Transit Routing via L3OUT


The Cisco APIC software supports external Layer 3 connectivity with OSPF (NSSA) and Internal Border Gateway Protocol. The fabric advertises the tenant’s bridge domain subnets out to the external routers on the External Layer 3 Outside (L3Out) connections. The routes that are learned from the external routers are not advertised to other external routers.

No matter how many L3Outs ACI had, communication was always between an internal EPG and an L3Out, never between one L3Out connection and another.

Starting with APIC release 1.1, ACI introduced the capability to be a transit network by allowing communication between two L3Outs. This functionality is called transit routing. In transit routing, multiple L3Out connections within a tenant and VRF are supported, and the APIC advertises the routes that are learned from one L3Out connection to another L3Out connection. The external Layer 3 domains peer with the fabric on the border leaf switches. The fabric is a transit Multiprotocol-Border Gateway Protocol (MP-BGP) domain between the peers. Transit routing requires two elements. One is to advertise external routes that are learned from one L3Out to another, typically referred to as “export.” The other is to apply a contract between the two L3Outs.

The two simple and recommended ways to export the external routes (advertise the external routes from one L3Out to another) are the following:

  • "default-export" route profile with a prefix-list in the L3Out
  • Export Route Control Subnet scope with L3Out subnets in the L3Out EPG

In this scenario, the router in the legacy network (on the right in the picture) needs to communicate to the 172.16.1.0/30 subnet behind the router in the partner network (on the left in the picture) through the Cisco ACI fabric. This scenario is the transit routing between L3Out Legacy and L3Out Partner.

The Cisco ACI fabric needs to advertise (export) 172.16.1.0/30 that is learned from L3Out Partner to L3Out Legacy. The export configuration is performed on L3Out Legacy that advertises and exports out the subnet. The following are the two export configuration examples:

Option 1: "default-export" Route Profile

In Cisco ACI, there are many ways to configure and use route profiles (route-map). For transit routing, the recommended configuration with a route profile (route-map) is to use "default-export" with Type "Match Routing Only" and prefix-lists. Here, routing protocol controls are solely with the route-map "default-export" and no L3Out subnets under the External EPG (L3Out EPG) should be configured with the scope "Export Route Control Subnet." The L3Out subnets, in this case, are used only to apply contracts with "External Subnets for the External EPG."

In this example, Cisco ACI is configured to advertise 172.16.100.100/32 and 172.16.1.0/30, which should be learned from other L3Outs, to L3Out BGP.

Note that, unlike route profiles with custom names, the “default-export” route profile takes effect on the L3Out without being associated with an L3Out EPG or subnets.

Option 2: "Export Route Control Subnet" Scope with L3Out Subnets

Another option is to use the scope "Export Route Control Subnet" with L3Out subnets in the L3Out EPG. This configuration is very simple and designed to reflect the intent directly without going through the traditional route-map configuration.

With either the Option 1 or the Option 2 export configuration, the external route 172.16.1.0/30 learned from L3Out Partner is advertised to L3Out Legacy. For mutual communication, the export configuration also needs to be done in L3Out Partner for the subnet from L3Out Legacy (x.x.x.x/y).
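
An added example, not from the original page or from Cisco: a Python audit of an Option 2 configuration that checks each exported prefix is also classified for contracts ("External Subnets for the External EPG") on another L3Out, and that the return direction is exported too. The sample data is constructed in the shape of APIC `l3extOut` / `l3extInstP` / `l3extSubnet` objects; the L3Out and EPG names and 192.0.2.0/24 (a stand-in for x.x.x.x/y) are assumptions, and prefixes advertised through a "default-export" route profile (Option 1) are not covered.

```python
import ipaddress

def subnet_obj(ip, scope):
    return {"l3extSubnet": {"attributes": {"ip": ip, "scope": scope}}}

def l3out_obj(name, subnets):
    epg = {"l3extInstP": {"attributes": {"name": name + "-epg"}, "children": subnets}}
    return {"l3extOut": {"attributes": {"name": name}, "children": [epg]}}

# Constructed sample: Legacy exports the partner prefix, Partner exports nothing.
# L3Out/EPG names are assumed; 192.0.2.0/24 stands in for the page's x.x.x.x/y.
SAMPLE = [
    l3out_obj("Legacy", [subnet_obj("172.16.1.0/30", "export-rtctrl"),
                         subnet_obj("192.0.2.0/24", "import-security")]),
    l3out_obj("Partner", [subnet_obj("172.16.1.0/30", "import-security")]),
]

def scoped(l3outs, flag):
    """Return [(l3out_name, network)] for L3Out subnets whose scope includes flag."""
    found = []
    for obj in l3outs:
        out = obj["l3extOut"]
        for epg in out.get("children", []):
            for child in epg.get("l3extInstP", {}).get("children", []):
                attrs = child.get("l3extSubnet", {}).get("attributes")
                if attrs and flag in attrs["scope"].split(","):
                    net = ipaddress.ip_network(attrs["ip"], strict=False)
                    found.append((out["attributes"]["name"], net))
    return found

def covers(wide, net):
    """True when net falls inside wide (same address family only)."""
    return wide.version == net.version and net.subnet_of(wide)

def audit_transit(l3outs):
    """Check export scope, contract classification and the return path."""
    exports = scoped(l3outs, "export-rtctrl")        # Export Route Control Subnet
    classified = scoped(l3outs, "import-security")   # External Subnets for the External EPG
    findings = []
    for out, net in exports:
        # Other L3Outs that classify this prefix, so a contract can apply to it
        sources = sorted({o for o, c in classified if o != out and covers(c, net)})
        if not sources:
            findings.append(f"{out}: exports {net}, but no other L3Out classifies it")
        for src in sources:
            # Mutual communication: src must export a prefix that `out` classifies
            back = any(o == src and co == out and covers(c, n)
                       for o, n in exports for co, c in classified)
            if not back:
                findings.append(f"{src}: exports nothing learned from {out}; one-way")
    return findings
```

On the constructed sample, `audit_transit(SAMPLE)` reports that L3Out Partner has no export for the legacy subnet, which is the missing half of the mutual configuration described above.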

