L3Out for Routing to L4-L7 Devices
If NAT is not an option and traffic still has to reach endpoints that sit behind a firewall or load balancer, there are two options:
- Use a service graph with redirect (policy-based redirect)
- Configure static or dynamic routing over an L3Out connection
Both static and dynamic routing work well on an L3Out SVI over vPC. With static routing, a secondary IP address must be configured as part of the SVI and vPC configuration: this secondary address is shared by both vPC peers and is the next hop used for the static routes, so the external device points at it rather than at either leaf's own SVI address.
If more than two leaf switches are used for the L3Out, some restrictions apply depending on the leaf hardware and its software release. These restrictions apply when all of the following are true:
- The L3Out connection consists of more than two leaf switches with the SVI in the same VLAN encapsulation.
- The border leaf switches use static routing to reach the external device.
- vPC is used to connect the external device to the fabric.
These restrictions exist because traffic that is routed toward one L3Out connection may then be switched or bridged on the external bridge domain onto another L3Out connection.
The topology choices are shown below. The topology on the left works with both first-generation and second-generation leaf switches; the topology on the right is designed for Nexus 9300-EX and 9300-FX platform switches. In both, the L3Out connection is used for static routing to send traffic to an external device deployed as an HA pair (active/standby).
Topology below: design considerations with a static-routing L3Out and vPC.
If more than two first-generation border leaf switches are required, the preferred approach is dynamic routing, with a different VLAN encapsulation per vPC pair on the L3Out SVI.
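The three conditions above (more than two border leaves, one shared SVI encapsulation, static routing over vPC) and the per-vPC-pair encapsulation recommended for larger first-generation deployments can be checked mechanically against an exported L3Out. The following Python script is an added example written for this page, not a Cisco tool: it parses APIC-style L3Out XML, collects the leaf IDs from each `l3extRsPathL3OutAtt` path, the SVI encapsulations, whether the paths are vPC (`protpaths-`), whether any static routes (`ipRouteP`) are configured, and whether every vPC member carries the shared secondary address (`l3extIp`). The two sample configurations, their node IDs, names and addresses are constructed for the example; the object class names follow the APIC object model as the editor understands it, so verify them against your own export.

```python
"""Audit an exported Cisco ACI L3Out (APIC XML) for the restriction that applies when
more than two border leaf switches share one SVI VLAN encapsulation, use static routing,
and connect the external device over vPC. Added example; not Cisco tooling."""
import re
import xml.etree.ElementTree as ET

# Constructed sample A: two vPC pairs (4 border leaves), one SVI encap (vlan-100), a static
# default route on every leaf. Side A of protpaths-103-104 lacks its shared secondary IP.
STATIC_SHARED_VLAN = """<l3extOut name="L3Out-FW">
 <l3extLNodeP name="border-leaves">
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-101" rtrId="1.1.1.101"><ipRouteP ip="0.0.0.0/0"><ipNexthopP nhAddr="10.1.1.254"/></ipRouteP></l3extRsNodeL3OutAtt>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-102" rtrId="1.1.1.102"><ipRouteP ip="0.0.0.0/0"><ipNexthopP nhAddr="10.1.1.254"/></ipRouteP></l3extRsNodeL3OutAtt>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-103" rtrId="1.1.1.103"><ipRouteP ip="0.0.0.0/0"><ipNexthopP nhAddr="10.1.1.254"/></ipRouteP></l3extRsNodeL3OutAtt>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-104" rtrId="1.1.1.104"><ipRouteP ip="0.0.0.0/0"><ipNexthopP nhAddr="10.1.1.254"/></ipRouteP></l3extRsNodeL3OutAtt>
  <l3extLIfP name="svi">
   <l3extRsPathL3OutAtt tDn="topology/pod-1/protpaths-101-102/pathep-[vpc_to_fw]" ifInstT="ext-svi" encap="vlan-100" addr="0.0.0.0">
    <l3extMember side="A" addr="10.1.1.2/24"><l3extIp addr="10.1.1.1/24"/></l3extMember>
    <l3extMember side="B" addr="10.1.1.3/24"><l3extIp addr="10.1.1.1/24"/></l3extMember>
   </l3extRsPathL3OutAtt>
   <l3extRsPathL3OutAtt tDn="topology/pod-1/protpaths-103-104/pathep-[vpc_to_fw]" ifInstT="ext-svi" encap="vlan-100" addr="0.0.0.0">
    <l3extMember side="A" addr="10.1.1.4/24"/>
    <l3extMember side="B" addr="10.1.1.5/24"><l3extIp addr="10.1.1.6/24"/></l3extMember>
   </l3extRsPathL3OutAtt>
  </l3extLIfP>
 </l3extLNodeP>
</l3extOut>"""

# Constructed sample B: same four leaves, OSPF instead of static routes, and a different
# SVI encapsulation per vPC pair, i.e. the preferred design for more than two border leaves.
OSPF_PER_PAIR_VLAN = """<l3extOut name="L3Out-FW">
 <ospfExtP areaId="0.0.0.1" areaType="regular"/>
 <l3extLNodeP name="border-leaves">
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-101" rtrId="1.1.1.101"/>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-102" rtrId="1.1.1.102"/>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-103" rtrId="1.1.1.103"/>
  <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-104" rtrId="1.1.1.104"/>
  <l3extLIfP name="svi">
   <l3extRsPathL3OutAtt tDn="topology/pod-1/protpaths-101-102/pathep-[vpc_to_fw]" ifInstT="ext-svi" encap="vlan-100" addr="0.0.0.0">
    <l3extMember side="A" addr="10.1.1.2/24"><l3extIp addr="10.1.1.1/24"/></l3extMember>
    <l3extMember side="B" addr="10.1.1.3/24"><l3extIp addr="10.1.1.1/24"/></l3extMember>
   </l3extRsPathL3OutAtt>
   <l3extRsPathL3OutAtt tDn="topology/pod-1/protpaths-103-104/pathep-[vpc_to_fw]" ifInstT="ext-svi" encap="vlan-101" addr="0.0.0.0">
    <l3extMember side="A" addr="10.1.2.2/24"><l3extIp addr="10.1.2.1/24"/></l3extMember>
    <l3extMember side="B" addr="10.1.2.3/24"><l3extIp addr="10.1.2.1/24"/></l3extMember>
   </l3extRsPathL3OutAtt>
  </l3extLIfP>
 </l3extLNodeP>
</l3extOut>"""


def leaf_ids_from_path(tdn):
    """Return (set of leaf node IDs, is_vpc) from a path tDn.
    vPC paths look like .../protpaths-101-102/pathep-[...]; single-leaf paths use paths-101."""
    match = re.search(r"/(protpaths|paths)-([\d-]+)/", tdn)
    if not match:
        return set(), False
    return {int(n) for n in match.group(2).split("-")}, match.group(1) == "protpaths"


def audit_l3out(xml_text):
    """Summarise the L3Out and flag the static-routing / shared-VLAN / vPC restriction."""
    root = ET.fromstring(xml_text)
    leaves, svi_encaps, vpc_used, missing_secondary = set(), set(), False, []
    for path in root.iter("l3extRsPathL3OutAtt"):
        ids, is_vpc = leaf_ids_from_path(path.get("tDn", ""))
        leaves |= ids
        vpc_used = vpc_used or is_vpc
        if path.get("ifInstT") == "ext-svi":
            svi_encaps.add(path.get("encap"))
        if is_vpc:
            # With static routing the shared secondary IP (l3extIp) must exist on both sides.
            for member in path.findall("l3extMember"):
                if member.find("l3extIp") is None:
                    missing_secondary.append((path.get("tDn"), member.get("side")))
    static_routes = sorted({r.get("ip") for r in root.iter("ipRouteP")})
    shared_encap_many_leaves = len(svi_encaps) == 1 and len(leaves) > 2
    return {
        "leaf_count": len(leaves),
        "svi_encaps": sorted(svi_encaps),
        "vpc": vpc_used,
        "static_routes": static_routes,
        "restriction_applies": shared_encap_many_leaves and bool(static_routes) and vpc_used,
        "missing_secondary": missing_secondary,
    }


if __name__ == "__main__":
    for label, cfg in (("static, shared VLAN", STATIC_SHARED_VLAN), ("OSPF, per-pair VLAN", OSPF_PER_PAIR_VLAN)):
        print(label, audit_l3out(cfg))
```

Run the script against an L3Out exported from the APIC (Tenant > Networking > L3Outs > Save As, XML) to see whether the restriction applies before you add a third and fourth border leaf to an existing static-routing design; the `missing_secondary` list catches the vPC member that was never given the shared next-hop address.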
Topology below: design considerations for endpoints attached to border leaf switches that also carry an L3Out.
Some considerations that apply to these designs:
- With Nexus 9300-EX and 9300-FX platform switches, connecting endpoints to the border leaf switches is fully supported with software release 2.2(2e) and later. Configure the fabric-wide policy with the Disable Remote EP Learn option selected.
- If the compute leaf switches (the ones the endpoints attach to) are first-generation switches, one of the following must be done:
  - If VRF ingress policy enforcement is enabled (the default), the software release must be 2.2(2e) or later, and endpoint learning must be disabled on the border leaf switches.
  - Otherwise, configure the VRF instance for egress policy enforcement by setting the Policy Control Enforcement Direction option to Egress.
Design Considerations for Deploying Graph Templates on Multiple EPGs
When an L4-L7 device is connected to the fabric through a service graph that is applied between multiple EPGs using the same L4-L7 device interface, ACI allocates a different VLAN for that interface and associates a separate shadow EPG each time the EPG on the consumer or provider side is in a different bridge domain.
Suppose a service graph is first applied between the outside EPG and the Web EPG, as in the figure below, and the same service graph is then applied between the outside EPG and the App EPG. If the Web EPG and the App EPG are in different bridge domains (BD1 and BD2), the L4-L7 interface is associated with two shadow EPGs, one for BD1 and one for BD2, as in the figure below.
Even if there are more EPGs in BD1 and BD2, the L4-L7 appliance is still connected to only these two shadow EPGs, because the shadow EPG is per bridge domain, not per EPG.
If the service graph template is applied between multiple EPGs spread across three bridge domains, the L4-L7 appliance is attached to three shadow EPGs, and the NIC on the appliance trunks multiple VLANs, one per shadow EPG.