Route Profile & Route Map in Cisco ACI
This post consists of some notes from the Cisco ACI L3Out white paper.
Route-map type:
When a Route Profile is associated with a component such as an L3Out EPG or an L3Out subnet, the Match Rules from the Route Profile are merged into the internal route map for the component. The Route Profile Type option defines how APIC merges the configured Route Profile rules into a route map deployed from other APIC policies, such as an “Export Route Control Subnet” scope under the L3Out subnet.
- Match Prefix AND Routing Policy: This type will combine prefixes from the component that the Route Profile is associated with AND the match criteria configured in the Route Profile.
Example 1:
Example 2: The route map simply merges the prefixes from both objects, the Match Prefix and the Routing Policy.
- Match Routing Policy Only: This type will use only the match criteria configured in the Route Profile and ignore prefixes from the component to which the Route Profile is associated.
In this example, “Type Match Routing Policy Only” completely ignores the L3Out subnets with an “Export Route Control Subnet” scope. Hence, in this particular case, there is no point in configuring L3Out subnets with an “Export Route Control Subnet” scope.
Context:
- Order: Decides the order in which the context policies are applied. It is equivalent to a sequence number in a normal route map, but since the context is merged into implicit route maps, the actual sequence number will not be the same as this order number.
- Action: The permit or deny action was introduced in APIC Release 2.3(1); in some earlier releases, Set Rules was labeled Action. This is equivalent to permit or deny in a normal route map.
Route Profile under L3OUT external EPG:
In an L3Out EPG, the Route Profile under each L3Out is used to add Match and/or Set Rules to the internal route maps used for an “Export Route Control Subnet” or “Import Route Control Subnet” scope.
The Route Profile (Route map) is applied to all of the configured L3Out subnets with matching direction scope in this L3Out EPG.
Route Profile Direction: This decides which subnet type the Route Profile is applied to:
– Route Export Policy: The Route Profile is applied to subnets with “Export Route Control Subnet” scope.
– Route Import Policy: The Route Profile is applied to subnets with “Import Route Control Subnet” scope.
When a Route Profile is configured under an L3Out subnet, it is applied only to that particular subnet. If the subnet scope and the Route Profile direction do not match, the Route Profile is not applied.
Bridge Domain advertisement via Route map:
Note: On top of these two association levels, there is one more: a special Route Profile called default-export or default-import, which is applied to the entire L3Out and its associated BDs.
When Route Profiles are associated at multiple levels, the more granular scope takes priority: L3Out Subnet > L3Out EPG > default-export/import.
Example 1: Advertise BD via Route map (default-export & Match Prefix AND Routing Policy)
The Route Profile is default-export, and its type is “Match Prefix AND Routing Policy”. Hence, ACI applies the Route Profile to all subnets related to this L3Out 1, including the BD subnets with L3Out association and an “Advertise Externally” scope.
Example 2: Advertise BD via Route map (default-export & Match Routing Policy Only)
An interesting case is creating a default-export route map under the L3Out and selecting “Match Routing Policy Only”. Since default-export is applied to the entire L3Out and also to its BDs, a bridge domain advertised via the export scope or an L3Out association will not be exported unless its prefix is explicitly defined in the match prefix of the route map (export direction).
Because default-export with Match Routing Policy Only overrides any other rules related to L3Out 1, even the Bridge Domain association is ignored.
Note: A normal Route Profile (not default-export or default-import) with Match Routing Policy Only still lets the bridge domain be advertised, since a normal Route Profile is not applied to Bridge Domain associations.
At the same time, any route map (normal or default) can be used to advertise the BD subnet if the prefix is explicitly configured in the route map.
Apply Route Profiles to all possible routes:
There are multiple ways to apply Route Profiles to all possible routes:
- Use default-export/default-import with an Explicit Prefix List of 0.0.0.0/0 and the Aggregate option.
- Apply a custom Route Profile with an Explicit Prefix List of 0.0.0.0/0 and an Aggregate option to L3Out EPG (not applied to static routes, directly connected subnets, and BD subnets).
- Apply a custom Route Profile to L3Out EPG or L3Out subnet for 0.0.0.0/0 with an “Export/Import Route Control Subnet” scope and an “Aggregate Export/Import” option. (Supported only from APIC Release 4.2 onward.)
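As an added example (not code from the white paper or from APIC), the following Python model encodes the merge rules described above: how the two Route Profile types combine the component's prefixes with the profile's own match prefixes, why default-export with “Match Routing Policy Only” drops the BD subnet in Example 2 unless it is listed explicitly, and how a 0.0.0.0/0 entry with the Aggregate option covers all routes. The type strings, prefixes and function names are constructed assumptions.

```python
import ipaddress

# Constructed model of the merge rules described on this page; it is not
# APIC code, and the type strings and function names are assumptions.
MATCH_PREFIX_AND_POLICY = "Match Prefix AND Routing Policy"
MATCH_POLICY_ONLY = "Match Routing Policy Only"

def merged_export_entries(component_prefixes, profile):
    """Prefix entries of the merged internal export route map.

    component_prefixes: (prefix, aggregate) pairs from the object the profile is
      associated with: L3Out subnets with "Export Route Control Subnet" scope
      and, for default-export only, BD subnets with "Advertise Externally"
      scope plus an L3Out association.
    profile: {"type": ..., "match_prefixes": [(prefix, aggregate), ...]}
    """
    entries = list(profile.get("match_prefixes", []))
    if profile["type"] == MATCH_PREFIX_AND_POLICY:
        entries += list(component_prefixes)  # prefixes from both are merged
    return entries  # Match Routing Policy Only: component prefixes ignored

def is_exported(route, entries):
    """A route is advertised if an entry matches it exactly, or covers it
    when that entry carries the Aggregate option (e.g. 0.0.0.0/0 aggregate)."""
    net = ipaddress.ip_network(route)
    for prefix, aggregate in entries:
        entry = ipaddress.ip_network(prefix)
        if net == entry or (aggregate and net.subnet_of(entry)):
            return True
    return False

# Constructed inputs: a BD subnet associated with L3Out 1 and one L3Out subnet
# with "Export Route Control Subnet" scope; default-export has no prefix list.
BD_SUBNET = "10.1.1.0/24"
COMPONENT = [("192.168.0.0/24", False), (BD_SUBNET, False)]

def example1_prefix_and_policy():
    """Example 1: default-export, Match Prefix AND Routing Policy -> BD exported."""
    profile = {"type": MATCH_PREFIX_AND_POLICY, "match_prefixes": []}
    return is_exported(BD_SUBNET, merged_export_entries(COMPONENT, profile))

def example2_policy_only():
    """Example 2: default-export, Match Routing Policy Only -> BD NOT exported."""
    profile = {"type": MATCH_POLICY_ONLY, "match_prefixes": []}
    return is_exported(BD_SUBNET, merged_export_entries(COMPONENT, profile))

def example2_with_aggregate_default():
    """Policy Only plus an explicit 0.0.0.0/0 Aggregate entry exports everything."""
    profile = {"type": MATCH_POLICY_ONLY, "match_prefixes": [("0.0.0.0/0", True)]}
    return is_exported(BD_SUBNET, merged_export_entries(COMPONENT, profile))
```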
The recommended configuration: Default-export for simple routing control
The figure below illustrates an example of how the default-export Route Profile with the type “Match Routing Policy Only” simplifies the configuration to advertise subnets from the L3Out.
The default export route map can be used as a single source of controls for any subnet advertisements from the L3Out.
Note: The “Advertise Externally” scope in the BD subnet is still required.
With this approach, we are separating two functions:
- The L3Out EPG can focus on the security (contracts) management with an “External Subnets for the External EPG” scope for subnets that are learned via the L3Out.
- The Route map “default export/import” focuses on advertising the routes to the outside or importing the routes.
Note: L3Out shared service (VRF route leaking) still needs to be configured in the L3Out EPG.