V4ACIHostRoutingAdv 1

CamilloRossi,JohnWeston,TechnicalMarketingEngineer,DCNBU,31Jul2018,ACIHostBasedRoutingAdvertisement,InMulti-PodandMulti-SiteusecasescustomersmayconfiguredifferentL4/L7deviceclustersperpodorsiteEgresstrafficfromapodorsitewillpreferthelocalL3out.IngresstrafficcanarriveatL3outsineitherpodorsite.ThiscanleadtoAsymmetrictrafficflowswheretheingressandegresstrafficistakingadifferentpathresultinginFirewallsdroppingtheflow,Whyishostroutingfromborderleavesneeded?,IPN,WAN,L3Out-1WAN,L3Out-2WAN,BDSubnet192.168.0.1/24,Advertising192.168.0.0/24,Advertising192.168.0.0/24,192.168.0.100,192.168.0.100,CustomersUsingGOLF:GOLFisprimarilyusedbylargeSPsorlargeEnterprisecustomers15-20%customerBenefits:Auto-programmingofVRFsonGOLFrouters1BGP-EVPNsessionforallfabricVRFsVxLANdataplanehandofftoGOLFrouterEVPNroutetoL3VPNroutetranslationHostroutingWorkslikeacharmonceyougetitupIssues:ComplextodeployinreallifeespeciallywithOpflexASR9kteamONLYrecommendsManualGOLFandnotOpflexMissingmanybasicfeatures:Mcastvrfleakingtrustsec,etc,GOLFalreadysupportshostrouteadvertisement.WhynotuseGOLFforhostroutes?,InordertoensuretrafficsymmetryasofACI4.0itwillbepossibletoadvertisehostroutes(/32and/128)fromtheBorderLeavesThehostroutewillbeadvertisedonlyifthehostisconnectedtothelocalPODorlocalsite.IftheEPismovedawayfromthelocalPODorsite,oroncetheEPisremovedfromtheEPdatabase,therouteadvertisewillbewithdrawn.Remoteleafwilladvertisehostroutesforendpointsconnectedtotheremoteleafpairandthepodwheretheremoteleafisassociated.AddssupportforL3multicastwithhostbasedroutingusingregularL3Outs(SupportedonL3Outswithroutedandroutedsub-interfaces,notsupportedwithSVIinterfaces).SupportedRoutingProtocols:BGPOSPFEIGRP,Host-RouteAdvertisementOverview,SupportedonallCloudscaleandlaterswitches(EX/FX/FX2/FX3)Notsupportedon1stGenHardwareTestedborderleafhostscaleis30khostroutes(sumof/32and/128),HostBasedRoutingHW/Scale,HostRouteBehavior,Non-BorderLeaves,BorderLeaves,.1,.2,.3,.1,.2,10.1.10.0/24,10.1.20.0/24,BD1,BD2,AdvertiseHostRoutes:,AdvertiseHostRoutes:R,COOPOracles,COOPCitizens,HostRoutes,10.1.10.0/2410.1.10.1/3210.1.10.2/3210.1.10.3/32,Endpointinformationisstoredonspines(COOPOracles)inthefabric.WhenaBDisenabledwithHostRoutingtheborderleaveswilldownloadhostroutesfromthespinesOnlyendpointsthatcurrentlyintheCOOPdatabaseandlocaltothepod/sitearedownloadedNon-borderleavesdonotdownloadhostroutesfromspinesEnablingHostRoutingontheBridgeDomaindoesnotautomaticallyadvertisethehostroutesoutL3outsTheBDmustbeassociatedtotheL3outoranexplicitprefixlistmatchingthehostroutesmustbeconfiguredtoadvertisehostroutesoutofthefabric(existingbehaviorforBDsubnets),HostRouteBehavior,Non-BorderLeaves,BorderLeaves,.10,.11,.12,.1,.2,10.1.10.0/24,10.1.20.0/24,BD1,BD2,AdvertiseHostRoutes:,AdvertiseHostRoutes:R,COOPOracles,COOPCitizens,HostrouteswillappearasCOOProutesontheborderleafwithanexthopofNULL,HostRoutes,10.1.10.0/2410.1.10.10/3210.1.10.11/3210.1.10.12/32,HostroutesareaddedtotheRIBontheborderleafwhichallowstheroutestobeadvertisedoutoftheL3out.TheroutesarenotaddedtotheFIBsincetheyarenotrequiredforforwarding.ForwardingtotheNBLisbasedonthelearnedendpointinformation,WAN,ContractrequirementsforinstallingBDsubnetsandhostroutes,EPG,BD,10.1.10.0/24,L3OutExtEPG,AdvertiseExternally:R,RequirementstoadvertiseBDsubnetsoutanL3outBDsubnetmustbehavethe“AdvertiseExternally”optionenabled.BDmustbeassociatedtoanL3out(option1)L3outmusthaveexplicitroute-mapconfiguredmatchingBDsubnets(option2)TheremustbeacontractbetweentheEPGinthatBDandtheExternalEPGfortheL3outIfthereisnocontractbetweentheBD/EPGandtheExternalEPGtheBDsubnetandhostroutesmaynotbeinstalledontheborderleaf,C,Note:ContractrequirementforenforcedmodeVRFs.ContractnotrequiredifEPGandExtEPGareinapreferredgroup,WAN,Host-RouteDownloadMulti-PodandMulti-SiteandRemoteLeaf,IPN,Non-BorderLeaves,BorderLeaves,Non-BorderLeaves,BorderLeaves,192.168.10.1,192.168.10.20,192.168.10.5,192.168.10.8,192.168.10.1192.168.10.20,192.168.10.5192.168.10.8,192168.10.0/24192.168.10.1192.168.10.20,192168.10.0/24192.168.10.5192.168.10.8,BLsdownloadhostrouteslocaltothepodorsiteorremoteleafpair.TheCOOPendpointinformationincludesaflagthatindicatesifanendpointisremotetothepod/site/RL.ThisflagwillpreventremoteendpointsfrombeinginstalledashostroutesHostroutesareremovedfromtheBLwhentheendpointtimesoutormovesbetweenpods/sites/RL(vmotion),192.168.10.30,RL(Pod2),192168.10.0/24192.168.10.30,Pod2,Pod1,Configuration,ThisconfigurationisappliedonaperBridgeDomainlevelEnabled“HostBasedRouting”,GUIConfiguration,CLIConfiguration,apic1#configureapic1(config)#tenantapic1(config-tenant)#bridge-domainapic1(config-tenant-bd)#advertise-host-routesapic1(config-tenant-bd)#end,AdvertisingHostRouteOptions,AssociateBDtoL3outConfigureexplicitroute-mapunderL3outmatchingBDsubnetsBothoftheseoptionsaresupportedforhostrouteadvertisement,TwooptionsareavailabletoadvertiseroutesoutanL3out,Option1:AssociateBridgeDomaintoL3out,Option1:AssociateBridgeDomaintoL3out,BridgeDomain,Subnet:14.1.1.0/24,AdvertiseExternally:R,Subnet:15.1.1.0/24,AdvertiseExternally:R,L3Out,BDassociatedtoL3out,AssociatingtheBDtoanL3outautomatestheconfigurationoftheroute-mapfortheL3out.Theroute-mapconfiguredbythesystemwillmatchallBDsubnetsdefinedundertheBDthathaveAdvertiseExternallyTheroute-mapwillalsomatchallhostrouteswhenAdvertiseHostRoutesisenabledfortheBD.ThehostroutesadvertisedoutOSPFandEIGRPL3outswillincludethetag4294967295,AdvertiseHostRoutes:R,Explicitroutemapconfigurationallowsyoutoconfigurearoute-mapdirectlyundertheL3out.Theroutemapnamemustbedefault-exportforoutboundroutesRoute-mapscontaincontexts.Acontextisaroute-mapsequenceandcanbeapermitoradenyRoute-mapscancontainupto10contexts(0-9)Contextscontainmatchandsetrules.matchrulescanmatchipprefixesorBGPcommunitiessetrulescansettags,community,etcMatchandSetrulesaredefinedunderthetenantandcanbereusedacrossL3outs,Option2:explicitRouteMapoverview,AprefixmatchrulecanmatchoneormoreprefixesPrefixescanbeanexactmatchoranaggregatematchAnaggregatematchwillmatchtheroutewiththespecifiedmasklengthandalllongermasklengths(theprefix-listincludesthele32keyword)ThematchruleprefixescanmatchexternalroutesandBDroutesincludinghostroutesForOSPFandEIGRPL3outstheroute-mapisappliedatredistributionForBGPtheroute-mapisappliedonallBGPneighborsundertheL3outintheoutbounddirection,Option2:explicitRouteMapoverview,Option2:explicitRouteMaplogicalconfiguration,L3Out,Route-mapname:default-export,context0action:permit,matchrule:BD-subnetsmatchprefix10.1.1.0/24aggregatematchprefix10.2.2.0/24,route-mapdefault-exportpermit10matchipprefix-listBD-subnetsipprefix-listBD-subnetsseq110.1.1.0/24le32seq210.2.2.0/24,Logicalconfiguration,matchrule:BDsubnets,Switchroute-map*,actualroute-map/prefixlistnameswillbeinternallygenerated,Option2:Configuration:Route-Mapdefinition,route-mapsequence,Option2:Route-Map:MatchRuleconfiguration,HomesiteadvertisesBDsubnetrouteBackupsiteadvertisesonlyhostroutes,ExplicitRouteMapUsecaseexample,192.168.0.10,.11,.12,Explicitroute-mapforL3out1matchesBDsubnetonly(noaggregate),Explicitroute-mapforL3out2hostroutes(aggregateoption),RequiresseparateL3outsperpod,RouteMapUseCaseConfigurationexample,PermitBDsubnet,DenyBDsubnet,PermitBDhosts,L3Out1,L3Out2,SharedL3Out,HostbasedroutingissupportedforsharedL3outBorderlea