multiple border leaf switches if other border leaf switches also use the same access-encap VLAN for the L3Out SVI in the same L3Out.

source:

ACI Fabric L3Out Guide

 

I hope this helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License