One of the best Videos on L3out. Simple and straight to the point.
Colin, I would appreciate a video on Service Graph (FW).
Very nice tutorial, Colin. It's worth mentioning the goofiness of L3 peering over VPC -- i.e., that packets from the OSPF border router will be sent out both interfaces regardless of which leaf SVI IP/MAC the router thinks it's sending to. For OSPF control plane, this means each leaf receives OSPF messages destined to the other leaf, so they must forward those via the fabric. For data plane, this means ACI uses the "peer gateway" hack so leaves can impersonate each other for L3 forwarding.
Frankly, I see no value in running three different link failover mechanisms at the same time (IGP, VPC, and LACP). Given VPC goofiness and LACP's vendor interop problems (timers, standby link, and "suspend individual" behavior), I really don't want my IGP relying on them.
So, by far the simplest and most universal approach should be to run your L3OUT IGP over multiple routed interfaces / subinterfaces.
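The design Craig describes, as an added example and not configuration from the video or from anyone in this thread: the border router uses two routed ports, one per ACI border leaf, each with its own OSPF adjacency, instead of a port-channel trunk carrying an SVI to a vPC pair. The interface names follow the 3650 posted further down; the /30 addressing, process number, area, router-id and BFD timers are assumptions chosen for illustration, and on the ACI side the matching logical interface profile would use a routed interface (or sub-interface) rather than an SVI on a vPC path.

```cisco
! Added example, not the configuration posted in this thread.
! Assumes an IOS/IOS-XE border router with two uplinks, one to each ACI
! border leaf. Each link is a routed port with a point-to-point OSPF
! adjacency, so failover depends on the IGP alone: no port-channel, no
! LACP, no vPC peer-gateway behaviour in the forwarding path.
! Addresses 100.0.1.0/30 and 100.0.2.0/30 are hypothetical.
!
interface TenGigabitEthernet1/1/3
 description Routed link to ACI border leaf 1 (L3Out)
 no switchport
 ip address 100.0.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 1
 bfd interval 250 min_rx 250 multiplier 3
 ip ospf bfd
!
interface TenGigabitEthernet1/1/4
 description Routed link to ACI border leaf 2 (L3Out)
 no switchport
 ip address 100.0.2.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 100 area 1
 bfd interval 250 min_rx 250 multiplier 3
 ip ospf bfd
!
router ospf 100
 router-id 1.1.1.1
 passive-interface default
 no passive-interface TenGigabitEthernet1/1/3
 no passive-interface TenGigabitEthernet1/1/4
 network 1.1.1.1 0.0.0.0 area 1
 default-information originate
!
```

The check that distinguishes the two designs: with routed ports, `show ip ospf neighbor` lists each leaf on its own interface, and shutting one port drops exactly that adjacency while the other keeps forwarding. With the SVI-over-port-channel design both leaves appear as neighbours on the single Vlan interface, and which physical link a given OSPF packet takes is decided by the port-channel hash, which is the behaviour Craig describes above. BFD on the routed ports is optional and platform-dependent, so treat those two lines as an assumption to verify against your hardware.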
Craig Weinhold, excellent observation.
The best tutorial on L3Out configuration. Thank you, sir.
Great explanation of L3Out in Cisco ACI. However, this video is intended for network engineers who already have some background knowledge about general networking and Cisco ACI.
Very nice explanation, it helped me a lot.
Sir, you made me very happy, thank you so much.
Excellent Videos. Thank you!!
Colin, thanks for such nice videos! You mentioned you have plans to create another video for shared L3Out? Thanks!
Hello, do you have a video on static L3Out? That implementation is more common, as typically the next hop is a static-only firewall.
Hi, thanks for the comment. No, I haven't done a static routed version, but it would be the same as this one: just don't tick a dynamic routing protocol, and then enter your relevant static routes under each node in the L3Out Node Profile.
@colinlynch1972 Thanks. Thanks for creating content that is fantastic. It does matter.
Hi, how can I practise L3Out in a home lab? What did you use for this video? Is hardware mandatory to practise and validate data path traffic?
Thanks for the video! Can you please share the configuration of the 3560G switch? In particular, I would like to see the vlan 100 SVI configuration, the port-channel configuration, and the T3 and T4 configurations. Thanks for your help in advance.
!
hostname C3650G
!
!
vlan 2740
name sdnlab
lldp run
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip mtu 1500
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
ip mtu 1500
!
!
interface Port-channel100
description Routed Link to ACI Fabric l3out
switchport trunk allowed vlan 100
switchport mode trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 172.22.140.51 255.255.255.0
negotiation auto
!
interface GigabitEthernet1/0/1
description Legacy Link to ACI Fabric l2out
switchport access vlan 2740
switchport trunk allowed vlan 2,3
switchport mode trunk
!
!
interface TenGigabitEthernet1/1/3
description Routed Link to ACI Fabric l3out
switchport trunk allowed vlan 100
switchport mode trunk
channel-group 100 mode active
!
interface TenGigabitEthernet1/1/4
description Routed Link to ACI Fabric l3out
switchport trunk allowed vlan 100
switchport mode trunk
channel-group 100 mode active
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
vrf forwarding Legacy
ip address 2.2.2.2 255.255.255.0
!
interface Vlan3
vrf forwarding Legacy
ip address 3.3.3.3 255.255.255.0
!
interface Vlan100
ip address 100.0.0.1 255.255.255.0
!
interface Vlan2740
ip address 172.22.140.240 255.255.255.0
!
router ospf 100
network 1.1.1.1 0.0.0.0 area 1
network 2.2.2.2 0.0.0.0 area 1
network 100.0.0.0 0.0.0.255 area 1
network 172.22.140.0 0.0.0.255 area 0
default-information originate
!
ip default-gateway 172.22.140.250
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.22.140.250
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 172.22.140.250
!
!
!
!
end
C3650G#
Thanks Much!!!!!!!!!!!
@5:15 can the AS be public?
You started talking about L3Out, but never explained WHAT L3Out is. No definition was given, therefore it is confusing!
Noted, thanks for the feedback and apologies for the confusion.