CISCO ACI L3OUT EXPLAINED
Victor Mahdal
Manager / Team Lead / Network Cloud DC DevOps Engineer / Solution Architect
The ACI fabric is formed from multiple components. Some of these components include bridge domains (BDs) and endpoint groups (EPGs) to provide Layer 2 (L2) connectivity or default gateway functions for a group of endpoints. Another one is the Layer 3 Out (L3Out, or external routed network in the Cisco APIC GUI prior to APIC Release 4.2), which provides Layer 3 (L3) connectivity between servers connected to ACI and other network domains outside of the ACI fabric through a routing protocol or static routes.
Cisco ACI was originally built to be a stub network in a data center to manage endpoints. The ACI Layer 3 Out (L3Out) was initially designed only as a border between the stub network formed by ACI and the rest of the network, such as intranet, Internet, WAN, etc., not as a transit network.
Basic components of L3Out
The L3Out provides the necessary configuration objects for five key functions:
1. Learn external routes via routing protocols (or static routes)
2. Distribute learned external routes (or static routes) to other leaf switches
3. Advertise ACI internal routes (BD subnets) to outside ACI
4. Advertise learned external routes to other L3Outs (Transit Routing)
5. Allow traffic to arrive from or be sent to external networks via L3Out by using a contract
L3OUT - process
Root component of L3Out
L3Out contains components called Logical Node/Interface Profile and Networks as its child objects. The details for each child component will be covered in each section later. Instead, this section covers the root component of L3Out.
In the root component of the L3Out, the most important configurations are the VRF, the external routed domain, and the routing protocol.
● VRF
This is the VRF on which the L3Out and its routing protocol are deployed. This could be a VRF in the same tenant or a VRF in the common tenant.
● External routed domain
This is the domain that allows the L3Out to use a set of interfaces and VLANs. The domain itself is configured under “Fabric > Access Policies > Physical and External Domains > External Routed Domains” along with the VLAN pool and the Attachable Access Entity Profile (AEP).
● Routing protocol
This is the routing protocol that is deployed with the L3Out on the node and interface specified by the Logical Node/Interface Profile. Cisco ACI allows only one routing protocol per L3Out, with one exception: BGP and OSPF can be configured in the same L3Out so that OSPF can serve as the IGP for BGP. Once the routing protocol is selected, parameters such as the OSPF area number or the EIGRP AS number show up in the same window. The details of each routing protocol's parameters are covered in each routing protocol section later (BGP, OSPF, and EIGRP).
L3Out bridge domain
When an L3Out SVI is instantiated, Cisco ACI creates a bridge domain (BD) internally for the SVI to provide a Layer 2 flooding domain. This BD is called the L3Out BD or external BD, and is not visible to the user as a normal BD in APIC. An L3Out BD is created internally for each access-encap VLAN for an L3Out SVI, while a normal BD can contain multiple access-encap VLANs all mapped to the same flooding domain. This L3Out BD may span across multiple border leaf switches if other border leaf switches also use the same access-encap VLAN for the L3Out SVI in the same L3Out.
L3Out Transit Routing
Transit Routing was introduced in APIC Release 1.1(1). This is a feature to allow the ACI fabric to be a transit network by advertising external routes that were learned from one external routing domain to another. Prior to this feature, the ACI fabric was meant to be a pure stub network. The “Export Route Control Subnet” scope under the L3Out EPG subnet was introduced for this feature. It is located under “Tenant > Networking > External Routed Networks > L3Out > Networks > L3Out EPG > Subnets”.
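The root-component rules above (one VRF, one external routed domain, one routing protocol per L3Out with the BGP+OSPF exception) and the Export Route Control scope used for transit routing are easy to get wrong when L3Outs are generated by automation rather than clicked through the GUI. The following is an added example, not code from the article or from Cisco: it models an L3Out definition, validates it against those rules before anything is pushed to APIC, lists which L3Out EPG subnets will be advertised outward (transit routing), and assembles the APIC-style JSON tree. The APIC class names (l3extOut, l3extRsEctx, l3extRsL3DomAtt, bgpExtP, ospfExtP, eigrpExtP, l3extInstP, l3extSubnet) and the "export-rtctrl" scope string follow the APIC object model as I know it and should be verified against your own APIC's API Inspector; the tenant, VRF, domain and prefix values are constructed.

```python
"""Added example: validate and assemble a Cisco ACI L3Out root component.

Assumptions: APIC object class and attribute names are as I know them from the
APIC object model (verify with the API Inspector); all tenant/VRF/domain/prefix
values below are constructed sample data.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List

# The article's rule: one routing protocol per L3Out, except BGP together with
# OSPF (OSPF acting as the IGP for BGP).
ALLOWED_PROTOCOL_SETS = [{"bgp"}, {"ospf"}, {"eigrp"}, {"bgp", "ospf"}]

# Subnet scope that makes the fabric re-advertise a learned prefix outward.
EXPORT_ROUTE_CONTROL = "export-rtctrl"


@dataclass
class L3OutSpec:
    tenant: str
    name: str
    vrf: str            # VRF in the same tenant or in the common tenant
    domain: str         # external routed domain (L3 domain)
    protocols: List[str]
    # L3Out EPG subnet prefix -> list of scope strings, e.g. "import-security"
    ext_epg_subnets: Dict[str, List[str]] = field(default_factory=dict)
    ospf_area: str = "backbone"
    eigrp_asn: int = 0


def validate_l3out(spec: L3OutSpec) -> List[str]:
    """Return a list of problems; an empty list means the spec obeys the rules."""
    problems = []
    if not spec.vrf:
        problems.append("VRF is required")
    if not spec.domain:
        problems.append("external routed domain is required")
    protos = set(spec.protocols)
    if protos not in ALLOWED_PROTOCOL_SETS:
        problems.append(
            "only one routing protocol per L3Out (BGP+OSPF excepted); got %s"
            % sorted(protos))
    if "eigrp" in protos and spec.eigrp_asn <= 0:
        problems.append("EIGRP requires an AS number")
    return problems


def transit_subnets(spec: L3OutSpec) -> List[str]:
    """Prefixes whose scope includes Export Route Control, i.e. the routes this
    L3Out will advertise to its external domain (transit routing)."""
    return sorted(p for p, scopes in spec.ext_epg_subnets.items()
                  if EXPORT_ROUTE_CONTROL in scopes)


def build_payload(spec: L3OutSpec) -> dict:
    """Assemble the APIC-style JSON tree for the L3Out root component."""
    children = [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": spec.vrf}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": "uni/l3dom-%s" % spec.domain}}},
    ]
    if "bgp" in spec.protocols:
        children.append({"bgpExtP": {"attributes": {}}})
    if "ospf" in spec.protocols:
        children.append({"ospfExtP": {"attributes": {"areaId": spec.ospf_area}}})
    if "eigrp" in spec.protocols:
        children.append({"eigrpExtP": {"attributes": {"asn": str(spec.eigrp_asn)}}})
    subnets = [
        {"l3extSubnet": {"attributes": {"ip": prefix, "scope": ",".join(scopes)}}}
        for prefix, scopes in spec.ext_epg_subnets.items()
    ]
    children.append({"l3extInstP": {"attributes": {"name": spec.name + "-EPG"},
                                    "children": subnets}})
    return {"l3extOut": {
        "attributes": {"name": spec.name,
                       "dn": "uni/tn-%s/out-%s" % (spec.tenant, spec.name)},
        "children": children}}


# Constructed sample: a WAN L3Out using OSPF as IGP for BGP, importing the
# default route and re-advertising one learned prefix outward.
SAMPLE = L3OutSpec(
    tenant="Tenant-A", name="L3Out-WAN", vrf="VRF-Prod", domain="L3Dom-WAN",
    protocols=["bgp", "ospf"], ospf_area="0.0.0.1",
    ext_epg_subnets={"0.0.0.0/0": ["import-security"],
                     "10.20.0.0/16": [EXPORT_ROUTE_CONTROL]})

if __name__ == "__main__":
    print("problems:", validate_l3out(SAMPLE))
    print("transit prefixes:", transit_subnets(SAMPLE))
    print(json.dumps(build_payload(SAMPLE), indent=2))
```

Running the validator in a CI step before the payload reaches APIC catches the two mistakes the article warns about most directly: a second protocol silently added to an L3Out, and a prefix exported outward without anyone intending the fabric to become transit for it.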
For more information on L3OUT go to >
Network Engineer at Worcester county council
8 months: good explanation
Sr. Network Automation Engineer at Thryv | 3x CCNP | AWS Advanced Networking | Master's Degree in Project Management
1 year: Great post.
Manager / Team Lead / Network Cloud DC DevOps Engineer / Solution Architect
1 year: thanks guys for liking my posts - keep going, learn new tech