For every subnet configured under an L3Out external EPG, a set of flags controls how that prefix is used for route redistribution to and from external routers.
Some of the options may be greyed out, depending on the routing protocol selected at the top level of the L3Out configuration.
Import Route Control is available only for OSPF and BGP and has to be enabled under Route Control Enforcement on the main External Routed Networks (L3Out) object.
Export Route Control Subnet
The Export Route Control Subnet flag is used only when you want to export a transit route (a route learned on one L3Out) through another L3Out.
It has no effect in the ingress direction; it applies only when routes are exported.
Its effect is to add the prefix to a prefix-list referenced by the export route-map: for BGP that is the outbound route-map towards the neighbor, for OSPF it is the route-map that controls redistribution into the OSPF process.
It does not touch the routing table: no static or other entry is installed in the RIB or in any protocol database. It only filters which prefixes are advertised out.
By default all external routes are accepted and no route is advertised out, because export enforcement is always on. Prefixes carrying this flag are permitted by the export route-map and are therefore advertised.
Import Route Control Subnet
By default ACI imports every prefix presented by the remote routers. You can change that behaviour, for example for security or scalability reasons.
In most ACI configurations the prefixes of interest are the ones flagged External Subnets for the External EPG, but that flag only classifies traffic into the EPG; it does not stop routes from entering the routing table. When a supernet, or even the default prefix 0.0.0.0/0, is used for classification, the number of received prefixes can become very large.
For such scenarios ACI offers a separate way to filter incoming prefixes: the Import Route Control Subnet flag. Import route control has been available for BGP for a long time and for OSPF only in recent ACI software versions.
To use it, Route Control Enforcement for import has to be enabled under the L3Out definition; it is disabled by default.
The Import Route Control Subnet flag can only be configured on an L3Out with an OSPF or BGP neighborship; it does not work for static routes or EIGRP neighbors. Under the main L3Out configuration, Route Control Enforcement for import is disabled by default, while export is always enabled and cannot be disabled. This means ACI accepts all routes by default, but to export a route it has to match at least one permit entry in the export route-map and its associated prefix-list.
When to use this option? When a larger subnet is allowed in, but the administrator wants to accept only a small subset of it, defined by the IP address/mask entries that carry the Import Route Control Subnet flag.
External Subnet for External EPG
This flag identifies which external subnets belong to which external EPG. In most configurations a single external EPG per L3Out is used, but external subnets can also be split across several EPGs so that each can have its own contracts with dedicated traffic rules. The flag installs the prefix in the leaf's LPM table for classification: when a packet arrives on the L3Out, its source IP is looked up in the LPM table to derive the source EPG; in the outgoing direction the destination IP is looked up the same way to derive the destination external EPG, after which the route lookup selects the physical interface.
From a configuration perspective, this flag describes the networks outside the fabric as seen from ACI. If the flag is missing, or the source or destination IP matches no flagged subnet, the traffic is dropped at the L3Out boundary because it belongs to no EPG and therefore to no contract.
Configuring the same prefix with this flag in two external EPGs of the same VRF leads to undefined classification and is strictly not recommended.
Effects on the routing table:
- On Gen1 switches: the subnet is installed in the LPM (longest prefix match) table so that matching packets are redirected to the Broadcom chipset.
- On Gen2 switches: the subnet is also installed in the LPM table of the ASIC, and all more-specific prefixes within it are classified into the same EPG.
Use Case of Flags:
External Subnet for External EPG
Devices such as firewalls or load balancers that are reached via a static route and have a specific subnet behind them should only use the External Subnets for the External EPG flag, applied to the subnet that resides on the far side of the device.
The external device uses a static default route pointing at the ACI interface. The fabric knows the network behind the device because the subnet is marked and inserted into the LPM table with the external EPG as destination.
In the incoming direction, subnets have to be flagged with External Subnets for the External EPG even when they are received via a dynamic protocol. The example above uses 0.0.0.0/0, which covers all external subnets. A flagged 0.0.0.0/0 can be used only once per VRF and is traditionally applied towards the router that exits to the Internet or to the core network.
Internal (bridge-domain) subnets only need the Advertised Externally scope under the BD L3 configuration for the specific subnets that should be advertised.
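The use case above, as an added example that is not part of this page or of any Cisco tooling: the script below builds the APIC XML for a firewall L3Out and a core L3Out in the same VRF, using the real object-model attributes (l3extOut.enforceRtctrl, l3extInstP, l3extSubnet.ip and l3extSubnet.scope), and then checks the rule stated above, that a prefix flagged External Subnets for the External EPG (scope value import-security) may be owned by only one external EPG per VRF. The tenant, VRF, L3Out and EPG names are made up; the conflict on 0.0.0.0/0 is deliberate to show what the check catches.

```python
"""Generate l3extSubnet flags as APIC XML and detect duplicate
import-security prefixes within a VRF.  Added example (not Cisco code);
names such as "prod", "core" and "fw" are constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def l3out_xml(name: str, vrf: str, enforce_rtctrl: str, ext_epgs: dict) -> ET.Element:
    """Return an l3extOut element.  ext_epgs maps external EPG name to a
    list of (prefix, scope) pairs, where scope is the comma-separated
    l3extSubnet scope value (import-security, export-rtctrl, import-rtctrl)."""
    out = ET.Element("l3extOut", name=name, enforceRtctrl=enforce_rtctrl)
    ET.SubElement(out, "l3extRsEctx", tnFvCtxName=vrf)   # binds the L3Out to its VRF
    for epg_name, subnets in ext_epgs.items():
        inst = ET.SubElement(out, "l3extInstP", name=epg_name)   # external EPG
        for prefix, scope in subnets:
            ET.SubElement(inst, "l3extSubnet", ip=prefix, scope=scope)
    return out


def render(elem: ET.Element) -> str:
    """Serialise an element the way it would be POSTed to the APIC."""
    return ET.tostring(elem, encoding="unicode")


def import_security_conflicts(l3outs) -> dict:
    """Map (vrf, prefix) -> [(l3out, epg), ...] for every prefix flagged
    import-security in more than one external EPG of the same VRF."""
    owners = defaultdict(list)
    for out in l3outs:
        vrf = out.find("l3extRsEctx").get("tnFvCtxName")
        for inst in out.findall("l3extInstP"):
            for sub in inst.findall("l3extSubnet"):
                flags = sub.get("scope", "").split(",")
                if "import-security" in flags:
                    owners[(vrf, sub.get("ip"))].append((out.get("name"), inst.get("name")))
    return {key: who for key, who in owners.items() if len(who) > 1}


def build_tenant():
    """Constructed sample: a core-facing L3Out and a firewall L3Out in VRF prod."""
    core = l3out_xml("core", "prod", "export", {
        "ext-core": [
            ("0.0.0.0/0", "import-security"),     # classify all external sources, once per VRF
            ("10.50.0.0/16", "export-rtctrl"),    # advertise the firewall-side subnet as transit
        ],
    })
    firewall = l3out_xml("fw", "prod", "export", {
        "ext-fw": [
            ("10.50.0.0/16", "import-security"),  # subnet behind the firewall (static route)
            ("0.0.0.0/0", "import-security"),     # mistake: default is already owned by ext-core
        ],
    })
    return [core, firewall]


if __name__ == "__main__":
    outs = build_tenant()
    for out in outs:
        print(render(out))
    for (vrf, prefix), owners in import_security_conflicts(outs).items():
        print(f"conflict in VRF {vrf}: {prefix} claimed by {owners}")
```

In a real deployment the l3extOut elements would be wrapped in the tenant's fvTenant element and POSTed to the APIC; running the conflict check on the generated tree before posting avoids the overlapping-subnet fault and the undefined classification the page warns about.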
Export Route Control Flag:
If the external device uses a dynamic routing protocol, that protocol takes care of advertising the ACI fabric subnets and the transit subnets behind the fabric. For the transit subnets to be advertised they have to be marked with the Export Route Control Subnet flag on the L3Out they are exported from.
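The import and export rules described in the Export Route Control Subnet and Import Route Control Subnet sections, and the use cases above, as an added example that is not code from this page or from Cisco: a small model of how the subnet flags turn into prefix-list matches. It reproduces the documented behaviour (import accepts everything unless Route Control Enforcement includes import; export is always enforced and lets out only Advertised Externally bridge-domain subnets and transit routes matching an Export Route Control Subnet entry). The one assumption, marked in the code, is that a plain flag matches the exact prefix while the matching Aggregate option matches any more-specific prefix; the prefixes and route list are constructed.

```python
"""Model of ACI L3Out import/export route control driven by subnet flags.
Added example, not Cisco code.  Scope strings use the APIC attribute values:
import-security (External Subnets for the External EPG), export-rtctrl,
import-rtctrl.  Assumption: non-aggregate flags match the exact prefix only."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ExtSubnet:
    """One subnet entry under an external EPG with its flag set.
    aggregate lists the flags whose Aggregate checkbox is also ticked."""
    prefix: str
    scope: frozenset
    aggregate: frozenset = frozenset()

    def matches(self, prefix: str, flag: str) -> bool:
        if flag not in self.scope:
            return False
        entry = ipaddress.ip_network(self.prefix, strict=False)
        route = ipaddress.ip_network(prefix, strict=False)
        if flag in self.aggregate:
            return route.subnet_of(entry)   # aggregate: any more-specific prefix (like "le 32")
        return route == entry               # plain flag: exact prefix only (assumption)


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str                          # "bd": fabric BD subnet; "external": learned on another L3Out
    advertised_externally: bool = False  # BD subnet scope; ignored for external routes


def import_permitted(route: Route, subnets, enforce_rtctrl: str = "export") -> bool:
    """Inbound filter.  enforce_rtctrl mirrors l3extOut.enforceRtctrl:
    "export" (default) accepts every received route, "export,import" accepts
    only routes matching an Import Route Control Subnet entry."""
    if "import" not in enforce_rtctrl.split(","):
        return True
    return any(s.matches(route.prefix, "import-rtctrl") for s in subnets)


def export_permitted(route: Route, subnets) -> bool:
    """Outbound filter; export enforcement cannot be switched off.
    BD subnets leave only when Advertised Externally; transit routes leave
    only when an Export Route Control Subnet entry permits them.
    import-security entries have no routing effect at all."""
    if route.origin == "bd":
        return route.advertised_externally
    return any(s.matches(route.prefix, "export-rtctrl") for s in subnets)


# Constructed sample: the external EPG of a core-facing L3Out.
CORE_SUBNETS = [
    ExtSubnet("0.0.0.0/0", frozenset({"import-security"})),        # classification only
    ExtSubnet("10.20.0.0/16", frozenset({"export-rtctrl"})),       # transit prefix, exact match
    ExtSubnet("172.16.0.0/12", frozenset({"export-rtctrl"}),
              frozenset({"export-rtctrl"})),                      # Aggregate Export
    ExtSubnet("192.168.50.0/24", frozenset({"import-rtctrl"})),    # only route kept once import is enforced
]


def evaluate(enforce_rtctrl: str = "export"):
    """Return (imported, exported) prefix lists for a constructed route set."""
    received = ["192.168.50.0/24", "192.168.60.0/24"]   # what the core router sends us
    fabric = [
        Route("10.10.1.0/24", "bd", advertised_externally=True),
        Route("10.10.2.0/24", "bd"),                      # not advertised externally
        Route("10.20.0.0/16", "external"),                # transit, exact flag match
        Route("10.20.5.0/24", "external"),                # more specific, no aggregate: blocked
        Route("172.16.7.0/24", "external"),               # covered by Aggregate Export
    ]
    imported = [p for p in received
                if import_permitted(Route(p, "external"), CORE_SUBNETS, enforce_rtctrl)]
    exported = [r.prefix for r in fabric if export_permitted(r, CORE_SUBNETS)]
    return imported, exported


if __name__ == "__main__":
    for mode in ("export", "export,import"):
        print(mode, evaluate(mode))
```

Running it with enforce_rtctrl set to "export" shows both received prefixes accepted; switching to "export,import" keeps only 192.168.50.0/24, while the export list is identical in both modes, which is the page's point that the two directions are filtered independently and that the import-security flag never changes what is advertised.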