Guidelines for Layer 3 Networking
Use the following guidelines when creating and maintaining Layer 3 outside connections.
| Topic | Caution or Guideline |
|---|---|
| Border leaf switch in a vPC pair forwards a BGP packet with an incorrect VNID to an on-peer learned endpoint | If the following conditions exist in your configuration: If the endpoint is on-peer learned on the ingress leaf switch that receives a BGP packet destined to that endpoint, the transit BGP session might fail to establish between the first Layer 3 switch behind the L3Out and the on-peer learned endpoint on the second leaf switch of the vPC pair. This happens because the transit BGP packet (TCP port 179) is forwarded with the bridge domain VNID instead of the VRF VNID. To resolve the issue, move the endpoint to a leaf switch that is not a vPC peer of the ingress leaf switch, so that it is no longer on-peer learned there. |
| Border leaf switches and GIR (maintenance) mode | If a border leaf switch has a static route and is placed in Graceful Insertion and Removal (GIR) mode, also called maintenance mode, the route from the border leaf switch might not be removed from the routing tables of the other switches in the ACI fabric, which causes routing issues. To work around this issue, either: |
| L3Out aggregate stats do not support egress drop counters | When you open the Select Stats window through , you will see that L3Out aggregate stats do not support egress drop counters. There is currently no hardware table in the ASICs that records egress drops from the EPG VLAN, so these counters are never populated. Only ingress drops for the EPG VLAN are counted. |
| Updates through CLI | For Layer 3 external networks created through the API or GUI and later updated through the CLI, the routing protocols must be enabled globally on the external network through the API or GUI, and the node profile for all participating nodes must be added through the API or GUI, before any further updates are made through the CLI. |
| Loopbacks for Layer 3 networks on the same node | When configuring two Layer 3 external networks on the same node, the loopbacks must be configured separately for each Layer 3 network. |
| Ingress-based policy enforcement | Starting with Cisco APIC release 1.2(1), ingress-based policy enforcement lets you choose whether policy for Layer 3 Outside (L3Out) traffic is enforced in the ingress or the egress direction. The default is ingress. During an upgrade to release 1.2(1) or later, existing L3Out configurations are set to egress so that their behavior stays consistent with the existing configuration; no special upgrade sequence is needed. After the upgrade, you change the global property value to ingress. Once it has been changed, the system reprograms the rules and prefix entries: rules are removed from the egress leaf and installed on the ingress leaf, if not already present. If not already configured, an |
| Bridge domains with L3Outs | A bridge domain in a tenant can contain a public subnet that is advertised through an |
| Bridge domain route advertisement for OSPF and EIGRP | When both OSPF and EIGRP are enabled on the same VRF on a node, a bridge domain subnet that is advertised out of one of the L3Outs is also advertised by the protocol enabled on the other L3Out. For OSPF and EIGRP, bridge domain route advertisement is per VRF, not per L3Out. The same behavior applies when multiple OSPF L3Outs (for multiple areas) are enabled on the same VRF and node: if the bridge domain route is enabled on one area, it is advertised out of all the areas. |
| BGP maximum prefix limit | Starting with Cisco APIC release 1.2(1x), tenant policies for BGP |
| MTU | |
| QoS for L3Outs | To configure QoS policies for an L3Out and have the policies enforced on the border leaf (BL) switch where the L3Out is located, use the following guidelines: |
| ICMP settings | ICMP redirect and ICMP unreachable messages are disabled by default in Cisco ACI to protect the switch CPU from having to generate these packets. |
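As an added example (not from the Cisco guide), the following Python script audits an APIC class-query dump for two of the rows above: VRFs whose policy enforcement direction is still `egress` after an upgrade (the "Ingress-based policy enforcement" row), and bridge domains with public subnets that are associated with one OSPF or EIGRP L3Out and will, per the "Bridge domain route advertisement for OSPF and EIGRP" row, also be advertised by every other OSPF or EIGRP L3Out in the same VRF. It assumes the JSON shape APIC returns for `GET /api/class/<class>.json?rsp-subtree=full` (an `imdata` list of objects keyed by class, each with `attributes` and optional `children`), that the enforcement direction is the VRF's `pcEnfDir` attribute, and that the VRF, subnet and L3Out associations are the `fvRsCtx`, `fvSubnet`, `fvRsBDToOut` and `l3extRsEctx` objects; the sample dump is constructed, not captured from a fabric. The BD check works at VRF level and so over-approximates the guideline, which applies when the protocols share a node; treat its hits as candidates to confirm per node.

```python
import json
from collections import defaultdict

# Constructed sample of an APIC class-query response (not captured from a real fabric).
# Assumed shape: {"imdata": [{"<class>": {"attributes": {...}, "children": [...]}}, ...]}
SAMPLE_DUMP = json.dumps({
    "totalCount": "7",
    "imdata": [
        {"fvCtx": {"attributes": {"dn": "uni/tn-prod/ctx-vrf-a", "name": "vrf-a",
                                  "pcEnfDir": "egress", "pcEnfPref": "enforced"}}},
        {"fvCtx": {"attributes": {"dn": "uni/tn-prod/ctx-vrf-b", "name": "vrf-b",
                                  "pcEnfDir": "ingress", "pcEnfPref": "enforced"}}},
        {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-web", "name": "web"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf-a"}}},
                      {"fvSubnet": {"attributes": {"ip": "10.1.1.1/24", "scope": "public"}}},
                      {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "ospf-core"}}}]}},
        {"fvBD": {"attributes": {"dn": "uni/tn-prod/BD-db", "name": "db"},
                  "children": [
                      {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf-b"}}},
                      {"fvSubnet": {"attributes": {"ip": "10.2.2.1/24", "scope": "private"}}}]}},
        {"l3extOut": {"attributes": {"dn": "uni/tn-prod/out-ospf-core", "name": "ospf-core"},
                      "children": [
                          {"l3extRsEctx": {"attributes": {"tnFvCtxName": "vrf-a"}}},
                          {"ospfExtP": {"attributes": {"areaId": "0.0.0.0"}}}]}},
        {"l3extOut": {"attributes": {"dn": "uni/tn-prod/out-eigrp-dc", "name": "eigrp-dc"},
                      "children": [
                          {"l3extRsEctx": {"attributes": {"tnFvCtxName": "vrf-a"}}},
                          {"eigrpExtP": {"attributes": {"asn": "65010"}}}]}},
        {"l3extOut": {"attributes": {"dn": "uni/tn-prod/out-bgp-wan", "name": "bgp-wan"},
                      "children": [
                          {"l3extRsEctx": {"attributes": {"tnFvCtxName": "vrf-a"}}},
                          {"bgpExtP": {"attributes": {}}}]}},
    ],
})

# Protocols for which the guide says BD route advertisement is per VRF, not per L3Out.
IGP_EXT_CLASSES = {"ospfExtP", "eigrpExtP"}


def load_dump(text):
    """Parse an APIC JSON response and return its list of managed objects."""
    return json.loads(text)["imdata"]


def _objects(dump, cls):
    """Yield the {attributes, children} body of every top-level object of class cls."""
    for mo in dump:
        if cls in mo:
            yield mo[cls]


def _children(mo, cls):
    """Yield the body of each direct child of mo whose class is cls."""
    for child in mo.get("children", []):
        if cls in child:
            yield child[cls]


def vrfs_still_egress(dump):
    """DNs of VRFs whose policy control enforcement direction is still 'egress'."""
    return sorted(ctx["attributes"]["dn"] for ctx in _objects(dump, "fvCtx")
                  if ctx["attributes"].get("pcEnfDir") == "egress")


def igp_l3outs_by_vrf(dump):
    """Map VRF name -> names of the L3Outs in that VRF that run OSPF or EIGRP."""
    by_vrf = defaultdict(set)
    for out in _objects(dump, "l3extOut"):
        protocols = {cls for child in out.get("children", []) for cls in child
                     if cls in IGP_EXT_CLASSES}
        if not protocols:
            continue  # BGP-only or static L3Outs are not covered by the per-VRF rule
        for ectx in _children(out, "l3extRsEctx"):
            by_vrf[ectx["attributes"]["tnFvCtxName"]].add(out["attributes"]["name"])
    return by_vrf


def bd_advertisement_leaks(dump):
    """Map BD dn -> other OSPF/EIGRP L3Outs in its VRF that will also advertise its public subnets.

    A BD is flagged when it has a public subnet, is associated with at least one OSPF/EIGRP
    L3Out, and the same VRF has further OSPF/EIGRP L3Outs the BD is not associated with.
    """
    igp_outs = igp_l3outs_by_vrf(dump)
    leaks = {}
    for bd in _objects(dump, "fvBD"):
        # fvSubnet.scope may be a comma-separated list such as "public,shared".
        public = any("public" in s["attributes"].get("scope", "").split(",")
                     for s in _children(bd, "fvSubnet"))
        if not public:
            continue
        vrf = next((c["attributes"]["tnFvCtxName"] for c in _children(bd, "fvRsCtx")), None)
        attached = {c["attributes"]["tnL3extOutName"] for c in _children(bd, "fvRsBDToOut")}
        vrf_igp = igp_outs.get(vrf, set())
        if attached & vrf_igp:
            extra = sorted(vrf_igp - attached)
            if extra:
                leaks[bd["attributes"]["dn"]] = extra
    return leaks


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    print("VRFs still at egress enforcement:", vrfs_still_egress(dump))
    for bd_dn, outs in bd_advertisement_leaks(dump).items():
        print(f"{bd_dn}: public subnets also advertised by {', '.join(outs)}")
```

To run it against a real fabric, replace `SAMPLE_DUMP` with the concatenated `imdata` of class queries for `fvCtx`, `fvBD` and `l3extOut` (with `rsp-subtree=full`); the two audit functions only read the attributes named above.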