Beginner

Route Filters for ACI L3_OUT

Hi,

Is there any way to apply route filters to networks being advertised between a tenant and the common tenant L3_OUT policy?

 

Basically I am trying to overcome a routing issue whereby I am advertising an aggregate address from one tenant (A) and a more specific network from another tenant (B) using the shared common L3_OUT policy, whereby the return traffic for the specific will return to tenant B.

Traditionally one would be able to use route-maps / filters to overcome this issue. Is there any process for ACI?

 

Many thanks

 

 

Cisco Employee

Hi Khashmi,

 

Can you provide more detail about your current configuration and topology? For example, are Tenant A and Tenant B using two separate VRFs or the same one?

 

You mentioned a shared common L3out policy; does this mean that both tenants are using this L3out to send traffic outside ACI? Or do you have two separate L3outs and are you doing transit routing?

 

How are you advertising these routes (the aggregate and the more specific)? Are they advertised from a subnet defined in a BD in ACI?

 

Sharing a physical topology of your setup would also be useful.

 


Hi,

 

Thanks for your comments.

 

So both tenants are in different VRFs and are using the same L3_OUT in the common tenant to send traffic outside of ACI.

 

The subnets are defined under the respective BD.

 

Thanks

 

 


I am assuming that your L3out is configured under the common VRF. Is either tenant A or B configured to use the common VRF?


Some more detailed information.

L3Out in common Tenant in VRF default
BGP to external routers
External Network EPG defined with external subnets
"Any Open" Contract applied to External Network EPG

Tenant1 with VRF_T1, APP_T1, EPG_T1 with static port assigned and physical domain assigned
Subnets defined in EPG and/or BD (both combinations)
172.16.1.1/24
172.16.2.1/24
"Any Open" contract applied from common tenant

Tenant2 with VRF_T2, APP_T2, EPG_T2 with static port assigned and physical domain assigned
Subnet defined in EPG and/or BD (both combinations)
172.17.1.1/24
172.17.2.1/24
"Any Open" contract applied from common tenant

The above works fine and as expected. There is not a problem with the above configuration.

The concerning issue is best expressed as an example as follows:

From the external networks, we can ping 172.16.1.1 in T1, which is fine and expected. Now if we define 172.16.1.2/25 as a subnet in T2, this is of course overlapping and should not be done for obvious reasons, but my concern is the situation where the fabric is providing a service with each Tenant being a different customer. So let's say T2 decides they want some of T1's data..?! They define a subnet with a more specific prefix (/25) than the /24 in T1; this is set to advertise externally through the shared WAN L3Out. Now pinging 172.16.1.1 from the external network fails because it's following the more specific route; pinging 172.16.1.2 works as it's following the more specific route into T2.

This is the issue. I want to create a prefix filter in the Tenant providing the shared L3Out for each Tenant. Now we would need to use a different tenant than common at minimum, so we can provide an exported contract specifically for each tenant which would have a prefix filter applied defining the prefixes the tenant is allowed to advertise, the same way we do at the ISP-to-customer edge to prevent customers advertising prefixes they don't own into the internet routing table.

 

How do we achieve this?
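The scenario in this post (a /25 from T2 shadowing part of T1's /24 because the external router does longest-prefix matching) and the ISP-style prefix filter the poster asks for can both be modelled offline. The script below is an added example and is not code from the thread or from Cisco; it does not configure anything in ACI. It uses the prefixes from the post as constructed sample data and assumes a hypothetical per-tenant allow-list (`ALLOWED_PREFIXES`) that a provider would maintain for each customer tenant.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the subnets each tenant advertises through the
# shared L3Out, taken from the thread, including the overlapping /25 in T2.
TENANT_PREFIXES: Dict[str, List[str]] = {
    "T1": ["172.16.1.1/24", "172.16.2.1/24"],
    "T2": ["172.17.1.1/24", "172.17.2.1/24", "172.16.1.2/25"],
}

# Hypothetical per-tenant allow-list (assumption, not from the thread): the
# address space each customer tenant is entitled to originate, the same
# information an ISP keeps in its customer-edge prefix filters.
ALLOWED_PREFIXES: Dict[str, List[str]] = {
    "T1": ["172.16.0.0/16"],
    "T2": ["172.17.0.0/16"],
}

Rib = List[Tuple[ipaddress.IPv4Network, str]]


def build_rib(tenant_prefixes: Dict[str, List[str]]) -> Rib:
    """Turn BD/EPG subnet gateways (e.g. 172.16.1.1/24) into network routes
    as the external router would receive them from the L3Out."""
    rib: Rib = []
    for tenant, prefixes in tenant_prefixes.items():
        for p in prefixes:
            rib.append((ipaddress.ip_network(p, strict=False), tenant))
    return rib


def lookup(rib: Rib, dst: str) -> Optional[str]:
    """Longest-prefix match: which tenant the external router forwards to."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, tenant in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tenant)
    return best[1] if best else None


def find_overlaps(tenant_prefixes: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Detect prefixes advertised by different tenants that overlap, i.e. the
    condition under which one tenant can shadow another's traffic."""
    rib = build_rib(tenant_prefixes)
    conflicts = []
    for i, (net_a, ten_a) in enumerate(rib):
        for net_b, ten_b in rib[i + 1:]:
            if ten_a != ten_b and net_a.overlaps(net_b):
                conflicts.append((ten_a, str(net_a), ten_b, str(net_b)))
    return conflicts


def filter_advertisements(tenant_prefixes: Dict[str, List[str]],
                          allowed: Dict[str, List[str]]):
    """Apply a per-tenant prefix filter before the shared L3Out: a prefix is
    permitted only if it is covered by that tenant's allow-list."""
    permitted: Dict[str, List[str]] = {}
    rejected: Dict[str, List[str]] = {}
    for tenant, prefixes in tenant_prefixes.items():
        allow = [ipaddress.ip_network(a) for a in allowed.get(tenant, [])]
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            bucket = permitted if any(net.subnet_of(a) for a in allow) else rejected
            bucket.setdefault(tenant, []).append(str(net))
    return permitted, rejected


if __name__ == "__main__":
    unfiltered = build_rib(TENANT_PREFIXES)
    print("unfiltered: 172.16.1.1 ->", lookup(unfiltered, "172.16.1.1"))
    print("overlaps:", find_overlaps(TENANT_PREFIXES))
    permitted, rejected = filter_advertisements(TENANT_PREFIXES, ALLOWED_PREFIXES)
    print("rejected:", rejected)
    print("filtered:   172.16.1.1 ->", lookup(build_rib(permitted), "172.16.1.1"))
```

Run unfiltered, the lookup for 172.16.1.1 lands in T2, which is exactly why the ping in the post fails; `find_overlaps` flags the T1 /24 against the T2 /25, and after `filter_advertisements` drops the /25 (it is outside T2's allow-list) the lookup returns to T1. In a real deployment the overlap check is the useful part: it can be run against the subnets configured in every tenant sharing the L3Out, since the fabric itself does not enforce this per tenant.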

 

 


Hi Khashmi,

 

The way to manipulate/apply policy to a route in ACI is using route-profiles (see link below), but I don't believe there is any rule that would control routes at the tenant level.

 

Is there any reason why you use an L3out under each tenant?

 

Cisco ACI and Route Maps Using Explicit Prefix List

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/KB/b_Cisco_APIC_and_Route_Maps_Using_Explicit_Prefix_List.html#id_38976

 


I think you misunderstand? The L3Out is shared; it is configured and shared from tn-common in this case and is being used by two or more tenants. I want to filter routes advertised from tenants using the shared L3Out to prevent a tenant advertising a prefix into the L3Out which overlaps with another tenant's prefixes.

 

Attached is a diagram to illustrate the issue. Many thanks BTW for your help and assistance so far.

 

Kind Regards


Hi Khashmi,

 

I just realized that I typed the wrong thing; what I meant to say was:

 

Is there any reason why you CAN'T use an L3out under each tenant?

 

I understand what you are trying to accomplish, but in ACI it is not possible to manipulate the advertised routes at the tenant level from the provider Tenant/VRF where your L3out is located.

 


All I remember from Cisco is: if the L3_OUT is in the common Tenant, then don't use overlapping subnets in other Tenants.