Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
5
Helpful
1
Replies

ACI design - Route leaking issue

Netzwerker
Level 1
Level 1

‎08-24-2022 05:44 AM

Hi,

In the attached design, and in the same vrf-X: we have EPGs that must go through the firewall and others directly to the ASR.

With this design, it can cause routing problems in VRF-X? because we will have a route leaking from VRF-X-OUT to VRF-X and therefore the routes from VRF-X-OUT can override the routes in VRF-X. (example of a default route).

Thank you

Labels:
Preview file
50 KB
0 Helpful
1 Reply 1

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎08-25-2022 10:07 AM - edited ‎08-25-2022 10:08 AM

If you have some EPGs/BDs that must go only directly, and the same route should be reachable through firewall as well, then the design will not work.

I would suggest a PBR service graph, inside the same VRF. This way you can control which EPGs must go through firewall, which EPGs can communicate directly with the ASR, and bonus, you can enforce East-West PBR via FW (EPG to EPG), and all this without routing complexity - basically only a default route to ASR and routes configured on FW (default to outside, specific routes to inside).

Here is the whitepaper for reference https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

Take care,

Sergiu

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License