Creating a Floating L3Out

Follow the steps in this procedure to create a Layer 3 outside network connection (L3Out) with the floating L3Out feature. When you configure the floating L3Out for a VMM domain, the configuration creates a port-group on the VMware VDS with the name <Tenant> | <L3Out name> | <VLAN Number>. The administrator managing the virtual router then attaches the virtual router vNIC to this port-group.

Before you begin

You must have performed the following tasks before creating the L3Out.

  • Configured the interface access policies, accessible attachable entity profile (AEP), and Layer 3 domain.

  • Created the VMM domain or physical domain.

Procedure

Configuration Steps with Physical Domain:


Step 1

Log in to the Cisco Application Policy Infrastructure Controller (APIC).

Step 2

Go to Tenants > your tenant.

Step 3

In the tenant navigation pane, expand the Networking folder, right-click the L3Outs folder and choose Create L3Out.

Step 4

In the Create L3Out dialog box, 1. Identity dialog box, complete the following steps.

  1. In the Name field, enter a name for the L3Out.

  2. From the VRF drop-down list, choose or create a virtual routing and forwarding (VRF) instance.

  3. From the L3 Domain drop-down list, choose the Layer 3 domain that you created earlier.

  4. On the right side of the dialog box, click one or more routing protocols, and accept the defaults or configure routing as appropriate for your setup.

    You can choose BGP or OSPF.

  5. Click Next.

Step 5

In the Create L3Out dialog box, 2. Nodes and Interfaces dialog box, complete the following steps:

  1. For the Use Defaults check box, leave it checked to accept the default interface and node policy names, or uncheck it to create custom names.

    You can accept the defaults or create custom names for the interface and node policies.

  2. In the Interface Types field, choose Floating SVI.

  3. From the Domain Type options, choose Physical.

  4. From the Domain drop-down list, choose a domain.

  5. In the Floating Address field, enter the floating IP address.

    The floating IP address is the common IP address for non-anchor leaf nodes. It is used to locate the router if it is connected to any non-anchor top-of-rack switch through the data path.

  6. In the Encap area, in the Integer Value field, enter the desired VLAN from the static VLAN range.

  7. In the MTU field, enter the maximum transmission unit (MTU) of the external network.

    The range is 1500 to 9216, and the default value is 9000. To inherit the value configured for the Fabric L2 MTU policy, enter "inherit" in the MTU field.

  8. In the Nodes area, from the Node ID drop-down list, choose a node for the anchor leaf switch.

  9. In the Router ID field, add the address for the router to be used for OSPF or BGP.

  10. In the Loopback Address field, accept the default—which is the same as the router ID—or add a different loopback address.

  11. In the IP Address Primary field, enter the primary IP address for the anchor leaf switch.

    Note: If the external router is connected behind virtual port channel (vPC) leaf anchor nodes, make sure to add a vPC peer leaf as the second anchor node.

  12. (Optional) Click the + (plus sign) next to the Loopback Address field to add additional anchor leaf nodes.

Step 6

In the Create L3Out dialog box, 3. Protocols dialog box, complete the following steps.

  1. In the Protocol Associations area, configure items if necessary.

    For example, if you chose the OSPF protocol, choose an OSPF policy.

    If you chose the BGP protocol, the following configurations are available:

    • Peer Address: Enter the peer IP address

    • EBGP Multihop TTL: Enter the connection time to live (TTL). The range is from 1 to 255 hops; if zero, no TTL is specified. The default is 1.

    • Remote ASN: Enter a number that uniquely identifies the neighbor autonomous system. The autonomous system number can be a 4-byte value in plain format, from 1 to 4294967295.

      For details, see the Layer 3 Configuration guide.

  2. Click Next.

Step 7

In the Create L3Out dialog box, 4. External EPG dialog box, complete the following steps.

  1. In the Name field, enter a name for the external EPG.

  2. From the Provided Contract drop-down list, choose or create a contract.

  3. From the Consumed Contract drop-down list, choose or create a contract.

  4. For the Default EPG for all external networks check box, leave it checked or uncheck it and add specific subnets.

  5. Click Finish.


What to do next

Verify that the floating L3Out exists in Cisco APIC and that the port group exists on the VMware VDS. See the procedure Verifying the L3Out Configuration.
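
The value constraints stated in Steps 5 and 6 can be checked before the values are typed into the wizard. The following Python check is an added example, not part of the original procedure or of any Cisco tooling: the `plan` layout, the function name and all sample addresses are constructed, `vpc_pairs` is assumed to list only the vPC pairs the external router sits behind, and the requirement that the primary and floating addresses share one subnet is an assumption not stated on this page.

```python
import ipaddress

def check_floating_l3out(plan, vpc_pairs=()):
    """Return a list of problems in a planned floating L3Out (empty list = OK)."""
    problems = []
    mtu = plan["mtu"]
    # Step 5: MTU is 1500 to 9216, or the literal value "inherit".
    if mtu != "inherit" and not (isinstance(mtu, int) and 1500 <= mtu <= 9216):
        problems.append("mtu: must be 1500-9216 or 'inherit'")
    floating = ipaddress.ip_interface(plan["floating_address"])
    anchors = plan["anchors"]  # {node_id: primary address with prefix length}
    for node, addr in anchors.items():
        primary = ipaddress.ip_interface(addr)
        if primary.network != floating.network:   # assumption, see lead-in
            problems.append(f"node {node}: primary address not in floating subnet")
        elif primary.ip == floating.ip:
            problems.append(f"node {node}: primary address equals floating address")
    # Step 5 note: both leaf switches of a vPC pair must be anchor nodes.
    for a, b in vpc_pairs:
        if (a in anchors) != (b in anchors):
            missing = b if a in anchors else a
            problems.append(f"vpc: peer leaf {missing} is not an anchor node")
    # Step 6: EBGP multihop TTL 1-255 (0 = none), remote ASN 1-4294967295.
    for peer in plan.get("bgp_peers", []):
        if not 0 <= peer["ttl"] <= 255:
            problems.append(f"bgp {peer['address']}: TTL must be 0-255")
        if not 1 <= peer["remote_asn"] <= 4294967295:
            problems.append(f"bgp {peer['address']}: remote ASN out of range")
    return problems

# Constructed sample: leaf 101 is an anchor, its vPC peer 102 was forgotten.
PLAN = {
    "mtu": 9000,
    "floating_address": "172.16.10.254/24",
    "anchors": {101: "172.16.10.251/24"},
    "bgp_peers": [{"address": "172.16.10.1", "ttl": 1, "remote_asn": 65001}],
}

if __name__ == "__main__":
    for line in check_floating_l3out(PLAN, vpc_pairs=[(101, 102)]):
        print(line)
```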

Configuration Steps With VMM Domain

Procedure


Step 1

Log in to the Cisco APIC.

Step 2

Go to Tenants > your tenant.

Step 3

In the tenant navigation pane, expand the Networking folder, right-click the L3Outs folder and choose Create L3Out or use an existing L3Out.

Step 4

Select the folder Logical Interface Profiles, right click and select Create Interface Profile.

  1. Assign it a name.

  2. Select Floating L3Out SVI and then select +.

  3. In the Select Floating L3Out dialog box, select the Anchor node(s) and assign the Primary IP Address. In the IP Address Primary field, enter the primary IP address for the anchor leaf switch.

    Note: If the external router is connected behind virtual port channel (vPC) leaf anchor nodes, make sure to add a vPC peer leaf as the anchor node. In the case of the floating L3Out, each vPC peer leaf must be entered individually as a separate anchor node.

  4. Enter the Path Attributes. This is the configuration where you associate the Floating L3Out with the VMM domain.

  5. Select the Domain Type as Physical.

  6. Select the VMM domain.

  7. Select the Enhanced LAG Policy for the port-group. This is the ELACP teaming configuration for the port-group on the virtualized host: if the virtualized host Vmnics are configured with ELACP and the Path Attributes configuration doesn't select the correct ELACP, traffic forwarding between the vRouter and the ACI leaf nodes won't work.

  8. Enter the encap VLAN from the VLAN range (only a VLAN defined in the static range of the VMM domain VLAN pool is allowed).

  9. In the Floating Address field, enter the floating IP address. The floating IP address is the common IP address for non-anchor leaf nodes. It is used to locate the router if it is connected to any non-anchor top-of-rack switch through the data path.

Step 5

In the Create L3Out dialog box, 4. External EPG dialog box, complete the following steps:

  1. In the Name field, enter a name for the external EPG.

  2. From the Provided Contract drop-down list, choose or create a contract.

  3. From the Consumed Contract drop-down list, choose or create a contract.

  4. For the Default EPG for all external networks check box, leave it checked or uncheck it and add specific subnets.

  5. Click Finish.


What to do next

Verify that the floating L3Out exists in Cisco APIC and that the port group exists on the VMware VDS. See the procedure Verifying the L3Out Configuration.

Configuring a Secondary IP

This section explains how to create an optional secondary IP by creating a logical interface profile for floating SVI.

Procedure


Step 1

From the navigation pane, go to Tenants > tenant_name > Networking > L3Outs > L3Out_name > Logical Node Profiles > logical_node_profile_name > Logical Interface Profiles > logical_interface_profile_name.

The logical interface profile screen appears in the work pane.

Step 2

From the work pane, click the Floating SVI tab.

Step 3

Double-click on an anchor leaf node.

The Floating SVI dialog appears.

Step 4

Locate the IPv4 Secondary / IPv6 Additional Addresses field and click the + to enable the Address and IPv6 DAD fields and enter the appropriate values.

Note:

  • Starting in Cisco Application Policy Infrastructure Controller (APIC) Release 5.0(1), IPv6 DAD and ND RA Prefix are disabled by default.

  • Click the ? icon to open the help file and view a description of each field.

Step 5

When finished, click OK.


Configuration Example: Different L3Outs for OSPF and BGP Using GUI

Use this procedure to configure OSPF and BGP for a floating Layer 3 outside network connection (L3Out) if you have already created the Layer 3 domain that you want to use. If both OSPF and BGP need to redistribute routes into the Cisco Application Centric Infrastructure (ACI) fabric, then you would have to configure OSPF and BGP under two different L3Outs, in this fashion:


Note: This scenario could apply to a standard L3Out as well as a floating L3Out.


Before you begin

You must have created a Layer 3 domain. See the procedure Create a Layer 3 Domain Using the GUI.

Procedure


Create the first L3Out with only the BGP protocol enabled (l3out-bgp), with the following settings:


Example

  1. Under l3out-bgp, navigate to the Select SVI or Select Floating SVI page:

    Tenants > tenant_name > Networking > L3Outs > l3out-bgp > Logical Node Profiles > log_node_prof_name > Logical Interface Profiles > log_int_prof_name, then + in the SVI or Floating SVI tab and configure the following:

    • In the Encap field, configure the VLAN settings

    • In the Encap Scope field, select VRF if the L3Out for BGP and the L3Out for OSPF use the same VLAN encapsulation ID for the floating SVI.

  2. Configure the loopback under l3out-bgp (Tenants > tenant_name > Networking > L3Outs > l3out-bgp > Logical Node Profiles > log_node_prof_name > Configured Nodes).

  3. Create a BGP peer between the l3out-bgp anchor leaf nodes and the external router. This example uses BGP peering between the loopback IP addresses. If loopback IP addresses are used for BGP peering, ensure that routes to the loopback IP addresses are available on the anchor leaf nodes and external routers by using OSPF or static routes.

  4. Configure the import route control profile at the BGP peer connectivity profile area:

    Tenants > tenant_name > Networking > L3Outs > BGP_L3Out > Logical Node Profiles > logical_node_profile_name > Logical Interface Profiles > logical_interface_profile_name > bgp_peer_connectivity_profile_name

    Ensure that the external router’s loopback IP addresses are not imported using this route map.

  5. Configure the export route control profile at the BGP peer connectivity profile area:

    Tenants > tenant_name > Networking > L3Outs > BGP_L3Out > Logical Node Profiles > logical_node_profile_name > Logical Interface Profiles > logical_interface_profile_name > bgp_peer_connectivity_profile_name

    This external route control profile should include all of the required routes to be exported out of the fabric, but should not export the l3out-bgp's loopback IP address in this route map (either the l3out-bgp's loopback IP address should not be part of the match rule, or there should be an explicit deny entry in the route map to deny the l3out-bgp's loopback IP address).

  6. Create the second L3Out with only the OSPF protocol enabled (l3out-ospf), with the following settings:

    1. Under l3out-ospf, navigate to the Select SVI or Select Floating SVI page:

      Tenants > tenant_name > Networking > L3Outs > l3out-ospf > Logical Node Profiles > log_node_prof_name > Logical Interface Profiles > log_int_prof_name, then + in the SVI or Floating SVI tab and configure the following:

      • In the Encap field, configure the VLAN settings

      • In the Encap Scope field, select VRF if the L3Out for BGP and the L3Out for OSPF use the same VLAN encapsulation ID for the floating SVI.

    2. Create an export route map to export all of the required direct routes, including the loopback of l3out-bgp out of l3out-ospf:

      Tenants > tenant_name > Networking > L3Outs > l3out-ospf, then right-click and choose Create Route Map For Import and Export Route Control, then select default-export

      The match condition for this default-export should be all of the required routes and the l3out-bgp's loopback IP addresses.

    3. Unless the Import Route Control Enforcement is explicitly configured under the L3Out, the external node’s loopback IP addresses are learned on the ACI fabric. If Import Route Control Enforcement is configured under the L3Out, the match condition for this default-import should have all the required routes and the external node’s loopback IP addresses:

      Tenants > tenant_name > Networking > L3Outs > l3out-ospf > Route map for import and export route control > default-import > Contexts > context_name > Associated Matched Rules
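
The loopback rules in this example (no loopbacks in the BGP route maps, loopbacks required in the OSPF ones) can be audited against the planned route-map entries. The following Python sketch is an added example, not Cisco code: route maps are modelled as ordered `(action, prefix)` lists with first-match evaluation and an implicit deny, an entry is assumed to match every route inside its prefix, and the dictionary keys and all prefixes are constructed.

```python
import ipaddress

def permits(route_map, route):
    """First-match evaluation of an ordered route map; implicit deny at the end."""
    net = ipaddress.ip_network(route)
    for action, prefix in route_map:
        entry = ipaddress.ip_network(prefix)
        # Simplification: an entry matches any route contained in its prefix.
        if net.version == entry.version and net.subnet_of(entry):
            return action == "permit"
    return False

def audit(maps, bgp_loopbacks, ext_loopbacks):
    """Return violations of the loopback rules for l3out-bgp and l3out-ospf."""
    findings = []
    for lo in bgp_loopbacks:
        if permits(maps["bgp_export"], lo):
            findings.append(f"bgp export advertises l3out-bgp loopback {lo}")
        if not permits(maps["ospf_default_export"], lo):
            findings.append(f"ospf default-export omits l3out-bgp loopback {lo}")
    for lo in ext_loopbacks:
        if permits(maps["bgp_import"], lo):
            findings.append(f"bgp import accepts external loopback {lo}")
        # default-import only applies when Import Route Control Enforcement is set.
        imp = maps.get("ospf_default_import")
        if imp is not None and not permits(imp, lo):
            findings.append(f"ospf default-import omits external loopback {lo}")
    return findings

# Constructed sample: the broad BGP export permit also covers the leaf loopback.
MAPS = {
    "bgp_import": [("deny", "192.0.2.1/32"), ("permit", "0.0.0.0/0")],
    "bgp_export": [("permit", "10.0.0.0/8")],
    "ospf_default_export": [("permit", "10.1.1.1/32"), ("permit", "10.20.0.0/16")],
    "ospf_default_import": [("permit", "192.0.2.1/32")],
}

if __name__ == "__main__":
    for finding in audit(MAPS, ["10.1.1.1/32"], ["192.0.2.1/32"]):
        print(finding)
```

Placing an explicit `("deny", "10.1.1.1/32")` entry ahead of the broad permit in `bgp_export` clears the finding, which corresponds to the explicit deny entry described in step 5.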