05-16-2018 08:07 PM - edited 03-01-2019 09:34 AM
Hi All,
My ACI multipod deployment consists of two pods, with each pod having its own L3Out. Each L3Out contains a 0.0.0.0/0 external EPG.
I wish to create a second external EPG (e.g. Admin) containing the /32 IP addresses of certain systems and workstations that require additional access above what is provided to the 0.0.0.0/0 external EPG. For example, this external EPG may consume a contract allowing SSH/RDP to select EPGs.
This second external EPG would be created under both L3Outs, as we would wish to maintain the same access for the external systems in the event of an L3Out failure, or if an L3Out association of an EPG's BD was changed, or if the external system was routed via the second L3Out.
However, from what I understand, it appears that this configuration - i.e. creating the same /32 IP address/subnet in an external network under different L3Outs within the same multipod fabric - is not supported and will result in a "Prefix Entry Already Used in Another EPG" fault message.
With this in mind, is there any way in which such access (consistent policy applied to a /32 address in an external EPG) can be configured for a fabric with multiple L3Outs, or is this a fundamental limitation?
Cheers,
-Luke
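A pre-deployment lint for the situation described above, added here as an example (it is not code from the original post or from Cisco). It assumes a constructed flat record per external-EPG subnet rather than the APIC's own object model, and it mirrors the fault the post reports: a prefix classified in more than one external EPG of the same VRF is flagged, while 0.0.0.0/0 is exempt because the post states a default external EPG exists under both L3Outs without complaint.

```python
"""Flag external-EPG prefixes that are classified in more than one external
EPG within the same tenant/VRF, the condition behind the
"Prefix Entry Already Used in Another EPG" fault described in the post.

Assumed record shape (constructed, not the APIC object model):
    {"tenant", "vrf", "l3out", "ext_epg", "ip"}
"""
from collections import defaultdict
from ipaddress import ip_network

# Catch-all prefixes are exempt: the post shows a 0.0.0.0/0 external EPG
# under each L3Out coexisting without a fault.
DEFAULT_PREFIXES = {"0.0.0.0/0", "::/0"}

# Constructed sample: two pods, one L3Out each, sharing a VRF. Each L3Out has
# a default external EPG plus an Admin external EPG carrying the same /32.
SAMPLE_SUBNETS = [
    {"tenant": "Prod", "vrf": "Prod-VRF", "l3out": "Pod1-L3Out", "ext_epg": "Default", "ip": "0.0.0.0/0"},
    {"tenant": "Prod", "vrf": "Prod-VRF", "l3out": "Pod2-L3Out", "ext_epg": "Default", "ip": "0.0.0.0/0"},
    {"tenant": "Prod", "vrf": "Prod-VRF", "l3out": "Pod1-L3Out", "ext_epg": "Admin", "ip": "10.1.1.10/32"},
    {"tenant": "Prod", "vrf": "Prod-VRF", "l3out": "Pod2-L3Out", "ext_epg": "Admin", "ip": "10.1.1.10/32"},
    {"tenant": "Prod", "vrf": "Prod-VRF", "l3out": "Pod1-L3Out", "ext_epg": "Admin", "ip": "10.1.1.11/32"},
    # Same /32 in a different VRF: classification is per VRF, so no conflict.
    {"tenant": "Lab", "vrf": "Lab-VRF", "l3out": "Lab-L3Out", "ext_epg": "Admin", "ip": "10.1.1.10/32"},
]


def find_prefix_conflicts(subnets):
    """Return {(tenant, vrf, prefix): ["l3out/ext_epg", ...]} for every
    non-default prefix that appears in two or more external EPGs of one VRF."""
    owners = defaultdict(set)
    for rec in subnets:
        # Normalise the prefix so "10.1.1.10" and "10.1.1.10/32" compare equal.
        prefix = ip_network(rec["ip"], strict=False).with_prefixlen
        if prefix in DEFAULT_PREFIXES:
            continue
        owners[(rec["tenant"], rec["vrf"], prefix)].add(f"{rec['l3out']}/{rec['ext_epg']}")
    return {key: sorted(epgs) for key, epgs in owners.items() if len(epgs) > 1}


if __name__ == "__main__":
    for (tenant, vrf, prefix), epgs in find_prefix_conflicts(SAMPLE_SUBNETS).items():
        print(f"{tenant}/{vrf}: {prefix} classified in {', '.join(epgs)}")
```

Run against an export of your own external-EPG subnets before pushing a change, so the overlapping /32 is caught in review rather than as a fault on the APIC.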
05-31-2018 06:37 PM
Bump - really kind of surprised that there does not appear to be a way in which to consistently classify external EPG subnets to enforce contracts in ACI regardless of which L3Out those endpoints ingress from.
08-12-2019 09:15 AM
I have the same problem. I am running ACI v3.2 in Multi-pod. When I configured the subnets in two external EPGs in two L3Outs in different Pods and provided a contract, and another internal EPG consumed this contract, the error reported that the subnets were used in another EPG. The strange thing is that it seems to work.