Node and Interface for L3Out

Modifying Interfaces for L3Out

Modifying Interfaces for L3Out Using the GUI

This procedure modifies an L3Out interface.


Note


The steps for filling out the fields are not necessarily listed in the same order that you see them in the GUI.


Before you begin

  • The Cisco ACI fabric is installed, the Cisco APICs are online, and the Cisco APIC cluster is formed and healthy.

  • A Cisco APIC fabric administrator account is available that enables creating the necessary fabric infrastructure configurations.

  • The target leaf switches are registered in the Cisco ACI fabric and available.

  • Port channels are configured when port channels are used for L3Out interfaces.

Procedure


Step 1

On the menu bar, choose Tenants > All Tenants.

Step 2

In the Work pane, double-click the tenant's name.

Step 3

In the Navigation pane, expand tenant_name > Networking > L3Outs > L3Out > Logical Node Profiles > node_profile > Logical Interface Profiles and choose the profile that you want to modify.

Step 4

Choose an interface type tab: Routed Sub-Interfaces, Routed Interfaces, SVI, or Floating SVI.

Step 5

Double-click an existing interface to modify it, or click the Create (+) button to add a new interface to the logical interface profile.

Step 6

For interface types other than floating SVI, perform the following substeps:

  1. To add a new interface in the Path Type field, choose the appropriate path type.

    For the routed sub-interface and routed interface types, choose Port or Direct Port Channel. For the SVI interface type, choose Port, Direct Port Channel, or Virtual Port Channel.

  2. In the Node drop-down list, choose a node.

    Note

    This step applies only to the non-port channel path types. If you selected Port as the Path Type, perform this step. Otherwise, proceed to the next step.

  3. In the Path drop-down list, choose the interface ID or the port channel name.

    An example of an interface ID is eth 1/1. The port channel name is the interface policy group name for each direct or virtual port channel.

Step 7

For the floating SVI interface type, in the Anchor Node drop-down list, choose a node.

Step 8

(Optional) In the Description field, enter a description of the L3Out interface.

Step 9

For the routed sub-interfaces, SVI, and floating SVI interface types, in the Encap drop-down list, choose VLAN and enter an integer value for this entry.

Step 10

For the SVI and floating SVI interface types, perform the following substeps:

  1. For the Encap Scope buttons, choose the scope of the encapsulation used for the Layer 3 Outside profile.

    • VRF: Use the same transit VLAN in all Layer 3 Outsides in the same VRF instance for a given VLAN encapsulation. This is a global value.

    • Local: Use a unique transit VLAN per Layer 3 Outside.

  2. For the Auto State buttons, choose whether to enable or disable this feature.

    • disabled: The SVI or floating SVI remains active even if no interfaces are operational in the corresponding VLANs.

    • enabled: When a VLAN interface has multiple ports in the VLAN, the SVI or floating SVI goes to the down state when all the ports in the VLAN go down.

  3. For the Mode buttons, choose the VLAN tagging mode.

Step 11

In the IPv4 Primary / IPv6 Preferred Address field, enter the primary IP addresses of the path attached to the Layer 3 outside profile.

Step 12

In the IPv4 Secondary / IPv6 Additional Addresses table, click the + to enter the secondary IP addresses of the path attached to the Layer 3 outside profile.

Step 13

(Optional) In the Link-local Address field, enter an IPv6 link-local address. This is the override of the system-generated IPv6 link-local address.

Step 14

In the MAC Address field, enter the MAC address of the path attached to the Layer 3 outside profile.

Step 15

In the MTU (bytes) field, set the maximum transmission unit of the external network. The range is 576 to 9216. To inherit the value, enter inherit in the field.

Step 16

In the Target DSCP drop-down list, choose the target differentiated services code point (DSCP) of the path attached to the Layer 3 outside profile.

Step 17

Click Submit.


Customizing SVI for L3Out

SVI External Encapsulation Scope

About SVI External Encapsulation Scope

In the context of a Layer 3 Out configuration, a switch virtual interface (SVI) is configured to provide connectivity between the ACI leaf switch and a router.

By default, when a single Layer 3 Out is configured with SVI interfaces, the VLAN encapsulation spans multiple nodes within the fabric. This happens because the ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes in the fabric where the Layer 3 Out SVI is deployed as long as all SVI interfaces use the same external encapsulation (SVI) as shown in the figure.

However, when different Layer 3 Outs are deployed, the ACI fabric uses different bridge domains even if they use the same external encapsulation (SVI) as shown in the figure:

Figure 1. Local Scope Encapsulation and One Layer 3 Out
Figure 2. Local Scope Encapsulation and Two Layer 3 Outs

Starting with Cisco APIC release 2.3, you can choose the behavior when deploying two (or more) Layer 3 Outs using the same external encapsulation (SVI).

The encapsulation scope can now be configured as Local or VRF:

  • Local scope (default): The example behavior is displayed in the figure titled Local Scope Encapsulation and Two Layer 3 Outs.

  • VRF scope: The ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes and Layer 3 Out where the same external encapsulation (SVI) is deployed. See the example in the figure titled VRF Scope Encapsulation and Two Layer 3 Outs.

Figure 3. VRF Scope Encapsulation and Two Layer 3 Outs

Encapsulation Scope Syntax

The options for configuring the scope of the encapsulation used for the Layer 3 Out profile are as follows:

  • Ctx: The same external SVI is used in all Layer 3 Outs in the same VRF for a given VLAN encapsulation. This is a global value.

  • Local: A unique external SVI is used per Layer 3 Out. This is the default value.

The mapping among the CLI, API, and GUI syntax is as follows:

Table 1. Encapsulation Scope Syntax

| CLI   | API   | GUI   |
|-------|-------|-------|
| l3out | local | Local |
| vrf   | ctx   | VRF   |


Note


The CLI commands to configure encapsulation scope are only supported when the VRF is configured through a named Layer 3 Out configuration.


Guidelines for SVI External Encapsulation Scope

To use SVI external encapsulation scope, follow these guidelines:

  • If deploying the Layer 3 Outs on the same node, the OSPF areas in both the Layer 3 Outs must be different.

  • If deploying the Layer 3 Outs on the same node, the BGP peer configured on both the Layer 3 Outs must be different.

Configuring SVI External Encapsulation Scope Using the GUI

Before you begin

  • The tenant and VRF are configured.

  • An L3Out is configured and a logical node profile under the L3Out is configured.

Procedure


Step 1

On the menu bar, click Tenants > Tenant_name.

Step 2

In the Navigation pane, click Networking > L3Outs > L3Out_name > Logical Node Profiles > LogicalNodeProfile_name > Logical Interface Profiles.

Step 3

In the Navigation pane, right-click Logical Interface Profiles, and click Create Interface Profile.

Step 4

In the Create Interface Profile dialog box, perform the following actions:

  1. In the Step 1 Identity screen, in the Name field, enter a name for the interface profile.

  2. In the remaining fields, choose the desired options, and click Next.

  3. In the Step 2 Protocol Profiles screen, choose the desired protocol profile details, and click Next.

  4. In the Step 3 Interfaces screen, click the SVI tab, and click the + icon to open the Select SVI dialog box.

  5. In the Specify Interface area, choose the desired values for the various fields.

  6. In the Encap Scope field, choose the desired encapsulation scope value. Click OK.

    The default value is Local.


The SVI External encapsulation scope is configured in the specified interface.

Support for Multiple Encapsulation for L3Outs With SVI

Prior to release 5.2(3), L3Outs configured with SVIs are limited to one VLAN encapsulation for each external bridge domain.

Beginning with release 5.2(3), support is now available for using different external VLAN encapsulations, where all of the different external encapsulation instances are treated as part of a single Layer 2 domain. An L3Out configured with multiple SVIs, each using a different encapsulation, can be grouped into a single external bridge domain. This single external bridge domain will use a single VXLAN network identifier (VNID) and will be a single broadcast domain. The SVIs configured with different encapsulations can use IP addresses in the same subnet.

Grouping Multiple SVIs With Different Access Encapsulation

The following figure shows a configuration where multiple SVIs are grouped together with different access encapsulation.

For this use case:

  • The following leaf switches are VPC pairs:

    • node101 and node102

    • node103 and node104

    • node105 and node106

To configure the use case shown above, where you are grouping multiple SVIs into a Layer 2 bridge group:

  1. Create three regular SVIs, one for each VPC pair:

    • Create the regular SVI svi-100 on leaf switches node101 and node102

    • Create the regular SVI svi-101 on leaf switches node103 and node104

    • Create the regular SVI svi-102 on leaf switches node105 and node106

  2. Configure the leaf switches with access encapsulations:

    • Configure leaf switches node101 and node102 with access encapsulation vlan100

    • Configure leaf switches node103 and node104 with access encapsulation vlan101

    • Configure leaf switches node105 and node106 with access encapsulation vlan102

  3. Group the regular SVIs svi-100, svi-101, and svi-102 together to behave as part of a single Layer 2 broadcast domain:

    1. Create a bridge domain profile.

      The bridge domain profile is represented by the new MO l3extBdProfile.

    2. Provide a unique name string for the bridge domain profile.

    3. Associate each of the regular SVIs that need to be grouped together to the same bridge domain profile.

      Two new MOs are available for this association: l3extBdProfileCont and l3extRsBdProfile.

Guidelines and Limitations

  • Layer 2 loops are blocked by the external device/hypervisor. Loops may occur if this feature is used with external switches that rely on spanning tree protocol to prevent loops.

  • The SVI will be deleted and re-added after configuring the external bridge domain profile on them.

  • The external bridge domain profile is L3Out-scoped. On a node, you cannot have two different access encapsulation mappings to the same external bridge domain profile.

  • Bridge domain grouping is not supported with encapsulation scope ctx (the VRF option in the APIC GUI).

  • Grouped SVIs with different line encapsulation cannot share any common nodes.

  • If you downgrade from release 5.2(3) to a previous release where multiple encapsulation for L3Outs with SVI is not supported, the following actions will be performed on the L3Out that was configured with multiple encapsulations and/or the external bridge domain profile:

    • The new allocator used for the multiple encapsulation support (l3extBdProfileEncapAllocator) will be deleted

    • All external bridge domain profiles (new l3extBdProfile MOs) will be deleted

    • All new l3extBdProfileCont MOs will be deleted

    • All new l3extRsBdProfile MOs will be deleted

Configuring Multiple Encapsulation for L3Outs With SVI Using the GUI

Procedure


Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI External Encapsulation Scope Using the GUI for those procedures.

Step 2

Create an external bridge group profile that will be used for SVI grouping.

  1. Navigate to Tenants > tenant-name > Policies > Protocol > External Bridge Group Profiles.

    A page showing the already-configured external bridge group profiles is displayed.
  2. Right-click on External Bridge Group Profiles and choose Create External Bridge Group Profile.

    The Create External Bridge Group Profile page is displayed.
  3. Enter a name for the external bridge group profile, then click Submit.

    The page showing the already-configured external bridge group profiles is updated with the new external bridge group profile.

Step 3

Associate a regular SVI with the bridge domain profile.

  1. Navigate to Tenants > tenant-name > Networking > L3Outs > L3Out-name > Logical Node Profile > log-node-profile-name > Logical Interface Profile > log-int-profile-name.

    The General page for this logical interface profile is displayed.
  2. Click on the SVI tab.

    A page showing the already-configured switch virtual interfaces is displayed.
  3. Double-click on the switch virtual interface that you want to associate with the external bridge domain profile.

    General information for this switch virtual interface is displayed.
  4. In the External Bridge Group Profile field, select the external bridge domain profile that you want to associate with this switch virtual interface.

  5. Click Submit.


Configuring Multiple Encapsulation for L3Outs With SVI Using the CLI

Procedure


Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI Interface Encapsulation Scope Using NX-OS Style CLI for those procedures.

Step 2

Log in to your APIC through the CLI, then go into configuration mode and tenant configuration mode.


apic1#
apic1# configuration
apic1(config)# tenant <tenant-name>
apic1(config-tenant)#

Step 3

Enter the following commands to create an external bridge profile that will be used for SVI grouping.


apic1(config-tenant)# external-bridge-profile <bridge-profile-name>
apic1(config-tenant-external-bridge-profile)# ? 

Step 4

Enter the following commands to associate a regular SVI with the bridge domain profile.


apic1(config)# leaf <leaf-ID>
apic1(config-leaf)# interface vlan <vlan-num>
apic1(config-leaf-if)# vrf member tenant <tenant-name> vrf <VRF-name>
apic1(config-leaf-if)# ip address <IP-address>
apic1(config-leaf-if)# external-bridge-profile <bridge-profile-name>


Configuring Multiple Encapsulation for L3Outs With SVI Using the REST API

Procedure


Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI Interface Encapsulation Scope Using the REST API for those procedures.

Step 2

Enter a post such as the following example to create an external bridge profile that will be used for SVI grouping.


<fvTenant name="t1" dn="uni/tn-t1" >
    <l3extBdProfile name="bd100" status=""/>
</fvTenant>

Step 3

Enter a post such as the following example to associate a regular SVI with the bridge domain profile.


<fvTenant name="t1">
    <l3extOut name="l1">
        <l3extLNodeP name="n1">
            <l3extLIfP name="i1">
                <l3extRsPathL3OutAtt encap="vlan-108" 
                    tDn="topology/pod-1/paths-108/pathep-[eth1/10]" 
                    ifInstT="ext-svi">
                    <l3extBdProfileCont>
                        <l3extRsBdProfile tDn="uni/tn-t1/bdprofile-bd100" status=""/>
                    </l3extBdProfileCont>
                </l3extRsPathL3OutAtt>
            </l3extLIfP>
        </l3extLNodeP>
    </l3extOut>
</fvTenant>

Step 4

Enter a post such as the following example to specify the separate encapsulation for floating nodes.


<fvTenant name="t1">
    <l3extOut name="l1">
        <l3extLNodeP name="n1">
            <l3extLIfP name="i1">
                <l3extVirtualLIfP addr="10.1.0.1/24" 
                    encap="vlan-100" 
                    nodeDn="topology/pod-1/node-101"  
                    ifInstT="ext-svi">
                    <l3extRsDynPathAtt floatingAddr="10.1.0.100/24"
                        encap="vlan-104" 
                        tDn="uni/phys-phyDom"/>
                </l3extVirtualLIfP>
            </l3extLIfP>
        </l3extLNodeP>
    </l3extOut>
</fvTenant>
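
Because grouping SVIs under one external bridge domain profile merges several VLANs into a single broadcast domain, it is worth checking a payload against the guidelines above before posting it. The following Python check is an added example, not Cisco code. It assumes the encapScope and mtu attribute names on l3extRsPathL3OutAtt and the protpaths-<node>-<node> form of vPC path DNs, none of which appear on this page, and it runs on a constructed sample payload.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample payload (not from the page): two SVIs grouped into bd100.
SAMPLE = """
<fvTenant name="t1">
  <l3extOut name="l1">
    <l3extLNodeP name="n1">
      <l3extLIfP name="i1">
        <l3extRsPathL3OutAtt encap="vlan-100" ifInstT="ext-svi" mtu="9000"
            tDn="topology/pod-1/protpaths-101-102/pathep-[vpc1]">
          <l3extBdProfileCont>
            <l3extRsBdProfile tDn="uni/tn-t1/bdprofile-bd100"/>
          </l3extBdProfileCont>
        </l3extRsPathL3OutAtt>
        <l3extRsPathL3OutAtt encap="vlan-101" ifInstT="ext-svi" encapScope="ctx"
            mtu="300" tDn="topology/pod-1/paths-102/pathep-[eth1/10]">
          <l3extBdProfileCont>
            <l3extRsBdProfile tDn="uni/tn-t1/bdprofile-bd100"/>
          </l3extBdProfileCont>
        </l3extRsPathL3OutAtt>
      </l3extLIfP>
    </l3extLNodeP>
  </l3extOut>
</fvTenant>
"""

# Node IDs in a path DN: paths-<node> or, for a vPC, protpaths-<node>-<node>.
NODE_RE = re.compile(r"/(?:prot)?paths-(\d+)(?:-(\d+))?/")


def lint_l3out(xml_text):
    """Return a list of guideline violations found in an L3Out payload."""
    findings = []
    encaps = defaultdict(set)  # (bridge domain profile DN, node ID) -> encaps
    for path in ET.fromstring(xml_text).iter("l3extRsPathL3OutAtt"):
        tdn, encap = path.get("tDn", ""), path.get("encap")
        # Assumption: a missing mtu attribute means the value is inherited.
        mtu = path.get("mtu", "inherit")
        if mtu != "inherit" and not (mtu.isdigit() and 576 <= int(mtu) <= 9216):
            findings.append(f"{tdn}: MTU {mtu} outside 576-9216")
        for rs in path.iter("l3extRsBdProfile"):
            bd = rs.get("tDn")
            # Grouping is not supported with scope ctx; assumed default is local.
            if path.get("encapScope", "local") == "ctx":
                findings.append(f"{tdn}: {bd} grouped with encap scope ctx")
            m = NODE_RE.search(tdn)
            for node in filter(None, m.groups() if m else ()):
                encaps[(bd, node)].add(encap)
    # A node may not map two different encapsulations to the same profile.
    for (bd, node), seen in sorted(encaps.items()):
        if len(seen) > 1:
            findings.append(f"node {node}: {bd} maps to {sorted(seen)}")
    return findings
```

Calling lint_l3out(SAMPLE) reports the out-of-range MTU, the ctx-scoped SVI attached to a bridge domain profile, and node 102 carrying both vlan-100 and vlan-101 in the same profile.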

SVI Auto State

About SVI Auto State


Note


This feature is available in APIC Release 2.2(3x), and in APIC Release 3.1(1) and later. It is not supported in APIC Release 3.0(x).


The Switch Virtual Interface (SVI) represents a logical interface between the bridging function and the routing function of a VLAN in the device. SVI can have members that are physical ports, direct port channels, or virtual port channels. The SVI logical interface is associated with VLANs, and the VLANs have port membership.

By default, the SVI state does not depend on its members. The default auto state value for an SVI in Cisco APIC is disabled, and with auto state disabled the SVI remains in the up state. This means that the SVI remains active even if no interfaces are operational in the corresponding VLAN or VLANs.

If the SVI auto state value is changed to enabled, then it depends on the port members in the associated VLANs. When a VLAN interface has multiple ports in the VLAN, the SVI goes to the down state when all the ports in the VLAN go down.

Table 2. SVI Auto State

| SVI Auto State | Description of SVI State |
|----------------|--------------------------|
| Disabled | SVI remains in the up state even if no interfaces are operational in the corresponding VLAN/s. Disabled is the default SVI auto state value. |
| Enabled | SVI depends on the port members in the associated VLANs. When a VLAN interface contains multiple ports, the SVI goes into the down state when all the ports in the VLAN go down. |

Guidelines and Limitations for SVI Auto State Behavior

Read the following guidelines:

  • When you enable or disable the auto state behavior for SVI, you configure the auto state behavior per SVI. There is no global command.

Configuring SVI Auto State Using the GUI

Before you begin

  • The tenant and VRF are configured.

  • An L3Out is configured, and a logical node profile and a logical interface profile under the L3Out are configured.

Procedure


Step 1

On the menu bar, click Tenants > Tenant_name.

Step 2

In the Navigation pane, click Networking > L3Outs > L3Out_name > Logical Node Profiles > LogicalNodeProfile_name > Logical Interface Profiles.

Step 3

In the Navigation pane, expand Logical Interface Profile, and click the appropriate logical interface profile.

Step 4

In the Work pane, click the SVI tab, then click the + sign to display the SVI dialog box.

Step 5

To add an additional SVI, in the SVI dialog box, perform the following actions:

  1. In the Path Type field, choose the appropriate path type.

  2. In the Path field, from the drop-down list, choose the appropriate physical interface.

  3. In the Encap field, choose the appropriate values.

  4. In the Auto State field, choose the SVI in the Work pane to view or change the Auto State value.

    The default value is Disabled.

    Note

    To verify or change the Auto State value for an existing SVI, choose the appropriate SVI and verify or change the value.


About Cisco Floating L3Outs

Beginning with the Cisco Application Policy Infrastructure Controller (APIC) release 4.2(1), you no longer need to specify multiple Layer 3 outside network connection (L3Out) logical interface paths in a virtual environment.

The floating L3Out feature enables you to configure an L3Out without specifying logical interfaces. The feature saves you from having to configure multiple L3Out logical interfaces to maintain routing when virtual machines move from one host to another. Floating L3Out is supported for VMware vSphere Distributed Switch (VDS).

Beginning with the Cisco APIC release 5.0(1), physical domains are supported.

For more information, see the Using Floating L3Out to Simplify Outside Network Connections knowledge base article:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/Cisco-ACI-Floating-L3Out.html