ACI: two scenarios IPU/APU (LAB) and configuration steps best practices – OSPF different areas on Border Leaf – OSPF summarization – Transit Routing – BGP capability

13.02 2024 | by massimiliano

SCENARIO 1 DESIGN

IPU represents the control-plane traffic and is considered one Tenant (customer group);

APU represents the data-plane traffic and is considered a different Tenant (customer group);

The VMs are endpoints in an external EPG, with the subnet defined on the ACI Fabric;

Each Tenant has two dedicated OSPF processes: one for the control plane and one for the data plane;

Each Tenant has its own VRF; the VRF is the virtual L3 instance of the ACI Fabric and is configured on the Border Leaves through a logical node profile;

Each VRF is associated with a different Bridge Domain (each Tenant has its own BD);

For each Tenant we configure two different L3-out connections (L3 SVI interfaces) on the Leaf through the Logical Node Profile;

Each Tenant can include multiple EPGs;

An EPG provides a contract to permit connections between EPGs; this means creating an object that classifies traffic from outside into a security zone, mapping the external subnets to the external EPG. The contract scope can be per-VRF, per-Application Profile, per-Tenant or Global.

CONFIGURATION STEPS FOR SCENARIO 1

Configure a VRF for each customer Tenant

Configure the L3-out policy associated with the VRF:

a) define the logical node profile –> Border Leaves

b) logical interface profile –> SVI interface on the BL defined by the logical node profile

c) external network and EPG: an object that classifies traffic from the outside into the ACI Fabric (security zone)

The L3-out must be referenced by the Bridge Domain whose subnet needs to be advertised to the outside

L3-out policies provide IP connectivity between a VRF and an external IP network; each L3-out is associated with only one VRF instance.

For a subnet defined in the BD to be announced to the outside router:

d) the subnet needs to be marked as advertised externally

e) the BD must have a relationship with the L3-out connection

g) a contract must exist between the layer 3 external EPG and the EPG associated with the BD; if this contract is not in place, the subnets cannot be advertised.

SCENARIO 2 DESIGN

IPU represents the control-plane traffic and is considered one Tenant (customer group);

APU represents the data-plane traffic and is considered a different Tenant (customer group);

The VMs are endpoints in an external EPG, with the subnet defined on the ACI Fabric;

Each Tenant has two dedicated OSPF processes: one for the control plane and one for the data plane;

All Tenants share the same VRF; the VRF is the virtual L3 instance of the ACI Fabric and is configured on the Border Leaves through a logical node profile;

Under each Tenant, configure the EPG and associate it with the Bridge Domain in the Common Tenant;

Configure a contract and an application profile under each Tenant;

The L3-out connection can be configured with dynamic or static routing;

Each BD and subnet is visible to all Tenants;

All Tenants use the same VRF instance; hence overlapping IP addresses cannot be used.

CONFIGURATION STEPS FOR SCENARIO 2

Configure a VRF under the Common Tenant

Configure the L3-out connection under the Common Tenant and associate it with the VRF instance

Configure a Bridge Domain and subnet under each customer Tenant

Associate the Bridge Domain with the VRF in the Common Tenant and with the L3-out connection

Under each Tenant, configure the EPG and associate it with a BD in the Tenant itself

Configure contracts and application profiles under each Tenant
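As an added example (not from the original post), the Python below models the three advertisement conditions d), e) and g) from the scenario 1 steps and the no-overlap rule of the shared VRF in scenario 2, over a constructed sample of two Tenants sharing one VRF; the dictionary layout and names are assumptions, not the APIC object model.

```python
import ipaddress

# Constructed sample (not from the post): two Tenants sharing one VRF as in
# scenario 2. Each BD lists its subnets with their scope ("public" means
# "advertised externally") and the L3-outs it has a relationship with.
BDS = {
    "ipu-bd": {"vrf": "common-vrf", "l3outs": {"ipu-l3out"},
               "subnets": {"10.10.1.0/24": "public", "10.10.2.0/24": "private"}},
    "apu-bd": {"vrf": "common-vrf", "l3outs": set(),
               "subnets": {"10.10.1.128/25": "public"}},
}
# EPGs with the BD they sit on and the contracts they provide/consume.
EPGS = {
    "ipu-epg": {"bd": "ipu-bd", "provides": {"web"}, "consumes": set()},
    "apu-epg": {"bd": "apu-bd", "provides": {"db"}, "consumes": set()},
}
# External EPG under each L3-out with the contracts it provides/consumes.
EXT_EPGS = {"ipu-l3out": {"provides": set(), "consumes": {"web"}}}


def contract_between(ext, epg):
    """True when the external EPG and the EPG share a contract in either direction."""
    return bool(ext["provides"] & epg["consumes"] or ext["consumes"] & epg["provides"])


def advertised_subnets(l3out):
    """BD subnets that meet all three conditions for advertisement out of l3out."""
    ext = EXT_EPGS[l3out]
    out = set()
    for bd_name, bd in BDS.items():
        if l3out not in bd["l3outs"]:          # e) BD -> L3-out relationship
            continue
        epgs_on_bd = [e for e in EPGS.values() if e["bd"] == bd_name]
        if not any(contract_between(ext, e) for e in epgs_on_bd):
            continue                            # g) contract with the external EPG
        # d) only subnets marked "advertised externally"
        out |= {p for p, scope in bd["subnets"].items() if scope == "public"}
    return sorted(out)


def overlapping_subnets(vrf):
    """Pairs of BDs whose subnets overlap inside one VRF (not allowed in scenario 2)."""
    nets = [(name, ipaddress.ip_network(p)) for name, bd in BDS.items()
            if bd["vrf"] == vrf for p in bd["subnets"]]
    return sorted((a, b) for i, (a, na) in enumerate(nets)
                  for b, nb in nets[i + 1:] if na.overlaps(nb))
```

In the sample, apu-bd has no L3-out relationship and no contract with the external EPG, so nothing from it is advertised, while its /25 still collides with the ipu-bd /24 inside the shared VRF.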

ACI OSPF area types on different Border Leaves

OSPF areas on different Border Leaves are different OSPF areas

ACI border leaves running OSPF are always AS boundary routers (ASBRs)

All external routes learned via OSPF are redistributed into MP-BGP

MP-BGP routes are redistributed into OSPF as external type 2

OSPF areas on different border leaves (BL pairs) are different OSPF areas, even if the area IDs match

IPv4 and IPv6 are supported

During the configuration we add a node profile and an interface profile (avoid using a loopback; the loopback should only be used in a BGP routing protocol configuration);

When the OSPF interface profile is added and the protocol profile is configured, ACI asks for authentication information as well as an OSPF policy;

The OSPF policy is where parameters such as the link type, BFD, passive participation and MTU ignore are managed.

ACI OSPF area types on the same Border Leaf

OSPF areas on the same Border Leaf need different area types in order to be advertised

ACI border leaves running OSPF are always AS boundary routers (ASBRs)

All external routes learned via OSPF are redistributed into MP-BGP

MP-BGP routes are redistributed into OSPF as external type 2

IPv4 and IPv6 are supported

ACI Border Leaves follow the OSPF rules:

a) with multiple areas but no backbone area among them, routes are not advertised between the areas;

b) between a non-backbone area and the backbone area, routes are advertised.

ACI OSPF Summarization

Two options are available in ACI:

External route summarization (equivalent to the summary-address configuration)

Inter-area summarization (equivalent to the area range configuration)

When Tenant routes are injected into OSPF, the ACI Leaf where the L3-out connection resides acts as an ASBR; in this case the summary-address configuration (that is, external route summarization) should be used;

For a scenario with two L3-out connections, each using a different area and attached to the same border leaf switch, the area range configuration is used to summarize.
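As an added example (not part of the original post), the Python below computes the single covering prefix for a Tenant's BD subnets and the address space that summary would announce beyond the real subnets; the calculation is the same whether the summary is then applied as summary-address on the ASBR or as area range between areas. The subnet values are constructed.

```python
import ipaddress


def covering_summary(prefixes):
    """Smallest single prefix that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()     # widen by one bit until everything fits
    return summary


def leaked_space(summary, prefixes):
    """Blocks inside the summary that no real subnet covers (announced but empty)."""
    remaining = [summary]
    for n in (ipaddress.ip_network(p) for p in prefixes):
        nxt = []
        for r in remaining:
            if n.subnet_of(r):           # carve the real subnet out of this block
                nxt.extend(r.address_exclude(n))
            elif not r.subnet_of(n):     # disjoint block, keep it as-is
                nxt.append(r)
        remaining = nxt
    return [str(b) for b in ipaddress.collapse_addresses(remaining)]


def summary_plan(prefixes):
    """Return (summary prefix, leaked blocks) for a set of BD subnets."""
    summary = covering_summary(prefixes)
    return str(summary), leaked_space(summary, prefixes)


if __name__ == "__main__":
    # Constructed Tenant subnets: three /24s under 10.10.0.0/22, one /24 unused
    print(summary_plan(["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"]))
```

A non-empty leaked list means the summary attracts traffic for space the Tenant does not actually use, which is worth knowing before the summary is configured on the border leaf.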

ACI Transit Routing Fabric

The transit routing function in the ACI Fabric enables the advertisement of routing information from one L3-out to another, allowing full IP connectivity between routing domains through ACI;

To configure transit routing through ACI, the subnets in question must be marked with the Export Route Control option when configuring the external networks under the L3-out;

ACI Fabric BGP capability

ACI can peer with external BGP networks and redistribute the routing information throughout the Fabric; to use this functionality, select BGP as the routing protocol when creating the L3-out connection;

The ACI border leaf needs iBGP sessions with all BGP speakers within the AS; route reflector functionality can be used;

ACI border leaves do not have iBGP sessions among themselves because they learn routes from each other via MP-BGP;

When a layer 3 out connection is required for each Tenant, separate iBGP sessions must be configured for each Tenant;

When configuring the routed outside connection, the BGP-specific configuration requires creating a node profile with the following information:

a) router ID with a static route to the next-hop address (the loopback should be created)

b) BGP peering information such as the neighbor IP

c) the interface and interface profile to use, with port, IP and VLAN encapsulation details

A BGP peer connectivity profile includes:

d) peer address

e) authentication

f) external EPG group; this group represents all the devices reachable through the L3-out and the BGP connection
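As an added example (not from the original post), the Python below checks a planned BGP node profile against items a) to f) above: router ID and loopback present, an interface profile with port, IP and VLAN, a peer address that is reachable through an SVI subnet or through a static route whose next hop is on one, authentication, and an external EPG. The field names and sample values are constructed assumptions, not the APIC object model, and matching the loopback address to the router ID is an assumed convention.

```python
import ipaddress

# Constructed sample node profile for a BGP L3-out (field names are assumptions,
# not the APIC object model): one border leaf with an SVI towards the external
# router, a loopback carrying the router ID, a static route to the peer's
# subnet and the peer connectivity profile.
PLAN = {
    "router_id": "1.1.1.1",
    "loopback": "1.1.1.1/32",
    "interfaces": [{"port": "eth1/1", "vlan": 200, "ip": "10.0.0.1/24"}],
    "static_routes": [{"prefix": "192.168.100.0/24", "next_hop": "10.0.0.2"}],
    "peer": {"address": "192.168.100.2", "password": "placeholder-secret",
             "ext_epg": "bgp-ext-epg"},
}


def validate_bgp_node_profile(plan):
    """Return findings against items a) to f) of the node/peer profile checklist."""
    findings = []
    rid, loop = plan.get("router_id"), plan.get("loopback")
    if not rid:
        findings.append("a: router ID missing")
    if not loop:
        findings.append("a: loopback for the router ID missing")
    elif rid and ipaddress.ip_interface(loop).ip != ipaddress.ip_address(rid):
        findings.append("a: loopback address does not match the router ID")
    svi_nets = [ipaddress.ip_interface(i["ip"]).network
                for i in plan.get("interfaces", [])]
    if not svi_nets:
        findings.append("c: no interface profile (port, IP, VLAN) defined")
    peer = plan.get("peer", {})
    if not peer.get("address"):
        findings.append("d: peer address missing")
    else:
        peer_ip = ipaddress.ip_address(peer["address"])
        # The peer must sit on a directly connected SVI subnet, or be reachable
        # through a static route whose next hop is on such a subnet.
        direct = any(peer_ip in n for n in svi_nets)
        via_static = any(
            peer_ip in ipaddress.ip_network(r["prefix"])
            and any(ipaddress.ip_address(r["next_hop"]) in n for n in svi_nets)
            for r in plan.get("static_routes", []))
        if not (direct or via_static):
            findings.append("a/b: no static route with a next hop on an SVI reaches the peer")
    if not peer.get("password"):
        findings.append("e: BGP peer authentication not configured")
    if not peer.get("ext_epg"):
        findings.append("f: external EPG for the BGP peers missing")
    return findings
```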

ACI BGP prefix advertisement from the Fabric

ACI can advertise prefixes from the Fabric Leaf to its neighbor by associating the L3-out network with the BD (the Bridge Domain association creates a route map) that contains the subnets to advertise;

These subnets are marked as advertised externally, and an application profile with an EPG linked to this Bridge Domain must be created;

A route profile provides a control mechanism for routes exchanged with a BGP peer; a route profile can be associated with:

a) Prefix;

b) Bridge Domain;

c) Layer 3 out network.

When a route profile is associated with a BD, all of its subnets are advertised with the same BGP community value; different BGP communities can be set for different subnets;

A route profile named «default-export» can be configured and is applied automatically to the L3-out network. ACI supports outbound BGP policy to set the community or extended community value for Tenant routes.
