Step-by-Step Configuration Guide

Normal L3Out

A Normal L3Out binds Layer 3 connectivity to specific leaf nodes and specific physical interfaces. Routing adjacency exists only on those defined nodes.

Prerequisites

• Create a VLAN Pool (Static or Dynamic depending on use case)

• Create an L3 Domain

• Associate VLAN Pool with the L3 Domain

• Create a Physical Domain

• Associate Physical Domain to the AEP

• Bind AEP to leaf interfaces connected to the external device (e.g., F5)

Step-by-Step (GUI)

Step 1 — Create L3Out

Navigate:Tenants → → Networking → L3Outs → Create L3Out

Identity

• Name: e.g., Normal_L3Out

• VRF: Select appropriate VRF

• L3 Domain: Select created L3 domain

• Routing Protocol: BGP / OSPF / Static

Step 2 — Create Logical Node Profile

Inside the L3Out:

• Logical Node Profiles → Create

• Add specific leaf nodes (e.g., 101, 102)

• Configure:

  • Router ID

  • Loopback (if required for BGP)

These nodes become your Border Leafs.

Step 3 — Create Logical Interface Profile (Critical Step)

Inside L3Out:

• Logical Interface Profiles → Create

• Select Interface Type: SVI (or Routed Interface)

Now explicitly bind the path:

• Path: Select specific interface (e.g., eth1/10) or vPC

• Encapsulation: e.g., vlan-205

• IP Address: e.g., 192.168.1.1/24

• Configure routing protocol neighbor parameters

This explicit path binding is what makes it a "Normal" L3Out.

Control-plane adjacency will exist only on these defined leaf nodes.

Step 4 — Configure Routing Protocol

Under the protocol tab:

• For BGP:

  • Peer IP

  • Remote ASN

  • BFD (optional)

• For OSPF:

  • Area

  • Interface policy

Step 5 — Create External EPG

Inside L3Out:

• External EPG → Create

• Add external subnets (e.g., 0.0.0.0/0)

• Attach Contracts (Provide/Consume)

Behavioural Summary (Normal L3Out)

• Control plane adjacency only on defined border leaves

• Traffic must reach those leaves

• No dynamic instantiation on other leaves

• Ideal for fixed physical router connections

Floating L3Out

A Floating L3Out allows Layer 3 connectivity to be defined at the domain level instead of per-interface path binding.

Routing adjacency is formed only on Anchor Nodes, but the L3Out can dynamically instantiate across the fabric.

This is commonly used for:

• Virtual routers (F5 VE, CSR, Fw)

• VM mobility

• Service insertion designs

Prerequisites

• VLAN Pool must use Static Allocation

• L3 Domain must reference that VLAN Pool

• Physical Domain must reference same VLAN Pool

• AEP must include required domain

• Leaf switches must support Floating L3Out (Gen2+ platforms such as EX/FX/FX2/GX — verify per release)

Important Architectural Clarification

Floating L3Out does NOT eliminate binding.

Instead of:

You bind:

Step-by-Step

Step 1 — Create L3Out

Navigate:Tenants → Networking → L3Outs → Create L3Out

Identity

• Name: Floating_L3Out

• VRF: Select VRF

• L3 Domain: Select L3 Domain

• Routing Protocol: BGP / OSPF

Step 2 — Configure Floating SVI

Under Nodes and Interfaces:

• Interface Type: Select Floating SVI

• Domain Type: Physical

• Domain: Select Physical Domain

• Encapsulation: vlan-205

• Floating Address: e.g., 192.168.1.250/24

The Floating Address represents the SVI IP used by non-anchor leaves for consistent routing behavior.

Step 3 — Define Anchor Nodes

Add specific leaf nodes that will establish routing adjacency:

Example:

• Node 101

  • Router ID

  • Primary IP: 192.168.1.251/24

• Node 102

  • Router ID

  • Primary IP: 192.168.1.252/24

These nodes:

• Form BGP/OSPF adjacency

• Advertise routes

• Act as control-plane endpoints

Step 4 — Configure Routing Protocol

• For BGP:

  • Peer IP (F5 Self-IP)

  • Remote ASN

• For OSPF:

  • Area configuration

Only Anchor nodes establish adjacency.

Step 5 — Create External EPG

Same as Normal L3Out:

• Define external subnets

• Attach contracts

Behavioural Summary (Floating L3Out)

Control Plane:

• Adjacency only on Anchor nodes

Data Plane:

• Traffic from any leaf can be forwarded internally to anchor nodes

• Non-anchor nodes do not establish routing adjacency

Key difference:

Normal L3Out → Control & Data localised to border leavesFloating L3Out → Control on anchors, Data flexible across fabric

-------------------------------------------------------------------------------------------------------------------------------

Implementing Floating SVI L3Out in Cisco ACI for Highly Available External Connectivity

Why Use Floating SVI L3Out?

In a traditional routed L3Out configuration, each leaf switch has its own routed interface and gateway IP address.

Example:

Leaf-1 gateway → 192.168.10.1Leaf-2 gateway → 192.168.10.2

In such designs, external devices must rely on routing protocols or first-hop redundancy mechanisms to determine which gateway to use.

Floating SVI changes this behaviour.

Instead of individual gateways, all participating leaf nodes share the same virtual gateway IP.

Example:

Leaf-1 IP → 192.168.10.3Leaf-2 IP → 192.168.10.4Floating Gateway → 192.168.10.2

External devices use the floating address as their default gateway, while ACI distributes forwarding responsibilities across the leaf nodes.

Benefits include:

• Active-active forwarding across multiple border leaf switches

• No requirement for HSRP or VRRP

• Faster convergence and simplified failover

• Better load balancing across the fabric

• Simplified external routing design

High-Level Architecture

A Floating SVI deployment typically includes:

• Multiple border leaf switches

• A shared VLAN connecting the external network

• A floating gateway IP address

• Individual node IP addresses for each leaf

• A secondary IP address required for internal ACI operations

Traffic entering the fabric can be processed by any available leaf node, providing resilience and scalability.

Deployment Workflow

The configuration process generally includes the following steps:

1. Create a VLAN Pool

2. Create an L3 Domain

3. Create a Physical Domain

4. Create the L3Out

5. Configure Floating SVI Interfaces

6. Define External EPGs

7. Configure External Subnets

8. Configure Routing (static or dynamic)

Step 1 – Create a VLAN Pool

The VLAN pool defines the encapsulation used by the external network connection.

Navigate to:

Fabric → Access Policies → Pools → VLAN

Create a VLAN pool with Static Allocation and define the VLAN that will be used for the external connectivity.

Example configuration:

Name: External_L3Out_VLAN_PoolAllocation Mode: StaticEncapsulation: VLAN 1000

This VLAN must also be allowed on the upstream switching infrastructure.

Step 2 – Create an L3 Domain

The L3 domain associates the VLAN pool with Layer-3 external connectivity.

Navigate to:

Fabric → Access Policies → Physical and External Domains → L3 Domains

Example configuration:

Name: External_L3Out_DomainAssociated AAEP: External_AAEPVLAN Pool: External_L3Out_VLAN_Pool

This domain enables the L3Out interface to use the defined VLAN encapsulation.

Step 3 – Create a Physical Domain

A physical domain is required for the Floating SVI interface binding.

Navigate to:

Fabric → Access Policies → Physical and External Domains → Physical Domains

Example configuration:

Name: External_Physical_DomainAssociated AAEP: External_AAEPVLAN Pool: External_L3Out_VLAN_Pool

Step 4 – Create the L3Out

Navigate to:

Tenant → Networking → L3Outs

Create a new L3Out and define:

Name: External_L3OutVRF: Production_VRFL3 Domain: External_L3Out_Domain

At this stage, you can choose whether to enable dynamic routing protocols such as BGP or OSPF, or rely on static routing.

Step 5 – Configure Floating SVI Interfaces

When adding the interface configuration, select Floating SVI as the interface type.

Example parameters:

Interface Type: Floating SVIEncapsulation: VLAN 1000 Floating IP Address: 192.168.10.2/28 MTU: 1500

Then define each participating leaf node.

Example:

Leaf Node 101Router ID: 10.10.10.1 Primary Interface IP: 192.168.10.3/28

Leaf Node 102Router ID: 10.10.10.2 Primary Interface IP: 192.168.10.4/28

Additional leaf nodes can be added to increase redundancy and capacity.

Step 6 – Configure Secondary IP Address

Floating SVI configurations require a secondary IP address.

This secondary address is shared across all participating nodes and assists with ARP handling and gateway behavior within the fabric.

Example:

Secondary IP: 192.168.10.1/28

The same secondary address must be configured for each participating leaf node.

Step 7 – Configure External EPG

The external EPG represents the external network connected through the L3Out.

Navigate to:

Tenant → Networking → L3Out → External EPG

Example:

External EPG Name: External_Network

Then define the external networks reachable through this L3Out.

Example subnets:

192.168.50.0/24192.168.60.0/24

These subnets allow ACI to properly classify and route traffic destined for external networks.

Step 8 – Configure Routing

Depending on the design, routes can be exchanged using:

• Static routes

• OSPF

• BGP

For static routing, routes can be defined per node.

Example:

Destination: 192.168.50.0/24Next Hop: External Router IP

Dynamic routing protocols are typically preferred in larger deployments to provide automatic route exchange and failover.

Traffic Forwarding Behaviour

When the Floating SVI is deployed:

1. External devices use the floating IP address as their default gateway.

2. The gateway IP is reachable from any participating leaf node.

3. Traffic entering the fabric is forwarded by the closest leaf.

4. The ACI fabric performs optimal forwarding using the spine-leaf architecture.

If one leaf fails, another leaf automatically handles the traffic without requiring gateway failover.

Operational Verification

After deployment, several checks can be performed on leaf switches.

Example CLI commands:

Verify interface state—> show ip interface brief vrf <VRF_NAME>

Verify routing table—> show ip route vrf <VRF_NAME>

Verify ARP entries—> show ip arp vrf <VRF_NAME>

Verify endpoint learning—> show system internal epm endpoint ip

These commands help confirm that the Floating SVI and external routing are functioning correctly.

Design Considerations

When deploying Floating SVI L3Out, consider the following best practices:

• Ensure VLAN encapsulation is allowed on upstream trunk links.

• Use consistent IP addressing across all participating leaf nodes.

• Validate MTU compatibility between the ACI fabric and external devices.

• Prefer dynamic routing protocols in larger environments.

• Verify domain and AAEP associations before deploying the L3Out.

Conclusion

Floating SVI L3Out provides a robust and scalable method for integrating external Layer-3 networks into Cisco ACI fabrics.

By allowing multiple leaf switches to share a single gateway IP address, this design enables:

• Active-active forwarding

• Simplified failover

• Improved scalability

• Reduced dependency on traditional first-hop redundancy protocols

-------------------------------------------------------------------------------------------------------------------------------

Converting Normal L3Out to Floating L3Out

Technically possible, but requires structural modification.

For production environments, it is recommended to:

Reason:

• Changing interface type (SVI → Floating SVI)

• Can cause routing adjacency flap

• May recreate internal BD objects

• Can temporarily withdraw routes

If Conversion Is Required (Lab / Controlled Environment)

Step 1 — Validate VLAN Pool

Ensure:

• VLAN Pool uses Static allocation

• L3 Domain and Physical Domain are aligned

Step 2 — Remove Explicit Path Bindings

Navigate:L3Out → Logical Node Profile → Logical Interface Profile

Under SVI/Sub-interface:

• Remove explicit interface paths (e.g., eth1/10 bindings)

Step 3 — Create Floating SVI

Under same Logical Interface Profile:

• Select Floating SVI

• Enter:

  • VLAN

  • Floating Address

  • Domain association

• Add Anchor nodes

• Reconfigure Primary IP per node

Step 4 — Validate Routing

Ensure:

• BGP/OSPF adjacency forms on Anchor nodes

• Routes are advertised correctly

• Traffic forwarding behaves as expected

Comparison

Floating L3Out Version Support

• Floating L3Out Introduction:

  • Started in ACI Version 4.2(1): The floating L3Out feature became available starting with Cisco ACI version 4.2(1) for VMware vSphere Distributed Switch (VDS) in Virtual Machine Manager (VMM) domains.

    
    

  • Expanded in ACI Version 5.0(1): From version 5.0(1), the support for floating L3Out was extended to physical domains. This allows using floating L3Out with virtual routers without needing VMM domain integration, or with physical routers without complex interface path configurations.

    
    

• Configuration Simplification:

  
  

  • Previous Setup Requirements: Before version 4.2(1), when connecting to an external virtual router, you had to configure the L3Out logical interface path from each border leaf switch to the hypervisor's uplink where the virtual device was running. If the virtual machines moved to different hosts within a hypervisor cluster, you had to manually configure the L3Out on all potential leaf switches where the virtual machine could run.

    
    

  • Problem Example: For instance, if a hypervisor cluster has 12 leaf switches, you had to create L3Out configurations for every leaf switch to ensure connectivity as virtual machines moved across the cluster.

    
    

• Floating L3Out Benefits:

  
  

  • Simplified Configuration: With floating L3Out, the process is much easier. After setting it up, you no longer need to manually configure the L3Out logical interfaces on all the leaf switches in the cluster.

    
    

  • Automatic Handling: This feature automatically manages the connectivity, even as virtual machines move between different leaf switches, removing the need for complex and time-consuming manual configurations.

    
    

Example  to use the Floating Layer 3 Outside Network Connection (Floating L3Out) feature in Cisco ACI.

The example includes a Virtual Machine Manager (VMM) domain and a Virtual Port Channel (vPC) setup. However, Floating L3Out also works with physical domains, and using vPC is optional.

Key Components

1. Virtual Routers:

   • Can be a regular router, a virtual firewall, or any virtual device.

   • Acts as the next hop for static routes in the Cisco ACI fabric.

   • Establishes a routing connection with the ACI fabric.

     
     

2. Anchor Leaf Nodes:

   • Example Setup: Two leaf switches named Leaf1 and Leaf2.

   • Role:

     • Connect directly with external routers.

     • Establish Layer 3 (L3) routing connections with these external routers.

   • Scalability:

     • Up to 6 anchor leaf nodes are supported per L3Out in Cisco ACI release 6.0(1).

   • IP Addresses:

     • Use primary and floating IP addresses.

     • Can also have secondary and floating secondary IP addresses if needed.

       
       

3. Non-Anchor Leaf Nodes:

   • Example Setup: Two leaf switches named Leaf3 and Leaf4.

   • Role:

     • Do not connect directly with external routers.

     • Act as "pass-through" nodes for traffic between external routers and anchor leaf nodes.

   • Scalability:

     • Up to 32 non-anchor leaf nodes are supported per L3Out in Cisco ACI release 6.0(1).

   • IP Addresses:

     • Use a common floating IP address.

     • Can have floating secondary IP addresses if needed.

     • In VMM domains with VMware vDS:

       • Floating IP is used only when the virtual router is connected to the leaf node.

     • In physical domains:

       • Floating IP is used if the leaf port uses an Attachment Endpoint Profile (AEP) associated with the Floating L3Out.

How Floating L3Out Works

1. Creating L3Out Bridge Domain:

   • When you set up an L3Out, an L3Out bridge domain is created on the anchor leaf nodes.

   • This bridge domain is often called the “L3Out’s SVI subnet.”

     
     

2. Floating L3Out with VMM Domain:

   • If a virtual router moves to a host connected to a non-anchor leaf switch:

     • Cisco APIC automatically deploys the L3Out bridge domain on the non-anchor leaf switch.

     • Installs the floating IP address (and floating secondary IPs if needed) on the non-anchor leaf switch.

   • If an external Endpoint Group (EPG) under the L3Out has a contract with another EPG:

     • Routes to the EPG and policy rules for the contract are also installed on the non-anchor leaf switch.

       
       

3. Maintaining Routing Adjacencies:

   • Even if the virtual router moves, it maintains routing connections with the SVI interfaces on the anchor leaf nodes.

   • This is possible because ACI extends connectivity for the L3Out bridge domain across both anchor and non-anchor leaf nodes.

Let's Understand

Behavior:

• Only Anchor nodes should be physically connected to the F5 (or external router).

• Non-anchor nodes typically do NOT have physical L3 adjacency to the F5.

• Even if a non-anchor leaf has the VLAN present, it does NOT form routing adjacency.

Floating L3Out design assumption:

• Routing adjacency exists only on anchor nodes.

• Traffic from non-anchor nodes is forwarded internally to anchor nodes.

Who are Non-Anchor nodes ?

Every other leaf in the fabric:

• That belongs to the same VRF

• That has the relevant domain association

• That is not selected as Anchor

You do not:

• Mark them as non-anchor

• Configure them as non-anchor

• Apply any special policy

They are simply “not anchor”

Let’s say:

• Node 101 & 102 = Anchor

• Node 103, 104, 105 = Not defined

No configuration needed for 103/104/105.

If a VM connected to Node 104 sends traffic toward external:

• Node 104 forwards to Anchor node via fabric

• Anchor node routes externally

How Does APIC Know Which Leafs Get the Floating SVI?

Floating L3Out works through:

• Domain association

• Static VLAN allocation

• Endpoint presence

APIC dynamically instantiates the SVI on leafs where needed.

But:

• Only anchor nodes run routing protocol

• Non-anchor nodes do not run routing protocol

• Floating IP exists logically across nodes for consistent forwarding

Floating L3Out design

You want a controlled topology:

• Leaf1 & Leaf2 → Anchor nodes

• Leaf3 & Leaf4 → Non-anchor nodes

• Leaf5 & Leaf6 → Completely excluded

First: Important Architectural Reality

In Floating L3Out:

• You explicitly configure Anchor nodes

• All other leaves in the same VRF + Domain scope become eligible non-anchor

• Leaves are “excluded” only if:

  • They do NOT belong to the same domain/AEP

  • OR they do NOT participate in the VRF

  • OR the Floating VLAN is not allowed to instantiate there

So we must design carefully.

Desired Fabric Topology

Design Strategy

We control behavior using:

1️⃣ VRF association

2️⃣ Domain association

3️⃣ VLAN pool scope

4️⃣ AEP bindings

Floating L3Out only instantiates where:

• The leaf participates in the VRF

• The domain/AEP relationship exists

• The VLAN can be allocated

So exclusion = remove one of these.

Step-by-Step Deployment

STEP 1 — Create Dedicated L3 Domain & VLAN Pool

This isolates your Floating L3Out.

Create VLAN Pool

• Static allocation only

• Example: VLAN 205

Create L3 Domain

• Associate VLAN Pool

Create Physical Domain

• Associate same VLAN Pool

Do NOT reuse a domain used by Leaf5/6 workloads if you want them excluded.

STEP 2 — Control AEP Scope

Create a new AEP:

Example:AEP-Floating-L3Out

Associate:

• Physical Domain (created above)

Now bind this AEP ONLY to:

• Leaf1 uplink ports

• Leaf2 uplink ports

• Any ports on Leaf3/4 where endpoints needing L3Out exist

Do NOT bind this AEP to Leaf5 or Leaf6 ports.

STEP 3 — VRF Placement Control

Ensure:

• Bridge Domains and EPGs using this L3Out are only deployed on Leaf1–4.

Endpoints connected to Leaf5/6 should not belong to:

• The same tenant/VRF

  OR

• Should not use EPGs associated with this L3Out

If Leaf5/6 do not host endpoints in that VRF → Floating SVI will not instantiate.

STEP 4 — Create Floating L3Out

Now configure the Floating L3Out.

Navigate:Tenants → Networking → L3Out → Create

Identity

• VRF = your controlled VRF

• L3 Domain = your dedicated L3 domain

• Protocol = BGP/OSPF

STEP 5 — Configure Floating SVI

Under Nodes & Interfaces:

• Interface Type → Floating SVI

• Domain Type → Physical

• Domain → your new Physical Domain

• Encap → vlan-205

• Floating Address → e.g., 192.168.1.250/24

STEP 6 — Define Anchor Nodes

Add:

• Leaf1 → Primary IP 192.168.1.251/24

• Leaf2 → Primary IP 192.168.1.252/24

These will form routing adjacency.

Leaf3/4 are not configured here → automatically non-anchor.

Leaf5/6 also not configured — but exclusion depends on domain/VRF scope.

STEP 7 — Protocol Configuration

Configure BGP/OSPF peer:

• Peer IP = F5 self-IP

• Remote ASN

Only Leaf1/2 will form adjacency.

What Happens Now?

Leaf1 & Leaf2

• Have Floating SVI

• Run routing protocol

• Peer with F5

Leaf3 & Leaf4

• Floating SVI may instantiate

• Do NOT run routing protocol

• Forward traffic internally to Anchor nodes

Leaf5 & Leaf6

If:

• They have no endpoints in this VRF

• Their ports do not use the AEP with this domain

Then:

• No Floating SVI instantiated

• No participation in this L3Out

• Fully excluded

Expected:

Note : If you reuse an existing Physical Domain used across all leaves:

Then VLAN 205 may instantiate everywhere → Leaf5/6 will not be excluded.

Domain scoping is critical.