Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1715
Views
0
Helpful
2
Replies

ACI Transit Routing - 2 x L3 Outs Same VRF

darreng
Level 1
Level 1

‎12-01-2017 08:17 AM - edited ‎03-01-2019 09:32 AM

Hi,

 

I have read:

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Transit_Routing.html

I have 2 x border leaf switches into which I have 2 x separate L3 out connections. Both are in the same VRF.

Layer 3 Out one goes to a WAN router, Layer 3 Out two goes to a Firewall. The L3 Outs are both configured with OSPF.

I learn OSPF routes from a DMZ interface (attached to the Firewall) on the WAN router (set using Export Route Control Subnet in Networks under Firewall L3 outs). Additionally, I learn the WAN routes on the Firewall using the same method for the WAN L3 Out.

I can’t ping a host on the DMZ from the WAN side, so I suspected it was to do with transit routing limitations or Contracts. However, my design currently allows all EPG’s to talk (set under the VRF).

The Firewall ACL config permits the private WAN source network to connect to DMZ.

Can someone point me in the right direction please. I'm missing something obvious.

 

Regards

 

Darren

Labels:
0 Helpful
2 Replies 2

Carlo Schmidt
Cisco Employee
Cisco Employee

‎12-02-2017 09:58 AM

Hi Darren,

What subnets are you using in your external EPG for the two L3Outs? Try using a more specific subnet for one of them. There is also a specific forum for ACI:

 

https://supportforums.cisco.com/t5/application-centric/bd-p/12206936-discussions-aci

 

-Carlo 

0 Helpful

darreng
Level 1
Level 1
In response to Carlo Schmidt

‎12-04-2017 09:06 AM

Hi Carlo,

 

Thanks for your kind reply.

 

Long story short. My server Admin had some routes on the server which were incorrectly configured. We've since amended and now I can ping the device needed. Quite frustrating but nonetheless glad it's sorted. 

 

Regards

 

Darren

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents