aci multisite L3-out and GOLF


14.01 2020 | by massimiliano


 

ACI Multi-Site L3-out connectivity:

 

Traditional L3Out on border leaf nodes: the same IP subnet is deployed in both sites, so usually the same IP prefix is advertised to the WAN from both sites.

As a result, by default incoming traffic may be delivered to either Site 1 or Site 2.

However, commonly one of the two sites is nominated as the home site for that specific IP subnet (the site at which, at steady state, most of the endpoints for that subnet are connected).

 

Routing updates sent to the WAN are tuned so that all incoming traffic for the subnet is steered toward the home site.

 

The migration of a specific endpoint to Site 2 most likely would not modify this behavior, and ingress traffic would continue to be steered toward the IP subnet home site. Connectivity to the migrated endpoint is still maintained because of its dynamic discovery in Site 2, which triggers an EVPN update from the spine nodes in Site 2 to the spine nodes in Site 1.

This update essentially provides Site 1 with the location information for the migrated endpoint, which is required to redirect the traffic flows to Site 2.

 

 

ACI Multi-Site L3-out connectivity with GOLF:

 

 

The GOLF function is mandatory to support the IP mobility use case with a Cisco ACI Multi-Site design.

 

The use of EVPN-based L3Out connections, often referred to as GOLF, can be positioned to avoid the problem described above (ingress traffic hairpinning through the home site). Deploying GOLF L3Out connections allows you to send toward the WAN edge devices not only IP subnet information but also specific host routes; as a consequence, ingress traffic is always steered to the site at which the endpoint is located.
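To make the steering difference concrete, here is an added Python example (not code from the original post and not a Cisco tool) that models the WAN's longest-prefix-match decision for the two cases above: both sites advertising only the subnet, with the home site preferred by tuned attributes, versus GOLF additionally advertising a host route from the site where the endpoint was discovered. The site names, prefixes, the "cost" tie-breaker that stands in for the tuned routing attributes, and the migrated endpoint address are all constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route as seen by the WAN: (prefix, advertising site, preference "cost").
# Lower cost models the tuned routing attributes that make the home site preferred.
Route = Tuple[str, str, int]

# Constructed sample: traditional L3Out, both sites advertise the same /24,
# Site 1 is the home site and is tuned to be preferred.
TRADITIONAL_L3OUT: List[Route] = [
    ("10.1.1.0/24", "site1", 10),
    ("10.1.1.0/24", "site2", 20),
]

# Constructed sample: GOLF L3Out, Site 2 additionally advertises a /32 host route
# for the endpoint that was dynamically discovered there after migration.
GOLF_L3OUT: List[Route] = TRADITIONAL_L3OUT + [
    ("10.1.1.10/32", "site2", 20),
]


def best_entry_site(routes: List[Route], dst: str) -> Optional[str]:
    """Return the site the WAN delivers traffic for `dst` to.

    Longest prefix match wins; among equal-length prefixes the lower cost
    (the tuned preference toward the home site) wins.
    """
    ip = ipaddress.ip_address(dst)
    matches = [
        (ipaddress.ip_network(prefix), site, cost)
        for prefix, site, cost in routes
        if ip in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    net, site, cost = max(matches, key=lambda m: (m[0].prefixlen, -m[2]))
    return site


def ingress_path(routes: List[Route], dst: str, endpoint_site: str) -> List[str]:
    """Sites traversed by ingress traffic before it reaches the endpoint.

    If the WAN delivers the flow to a site other than the one hosting the
    endpoint, that site must redirect it over the intersite network, which
    is the extra hop the EVPN location update enables.
    """
    entry = best_entry_site(routes, dst)
    if entry is None:
        return []
    return [entry] if entry == endpoint_site else [entry, endpoint_site]


if __name__ == "__main__":
    migrated = "10.1.1.10"  # constructed: endpoint that moved from Site 1 to Site 2
    print("traditional:", ingress_path(TRADITIONAL_L3OUT, migrated, "site2"))
    print("golf:       ", ingress_path(GOLF_L3OUT, migrated, "site2"))
```

Running the block shows the traditional L3Out delivering the migrated endpoint's traffic to the home site first and then redirecting it, while with the GOLF host route the WAN delivers it straight to Site 2; endpoints that did not migrate are unaffected, since no /32 exists for them and the /24 preference still applies.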

 

The GOLF approach was originally introduced to scale up the number of VRF instances that can be connected to the external Layer 3 network domain (1000 VRF instances have been supported since the launch of GOLF integration with Cisco ACI).

 

With GOLF, connectivity to the WAN edge routers is no longer provided by the border leaf nodes; these routers now connect (directly or indirectly) to the spine nodes.

The MP-BGP EVPN control plane is used to exchange routes for all the ACI VRFs that require external connectivity, the OpFlex control plane automates the fabric-facing VRF configuration on the GOLF router, and the VXLAN data plane carries the north-south traffic.

 

 

 

CONFIGURATION STEPS:

 

1) create the L3-out configuration to be used to connect the specific web bridge domains to the external Layer 3 domain; this step is performed at the APIC level (hence separately for each site) and not in the Cisco ACI Multi-Site policy manager

 

2) the two L3-outs created in each APIC domain are then exposed to the Cisco ACI Multi-Site policy manager, which can then define external EPG objects associated to each L3-out for configuring the specific connectivity requirements of internal EPGs (see next step)

 

3) in the policy manager, you can define two templates with corresponding application network profiles specifying the web EPGs that should have access to the external network domain using the specific L3-out connections already provisioned at each site; this is done by creating a specific contract in each template between the web EPG and the external EPG associated to the local L3-out

 

4) the template configuration is pushed to the respective sites

 

5) the configuration is applied in each APIC domain to provide external connectivity to the endpoints that are part of the web EPGs defined at each site

 

6) each site's local L3-out connections are used for inbound and outbound connectivity

 

 

 

ACI Multi-Site L3-out connectivity GOLF MP-BGP EVPN:

 

To establish MP-BGP EVPN adjacencies between the spine nodes and the GOLF routers, the GOLF interfaces must be part of the global routing table routing domain.

 

Hence, the use of a single set of physical connections implies that the multi-site traffic will also be routed in that global table routing domain and cannot be forwarded as part of a different VRF instance.

 

The only way to carry the multi-site traffic in a dedicated VRF instance is to use separate physical interfaces; this approach is often important with Multiprotocol Label Switching (MPLS) VPN WAN services, because intersite traffic should not be carried in the global routing table.

 

 

 

ACI Multi-Site L3-out connectivity GOLF MP-BGP EVPN with the same physical interface:

 

1) define the same router ID for the spine nodes in both infra L3-out connections

 

2) define the same set of logical interfaces and associated IP addresses

 

3) associate both L3-out connections with the same overlay-1 VRF instance

 

4) define the same OSPF area on both the L3-out connections
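As an added example, not from the original post or from any Cisco tool, the following Python check compares two infra L3Out definitions (the intersite one and the GOLF one) against the four conditions above and reports every mismatch that would prevent them from sharing the same spine-facing physical interfaces. The dictionary layout, L3Out names, router IDs and addresses are constructed stand-ins for illustration and are not the APIC object model; only the overlay-1 VRF name comes from the text.

```python
from typing import Dict, List

INFRA_VRF = "overlay-1"  # the ACI infra VRF both infra L3Outs must use (from the text)

# Constructed, simplified description of an infra L3Out on a spine pair.
# This shape is an assumption for illustration, not an APIC export.
L3Out = Dict[str, object]

MULTISITE_L3OUT: L3Out = {
    "name": "intersite-l3out",
    "router_id": "192.168.100.1",       # constructed value
    "vrf": INFRA_VRF,
    "ospf_area": "0.0.0.0",
    "interfaces": {                     # logical interface -> IP address (constructed)
        "eth1/1": "172.16.10.1/30",
        "eth1/2": "172.16.10.5/30",
    },
}

# Matches the intersite L3Out on all four conditions.
GOLF_L3OUT: L3Out = {
    "name": "golf-l3out",
    "router_id": "192.168.100.1",
    "vrf": INFRA_VRF,
    "ospf_area": "0.0.0.0",
    "interfaces": {
        "eth1/1": "172.16.10.1/30",
        "eth1/2": "172.16.10.5/30",
    },
}

# Violates every condition: different router ID, a non-infra VRF, a different
# OSPF area and a different logical interface set.
MISCONFIGURED_GOLF_L3OUT: L3Out = {
    "name": "golf-l3out-bad",
    "router_id": "192.168.100.2",
    "vrf": "golf-vrf",
    "ospf_area": "0.0.0.1",
    "interfaces": {
        "eth1/1": "172.16.10.1/30",
        "eth1/3": "172.16.10.9/30",
    },
}


def check_shared_interface_l3outs(a: L3Out, b: L3Out) -> List[str]:
    """Return the list of conditions violated when `a` and `b` are meant to
    share the same physical interfaces; an empty list means they are consistent."""
    problems: List[str] = []

    # 1) same router ID on the spine nodes in both infra L3Outs
    if a["router_id"] != b["router_id"]:
        problems.append(f"router ID mismatch: {a['router_id']} vs {b['router_id']}")

    # 2) same set of logical interfaces with the same IP addresses
    only_a = set(a["interfaces"].items()) - set(b["interfaces"].items())
    only_b = set(b["interfaces"].items()) - set(a["interfaces"].items())
    for iface, addr in sorted(only_a):
        problems.append(f"interface {iface} ({addr}) defined only in {a['name']}")
    for iface, addr in sorted(only_b):
        problems.append(f"interface {iface} ({addr}) defined only in {b['name']}")

    # 3) both L3Outs associated with the overlay-1 VRF
    for l3out in (a, b):
        if l3out["vrf"] != INFRA_VRF:
            problems.append(f"{l3out['name']} is in VRF {l3out['vrf']}, expected {INFRA_VRF}")

    # 4) same OSPF area on both L3Outs
    if a["ospf_area"] != b["ospf_area"]:
        problems.append(f"OSPF area mismatch: {a['ospf_area']} vs {b['ospf_area']}")

    return problems


if __name__ == "__main__":
    for golf in (GOLF_L3OUT, MISCONFIGURED_GOLF_L3OUT):
        found = check_shared_interface_l3outs(MULTISITE_L3OUT, golf)
        print(golf["name"], "->", "OK" if not found else "; ".join(found))
```

The check is deliberately symmetric on interfaces: an address present on only one side is reported with the L3Out it belongs to, which is the detail you need when reconciling the two definitions on the APIC.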

 

 

 
