
ACI L3Out


  • Originally Written: November, 2023

Info

This post uses the Nexus as Code (NaC) project, which makes it very easy to configure ACI fabrics through a YAML file. More details and examples can be found at https://developer.cisco.com/docs/nexus-as-code/#!aci-introduction

Basic L3Out with Floating SVI

I use this configuration to set up a basic OSPF peering between the ACI fabric and a virtual router/firewall in a vSphere cluster. I'm using a virtual ASA in my lab.

I'm using a floating SVI instead of a regular SVI as it cuts down the configuration. VLAN 500 is configured as the ACI encap and on the vSphere port group. Since the port group applies the VLAN tag, the router can use a standard interface, i.e. I don't configure VLAN 500 on the router.

Floating SVIs simplify the configuration because they use the Virtual Machine Manager (VMM) integration between ACI and VMware. Rather than configuring individual paths to each vSphere host, I just select the vCenter and it creates a port group automatically with VLAN 500. The relevant configuration is below; the peering on the virtual router is to the floating_ip.

paths:
    - vmware_vmm_domain: ucsc-c220m5-vds-01
      floating_ip: 172.16.100.3/24

For more information on floating SVIs see the following link.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/all/floating-l3outs/simplify-outside-network-connections-using-floating-l3outs.html

192.168.100.0 is a bridge domain subnet on the ACI fabric.

192.168.101.0 and 172.16.102.0 are behind the firewall, i.e. not connected to the ACI fabric.

Relevant vASA configuration

APIC UI and the corresponding Nexus as Code configuration

Configuration
---
apic:
  tenants:
    - name: conmurph
      managed: false

      l3outs:

        - name: floating-l3out-to-firewall
          vrf: vrf-01
          domain: conmurph.vrf-01
          ospf:
            area: 0
            area_type: regular

          node_profiles:
            - name: border-leafs
              nodes:
                - node_id: 101
                  router_id: 101.2.1.1
                - node_id: 102
                  router_id: 102.2.1.1

              interface_profiles:
                - name: ucsc-c220m5-vds-01
                  ospf:
                    policy: floating-l3out-to-firewall

                  interfaces: # floating SVI
                    - node_id: 101
                      vlan: 500
                      floating_svi: true
                      ip: 172.16.100.1/24
                      paths:
                        - vmware_vmm_domain: ucsc-c220m5-vds-01
                          floating_ip: 172.16.100.3/24
                    - node_id: 102
                      vlan: 500
                      floating_svi: true
                      ip: 172.16.100.2/24
                      paths:
                        - vmware_vmm_domain: ucsc-c220m5-vds-01
                          floating_ip: 172.16.100.3/24

          external_endpoint_groups:
            - name: all-ext-subnets
              subnets:
                - prefix: 0.0.0.0/1
                - prefix: 128.0.0.0/1

          export_route_map:
            contexts:
              - name: migrated-subnets
                match_rule: match-migrated-subnets

      policies:
        match_rules:
          - name: match-migrated-subnets
            prefixes:
              - ip: 192.168.100.0/24

        ospf_interface_policies:
          - name: floating-l3out-to-firewall
            network_type: bcast
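As an added example (not code from the post or from the Nexus as Code project), a small pre-deployment check over the L3Out data above. It assumes the YAML is available as an equivalent Python dict (embedded here, constructed from the post's configuration; on a real file use yaml.safe_load) and takes the set of fabric bridge-domain subnets from the post. It flags dangling policy references, a floating IP that does not belong to the SVI subnet, and an export prefix that is not a fabric subnet, the mistake that would leak a route the L3Out was never meant to advertise.

```python
import ipaddress

# Constructed from the L3Out YAML in the post (same keys, as a Python dict).
L3OUT = {
    "name": "floating-l3out-to-firewall",
    "node_profiles": [{
        "nodes": [{"node_id": 101, "router_id": "101.2.1.1"},
                  {"node_id": 102, "router_id": "102.2.1.1"}],
        "interface_profiles": [{
            "name": "ucsc-c220m5-vds-01",
            "ospf": {"policy": "floating-l3out-to-firewall"},
            "interfaces": [
                {"node_id": 101, "vlan": 500, "floating_svi": True, "ip": "172.16.100.1/24",
                 "paths": [{"vmware_vmm_domain": "ucsc-c220m5-vds-01", "floating_ip": "172.16.100.3/24"}]},
                {"node_id": 102, "vlan": 500, "floating_svi": True, "ip": "172.16.100.2/24",
                 "paths": [{"vmware_vmm_domain": "ucsc-c220m5-vds-01", "floating_ip": "172.16.100.3/24"}]},
            ]}]}],
    "export_route_map": {"contexts": [{"name": "migrated-subnets", "match_rule": "match-migrated-subnets"}]},
}
POLICIES = {
    "match_rules": [{"name": "match-migrated-subnets", "prefixes": [{"ip": "192.168.100.0/24"}]}],
    "ospf_interface_policies": [{"name": "floating-l3out-to-firewall", "network_type": "bcast"}],
}
BD_SUBNETS = {"192.168.100.0/24"}  # subnets that live on the fabric, per the post


def lint_l3out(l3out, policies, bd_subnets):
    """Return a list of findings; an empty list means the L3Out passed."""
    findings = []
    match_rules = {m["name"]: m for m in policies["match_rules"]}
    ospf_pols = {p["name"] for p in policies["ospf_interface_policies"]}
    for prof in l3out["node_profiles"]:
        for ip in prof["interface_profiles"]:
            if ip["ospf"]["policy"] not in ospf_pols:  # dangling reference: no OSPF policy applied
                findings.append(f"ospf policy {ip['ospf']['policy']} is undefined")
            for intf in ip["interfaces"]:
                svi = ipaddress.ip_interface(intf["ip"])
                for path in intf["paths"]:
                    fip = ipaddress.ip_interface(path["floating_ip"])
                    # the floating IP must sit in the SVI subnet and must not collide with a node IP
                    if fip.network != svi.network or fip.ip == svi.ip:
                        findings.append(f"floating ip {fip} not usable with SVI {svi}")
    for ctx in l3out["export_route_map"]["contexts"]:
        rule = match_rules.get(ctx["match_rule"])
        if rule is None:
            findings.append(f"context {ctx['name']} references missing match rule")
            continue
        for p in rule["prefixes"]:  # only fabric subnets should leave via this L3Out
            if p["ip"] not in bd_subnets:
                findings.append(f"export of {p['ip']} is not a fabric bridge-domain subnet")
    return findings
```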

Checking the connection

Advertising Routes

Once the peering is configured there are a few ways in ACI to advertise routes externally. In this example the 192.168.100.0 subnet, which exists on the ACI fabric, will be advertised. Two of the options are shown below.

  • Option 1: Associating the L3Out to the bridge domain is straightforward in the GUI.

  • Option 2: If using Nexus as Code I prefer the default-export route map method, as it allows the configuration that advertises the routes to live in the same file/folder as the rest of the L3Out configuration. This lets you separate the L3Out config from the bridge domain and EPG configuration. See the Terraform Design Considerations for Cisco ACI post for reasons you may want to do this.

Option 1: Associate the L3Out to the bridge domain

  • First navigate to the bridge domain subnet you wish to advertise. In this example it's 192.168.100.0.

  • Make sure the Advertise externally checkbox is selected for the bridge domain subnet.

  • Next click the + button in the Associated L3Outs box and select the L3Out to which you want to advertise the subnet.

Option 2: default-export route map

  • First navigate to the bridge domain subnet you wish to advertise. In this example it's 192.168.100.0.

  • Make sure the Advertise externally checkbox is selected for the bridge domain subnet.

  • If you're configuring through the UI, right-click on the Route map for import and export route control folder in the L3Out configuration.
  • Use the drop-down menu to select the name as default-export under the L3Out configuration.
  • As per the following document, when an explicit prefix list is used, the type of the route profile should be set to match routing policy only.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/l3-configuration/cisco-apic-layer-3-networking-configuration-guide-60x/route-control-layer3-config-60x.html

  • In this example I'm just advertising a single bridge domain prefix, so this is added to the match rule.

Confirming it's working

  • Confirm on the firewall/router that you see the 192.168.100.0 subnet, which exists on the ACI fabric.
  • Confirm on the ACI fabric that you see the 192.168.101.0 and 172.16.102.0 subnets, which exist behind the firewall/router.
