ACI L3out- routing and security policy logic

rohandec1980
Level 1

Hi 

 

We have 2 L3outs configured on the fabric on VRF-A.

- L3Out A using OSPF to the firewall with an external EPG A with subnet 0.0.0.0/0. Contract applied is permit-ip any.

- L3Out B with a 6500 switch using static route with an external EPG B with subnet 10.0.0.0/8. Contract applied is permit-ip any.

 

The issue is the leaf switch only has a static route for 10.0.0.0/24 via L3Out B. For all other subnets in 10.0.0.0/8, the leaf switch uses the default route to the firewall.

 

So for traffic to 10.1.1.14, the leaf switch routing table matches the route via L3Out A.

How will ACI behave? Will it treat it as traffic for EPG A, apply the policies for EPG A and route it to the firewall?

OR

Will ACI treat it as traffic for EPG B because of LPM, apply the policies for EPG B and try to route it to the 6500 switch?

 

Thanks,

Rohan

Accepted Solution

Sergiu.Daniluk
VIP Alumni

Hi @rohandec1980 

 

"The issue is the leaf switch only has a static route for 10.0.0.0/24 via L3Out B. For all other subnet in 10.0.0.0/8 the leaf switch uses default route to the firewall. "

 

The routing will always happen based on the routing table. If the dIP matches the route to L3Out-B, the packet will be forwarded to L3Out-B. Same with L3Out-A.

The policy enforcement on the other hand, will happen based on this:

Leaf111# vsh_lc -c "show system internal aclqos prefix"

Vrf Vni Addr           Mask     Scope Class  Shared Remote
======= ============== ======== ===== ====== ====== ======
2261000 0.0.0.0        ffffffff 2261000 15     FALSE FALSE
2261000 10.0.0.0       ffffff   2261000 49155  FALSE FALSE

Leaf111# show zoning-rule | grep "Rule\|==\|49155"
Rule ID         SrcEPG          DstEPG          FilterID        operSt          Scope           Action                              Priority       
=======         ======          ======          ========        ======          =====           ======                              ========       
4107            32770           49155           8               enabled         2261000         permit                              fully_qual(7)  

The dIP will try to match on the prefix to get the destination pcTag (destination EPG). Once it knows the DestEPG, it will be able to apply the policy enforcement.

In your case, because you have configured the 10.0.0.0/8 subnet in L3Out-B, the policy enforcement will match on contract EPG-Server -> L3Out-B even if the packet is destined to L3Out-A.

To avoid this problem, you will have to change the subnet to match with the routing table.

 

Let me know if you have any questions.

 

Best regards,

Sergiu

 

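As an added illustration (not code from this thread, from Cisco, or from ACI itself), the following Python model performs the two independent lookups Sergiu describes: a longest-prefix match on the routing table to pick the egress L3Out, and a separate longest-prefix match on the external EPG subnets to derive the destination pcTag that the zoning rules are evaluated against. The routes, subnets and classes 15, 49155 and 32770 are taken from the values quoted in the thread; the "RULES_B_ONLY" contract set is a hypothetical variant added to show why the mismatch matters: with the /8 on external EPG B, a packet to 10.1.1.14 is permitted by the contract written for the 6500 even though it is forwarded to the firewall, and the check function flags exactly those destinations.

```python
import ipaddress

# Everything below is constructed from the values quoted in the thread; it is a model of the two
# lookups, not ACI code. Source class 32770 and destination classes 15 / 49155 come from the
# zoning-rule and aclqos outputs posted above.

# Leaf routing table: static /24 towards the 6500 on L3Out-B, default towards the firewall on L3Out-A.
ROUTES = [
    ("10.0.0.0/24", "L3Out-B"),
    ("0.0.0.0/0", "L3Out-A"),
]

# External EPG subnets as the poster configured them: (prefix, class/pcTag, owning L3Out).
EXT_PREFIXES_AS_CONFIGURED = [
    ("0.0.0.0/0", 15, "L3Out-A"),
    ("10.0.0.0/8", 49155, "L3Out-B"),
]

# The same table after the fix Sergiu recommends: the external EPG B subnet equals the static route.
EXT_PREFIXES_FIXED = [
    ("0.0.0.0/0", 15, "L3Out-A"),
    ("10.0.0.0/24", 49155, "L3Out-B"),
]

# Zoning rules keyed by (src pcTag, dst pcTag). The thread has permit-ip any towards both L3Outs.
RULES_BOTH_PERMIT = {(32770, 15): "permit", (32770, 49155): "permit"}
# Hypothetical variant (not from the thread): a contract only towards L3Out-B, none towards the firewall.
RULES_B_ONLY = {(32770, 49155): "permit"}


def longest_prefix_match(table, dip):
    """Return the entry whose prefix is the most specific one containing dip, or None."""
    addr = ipaddress.ip_address(dip)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def leaf_decision(dip, src_class, routes, ext_prefixes, rules):
    """Model the leaf: route by LPM on the routing table, classify by LPM on the external EPG
    prefix table, then look the (src, dst) pcTag pair up in the zoning rules."""
    route = longest_prefix_match(routes, dip)
    prefix = longest_prefix_match(ext_prefixes, dip)
    if route is None or prefix is None:
        return {"dip": dip, "forwarded_to": None, "dst_class": None,
                "policy_l3out": None, "action": "drop", "consistent": False}
    dst_class, policy_l3out = prefix[1], prefix[2]
    action = rules.get((src_class, dst_class), "deny")  # no zoning rule -> implicit deny
    return {
        "dip": dip,
        "forwarded_to": route[1],       # where the packet actually goes
        "dst_class": dst_class,         # pcTag the contract is evaluated against
        "policy_l3out": policy_l3out,   # L3Out that pcTag belongs to
        "action": action,
        "consistent": route[1] == policy_l3out,
    }


def find_mismatches(routes, ext_prefixes, sample_dips):
    """Configuration check: destinations whose forwarding L3Out differs from the L3Out whose
    external EPG classifies them. Any hit means a contract is enforced against the wrong peer."""
    return [d["dip"]
            for d in (leaf_decision(ip, 32770, routes, ext_prefixes, RULES_BOTH_PERMIT)
                      for ip in sample_dips)
            if not d["consistent"]]


if __name__ == "__main__":
    samples = ["10.0.0.5", "10.1.1.14", "10.200.3.1"]
    for name, table in (("as configured", EXT_PREFIXES_AS_CONFIGURED), ("fixed", EXT_PREFIXES_FIXED)):
        for dip in samples:
            print(name, leaf_decision(dip, 32770, ROUTES, table, RULES_BOTH_PERMIT))
        print(name, "mismatches:", find_mismatches(ROUTES, table, samples))
```

Running it shows 10.0.0.5 consistently classified and forwarded to L3Out-B under both tables, while 10.1.1.14 is forwarded to L3Out-A but classified as L3Out-B's pcTag 49155 until the external EPG subnet is narrowed to match the static route.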

3 Replies


Thank you Sergiu for clarifying this, "so packets will still be forwarded to L3Out A if the contract applied on the more specific external EPG allows communication"?

 

Appreciate all the efforts Sergiu!!

 

Regards

Rohan

That's correct. The zoning (contract enforcement) is decoupled from routing.

 

Stay safe,

Sergiu
