Overlapping or non-overlapping VTEP pool

Jun 8th, 2017

The question is, when asking for a VTEP pool to configure an ACI fabric, do you ask for a non-overlapping IP pool, or is overlapping OK? I understand that the VTEP pool is only used within the fabric (for now), but with the direction of Multi-Pod, Multi-Pod site, and GOLF, the VXLAN boundary will be extended out to the edge of the network, thus VTEP IPs will be advertised into the IGP for the underlay. That will require using a non-overlapping VTEP pool if you don't want to rebuild your fabric. Is this correct?

chriswelsh Thu, 06/08/2017 - 13:40

The logic explained below is my logic and the way I explain it, there may be a different official Cisco answer.

The problem with VTEP pools is the APICs.  You see, the APICs can't handle

  1. having a management IP address that overlaps with the VTEP address space, (it can't figure out which interface to send management responses on) or
  2. being accessed from a workstation that is using an IP address that overlaps with the VTEP address space.

Since it is conceivable that any internal IP address may need to access the APIC for some reason sometime, I would recommend that you don't overlap VTEP addresses with any currently used internal addresses.

Below is an example of the routing table from an APIC:

apic1# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         172.16.11.1     0.0.0.0         UG      0 0      0 oobmgmt
10.0.0.0        10.0.0.30       255.255.0.0     UG      0 0      0 bond0.3967
10.0.0.30       0.0.0.0         255.255.255.255 UH      0 0      0 bond0.3967
10.0.32.64      10.0.0.30       255.255.255.255 UGH     0 0      0 bond0.3967
10.0.32.65      10.0.0.30       255.255.255.255 UGH     0 0      0 bond0.3967
169.254.1.0     0.0.0.0         255.255.255.0   U       0 0      0 teplo-1
169.254.254.0   0.0.0.0         255.255.255.0   U       0 0      0 lxcbr0
172.16.11.0     0.0.0.0         255.255.255.0   U       0 0      0 oobmgmt

In this case, the management interface is an OOB management interface, and the APIC sees the OOB management interface route as 172.16.11.0/24.  Now imagine for a minute I had used 10.0.11.0/24 as my OOB Management subnet.  Since that overlaps with my VTEP range (10.0.0.0/16) there is potential that an IP address of say 10.0.11.11 could be allocated to a VTEP somewhere - and if that happened my APIC would be unable to communicate with it because that address overlaps with my management address range.

HTH

RedNectar

aka Chris Welsh
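The following is an added example, not part of the thread and not Cisco's or the APIC's own code. It parses the routing table quoted in the answer above, performs the longest-prefix match the APIC kernel would do, and shows why an overlapping OOB subnet breaks VTEP reachability: with the real OOB subnet (172.16.11.0/24) a VTEP at 10.0.32.64 is reached via bond0.3967, but if the OOB subnet were 10.0.11.0/24 (a hypothetical variant constructed for illustration) the /24 connected route wins over the /16 VTEP route and traffic for a VTEP at 10.0.11.11 would leave on oobmgmt instead. A small overlap check for planning a VTEP pool against existing subnets is included; the subnet names and addresses in that check are constructed sample values.

```python
import ipaddress

# Constructed sample: the APIC routing table quoted in the answer above (netstat -rn),
# header lines included so the parser has to skip them.
APIC_ROUTES = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.16.11.1 0.0.0.0 UG 0 0 0 oobmgmt
10.0.0.0 10.0.0.30 255.255.0.0 UG 0 0 0 bond0.3967
10.0.0.30 0.0.0.0 255.255.255.255 UH 0 0 0 bond0.3967
10.0.32.64 10.0.0.30 255.255.255.255 UGH 0 0 0 bond0.3967
10.0.32.65 10.0.0.30 255.255.255.255 UGH 0 0 0 bond0.3967
169.254.1.0 0.0.0.0 255.255.255.0 U 0 0 0 teplo-1
169.254.254.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
172.16.11.0 0.0.0.0 255.255.255.0 U 0 0 0 oobmgmt
"""

# Hypothetical variant (assumption for illustration): the same APIC with its OOB
# management subnet moved to 10.0.11.0/24, which sits inside the 10.0.0.0/16 VTEP pool.
OVERLAPPING_OOB_ROUTES = (
    APIC_ROUTES
    .replace("172.16.11.0 0.0.0.0", "10.0.11.0 0.0.0.0")
    .replace("172.16.11.1", "10.0.11.1")
)


def parse_routes(text):
    """Parse netstat -rn style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        try:
            # Genmask is a dotted mask; ip_network accepts "addr/mask" with strict=False
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # the "Destination Gateway ..." header line ends up here
        routes.append((net, parts[1], parts[7]))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match: the interface the kernel would use for a packet to destination."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, _gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def overlapping_subnets(vtep_pool, named_subnets):
    """Return the subset of named_subnets (name -> CIDR) that overlaps the proposed VTEP pool."""
    pool = ipaddress.ip_network(vtep_pool)
    return {name: cidr for name, cidr in named_subnets.items()
            if pool.overlaps(ipaddress.ip_network(cidr))}


if __name__ == "__main__":
    clean = parse_routes(APIC_ROUTES)
    print("OOB 172.16.11.0/24: VTEP 10.0.32.64 reached via", egress_interface(clean, "10.0.32.64"))
    overlapped = parse_routes(OVERLAPPING_OOB_ROUTES)
    print("OOB 10.0.11.0/24:   VTEP 10.0.11.11 reached via", egress_interface(overlapped, "10.0.11.11"))
    # Planning check: constructed sample subnets tested against a 10.0.0.0/16 VTEP pool
    print("Overlaps:", overlapping_subnets("10.0.0.0/16",
                                           {"oob_mgmt": "10.0.11.0/24", "user_lan": "192.168.5.0/24"}))
```

Running the script prints bond0.3967 for the clean table and oobmgmt for the overlapping variant, which is the failure the answer describes: the APIC has no way to tell a VTEP in 10.0.11.0/24 from a management host there, so the VTEP becomes unreachable. Running overlapping_subnets over every subnet that might ever need to reach the APIC, before the fabric is built, is the cheap way to avoid that.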

apache_le Thu, 06/08/2017 - 16:14

Excellent example of why the VTEP pool should be non-overlapping.  Thanks.

chriswelsh Mon, 06/12/2017 - 13:30

apache_le - don't forget to mark your question as Answered if you are satisfied with the answer given.  It helps anyone searching the forum to find unanswered questions, and helps others find the answer if they have the same question.

RedNectar

aka Chris Welsh
