Solved: Issue Configuring L3 Handoff on second border node on same VLAN

techno.it · ‎11-21-2024

Hello Everyone,

We are building an SDA network with two separate border and control plane nodes ( collated both roles on same device) that are connected by BGP to a fusion firewall (Active/Standby). When DNAC configures the L3 border handoff, I provided manual /29 subnet between the Border Node and the external device. There is a L2 trunk between the border nodes and from each border node there is a L2 trunk towards the firewall. I want to use the same transit VLAN on both Border nodes for the connection with the firewall. BN1 and Firewall already have L3 handoff configured with VLANs 3001 for VRF-X. When attempting to create an L3 handoff between BN2 and Firewall using the same transit VLAN 3001, DNAC throws an error message "

"Layer 3 Handoff VLAN 3002 is already being used for another Layer 3 Handoff. Change the VLAN and retry."

Any suggestions what could be the issue?

Andrii Oliinyk · ‎11-22-2024

BGP. it will be similar to one u have on BN|CP#1 but with use of BN|CP#2 specific IPs.
Another option would be to fallback to double peering from FW side in 2 different VLANs (per BN|CP). Quick Q: does your FW A/S require unique IPs for A & S units per directly attached subnet? if so, then u have to stay with /29 per transfernet per BN|CP.

UPD: try to trick DNAC & provide dummy not used VLAN for the L3-handoff for BN|CP#2. May be even in different subnet & then via configuration preview grab stuff which DNAC prepared & discard L3-handoff workflow. then tweak collected config with IP's/VLANs u need & apply it manually

View solution in original post

Andrii Oliinyk · ‎11-21-2024

i've totally forgotten about this limitation of the DNAC. u need to configure L3-handoff on the BN|CP#2 manually.

Torbjørn · ‎11-22-2024

Alternatively you can use separate VLANs per border node.

Are your borders connected directly to your fusion nodes? If not you should keep in mind that STP could become an issue.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Andrii Oliinyk · ‎11-22-2024

he has intermediate L2-switch in the middle. it's exactly for the purpose to simplify BN|CP<>FN peering. STP has nothing to do with this issue. it's limitation of DNAC to produce multiple peering in the same L3-handoff VLAN.

Torbjørn · ‎11-23-2024

I agree that this mainly is a question regarding how to handle the handoff configuration.

I do however think @techno.it should account for STP when planning his handoff in this case. Convergence could be limited by STP if the L2 topology results in blocking ports, which sounds like it would be the case if there's L2 switching over the trunk between the border nodes. This can be avoided by either converting the link between the borders to routed links, or he could manually prune the VLANs such that there won't be any blocking ports in the STP topology. Please do correct me if you see something that I don't regarding this @Andrii Oliinyk.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Andrii Oliinyk · ‎11-23-2024

not sure it worth any discussing coz whatever L2 in the middle he will switch dedicated VLAN(s) with only 2 isls (per BN|CP) connected to vPC. do u think STP will block any of ports connected to FW & BN|CPs keeping in mind that BN|CPs have no isl between them?

Torbjørn · ‎11-23-2024

From the original post: "There is a L2 trunk between the border nodes and from each border node there is a L2 trunk towards the firewall. I want to use the same transit VLAN on both Border nodes for the connection with the firewall.". I interpret this as that the link between his borders are regular trunks carrying the handoff VLANs as well.

Assuming that the connected switch/another upstream switch being the root bridge for the handoff VLANs. Wouldn't this result in one of the ports on the link between the border nodes to be in blocking state during regular operation and rely on STP convergence in case of certain failure states? It might not matter for all I know, I might just be making faulty assumptions as I haven't tried configuring the handoff in this specific manner before.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Andrii Oliinyk · ‎11-23-2024

it seems to be worthless dispute. "Wouldn't this result in one of the ports on the link between the border nodes" - No, there is no L2 links between BN|CPs

Torbjørn · ‎11-23-2024

I misinterpreted the OP.
No L2 link = no issue. Thank you for clarifying!

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

techno.it · ‎11-22-2024

That's correct. We have Nexus vPC for L2 transit and making adjacency between Border and Fusion Firewall.

Kindly confirm and to be precise, what is the exact manual config needs to be done on borders to overcome this.

Andrii Oliinyk · ‎11-22-2024

BGP. it will be similar to one u have on BN|CP#1 but with use of BN|CP#2 specific IPs.
Another option would be to fallback to double peering from FW side in 2 different VLANs (per BN|CP). Quick Q: does your FW A/S require unique IPs for A & S units per directly attached subnet? if so, then u have to stay with /29 per transfernet per BN|CP.

UPD: try to trick DNAC & provide dummy not used VLAN for the L3-handoff for BN|CP#2. May be even in different subnet & then via configuration preview grab stuff which DNAC prepared & discard L3-handoff workflow. then tweak collected config with IP's/VLANs u need & apply it manually

Andrii Oliinyk · ‎11-23-2024

no issues. hopefully u will help me some day with API'ing SDA - i have a lot of challenges exactly there :0)

techno.it · ‎11-22-2024

Good idea @Andrii Oliinyk Thank you for the suggestion.

Thank you @Torbjørn for your inputs as well.