Cisco ACI L3Out (Layer 3 Out)


Layer 3 Outside (L3out) for Routed Connectivity to External Networks

In a Cisco ACI fabric, the bridge domain is not meant for the connectivity of routing devices, and this is why you cannot configure static or dynamic routes directly on a Cisco ACI bridge domain. You need to use a specific construct for routing configurations: the L3Out.

Localisation : Tenant > Networking > External Routed Domains

A L3Out policy is used to configure interfaces, protocols, and protocol parameters necessary to provide IP connectivity to external routing devices.

Part of the L3Out configuration involves also defining an external network (also known as an external EPG) for the purpose of access-list filtering.

The external network is used to define which subnets are potentially accessible through the Layer 3 routed connection. As part of the L3Out configuration, these subnets should be defined as external networks. Alternatively, an external network could be defined as 0.0.0.0/0 to cover all possible destinations, but in case of multiple L3Outs, you should use more specific subnets in the external network definition.

[Diagram: Cisco ACI fabric made of Spine Nodes, Leaf Nodes and the APIC Cluster; an L3out on a border leaf reaches the 0.0.0.0/0 External Networks for ACI.]

L3out objects relationships

Routed connectivity to external networks is enabled by associating a fabric access external routed domain with a tenant Layer 3 external instance profile (l3extInstP or external EPG) of a Layer 3 external outside network (l3extOut), in the hierarchy in the side diagram.

A Layer 3 external outside network (l3extOut object) includes the routing protocol options (BGP, OSPF, EIGRP, static) and the switch-specific and interface-specific configurations.

The External EPG exposes the external network to tenant EPGs through a contract.

[Diagram: on the tenant side, Tenant > Bridge domain (BD to L3out association) > VRF > EPG > Contract > External EPG > L3out. The L3out carries the route control (BGP, OSPF, EIGRP, static) and the security control (contracts) and is built from a Logical node profile and a Logical interface profile. On the access side, Layer 3 External Domain Profile > Vlan Pool > AAEP.]

Definitions

Logical node profile
This is the leaf-wide VRF routing configuration, whether it is dynamic or static routing. For example, if you have two border leaf nodes, the logical node profile consists of two leaf nodes.

Logical interface profile
This is the configuration of Layer 3 interfaces or SVIs on the leaf defined by the logical node profile. The interface selected by the logical interface profile must have been configured with a routed domain in the fabric access policy. This routed domain may also include VLANs if the logical interface profile defines SVIs.

External network and EPG
This is the configuration object that classifies traffic from the outside into a security zone.

[Diagram: Logical node profile (Node, BGP Peer Connectivity profile) and Logical interface profile (Interface, OSPF interface profile, EIGRP interface profile).]
L3out Design

Gateway Resiliency (static routing)

Some design scenarios require gateway resiliency on L3Out. For L3Outs configured with static routing, Cisco ACI provides multiple options for a resilient next hop:

- Secondary IP: this option is available on routed interfaces, subinterfaces, and SVIs, but is used mostly with SVIs.
- HSRP: this option is available on routed interfaces and on subinterfaces (not on SVIs). It is used primarily in conjunction with an external switch.

[Diagram: Leaf101 (SVI .252) and Leaf102 (SVI .253) sharing the Secondary IP .254 on 192.168.1.0/24; the external router (.1) has a static route => 192.168.1.254.]

Shared services

- One L3out object per User Tenant: each user tenant has its own L3out (and VRF) towards the router.
- One L3out object inside the Common Tenant: every user Tenant is associated to it (simplify and scale the configuration). This is called « shared services ». Example of config in page 3.

[Diagram: left, one L3out and VRF per User Tenant in the ACI Fabric; right, a single L3out and VRF in the Common Tenant shared by the User Tenants.]
Author: Ben oit GON CALVES – 2020 – ACI 4.2
Configuration Steps

Tenant Tab

1. Configure Tenant & VRF
Localisation : Tenants > Add Tenant
Localisation : Tenants > Networking > VRF
Tenant: ACME
VRF: Networklife

2. Configure the Bridge Domain
Localisation : Tenant > Networking > Bridge Domain
Name: Standalone.BD
Click on « Advertise Host Routes » to enable advertisement to all deployed border leaf switches.
VRF: attach it to the VRF created at previous step.
Subnet: 10.0.0.1/24 + « Advertise Externally »

3. Configure the AP & EPG
Localisation : Tenant > Application Profiles
Name of AP: Standalone.AP
Name of EPG: Standalone.EPG
BD: Standalone.BD

4. Configure the L3out
Localisation : Tenant > Networking > External Routed Networks
Right click and choose create L3out.
Name: WAN-L3out
VRF: Networklife
External Routed Domain: WAN-L3out.RoutedDomain
- If you need dynamic routing, tick BGP, OSPF or EIGRP. For this example, we will configure static routing.

5. Configure Node Profile
Localisation : Tenant > Networking > External Routed Networks
- Inside the L3out object > Policy > Node Profiles, click « + ».
Name : ACINodeProfile
- Nodes, click « + », select the ID of the leaf 102 and configure the Router ID IP address.
- Set the static route 0.0.0.0/0 with the external router IP as a next-hop.

6. Configure Logical Interface Profiles
Localisation : Tenant > Networking > External Routed Networks > Logical Node Profiles > ACINodeProfile > Logical Interface Profiles
Name: Leaf102-IntProf
- Configure the local IP in the same subnet as the external router; you can use Routed sub-interfaces, Routed interfaces or SVI.
- Choose the Port 1/1 previously created and encapsulation vlan-10.

7. Configure External Networks (EPG)
Localisation : Tenant > Networking > External Routed Networks > Networks
Name: WAN-ExtNet
Subnets: 0.0.0.0/0

8. Attach the BD to the L3out
Localisation : Tenant > Networking > Bridge Domain
- Go to the Bridge domain which needs to access the L3out.
- Click on Policy > L3 Configuration.
- Into L3out, click « + » and add the object WAN-L3out.
Don't forget to attach your L3out to each BD.

9. Create Contract and attach it to the EPGs
Localisation : Tenant > Contract > Standard
- Create a standard contract, with a filter allowing IP any.
- Configure the External EPG WAN-ExtNet as Provider.
- Configure the vzAny (EPG Collection for VRF) as Consumer (one application for all BDs).
Don't forget the contract.

Fabric Tab

1. Configure VLAN Pool
Localisation : Fabric > Access Policies > Pools > Vlan
Name: L3out.VLANPool
Vlan: 10

2. Configure External Routed Domain
Localisation : Fabric > Access Policies > Physical and External Domains > External Domains
Name: WAN-L3out.RoutedDomain
Vlan Pool: L3out.VLANPool

3. Configure AEP
Localisation : Fabric > Access Policies > Policies > Global > Attachable Access Entity Profile
Name: ExternalRouter.AEP
Domain: WAN-L3out.RoutedDomain

4. Configure Interface Policies
Localisation : Fabric > Access Policies > Policies > Interface
Reuse previously created objects.

5. Configure Interface Policy Groups
Localisation : Fabric > Access Policies > Interface > Leaf Interface > Policy Groups > Access Port
Name: ExternalRouter.APPG
Link: 1G-Auto
STP: STP-BPDU-Guard-on
STP: STP-BPDU-Filter-on
PFC: PFC-auto
LACP: LACP-active
AAEP: ExternalRouter.AEP

6. Configure Interface Profiles
Localisation : Fabric > Access Policies > Interface > Leaf Interface > Profiles
Name: Leaf101-LeafProf
- Access Port Selector: Eth1.01
- Access Block Port: 1/1
- Interface Policy Group: StandaloneServer.APPG
Name: Leaf102-LeafProf
- Access Port Selector: Eth1.01
- Access Block Port: 1/1
- Interface Policy Group: ExternalRouter.APPG

[Diagram: physical topology with two SPINEs, LEAF 101 and LEAF 102; the Standalone Server hangs off leaf 101, the External Router (towards the WAN) off leaf 102 on L3out vlan-10.]

[Diagram: object tree under Policy Universe. ACME Tenant: Standalone.AP (AP), Standalone.BD (BD), Networklife (VRF), WAN-L3out (L3 Ext Outside) with Standalone.EPG (EPG), WAN-ExtNet (L3 External Instance Profile) and its Subnets, ACINodeProfile (L3 External Node Profile), Leaf102-IntProf (L3 External Interface Profile), and the Contract. ACCESS: WAN-L3out.RoutedDomain (Layer 3 External Domain Profile), L3out.VLANPool (Vlan Pool), ExternalRouter.AEP (AAEP).]

Configuration Steps

Shared L3out with multiple Tenants

3 validated designs are possible for « shared services »:

Option 1 - BD in Common Tenant
- Shared L3out for the fabric with static/dynamic routing in Tenant Common.
- All Endpoint groups (EPGs) are configured in respective user Tenant(s).
- Bridge Domains (BDs), subnets, and VRFs are all configured in the Tenant common.

Option 2 - BD in User tenant
- Shared L3out for the fabric with static/dynamic routing in Tenant Common.
- All Endpoint groups (EPGs), Bridge Domains (BDs), and subnets are configured within the customer's respective user Tenant(s).
- The VRF is configured in the Tenant common where the L3out is configured.

Option 3 - Inter-VRF Leaking with Shared L3out
- Shared L3out for the fabric with static/dynamic routing in Tenant Common.
- All Endpoint groups (EPGs), Bridge Domains (BDs), subnets and VRFs are configured within the customer's respective user Tenant(s).
- Only L3out is configured in the common tenant.

[Diagram: three ACI Fabrics side by side. Option 1: Router > L3out > VRF > BD + Subnet in the Common Tenant, EPGs in the User Tenants. Option 2: Router > L3out > VRF in the Common Tenant, BD + Subnet and EPG in each User Tenant. Option 3: Router > L3out in the Common Tenant, VRF, BD + Subnet and EPG in each User Tenant.]

HowTo Configure Option 3 - Inter-VRF Leaking with Shared L3out

Make sure the IP subnets in user tenants do not overlap; this design requires them to be shared between VRFs. In this example, we reuse the physical topology of the page 2 (L3out on leaf 102), but the logical configuration is changing.

User Tenants (Tenant1.Tn and Tenant2.Tn)

1. Configure the Tenant and the VRF
Tenant1.Tn: configure the VRF Tenant1.VRF
Tenant2.Tn: configure the VRF Tenant2.VRF

2. Configure the Bridge Domain
Localisation : Tenant Tenant1.Tn > Networking > Bridge Domains > YourBD > L3 Configurations
Localisation : Tenant Tenant2.Tn > Networking > Bridge Domains > YourBD > L3 Configurations
Name: Tenant1.BD, subnet 10.1.1.1/24
Name: Tenant2.BD, subnet 10.2.2.1/24
On L3 configuration, enable unicast routing and create the subnet (10.1.1.1/24 or 10.2.2.1/24) with the following options:
- Advertise Externally - to advertise these gateway subnets out to Shared L3Out to the internet.
- Shared between VRFs - to leak the subnets to the common tenant.
NOTE – Do not associate L3out listed on the BD; when we use an Inter-vrf Shared L3out, we do not need to associate the user Tenant BDs with the L3out in Tenant Common.

3. Configure the AP & EPG
Localisation : Tenant > Application Profiles
Name of AP: Standalone.AP
Name of EPG: Standalone.EPG
BD: Tenant1.BD (Tenant2.BD in Tenant2.Tn)

Moving into common tenant

4. Configure the L3out
Localisation : Tenant > Networking > External Routed Networks

5. Configure Node Profile
Localisation : Tenant > Networking > External Routed Networks

6. Configure Logical Interface Profiles
Localisation : Tenant > Networking > External Routed Networks > Logical Node Profiles > ACINodeProfile > Logical Interface Profiles

7. Configure External Networks (EPG)
Localisation : Tenant > Networking > External Routed Networks > Networks
Name: WAN-ExtNet
Subnets: 0.0.0.0/0
Tick the following options:
- External Subnets for the External EPG – allow this subnet in the external EPG.
- Shared Route Control Subnet – if this network is learned from the outside through this VRF, it can be leaked to the other VRFs.
- Shared Security Import Subnet – sets the classifier for the subnets in the VRF where the routes are advertised. Shared security-import subnets are used with shared L3Out configuration, not used for routing control. This setting configures an ACL in the VRF that is consuming the shared L3Out.

8. Create Contract and attach it to the EPGs
Localisation : Tenant Common > Contract > Standard
- Create a standard contract, with a Global scope and a filter allowing IP any.
- Configure the External EPG WAN-ExtNet as Provider (P).
- Configure the vzAny as Consumer (C) on Tenant1.VRF and Tenant2.VRF.

[Diagram: the Router reaches the ACI Fabric with a static route over Vlan-10. The Common Tenant holds WAN_L3out with the EPG ExtNet (P) in VRF default, providing the contract Ct. Tenant1.Tn (Tenant1.BD 10.1.1.1/24) and Tenant2.Tn (Tenant2.BD 10.2.2.1/24) each have their own VRF, whose vzAny (C) consumes the contract, and an EPG with endpoints (EP).]
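The Option 3 walkthrough above, as a planner that first enforces the non-overlap requirement stated at the top of the section and then emits the per-tenant APIC trees with the exact scope flags the steps tick. This is an added example for this page, not the author's configuration nor Cisco's code. Tenant, VRF, BD and subnet values are the page's; class and attribute names follow the ACI object model (fvSubnet scope "public,shared" for Advertise Externally + Shared between VRFs, l3extSubnet scope "import-security,shared-rtctrl,shared-security" for the three external EPG checkboxes, vzBrCP scope "global") and should be checked against your APIC version. The contract name SharedL3out.Ct is a constructed placeholder, and the common-tenant L3out is reduced to step 7 and 8 objects because its node profile, interface profile and VRF binding are the same as in the page-2 walkthrough.

```python
"""Plan the page-3 Option 3 design (inter-VRF leaking through a shared L3Out).

Added example, not the author's own configuration. Tenant, BD and subnet
values are the page's; class and attribute names follow the ACI object
model. The contract name SharedL3out.Ct is a constructed placeholder.
"""
import ipaddress

# Constructed from the page-3 walkthrough: tenant -> (VRF, BD, gateway subnet)
USER_TENANTS = {
    "Tenant1.Tn": ("Tenant1.VRF", "Tenant1.BD", "10.1.1.1/24"),
    "Tenant2.Tn": ("Tenant2.VRF", "Tenant2.BD", "10.2.2.1/24"),
}


def check_no_overlap(subnets):
    """Return the overlapping (name, name) pairs; leaking into one VRF needs none."""
    nets = {name: ipaddress.ip_interface(s).network for name, s in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def mo(cls, attrs, children=()):
    """One managed object in APIC JSON shape: {class: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}


def user_tenant(name, vrf, bd, gateway, contract):
    """Steps 1, 2 and 8 for one user tenant (the AP/EPG of step 3 is left out)."""
    # Step 2: unicastRoute enables unicast routing; subnet scope "public" is
    # Advertise Externally and "shared" is Shared between VRFs. There is
    # deliberately no fvRsBDToOut: per the page's NOTE the user BD is not
    # associated with the common-tenant L3Out in this design.
    # Step 8: vzAny of the user VRF consumes the global contract.
    return mo("fvTenant", {"name": name}, [
        mo("fvCtx", {"name": vrf}, [
            mo("vzAny", {}, [mo("vzRsAnyToCons", {"tnVzBrCPName": contract})]),
        ]),
        mo("fvBD", {"name": bd, "unicastRoute": "yes"}, [
            mo("fvRsCtx", {"tnFvCtxName": vrf}),
            mo("fvSubnet", {"ip": gateway, "scope": "public,shared"}),
        ]),
    ])


def common_tenant(l3out, ext_net, contract):
    """Steps 7 and 8 in tenant common (node/interface profiles are as on page 2)."""
    # Step 7: the three checkboxes map onto l3extSubnet scope values:
    #   import-security = External Subnets for the External EPG (classification)
    #   shared-rtctrl   = Shared Route Control Subnet (leak learned routes)
    #   shared-security = Shared Security Import Subnet (classifier/ACL in the
    #                     consuming VRFs)
    # Step 8: contract scope "global" so one contract spans tenants and VRFs.
    return mo("fvTenant", {"name": "common"}, [
        mo("l3extOut", {"name": l3out}, [
            mo("l3extInstP", {"name": ext_net}, [
                mo("l3extSubnet", {"ip": "0.0.0.0/0",
                                   "scope": "import-security,shared-rtctrl,shared-security"}),
                mo("fvRsProv", {"tnVzBrCPName": contract}),
            ]),
        ]),
        mo("vzBrCP", {"name": contract, "scope": "global"}, [
            mo("vzSubj", {"name": "any"},
               [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "default"})]),
        ]),
    ])


def plan_shared_l3out(tenants=USER_TENANTS, l3out="WAN_L3out",
                      ext_net="WAN-ExtNet", contract="SharedL3out.Ct"):
    """Refuse overlapping subnets, else return the tenant trees to POST (common first)."""
    overlaps = check_no_overlap({t: gw for t, (_, _, gw) in tenants.items()})
    if overlaps:
        raise ValueError(f"subnets overlap, cannot be leaked into one VRF: {overlaps}")
    trees = [common_tenant(l3out, ext_net, contract)]
    trees += [user_tenant(t, vrf, bd, gw, contract)
              for t, (vrf, bd, gw) in tenants.items()]
    return trees


if __name__ == "__main__":
    import json
    print(json.dumps(plan_shared_l3out(), indent=2))
```

The overlap check is the part worth keeping in any automation around this design: once two user VRFs leak a colliding prefix into the common VRF, return traffic from the shared L3Out is steered by the longest match rather than by tenant, so the check belongs before the POST, not in troubleshooting afterwards.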
