01-12-2022 07:36 AM - last edited on 01-14-2022 02:48 PM by Translator
Hello,
I'm working with a customer who has a pair of Nexus 9300 for a core switch. They have configured interface mgmt0 as vrf member management, and applied an IPv4 address. They have recently added Meraki MX to the environment to service their branch offices. They have configured their incoming VLANs on the Meraki MX250s with the address of the mgmt0 interface as the gateway. They also have configured a VLAN interface with addresses in the management subnet using hsrp, with a VIP of .1. So the subnet essentially lives in both the default vrf and the management vrf. I can do a "sh ip route" for the management IP inside and outside the vrf. Here is the output. The preference number is high on the VLAN, and zero on the management vrf. I don't like this setup, but since they do have some routes, I need some explanation of the preference, since the documentation lists 1-255 as the range for preference.
----
Please see attached
Any guidance would be appreciated. Thank you.
01-12-2022 12:16 PM
Hi there,
A route with an AD value of 250 is particular to the Nexus platform and is installed by the Adjacency Manager, denoted by the 'am' at the end of the output. This host route has most likely been installed by an ARP request.
cheers,
Seb.
01-12-2022 12:53 PM
Seb,
Thanks for the reply.
Am I to understand that the value of 250 then makes that route least favorite over the zero value found in the mgmt0 interface? I'm hoping to discourage using the same subnet as a management vrf and a production VLAN. They have configured static routes to terminate on the mgmt0 interface when they have the same subnet defined as a L2 VLAN using HSRP with a VIP of .1. The vrf is leaking routes, which doesn't seem necessary when they have production subnets they could use.
Steve
01-13-2022 01:58 AM
Hi there,
Your understanding of AD preference is correct, but remember they are installed in different route tables so a comparison between the two won't take place.
Whenever you redistribute routes between two different Layer3 domains, on the occasions where you have IP address overlap, NAT should be used between the two to hide this fact. Leaking between the two whilst keeping the overlap could certainly lead to unexpected behaviour.
cheers,
Seb.
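The point in the reply above, as an added example that is not part of the original thread: each VRF is its own route table, so a lookup never compares entries across VRFs, and an audit can flag prefixes that would collide if routes were leaked. The table contents, documentation-range addresses and the helper names `lookup` and `overlaps` are constructed for illustration; only the AD values 0 and 250 and the `am` source come from the thread.

```python
import ipaddress
from itertools import combinations

# Constructed sample: per-VRF route tables as (prefix, admin distance, source).
# Addresses are documentation-range placeholders, not the customer's.
TABLES = {
    "default": [
        ("192.0.2.0/24", 0, "direct"),     # VLAN interface subnet
        ("192.0.2.10/32", 250, "am"),      # host route from the Adjacency Manager
        ("198.51.100.0/24", 1, "static"),
    ],
    "management": [
        ("192.0.2.0/24", 0, "direct"),     # mgmt0 subnet
        ("0.0.0.0/0", 1, "static"),
    ],
}

def lookup(vrf, dest):
    """Best route for dest inside ONE VRF: longest prefix first, then lowest AD."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), ad, src) for p, ad, src in TABLES[vrf]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, ad, src = max(matches, key=lambda m: (m[0].prefixlen, -m[1]))
    return (str(net), ad, src)

def overlaps(tables):
    """Prefix pairs in different VRFs that overlap (default routes ignored)."""
    found = []
    for (v1, r1), (v2, r2) in combinations(sorted(tables.items()), 2):
        for p1, _, _ in r1:
            for p2, _, _ in r2:
                n1, n2 = ipaddress.ip_network(p1), ipaddress.ip_network(p2)
                if n1.prefixlen and n2.prefixlen and n1.overlaps(n2):
                    found.append((v1, p1, v2, p2))
    return found

if __name__ == "__main__":
    for vrf in TABLES:
        print(vrf, "->", lookup(vrf, "192.0.2.10"))
    for hit in overlaps(TABLES):
        print("overlap:", hit)
```

The same destination resolves differently depending on which VRF the lookup runs in, and every pair reported by `overlaps` is a prefix that needs NAT or renumbering before any leaking between the two tables.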
01-13-2022 07:52 AM
Seb,
Thank you so much. This will help make my case.
Steve