Cisco ACI - Transit Routing
Hello 😊 Today we’re going to learn how to implement Transit Routing in Cisco ACI!
Why?
Let’s see the following scenario, where ACI is connected to both Campus Core and a Firewall.
Cisco ACI establish BGP sessions with both devices and exchange some prefixes.
Firewall is announcing two subnets:
- 10.51.132.0/24
- 10.51.133.0/24
The campus core must receive these prefixes through the BGP session with Cisco ACI.
Disclaimer
DYOR (Do Your Own Research). Test the procedure before apply changes into your production environment.
What is L3Out
L3Out in Cisco ACI is a feature that enables the ACI fabric to establish connections with external Layer 3 networks. It allows for the routing of traffic between the ACI fabric and external networks, facilitating communication between tenants within the ACI fabric and entities outside the fabric. L3Out connections can be configured using protocols such as BGP, OSPF, EIGRP, or static routes. These connections provide the necessary connectivity to external routers or switches outside of the ACI fabric. By leveraging L3Out, organizations can seamlessly integrate their ACI fabric with external networks, enabling secure and efficient communication between different network environments.
In our scenario, Cisco ACI have two different L3Outs with BGP sessions, one with the Firewall and the other one with the Campus Core
Transit Routing in Cisco ACI
Transit routing is a feature in Cisco ACI that allows for the routing of traffic between multiple L3Out connections. It enables the ACI fabric to act as a transit network, facilitating communication between external networks connected through different L3Out connections.
With transit routing, traffic can flow from one external network, through the ACI fabric, and then to another external network. This is useful in scenarios where you have multiple external networks that need to communicate with each other, and you want to centralize the routing within the ACI fabric.
Transit routing involves configuring the necessary components in ACI, such as defining the external networks and L3Out connections, creating Virtual Routing and Forwarding (VRF) instances, setting up route policies, and configuring routing protocols. By leveraging transit routing, you can establish seamless communication between different external networks connected to your ACI fabric
Configuration
In our topology, I’ll skip the L3Out configuration and I’ll just describe which flag must be checked and what to do with contracts.
First of all, in your L3Out you should have an External EPG configured. Usually, it’s a 0.0.0.0/0 subnet or, if you have some specific networks, it’s recommended to specify networks behind this external device. You have to flag the “Export Route Control Subnet” check box and the “Aggregate Export”:
By doing this, you’re telling the Cisco ACI to match all the prefixes (like a prefix-list configured: 0.0.0.0/0 le 32)
Then, from a contract perspective, you have to form a connection between this External EPG and the External EPG on the other L3Out. Basically, you have to consume/provide the same contract, to make sure that these External EPGs can talk to each other.
I.E.: Let’s assume that the External EPG on the Campus Core L3Out is consuming a permit any/any contract (used to allow the communication between this External EPG and all the production EPGs), then the External EPG on the Firewall L3Out must provide the same contract (and also consume it due to the communication with production EPGs)
Campus Core L3Out External EPG Contracts:
Firewall L3Out External EPG Contracts:
VERIFY
Cisco ACI routing table for the two subnets:
Let’s connect to the Campus Core and verify the same subnets:
As you can see from the BGP AS Path, the prefixes are coming from AS 65903 (Firewall ASN), passing through 65900 (Cisco ACI ASN) and finally arriving at Campus Core.
Thanks for your time I hope that you’re enjoying my blog!
If you have some questions, please drop me a message through social networks!😊
👈 You can find the relative icons here on the left of the page
Riccardo