Author name: Belete Ageze

Belete Ageze, CCDE #20150051 and CCIE #39456, holds an active CCDE, CCIE in Routing and Switching, and CCIE in Service Provider. He is currently a Solutions Integration Architect at Cisco Systems. Belete has been in the networking industry for more than 20 years and has been involved in architecting, designing, and implementing various large-scale networks. Belete also holds a Bachelor of Science in Electrical Engineering from Addis Ababa University (Ethiopia). Belete’s passion for Software Defined Networking (SDN), his deep practical experience in network design addressing customers’ pain points and requirements, and his dedication to helping customers understand the technology and how it benefits the business make him one of the leaders in his field. Belete lives in Maryland, USA with his wife, son, and daughter.

VXLAN EVPN vPC Attached External / L4-L7 Configuration – BGP

Belete Ageze 2xCCIE | CCDE

Overview

In a VXLAN EVPN fabric, establishing external routed connectivity and integrating Layer 4 to Layer 7 (L4-L7) services are crucial for ensuring network security and optimizing traffic flow. Typically, external routed connections are linked to specific leaf switches known as border leaf switches. These switches handle traffic entering and […]

VXLAN EVPN Multi-Site – NDFC

Belete Ageze 2xCCIE | CCDE

In today’s fast-paced digital realm, businesses continually seek ways to swiftly provide adaptable services, meeting ever-changing customer expectations. They aim to enhance agility and productivity to maintain a competitive edge, while also optimizing costs and identifying opportunities for savings. VxLAN EVPN Multi-site architecture stands out as a robust solution, addressing

ACI Application Centric Deployment (ACD) and Subnet Sharing with Route Leaking

1. Overview

In Cisco ACI, a powerful feature called route leaking enables applications and services to communicate seamlessly across Virtual Routing and Forwarding (VRF) instances. This allows for efficient data flow within the network infrastructure, even when applications reside in separate VRFs for security or isolation purposes. Route leaking achieves this by sharing routing information

Cisco VxLAN EVPN Route Leaking – 2 (NDFC)

Overview

This blog is a continuation of ‘Cisco VxLAN EVPN Route Leaking – 1’ – https://deliabtech.com/data-center/cisco-vxlan-evpn-route-leaking-1/ . The focus is on configuring route leaking through the use of Nexus Dashboard Fabric Controller (NDFC).

Topology

Goal – Green vrf imports Blue & Orange vrfs and Blue & Orange vrfs import Green vrf

Assumptions

Configuration 1. log

Cisco VxLAN EVPN Route Leaking – 1

Overview

Route leaking in Cisco VXLAN EVPN fabrics plays a critical role in enabling communication between workloads residing in different L3 VXLAN Network Segments (VNIs), VRFs. It essentially allows these workloads to seamlessly access resources and services provided by shared services or external networks. VRF (Virtual Routing and Forwarding) – VRFs are leveraged to establish

VxLAN EVPN Fabrics External Connectivity – VRF Lite

Overview

VXLAN EVPN fabrics address the need for workload mobility, flexible resource allocation and multi-tenancy by decoupling workloads from the underlying physical infrastructure. This makes it possible to treat workloads as portable units that can be easily moved across different compute resources within the data center. Workloads in the data center need the ability to connect to

NDFC VxLAN EVPN Fabric – Brownfield

Belete Ageze 2xCCIE | CCDE

Overview

NDFC’s brownfield deployment approach streamlines the migration of existing VXLAN EVPN fabrics that were previously set up via CLI or custom scripts. This transition enables centralized management through a user-friendly web interface, simplifying configuration tasks, promoting consistency across the fabric, and facilitating troubleshooting efforts. The migration process involves fabric discovery, configuration import

Underlay Multicast Routing for VxLAN BUM Traffic

Belete Ageze – 2xCCIE | CCDE

Overview

While Cisco VxLAN leverages BGP EVPN for the control plane, it requires mechanisms to manage Broadcast, Unknown Unicast, and Multicast (BUM) traffic within the VxLAN fabric. VxLAN fabrics typically rely on multicast replication in the underlay network to efficiently forward BUM traffic. Although ingress replication serves as an

Cisco iCAM Monitor

Chord Diagram

Overview

Cisco iCAM – intelligent CAM (Content Addressable Memory) Analytics and Machine learning – is a feature available on Cisco Nexus switches. It provides functionalities focused on resource monitoring and analysis for various switch functions and features, such as:

Cisco iCAM Benefits

iCAM provides resource monitoring and analytics for different functions and features on supported switches. It

ACI Route Leaking – Shared Services (Network Centric Deployment)

Cisco ACI (Application Centric Infrastructure) uses a route leaking technique to allow routes to be shared between VRFs in the same tenant or in different tenants.

Route leaking reduces the number of routing devices involved in a multiple-VRF environment and improves network performance by avoiding the use of an outside path for inter-VRF communication. However, accidental route leaking can happen when manual configuration is used in a scaled environment, which may increase the complexity of network operation and troubleshooting.

ACI route leaking is a powerful feature, and it is critical to understand the pros and cons during the design phase to get the most out of it based on the unique requirements of the specific deployment.

Cisco ACI Contract

Cisco ACI security architecture is based on an allow-list model, where each permitted traffic flow must be defined explicitly. The contract is the foundation of the ACI security architecture; it defines the communication between EPGs|ESGs. The contract relationship is between ESGs, EPGs (regular or uSeg EPGs), or within an EPG|ESG for an intra-EPG contract.

Cisco ACI Floating L3Out

ACI uses L3Out to connect to external L3 domains via routing (dynamic routing protocol or static). There are multiple options and tools to optimize the L3Out for effective L3 communication between ACI and external network services. One of those is Floating L3Out.

Floating L3Out enables engineers to configure an L3Out without specifying logical interfaces. Floating L3Out makes configuration, management, and troubleshooting easier. Only specific leaf nodes, called anchor leaf nodes, establish routing adjacencies with external routers.

Anchor leaf node – a leaf node that establishes route peering / L3 adjacencies with the external routers. As of Cisco ACI release 6.0(1), the verified scalability number of anchor leaf nodes is 6 per L3Out.

ACI Multi-site Object Naming Consideration

Designing ACI multi-site object names should not be an afterthought, since it has implications during inter-site communication deployment. When a contract with the right scope is applied between site-local EPGs, the ACI objects are mirrored on the remote sites. The mirrored objects appear as if they are deployed in each of these sites’ controllers, while only actually being deployed in one of the sites. These mirrored objects are called “shadow” objects, and they appear with the same names as the ones that were deployed directly to each site. Because shadow objects are required for inter-site communication between site-local EPGs, this blog focuses on the ACI multi-site object naming considerations an engineer needs to be aware of.

ACI Contract Priority

This blog post will focus on ACI contract priority. A contract is applied in a provider / consumer relationship, and a leaf programs a security policy (zoning rules) in TCAM (Ternary Content Addressable Memory). A zoning rule entry defines an action (permit, deny, redirect, log) based on the source EPG, the destination EPG, and a filter. The source EPG and destination EPG are represented by a unique class ID (pcTag). Zoning rules are per VRF, are defined with a unique scope, and have a priority. The lower the priority number, the higher the priority: a zoning rule with the lower value (higher priority) wins over a zoning rule with a higher value (lower priority). When traffic between EPGs matches more than one zoning rule, the zoning rule priority, together with some higher-level rules, is used to decide the action applied to the traffic flow.

ACI Contract

The ACI security architecture plays a foundational role toward Zero Trust architecture and micro-segmentation initiatives in the data center. In this blog post, ACI contract structure, contract inheritance, and contract labels are discussed. EPG|ESG classification, policy enforcement, and ways of deploying contracts from the macro to the micro level are also covered.

Two Arm Load Balancer with ACI PBR destination in an L3out

When inserting a load balancer into a Cisco ACI fabric, it is important to understand the desired traffic flow, the advantage of using the ACI fabric anycast gateway, the benefit of selective traffic redirection, and whether DSR is required. Load balancers can be inserted into an ACI fabric using the following deployment options. Policy based redirect (PBR) is a feature to selectively steer traffic to service nodes. PBR with load balancers (one-arm, two-arm) plays a key role in returning traffic back to the same load balancer that handled the incoming traffic while preserving the client IP as the source IP.

ACI Custom EPG Name for Simple and Meaningful Port Group Naming

An EPG with a VMM domain association creates a port group on the APIC-managed DVS. The name of the port group defaults to ‘Tenant_name|AP_name|EPG_name’. Depending on how the tenant, application profile and EPG are named, that name may not be simple or meaningful for the VMware admin. The solution is a custom EPG name: an EPG can optionally have a custom name with the VMM domain association. Beginning in release 4.2(3), the custom EPG name is used to create a port group with a simple and meaningful name when the default ‘Tenant_name|AP_name|EPG_name’ naming doesn’t meet the VMware admin’s naming standard.

One Arm Load Balancer with ACI PBR Destination in an L3out

One Arm LB with ACI PBR Destination in an L3out - logical drawing

When inserting a load balancer into a Cisco ACI fabric, it is important to understand the desired traffic flow, the advantage of using the ACI fabric anycast gateway, the benefit of selective traffic redirection, and whether DSR is required. Load balancers can be inserted into an ACI fabric using the following deployment options. Policy based redirect (PBR) is a feature to selectively steer traffic to service nodes. PBR with load balancers (one-arm, two-arm) plays a key role in returning traffic back to the same load balancer that handled the incoming traffic while preserving the client IP as the source IP.

One Arm Load Balancer with ACI Policy Based Redirect

When inserting a load balancer into a Cisco ACI fabric, it is important to understand the desired traffic flow, the advantage of using the ACI fabric anycast gateway, the benefit of selective traffic redirection, and whether DSR is required. Load balancers can be inserted into an ACI fabric using the following deployment options. Policy based redirect (PBR) is a feature to selectively steer traffic to service nodes. PBR with load balancers (one-arm, two-arm) plays a key role in returning traffic back to the same load balancer that handled the incoming traffic while preserving the client IP as the source IP.

VxLAN EVPN Multi-Site Configuration

VxLAN EVPN Multi-site architecture is one of the widely deployed DC network solutions that can be scaled to thousands of switches across a wide range of geographical regions. VxLAN and MP-BGP together create a powerful technology used to build a large, secure, and resilient multi-tenant web-scale fabric that can scale to host hundreds of thousands of systems. In this document, VxLAN EVPN Multisite with two sites (SITE1 and SITE2) and an inter-site network (ISN) will be configured to seamlessly extend layer 2 and layer 3 using anycast BGWs. All configurations necessary for full operation will be included…

ACI Transit Routing

The ACI fabric supports transit routing. This feature enables a border leaf to perform bidirectional redistribution between routing domains. Transit traffic can pass from one layer 3 domain to another layer 3 domain through ACI (the ACI fabric acting as a transit between the two layer 3 domains). A transit route is defined to import traffic through the Layer 3 outside network (L3Out) where it is to be imported. A different transit route is defined to export traffic through another L3Out to the destination routing domain.

The route-maps for import and export route control are made up of prefix-list matches. Each prefix-list consists of bridge domain (BD) subnets, external subnet prefixes in the VRF, and the export prefixes that need to be advertised outside. Route control policies are defined in an L3Out and controlled by properties and relations associated with the L3Out. APIC uses the enforce route control property of the L3Out to enforce route control directions. The default is to enforce control on export and allow all on import. The default scope for every route is import. These are the routes and prefixes which form a prefix-based EPG…