Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1765
Views
0
Helpful
4
Replies

Strange case on L3out

compterds
Level 1
Level 1

‎06-06-2017 06:37 AM - edited ‎03-01-2019 05:15 AM

Hello everyone,

I'm currently testing L3out by statical route on my fabric.

I followed many documentation for configuring everything (Tenant, EPG, BD, Subnet, L3out contract, and so on)

I've an endpoint 10.68.36.56 behind one leaf under "test" EPG on interface 1/28 frome leaf 1101.

From that endpoint, I can succesfully ping external network. 10.0.0.0/8 (Contract seems to work)

But from my external network, the only thing that I can do is pinging the gateway from my BD (10.68.36.1) but it doesnt work when I'm trying to ping 10.68.36.56...

If someone got an idea, I would appreciate your help 

Yoann

Labels:
0 Helpful
4 Replies 4

Joseph Young
Cisco Employee
Cisco Employee

‎06-06-2017 10:47 AM

-Are there any other BD SVI's configured in ACI that you can ping from the endpoint? Just to rule out gateway issues. Additionally if you don't have access to the endpoint you can source a ping from a non-connected bd svi using "iping -V <vrf name> <endpoint ip> -S <source ip>". You can get the vrf name with "show vrf".

-Contracts are not applied when pinging an address configured in ACI. If this is not a prod environment you can set the vrf mode for the endpoint to 'unenforced' to see if that causes the flow to work and isolate to a policy issue.

-If you can't change the mode another thing you can do is "show logging ip access-list internal packet-log deny | grep <endpoint ip>" on the border leafs and on the internal leafs to determine if it is being contract dropped.

0 Helpful

compterds
Level 1
Level 1
In response to Joseph Young

‎06-07-2017 12:16 AM

Hello Joseph,

When I used show logging ip access-list internal packet-log deny | grep 10.68.36.56 on my 2 border leaves, it was empty. Whereas on my leaf 1101, there was many lines (as you can see on the attached file issue_leaf1101_endpoint10683656.txt)

My VRF was already in unenforced states.

I've done several commands on my service leaf (where sit the endpoint behind the BD and so on) and the output is in the file called "show_apic_leaf_forissue.txt".

I'm still trying to understand what's wrong with my configuration..

Thank you in advance for your help

Yoann

Preview file
2 KB
Preview file
13 KB
0 Helpful

Joseph Young
Cisco Employee
Cisco Employee
In response to compterds

‎06-07-2017 07:37 AM

Thanks for that output. I don't see any problems just from that. What kind of OS is the endpoint? Can you get a capture going on the host nic to see if traffic is actually making it to that point?

0 Helpful

rgavandi
Cisco Employee
Cisco Employee

‎08-19-2021 05:06 AM

Please verify the BD enforcement in VRF, please remove the tick.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License