Cisco ACI L3OUT Subnet Scopes [Explained]

Scopes

All three scopes here (Export, Import, and Shared) create an IP prefix-list with the specified subnet on a border leaf. Hence, these scopes affect only a route with an exact match. If you configure a subnet as 10.0.0.0/8 with these scopes, ACI applies the configuration to 10.0.0.0/8 but not to 10.0.0.0/16. If the requirement is to match multiple subnets with one configuration entry, you need to use the Aggregate option for each scope. Please note that the Aggregate option for the Export and Import scopes is supported only for the 0.0.0.0/0 subnet.

I- Export Route Control Subnet:

Advertising external routes to outside (Transit Routing) can be achieved with a single check box “Export Route Control Subnet” scope in L3Out Subnet (Tenant > Networking > External Routed Networks > L3Out > Networks > L3Out EPG > Subnets).

  • Transit routing case:

When this scope “Export Route Control Subnet” is selected, a route-map rule is created on the border leaf switches to redistribute the configured subnet from other L3Outs (routing protocol or static route) into the routing protocol for this L3Out. The redistribution happens from MP-BGP when the two L3Outs are on different border leaf switches.

If the two L3Outs are on the same border leaf, redistribution happens directly between the routing protocols for each L3Out. If the two L3Outs use the same routing protocol on the same border leaf, other methods than redistribution are used.

Since the route-map rule uses an IP prefix-list, the subnet with “Export Route Control Subnet” scope needs to be exactly the same as what is in the routing protocol database.

  • BD Advertisement use case:

This scope is to advertise (export) a subnet from ACI to the outside via an L3Out. Although this scope is mainly for Transit Routing, it could also be used to advertise a BD subnet.

Note

An external route with “Export Route Control Subnet” scope is advertised from the configured L3Out. This scope should not be configured on an L3Out that is learning the same route, because it would mean the L3Out tries to advertise the route back to its learning source. This could potentially cause a loop.


II- Import Route Control Subnet

This scope is about learning (importing) an external subnet from an L3Out. By default, a border leaf learns any routes from a routing protocol. Enforcement of this scope (“Import Route Control Enforcement”) is enabled at the L3Out level.

This scope is to be configured on an L3Out that is learning the subnet if you need to limit external routes learned via OSPF and BGP. This option is not available for EIGRP.

Once “Import Route Control Enforcement” is enabled on an OSPF L3Out, a border leaf uses a table map with an IP prefix-list for the subnet with “Import Route Control Subnet” so that only those subnets can be used in the routing table even though the routes may be in the OSPF LSDB on a border leaf.

When this scope is enabled on a BGP L3Out, a border leaf uses an inbound route-map with an IP prefix-list for the subnet with “Import Route Control Subnet” against all BGP peers in the L3Out. Hence, only the configured routes can be learned in the BGP table in the first place.

III- Shared Route Control Subnet

This scope is to leak an external subnet to another VRF. ACI uses MP-BGP and route target to leak an external route from one VRF to another. This scope creates an IP prefix-list with the subnet, which is used as a filter to export/import routes with the route target in MP-BGP.

You should configure this scope on an L3Out that is learning the subnet in the original VRF.


Classifications

I- External Subnets for the External EPG:

“External Subnets for the External EPG” does not have any impact on the routing table. It simply defines how to classify traffic based on the source or destination IP address in order to apply a contract. Even when the routing table has only a default route 0.0.0.0/0, users can still configure more specific subnets, such as 20.0.0.0/8 with “External Subnets for the External EPG” in L3Out EPG1.

The matching is based on a longest prefix match (LPM). For example, a packet with source IP 20.1.1.1 will be classified into L3Out EPG1 due to 20.0.0.0/8 with the “External Subnets for the External EPG” scope.

When a traffic IP does not match any of the subnets in the “External Subnets for the External EPG” scope in the VRF, the traffic will likely be dropped as there is no L3Out EPG with a contract in the VRF for the IP.

Note

Please note that this scope is per VRF instead of per L3Out. Hence, even if subnet 10.0.0.0/8 is learned from L3Out A and traffic with source IP 10.0.0.1 arrives from L3Out A, the traffic could be classified into an L3Out EPG under L3Out B (let’s call it L3Out EPG B) if, for some reason, L3Out EPG B has 10.0.0.0/8 with the “External Subnets for the External EPG” scope instead of L3Out EPG A.


II- Shared Security Import Subnet:

This scope is used to allow packets with the configured subnet when the packets cross VRFs via an L3Out. A route in the routing table is leaked to another VRF with “Shared Route Control Subnet”, as mentioned above. However, the other VRF does not yet know which EPG the leaked route should belong to.

The “Shared Security Import Subnet” scope informs the other VRF of the L3Out EPG that the leaked route belongs to. Thus, this scope can be used only when the “External Subnets for the External EPG” scope is also used; otherwise, the original VRF doesn’t know which L3Out EPG the subnet belongs to either. The APIC GUI blocks the configuration if “Shared Security Import Subnet” is configured without “External Subnets for the External EPG”. This scope also uses a longest prefix match.
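The two matching behaviours described above (exact-match prefix-lists for the route control scopes, versus per-VRF longest prefix match for the classification scopes) are modelled in this added Python example, which is not code from the article or from Cisco. The EPG names and the VRF table are constructed for illustration; the assumption that Shared Route Control accepts Aggregate on prefixes other than 0.0.0.0/0 is the author's, since the article states the restriction only for Export and Import.

```python
from __future__ import annotations
import ipaddress
from typing import Optional

Net = ipaddress.IPv4Network


def route_control_matches(scope_subnet: str, route: str, aggregate: bool = False) -> bool:
    """Export/Import/Shared Route Control build an IP prefix-list on the border leaf.
    Without Aggregate only an exact prefix match counts (10.0.0.0/8 does not cover
    10.0.0.0/16); with Aggregate any more-specific route inside the subnet matches."""
    scope, rt = Net(scope_subnet), Net(route)
    return rt.subnet_of(scope) if aggregate else rt == scope


def aggregate_allowed(scope: str, subnet: str) -> bool:
    """Aggregate is supported only with 0.0.0.0/0 for the Export and Import scopes.
    Assumption (not stated in the article): Shared Route Control accepts any subnet."""
    if scope in ("export", "import"):
        return Net(subnet) == Net("0.0.0.0/0")
    return True


def classify_external_epg(vrf_subnets: dict[str, list[str]], ip: str) -> Optional[str]:
    """'External Subnets for the External EPG' classification: longest prefix match
    over every L3Out EPG in the VRF. The ingress L3Out is deliberately not an input,
    because the scope is per VRF, not per L3Out. None means no EPG matched, so no
    contract can apply and the traffic is dropped."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[tuple[int, str]] = None
    for epg, subnets in vrf_subnets.items():
        for s in subnets:
            net = Net(s)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, epg)
    return best[1] if best else None


# Constructed VRF: 10.0.0.0/8 is learned via L3Out A but, as in the article's note,
# it is configured as an external subnet under L3Out EPG B instead of L3Out EPG A.
VRF_EXAMPLE = {
    "L3Out_EPG_A": ["20.0.0.0/8"],
    "L3Out_EPG_B": ["10.0.0.0/8"],
    "L3Out_EPG_Default": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    print(classify_external_epg(VRF_EXAMPLE, "10.0.0.1"))   # L3Out_EPG_B
    print(route_control_matches("10.0.0.0/8", "10.0.0.0/16"))  # False: exact match only
```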

Bilel-A

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5