ACI 故障排除：高級 L3out 功能.pdf

《ACI 故障排除：高級 L3out 功能.pdf》由會員分享，可在線閱讀，更多相關《ACI 故障排除：高級 L3out 功能.pdf（70頁珍藏版）》請在三個皮匠報告上搜索。

1、#CiscoLiveJessica Rueda-Technical Leader CCIE DC 65467BRKDCN-3678Advanced L3out FeaturesACI Troubleshooting 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveEnter your personal notes hereCisco Webex App 2Questions?Use Cisco Webex App to chat with the speaker after the sessi

2、onFind this session in the Cisco Live Mobile AppClick“Join the Discussion”Install the Webex App or go directly to the Webex spaceEnter messages/questions in the Webex spaceHowWebex spaces will be moderated by the speaker until June 9,2023.12342https:/ 2023 Cisco and/or its affiliates.All rights rese

3、rved.Cisco PublicBRKDCN-3678#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicAgendaIntroductionSingle Layer 3 out using eBGPTransit routing between OSPF and eBGP Layer 3 outPolicy enforcement option with Layer 3 outRoute-map in ACI overviewRoute-map example:eBGP setting co

4、mmunity ingress and OSPF matching community egress.AS override vs Allow Self ASSummary 4BRKDCN-3678Introduction 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveDistribute external routes to other leavesMP-BGP6L3OUT Key ComponentsVRF Overlay-1L3OUTBDVRF1EPGVRF1L3OUT EPGSubn

5、et ALearnExternal Routes(Import)AdvertiseInternal Routes(Export)DistributeExternal RoutesBLEAFnon-BLEAFBRKDCN-3678Learn external routes Routing Protocol in L3OUT Import route-control(optional)12Advertise internal or other external routes(BD subnet or routes from other L3out)to outsideRedistribution

6、export route-control Contract3Allow traffic with contractsL3OUT EPG(Prefix Based EPG)41234Single eBGP L3 out 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSetup 1 Single L3out eBGP Leaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf3

7、02Spine402Spine402Spine401Spine401Pod2EPG EPG 172.16.21.2172.16.21.2IPN AS 370010.1.0.0/240.0.0.0/0 BGP AS 101BD subnet 172.16.21.254/24eBGPeBGPL3Out on Border Leaf101Receive eBGP routesServer-EPG:172.16.21.2 in Pod2 8BRKDCN-3678AS101101 2023 Cisco and/or its affiliates.All rights reserved.Cisco Pub

8、lic#CiscoLiveIPN Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401EPG EPG 172.16.21.2172.16.21.2AS 370010.1.0.0/240.0.0.0/0 BGP AS 101BD subnet 172.16.21.254/24eBGPeBGP12BGP VPNv4BGP VPNv434Leaf101Leaf101Spine are Route Reflector per pod t

9、o distribute to local podBGP routes received on BL(default is import all)9Setup 1 Control plane -L3 out route to Server LeafBRKDCN-3678Pod212BGP VPNv4 exchanged Route across Pod(spine to spine)3Spine egress Pod RR reflect to leaf in pod24 2023 Cisco and/or its affiliates.All rights reserved.Cisco Pu

10、blic#CiscoLiveBorder Leaf CLI check-BGPS1P1-Leaf101#show bgp ipv4 unicast summary vrf DC:DC.NeighborV AS MsgRcvd MsgSentTblVerInQ OutQ Up/Down State/PfxRcd192.168.101.2 4 3700 21 18 10 0 0 00:10:46 2S1P1-Leaf101#show bgp ipv4 unicast vrf DC:DC.Network Next Hop Metric LocPrfWeight Path.*e10.1.0.0/24

11、192.168.101.2 0 3700 iS1P1-Leaf101#show bgp vpnv4 unicast vrf DC:DC|egrep Net|Route|10.1.0.0Network Next Hop Metric LocPrfWeight PathRoute Distinguisher:101:2359302 (VRF DC:DC)*e10.1.0.0/24 192.168.101.2 0 3700 i1.BGP peering to external router is up and 2 routes RX2.Verify routes in bgp table here

12、received from AS 37003.Routes is injected in VPNv4 address family10BRKDCN-3678Idle/Active Idle/Active means session is means session is flapping or downflapping or downAny number(even 0)Any number(even 0)Means session is upMeans session is up101:2359302 2023 Cisco and/or its affiliates.All rights re

13、served.Cisco Public#CiscoLiveBorder Leaf CLI check S1P1-Leaf101#show bgp vpnv4 unicast summary vrf overlay-1|egrep Neig|10.0BGP router identifier 10.0.0.64,local AS number 101NeighborV AS MsgRcvd MsgSentTblVerInQ OutQ Up/Down State/PfxRcd10.0.0.654 10117769 17615 712 0 0 1w5d 7210.0.0.664 101 17778

14、17615 712 0 0 1w5d 72S1P1-Leaf101#show bgp process vrf DC:DC|egrep-A 5 ExportExport RT list:101:2359302Import RT list:101:23593024.Border leaf have VPNv4 peering with 2 spine Route Reflector5.Routes are exported with Route Target of format:BGP-ASN:VRF-VNID11BRKDCN-3678 2023 Cisco and/or its affiliat

15、es.All rights reserved.Cisco Public#CiscoLiveServer Leaf CLI checkS1P2-Leaf301#show bgp vpnv4 unicast 10.1.0.0/24 vrf DC:DCPath type(0 xa25a1c60):internal 0 xc0000018 0 x40 ref 0 adv path ref 2,path is valid,is best pathImported from(0 xa25f74b4)101:2359302:10.1.0.0/24AS-Path:3700,path sourced exter

16、nal to AS10.0.0.64(metric 33)from 10.1.96.64(172.16.2.4)Origin IGP,MED not set,localpref 100,weight 0 tag 0,propagate 0Received label 0Received path-id 2Extcommunity:RT:101:2359302COST:pre-bestpath:165:2415919104VNID:2359302.S1P2-Leaf301#show ip route 10.1.0.0 vrf DC:DC.10.1.0.0/24,ubest/mbest:1/0*v

17、ia 10.0.0.64%overlay-1,200/0,2d20h,bgp-101,internal,tag 3700recursive next hop:10.0.0.64/32%overlay-11.Server leaf receive BGP VPNv4 from spine2.Server leaf install route in RIB with NH PTEP of BL12BRKDCN-3678BL PTEP BL PTEP BGP NHBGP NHRoute-Target that Leaf301 imports:#show bgp proc vrf DC:DC|egre

18、p-A 2 ImportImport RT list:101:2359302aci37-apic1#acidiag fnvread|egrep 10.0.0.64 101 1 S1P1-Leaf101 FDO224702JA 10.0.0.64/32 leaf activeRT:101:2359302 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSetup 1 Control plane BD subnet to externalLeaf101Leaf101Leaf102Leaf102Po

19、d1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2EPG EPG 172.16.21.2172.16.21.2IPN AS 370010.1.0.0/240.0.0.0/0 No route exported by defaultNo route exported by default(deny all route-map default)External External EPG EPG EPG EPG 1BD 172.16.21.0BD 172.

20、16.21.0BGP L3outBGP L3out2BGP AS 101BD subnet 172.16.21.254/24313BRKDCN-3678BD subnet must be in RIB of BL(contract)BD subnet must be redistributedto BGP processBD subnet added to outbound route-map321 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBorder leaf Routing and

21、 contractS1P1-Leaf101#show ip route 172.16.21.0 vrf DC:DC.S1P1-Leaf101#S1P1-Leaf101#show ip route 172.16.21.0 vrf DC:DC172.16.21.0/24,ubest/mbest:1/0,attached,direct,pervasive*via 10.0.72.64%overlay-1,1/0,static,tag 4294967294recursive next hop:10.0.72.64/32%overlay-1S1P1-Leaf101#show bgp ipv4 unica

22、st 172.16.21.0/24 vrf DC:DC.S1P1-Leaf101#S1P1-Leaf101#show bgp ipv4 unicast neighbors 192.168.101.2 vrf DC:DC.Inbound route-map configured is permit-all,handle obtainedOutbound route-map configured is exp-l3out-BGP-peer-235930S1P1-Leaf101#show route-map exp-l3out-BGP-peer-2359302route-map exp-l3out-

23、BGP-peer-2359302,deny,sequence 16000Match clauses:route-type:direct14BRKDCN-3678No BD subnet in BL RIB1BD subnet added when when a contract is added a contract is added between Ext EPG and EPG2BL BL Default Route tag Default Route tag for a private subnet for a private subnet BD subnet not in BGP ye

24、t3By default outbound route-map deny all4 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBorder leaf Sending BD subnet Step 1S1P1-Leaf101#show bgp process vrf DC:DC|egrep-A 2 RedisRedistributionstatic,route-map imp-ctx-bgp-st-interleak-2359302S1P1-Leaf101#show ip route 17

25、2.16.21.0 vrf DC:DC172.16.21.0/24,ubest/mbest:1/0,attached,direct,pervasive*via 10.0.72.64%overlay-1,1/0,00:00:04,static,recursive next hop:10.0.72.64/32%overlay-1S1P1-Leaf101#show route-map imp-ctx-bgp-st-interleak-2654211route-map imp-ctx-bgp-st-interleak-2359302,deny,sequence 1Match clauses:tag:4

26、294967294Set clauses:route-map imp-ctx-bgp-st-interleak-2359302,permit,seq 20000Match clauses:S1P1-Leaf101#show bgp vpnv4 unicast vrf RD-MPOD:RD|egrep 172.16.11.0*r172.16.11.0/24 0.0.0.0 0 100 32768?15BRKDCN-3678Subnet Advertised Externally Route tag of BD subnet is removed,and it pushes the subnet

27、to BGP No more route tagStatic to BGP Route-map usedSeq 1 deny private subnet based on tagSeq 20000 permit all the rest route goes to BGP VPNv4 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBorder leaf Sending BD subnet Method 1 Step 216BRKDCN-3678S1P1-Leaf101#show route

28、-map exp-l3out-BGP-peer-2359302.route-map exp-l3out-BGP-peer-2359302,permit,sequence 15801Match clauses:ip address prefix-lists:IPv4-peer16387-2359302-exc-int-inferred-export-dst.S1P1-Leaf101#show ip prefix-list IPv4-peer16387-2359302-exc-int-inferred-export-dstip prefix-list IPv4-peer16387-2359302-

29、exc-int-inferred-export-dst:1 entriesseq 1 permit 172.16.21.254/24S1P1-Leaf101#show bgp ipv4 unicast neighbor 192.168.101.2 advertised-routes vrf DC:DCNetwork Next Hop Metric LocPrfWeight Path*r172.16.21.0/24 0.0.0.0 0 100 32768 101?BD to L3 out association Act on route-map 2023 Cisco and/or its aff

30、iliates.All rights reserved.Cisco Public#CiscoLiveTroubleshooting:Routing protocol unexpected behavior RP traffic is targeted to cpu you can always use tcpdump to see what you receive(kpm_inb)Easer on kpm_inb if linux interface on leaf/spine 17BRKDCN-3678Tcpdump is your friend aci32-leaf1#tcpdump-ni

31、 kpm_inb proto eigrpaci32-leaf1#tcpdump-ni kpm_inb proto ospfaci32-leaf1#tcpdump-ni kpm_inb f port 179You can add extra filter such as:aci32-leaf1#tcpdump-ni kpm_inb-f port 179 and host 1.1.1.1aci32-leaf1#tcpdump-nxxvvi kpm_inb-f port 179 and host 1.1.1.1aci32-leaf1#tcpdump-i kpm_inb-f port 179-w/bo

32、otflash/bgp-trace.pcapOr get more verbose:Or write to pcap file 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTroubleshooting:No need to run any debugs!Review eventsFor understanding the last events on EIGRP/OSPF/BGP18BRKDCN-3678Which is your friendleaf1#show ip eigrp ev

33、ent vrf allleaf1#show ip ospf internal event-history eventleaf1#show bgp internal event-history eventsInside of vsh/vsh_lc,run“which”it shares all the command that can be run inside of the shell aci32-leaf1#which|grep show.*event-history|grep“ip ospf(2489)show ip ospf internal event-history errors|m

34、sgs|statistics|adjacency|event|ha|flooding|lsa|spf|redistribution|ldp|te|rib|hello|spf-trigger|cli|verbose(2490)show ip ospf internal event-history detail statistics Transit Layer 3 out 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive21Transit L3outBRKDCN-3678AS 370010.1.0

35、.0/240.0.0.0/0 eBGPeBGPRequirements:L3 out on BL101RX eBGP route 10.1.0.0/24OSPF on BL301-302 RX 192.168.1.0/24Goal:Transit between to the layer 3 outOSPFOSPFArea 0Area 0OSPF 192.168.1.0/24Leaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spi

36、ne401Spine401Pod2IPN 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveLeaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2IPN Setup 2-OSPF route AS 370010.1.0.0/240.0.0.0/0 Area 0Area 0OSPF 192.168.

37、1.0/24123422BRKDCN-3678Route(192.168.1.0)on leaf 101 from MP-BGP to eBGPRoute is propagated in VPNv4Route is redistributed in MP-BGPOSPF routes is received from external router1243eBGPeBGP 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveOSPF CLI check Verify OSPF interface

38、 parameters matching with neighbors?23BRKDCN-3678S1P2-Leaf301#show ip ospf neighbor vrf DC:DCNeighbor ID Pri State Up Time Address Interface192.168.0.4 1 FULL/BDR 00:51:21 192.168.102.2 Vlan101192.168.0.13 1 FULL/DR 00:51:23 192.168.102.3 Vlan1012.Verify OSPF neighbor is established on Broadcast net

39、work FULL/(B)DR or 2WAY/Other3.Receiving OSPF external routes?S1P2-Leaf301#show ip route 192.168.1.0 vrf DC:DC192.168.1.0/24,ubest/mbest:1/0*via 192.168.102.3,vlan101,110/5,00:57:47,ospf-default,intraS1P2-Leaf301#show ip ospf interface vrf DC:DCVlan101 is up,line protocol is upIP address 192.168.102

40、.1/29,Process ID default VRF DC:DC,area backboneState DR-OTHER,Network type BROADCAST,cost 4Designated Router ID:192.168.0.13,address:192.168.102.3Backup Designated Router ID:192.168.0.4,address:192.168.102.2Timer intervals:Hello 10,Dead 40,Wait 40,Retransmit 5S1P2-Leaf301#show interface vlan 101|eg

41、rep MTUMTU 9000 bytes,BW 10000000 Kbit,DLY 1 usecIs MTU,Network mask,Area,Timer,Network type Matching?2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBorder Leaf From OSPF to MP-BGPS1P2-Leaf301#show bgp vpnv4 unicast 192.168.1.0/24 vrf DC:DCRoute Distinguisher:301:2359302

42、(VRF DC:DC)Advertised path-id 1,VPN AF advertised path-id 1AS-Path:NONE,path locally originated0.0.0.0(metric 0)from 0.0.0.0(10.1.208.65)Origin incomplete,MED 5,localpref 100,weight 32768 tag 0Extcommunity:RT:101:2359302VNID:2359302VPN AF advertised path-id 2Path type(0 xa25a1e50):internal adv path

43、ref 1,path is validnot best reason:WeightImported from(0 xa25f6cf4)302:2359302:192.168.1.0/24AS-Path:NONE,path sourced internal to AS10.1.208.64(metric 3)from 10.1.96.64(172.16.2.4)Origin incomplete,MED 5,localpref 100,weight 0 tag 0,propagate 0Extcommunity:RT:101:23593021.Verify the OSPF route is i

44、nject in MP-BGP(default permit-all import route-map S1P2-Leaf301#show bgp process vrf DC:DC|egrep ospfospf,route-map permit-allBRKDCN-3678Path imported from OSPF1Path from leaf 302(2ndOSPF BL)2Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2Area 0Area 0OSPF 192.168.1.0/2412Import-all

45、 route-map from OSPF to BGP24 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAS 370010.1.0.0/240.0.0.0/0 Setup 2-export transit route method 1 OSPF routes(now iBGP)to eBGP on leaf 10125BRKDCN-3678Export route-map Leaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spi

46、ne201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401IPN OSPF 192.168.1.0/2434eBGPeBGP 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExport to eBGP Cli checkS1P1-Leaf101#show bgp ipv4 unicast neighbors 192.168.101.2 vrf DC:DC|egrep OutboundOutbound route-map

47、configured is exp-l3out-BGP-peer-2359302,handle obtainedS1P1-Leaf101#show route-map exp-l3out-BGP-peer-2359302.route-map exp-l3out-BGP-peer-2359302,permit,sequence 15802Match clauses:ip address prefix-lists:IPv4-peer16387-2359302-exc-ext-inferred-export-dstipv6 address prefix-lists:IPv6-deny-allSet

48、clauses:tag 42949672951.Find outbound route-map for BGP neighbor2.Route-map sequence for External prefix inferred exportS1P1-Leaf101#show ip prefix-list IPv4-peer16387-2359302-exc-ext-inferred-export-dstip prefix-list IPv4-peer16387-2359302-exc-ext-inferred-export-dst:1 entriesseq 1 permit 192.168.1

49、.0/243.Prefix-list26BRKDCN-3678ext-inferred 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExport to eBGP Cli checkS1P1-Leaf101#show bgp ipv4 unicast neighbors 192.168.101.2 advertised-routesvrf DC:DCPeer 192.168.101.2 routes for address family IPv4 Unicast:BGP table vers

50、ion is 56,local router ID is 192.168.100.1Status:s-suppressed,x-deleted,S-stale,d-dampened,h-history,*-valid,-bestPath type:i-internal,e-external,c-confed,l-local,a-aggregate,r-redist,I-injectedOrigin codes:i-IGP,e-EGP,?-incomplete,|-multipath,&-backupNetwork Next Hop Metric LocPrfWeight Path.*i192.

51、168.1.0/24 10.1.208.64 5 100 0 101?4.Route-map sequence for External prefix inferred export27BRKDCN-3678 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSetup 2-Redistribute iBGP to OSPFAS 370010.1.0.0/240.0.0.0/0 eBGPeBGPeBGP routes(now iBGP)to OSPF on leaf 301-302Area 0A

52、rea 0OSPF 192.168.1.0/24128BRKDCN-3678Redistribute BGP to OSPF Route-mapLeaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2IPN 1 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive29Export to OSPF Cl

53、i checkBRKDCN-3678S1P2-Leaf301#show ip ospf vrf DC:DC|egrep bgpbgp route-map exp-ctx-proto-2359302S1P2-Leaf301#show route-map exp-ctx-proto-2359302.route-map exp-ctx-proto-2359302,permit,sequence 15801Match clauses:ip address prefix-lists:IPv4-proto32770-2359302-exc-ext-inferred-export-dstipv6 addre

54、ss prefix-lists:IPv6-deny-allSet clauses:tag 42949672951.Find outbound route-map for BGP to OSPF redistribution 2.Route-map sequence for External prefix inferred exportS1P2-Leaf301#show ip prefix-list IPv4-proto32770-2359302-exc-ext-inferred-export-dstip prefix-list IPv4-proto32770-2359302-exc-ext-i

55、nferred-export-dst:1 entriesseq 1 permit 10.1.0.0/243.Prefix-list 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExport to OSPF Cli checkS1P2-Leaf301#show ip ospf database external 10.1.0.0 vrf DC:DCOSPF Router with ID(192.168.0.3)(Process ID default VRF DC:DC)Type-5 AS E

56、xternal Link StatesLink ID ADV Router Age Seq#Checksum Tag10.1.0.0 192.168.0.3 410 0 x80000002 0 x3e1b 429496729510.1.0.0 192.168.0.4 410 0 x80000002 0 x3820 42949672954.Verify prefix is in OSPF database as external LSA(type 5)Leaf301Leaf301Area 0Area 0OSPF 30BRKDCN-3678Two LSA in the OSPF DB One re

57、distributed on Leaf301 and one Leaf302 Leaf302Leaf302Policy enforcement&Layer 3 out 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive32Policy enforcement Where?Assumption is using default vrf ingress enforcement modeIn that case policy is always enforced on server leaf in b

58、oth direction BRKDCN-3678Default ingress 1.2(1)+Default ingress 1.2(1)+2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3OUT Contract-EPG to external EPG Source EPG(pcTag)CheckSource EP LearningForwardingLookupDestination EPG(pcTag)CheckForwarding ResultpcTag BOn APICOn LE

59、AFL3OUT EPG BSubnet B External EPGEPG ApppcTag APrefix To pcTag mapping for L3OUTContract Filter Check A to BVRF subnet pcTagVRF1 subnet B pcTag Bsource destination FilterpcTag A pcTag B ICMPICMPSrc:Subnet A-Dst:Subnet BHit subnet BShow zoning-prefixVLAN+I/FpcTag AShow zoning-rule33BRKDCN-3678Prefix

60、 to pcTag table distributed to all leaf where VRF exists build from all“External subnets for External EPG”of all L3 out in the VRF 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3OUT Contract-External EPG to EPG Source EPG(pcTag)CheckForwardingLookup(EP or Pervasive BD)D

61、estination EPG(pcTag)CheckVLAN+I/F Ext EPGForwarding ResultpcTag BpcTag AOn APICOn LEAFEPG ApppcTag A L3OUT EPG BSubnet B External EPGSrc Prefix To pcTagmapping for L3OUT in vrfContract Filter Check B to AVRF subnet pcTagVRF1 subnet B pcTag Bsource destination FilterpcTag B pcTag A ICMPICMPSrc:Subne

62、t B-Dst:Subnet AHit subnet B34BRKDCN-3678Prefix to pcTag table is used in both direction(ingress or egress from an L3 out)2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3OUT Contract EPG to external EPGL3OUT EPG with 0.0.0.0/0 Source EPG(pcTag)CheckSource EP LearningForw

63、ardingLookupDestination EPG(pcTag)CheckVLAN+I/FForwarding ResultpcTag ApcTag 15On APICOn LEAFL3OUT EPG B0.0.0.0/0 External EPGEPG ApppcTag APrefix To pcTag mapping for L3OUTContract Filter Check A to 15VRF subnet pcTagVRF1 0.0.0.0/0 pcTag 15source destination FilterpcTag A 15 ICMPICMPSrc:Subnet A-Ds

64、t:Subnet BHit subnet 0.0.0.0/035BRKDCN-3678Exception is External Subnet for External EPG is 0.0.0.0/0 “wildcard”always setting reserved pcTag 15 in egress 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3OUT Contract External EPG to EPG L3OUT EPG with 0.0.0.0/036BRKDCN-36

65、78Source EPG(pcTag)CheckSource EP LearningForwardingLookupDestination EPG(pcTag)CheckVLAN+I/FForwarding ResultpcTag AOn APICOn LEAFEPG ApppcTag A L3OUT EPG B0.0.0.0/00.0.0.0/0 External EPGPrefix To pcTag mapping for L3OUT(unused here(unused here override by vrf pcTag)override by vrf pcTag)pcTag VRFC

66、ontract Filter Check vrf pcTag to AVRF subnet pcTagVRF1 0.0.0.0/0 15(vrf pcTag if ingress)source destination FilterpcTag VRF pcTag A ICMPICMPpcTag VRFIn ingress direction,devices use vrf pcTag if matching 0.0.0.0/0 external subnet 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis

67、coLive37Risk of using 0.0.0.0/0 on multiple L3 outBRKDCN-3678L3OUT EPG 0.0.0.0/00.0.0.0/0External EPGEPG1172.16.21.0L3OUT EPG0.0.0.0/00.0.0.0/0External EPGL3OUT BGPEPG2172.16.22.0External networkC1C2L3OUT OSPFExternal networkL3OUT EPG 0.0.0.0/00.0.0.0/0External EPGEPG1172.16.21.0L3OUT EPG0.0.0.0/00.

68、0.0.0/0External EPGL3OUT BGPEPG2172.16.22.0External networkC1C2L3OUT OSPFExternal networkExpectations Reality!L3Out Internal Route Maps 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRoute maps for direct or static routes L3Out association to a BD Export Route Control Sub

69、net Route map like default-exportRoute maps for routing protocols Export Route Control Subnet Route map like default-export(OSPF,EIGRP)Two types of route mapsborder-leaf#show ip ospf vrf TK:VRFA|egrep direct|static|bgp|eigrpdirect route-map exp-ctx-st-2785280static route-map exp-ctx-st-2785280bgp ro

70、ute-map exp-ctx-proto-2785280eigrp route-map exp-ctx-proto-2785280border-leaf#show ip eigrp vrf TK:VRFA|egrep direct|static|ospf|bgpbgp-65002 route-map exp-ctx-proto-2785280direct route-map exp-ctx-st-2785280ospf-default route-map exp-ctx-proto-2785280static route-map exp-ctx-st-2785280OSPFEIGRPexp-

71、ctx-st-exp-ctx-proto-39BRKDCN-3678Route-map used to determine what is allowed To OSPF/EIGRP 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveL3Out association to a BDExport Route Control SubnetRoute map like default-export(best)or named route-map40(BGP)a route map per L3Out

72、 or per peerBRKDCN-3678(when not using a per peer route map)border-leaf#show bgp ipv4 unicast neighbors vrf TK:VRFA|grep OutboundOutbound route-map configured is exp-l3out-BGP-peer-2785280,handle obtained(when using a per peer route map)border-leaf#show bgp ipv4 unicast neighbors vrf TK:VRFA|grep Ou

73、tboundOutbound route-map configured is TK-BGP_PEER1-BGP-out,handle obtainedNon-default route map in BGP peer connectivity profileOverride regular ACI behavior(subnet flags,BD to L3 out association-outexp-l3out-peer-Without per-peer route-map(default behavior)With per-peer route-mapin 4.2 and afterRo

74、ute-map used to determine what is outbound or inbound of a BGP L3 out 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivedefault-export route map configurationAll route advertisement(both BD subnets and transit routing)in one single component while L3Out external EPGs are ded

75、icated for security.41legeBRKDCN-3678 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBGP per-peer route maps(4.2+).42BRKDCN-3678Routing policies BGP community setting&matching 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRedistribute all BD s

76、ubnet to OSPFNetwork Requirements44BRKDCN-36783Too much overlapping prefix for both BGP peering!Better to use BGP community Set&Match Better to use BGP community Set&Match Deny the advertisement of routes received via eBGP with AS number 3700 into OSPF.The routes RX from eBGP AS3701 advertised it as

77、 E1 type routes in OSPF2Leaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2IPN AS 3700Many network including 10.1.0.0/24 eBGPeBGPOSPFOSPFOSPF Multiple BD 172.16.X.X/241Permit Set E1Permit BD 312AS 3701Many network including

78、 10.99.0.0/24 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive45Set and Match community BRKDCN-3678AS 3700Many network including 10.1.0.0/24 Area 0Area 0OSPF Leaf101Leaf101Leaf102Leaf102Pod1Spine202Spine202Spine201Spine201Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine40

79、1Spine401Pod2IPN Egress route-map Match comm 1001:1001 Match comm 1001:1001 denydenyMatch comm 2001:2001 Match comm 2001:2001 OSPF type E1OSPF type E1Permit BD subnet range Permit BD subnet range 172.16.0.0/16Set BGP community ingress to 1001:1001Set BGP community ingress to 1001:1001Set BGP communi

80、ty ingress to 2001:2001Set BGP community ingress to 2001:2001Multiple BD 172.16.X.X/24Multiple BD 172.16.X.X/24AS 3701Many network including 10.99.0.0/24 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBy default,there is no ingressroute-mapsoeverythingisallowed.First need

81、 to enable on bothBPG l3out import route controlNote:At that stage inboundroute-map is not existingUsing default deny all so allincoming prefix are droppedS1P1-Leaf101#show bgp ipv4 unicast neighbor 192.168.101.2 vrfDC:DC|egrep route-mapInbound route-map configured is permit-allOutbound route-map co

82、nfigured is exp-l3out-BGP-peer-2359302Prerequisite to make any ingress route-mapS1P1-Leaf101#show bgp ipv4 unicast neighbor 192.168.101.2 vrf DC:DC|egrep route-mapInbound route-map configured is imp-l3out-BGP-peer-2359302Outbound route-map configured is exp-l3out-BGP-peer-2359302S1P1-Leaf101#show ro

83、ute-map imp-l3out-BGP-peer-2359302%Policy imp-l3out-BGP-peer-2359302 not found46BRKDCN-3678Before enabling import route-controlAfter enabling import route-control 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSet communitySet communityRoute-map config BGP1default-import3

84、447BRKDCN-3678Create routeCreate route-map map(here default-import used)1Create permit context to match all and set communityCreate permit context to match all and set community2Match All aggregate subnetMatch All aggregate subnet 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cis

85、coLiveBGP BL resulting route-map S1P1-Leaf101#show route-mapimp-l3out-BGP-peer-2359302route-map imp-l3out-BGP-peer-2359302,permit,sequence 18201Match clauses:ip address prefix-lists:IPv4-peer16387-2359302-agg-ext-in-default-import4Set-Community10015Match-All-BGP1-dstipv6 address prefix-lists:IPv6-de

86、ny-allSet clauses:community 1001:1001 additiveSequence matching Prefix-list for all routes and setting community S1P1-Leaf101#show ip prefix-list IPv4-peer16387-2359302-agg-ext-in-default-import4Set-Community10015Match-All-BGP1-dstip prefix-list IPv4-peer16387-2359302-agg-ext-in-default-import4Set-C

87、ommunity10015Match-All-BGP1-dst:1 entriesseq 1 permit 0.0.0.0/0 le 3248BRKDCN-3678 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveResulting route-map BGP2S1P1-Leaf101#show bgp ipv4 unicast neighbors 192.168.201.2 vrf DC:DC|egrep route-mapInbound route-map configured is im

88、p-l3out-BGP2-peer-2359302,handle obtainedOutbound route-map configured is exp-l3out-BGP2-peer-2359302,handle obtainedNext,Apply similar config in BGP2 layer 3 out to set community to 2001:2001 for the 2ndAS connection49BRKDCN-3678S1P1-Leaf101#show route-mapimp-l3out-BGP2-peer-2359302route-map imp-l3

89、out-BGP2-peer-2359302,permit,sequence 18201Match clauses:ip address prefix-lists:IPv4-peer32771-2359302-agg-ext-in-Import-BGP2-SetComm2SetComm10025Match-All-BGP1-dstipv6 address prefix-lists:IPv6-deny-allSet clauses:community 2001:2001 additiveS1P1-Leaf101#show ip prefix-list IPv4-peer32771-2359302-

90、agg-ext-in-Import-BGP2-SetComm2SetComm10025Match-All-BGP1-dstip prefix-list IPv4-peer32771-2359302-agg-ext-in-Import-BGP2-SetComm2SetComm10025Match-All-BGP1-dst:1 entriesseq 1 permit 0.0.0.0/0 le 32 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBGP VPNv4 routes on OSPF B

91、LS1P2-Leaf301#show bgp vpnv4 unicast 10.99.0.0/24 vrf DC:DC()AS-Path:3701,path sourced external to AS10.0.0.64(metric 33)from 10.1.96.64(172.16.2.4)Origin IGP,MED not set,localpref 100,weight 0 tag 0,propagate 0 Received label 0Received path-id 2Community:2001:2001Extcommunity:RT:101:2359302()50BRKD

92、CN-3678OSPF Leaf301Leaf301Leaf302Leaf302Spine402Spine402Spine401Spine401Pod2IPN S1P2-Leaf301#show bgp vpnv4 unicast 10.1.0.0/24 vrf DC:DC()AS-Path:3700,path sourced external to AS10.0.0.64(metric33)from10.1.96.64(172.16.2.4)Origin IGP,MED not set,localpref100,weight0 tag 0,propagate0Receivedlabel 0R

93、eceivedpath-id 2Community:1001:1001Extcommunity:RT:101:2359302()2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveOSPF L3outUse default-export Route-map with 3 Seq51BRKDCN-3678Deny all prefix AND match community 1001:1001Permit all prefix AND match community 2001:2001+set OS

94、PF type E1Permit all the rest(matching BD subnet range say 172.16.0.0/16)S1P2-Leaf301#show ip ospf vrf DC:DC|egrep bgpbgp route-map exp-ctx-proto-2359302Default-export is automatically applied outbound on the L3out 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive52Sequence

95、 1BRKDCN-3678route-map exp-ctx-proto-2359302,deny,sequence 17201Match clauses:ip address prefix-lists:IPv4-proto32770-2359302-agg-ext-out-default-export4DenyComm10013MatcComm1001-dstcommunity(community-list filter):proto32770-2359302-agg-ext-out-default-export4DenyComm10013MatcComm1001-rgcomSet clau

96、ses:Leaf301#show ip community-list proto32770-2359302-agg-ext-out-default-export4DenyComm10013MatcComm1001-rgcomStandard Community List proto32770-2359302-agg-ext-out-MatchCommOut2DenyComm10013MatcComm1001-rgcompermit 1001:1001S1P2-Leaf301#show ip prefix IPv4-proto32770-2359302-agg-ext-out-default-e

97、xport4DenyComm10013MatcComm1001-dstip prefix-list IPv4-proto32770-2359302-agg-ext-out-MatchCommOut2DenyComm10013MatcComm1001-dst:1 entriesseq 1 permit 0.0.0.0/0 le 32 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveroute-map exp-ctx-proto-2359302,permit,sequence 18201Match

98、 clauses:ip address prefix-lists:IPv4-proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001community(community-list):proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001Set clauses:tag 4294967295metric-type type-1S1P2-Leaf301#show ip community proto32770-2359

99、302-agg-ext-out-default-export4MatchComm20015MatchComm2001Standard Community List proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001-rgcompermit 2001:2001S1P2-Leaf301#show ip prefix-list IPv4-proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001-dstip prefi

100、x-list IPv4-proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001-dst:seq 1 permit 0.0.0.0/0 le 32Sequence 253BRKDCN-3678 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveSequence 3 route-map exp-ctx-st-2359302,permit,sequence 11001Match clauses:ip addre

101、ss prefix-lists:IPv4-st32770-2359302-exc-ext-out-default-export4PermitBD7MatchBd-dstSet clauses:tag 4294967295S1P2-Leaf301#show ip prefix-list IPv4-st32770-2359302-exc-ext-out-default-export4PermitBD7MatchBd-dstip prefix-list IPv4-st32770-2359302-exc-ext-out-default-export4PermitBD7MatchBd-dst:1 ent

102、riesseq 1 permit 172.16.0.0/16 le 3254BRKDCN-3678 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive55Full route-map used from BGP to OSPFBRKDCN-3678S1P2-Leaf301#show route-mapexp-ctx-proto-2359302.route-map exp-ctx-proto-2359302,permit,sequence 11001Match clauses:ip address

103、 prefix-lists:IPv4-proto32770-2359302-exc-ext-out-default-export4PermitBD7MatchBd-dstipv6 address prefix-lists:IPv6-deny-allSet clauses:tag 4294967295route-map exp-ctx-proto-2359302,deny,sequence 17201Match clauses:ip address prefix-lists:IPv4-proto32770-2359302-agg-ext-out-default-export4DenyComm10

104、013MatcComm1001-dstipv6 address prefix-lists:IPv6-deny-allcommunity(community-list filter):proto32770-2359302-agg-ext-out-default-export4DenyComm10013MatcComm1001-rgcomSet clauses:route-map exp-ctx-proto-2359302,permit,sequence 18201Match clauses:ip address prefix-lists:IPv4-proto32770-2359302-agg-e

105、xt-out-default-export4MatchComm20015MatchComm2001-dstcommunity(community-list filter):proto32770-2359302-agg-ext-out-default-export4MatchComm20015MatchComm2001-rgcomSet clauses:tag 4294967295metric-type type-1Set OSPF E1 for Community 1002:1002Note:order of sequence in routeorder of sequence in rout

106、e-map have 2 rulesmap have 2 rules:1.Sequence containing 0.0.0.0/0 le 32 are always after sequence with more specific prefix-list2.After rule 1,order in route-map adhere the sequence number used in GUIDeny community 1001:1001 for all subnetPermit BD subnet 2023 Cisco and/or its affiliates.All rights

107、 reserved.Cisco Public#CiscoLiveExternal OSPF router RIBPOD2-router2#show ip route vrf DC:DC10.99.0.0/24,ubest/mbest:2/0*via 192.168.102.1,Vlan942,110/41,00:08:03,ospf-1,type-1,tag 4294967295*via 192.168.102.2,Vlan942,110/41,00:08:03,ospf-1,type-1,tag 4294967295.172.16.21.0/24,ubest/mbest:2/0*via 19

108、2.168.102.1,Vlan942,110/20,00:23:24,ospf-1,type-2,tag 4294967295*via 192.168.102.2,Vlan942,110/20,00:23:24,ospf-1,type-2,tag 4294967295172.16.22.0/24,ubest/mbest:2/0*via 192.168.102.1,Vlan942,110/20,00:23:24,ospf-1,type-2,tag 4294967295*via 192.168.102.2,Vlan942,110/20,00:23:24,ospf-1,type-2,tag 429

109、4967295.NO 10.1.0.0/24(filtered by outbound ospf route-map)56BRKDCN-3678Set by the match comm statementBD subnet match in Route-map(no set)Regular E210.1.0.0 is not in RIB as filtered by deny route-map matching communityAS override vs Allow Self AS5BRKD 2023 Cisco and/or its affiliates.All rights re

110、served.Cisco Public#CiscoLiveLF101#show bgp ipv4 uni neig 192.168.3.3 route vrf CL:cl2Network Next Hop LocPrfWeight PathCL2CL1BGP Loop PreventionBD route advertisement58BRKDCN-3678Leaf101Leaf101Leaf102Leaf102AS 101Spine202Spine202Spine201Spine201Router#show bgp ipv4 unicast neighbors 192.168.2.2 adv

111、ertised-routes Network Next Hop LocPrfWeight Path*e10.0.0.0/24 192.168.1.1 0 101?BGP loop prevention will see fabric AS!First AS always at far rightBD subnet -CL110.0.0.0/24AS 64555 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveMXF1P1-LF101#show bgp ipv4 unicast neighbor

112、s 192.168.3.3 vrf CL:cl2|grep“Allow my”Allow my ASN 3 timesCL2CL159BGP-Allow Self ASBRKDCN-3678Leaf101Leaf101Leaf102Leaf102AS 101Spine202Spine202Spine201Spine201First AS always at far rightBD subnet -CL1172.16.1.254/24AS 64555LF101#show bgp ipv4 un nei 192.168.3.3 routes vrf CL:cl2Network Next Hop L

113、ocPrfWeight Path*e10.0.0.0/24 192.168.3.3 0 64555 101?F1P1-LF101#show ip route 10.0.0.0/24 vrf CL:cl210.0.0.0/24,ubest/mbest:1/0*via 192.168.3.3%CL:cl2,20/0,bgp-65146,tag 64555 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveF1P1-LF101#show bgp ipv4 un nei 192.168.3.3 adve

114、rtised-routes vrf CL:cl2CL1CL2BGP Loop Prevention Incoming external route Peer-check 60BRKDCN-3678Leaf101Leaf101Leaf102Leaf102AS 101Spine202Spine202Spine201Spine20110.255.255.0/24AS 64555F1P1-LF101#show bgp ipv4 unicast vrf CL:cl2 Network NetworkNext Hop Weight Path*e10.0.0.0/24 192.168.3.3 0 64555

115、101?*e10.255.255.0/24 192.168.3.3 0 64555?*r172.16.2.0/24 0.0.0.0 100 32768?*r192.168.2.2/32 0.0.0.0 100 32768?*r192.168.3.3/32 0.0.0.0 100 32768?2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCL1CL2BGP Disable Peer checkIncoming external route61BRKDCN-3678Leaf101Leaf101L

116、eaf102Leaf102AS 101Spine202Spine202Spine201Spine20110.255.255.0/24AS 64555Disable Peer AS CheckDisable Peer AS CheckF1P1-LF101#show bgp ipv4 un nei 192.168.3.3 rout vrf CL:cl2Network Next Hop Weight Path*e10.255.255.0/24 192.168.3.3 0 64555?2023 Cisco and/or its affiliates.All rights reserved.Cisco

117、Public#CiscoLiveCL1CL262BGP AS override+Disable Peer AS CheckBRKDCN-3678Leaf101Leaf101Leaf102Leaf102AS 101Spine202Spine202Spine201Spine20110.255.255.0/24AS 64555MXF1P1-LF101#show bgp ipv4 unicast neighbors 192.168.3.3 vrf CL:cl2|grep-i ASN ASN override is enabledPeer ASN check is disabled 2023 Cisco

118、 and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExternal routerExternal routerLeaf vrf CL2Leaf vrf CL2Router2#show bgp ipv4 un nei 192.168.3.3 rout vrf CL:cl2Network Next Hop Weight Path*10.255.255.0/24 192.168.2.2 0 101 101?First AS replace with Fabric ASCL1CL263BGP AS override+Dis

119、able Peer AS CheckBRKDCN-3678Leaf101Leaf101Leaf102Leaf102AS 101Spine202Spine202Spine201Spine20110.255.255.0/24AS 64555F1P1-LF101#show bgp ipv4 uni neigh 192.168.3.3 adv vrf CL:cl2 Network Next Hop Weight Path*e10.255.255.0/24 192.168.3.3 0 64555?Summary 2023 Cisco and/or its affiliates.All rights re

120、served.Cisco Public#CiscoLiveRoute Control Strategy Approach 1a and 1b ACI Day 0 implementation 65BDBDBD Subnet A-Advertised externallyL3 OutL3 OutTransit Subnet B-Export route-controlBD associated to L3out1a BD subnet on BD Transit on L3outBDBDBD Subnet A-Advertised externallyL3Out L3Out Transit Su

121、bnet B AND BD subnet A Export route-control 1b Transit and BD subnet on L3outBRKDCN-3678Pros:Pros:L3out can decide which BD is advertiseCons:Cons:No differentiation between internal BD subnet and transit route,neither in UI,neither in route-map on leafNote:Note:Aggregation of subnet in prefix-list p

122、ossible but requires route-map Pros:Pros:Easy to deploy subnet All controls under BD Cons:Cons:On L3out itself no visibility or information on which BD subnet will be send outAggregation of BD subnet in prefix-list is impossible 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#Cisco

123、LiveRoute Control Strategy Approach 2a and 2b Full route-map approach 66BDBDBD Subnet A-Advertised externallyL3 OutL3 OutRouteRoute-map(defaultmap(default-export)export)-Match prefix(BD and transit)Match prefix(BD and transit)-Aggregate(optional)Aggregate(optional)-Set parameters(optional)Set parame

124、ters(optional)2a All protocols(2.1+code)BDBDBD Subnet A-Advertised externallyL3 OutL3 OutRouteRoute-map defined per neighbormap defined per neighbor-Match prefix(BD and transit)Match prefix(BD and transit)-Aggregate(optional)Aggregate(optional)-Set parameters(optionalSet parameters(optional2b BGP L3

125、out(4.2+code)BRKDCN-3678Pros:Closer feeling to regular router Very tight control on routing Aggregation of subnet in prefix-list very easy More scalable easier to troubleshoot Only one configuration place for route controlCons:Hard to migrate from Approach 1 to route-map Little more complicated For

126、BGP:common route-map for all neighbors on same L3 Pros:Even closer to regular router Same Pros as 2aCons:Even Hard to migrate from Approach 1 to route-map per neighbor best for greenfield None 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveFill out your session surveys!At

127、tendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks(while supplies last)!67BRKDCN-3678These points help you get on the leaderboard and increase your chances of winning daily and grand prizesAttendees will also earn 100 points in theCi

128、sco Live Challenge for every survey completed.2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicContinue your educationVisit the Cisco Showcase for related demosBook your one-on-oneMeet the Engineer meetingAttend the interactive education with DevNet,Capture the Flag,and Walk-in LabsV

129、isit the On-Demand Library for more sessions at www.CiscoL you#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLive71Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123471 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKDCN-3678#CiscoLive