Transit routing within a VRF is reasonably straightforward, but when I tried to reproduce a problem described in here, I found that you need to be a little careful to make sure that the routes from one router are actually passed on to the other.
Here's the topology I built:
A single tenant has a single VRF and two External Routed Networks (L3Outs), although the same result could have been achieved using a single L3Out. An Access Policy Chain was set up to allow VLAN 2304 to be configured as an SVI on interface Ethernet1/1 of the left ACI Leaf (Leaf 101), and VLAN 2308 to be configured as an SVI on interface Ethernet1/1 of the right ACI Leaf (Leaf 102).
First I created a Tenant called Transit with a VRF called DC_VRF
Then I created the first of the two L3Outs. I called it LeftRtr_L3Out, assigned it regular OSPF area 0.0.0.4, and made sure it was linked to the DC_VRF and to the appropriate External Routed Domain that held the interface configuration for Ethernet 1/1 and a VLAN pool containing VLAN 2304.
I gave it a Logical Node Profile pointing to Leaf 101 and an SVI interface for VLAN 2304 on Ethernet 1/1 of Leaf 101. I used an IP address of 192.168.4.2/24, as I already had a router attached with an IP address of 192.168.4.1/24 on its G0/1.2304 sub-interface.
Next, before OSPF could begin I needed to add a Network, or L3EPG to describe which source IP addresses would be permitted to enter the ACI fabric from the external router. I kept it simple and defined my network as 0.0.0.0/0 - in other words all source IPs were permitted.
At this stage, it is appropriate to look at the external router configuration. The external router was configured with a VRF to contain the configuration of the LeftRouter - here's the VRF config:
ip vrf LeftRouter
!
! sub-interface facing the LeftRouter's local 192.168.40.0/24 subnet
interface GigabitEthernet0/0.2040
 encapsulation dot1Q 2040
 ip vrf forwarding LeftRouter
 ip address 192.168.40.1 255.255.255.0
!
! sub-interface facing the SVI on Leaf 101 (192.168.4.2)
interface GigabitEthernet0/1.2304
 encapsulation dot1Q 2304
 ip vrf forwarding LeftRouter
 ip address 192.168.4.1 255.255.255.0
!
router ospf 4 vrf LeftRouter
 network 192.168.0.0 0.0.255.255 area 0.0.0.4
And by now the LeftRouter and Leaf101 have become neighbors:
And on the router:
LeftRouter#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
188.8.131.52 1 FULL/DR 00:00:38 192.168.4.2 GigabitEthernet0/1.2304
Now things get tricky. Recall from the original diagram that we want Leaf 101 to advertise the 192.168.80.0/24 subnet to the LeftRouter. So we have to tell Leaf101 to advertise this route manually. Here are the steps.
Create a Match Rule for Route Maps (in your Tenant, navigate to Networking > External Routed Networks >+ Create Match Rule for a Route Map)
I called mine 192.168.80:24 and added a Match Prefix of 192.168.80.0/24.
Now to tell Leaf101 you want to advertise this prefix, configure the default-export route map and set it to Match Routing Policy Only, and link it to the Match Rule you created earlier. (in your Tenant, navigate to Networking > External Routed Networks > LeftRtr_L3Out > Route Maps/Profiles >+ Create Route Map/Profile)
Name the profile default-export (or pick it from the drop down list) and set the Type to Match Routing Policy Only
Add a context - I called mine 192.168.80.0:24_RtCtrlCtx - and choose the match rule (192.168.80:24 in my case) you created earlier.
Bingo. Your Leaf 101 is now ready to advertise the 192.168.80.0/24 subnet - except for one small problem - it hasn't learned about that subnet from the RightRouter yet. So now it's time to "Rinse and Repeat", as they say: repeat the above steps for the RightRouter's L3Out, this time with a match rule and default-export route map for the 192.168.40.0/24 subnet.
But of course you won't be able to pass any traffic until there is a contract in place. I simply set one of the L3EPGs to provide the default contract from the common tenant, and the other to consume it. Keep in mind that with both L3EPGs classifying 0.0.0.0/0 and the common default contract (which permits all traffic), this is effectively an any-to-any permit between the two routers; outside a lab you would use tighter external subnets and a purpose-built contract.
Finally, some testing from the routers to check that the transit routing is working. First the LeftRouter (note that since I didn't bother advertising the routes connecting the routers to the fabric, I had to specify the source interface):
LeftRouter#show ip route vrf LeftRouter | include /
184.108.40.206/32 is subnetted, 1 subnets
O 220.127.116.11 [110/2] via 192.168.4.2, 02:43:00, GigabitEthernet0/1.2304
192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.4.0/24 is directly connected, GigabitEthernet0/1.2304
L 192.168.4.1/32 is directly connected, GigabitEthernet0/1.2304
192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.40.0/24 is directly connected, GigabitEthernet0/0.2040
L 192.168.40.1/32 is directly connected, GigabitEthernet0/0.2040
O E2 192.168.80.0/24
[110/1] via 192.168.4.2, 00:11:01, GigabitEthernet0/1.2304
LeftRouter#ping vrf LeftRouter 192.168.80.1 source GigabitEthernet0/0.2040
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.80.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.40.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
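As an added verification step (not part of the original post), this Python script parses the LeftRouter's "show ip route" output above and checks that the transit prefix really is OSPF-learned from the Leaf 101 SVI on the fabric-facing sub-interface, rather than missing, connected locally, or reachable via some other next hop. The sample output is constructed from (and trimmed to) the lines shown in the post.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample, trimmed from the LeftRouter output shown in the post
SHOW_IP_ROUTE = """\
LeftRouter#show ip route vrf LeftRouter | include /
      192.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.4.0/24 is directly connected, GigabitEthernet0/1.2304
C        192.168.40.0/24 is directly connected, GigabitEthernet0/0.2040
O E2  192.168.80.0/24
           [110/1] via 192.168.4.2, 00:11:01, GigabitEthernet0/1.2304
"""

class Route(NamedTuple):
    code: str           # IOS route source, e.g. "C", "L", "O", "O E2"
    prefix: str         # destination, e.g. "192.168.80.0/24"
    via: Optional[str]  # next hop; None for connected/local routes
    iface: str          # outgoing interface

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z][A-Z*]?(?: [A-Z][A-Z0-9]?)?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)"
    r"(?:.*?\bvia\s+(?P<via>\d{1,3}(?:\.\d{1,3}){3}))?"
    r".*?,\s*(?P<iface>\S+)$")

def parse_ip_route(text: str) -> List[Route]:
    """Parse 'show ip route'. Rejoins wrapped '[AD/metric] via ...' lines; skips non-route lines."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and joined:  # continuation of the previous entry
            joined[-1] += " " + line
        elif line:
            joined.append(line)
    return [Route(m["code"], m["prefix"], m["via"], m["iface"])
            for m in map(ROUTE_RE.match, joined) if m]

def check_transit_route(routes: List[Route], prefix: str, via: str, iface: str) -> List[str]:
    """Return problems with the expected transit route (empty list means OK)."""
    hits = [r for r in routes if r.prefix == prefix]
    if not hits:
        return [f"{prefix} missing: check the default-export route map and match rule"]
    problems = []
    for r in hits:
        if not r.code.startswith("O"):
            problems.append(f"{prefix} is {r.code!r}, expected an OSPF-learned route")
        if (r.via, r.iface) != (via, iface):
            problems.append(f"{prefix} via {r.via} on {r.iface}, expected {via} on {iface}")
    return problems
```

Running check_transit_route(parse_ip_route(SHOW_IP_ROUTE), "192.168.80.0/24", "192.168.4.2", "GigabitEthernet0/1.2304") returns an empty list for the output above; feeding it the RightRouter's table with the 192.168.40.0/24 prefix gives the matching check for the other direction.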
Trust me - the RightRouter is the same :). Here's the config for the RightRouter, just for completeness' sake:
ip vrf RightRouter
!
! sub-interface facing the RightRouter's local 192.168.80.0/24 subnet
! (the interface name is not shown in the original post)
 encapsulation dot1Q 2080
 ip vrf forwarding RightRouter
 ip address 192.168.80.1 255.255.255.0
!
! sub-interface facing the SVI for VLAN 2308 on Leaf 102
! (the interface name is not shown in the original post)
 encapsulation dot1Q 2308
 ip vrf forwarding RightRouter
 ip address 192.168.8.1 255.255.255.0
!
router ospf 8 vrf RightRouter
 network 192.168.0.0 0.0.255.255 area 0.0.0.8
And just in case you want to do it yourself, here is the complete Tenant configuration. If you want to copy it to a text file, you can right-click on a tenant, choose Post, and select the text file as the source and /uni as the destination.