Troubleshooting Layer 3 Connectivity Within Cisco ACI

Troubleshooting Layer 3 Connectivity Within Cisco ACI

Cisco ACI fabric can provide unicast routing between the subnets configured under the bridge domains, which are part of the same VRF. Therefore, you can provide connectivity between the different EPGs, which represent a logical group of endpoints with similar policy requirements (such as an application tier or a set of services) and bridge domains. Still, since by default in Cisco ACI, endpointstwo different EPGs cannot talk to each other, you have to explicitly allow the required communication using a contract. During troubleshooting of endpoint connectivity issues, you should be able to verify and test the IP connectivity between the endpoints in different EPGs. However, endpoints within the same EPG can talk to each other without any additional policy.

The following example shows an inter-EPG Layer 3 connectivity, between two endpoints connected to the Cisco ACI fabric.

During troubleshooting of Layer 3 endpoint connectivity issues, you should verify the configured logical constructs, such as tenant, VRF (unique Layer 3 forwarding domain), bridge domains (and subnets), and EPGs (including application profile), as well as physical constructs (domain, static, or AAEP interface binding to EPGs, and so on). You should also check the filters and contracts used between EPGs, and make sure you are using proper provider and consumer EPGs in the contract.

First, you should verify the Layer 2 connectivity and endpoint learning information, so you can move to Layer 3 troubleshooting. If you are using virtual endpoints on a hypervisor host, you should check the configuration in the virtualization environment, to make sure it is appropriate configured according to the Cisco ACI fabric settings.