The following table maps the subnet flags of external endpoint groups to the corresponding GUI terminology:
| Subnet Flag | GUI Terminology |
| --- | --- |
| import_security | External Subnets for External EPG |
| shared_security | Shared Security Import Subnet |
| import_route_control | Import Route Control Subnet |
| export_route_control | Export Route Control Subnet |
| shared_route_control | Shared Route Control Subnet |
| aggregate_import_route_control | Aggregate Import |
| aggregate_export_route_control | Aggregate Export |
| aggregate_shared_route_control | Aggregate Shared Routes |
L3out BGP peering can be established via Interface Profiles or Node Profiles. The infra tenant differentiates between BGP Infra Peers, which are configured in the Node Profile, and BGP Peers, which are configured in the Interface Profile. BGP Infra Peers are limited to Node Profiles in the infra tenant. The BGP Infra Peer Type and Source Interface Loopback cannot be modified. The following table maps the BGP Peer Type of a BGP Infra Peer to the corresponding GUI terminology:

| Peer Type | GUI Terminology |
| --- | --- |
| wan | WAN Connectivity. By default every infra peer is a wan peer. Example use-case: Remote-Leaf or IPN. |
| mdp-wan | MDP Connectivity. IPN/ISN use-case with BGW to interconnect multiple ACI pods or sites. |
If the IP SLA Policy does not exist in the configured tenant's data model but does exist in the common tenant's data model, the relation for the ip_sla_policy attribute will reference the IP SLA Policy in the common tenant.
External EPG with contract masters (inherit contracts from another L3out external EPG):
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          vrf: VRF1
          domain: ROUTED1
          external_endpoint_groups:
            - name: EXT-EPG1
              subnets:
                - prefix: 0.0.0.0/0
            - name: EXT-EPG2
              subnets:
                - prefix: 10.0.0.0/8
              contracts:
                masters:
                  - l3out: L3OUT1
                    external_endpoint_group: EXT-EPG1
```
SVI example:
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          vrf: VRF1
          domain: ROUTED1
          node_profiles:
            - name: NODE_101
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
                  static_routes:
                    - prefix: 2.2.2.0/24
                      description: My Desc
                      next_hops:
                        - ip: 6.6.6.6
              interface_profiles:
                - name: NODE_101
                  interfaces:
                    - node_id: 101
                      port: 10
                      vlan: 301
                      svi: true
                      ip: 14.14.14.1/24
```
Routed Sub-interface example:
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          vrf: VRF1
          domain: ROUTED1
          node_profiles:
            - name: NODE_101
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
                  static_routes:
                    - prefix: 2.2.2.0/24
                      description: My Desc
                      next_hops:
                        - ip: 6.6.6.6
              interface_profiles:
                - name: NODE_101
                  interfaces:
                    - node_id: 101
                      port: 10
                      vlan: 301
                      svi: false
                      ip: 14.14.14.1/24
```
Routed Interface example:
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          vrf: VRF1
          domain: ROUTED1
          node_profiles:
            - name: NODE_101
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
                  static_routes:
                    - prefix: 2.2.2.0/24
                      description: My Desc
                      next_hops:
                        - ip: 6.6.6.6
              interface_profiles:
                - name: NODE_101
                  interfaces:
                    - node_id: 101
                      port: 10
                      ip: 14.14.14.1/24
```
Example with explicit profiles:
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          vrf: VRF1
          domain: ROUTED1
          node_profiles:
            - name: NODE_101
              bgp:
                name: BGP_PROT1
                timer_policy: BGP_TIMER1
                as_path_policy: BGP_AS_PATH1
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
                  static_routes:
                    - prefix: 2.2.2.0/24
                      description: My Desc
                      next_hops:
                        - ip: 6.6.6.6
                          track_list: TRACK_POL
              interface_profiles:
                - name: NODE_101
                  description: NODE_101 Description
                  ingress_data_plane_policing_policy: DPP1
                  egress_data_plane_policing_policy: DPP2
                  dhcp_labels:
                    - dhcp_relay_policy: DHCP-RELAY1
                      dhcp_option_policy: DHCP-OPTION1
                      scope: tenant
                  netflow_monitor_policies:
                    - name: MONITOR1
                      ip_filter_type: ipv4
                  interfaces:
                    - node_id: 101
                      port: 10
                      vlan: 301
                      ip: 14.14.14.1/24
                      bgp_peers:
                        - ip: 14.14.14.14
                          remote_as: 65010
          external_endpoint_groups:
            - name: EXT-EPG1
              subnets:
                - prefix: 0.0.0.0/0
```
Example with Node BGP Peering (BGP Infra Peers) for the Remote Leaf use-case in the infra tenant. For Interface BGP Peering, bgp_peers must be used instead of bgp_infra_peers:
```yaml
apic:
  tenants:
    - name: infra
      l3outs:
        - name: intersite
          vrf: overlay-1
          domain: ROUTED1
          node_profiles:
            - name: NODE_101
              bgp:
                name: BGP_PROT1
                timer_policy: BGP_TIMER1
                as_path_policy: BGP_AS_PATH1
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
              bgp_infra_peers:
                - ip: 10.10.10.10
                  remote_as: 61111
                  peer-type: wan
                  ttl: 10
                  local_as: 31200
                  allow_self_as: true
                  disable_peer_as_check: true
                  password: admin
                  peer_prefix_policy: BGP_PP1
                  bfd: true
              interface_profiles:
                - name: NODE_101
                  interfaces:
                    - node_id: 101
                      port: 10
                      ip: 14.14.14.1/24
          external_endpoint_groups:
            - name: RL_EPG
```
Example with BGP Peers for IPN:
```yaml
apic:
  tenants:
    - name: infra
      l3outs:
        - name: L3OUT1
          vrf: overlay-1
          domain: IPN
          node_profiles:
            - name: NODE_101
              nodes:
                - node_id: 101
                  router_id: 5.5.5.5
              interface_profiles:
                - name: NODE_101
                  interfaces:
                    - node_id: 101
                      port: 10
                      ip: 14.14.14.1/24
                      vlan: 4
                      svi: false
                      bgp_peers:
                        - ip: 10.10.10.10
                          remote_as: 61111
          external_endpoint_groups:
            - name: intersite
```
Full example:
```yaml
apic:
  tenants:
    - name: ABC
      l3outs:
        - name: L3OUT1
          alias: L3OUT1-ALIAS
          description: My Desc
          target_dscp: AF13
          qos_class: level3
          import_route_control_enforcement: true
          export_route_control_enforcement: true
          custom_qos_policy: QOS_POLICY
          ingress_data_plane_policing_policy: DPP1
          egress_data_plane_policing_policy: DPP2
          vrf: VRF1
          domain: ROUTED1
          bfd_policy: BFD1
          dhcp_labels:
            - dhcp_relay_policy: DHCP-RELAY1
              dhcp_option_policy: DHCP-OPTION1
              scope: tenant
          netflow_monitor_policies:
            - name: MONITOR1
              ip_filter_type: ipv4
          bgp:
            timer_policy: BGP_TIMER1
            as_path_policy: BGP_AS_PATH1
          ospf:
            area: 0
            area_type: regular
            area_cost: 1
            auth_type: simple
            auth_key: cisco
            auth_key_id: 1
            policy: OIP1
          interleak_route_map: ROUTE_MAP1
          default_route_leak_policy:
            always: false
            criteria: 'in-addition'
            context_scope: false
            outside_scope: false
          redistribution_route_maps:
            - source: direct
              route_map: ROUTE_MAP2
          dampening_ipv4_route_map: ROUTE_MAP3
          dampening_ipv6_route_map: ROUTE_MAP4
          bfd_multihop_node_policy: BFD-NODE1
          bfd_multihop_auth:
            type: sha1
            key_id: 1
            key: Secure123
          nodes:
            - node_id: 101
              router_id: 5.5.5.5
              router_id_as_loopback: true
              static_routes:
                - prefix: 2.2.2.0/24
                  description: My Desc
                  preference: 1
                  next_hops:
                    - ip: 6.6.6.6
                      description: My Next Hop Desc
                      ip_sla_policy: IP_SLA1
          interfaces:
            - channel: VPC1
              svi: true
              scope: local
              vlan: 301
              ip_a: 14.14.14.1/24
              ip_b: 14.14.14.2/24
              ip_shared: 14.14.14.3/24
              ip_shared_dhcp_relay: true
              link_local_address: fe80::ffff:ffff:ffff:ffff
              mode: native
              bgp_peers:
                - ip: 14.14.14.14
                  remote_as: 65010
                  description: My Desc
                  allow_self_as: true
                  as_override: true
                  bfd: true
                  disable_connected_check: true
                  remove_private_as: true
                  remove_all_private_as: true
                  multicast_address_family: true
                  ttl: 1
                  weight: 0
                  password: C1sco123
                  local_as: 1234
                  as_propagate: dual-as
                  peer_prefix_policy: BGP_PP1
                  export_route_control: ROUTE_MAP1
                  import_route_control: ROUTE_MAP2
            - channel: PC1
              vlan: 311
              ip: 24.24.24.1/24
              bgp_peers:
                - ip: 24.24.24.2
                  remote_as: 65010
              micro_bfd:
                destination_ip: 24.24.24.2
                start_timer: 120
          import_route_map:
            name: example-import-name
            description: desc
            type: global
            contexts:
              - name: CONTEXT1
                description: desc1
                action: deny
                order: 2
                match_rules:
                  - MATCH1
                set_rule: SET1
          route_maps:
            - name: example-name
              description: desc
              type: global
              contexts:
                - name: CONTEXT1
                  description: desc1
                  action: deny
                  order: 2
                  match_rules:
                    - MATCH1
                  set_rule: SET1
          export_route_map:
            name: example-export-name
            contexts:
              - name: CONTEXT1
                match_rules:
                  - MATCH2
                set_rule: SET2
          external_endpoint_groups:
            - name: EXT-EPG1
              alias: ABC-EXT-EPG1
              description: My Desc
              preferred_group: false
              qos_class: level4
              target_dscp: CS5
              route_control_profiles:
                - name: IMPORT-RCP1
                  direction: import
              subnets:
                - name: ALL
                  prefix: 0.0.0.0/0
                  import_route_control: false
                  export_route_control: false
                  shared_route_control: false
                  import_security: true
                  shared_security: false
                  route_control_profiles:
                    - name: EXPORT-RCP1
                      direction: export
              contracts:
                consumers:
                  - CON1
                providers:
                  - CON1
                imported_consumers:
                  - IMPORT-CON1
```
Example: This example shows how to configure an L3out with IPv4/IPv6 dual stack and a VIP on the SVI. The configuration includes static routes and external EPGs for the L3out, and is typically used when deploying a high-availability (HA) pair of firewalls with a NAT pool. The L3out is configured as SVI VLAN ‘100’ on Port ‘10’ of Node ‘1001’ and Node ‘1002’. Each node has its own IPv4, IPv6, and shared VIP addresses, and the shared VIP address is used as the gateway for APP1. Static routing is used as a routing protocol, and an External EPG is configured to permit communication from those routes.
```yaml
apic:
  tenants:
    - name: TENANT1
      l3outs:
        - name: 'APP1-L3out'
          description: Interface for APP1
          vrf: VRF1
          domain: DOMAIN1
          node_profiles:
            - name: 'APP1-NodeProf'
              nodes:
                - node_id: 1001
                  router_id: 10.1.1.1
                  router_id_as_loopback: false
                  static_routes:
                    - prefix: 2001:db8:1234:1000::/64
                      next_hops:
                        - ip: 2001:db8:1234:2000::10
                    - prefix: 192.168.1.0/24
                      next_hops:
                        - ip: 192.168.2.10
                - node_id: 1002
                  router_id: 10.1.1.2
                  router_id_as_loopback: false
                  static_routes:
                    - prefix: 192.168.1.0/24
                      next_hops:
                        - ip: 192.168.2.10
                    - prefix: 2001:db8:1234:1000::/64
                      next_hops:
                        - ip: 2001:db8:1234:2000::10
              interface_profiles:
                - name: 'APP1-IPv6-IntProf'
                  description: IPv6 Interface Profile for APP1
                  interfaces:
                    - node_id: 1001
                      port: 10
                      ip: 2001:db8:1234:2000::1/64
                      svi: true
                      vlan: 100
                      ip_shared: 2001:db8:1234:2000::3/64
                    - node_id: 1002
                      port: 10
                      ip: 2001:db8:1234:2000::2/64
                      svi: true
                      vlan: 100
                      ip_shared: 2001:db8:1234:2000::3/64
                - name: 'APP1-IPv4-IntProf'
                  description: IPv4 Interface Profile for APP1
                  interfaces:
                    - node_id: 1001
                      port: 10
                      ip: 192.168.2.1/24
                      svi: true
                      vlan: 100
                      ip_shared: 192.168.2.3/24
                    - node_id: 1002
                      port: 10
                      ip: 192.168.2.2/24
                      svi: true
                      vlan: 100
                      ip_shared: 192.168.2.3/24
          external_endpoint_groups:
            - name: 'APP1-ExtEPG'
              subnets:
                - prefix: 2001:db8:1234:1000::/64
                - prefix: 192.168.1.0/24
```
Example: In this example, BGP is used as the dynamic routing protocol. The BGP parameters are configured as follows: BGP remote-as ‘65530’, IPv6 neighbor address ‘2001:db8:1234:2000::10’, IPv4 neighbor address ‘192.168.2.10’, and BFD enabled with the policy ‘BFD-Policy’. ACI advertises the default routes ‘::/0’ and ‘0.0.0.0/0’ to the BGP neighbor and is assumed to receive ‘2001:db8:1234:1000::/64’ and ‘192.168.1.0/24’ from it.
```yaml
apic:
  tenants:
    - name: TENANT1
      l3outs:
        - name: 'APP1-L3out'
          description: Interface for APP1
          vrf: VRF1
          domain: DOMAIN1
          node_profiles:
            - name: 'APP1-NodeProf'
              nodes:
                - node_id: 1001
                  router_id: 10.1.1.1
                  router_id_as_loopback: false
                - node_id: 1002
                  router_id: 10.1.1.2
                  router_id_as_loopback: false
              interface_profiles:
                - name: 'APP1-IPv6-IntProf'
                  description: IPv6 Interface Profile for APP1
                  bfd_policy: BFD-Policy
                  interfaces:
                    - node_id: 1001
                      port: 10
                      ip: 2001:db8:1234:2000::1/64
                      svi: true
                      vlan: 100
                      bgp_peers:
                        - ip: 2001:db8:1234:2000::10
                          remote_as: 65530
                          description: BGP Peer for APP1
                          bfd: true
                          multicast_address_family: false
                    - node_id: 1002
                      port: 10
                      ip: 2001:db8:1234:2000::2/64
                      svi: true
                      vlan: 100
                      bgp_peers:
                        - ip: 2001:db8:1234:2000::10
                          remote_as: 65530
                          description: BGP Peer for APP1
                          bfd: true
                          multicast_address_family: false
                - name: 'APP1-IPv4-IntProf'
                  description: IPv4 Interface Profile for APP1
                  interfaces:
                    - node_id: 1001
                      port: 10
                      ip: 192.168.2.1/24
                      svi: true
                      vlan: 100
                      bgp_peers:
                        - ip: 192.168.2.10
                          remote_as: 65530
                          description: BGP Peer for APP1
                          bfd: true
                          multicast_address_family: false
                    - node_id: 1002
                      port: 10
                      ip: 192.168.2.2/24
                      svi: true
                      vlan: 100
                      bgp_peers:
                        - ip: 192.168.2.10
                          remote_as: 65530
                          description: BGP Peer for APP1
                          bfd: true
                          multicast_address_family: false
          external_endpoint_groups:
            - name: 'APP1-ExtEPG'
              subnets:
                - prefix: 2001:db8:1234:1000::/64
                - prefix: 192.168.1.0/24
                - prefix: ::/0
                  export_route_control: true
                  import_security: false
                - prefix: 0.0.0.0/0
                  export_route_control: true
                  import_security: false
```
Example: This example shows the L3out configuration using a floating SVI and the security attributes forged transmit, MAC address change and promiscuous mode.
```yaml
apic:
  tenants:
    - name: ABC
      vrfs:
        - name: VRF1
      l3outs:
        # This example shows a sample config YAML file that uses the auto-generated floating SVI with the security attributes.
        - name: L3OUT_SVI
          vrf: VRF1
          domain: ROUTED1
          nodes:
            - node_id: 101
              router_id: 5.5.5.5
              router_id_as_loopback: false
          interfaces:
            - floating_svi: true
              node_id: 101
              ip: 1.1.1.2/24
              vlan: 134
              paths:
                - floating_ip: 1.1.1.1/24
                  forged_transmit: true
                  promiscous_mode: true
                  mac_change: true
                  vmware_vmm_domain: VMM1
                  elag: ELAGDefault
        # The example below shows the config YAML structure that uses logical interface profiles to configure the floating SVI security attributes.
        - name: L3OUT_SVI2
          vrf: VRF1
          domain: ROUTED1
          node_profiles:
            - name: NP1
              nodes:
                - node_id: 103
                  router_id: 10.10.10.10
                  router_id_as_loopback: false
                - node_id: 104
                  router_id: 12.12.12.12
                  router_id_as_loopback: false
              interface_profiles:
                - name: IP1
                  interfaces:
                    - floating_svi: true
                      node_id: 103
                      ip: 3.1.1.1/24
                      vlan: 135
                      paths:
                        - floating_ip: 4.1.1.1/24
                          forged_transmit: true
                          promiscous_mode: true
                          mac_change: true
                          vmware_vmm_domain: VMM1
                          elag: ELAGDefault
```
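The examples above store BGP passwords and OSPF/BFD keys as literals, use OSPF `auth_type: simple`, match `0.0.0.0/0` in an external EPG, and enable `forged_transmit`, `promiscous_mode` and `mac_change` on floating SVI paths. The following added example (not part of the original documentation or the project's own code) walks an already-parsed data model and reports those settings for review. The function name `audit`, the constructed `SAMPLE` model, and treating an omitted `import_security` as enabled are assumptions.

```python
"""Review helper for the L3out data model shown above (added example).
Input is the content under 'apic:' after YAML parsing (plain dicts and lists)."""

SECRET_KEYS = {"password", "auth_key"}   # BGP peer password, OSPF auth key
CATCH_ALL = {"0.0.0.0/0", "::/0"}
VSWITCH_FLAGS = ("forged_transmit", "promiscous_mode", "mac_change")  # spelling as on the page


def audit(node, path="apic", parent_key=""):
    """Return a list of (path, finding) tuples for everything below `node`."""
    findings = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            label = item.get("name", i) if isinstance(item, dict) else i
            findings += audit(item, f"{path}[{label}]", parent_key)
        return findings
    if not isinstance(node, dict):
        return findings

    for key, value in node.items():
        is_secret = key in SECRET_KEYS or (key == "key" and parent_key == "bfd_multihop_auth")
        if is_secret and isinstance(value, str):
            findings.append((f"{path}.{key}", "secret stored as a literal in the model"))
    if node.get("auth_type") == "simple":
        findings.append((f"{path}.auth_type", "OSPF simple authentication sends the key in cleartext"))
    # Assumption: import_security counts as enabled when the flag is omitted.
    if parent_key == "subnets" and node.get("prefix") in CATCH_ALL and node.get("import_security", True):
        findings.append((f"{path}.prefix", "catch-all prefix classifies every external source into this EPG"))
    if "floating_ip" in node:
        relaxed = [flag for flag in VSWITCH_FLAGS if node.get(flag) is True]
        if relaxed:
            findings.append((path, "floating SVI path relaxes vSwitch security: " + ", ".join(relaxed)))

    # Recurse into children, covering auto-generated and explicit profile layouts alike.
    for key, value in node.items():
        findings += audit(value, f"{path}.{key}", key)
    return findings


# Constructed sample that reuses keys and values from the examples above.
SAMPLE = {
    "tenants": [{
        "name": "ABC",
        "l3outs": [{
            "name": "L3OUT1",
            "ospf": {"area": 0, "auth_type": "simple", "auth_key": "cisco"},
            "bfd_multihop_auth": {"type": "sha1", "key_id": 1, "key": "Secure123"},
            "interfaces": [
                {"channel": "VPC1",
                 "bgp_peers": [{"ip": "14.14.14.14", "password": "C1sco123"}]},
                {"floating_svi": True, "paths": [
                    {"floating_ip": "1.1.1.1/24", "forged_transmit": True,
                     "promiscous_mode": True, "mac_change": True}]},
            ],
            "external_endpoint_groups": [{
                "name": "EXT-EPG1",
                "subnets": [
                    {"name": "ALL", "prefix": "0.0.0.0/0"},
                    {"prefix": "::/0", "export_route_control": True, "import_security": False},
                ],
            }],
        }],
    }],
}

if __name__ == "__main__":
    for location, finding in audit(SAMPLE):
        print(f"{location}: {finding}")
```

The `::/0` subnet in the sample is not reported because it sets `import_security: false`, matching the export-only default-route subnets in the BGP example.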
L3out Node and Interface Profiles can either be auto-generated, one per L3out, or can be defined explicitly.
Note: Whether an interface is an svi, routed sub-interface, or routed depends on the following configuration: