Configuring ACI Border Gateways
These procedures show how to use the APIC REST API to perform the GUI procedures
of the same name in the Cisco APIC Layer 3 Networking Configuration Guide.
Creating Border Gateway Sets and VXLAN Remote Fabrics
A border gateway set is a set of border gateway (BGW) nodes that are used to connect to the remote VXLAN EVPN fabrics. These
BGW nodes can either be part of an ACI pod or be deployed across different pods when the ACI fabric is
a multi-pod fabric. All BGWs within a POD are assigned the same TEP to attract traffic for endpoints
within this POD from the remote fabric.
Cisco APIC assigns a unique internal anycast TEP for a border gateway set, which is common across all the
pods for a border gateway set. In Cisco APIC Release 6.1(1), only one border gateway set can be configured.
Before you begin
This policy assigns a data plane TEP for border gateways in each POD, which is used to communicate with
remote non-ACI fabrics. This is the external anycast TEP for the POD. Cisco APIC also allocates one internal
anycast TEP for all the border gateways within the fabric.
Procedure
Post with information similar to the following:
Configuring a VXLAN Infra L3Out
The VXLAN infra L3Out configuration allows you to select the ACI Border Gateway nodes and interfaces
to establish EBGP underlay adjacencies with the external network devices. This is required to exchange
underlay reachability information with the remote NX-OS Border Gateways and establish the overlay EVPN
adjacencies with them.
You will configure the following pieces when configuring the VXLAN infra L3Out:
Configure the ACI Border Gateway Set.
Configure the remote VXLAN fabric.
Nodes
Only border gateways are allowed to be configured as nodes in the VXLAN infra L3Out.
Each VXLAN infra L3Out can have border gateways from multiple pods that are part of the same
ACI multi-pod fabric.
The border gateway can either be configured in a single VXLAN infra L3Out or multiple VXLAN
infra L3Outs.
When you configure a node profile, you can configure the Router ID and the loopback interface
underneath the node. The loopback interface is the control plane TEP on a BGW, which is used for
the BGP EVPN peering with the VXLAN gateway on the remote fabric.
Interfaces
- Supported types of interfaces are:
- Routed interface or sub-interface
You will also configure the underlay BGP peer policy in the interfaces tab in the VXLAN infra
L3Out. This is the basic underlay configuration that is needed to bring up the BGP underlay and exchange
the loopback address with a connected device.
QoS rules
- You can configure the VXLAN ingress rule and VXLAN egress rule through the VXLAN QoS
policy in the VXLAN Infra L3Out.
- If you do not create a VXLAN QoS policy, any ingressing VXLAN traffic is assigned the default
QoS level.
You will also configure the underlay and overlay through the VXLAN Infra L3Out:
- Underlay: BGP peer IP configuration as part of the interface configuration.
- Overlay: BGP EVPN remote configuration is part of the remote fabric configuration.
Before you begin
- Ensure that you have registered the leaf node as a new node type border-gateway for it to be displayed as a
VXLAN EVPN border gateway.
- Complete setting up the Border Gateway Set.
- Complete setting up the Remote VXLAN Fabrics.
- Configure the VXLAN Infra L3Out custom QoS policy using the procedures.
Procedure
Post with information similar to the following:
Configuring a VXLAN VRF Stretch
Using the procedure in this section, you can stretch tenant VRF(s) between the ACI and VXLAN EVPN
domains. This ensures that routed communications for the tenants between those domains can happen by
leveraging the VXLAN data-plane encapsulation. Some specific deployment considerations when stretching
a tenant VRF are:
User tenant VRFs that are stretched are associated with a BGW set, which is associated with the VXLAN
infra L3Out.
Only one VXLAN VRF L3Out is supported on each VRF. This is used to stretch the VRF towards a
BGW.
Before you begin
- Review the Guidelines and Limitations for ACI Border Gateways.
- Configure the VXLAN Gateway infra L3Out using the procedures.
Procedure
Post with information similar to the following:
Configuring a VXLAN Bridge Domain Stretch
Using the procedure in this section, you can stretch tenant bridge domain(s) between the ACI and VXLAN
EVPN domains. This ensures that bridged communications for the tenants between those domains can happen
by leveraging VXLAN data-plane encapsulation.
Before you begin
- Review the Guidelines and Limitations for ACI Border Gateways.
- Configure the VXLAN Gateway infra L3Out using the procedures.
Procedure
Post with information similar to the following:
Configuring a VXLAN VRF Stretch with a Route-Map Configuration
Starting from Cisco APIC 6.1(2), the ACI Border Gateway feature also supports VRF level route-maps that
can be configured on the stretched VRFs. These route-maps apply to all the remote fabrics that are
associated with the border gateway set. The route-map set rules are configured with the route control profile
policies and the action rule profiles.
Using the procedure in this section, you can configure a VXLAN VRF Stretch by using the REST API to specify the outbound and inbound route-maps.
NOTE
This is an optional configuration. If you do not configure import route-maps, all the routes received from
remote VXLAN EVPN fabrics are accepted. If you do not configure export route-maps, all the local bridge
domain subnets are advertised to the remote VXLAN EVPN fabrics that are associated to the border gateway
set.
The following match and set clauses are supported by both the inbound route-map and the
outbound route-map:
Supported Match Clauses
• IP Prefix List
• AS-Path
• Community
• Extended Community (match on color extended community is not supported)
• Regex Community
• Regex Extended Community
Supported Set Clauses
• Community
• Extended Community
• Weight
• Preference
• Metric
Before you begin
- Review the Guidelines and Limitations for ACI Border Gateways.
- Configure the VXLAN Gateway infra L3Out using the procedures.
Procedure
Post with information similar to the following:
Configuring a VXLAN Infra L3Out With VXLAN Site ID
Starting from Cisco APIC 6.1(2), you must configure a site ID. You will not be able to configure the border
gateway set policy if you do not have this site ID.
NOTE
If you have already configured the ACI Border Gateway feature for Cisco APIC 6.1(1), and upgrade to Cisco
APIC 6.1(2) without creating a VXLAN site ID, a fault is generated for all the stretched VRFs and bridge
domains.
Procedure
Post with information similar to the following:
Configuring the EVPN VXLAN Selectors
Selectors are configured under each ESG with a variety of matching criteria to classify endpoints to the ESG.
Starting with Cisco APIC 6.1(2), two new selectors have been added to classify endpoints and external
destinations learned from remote VXLAN EVPN fabrics.
VXLAN Stretched Bridge Domain Selectors
Use this selector to classify all the L2 MAC addresses learned from the remote VXLAN fabrics into a
corresponding ESG. This selector can be configured only for bridge domains that are VXLAN stretched.
The endpoints from all the remote fabrics belonging to this bridge domain are classified as part of the
same ESG.
VXLAN External Subnet Selector
Use this selector to classify EVPN Type-5 prefixes received from a remote VXLAN fabric into a
corresponding ESG. You cannot have the same prefix configured under an external subnet selector and
an external EPG selector under a local L3Out. If you have an overlap, the longest prefix match determines
the classification of the prefix. You cannot configure the default (0.0.0.0/0) prefix as a VXLAN external
subnet selector. A specific prefix configuration is the preferred approach. As a workaround, 0.0.0.0/1 or
128.0.0.0/1 can be used if a catch-all entry is required.
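The prefix rules described above can be checked offline before a selector plan is posted. The following is an added example, not part of the Cisco guide and not APIC code; it models the stated rules locally without calling the APIC, and the ESG names and prefixes are constructed for illustration.

```python
import ipaddress

DEFAULT_V4 = ipaddress.ip_network("0.0.0.0/0")

def validate_selectors(vxlan_subnets, l3out_subnets):
    """Return the rule violations in a planned set of selector prefixes.

    vxlan_subnets: {prefix: esg} for VXLAN external subnet selectors
    l3out_subnets: {prefix: esg} for external EPG selectors under a local L3Out
    """
    l3 = {ipaddress.ip_network(p) for p in l3out_subnets}
    problems = []
    for p in vxlan_subnets:
        net = ipaddress.ip_network(p)
        if net == DEFAULT_V4:
            problems.append(f"{net}: default prefix is not allowed here")
        if net in l3:
            problems.append(f"{net}: also configured as external EPG selector")
    return problems

def classify(ip, vxlan_subnets, l3out_subnets):
    """Longest prefix match across both selector kinds: (esg, prefix) or None."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for table in (vxlan_subnets, l3out_subnets):
        for p, esg in table.items():
            net = ipaddress.ip_network(p)
            if addr in net:
                matches.append((net.prefixlen, esg, str(net)))
    if not matches:
        return None
    _, esg, prefix = max(matches, key=lambda m: m[0])
    return esg, prefix

def is_catch_all(prefixes):
    """True when the prefixes together cover the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [DEFAULT_V4]

# Constructed sample plan (hypothetical ESG names).
VXLAN = {"0.0.0.0/1": "esg-remote-any", "128.0.0.0/1": "esg-remote-any",
         "10.20.0.0/16": "esg-remote-app"}
L3OUT = {"10.20.30.0/24": "esg-wan"}

if __name__ == "__main__":
    print(validate_selectors(VXLAN, L3OUT))
    for ip in ("10.20.30.5", "10.20.1.1", "203.0.113.9"):
        print(ip, classify(ip, VXLAN, L3OUT))
    print("catch-all:", is_catch_all(VXLAN))
```

Because the two /1 prefixes act as a catch-all, any destination without a more specific selector lands in their ESG, so the contracts on that ESG should be reviewed with that breadth in mind.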
Procedure
Use this procedure to create a VXLAN external subnet selector and the VXLAN stretched bridge domain selector.
Post with information similar to the following, where 'bd1' is the VXLAN stretched BD:
POST to
https://{{IP}}/api/node/mo/uni.xml