Routing in ACI
When the BD is enabled for IP routing, the mapping database learns the MAC address and IP address of the endpoint. Alongside this, the leaf switch also maintains the MAC and IP address entries in its own tables for local and remote endpoints.
To route traffic outside the fabric, the leaf uses the LPM table (external routing table), which is populated by MP-BGP.
A Bridge Domain is configured with a subnet IP address, which we refer to as the SVI. This SVI IP address and its corresponding MAC address (the gateway MAC address) are instantiated on all leaf nodes where the Bridge Domain exists. This MAC address is the anycast gateway MAC address. The reason is that when a VM moves from one leaf to another, the VM does not need to change its default gateway information, as the same gateway IP address and MAC address are present on the new leaf node.
There are two types of network that ACI examines:
- Inside Network: networks associated with tenants and their Bridge Domains are called inside networks.
- Outside Network: networks associated with outside routes for each of those tenants.
When a leaf switch receives a frame, it checks whether the destination IP address belongs to an inside network or an outside network.
The route lookup is as follows:
If the destination IP address matches a /32 host entry in the GST, the destination is considered to be inside the fabric and the leaf has a route entry to it. The ingress leaf then sends the packet to the leaf to which the destination endpoint is connected.
If the destination IP address does not match any /32 host route entry, the leaf switch checks whether the destination IP address is within the IP address range of the tenant's BD subnets.
- If it finds that the destination IP address is within the range of the tenant's BD subnets, the destination is considered to be inside the fabric, but the leaf switch has not learned the destination IP address yet. In this case the ingress leaf switch encapsulates the frame in VXLAN and sets the outer destination address to the spine proxy VTEP.
- The spine proxy, upon receiving the frame, checks the destination IP address and sends the packet to the egress leaf switch where the destination endpoint resides.
- If the spine switch does not have an entry for the destination endpoint, the spine switch generates an ARP request with the source IP address set to the primary IP address of the BD subnet (NOT the virtual IP address). This ARP request is sent to all leaf nodes on which that BD is instantiated.
If the destination IP address matches neither a /32 route entry nor any Bridge Domain subnet route, the leaf switch considers the destination IP address to be in an external network and looks it up in the external routing table (LPM table); if a match is found, the ingress leaf switch sends the packet to the border leaf.
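The three-stage lookup described above, modelled as a small Python function. This is an added example, not code from the page or from Cisco; the host routes, BD subnets, external prefixes and leaf names are constructed sample data for one tenant VRF.

```python
# Added example: a simplified model of the ACI ingress-leaf route lookup
# (/32 host entry -> BD subnet -> external LPM). All table contents are
# constructed sample data, not taken from a real fabric.
import ipaddress

HOST_ROUTES = {                       # /32 endpoint entries learned into the GST
    "10.1.1.10": "leaf-101",          # endpoint IP -> leaf (VTEP) it is attached to
    "10.1.2.20": "leaf-102",
}
BD_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24"]          # Bridge Domain (SVI) subnets
LPM_ROUTES = {                        # external routing table populated by MP-BGP
    "0.0.0.0/0": "border-leaf-201",
    "192.168.0.0/16": "border-leaf-202",
}

def lookup(dst_ip, host_routes=HOST_ROUTES, bd_subnets=BD_SUBNETS,
           lpm_routes=LPM_ROUTES):
    """Return (classification, next hop) for a destination IP, using the
    same order as the text: /32 host route, then BD subnet, then external LPM."""
    dst = ipaddress.ip_address(dst_ip)
    # 1. Exact /32 host entry: destination is inside the fabric and already known.
    if str(dst) in host_routes:
        return ("inside-known", host_routes[str(dst)])
    # 2. Inside a BD subnet but not yet learned: forward to the spine proxy VTEP,
    #    which either knows the egress leaf or triggers ARP gleaning on the BD.
    for subnet in bd_subnets:
        if dst in ipaddress.ip_network(subnet):
            return ("inside-unknown", "spine-proxy")
    # 3. External network: longest prefix match in the LPM table -> border leaf.
    best = None
    for prefix, next_hop in lpm_routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is not None:
        return ("external", best[1])
    # No host, BD or external route matched: nothing to forward to.
    return ("no-route", None)

if __name__ == "__main__":
    for ip in ["10.1.1.10", "10.1.2.99", "192.168.5.5", "8.8.8.8"]:
        print(ip, lookup(ip))
```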