Looking for help regarding ACI L3out profile

Pradeep S
Level 1

Hi All Experts,

I am a beginner in ACI.

I am looking for a solution regarding ACI, I hope you will help in this regard.

In my scenario, I have one tenant with 5 BDs in a single VRF, and it communicates with the external network through an L3-Out which is connected to a FortiGate firewall. Now, as my FortiGate firewall migration is going on, I want to replace that firewall with a new one, but due to business criticality I cannot get full downtime.

Now the question is: can I create one more L3out profile with the same VRF in the tenant and move the BDs one by one by applying the new L3out to each BD towards my new firewall?

It will be very helpful if you respond to this. Eagerly waiting for your reply.


anirukas
Cisco Employee

Hi Pradeep,

You can definitely create a new L3out in the same VRF and associate it with the BDs which require external connectivity. This could be your interim L3out until work on the existing FortiGate is complete. One thing you have to keep in mind is the external EPG subnets. Since you are using the existing L3out in multiple BDs, most likely your current L3out will have an external EPG with network 0.0.0.0/0. Now, when you create the new L3out and assign it the same external network, your policy and/or traffic classification might not work. This is documented in: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html

So as a workaround, you can add specific subnets (usually the most important ones) in the new L3out so that you don't encounter traffic classification or policy issues.

Hope this helps!
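As an added illustration (not part of either post above), here is a small Python model of the classification problem anirukas describes: external EPG subnets are matched per VRF by longest prefix, so two L3outs that both carry 0.0.0.0/0 collide, while specific subnets on the new L3out resolve cleanly and everything else still falls to the old firewall. L3out names, EPG names and prefixes are constructed placeholders, not values from a real fabric.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: two L3outs in the same VRF, as in the thread.
# Each external EPG lists its classification subnets (ACI "External Subnets
# for External EPG"). Names are placeholders, not from a real fabric.
L3OUTS = {
    "L3out-FortiGate-old": {"vrf": "VRF1", "ext_epg": "extEPG-old", "subnets": ["0.0.0.0/0"]},
    "L3out-FortiGate-new": {"vrf": "VRF1", "ext_epg": "extEPG-new", "subnets": ["0.0.0.0/0"]},
}

def find_duplicate_subnets(l3outs):
    """Return {vrf: {subnet: [l3out, ...]}} for every subnet configured on more
    than one external EPG within the same VRF. Classification is per VRF, so an
    identical prefix on two L3outs makes the match ambiguous."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, cfg in l3outs.items():
        for s in cfg["subnets"]:
            seen[cfg["vrf"]][str(ipaddress.ip_network(s, strict=False))].append(name)
    return {vrf: {s: names for s, names in subs.items() if len(names) > 1}
            for vrf, subs in seen.items() if any(len(n) > 1 for n in subs.values())}

def classify(l3outs, vrf, ip):
    """Longest-prefix-match an external IP to an external EPG within a VRF.
    Returns (l3out, ext_epg) or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cfg in l3outs.items():
        if cfg["vrf"] != vrf:
            continue
        for s in cfg["subnets"]:
            net = ipaddress.ip_network(s, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name, cfg["ext_epg"])
    return None if best is None else (best[1], best[2])

def apply_workaround(l3outs, new_l3out, specific_subnets):
    """Replace the new L3out's 0.0.0.0/0 with specific prefixes, as the reply suggests."""
    fixed = {k: dict(v, subnets=list(v["subnets"])) for k, v in l3outs.items()}
    fixed[new_l3out]["subnets"] = list(specific_subnets)
    return fixed

if __name__ == "__main__":
    print("conflicts before:", find_duplicate_subnets(L3OUTS))
    fixed = apply_workaround(L3OUTS, "L3out-FortiGate-new", ["10.20.0.0/16", "203.0.113.0/24"])
    print("conflicts after:", find_duplicate_subnets(fixed))
    print("10.20.5.1 ->", classify(fixed, "VRF1", "10.20.5.1"))
    print("8.8.8.8   ->", classify(fixed, "VRF1", "8.8.8.8"))
```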