External Layer 3 Network Connectivity
Cisco ACI refers to external Layer 3 connectivity as an L3Out, which lets you use standard Layer 3 technologies to connect the fabric to an external network. The peer can be an existing campus or data center network, a WAN router, a firewall, a mainframe, or any other Layer 3 device. The Layer 3 connection carries a routing exchange between the Cisco ACI fabric and the external router.
Three types of interface are supported on a border leaf switch for connecting to an external router:
- Layer 3 interface: Commonly used when each physical router interface is dedicated to a single VRF.
- Layer 3 subinterface with 802.1Q tagging: With subinterfaces, the same physical interface provides multiple connections. Commonly used when physical router interfaces are shared by multiple tenants or VRFs.
- Switched virtual interface (SVI): With an SVI, the same physical interface can carry both a Layer 2 outside connection and a Layer 3 outside connection. Commonly used to connect service devices such as firewalls and load balancers over a port channel or vPC, and to share the physical interfaces of those devices.
Cisco ACI supports Layer 3 connections using static routing (IPv4 and IPv6) or the following dynamic routing protocols:
- OSPFv2 (IPv4) and OSPFv3 (IPv6)
- BGP (IPv4 and IPv6)
- EIGRP (IPv4 and IPv6)
Route Propagation
Within the Cisco ACI fabric, MP-BGP runs between leaf and spine switches to propagate external routes inside the fabric. External routes are automatically redistributed into MP-BGP on the border leaf switches. BGP route reflectors are used so that a single fabric can scale to many leaf switches; you must specify which spine switches act as the MP-BGP route reflectors. All leaf and spine switches belong to a single BGP AS.
Advertising Internal Networks
By default, the scope of a bridge domain subnet is Private to VRF. To allow an internal network (a bridge domain subnet) to be propagated over an external Layer 3 connection, you must mark it as Advertised Externally (public).
In addition, the L3Outs through which the subnet may be advertised must be associated with the bridge domain, so the fabric administrator controls exactly which external networks receive each bridge domain subnet. In the example below, the border leaf starts advertising subnet 10.0.1.0/24 to the external router via OSPF_L3Out.
This example summarizes the route distribution with OSPFv2:
- MP-BGP peering is established automatically between leaf and spine switches as soon as the spine switches are configured as route reflectors.
- The ASBR border leaf redistributes bridge domain subnets into OSPF.
- The ASBR border leaf redistributes external OSPF routes into MP-BGP.
- MP-BGP propagates the external routes to every leaf switch on which the VRF is instantiated.
Transit Routing
Cisco ACI fabric supports transit routing, which enables border routers to perform bidirectional redistribution with other routing domains. Such redistribution lets the ACI fabric provide full IP connectivity between different routing domains. Doing so can also provide redundant connectivity by enabling backup paths between routing domains.
By default, the fabric accepts every route the external peers advertise through the routing protocol. Import route control lets you restrict the external routes the fabric will learn and use: the import filter selects a subset of the routes advertised by the external peers. Internally it is implemented as a route-map generated from the prefixes configured in the prefix-based EPG (the external EPG, also called the L3Out EPG). Set actions can also be attached to the import route-map.
You likewise select which subnets are advertised to external routers through an L3Out. These can be bridge domain subnets or external routes learned from another external router (transit). A default route can also be advertised to external routers if required.
Configuring External Layer 3 Networks
To configure an external Layer 3 network, you create an L3Out, enable MP-BGP route reflectors, configure a bridge domain to advertise its subnet, and add a contract between the L3Out external EPG and a normal EPG:
- Create an L3Out
  - Create the Routed Outside
  - Create a Node Profile
  - Create an Interface Profile
  - Create the External EPG (external network)
- Enable MP-BGP route reflectors
  - Mandatory for distributing external routes within the ACI fabric
- Configure a BD to advertise its subnet
  - Associate the L3Out with the bridge domain
  - Designate the subnet as Advertised Externally
- Configure a contract between the L3Out external EPG and an EPG
L3Out Configuration
L3Out is used to configure the interfaces, routing protocols, and protocol parameters that are necessary for IP connectivity to external routing devices.
The external network (external EPG) defines which external subnets use which contracts. When 0.0.0.0/0 is used as the classification subnet of an L3Out external EPG, every external source (all possible routes) is classified into that external EPG and uses its contracts. If only particular external subnets should belong to the external EPG, configure those more specific subnets instead. For example, if 10.0.0.0/24 is the classification subnet, only the 10.0.0.0/24 external network uses the contracts of that external EPG and is reachable only from the internal EPGs that share the same contract.
OSPF Peering Configuration
OSPF is one of the protocols you can run between Cisco ACI and an external router. Cisco ACI supports the common options: any OSPF area including the backbone, the various stub area types, neighbor authentication, and similar settings.
An L3Out must be associated with a VRF and an external routed domain. The external routed domain references a VLAN pool and, through an AAEP, the leaf interfaces on which the L3Out may be deployed. The VLAN pool matters only for subinterfaces and SVIs, which carry an 802.1Q encapsulation; a routed interface carries no VLAN tag.
EBGP Peering Configuration
You can use External Border Gateway Protocol (eBGP) to attach the Cisco ACI fabric to an outside domain. Besides the choice of peering interface, the L3Out configuration offers the usual set of BGP neighbor options, such as MD5 authentication, next-hop-self, and so on.
For example, the Local-AS feature hides the fabric's BGP AS number, which is shared with the infra MP-BGP process. As on a normal router, you can configure a local AS so that the border leaf presents a different AS number to its peer, which is useful when the external router cannot peer with the fabric AS number directly.
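The procedure above (L3Out with node and interface profiles, route reflectors, a public bridge domain subnet, and a contract), together with the OSPF and eBGP peering options, maps directly onto the APIC object model. The following Python script is an added example, not code from the page or from Cisco: it builds the REST payload for an L3Out called OSPF_L3Out with an OSPF area, an 802.1Q subinterface on leaf 101, an eBGP peer using MD5 authentication and the Local-AS option, an external EPG classified by 0.0.0.0/0, the bridge domain advertising 10.0.1.0/24, the contract, and the fabric BGP route reflector policy. Class and attribute names are the real APIC ones; the tenant, VRF, domain, interface, addresses, AS numbers and contract names are assumptions chosen for illustration.

```python
"""Added example: build the APIC REST payload for the L3Out procedure above.
Object class and attribute names are the APIC object model; tenant, VRF, domain,
interface, address, AS and contract values are assumptions for illustration."""
import json

def mo(cls, attributes, children=()):
    """One managed object in APIC JSON form: {cls: {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}

TENANT, VRF, BD = "demo", "prod", "web-bd"      # assumed names
L3OUT, CONTRACT = "OSPF_L3Out", "web-to-ext"   # L3Out name as used on the page

def build_l3out():
    """L3Out: VRF and L3 domain binding, OSPF/BGP enable, node profile,
    interface profile with an eBGP peer, and one external EPG."""
    bgp_peer = mo("bgpPeerP",
                  {"addr": "192.168.1.2/30", "password": "s3cret-md5", "ttl": "1"},  # MD5 auth
                  [mo("bgpAsP", {"asn": "65001"}),  # remote AS
                   # Local-AS: present 65100 to the peer instead of the fabric AS
                   mo("bgpLocalAsnP", {"localAsn": "65100", "asnPropagate": "none"})])
    path = mo("l3extRsPathL3OutAtt",
              {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]",
               "ifInstT": "sub-interface", "encap": "vlan-100",   # 802.1Q subinterface
               "addr": "192.168.1.1/30", "mtu": "9000"},
              [bgp_peer])
    if_profile = mo("l3extLIfP", {"name": "ifp-101"},
                    [path, mo("ospfIfP", {}, [mo("ospfRsIfPol", {"tnOspfIfPolName": "p2p"})])])
    node_profile = mo("l3extLNodeP", {"name": "nodep-101"},
                      [mo("l3extRsNodeL3OutAtt", {"tDn": "topology/pod-1/node-101",
                                                  "rtrId": "10.255.0.101", "rtrIdLoopBack": "no"}),
                       if_profile])
    ext_epg = mo("l3extInstP", {"name": "ext-all"},
                 [mo("l3extSubnet", {"ip": "0.0.0.0/0", "scope": "import-security"}),  # classifier only
                  mo("fvRsCons", {"tnVzBrCPName": CONTRACT})])
    return mo("l3extOut", {"name": L3OUT, "enforceRtctrl": "export"},
              [mo("l3extRsEctx", {"tnFvCtxName": VRF}),
               mo("l3extRsL3DomAtt", {"tDn": "uni/l3dom-wan"}),
               mo("ospfExtP", {"areaId": "0.0.0.1", "areaType": "regular",
                               "areaCtrl": "redistribute,summary"}),
               mo("bgpExtP", {}),
               node_profile, ext_epg])

def build_bd():
    """Bridge domain whose subnet is advertised through the L3Out: scope 'public' plus the L3Out association."""
    return mo("fvBD", {"name": BD},
              [mo("fvRsCtx", {"tnFvCtxName": VRF}),
               mo("fvSubnet", {"ip": "10.0.1.1/24", "scope": "public"}),   # 10.0.1.0/24 advertised externally
               mo("fvRsBDToOut", {"tnL3extOutName": L3OUT})])

def build_contract_and_epg():
    """HTTPS-only contract provided by the internal EPG and consumed by the external EPG above."""
    contract = mo("vzBrCP", {"name": CONTRACT, "scope": "context"},
                  [mo("vzSubj", {"name": "web"},
                      [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "https"})])])
    web_filter = mo("vzFilter", {"name": "https"},
                    [mo("vzEntry", {"name": "tcp443", "etherT": "ip", "prot": "tcp",
                                    "dFromPort": "443", "dToPort": "443"})])
    epg = mo("fvAp", {"name": "app"},
             [mo("fvAEPg", {"name": "web"},
                 [mo("fvRsBd", {"tnFvBDName": BD}), mo("fvRsProv", {"tnVzBrCPName": CONTRACT})])])
    return [contract, web_filter, epg]

def build_route_reflectors(fabric_asn="65000", spine_ids=("201", "202")):
    """Fabric-level MP-BGP policy (posted under uni/fabric): fabric AS and the spines acting
    as route reflectors. The pod policy group must reference this policy for it to take effect."""
    return mo("bgpInstPol", {"name": "default"},
              [mo("bgpAsP", {"asn": fabric_asn}),
               mo("bgpRRP", {}, [mo("bgpRRNodePEp", {"id": s}) for s in spine_ids])])

def tenant_payload():
    """Whole tenant subtree: L3Out, bridge domain, contract, filter and application EPG."""
    return mo("fvTenant", {"name": TENANT}, [build_l3out(), build_bd(), *build_contract_and_epg()])

def find(tree, cls):
    """Yield the attribute dict of every object of class cls in an APIC JSON tree."""
    for name, body in tree.items():
        if name == cls:
            yield body["attributes"]
        for child in body.get("children", []):
            yield from find(child, cls)

if __name__ == "__main__":
    # POST tenant_payload() to https://<apic>/api/mo/uni.json and build_route_reflectors()
    # to https://<apic>/api/mo/uni/fabric.json using an authenticated APIC session.
    print(json.dumps(tenant_payload(), indent=2))
```

The two payloads are posted separately because the route reflector policy lives under the fabric tree, not under the tenant; the `find` helper walks the tree so that a change-control script can confirm, before posting, that the bridge domain subnet really carries the `public` scope and that the external EPG's consumed contract is the one the internal EPG provides.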
External Network EPG Configuration
You can define one or more external IP networks to represent the L3Out EPG. 0.0.0.0/0 designates all networks reachable through the Layer 3 outside connection.
You should set the scope to External Subnets for the External EPG, which is the default setting.
The following are the most relevant settings:
- Export Route Control Subnet: Controls which subnets are advertised out of the fabric. This scope is mainly used for transit routing.
- Import Route Control Subnet: Controls which external subnets are allowed into the fabric. Supported for BGP and OSPF, but not for EIGRP. This scope takes effect only when import route control enforcement is enabled on the L3Out via the Route Control Enforcement option.
- Shared Route Control Subnet: Controls which external subnets are advertised to other VRFs for a shared L3Out (VRF route leaking with L3Out).
- External Subnets for the External EPG: The classifier for the external EPG. Traffic from the subnet defined with this scope belongs to this external EPG and uses its contracts. Note that this classification is not limited to the L3Out it is configured under; it is VRF-wide. For example, if 10.0.0.0/8 is learned via L3Out A but 10.0.0.0/8 is configured with this scope in an external EPG of L3Out B in the same VRF, traffic from 10.0.0.0/8 uses the contracts of the EPG in L3Out B.
- Shared Security Import Subnet: Configures the classifier for the external subnets in the VRF into which the routes are leaked for a shared L3Out (VRF route leaking with L3Out).
External Subnets for the External EPG
The "External Subnets for the External EPG" scope defines the subnets that are classified into the external EPG. It does not affect routing; it is purely for contract application. The classification is per VRF even though it is configured under an L3Out, because contracts are enforced at the VRF level. Consequently, if a subnet is configured with the "External Subnets for the External EPG" scope on L3Out-1 and traffic whose source address matches that subnet arrives from an L3Out-2 router, the traffic is still classified into the external EPG of L3Out-1, not L3Out-2.
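The scope semantics described in this section and in the import/export discussion under Transit Routing are easy to get wrong in a change review, because the same check box list mixes contract classification with route control. The following Python model is an added example, not from the page or from Cisco, that evaluates the three most common scopes the way the fabric does: "External Subnets for the External EPG" as a VRF-wide longest-prefix-match classifier (so a source arriving on L3Out-A can land in L3Out-B's external EPG), and Export/Import Route Control as exact-prefix matches unless the Aggregate flag is set. The scope strings are the APIC attribute values behind the GUI check boxes; the EPGs, L3Out names, prefixes and routes are constructed sample data.

```python
"""Added example: how the l3extSubnet scopes on an external EPG are evaluated.
The scope strings are the APIC values behind the GUI check boxes; the EPGs, L3Out
names and routes below are constructed sample data, not from the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPORT_SECURITY = "import-security"   # "External Subnets for the External EPG"
EXPORT_RTCTRL = "export-rtctrl"       # "Export Route Control Subnet"
IMPORT_RTCTRL = "import-rtctrl"       # "Import Route Control Subnet"

@dataclass
class ExtSubnet:
    prefix: str
    scope: set                 # subset of the scope values above
    aggregate: bool = False    # "Aggregate Export/Import": match everything inside the prefix

@dataclass
class ExtEPG:
    name: str
    l3out: str
    vrf: str
    subnets: list

def classify(epgs, vrf, src_ip):
    """External EPG a packet with source src_ip is classified to in vrf, for contract lookup.
    Longest prefix match over every import-security subnet in the VRF, whichever L3Out the
    packet came in on. None means no external EPG matched, so no contract applies."""
    ip = ip_address(src_ip)
    owner = {}                 # prefix -> EPG name, to catch the same subnet in two EPGs
    best, best_len = None, -1
    for epg in epgs:
        if epg.vrf != vrf:
            continue
        for s in epg.subnets:
            if IMPORT_SECURITY not in s.scope:
                continue
            if owner.setdefault(s.prefix, epg.name) != epg.name:
                raise ValueError(f"{s.prefix} classified to both {owner[s.prefix]} and {epg.name} in VRF {vrf}")
            net = ip_network(s.prefix)
            if ip in net and net.prefixlen > best_len:
                best, best_len = epg, net.prefixlen
    return best.name if best else None

def _matches(subnets, scope, route):
    """Route-map match for a route control scope: exact prefix, or any prefix inside
    the configured subnet when the aggregate flag is set."""
    r = ip_network(route)
    for s in subnets:
        if scope not in s.scope:
            continue
        n = ip_network(s.prefix)
        if r == n or (s.aggregate and r.subnet_of(n)):
            return True
    return False

def exported_routes(epg, candidates):
    """Transit routing: which externally learned routes this L3Out advertises back out.
    Bridge domain subnets are not decided here; they follow the BD's 'public' scope and L3Out association."""
    return [r for r in candidates if _matches(epg.subnets, EXPORT_RTCTRL, r)]

def imported_routes(epg, learned, import_enforced):
    """Default (import enforcement off): every learned route is installed in the VRF.
    With enforcement on, only routes matching an import-rtctrl subnet survive."""
    if not import_enforced:
        return list(learned)
    return [r for r in learned if _matches(epg.subnets, IMPORT_RTCTRL, r)]

# Constructed sample: two L3Outs in the same VRF, as in the 10.0.0.0/8 example above.
EPGS = [
    ExtEPG("ext-all", "L3Out-A", "prod", [ExtSubnet("0.0.0.0/0", {IMPORT_SECURITY})]),
    ExtEPG("ext-partner", "L3Out-B", "prod", [
        ExtSubnet("10.0.0.0/8", {IMPORT_SECURITY}),
        ExtSubnet("172.16.0.0/12", {EXPORT_RTCTRL}, aggregate=True),
        ExtSubnet("192.168.50.0/24", {EXPORT_RTCTRL}),
        ExtSubnet("10.1.0.0/16", {IMPORT_RTCTRL}),
    ]),
]

if __name__ == "__main__":
    # A packet from 10.0.0.5 arriving on L3Out-A still uses ext-partner's contracts.
    print(classify(EPGS, "prod", "10.0.0.5"), classify(EPGS, "prod", "8.8.8.8"))
    partner = EPGS[1]
    print(exported_routes(partner, ["172.16.5.0/24", "192.168.50.0/24", "192.168.50.0/25"]))
    print(imported_routes(partner, ["10.1.0.0/16", "10.2.0.0/16"], import_enforced=True))
```

Two points worth noticing when running it: a 0.0.0.0/0 classifier in one L3Out silently hands every external source in the VRF, including those of other L3Outs, to that EPG's contracts unless a more specific subnet claims them elsewhere; and an export subnet without the aggregate flag advertises only the exact prefix, so a 192.168.50.0/25 route learned from a transit peer is not re-advertised by the 192.168.50.0/24 entry. The same-prefix check raises because the fabric likewise refuses to classify one subnet into two external EPGs of a VRF.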