ACI Transit Routing - 2 x L3 Outs Same VRF

darreng · ‎12-01-2017

Hi,

I have read:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Transit_Routing.html

I have 2 x border leaf switches into which I have 2 x separate L3 out connections. Both are in the same VRF.

Layer 3 Out one goes to a WAN router, Layer 3 Out two goes to a Firewall. The L3 Outs are both configured with OSPF.

I learn OSPF routes from a DMZ interface (attached to the Firewall) on the WAN router (set using Export Route Control Subnet in Networks under Firewall L3 outs). Additionally, I learn the WAN routes on the Firewall using the same method for the WAN L3 Out.

I can’t ping a host on the DMZ from the WAN side, so I suspected it was to do with transit routing limitations or Contracts. However, my design currently allows all EPG’s to talk (set under the VRF).

The Firewall ACL config permits the private WAN source network to connect to DMZ.

Can someone point me in the right direction please. I'm missing something obvious.

Regards

Darren

Carlo Schmidt · ‎12-02-2017

Hi Darren,

What subnets are you using in your external EPG for the two L3Outs? Try using a more specific subnet for one of them. There is also a specific forum for ACI:

https://supportforums.cisco.com/t5/application-centric/bd-p/12206936-discussions-aci

-Carlo

darreng · ‎12-04-2017

Hi Carlo,

Thanks for your kind reply.

Long story short. My server Admin had some routes on the server which were incorrectly configured. We've since amended and now I can ping the device needed. Quite frustrating but nonetheless glad it's sorted.

Regards

Darren