Beginner

L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Hello ACI Gurus,

 

I am new to the ACI and currently stuck at deploying a L3out from User Tenant on a single Layer 3 connection to the FTD with static routes.  I currently have other additional tenants sharing their resources via Common Tenant within the fabric.  I would like this new USER Tenant to be able to reach Common Tenant in order to access the shared services on other Tenants.  I am unable to find any answers via the documentation available online.  Please help.  I am pasting the current configuration which I have performed already for your guidance.

 

Step 1:

 

Create Access Policies

  Leaf 204 Gi1/14

Configured switch interfaces

Create an interface policy

Select switches 204

Switch Profile name = switch 204 firepower l3out

Interface type: individual

Interfaces: 1/14

Interface selector name: firepower_l3out

CDP policy: CDP enable

LLDP policy: LLDP enable

Attached Device type: External Routed Devices

Domain Name: Firepower l3out Domain

VLAN Range: VLAN 4003

Save and Submit

 

Step 2:

Create a Tenant and VRF

Tenants > Add Tenant

Name: Tenant Name

VRF Name: VRF Name.

Create a bridge Domain:

Submit.

 

Step 3:

Create a VLAN pool from Pools under Fabric Access Policies.

Static allocation

VLAN 4003

 

Step 4:

Create External Routed Networks by right-clicking on Networking

Define name.

Tie vrf name.

Tie external routed domain.

Click Nodes Profiles tab.

Add a node profile.

Name it FP-Node-L3out

Click + Select Node.

Provide Node ID: Leaf 204

Add Router ID x.x.x.x

Select Use Router ID as Loopback Address.

Add Static Routes for each specific static route.

Click ok.

Select Interface Profiles:

Name: FP-interface-profile

Click Next. To Step 2

Click Next. To Step 3

Select Routed interface.

Click + to add the interface.

Node: Select Leaf 204

Path: Select interface eth1/17

Description: FPower L3 interface.

IPv4 Primary: x.x.x.x/xx

Click ok.

 


Step 5:

Configure the Bridge Domain

Go under L3 configuration

Create subnet

Add x.x.x.x

Select advertised externally

Shared between VRFs.

Submit the changes

 

Step 6:

Create External Network under External Routed Networks

Go under contracts and provide common contract.

 

6 Replies

Rising star
Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Hi @zafarsohail 

Just to be sure of what you are trying to achieve, you have a L3Out in User Tenant with static routes towards FTD and you want to share the routes to and from a shared L3Out from Common Tenant?

If my understanding is not accurate, maybe it will be more helpful if you make a drawing? ^_^

 

Thanks,

Sergiu

Beginner

Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Yes, so I have a L3OUT configured in User Tenant with static routes towards FTD.  I have other tenants x, y, z and they are sharing their services between each other via Common Tenant.  What I want to do is make this User Tenant capable of reaching out to those services in x, y, z Tenants by utilizing Common Tenant.  So what in essence I am trying to do is: anyone coming from the FTD firewall into User Tenant who wants to access the services on X, Y, Z tenants should be able to do so.  The other side of the FTD is another network with users which need to access the services in X, Y, Z tenants.  Hopefully this makes sense.  Thank you so much for your time on this.

Rising star

Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Hello,


I have other tenants x, y, z and they are sharing their services between each other via Common Tenant.

Can you be more specific? Do you have a L3Out in Common Tenant which is accessed by all Tenants, or do you have a VRF or BDs configured in common tenant which are used by all EPGs in all user tenants? In which VRF are your L3Out and your Tenants X, Y, Z?

I am just trying to understand the layout, how the traffic flows, and what the role of common tenant is in your case.

In the end, what I understand is that you have some clients behind the FTD L3Out which need to access the services behind Tenants X, Y, Z, which is done through the use of contracts. But depending on how you have the configuration and deployments, there might be specific configuration which is needed.

 

Cheers,

Sergiu

Beginner

Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Yes, sir! The way they have the other EPGs shared with common Tenant is via the contract.  I see both provider and consumer on each EPG under x, y, z tenants with the contract "common/default".  Hope this helps.  Attached are 2 snapshots of both external EPGs and internal EPGs with the same contracts.

Rising star (accepted solution)

Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Hello,

From what I see, the EPGs are simply using the contracts defined in common tenant. This does not mean that traffic goes through the common tenant. If you want to reuse them, since you already have the common contracts applied on EPGs, you can simply add them as consumer/provider on your L3Out (plus the rest of the configuration required: associate the L3Out to the BDs + shared between VRF for the BD subnet) and you should have the communication between L3Out and all EPGs configured with common contract.

However, from my perspective, it would be best to use a different contract (you can configure this new contract in common tenant as well). This will offer you better flexibility on how you allow communication.

 

Hope it helps,

Sergiu
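As an added example (my own code, not configuration from this thread or from Cisco), the following Python builds the APIC JSON for the objects the original steps and the accepted answer describe: tenant, VRF, a bridge domain whose subnet is Advertised Externally and Shared between VRFs and is associated with the L3Out, the L3Out with node profile, static routes and routed interface, and an external EPG that consumes a contract defined in tenant common. It then cross-checks that payload against the access-policy side, which is where this kind of deployment usually breaks: it flags an L3Out path the interface selector does not cover (the steps above select 1/14 in the access policy but eth1/17 in the interface profile), a static next hop that is not on the routed interface's subnet, a BD that is not tied to the L3Out, and BD or external subnets missing the shared flags. Every name, node ID, VLAN and address below is an assumed placeholder, and the contract "shared-services" is assumed to exist in tenant common.

```python
"""Build the APIC JSON for a user-tenant L3Out toward an FTD and cross-check it
against the access-policy side and the shared-services requirements.

Added illustration for this thread, not configuration taken from it or from
Cisco. All names and addresses are assumed placeholders; see SAMPLE_CFG.
"""
import json
from ipaddress import ip_address, ip_interface


def build_l3out_tenant(cfg):
    """Return the tenant tree (fvTenant) as a dict ready for json.dumps()."""
    pod, node, intf = cfg["pod"], cfg["node"], cfg["interface"]
    node_dn = f"topology/pod-{pod}/node-{node}"
    path_dn = f"topology/pod-{pod}/paths-{node}/pathep-[{intf}]"
    static_routes = [
        {"ipRouteP": {"attributes": {"ip": prefix},
                      "children": [{"ipNexthopP": {"attributes": {"nhAddr": nh}}}]}}
        for prefix, nh in cfg["static_routes"]]
    node_profile = {"l3extLNodeP": {"attributes": {"name": "FP-Node-L3out"}, "children": [
        {"l3extRsNodeL3OutAtt": {"attributes": {"tDn": node_dn, "rtrId": cfg["router_id"],
                                                "rtrIdLoopBack": "yes"},
                                 "children": static_routes}},
        {"l3extLIfP": {"attributes": {"name": "FP-interface-profile"}, "children": [
            # Routed (l3-port) interface: no VLAN encap, the IP sits on the port itself.
            {"l3extRsPathL3OutAtt": {"attributes": {
                "tDn": path_dn, "ifInstT": "l3-port", "encap": "unknown", "addr": cfg["if_addr"]}}}]}}]}}
    # A vzBrCP name is resolved in the local tenant first and then in tenant common,
    # so a contract defined in common is usable from here by its plain name.
    rels = []
    if cfg["contract_role"] in ("consumer", "both"):
        rels.append({"fvRsCons": {"attributes": {"tnVzBrCPName": cfg["contract"]}}})
    if cfg["contract_role"] in ("provider", "both"):
        rels.append({"fvRsProv": {"attributes": {"tnVzBrCPName": cfg["contract"]}}})
    ext_epg = {"l3extInstP": {"attributes": {"name": "FTD-ExtEPG"}, "children": rels + [
        # import-security classifies the prefix into this external EPG; the two
        # shared-* flags leak the route and its classification into the other VRFs.
        {"l3extSubnet": {"attributes": {"ip": s, "scope": "import-security,shared-security,shared-rtctrl"}}}
        for s in cfg["ext_subnets"]]}}
    l3out = {"l3extOut": {"attributes": {"name": cfg["l3out"]}, "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": cfg["vrf"]}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{cfg['l3dom']}"}}},
        node_profile, ext_epg]}}
    bd = {"fvBD": {"attributes": {"name": cfg["bd"]}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": cfg["vrf"]}}},
        {"fvRsBDToOut": {"attributes": {"tnL3extOutName": cfg["l3out"]}}},
        # scope public = "Advertised Externally", shared = "Shared between VRFs"
        {"fvSubnet": {"attributes": {"ip": cfg["bd_subnet"], "scope": "public,shared"}}}]}}
    return {"fvTenant": {"attributes": {"name": cfg["tenant"]}, "children": [
        {"fvCtx": {"attributes": {"name": cfg["vrf"]}}}, bd, l3out]}}


def _find(obj, cls):
    """Yield the body ({"attributes", "children"}) of every object of class cls."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == cls:
                yield val
            yield from _find(val, cls)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find(item, cls)


def check_l3out(payload, access_policy):
    """Cross-check the tenant payload against the fabric access policy.

    access_policy = {"node": 204, "interfaces": {"eth1/14"}, "vlans": {4003}}
    Returns human-readable findings; an empty list means the two sides agree.
    """
    findings, if_nets = [], []
    for p in _find(payload, "l3extRsPathL3OutAtt"):
        a = p["attributes"]
        node = int(a["tDn"].split("/paths-")[1].split("/")[0])
        intf = a["tDn"].split("pathep-[")[1].rstrip("]")
        if node != access_policy["node"] or intf not in access_policy["interfaces"]:
            findings.append(f"L3Out path node {node} {intf} is not covered by the interface "
                            f"selector (node {access_policy['node']}, {sorted(access_policy['interfaces'])})")
        if a["ifInstT"] == "sub-interface":  # encap must come from the domain's VLAN pool
            vid = int(a["encap"].split("-")[1])
            if vid not in access_policy["vlans"]:
                findings.append(f"sub-interface VLAN {vid} is not in the domain's VLAN pool")
        if_nets.append(ip_interface(a["addr"]).network)
    # A static route is only usable if its next hop sits on a directly attached L3Out subnet.
    for nh in _find(payload, "ipNexthopP"):
        addr = ip_address(nh["attributes"]["nhAddr"])
        if not any(addr in net for net in if_nets):
            findings.append(f"static next hop {addr} is not on any L3Out interface subnet")
    l3outs = {o["attributes"]["name"] for o in _find(payload, "l3extOut")}
    for bd in _find(payload, "fvBD"):
        name = bd["attributes"]["name"]
        if not {r["attributes"]["tnL3extOutName"] for r in _find(bd, "fvRsBDToOut")} & l3outs:
            findings.append(f"BD {name} is not associated with an L3Out, so its subnet is never advertised")
        for s in _find(bd, "fvSubnet"):
            scope = set(s["attributes"].get("scope", "private").split(","))
            if not {"public", "shared"} <= scope:
                findings.append(f"BD subnet {s['attributes']['ip']} needs scope public,shared "
                                f"(Advertised Externally + Shared between VRFs); has {sorted(scope)}")
    need = {"import-security", "shared-security", "shared-rtctrl"}
    for epg in _find(payload, "l3extInstP"):
        name = epg["attributes"]["name"]
        if not (list(_find(epg, "fvRsCons")) or list(_find(epg, "fvRsProv"))):
            findings.append(f"external EPG {name} has no contract relation; nothing is permitted")
        for s in _find(epg, "l3extSubnet"):
            scope = set(s["attributes"]["scope"].split(","))
            if not need <= scope:
                findings.append(f"external subnet {s['attributes']['ip']} in {name} lacks {sorted(need - scope)}")
    return findings


SAMPLE_CFG = {  # constructed placeholder values, not taken from the thread
    "tenant": "UserTenant", "vrf": "UserVRF", "bd": "UserBD", "bd_subnet": "10.10.10.1/24",
    "l3out": "FTD-L3Out", "l3dom": "Firepower_l3out_Domain", "pod": 1, "node": 204,
    "interface": "eth1/14", "router_id": "192.0.2.204", "if_addr": "198.51.100.1/30",
    "static_routes": [("10.200.0.0/16", "198.51.100.2")], "ext_subnets": ["10.200.0.0/16"],
    "contract": "shared-services", "contract_role": "consumer",
}
SAMPLE_ACCESS_POLICY = {"node": 204, "interfaces": {"eth1/14"}, "vlans": {4003}}

if __name__ == "__main__":
    tree = build_l3out_tenant(SAMPLE_CFG)
    print(json.dumps(tree, indent=2))  # body for POST https://<apic>/api/mo/uni.json
    print(check_l3out(tree, SAMPLE_ACCESS_POLICY) or "consistent")
```

Run it once with the sample as-is (no findings), then change "interface" to "eth1/17" to see the selector mismatch reported; the same check applied to the access policy and L3Out from the steps above would report that pair. The scope strings are the APIC attribute values behind the GUI check boxes, so a reviewer can diff the JSON exported from APIC against this builder instead of clicking through each tab.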

Beginner

Re: L3OUT from USER Tenant to the FTD needs to share routes from COMMON Tenant.

Thank you so much.  It worked.
