SD Access Edge nodes and endhosts do not receive external routes

Hello!

I have DNAC version 2.1.2.5 and an SD-Access fabric based on two C9300-48U switches: one is the border and control plane node, the other is the edge node.

I created one VN network USERS with one IP network and tried to configure routing with a server outside the fabric, but I have an issue. The border node receives routes via BGP in vrf:USERS (I can ping this server from the border node through vrf USERS), but a PC connected to the Edge cannot ping this server (the PC can only ping the default gateway and another PC in this subnet). I also can't reach the server from the Edge switch through VRF:USERS.

Fusion router receives route to network USERS in fabric via BGP normally.

My fabric was created with LAN automation, so I did not configure the edge device myself; all config was pushed to the Edge node by DNAC.

 

Some output from Edge device:

Switch-10-10-40-132#show ip route vrf USERS

-----//---------------------

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.52.0/23 is directly connected, Vlan1022
L 10.10.52.1/32 is directly connected, Vlan1022

Switch-10-10-40-132#show lisp locator-table vrf USERS
% Could not find matching router lisp in configuration.
Switch-10-10-40-132#

 

All devices are managed, in compliance.

Configuration screenshots of my DNAC are in the attached picture.

 

Maybe someone has an idea what's wrong? I'm not sure, but if the configuration is wrong, what is the way to correct it? Is it normal for DNAC to manually reconfig fabric devices?

 

Thank you!

 

 

 

2 Accepted Solutions

I'm assuming this SVI is an SVI in that particular VRF? This is not expected to work since these are also created on borders as loopbacks (read - https://www.theasciiconstruct.com/post/cisco-sda-part-ix-need-for-duplicate-ips-on-fabric-borders) and the border will consume it.


So, all issues were resolved when I upgraded the software on the border and Edge nodes and reloaded them. The problem with DHCP was on the DHCP server side, so now the endpoint receives address information successfully.

I still cannot find a way to check connectivity from the edge node to shared services outside the fabric. I think more research into LISP operation will help me.

Thank you so much!


7 Replies

balaji.bandi
Hall of Fame

Try from the control plane:

#show lisp site (are you able to see the host IP?)

#show ip route vrf USERS 

 

Note - do you have a policy in place (are you using ISE)?

 

BB


Hello! Thank you for your reply.

There is no ISE in my lab yet. I don't have policies ("no authentication" template) and am only trying to configure basic connectivity.

Show lisp site from the CP node: the host IP is in the table, in the EID prefix column. The server's subnet is also in the table.

 

CP&Border_node#show ip route vrf USERS

Routing Table: USERS
---//---

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 5 masks
B 10.10.40.0/22 [20/0] via 10.10.59.18, 17:36:30
B 10.10.52.0/23 [200/0], 00:05:10, Null0
C 10.10.52.1/32 is directly connected, Loopback1022
l 10.10.52.6/32 [250/1], 00:05:10, Null0                                     <-------- Endhost IP
---//---
B 172.25.50.0 [20/0] via 10.10.59.18, 17:36:30
B 172.25.110.0 [20/0] via 10.10.59.18, 17:36:30                       <-------- Server's subnet

 

Thank you for your assistance!

 

I updated the software on my switches to the latest recommended version and reloaded them. Now I can ping my server 172.25.110.2 from the endpoint attached to the edge node (I manually configured the IP and gateway on the endpoint).

But I still cannot ping this server from the EDGE. This server is the DHCP server, and as the edge node has the DHCP-relay function, my endpoint couldn't receive an address.

 

 

 

Edge_node#ping vrf USERS 172.25.110.2 source vlan 1022

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.25.110.2, timeout is 2 seconds:

Packet sent with a source address of 10.10.52.1

...

 

Configuration of edge and border is attached.

 

Thank you.

Hello, I have the same issue. From the PC I can ping the DHCP server, but from the Edge I can't. Did you figure out this issue?

Hi,

Were you able to fix the issue of not being able to reach an end host from another edge device? I am running into the same problem. I will appreciate a response. I have routes on the BN and I can get to hosts in different VNs from the BN, but the Edge node doesn't have any route, so that's why it is not working.
