07-18-2020 03:24 PM
Hi
We have 2 L3outs configured on the fabric on VRF-A.
- L3Out A using OSPF to the firewall with an external EPG A with subnet 0.0.0.0/0. Contract applied is permit-ip any.
- L3Out B with a 6500 switch using static route with an external EPG B with subnet 10.0.0.0/8. Contract applied is permit-ip any.
The issue is that the leaf switch only has a static route for 10.0.0.0/24 via L3Out B. For all other subnets in 10.0.0.0/8, the leaf switch uses the default route to the firewall.
So for traffic to 10.1.1.14, leaf switch routing table matches the route via L3Out A.
How will ACI behave, will it treat it as traffic for EPGA and apply policies for EPG A and route it to the firewall?
OR
will ACI treat it as traffic for EPGB because of LPM and apply policies for EPG B and try to route it to the 6500 switch?
Thanks,
Rohan
07-19-2020 11:23 PM - edited 07-19-2020 11:26 PM
"The issue is the leaf switch only has a static route for 10.0.0.0/24 via L3Out B. For all other subnet in 10.0.0.0/8 the leaf switch uses default route to the firewall. "
The routing will always happen based on the routing table. If the dIP matches the route to L3Out-B, the packet will be forwarded to L3Out-B. Same with L3Out-A.
The policy enforcement on the other hand, will happen based on this:
Leaf111# vsh_lc -c "show system internal aclqos prefix"
Vrf Vni    Addr      Mask      Scope    Class  Shared  Remote
=======    ========  ========  =======  =====  ======  ======
2261000    0.0.0.0   ffffffff  2261000  15     FALSE   FALSE
2261000    10.0.0.0  ffffff    2261000  49155  FALSE   FALSE

Leaf111# show zoning-rule | grep "Rule\|==\|49155"
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
=======  ======  ======  ========  =======  =======  ======  ========
4107     32770   49155   8         enabled  2261000  permit  fully_qual(7)
The dIP will try to match on the prefix to get the destination pcTag (destination EPG). Once it knows the DestEPG, it will be able to apply the policy enforcement.
In your case, because you have configured the 10.0.0.0/8 subnet in L3Out-B, the policy enforcement will match on the contract EPG-Server -> L3Out-B even if the packet is destined to L3Out-A.
To avoid this problem, you will have to change the subnet to match with the routing table.
Let me know if you have any questions.
best regards,
Sergiu
07-20-2020 02:27 AM
Thank you, Sergiu, for clarifying this. So packets will still be forwarded to L3Out A if the contract applied on the more specific external EPG allows the communication?
Appreciate all the efforts Sergiu!!
Regards
Rohan
07-20-2020 03:13 AM
That's correct. The zoning (contract enforcement) is decoupled from routing.
Stay safe,
Sergiu
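The two lookups Sergiu describes (route selection by longest-prefix match on the VRF routing table, and destination pcTag derivation by longest-prefix match on the external EPG subnets) can be simulated to see exactly why 10.1.1.14 is routed towards L3Out A but policed as if it belonged to external EPG B. The script below is an added example, not code from the thread or from Cisco. The routing table, external EPG subnets and zoning rules are constructed to mirror the thread: pcTags 15, 49155 and 32770 are the values visible in the quoted leaf output, while the names ExtEPG-A, ExtEPG-B and EPG-Server and the "only L3Out-A has a contract" rule set are assumptions used to show what happens when the two lookups disagree.

```python
import ipaddress

# Constructed to mirror the thread; these are not values pulled from a real fabric.
ROUTING_TABLE = {
    "0.0.0.0/0":   "L3Out-A",   # OSPF default learned from the firewall
    "10.0.0.0/24": "L3Out-B",   # static route towards the 6500
}

# External EPG subnets -> (assumed EPG name, pcTag). Class 15 and 49155 are the
# classes in the quoted "show system internal aclqos prefix" output.
EXT_EPG_SUBNETS_AS_CONFIGURED = {
    "0.0.0.0/0":  ("ExtEPG-A", 15),
    "10.0.0.0/8": ("ExtEPG-B", 49155),
}

# The fix from the accepted answer: make the external EPG subnet agree with the route.
EXT_EPG_SUBNETS_FIXED = {
    "0.0.0.0/0":   ("ExtEPG-A", 15),
    "10.0.0.0/24": ("ExtEPG-B", 49155),
}

SERVER_PCTAG = 32770  # SrcEPG in the quoted zoning rule; the name "EPG-Server" is assumed

# Zoning rules as (srcEPG, dstEPG) -> action. Anything not listed hits the implicit deny.
RULES_BOTH_CONTRACTS = {(SERVER_PCTAG, 15): "permit", (SERVER_PCTAG, 49155): "permit"}
RULES_ONLY_L3OUT_A = {(SERVER_PCTAG, 15): "permit"}  # assumed: contract to ExtEPG-B removed


def lpm(table, dst_ip):
    """Longest-prefix match of dst_ip against the prefixes in table.
    Returns (network, value) for the most specific containing prefix, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def route(dst_ip, routing_table=ROUTING_TABLE):
    """Forwarding decision: which L3Out the packet leaves through."""
    match = lpm(routing_table, dst_ip)
    return match[1] if match else None


def classify(dst_ip, ext_subnets):
    """Policy decision: which external EPG (name, pcTag) the destination IP is classified into.
    This lookup does not consult the routing table at all."""
    match = lpm(ext_subnets, dst_ip)
    return match[1] if match else None


def forward(dst_ip, ext_subnets, rules, routing_table=ROUTING_TABLE, src_pctag=SERVER_PCTAG):
    """Return (l3out, dst_epg_name, action): the route taken and the zoning verdict.
    The two lookups are independent, which is the point of the thread."""
    l3out = route(dst_ip, routing_table)
    epg = classify(dst_ip, ext_subnets)
    if l3out is None or epg is None:
        return (l3out, None, "drop")
    name, pctag = epg
    action = rules.get((src_pctag, pctag), "deny")
    return (l3out, name, action)


if __name__ == "__main__":
    for subnets, label in ((EXT_EPG_SUBNETS_AS_CONFIGURED, "as configured"),
                           (EXT_EPG_SUBNETS_FIXED, "fixed")):
        for dst in ("10.0.0.5", "10.1.1.14", "192.168.1.1"):
            print(f"{label:13s} {dst:12s} -> {forward(dst, subnets, RULES_ONLY_L3OUT_A)}")
```

With the subnets as configured, 10.1.1.14 routes to L3Out-A but classifies into ExtEPG-B, so the zoning rule that gets checked is EPG-Server -> ExtEPG-B; if that contract is ever removed or tightened, traffic that never touches L3Out-B is dropped, and a filter meant only for the 6500 path silently applies to traffic bound for the firewall. With the /24 subnet the classification follows the route again. The model ignores ACI details that do not change the conclusion (shared services, the special handling of the 0.0.0.0/0 class, and traffic where both endpoints are external).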