Solved: How to create a multi-site L3out in ACI through NDO?

bmcgahan · ‎09-26-2023

I'm trying to create a "multi-site" L3out in ACI via the Nexus Dashboard, but I can't figure out what specific clicks in the GUI trigger the spines in one site to form VPNv4 BGP peerings with the spines in another site.

The docs that I'm reading say that you can create the L3out via the Nexus Dashboard, but then have to complete the config of the OSPF node profiles etc. via the APIC GUI.

I got it to the point where Site1 can use Site1_L3out, and Site2 can use Site2_L3out, but if Site1_L3out goes down I want it to failover to the IPN through the spines and use Site2_L3out, and vice versa.

I swear I had this working once, but now I can't figure out what steps I did in the GUI to trigger them to form VPNv4 in addition to the normal L2VPN EVPN peering.

I'm running NDO 2.3(2d) and APICs 5.2(6e).

Any suggestions?

Oliver Qiu · ‎10-10-2023

Hi @bmcgahan,

From NDO (Nexus Dashboard Orchestrator) release 4.1, you can setup new policies for creating and configuring L3Out for Cisco ACI fabrics. I see you are running NDO 2.3(2d), 2.3 I think that is ND (Nexus Dashboard) version, not NDO.

As you may already know, prior releases of NDO provided the ability to create an L3Out object in Application templates that allowed you to create an L3Out and deploy it to your site. However, the actual L3Out configurations had to be done manually by logging in to the sites' controllers (Cisco APIC) and providing the details for each L3Out individually.

If you are running NDO 4.1, you can find the below link,
https://www.cisco.com/c/en/us/td/docs/dcn/ndo/4x/configuration/cisco-nexus-dashboard-orchestrator-configuration-guide-aci-411/ndo-configuration-aci-use-case-l3out-411-41x.html

Thanks,
Oliver

View solution in original post

Oliver Qiu · ‎10-10-2023

Hi @bmcgahan,

From NDO (Nexus Dashboard Orchestrator) release 4.1, you can setup new policies for creating and configuring L3Out for Cisco ACI fabrics. I see you are running NDO 2.3(2d), 2.3 I think that is ND (Nexus Dashboard) version, not NDO.

As you may already know, prior releases of NDO provided the ability to create an L3Out object in Application templates that allowed you to create an L3Out and deploy it to your site. However, the actual L3Out configurations had to be done manually by logging in to the sites' controllers (Cisco APIC) and providing the details for each L3Out individually.

If you are running NDO 4.1, you can find the below link,
https://www.cisco.com/c/en/us/td/docs/dcn/ndo/4x/configuration/cisco-nexus-dashboard-orchestrator-configuration-guide-aci-411/ndo-configuration-aci-use-case-l3out-411-41x.html

Thanks,
Oliver

bmcgahan · ‎10-11-2023

Hi Oliver,

You're right, my NDO is 4.1.2h, the Dashboard itself is 2.3. I'll try the steps in that doc and see if it leads me anywhere.

Thanks for the reply!

bmcgahan · ‎10-12-2023

Hi Oliver,

That did work. You're correct, in 4.1 you don't need to use the APIC at all to configure the L3outs. My mistake was that I was using the L3out object under the Application Management > Schemas > Templates, when I should have been using the L3out object under Application Management > L3out Templates

Also, it turns out that associating the External EPG to the L3out is what triggers the Spines in one Site to negotiate BGP VPNv4/VPNv6 AFIs with the Spines in another Site. Technically the L3out won't function without the External EPG associated anyways, but behind the scenes, it seems to be this object association that triggers the new BGP AFIs to be negotiated. Like everything else in ACI, I'm not sure why, it just is...