Intersite L3out Overview
Starting from release 4.2(1), ACI allows an intersite L3Out to be configured on a Multi-Site ACI fabric. This feature enables an endpoint in one site to send traffic to Layer 3 resources reachable through a remote site's L3Out connection. Before release 4.2(1), endpoints deployed in a given site could communicate with the external network domain only through a local L3Out connection.
Inter-site L3Out also supports transit routing across sites (L3Out to L3Out) and allows an L3Out in one site to serve as a backup for other sites.
Traffic is encapsulated directly to the TEP of the remote border leaf (BL) nodes. External prefixes are exchanged across sites over the Inter-Site Network (ISN) via MP-BGP VPNv4/VPNv6 sessions between the spines.
In this article we will cover the following topics:
- Inter-site L3Out use cases
- How to configure inter-site L3Out
Inter-Site L3Out use case 1
Figure 1.
- An endpoint in site-1 accessing resources outside of the data center through an L3Out in site-2
- An endpoint in site-1 accessing data center resources in site-2 that are connected through an L3Out, such as a mainframe, a virtualization environment (NSX-T), a container environment (OCP), a firewall or a load balancer
Inter-Site L3Out use case 2
Figure 2.
- An endpoint in site-1 uses its local L3Out under normal circumstances.
- The L3Out in site-2 is used as a backup for endpoints in site-1 during a local L3Out failure, and vice versa: an endpoint in site-2 uses the site-1 L3Out during a local L3Out failure.
Inter-Site L3Out use case 3
Figure 3.
- Intersite L3Out used for transit routing: Layer 3 users/systems connected to site-1 access Layer 3 resources reachable only through site-2 using the remote L3Out, and vice versa.
- Some Layer 3 resources are reachable only through one site, for example partner access when the partner is connected to only one of the data center sites.
- Communication between resources such as a mainframe in site-1 and a mainframe in site-2, or a container environment (OCP) in site-1 and one in site-2
Lab Setup and Topology Diagram
Figure 4.
- The lab runs ACI 5.2(7f), ND 2.2(2d) and NDO 4.1.1i
- VM and L3Out are in VRF1
- VM is in BD1, AP1 and EPG1
- L3Out is the provider and EPG1 is the consumer of the contract
- VM IP: 192.168.0.10; external host IP: 192.168.100.10
In this example, we will use the intersite L3Out feature to provide Layer 3 connectivity within our Multi-Site ACI fabric. An endpoint (VM 192.168.0.10) in site-2 will use site-1’s L3Out to access an external endpoint (192.168.100.10) learnt in site-1.
ACI Multi-site Inter-site L3Out Configuration Steps
- Configure External Tunnel Endpoint Pool (ETEP)
- Create Tenant and Schema
- Create extended template with VRF, Contract and Filter
- Create L3Out for SITE1
- Create site specific template for SITE1
- Create site specific template for SITE2
- Apply contract between EPG1 and ext EPG
- Verification
1. Configure External Tunnel Endpoint Pool (ETEP)
Intersite L3Out needs a separate external TEP (ETEP) pool for each site that is part of the Multi-Site domain. The ETEP pools need to be routable, and their configuration is managed by the Nexus Dashboard Orchestrator. Each border leaf is assigned an additional TEP address from the ETEP pool for establishing the leaf-to-leaf VXLAN tunnel between sites.
Infrastructure -> Site Connectivity -> Configure
Choose the site and pod -> under External TEP Pools click ‘Add TEP pool’
Enter the External TEP pool IP range -> click ‘OK’ -> click ‘Deploy’ in the Site Connectivity window
2. Create Tenant and Schema
3. Create extended template with VRF, Contract and Filter
Under a schema:
- Click ‘Add New Template’
- Choose ‘ACI Multi-Cloud’ template type
- Name the template and associate with the right tenant
- Associate the template with the right site(s)
- Create objects
From the schema window click ‘Add New Template’ and choose the ‘ACI Multi-Cloud’ template type
Name the template and associate with the right tenant
Associate the template with the right site(s)
Create objects needed for the template
4. Create L3Out for SITE1
Using NDO, create the L3Out for SITE1. With NDO release 4.1(1), the entire configuration of an L3Out can be done in NDO. For releases before 4.1(1), create the L3Out object in NDO and complete the configuration in APIC.
Configuring the L3Out properties
5. Create Site Specific Template for SITE1
SITE1 only needs an external EPG for this lab test
6. Create Site Specific Template for SITE2
SITE2 needs a bridge domain, an application profile and an EPG
7. Apply contract between EPG1 and ext EPG
Applying the contract is the step that establishes communication between the sites for EPG1 and ext-EPG-OSPF. This step creates shadow objects in each site.
8. Verification
Verification is done by testing reachability from the VM in EPG1 of SITE2 to the host connected to SITE1 via the L3Out.
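Alongside the reachability test, the contract relations from step 7 can be audited on each site's APIC. The following is an added example, not part of the original article: it parses the JSON that an APIC REST class query for fvRsCons/fvRsProv returns and checks that EPG1 consumes and ext-EPG-OSPF provides the contract, that every relation is in the ‘formed’ state (anything else means the contract target, e.g. a shadow object, is absent at that site), and that no other EPG provides it. The tenant, contract and L3Out names are placeholders, and the response is constructed.

```python
import json

# Placeholders for names the article does not give; AP1, EPG1, ext-EPG-OSPF are the lab's.
TENANT = "TENANT_PLACEHOLDER"
CONTRACT = "CONTRACT_PLACEHOLDER"
EPG1_DN = f"uni/tn-{TENANT}/ap-AP1/epg-EPG1"
EXT_EPG_DN = f"uni/tn-{TENANT}/out-L3OUT_PLACEHOLDER/instP-ext-EPG-OSPF"
# Constructed sample of what GET /api/node/class/fvRsCons.json and
# GET /api/node/class/fvRsProv.json return (merged here) after NDO deploys the template.
SAMPLE_APIC_RESPONSE = json.dumps({"imdata": [
    {"fvRsCons": {"attributes": {"dn": f"{EPG1_DN}/rscons-{CONTRACT}",
                                 "tnVzBrCPName": CONTRACT, "state": "formed"}}},
    {"fvRsProv": {"attributes": {"dn": f"{EXT_EPG_DN}/rsprov-{CONTRACT}",
                                 "tnVzBrCPName": CONTRACT, "state": "formed"}}},
    {"fvRsProv": {"attributes": {"dn": f"uni/tn-{TENANT}/ap-AP1/epg-EPG2/rsprov-{CONTRACT}",
                                 "tnVzBrCPName": CONTRACT, "state": "missing-target"}}},
]})


def contract_relations(response_text, contract):
    """Collect (dn, state) of every consumer/provider relation of one contract."""
    rels = {"consumers": [], "providers": []}
    for item in json.loads(response_text)["imdata"]:
        for cls, body in item.items():
            attrs = body["attributes"]
            if attrs.get("tnVzBrCPName") != contract:
                continue
            key = {"fvRsCons": "consumers", "fvRsProv": "providers"}.get(cls)
            if key:
                rels[key].append((attrs["dn"], attrs["state"]))
    return rels


def audit_intersite_contract(response_text, contract, consumer_dn, provider_dn):
    """Return findings; an empty list means consumer/provider are wired as intended."""
    findings = []
    rels = contract_relations(response_text, contract)
    for kind in ("consumers", "providers"):
        for dn, state in rels[kind]:
            # Not 'formed' means the contract target does not exist at this site.
            if state != "formed":
                findings.append(f"{kind[:-1]} {dn} has state {state}")
    if not any(dn.startswith(consumer_dn + "/") for dn, _ in rels["consumers"]):
        findings.append(f"{consumer_dn} does not consume {contract}")
    if not any(dn.startswith(provider_dn + "/") for dn, _ in rels["providers"]):
        findings.append(f"{provider_dn} does not provide {contract}")
    # Least privilege: only the external EPG should provide this contract.
    for dn, _ in rels["providers"]:
        if not dn.startswith(provider_dn + "/"):
            findings.append(f"unexpected provider {dn}")
    return findings
```

Run the same audit against the APIC of each site: the shadow objects NDO creates mean both sites should report an empty findings list.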