04-22-2020 07:37 AM - edited 04-22-2020 07:38 AM
Hi experts,
I have a question regarding how VRF leaking works in ACI. I have a simple topology as follows:
The Border Leaf is learning the route 10.0.0.0/8 via OSPF in the VRF A from the router. I want to leak this route into VRF B so that the VM can reach the 10.x subnet.
My question is: how will the route be leaked in this case? I read this article https://www.cisco.com/c/en/us/support/docs/software/aci-data-center/215128-troubleshooting-unexpected-route-leaking.html and understand that MP-BGP will be used if I want to leak an L3Out route to a non-Border Leaf. But here I have a Border Leaf with 2 VRFs. Will MP-BGP be used in this case, or will APIC simply push the 10.0.0.0/8 from VRF A to VRF B (as it does when leaking a BD subnet)? In brief, I do not understand if the route 10.0.0.0/8 will be "learned" from OSPF or MP-BGP in the VRF B.
Any help will be greatly appreciated. Thanks.
04-22-2020 07:51 AM
Hi @suneq
Have you had a chance to review this post:
The last scenario discussed I believe is exactly what you are trying to do.
04-22-2020 09:05 AM
Hi Claudia de Luna,
Thanks for your swift reply. I already read the article you mentioned but unfortunately I think it does not cover my question.
If we take your example, I understand how the L3Out route 200.200.200.200/32 is leaked to the Provider VRF on the non-Border Leaf 201. However, I am not sure how it works on a Border Leaf; let's say that we connect a new server to Leaf 101 (BL) and put it in the Provider VRF, how does the leaking work in this case?
1. The BL 101 learned the route 200.200.200.200/32 via OSPF in the Consumer VRF, exports it to MP-BGP, and the Provider VRF (always on the same BL) imports that route?
2. The BL 101 learned the route 200.200.200.200/32 via OSPF in the Consumer VRF and the APIC simply pushes that route into the Provider VRF (as it does when leaking a BD subnet)?
I hope my question is a bit clearer. Thanks for your help.
04-22-2020 07:17 PM
A route learned in VRF A from OSPF will use the MP-BGP VPNv4 address family to leak the route from one VRF to another.
Pretty much the same way it would happen on an MPLS PE between two VRFs.
When you mark the subnet as shared under the L3Out, under the hood we create the prefix-list and update the import RTs.
You can check with the following: show ip bgp process vrf B, and you should see the RT of VRF A in the import RT list.
04-23-2020 01:09 AM
Hi @Gaurav Gambhir,
Thanks for your reply. That's how I think it should work, but as I cannot test right now, I prefer to have confirmation. Let me go a bit further with the topology below: if the VRF leaking is done correctly for the L3Out subnet 192.168.1.0/24 from VRF A to VRF B, when I check the BGP VPNv4 table on the BL2 I should see 2 iBGP routes and I can force the traffic from VM2 to 192.168.1.0/24 to prefer the route from BL1 (by setting the local preference with interleak policy for example)? Am I correct?
I have a doubt because my colleague told me that in this case, VM2 will always prefer the path BL2-CE2 because of OSPF. I would agree with him if the VM2 is in the VRF A, but here as it is in the VRF B, I think we can force the traffic (from VM2 to 192.168.1.0/24) to take the path BL1-CE1. Am I correct?
Thanks.