Node and Interface for L3Out

Modifying Interfaces for L3Out

Modifying Interfaces for L3Out Using the GUI

This procedure modifies an L3Out interface.


Note

The steps for filling out the fields are not necessarily listed in the same order that you see them in the GUI.

Before you begin

  • The Cisco ACI fabric is installed, the Cisco APICs are online, and the Cisco APIC cluster is formed and healthy.

  • A Cisco APIC fabric administrator account is available that enables creating the necessary fabric infrastructure configurations.

  • The target leaf switches are registered in the Cisco ACI fabric and available.

  • Port channels are configured when port channels are used for L3Out interfaces.

Procedure

Step 1

On the menu bar, choose Tenants > All Tenants.

Step 2

In the Work pane, double click the tenant's name.

Step 3

In the Navigation pane, expand tenant_name > Networking > L3Outs > L3Out > Logical Node Profiles > node_profile > Logical Interface Profiles and choose the profile that you want to modify.

Step 4

Choose an interface type tab: Routed Sub-Interfaces, Routed Interfaces, SVI, or Floating SVI.

Step 5

Double click an existing interface to modify it, or click the Create (+) button to add a new interface to the logical interface profile.

Step 6

For interface types other than floating SVI, perform the following substeps:

  1. To add a new interface in the Path Type field, choose the appropriate path type.

    For the routed sub-interface and routed interface interface types, choose Port or Direct Port Channel. For the SVI interface type, choose Port, Direct Port Channel, or Virtual Port Channel.

  2. In the Node drop-down list, choose a node.

    Note

     

    This is applicable only for the non-port channel path types. If you selected Path Type as Port, then perform this step. Otherwise, proceed to the next step.

  3. In the Path drop-down list, choose the interface ID or the port channel name.

    An example of an interface ID is eth 1/1. The port channel name is the interface policy group name for each direct or virtual port channel.

Step 7

For the floating SVI interface type, in the Anchor Node drop-down list, choose a node.

Step 8

(Optional) In the Description field, enter a description of the L3Out interface.

Step 9

For the routed sub-interfaces, SVI, and floating SVI interface types, in the Encap drop-down list, choose VLAN and enter an integer value for this entry.

Step 10

For the SVI and floating SVI interface types, perform the following substeps:

  1. For the Encap Scope buttons, choose the scope of the encapsulation used for the Layer 3 Outside profile.

    • VRF: Use the same transit VLAN in all Layer 3 Outsides in the same VRF instance for a given VLAN encapsulation. This is a global value.

    • Local: Use a unique transit VLAN per Layer 3 Outside.

  2. For the Auto State buttons, choose whether to enable or disable this feature.

    • disabled: The SVI or floating SVI remains active even if no interfaces are operational in the corresponding VLANs.

    • enabled: When a VLAN interface has multiple ports in the VLAN, the SVI or floating SVI goes to the down state when all the ports in the VLAN go down.

  3. For the Mode buttons, choose the VLAN tagging mode.

Step 11

In the IPv4 Primary / IPv6 Preferred Address field, enter the primary IP addresses of the path attached to the Layer 3 outside profile.

Step 12

In the IPv4 Secondary / IPv6 Additional Addresses table, click the + to enter the secondary IP addresses of the path attached to the Layer 3 outside profile.

Step 13

(Optional) In the Link-local Address field, enter an IPv6 link-local address. This is the override of the system-generated IPv6 link-local address.

Step 14

In the MAC Address field, enter the MAC address of the path attached to the Layer 3 outside profile.

Step 15

In the MTU (bytes) field, set the maximum transmit unit of the external network. The range is 576 to 9216. To inherit the value, enter inherit in the field.

Step 16

In the Target DSCP drop-down list, choose the target differentiated services code point (DSCP) of the path attached to the Layer 3 outside profile.

Step 17

Click Submit.

Create OSPF Interface Profile

The OSPF interface profile enables OSPF on the interface. Optionally, the OSPF interface profile can have a relation to an OSPF interface policy for more granular control over interface proprieties.

Faults

Faults are raised in the following scenarios, which will bring down the OSPF session:

  • No pre-shared key provided under Key (key-string) provided under "key" in the KeyChain policy

  • No Key (key-string) configured in the KeyChain policy

  • If you specify unsupported encryption algorithm such as 3DES and AES. These algorithms are supported for Authentication.

No fault will be raised if the OSPF session goes down because the Send/ Accept lifetime of the key was expired, with no active key. The KeyChain state under the OSPF interface will be in “not-ready” state.

Before you begin

  • The Cisco ACI fabric is installed, the Cisco APICs are online, and the Cisco APIC cluster is formed and healthy.

  • A Cisco APIC fabric administrator account is available that enables creating the necessary fabric infrastructure configurations.

  • The target leaf switches are registered in the Cisco ACI fabric and available.

  • Port channels are configured when port channels are used for L3Out interfaces.

Procedure

Step 1

On the menu bar, choose Tenants > All Tenants.

Step 2

In the Work pane, double click the tenant's name.

Step 3

In the Navigation pane, expand tenant_name > Networking > L3Outs > L3Out > Logical Node Profiles > node_profile > Logical Interface Profiles > OSPF Interface Profile.

Step 4

In the Name field, enter a name for the OSPF interface. This name can be between 1 and 64 alphanumeric characters.

Note

 

You cannot change this name after the object has been saved.

Step 5

[Optional] In the Description field, enter a description for the OSPF interface profile. The description can be 0 to 128 alphanumeric characters.

Step 6

Enter a value for the target interface policy name. This name can be between 1 and 64 alphanumeric characters. You cannot change this name after the object has been saved.

Step 7

To configure the OSPF interface profile by using the MD5 or the simple authentication, complete the following steps:

  1. In the OSPFv2 Authentication Key field, enter the authentication key. The authentication key is a password (up to 8 characters) that can be assigned on an interface basis. The authentication key must match for each router on the interface

    Note

     

    To use authentication, the OSPF authentication type for this interface's area should be set to Simple (the default is None).

  2. In the Confirm OSPFv2 Authentication Key field, renter the authentication key.

  3. In the OSPFv2 Authentication Key ID field, enter the authentication key identifier.

  4. In the OSPFv2 Authentication Type field, select the appropriate option.

    The OSPF authentication type. Authentication enables the flexibility to authenticate OSPF neighbors. You can enable authentication in OSPF to exchange routing update information in a secure manner.

    Note

     

    When you configure authentication, you must configure an entire area with the same type of authentication.

    The authentication types are:

    • None—No authentication is used.

    • Simple—You need to specify the authentication key, OSPFv2 Authentication Key that you specified earlier. The authentication key is a password (up to 8 characters) that can be assigned on an interface basis. The authentication key must match for each router on the interface

    • Md5—The password does not pass over the network. MD5 is a message-digest algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode. When you configure authentication, you must configure an entire area with the same type of authentication.

    The default is None.

Step 8

To configure the OSPF interface profile by using the KeyChain authentication, complete the following steps:

  1. In the OSPFv2 KeyChain Policy field, select OSPFv2 KeyChain policy.

    The OSPFv2 KeyChain policy supports HMAC-SHA authentication along with Simple and MD5 authentication. When you select this option, you can have multiple keys under the same key chain.

    For enhanced security, you can use the rotating keys by specifying a life time for each key. When the lifetime expires for a key it automatically rotates to next key. If you do not specify any algorithm, OSPF will use MD5, which is the default cryptographic authentication algorithm

    Note

     

    The new key is the preferred key and will take precedence against the existing keys.

    Note

     

    You can configure the authentication by specifying the legacy way, which is the OSPFv2 authentication type - MD5 authentication /Simple authentication or by specifying the OSPFv2 keychain policy.

    Configuring the Keychain policy will override the selected Authentication Type.

Step 9

(applicable only for OSPFv3) OSPFv3 IPsec Policy: to associate an OSPFv3 IPsec policy to an L3Out interface, select an IPsec policy from the drop-down list. For creating an OSPFv3 IPsec policy, see the Create an OSPF IPsec Policy procedure

What to do next

To specify the rotating keys for the OSPFv2 KeyChain, refer to the Create Key Policy.

Create Key Policy

Before you begin

Ensure that you have create the OSPFv2 interface profile. Refer to Create OSPF Interface Profile for more information.

Procedure

Step 1

On the menu bar, click Tenants> All Tenants.

Step 2

In the Work pane, double click the tenant’s name.

Step 3

In the Navigation pane, navigate to Policies > Protocol > KeyChains.

Step 4

Right-click KeyChains, select Create Key Policy, and perform the following steps:

  1. Type a name for the policy and optionally add a description.

  2. In the Key ID field, enter a valid key ID.

  3. In the Pre-Shared Key field, enter the pre-shared key.

  4. In the Cryptographic Algorithm field, enter the algorithm.

  5. In the Start Time field, specify the start time in YYYY-MM--DD- HH-MM-SS format.

  6. In the End Time field, specify the end time in YYYY-MM--DD- HH-MM-SS format.

  7. In the Key accept lifetime start time field, specify the start time in the YYYY-MM--DD- HH-MM-SS format.

    This is a rotating key. you will be specifying a life time for each key. When the lifetime expires for a key it automatically rotates to next key. If you do not specify any algorithm, OSPF will use MD5, which is the default cryptographic authentication algorithm.

    This field is not applicable for OSPFv3 IPSec policy.

    Note

     

    The new key is the preferred key and will take precedence against the existing keys.

  8. In the Key accept lifetime end time field, specify the end time in the YYYY-MM--DD- HH-MM-SS format.

    This field is not applicable for OSPFv3 IPSec policy.

Step 5

Click Submit.

Create an OSPF IPsec Policy

Beginning with Cisco APIC release 6.1(2), encryption and authentication for OSPFv3 sessions are supported. Use this procedure


Note

OSPFv3 is not supported on infra tenant; the OSPF IPSec policy support is for user tenant only.

Before you begin

Create a keychain policy.

Procedure

Step 1

On the menu bar, click Tenants> tenant name.

Step 2

On the left Navigation pane, navigate to Policies > Protocol > OSPF > OSPF IPSec.

Step 3

In the Create IPSec Authentication Policy window, enter these details:

  • Name: for the IPSec policy.

  • Description: description for the IPSec policy.

  • IP Security Protocol: select either Authentication Header (AH) or Encapsulating Security Payload (ESP).

    If you select Authentication Header, only authentication is supported. If you select ESP, the available options are: authentication, encryption or both (authentication and encryption).

    Supported keychain algorithms:

    • Authentication Header: MD5 (default), HMAC-SHA1.

    • Encapsulating Security Protocol: for authentication: HMAC-SHA1; for encryption: 3DES (default), AES.

      Note

       

      If you do not select any algorithm or choose an unsupported algorithm, the default is automatically selected.

  • Security Parameter Index: unique value for creating the IPSec protocol. Select a value from the drop-down list. The supported range is from 256 to 4294967295.

  • OSPFv3 Authentication Keychain: select a keychain value from the drop-down list. If you have selected the AH option for the IP Security Protocol field, this field is mandatory. If you leave the field blank, a fault is generated.

    To check for faults, navigate to the OSPF Interface Profile screen and click the Faults tab.

  • OSPFv3 Encryption Keychain: select a keychain value from the drop-down list. This field is not applicable if you have selected the AH option for the IP Security Protocol field. If you have selected the ESP option for the IP SecurityProtocol field, it is mandatory to enter a value for the Authentication Keychain field or the Encryption Keychain field.

Step 4

Click Submit.

You can use the show ipv6 ospfv3 interface interface-id command on the switch over a SSH or console session to check the created IPSec policy.

Step 5

To associate the created OSPFv3 IPSec policy to an L3Out interface, see Step-9 of the Create OSPF Interface Profile procedure.

Customizing SVI for L3Out

SVI External Encapsulation Scope

About SVI External Encapsulation Scope

In the context of a Layer 3 Out configuration, a switch virtual interfaces (SVI), is configured to provide connectivity between the ACI leaf switch and a router.

By default, when a single Layer 3 Out is configured with SVI interfaces, the VLAN encapsulation spans multiple nodes within the fabric. This happens because the ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes in the fabric where the Layer 3 Out SVI is deployed as long as all SVI interfaces use the same external encapsulation (SVI) as shown in the figure.

However, when different Layer 3 Outs are deployed, the ACI fabric uses different bridge domains even if they use the same external encapsulation (SVI) as shown in the figure:

Figure 1. Local Scope Encapsulation and One Layer 3 Out
Figure 2. Local Scope Encapsulation and Two Layer 3 Outs

Starting with Cisco APIC release 2.3, it is now possible to choose the behavior when deploying two (or more) Layer 3 Outs using the same external encapsulation (SVI).

The encapsulation scope can now be configured as Local or VRF:

  • Local scope (default): The example behavior is displayed in the figure titled Local Scope Encapsulation and Two Layer 3 Outs.

  • VRF scope: The ACI fabric configures the same bridge domain (VXLAN VNI) across all the nodes and Layer 3 Out where the same external encapsulation (SVI) is deployed. See the example in the figure titled VRF Scope Encapsulation and Two Layer 3 Outs.

Figure 3. VRF Scope Encapsulation and Two Layer 3 Outs

Encapsulation Scope Syntax

The options for configuring the scope of the encapsulation used for the Layer 3 Out profile are as follows:

  • Ctx—The same external SVI in all Layer 3 Outs in the same VRF for a given VLAN encapsulation. This is a global value.

  • Local —A unique external SVI per Layer 3 Out. This is the default value.

The mapping among the CLI, API, and GUI syntax is as follows:

Table 1. Encapsulation Scope Syntax

CLI

API

GUI

l3out

local

Local

vrf

ctx

VRF

Note

The CLI commands to configure encapsulation scope are only supported when the VRF is configured through a named Layer 3 Out configuration.

Guidelines for SVI External Encapsulation Scope

To use SVI external encapsulation scope, follow these guidelines:

  • If deploying the Layer 3 Outs on the same node, the OSPF areas in both the Layer 3 Outs must be different.

  • If deploying the Layer 3 Outs on the same node, the BGP peer configured on both the Layer 3 Outs must be different.

Configuring SVI External Encapsulation Scope Using the GUI

Before you begin

  • The tenant and VRF configured.

  • An L3Out is configured and a logical node profile under the L3Out is configured.

Procedure

Step 1

On the menu bar, click > Tenants > Tenant_name.

Step 2

In the Navigation pane, click Networking > L3Outs > L3Out_name > Logical Node Profiles > LogicalNodeProfile_name > Logical Interface Profiles.

Step 3

In the Navigation pane, right-click Logical Interface Profiles, and click Create Interface Profile.

Step 4

In the Create Interface Profile dialog box, perform the following actions:

  1. In the Step 1 Identity screen, in the Name field, enter a name for the interface profile.

  2. In the remaining fields, choose the desired options, and click Next.

  3. In the Step 2 Protocol Profiles screen, choose the desired protocol profile details, and click Next.

  4. In the Step 3 Interfaces screen, click the SVI tab, and click the + icon to open the Select SVI dialog box.

  5. In the Specify Interface area, choose the desired values for the various fields.

  6. In the Encap Scope field, choose the desired encapsulation scope value. Click OK.

    The default value is Local.

The SVI External encapsulation scope is configured in the specified interface.

Support for Multiple Encapsulation for L3Outs With SVI

When an L3Out is configured with SVI interfaces on different leaf switches using the same encapsulation VLAN, the SVI VLAN will be mapped to the same VXLAN network identifier (VNID). This forms a single bridge domain (external bridge domain) and broadcast domain across the fabric. An SVI interface configured with a different VLAN will form a separate external bridge domain as illustrated in the diagram below. Prior to release 5.2(3) it was not possible to create a single external bridge domain with different encapsulation VLANs on different switches.

Figure 4. Separate VNID Associated to External Bridge Domains with Different Encapsulation (pre-ACI 5.2(3) Releases).

Release 5.2(3) added support for configuring a single external bridge that can be configured with different encapsulation VLANs on different leaf switches. The multiple encapsulation support feature uses the floating SVI object to define the external bridge domain for floating L3Outs or an external bridge group profile for defining the external bridge domain for regular L3Outs. The use case for this feature may be where the same VLAN cannot be used on different leaf switches because it may already be in use.

Figure 5. Single VNID Associated to External Bridge Domains with Different Encapsulation (post-ACI 5.2(3) Releases).

As of ACI release 6.0(1), this feature is supported for physical domain L3Outs only, not for VMM domain L3Outs.

Grouping Multiple SVIs With Different Access Encapsulation

The following figure shows a configuration where multiple SVIs are grouped together with different access encapsulation.

For this use case:

  • The following leaf switches are VPC pairs:

    • node101 and node102

    • node103 and node104

    • node105 and node106

To configure the use case shown above, where you are grouping multiple SVIs into a Layer 2 bridge group:

  1. Create three regular SVIs for each VPC pair:

    • Create the regular SVI svi-100 on leaf switches node101 and node102

    • Create the regular SVI svi-101 on leaf switches node103 and node104

    • Create the regular SVI svi-102 on leaf switches node105 and node106

  2. Configure the leaf switches with access encapsulations:

    • Configure leaf switches node101 and node102 with access encapsulation vlan100

    • Configure leaf switches node103 and node104 with access encapsulation vlan101

    • Configure leaf switches node105 and node106 with access encapsulation vlan102

  3. Group the regular SVIs svi-100, svi-101, and svi-102 together to behave as part of a single Layer 2 broadcast domain:

    1. Create a bridge domain profile.

      The bridge domain profile is represented by the new MO l3extBdProfile

    2. Provide a unique name string for the bridge domain profile.

    3. Associate each of the regular SVIs that need to be grouped together to the same bridge domain profile.

      Two new MOs are available for this association: l3extBdProfileCont and l3extRsBdProfile.

Guidelines and Limitations

  • Layer 2 loops are blocked by the external device/hypervisor. Loops may occur if this feature is used with external switches that rely on spanning tree protocol to prevent loops.

  • The SVI will be deleted and re-added after configuring the external bridge domain profile on them.

  • The external bridge domain profile is L3Out-scoped. On a node, you cannot have two different access encapsulation mappings to the same external bridge domain profile.

  • Bridge domain grouping is not supported with encapsulation scope ctx (the VRF option in the APIC GUI).

  • Grouped SVIs with different line encapsulation can not share any common nodes.

  • If you downgrade from release 5.2(3) to a previous release where multiple encapsulation for L3Outs with SVI is not supported, the following actions will be performed on the L3Out that was configured with multiple encapsulations and/or the external bridge domain profile:

    • The new allocator used for the multiple encapsulation support (l3extBdProfileEncapAllocator) will be deleted

    • All external bridge domain profiles (new l3extBdProfile MOs) will be deleted

    • All new l3extBdProfileCont MOs will be deleted

    • All new l3extRsBdProfile MOs will be deleted

Configuring Multiple Encapsulation for L3Outs With SVI Using the GUI

Procedure

Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI External Encapsulation Scope Using the GUI for those procedures.

Step 2

Create an external bridge group profile that will be used for SVI grouping.

  1. Navigate to Tenants > tenant-name > Policies > Protocol > External Bridge Group Profiles.

    A page showing the already-configured external bridge group profiles is displayed.

  2. Right-click on External Bridge Group Profiles and choose Create External Bridge Group Profile.

    The Create External Bridge Group Profile page is displayed.

  3. Enter a name for the external bridge group profile, then click Submit.

    The page showing the already-configured external bridge group profiles is updated with the new external bridge group profile.

Step 3

Associate a regular SVI with the bridge domain profile.

  1. Navigate to Tenants > tenant-name > Networking > L3Outs > L3Out-name > Logical Node Profile > log-node-profile-name > Logical Interface Profile > log-int-profile-name.

    The General page for this logical interface profile is displayed.

  2. Click on the SVI tab.

    A page showing the already-configured switch virtual interfaces is displayed.

  3. Double-click on the switch virtual interface that you want to associate with the external bridge domain profile.

    General information for this switch virtual interface is displayed.

  4. In the External Bridge Group Profile field, select the external bridge domain profile that you want to associate with this switch virtual interface.

  5. Click Submit.

Configuring Multiple Encapsulation for L3Outs With SVI Using the CLI

Procedure

Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI Interface Encapsulation Scope Using NX-OS Style CLI for those procedures.

Step 2

Log into your APIC through the CLI, then go into configuration mode and tenant configuration mode.


apic1#
apic1# configuration
apic1(config)# tenant <tenant-name>
apic1(config-tenant)#

Step 3

Enter the following commands to create an external bridge profile that will be used for SVI grouping.


apic1(config-tenant)# external-bridge-profile <bridge-profile-name>
apic1(config-tenant-external-bridge-profile)# ?

Step 4

Enter the following commands to associate a regular SVI with the bridge domain profile.


apic1(config)# leaf <leaf-ID>
apic1(config-leaf)# interface vlan <vlan-num>
apic1(config-leaf-if)# vrf member tenant <tenant-name> vrf <VRF-name>
apic1(config-leaf-if)# ip address <IP-address>
apic1(config-leaf-if)# external-bridge-profile <bridge-profile-name>

Configuring Multiple Encapsulation for L3Outs With SVI Using the REST API

Procedure

Step 1

Create the regular SVIs and configure the leaf switches with access encapsulations.

See Configuring SVI Interface Encapsulation Scope Using the REST API for those procedures.

Step 2

Enter a post such as the following example to create an external bridge profile that will be used for SVI grouping.


<fvTenant name="t1" dn="uni/tn-t1" >
    <l3extBdProfile name="bd100" status=""/>
</fvTenant>

Step 3

Enter a post such as the following example to associate a regular SVI with the bridge domain profile.


<fvTenant name="t1">
    <l3extOut name="l1">
        <l3extLNodeP name="n1">
            <l3extLIfP name="i1">
                <l3extRsPathL3OutAtt encap="vlan-108" 
                    tDn="topology/pod-1/paths-108/pathep-[eth1/10]" 
                    ifInstT="ext-svi">
                    <l3extBdProfileCont>
                        <l3extRsBdProfile tDn="uni/tn-t1/bdprofile-bd100" status=""/
                    </l3extBdProfileCont>
                </l3extRsPathL3OutAtt>
            </l3extLIfP>
        </l3extLNodeP>
    </l3extOut>
</fvTenant>

Step 4

Enter a post such as the following example to specify the separate encapsulation for floating nodes.


<fvTenant name="t1">
    <l3extOut name="l1">
        <l3extLNodeP name="n1">
            <l3extLIfP name="i1">
                <l3extVirtualLIfP addr="10.1.0.1/24" 
                    encap="vlan-100" 
                    nodeDn="topology/pod-1/node-101"  
                    ifInstT="ext-svi">
                    <l3extRsDynPathAtt floatingAddr="10.1.0.100/24"
                        encap="vlan-104" 
                        tDn="uni/phys-phyDom"/>
                </l3extVirtualLIfP>
            </l3extLIfP>
    </l3extOut>
</fvTenant>

SVI Auto State

About SVI Auto State


Note

This feature is available in the APIC Release 2.2(3x) release and going forward with APIC Release 3.1(1). It is not supported in APIC Release 3.0(x).

The Switch Virtual Interface (SVI) represents a logical interface between the bridging function and the routing function of a VLAN in the device. SVI can have members that are physical ports, direct port channels, or virtual port channels. The SVI logical interface is associated with VLANs, and the VLANs have port membership.

The SVI state does not depend on the members. The default auto state behavior for SVI in Cisco APIC is that it remains in the up state when the auto state value is disabled. This means that the SVI remains active even if no interfaces are operational in the corresponding VLAN/s.

If the SVI auto state value is changed to enabled, then it depends on the port members in the associated VLANs. When a VLAN interface has multiple ports in the VLAN, the SVI goes to the down state when all the ports in the VLAN go down.

Table 2. SVI Auto State

SVI Auto State

Description of SVI State

Disabled

SVI remains in the up state even if no interfaces are operational in the corresponding VLAN/s.

Disabled is the default SVI auto state value.

Enabled

SVI depends on the port members in the associated VLANs. When a VLAN interface contains multiple ports, the SVI goes into the down state when all the ports in the VLAN go down.

Guidelines and Limitations for SVI Auto State Behavior

Read the following guidelines:

  • When you enable or disable the auto state behavior for SVI, you configure the auto state behavior per SVI. There is no global command.

Configuring SVI Auto State Using the GUI

Before you begin

  • The tenant and VRF configured.

  • An L3Out is configured and a logical node profile and a logical interface profile under the L3Out is configured.

Procedure

Step 1

On the menu bar, click > Tenants > Tenant_name.

Step 2

In the Navigation pane, click Networking > L3Outs > L3Out_name > Logical Node Profiles > LogicalNodeProfile_name > Logical Interface Profiles.

Step 3

In the Navigation pane, expand Logical Interface Profile, and click the appropriate logical interface profile.

Step 4

In the Work pane, click the SVI tab, then click the + sign to display the SVI dialog box.

Step 5

To add an additional SVI, in the SVI dialog box, perform the following actions:

  1. In the Path Type field, choose the appropriate path type.

  2. In the Path field, from the drop-down list, choose the appropriate physical interface.

  3. In the Encap field, choose the appropriate values.

  4. In the Auto State field, choose the SVI in the Work pane, to view/change the Auto State value.

    The default value is Disabled.

    Note

     

    To verify or change the Auto State value for an existing SVI, choose the appropriate SVI and verify or change the value.

About Cisco Floating L3Outs

Beginning with the Cisco Application Policy Infrastructure Controller (APIC) release 4.2(1), you no longer need to specify multiple Layer 3 outside network connection (L3Out) logical interface paths to connect external network devices.

The floating L3Out feature enables you to configure a L3Out without specifying logical interfaces. The feature saves you from having to configure multiple L3Out logical interfaces to maintain routing when virtual machines (performing a specific virtual network function) move from one host to another. Floating L3Out is supported for VMM domains with VMware vSphere Distributed Switch (VDS).

Beginning with the Cisco APIC release 5.0(1), physical domains are supported. This means that the same simplified configuration can be used for physical routers deployments as well.

For more information, see the Using Floating L3Out to Simplify Outside Network Connections knowledge base article:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/Cisco-ACI-Floating-L3Out.html