Configure Route Control in ACI

Introduction

This document describes the configuration of Route Control in Application Centric Infrastructure (ACI).

Prerequisites

Requirements

• L3out must be configured:  L3out Configuration Guide
• Bridge Domain configured as layer 3: Bridge Domain Configuration
• Multi-site configured: Multisite Configuration

Components Used

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configuration

All supported routing protocols base the route map for route control configuration on the same premises:

1. Configure a Route Map
2. Establish set and match criteria
3. Apply Route Map accordingly

Navigate to Tenant > TENANT_NAME > Networking > L3out > L3OUT_NAME > Route Map for Import and Export Route Control.

Right-click on the folder or use the tools button to Create Route Map for Import and Export Route Control.

By default, an import and export route control exists already. If you would like to edit these, just select them from the drop-down menu in the Name field.

These default route controls are mainly applied for route re-distribution and VRF leaking. For the special case of the import route control, L3out must be marked as Import on Route Control Enforcement option.

To create a new one, manually input the desired name in the Name field.

• Match Prefix AND Routing Policy —This option matches a configured prefix list and a route policy defined.

• Match Routing Policy Only — This option matches the global destination route and only defines a policy to be applied.

Click the Plus ( + ) button to create a new context that creates the actual route map policy.

• Match Rule — Matches the set of attributes (prefix list, communities for BGP, or regular expressions) to where the rules are to be applied.

• Set Rule — Applies a set of instructions to the attributes specified on the Match Rule:

From this step, the rules to be applied need to match the protocol routing decision.

OSPF

By default, ACI advertises the OSPF route with an external type 2 and a metric of 20.

You can change these attributes as follows:

The metric value is summed up to the cost of the interface in the peer router:

Router# show ip route ospf-1 vrf vrf_test
IP Route Table for VRF "vrf_test"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.0/24, ubest/mbest: 2/0
*via 10.46.0.1, Vlan481, [110/45], 00:06:04, ospf-1, type-1, tag 4294967295
*via 10.46.0.2, Vlan481, [110/45], 00:06:05, ospf-1, type-1, tag 4294967295

Router#

EIGRP

With this method, for EIGRP the only parameter configurable to alter route selection is the Metric, same that is added to the Diiffusal Update Algorithm (DUAL)

Leaf# show ip eigrp topology vrf Test:Test_VRF
EIGRP Topology Table for AS(1818)/ID(192.168.10.1) VRF Test:Test_VRF

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.10.10.0/24, 1 Successors, FD is 51200, tag is 4294967295
via Rconnected(51200/0)
Leaf# ! After applying route-map
Leaf# 
Leaf# show ip eigrp topology vrf Test:Test_VRF
EIGRP Topology Table for AS(1818)/ID(192.168.10.1) VRF Test:Test_VRF

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 10.10.10.0/24, 1 Successors, FD is 51200, tag is 4294967295
via Rconnected(5145600/0)
Leaf#

BGP

Must of the BGP attributes can be configured according to requirement needs:

ACI validation

To validate in the ACI command line interface (CLI), each protocol is assigned to a default name that includes the VRF VNID:

Leaf# show vrf Test:Test_VRF detail extended
VRF-Name: Test:Test_VRF, VRF-ID: 23, State: Up
VPNID: unknown
RD: 103:2686981
Max Routes: 0 Mid-Threshold: 0
Encap: vxlan-2686981
Table-ID: 0x80000017, AF: IPv6, Fwd-ID: 0x80000017, State: Up
Table-ID: 0x00000017, AF: IPv4, Fwd-ID: 0x00000017, State: Up

Leaf#

To validate route maps applied to each protocol, run:

• OSPF
  
  

Leaf# show ip ospf vrf Test:Test_VRF | egrep route-map
Table-map using route-map exp-ctx-2686981-deny-external-tag
bgp route-map exp-ctx-proto-2686981
eigrp route-map exp-ctx-proto-2686981
static route-map exp-ctx-st-2686981
direct route-map exp-ctx-st-2686981
coop route-map exp-ctx-st-2686981
Leaf# 

• EIGRP
  
  

Leaf# show ip eigrp vrf Test:Test_VRF | egrep route-map
static route-map exp-ctx-st-2686981
ospf-default route-map exp-ctx-proto-2686981
direct route-map exp-ctx-st-2686981
coop route-map exp-ctx-st-2686981
bgp-64512 route-map exp-ctx-proto-2686981
Tablemap: route-map exp-ctx-2686981-deny-external-tag , filter-configured

Leaf#

• BGP
  
  

Leaf# show bgp process vrf Test:Test_VRF | egrep route-map
static, route-map imp-ctx-bgp-st-interleak-2686981
ospf, route-map permit-all
direct, route-map imp-ctx-bgp-direct-interleak-2686981
coop, route-map exp-ctx-coop-bgp-2686981
direct, route-map permit-all

Leaf#

With the correct route-map identified, its content can be displayed:

Leaf# show route-map exp-ctx-st-2686981
route-map exp-ctx-st-2686981, deny, sequence 1 
Match clauses:
tag: 4294967294 
Set clauses:
route-map exp-ctx-st-2686981, permit, sequence 8201 
Match clauses:
ip address prefix-lists: IPv4-st63-2686981-exc-ext-out-Test2RM-Context0RM-MatchRule-dst 
ipv6 address prefix-lists: IPv6-deny-all 
Set clauses:
tag 4294967295 
metric 5 
metric-type type-1 
route-map exp-ctx-st-2686981, permit, sequence 15801 
Match clauses:
tag: 4294967292 
Set clauses:
tag 0 
route-map exp-ctx-st-2686981, permit, sequence 15802 
Match clauses:
tag: 4294967291 
Set clauses:
tag 4294967295 
route-map exp-ctx-st-2686981, permit, sequence 15804 
Match clauses:
ip address prefix-lists: IPv4-st63-2686981-exc-int-inferred-export-dst 
ipv6 address prefix-lists: IPv6-deny-all 
Set clauses:
tag 0

Leaf#

Several entries for route maps are created by default, including the default deny for all routes that match tag 4294967294. The tag value is set by ACI border leaf switches to avoid route loops. This is the only value on a route-map that cannot be modified unless is changed at the VRF level.

The prefix list created by the Match Rule policy can be displayed:

Leaf# show ip prefix-list IPv4-st63-2686981-exc-ext-out-Test2RM-Context0RM-MatchRule-dst 
ip prefix-list IPv4-st63-2686981-exc-ext-out-Test2RM-Context0RM-MatchRule-dst: 2 entries
seq 1 permit 10.10.0.0/16 le 32
seq 2 permit 0.0.0.0/0 
Leaf# 

Multisite MP-BGP

Multisite fabrics allow the configuration of stretched L3outs and are site-specific. Endpoints in a fabric prefer the external routes advertised by local L3outs rather than the remote L3out unless a more specific route exists in the remote fabric. To influence the routing decision, since the routes are injected into MP-BGP vpnv4 address family in the overlay-1 VRF; a special route map called interleak is needed.

The configuration of the route map is virtually the same as a regular route map. AS-Prepand is the recommended value to influence route decisions in the eBGP neighbors:

• Under the route map Set Rule policy create a Set AS Path policy:

•  Select either AS-Prepend or AS-Prepend last is needed.

Implementation

Once the Route Map for import and Export Route Control has been configured. The implementation depends on the needs:

• For an implementation that affects all routes received and advertised in an L3out:

Navigate to Tenant > TENANT_NAME > Networking > L3out > L3OUT_NAME > Route Control Profile

• For an implementation that affects specific route classification:
  
  

Navigate to Tenant > TENANT_NAME > Networking > L3out > L3OUT_NAME > Subnets.

Enable Export Route Control Subnet.

Configure the Route Control Profile.

• For interlake implementation:
  
  

Navigate to Tenant > TENANT_NAME > Networking > L3out > L3OUT_NAME.

Configure Route Profile forInterleak .

Configure Route Profile for redistribution using Static source mode: