Solved: Re: ACI OOB Network not Reachable from Overlay Networks

nrm081823 · ‎09-23-2025

Hi,

Would like to check if you experience this in your ACI. Currently, we have OOB with 192.168.0.0/24 network and I need this to be reachable with the workloads hosted in ACI (overlay or ACI as a gateway).

Thanks.

nrm081823 · ‎09-23-2025

I have Catalyst Switch that handles the OOB management of the ACI fabric (APIC and Switches). On the other hand, I have multiple EPGs and L3Outs that need to be reachable to my ACI OOB network. Please see my diagram attached, the GWs are hosted in ACI and the workloads need to be connected to my OOB network.

View solution in original post

julian.bendix · ‎09-23-2025

Hey!

Usually what I do is have the OOB Network terminating on a Firewall.

If the setup is small enough, this can happen on the same firewall which will be acting as DC-Edge Firewall.

Then you just have to get the routing right and allow this traffic on the firewall..

Regarding your question... I would need much much more info about your setup.
Where are the OOB MGMT Ports of the APICs and Switches connected to?
On which device is the Gateway for the OOB Network located?
Do you have a L3OUT in the Tenant (or Tenants) where your workload is located, or is the ACI Fabric only stretching L2?

BR Jules

nrm081823 · ‎09-23-2025

I have Catalyst Switch that handles the OOB management of the ACI fabric (APIC and Switches). On the other hand, I have multiple EPGs and L3Outs that need to be reachable to my ACI OOB network. Please see my diagram attached, the GWs are hosted in ACI and the workloads need to be connected to my OOB network.

julian.bendix · ‎09-23-2025

Where does your L3Out connect to?

Is the OOB Switch also the Gateway for the OOB Network?

nrm081823 · ‎09-23-2025

Via Leaf switch also connected to external devices. Yes, the OOB switch is the GW of ACI fabric management.

What I want to resolve is the communication between OOB management IP addresses and workloads connected in the leaf switches (ACI overlay and/or L3Out).

julian.bendix · ‎09-23-2025

Then you just need to get the Routing between the OOB Switch and the L3Out right.. and allow those traffic via Contract between the External and Internal EPG..

Should be easy to achieve.

The OOB Network is not air-gapped, is it? If you can reach both the workloads in ACI and the OOB Network from your campus network.. you should easily be able to allow traffic between them..

julian.bendix · ‎09-24-2025

The following is all you need to do, allow traffic from the OOB Network to the L3OUT, then allow ACI internally from External EPG to Internal EPG...

nrm081823 · ‎09-24-2025

Hi,

OOB is actually in an isolated network and we are accessing it physically. Here’s my traffic requirements:

Workload 1 (10.150.0.0/24) <> OOB Network 192.168.0.0/24
Workload 2 (10.150.1.0/24) <> OOB Network 192.168.0.0/24
L3Out (10.250.0.0/24) <> OOB Network 192.168.0.0/24

julian.bendix · ‎09-24-2025

I see.. that is not good in that case.

If you would switch to in-band Management instead of OOB, you could solve this by performing route leaking between the mgmt Tenant and the User Tenant(s).

But with OOB mgmt .. this option won't work.

My advice would be to connect the OOB Switch to your Core Network through a Firewall.
Then this problem would be easily solved while still isolation the OOB Network.

BR Jules