In Cisco ACI, the L3Out is a means to communicate with networks outside of ACI.
The L3Out uses a routing protocol or static routes to achieve this communication with external networks. The supported routing protocols at the time of this writing are BGP, OSPF and EIGRP.
On most routers, setting up any of those routing protocols is pretty straightforward, especially if you understand how the protocols work.
ACI is a bit of a different paradigm. Setting up an L3Out includes configuring a lot of different parts, and each part is easy to get wrong.
The goal of this post / tutorial is to provide a script that anybody can use to easily set up an L3Out, without necessarily fiddling with the parts I referred to above.
Before you can use the script, there are a few things you have to do. First I’ll talk about those requirements, then I’ll talk about how to use the script.
- Configure a Tenant
- Configure a VRF in that Tenant
- Configure Bridge Domains where you’ll be attaching the L3Out to
- The Bridge Domains from step 3 need to be in the same VRF as the L3Out (i.e. the VRF from step 2)
- Configure BGP Route Reflectors in ACI
I don’t think any one of these steps is really difficult, even if you have never used ACI before.
Naturally, you’ll also need to configure the external router you’ll be exchanging routes with.
The script assumes you’ll be connecting a trunked interface to ACI from this router, and you’ll be running OSPF. The OSPF interface type has to be broadcast.
The config snippet below is from a Nexus 9k running NX-OS. VLAN 55 exists on the switch and is carried on a trunk interface connected to ACI:
    interface vlan55
      no shutdown
      mtu 9216
      ip address 192.168.10.2/24
      ip ospf mtu-ignore
      ip router ospf 0 area 0.0.0.0
Below is a diagram showing what the setup would look like…
Running the Script
First of all, if you do anything with ACI, you should set up Python on your machine. Installing Python is outside the scope of this post, but you can look at the Cisco documentation for some pointers.
You’ll need to download the zip file at the end of this post. The following files should be in the zip file:
Copy the first 2 files into the same folder. This is the folder you’ll be running the script from. Now let’s talk about the files for a minute.
You should never have to do anything with the genericL3Out.py file, except run it. Of course, if you know what you are doing, you can go ahead and modify the file.
The configL3Out.yml file is the one you’ll always have to modify. This is where you lay out the parameters for your L3Out configuration. Below are the complete contents of the YAML file:
    USERNAME: <replace with your apic username>
    PASSWORD: <replace with your apic password>
    APIC_URL: "https://your apic url"
    TENANT: <replace with tenant name where L3Out will reside>
    VRF: <replace with VRF name>
    ROUTER_ID: <Your /32 router id>
    VLAN: <VLAN encapsulation>
    INT_IP: <Interface IP address>
    LEAF: <Leaf ID>
    PORT: <Port Number>
    L3OutName: "GenericL3Out"
    L3OutDomain: "GenericL3OutDom"
    NodeProfile: "GenericNodeProf"
You never have to change the last 3 parameters, but you are welcome to do so.
To avoid confusion, the sampleconfig.yml file contains a config with actual parameters filled out:
    USERNAME: "admin"
    PASSWORD: "myweakpassword"
    APIC_URL: "https://172.20.20.20"
    TENANT: "sampleTenant"
    VRF: "sampleVRF"
    ROUTER_ID: "10.55.55.55"
    VLAN: "55"
    INT_IP: "192.168.10.1/24"
    LEAF: "201"
    PORT: "1/1"
    L3OutName: "GenericL3Out"
    L3OutDomain: "GenericL3OutDom"
    NodeProfile: "GenericNodeProf"
- An L3Out Domain
- an AAEP
- a VLAN pool with a single VLAN (the one you specify in the YAML file)
- An Interface Policy Group
If you are using this in production, you almost certainly need to make changes to one or all of items 2-4 to include additional VLANs, domains or just interface configurations.
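As an added example (not part of the post or its zip file), here is a small Python pre-flight check for configL3Out.yml: it parses the flat KEY: value layout shown above, validates each parameter the way the APIC would expect it (host IP with prefix for INT_IP, plain /32 router ID, VLAN range, leaf and port shapes), and lets an APIC_PASSWORD environment variable (an assumed name) stand in for the plaintext PASSWORD in the file. It assumes the file stays flat with one key per line, as in the post.

```python
import ipaddress
import os
import re

# Keys configL3Out.yml must carry, as listed in the post.
REQUIRED = ("USERNAME", "PASSWORD", "APIC_URL", "TENANT", "VRF", "ROUTER_ID",
            "VLAN", "INT_IP", "LEAF", "PORT", "L3OutName", "L3OutDomain", "NodeProfile")

def parse_flat_yaml(text):
    """Parse the flat KEY: value layout of the file; quotes and # comments are dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def validate(cfg):
    """Return a list of problems; an empty list means the parameters are usable."""
    problems = [f"missing or empty key {k}" for k in REQUIRED if not cfg.get(k)]
    cfg = {k: cfg.get(k, "") for k in REQUIRED}  # so the checks below never KeyError
    if not cfg["APIC_URL"].startswith("https://"):
        problems.append("APIC_URL must use https://")
    try:
        ipaddress.IPv4Address(cfg["ROUTER_ID"])  # plain host address, e.g. 10.55.55.55
        iface = ipaddress.ip_interface(cfg["INT_IP"])
        if iface.network.prefixlen == 32 or iface.ip == iface.network.network_address:
            problems.append("INT_IP must be a host address with a prefix, e.g. 192.168.10.1/24")
    except ValueError as err:
        problems.append(f"bad address: {err}")
    if not cfg["VLAN"].isdigit() or not 1 <= int(cfg["VLAN"]) <= 4094:
        problems.append("VLAN must be an integer between 1 and 4094")
    for key, pattern in (("LEAF", r"\d+"), ("PORT", r"\d+/\d+")):
        if not re.fullmatch(pattern, cfg[key]):
            problems.append(f"{key} {cfg[key]!r} is malformed (expected e.g. 201 or 1/1)")
    return problems

def load_config(text, env=os.environ):
    """Parse, then validate; APIC_PASSWORD in the environment (assumed name) beats the file."""
    cfg = parse_flat_yaml(text)
    if env.get("APIC_PASSWORD"):
        cfg["PASSWORD"] = env["APIC_PASSWORD"]
    return cfg, validate(cfg)

# Constructed input: the sampleconfig.yml values quoted in the post.
SAMPLE = ('USERNAME: "admin"\nPASSWORD: "myweakpassword"\nAPIC_URL: "https://172.20.20.20"\n'
          'TENANT: "sampleTenant"\nVRF: "sampleVRF"\nROUTER_ID: "10.55.55.55"\nVLAN: "55"\n'
          'INT_IP: "192.168.10.1/24"\nLEAF: "201"\nPORT: "1/1"\nL3OutName: "GenericL3Out"\n'
          'L3OutDomain: "GenericL3OutDom"\nNodeProfile: "GenericNodeProf"\n')
```

Run `load_config(open("configL3Out.yml").read())` before invoking genericL3Out.py and stop if the returned problem list is non-empty; a network address in INT_IP or a bare "1/1" typed as "eth1/1" is caught here rather than as a cryptic APIC fault.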
That’s all. This should be enough to get your ACI connected to an external OSPF network. At some point in the future, maybe I’ll discuss the actual script and how all the parts work.
If any of this is confusing or if you have any questions, please feel free to reach out directly via email : nnanna at bluesodium dot com.