Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
328
Views
0
Helpful
2
Replies

ACI route leaking to L3out in different VRF

Go to solution
vv0bbLeS
Level 1
Level 1

ā€Ž05-14-2024 06:02 PM - edited ā€Ž05-14-2024 06:03 PM

Hello all,

I have a small ACI deployment with only 2 Leafs. What I want is to have "Isolated" subnets that are behind a firewall connected to my ACI (so traffic to those "Isolated" subnets has to pass through that firewall).

To accomplish this, say I have this configuration:

  • VRF-MAIN as my main VRF
  • L3OUT-EIGRP-TO-CORE as my EIGRP L3out to my core routers. This L3out is in VRF-MAIN
  • --------------------------------
  • VRF-ISOLATED as an isolated VRF
  • L3OUT-TO-ISOLATED-FIREWALL as my L3out to my "Isolated" firewall. This L3out is in VRF-ISOLATED
  • BD-ISOLATED-SUBNETS as my Bridge Domain that contains my "Isolated" subnets. This BD is associated to L3OUT-TO-ISOLATED-FIREWALL. Traffic to these "Isolated" subnets has to pass through the Isolated Firewall connected to ACI.

 

What I would like is for things outside ACI to be able to reach those "Isolated" subnets. To do this, I need my core routers outside my fabric (connected via L3OUT-EIGRP-TO-CORE) to learn the "Isolated" subnets that sit in BD-ISOLATED-SUBNETS.

Would I need to configure route-leaking between those L3out's to accomplish this? Or is there a better way to design this, if I wanted to have an "Isolated" Bridge Domain that has to pass through a firewall?

 

0xD2A6762E
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Remi-Astruc
Cisco Employee
Cisco Employee

ā€Ž05-14-2024 11:45 PM

Hi @vv0bbLeS ,

Definitely not using route leaking, otherwise the learning will precisely bypass the Firewall.

In your description we miss how the Main VRF connects to the FW. You would need another L3Out in Main VRF connecting the FW. Routing protocols along the path would advertise the subnets till outside (with some caveats to care about).

However, if your Fabric is used only for that, the design seems a bit overkill and you could for exp interconnect the Core and FW directly, avoiding the Main VRF in between.

Well, there could be different ways to handle your need, but that goes a bit beyond the scope of that forum. Feel free to involve Cisco CX Advanced Services so we can help you on such design topics and knowledge transfer.

Regards

Remi Astruc

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Remi-Astruc
Cisco Employee
Cisco Employee

ā€Ž05-14-2024 11:45 PM

Hi @vv0bbLeS ,

Definitely not using route leaking, otherwise the learning will precisely bypass the Firewall.

In your description we miss how the Main VRF connects to the FW. You would need another L3Out in Main VRF connecting the FW. Routing protocols along the path would advertise the subnets till outside (with some caveats to care about).

However, if your Fabric is used only for that, the design seems a bit overkill and you could for exp interconnect the Core and FW directly, avoiding the Main VRF in between.

Well, there could be different ways to handle your need, but that goes a bit beyond the scope of that forum. Feel free to involve Cisco CX Advanced Services so we can help you on such design topics and knowledge transfer.

Regards

Remi Astruc
0 Helpful

Go to solution
vv0bbLeS
Level 1
Level 1
In response to Remi-Astruc

ā€Ž05-15-2024 06:56 AM

@Remi-Astruc ah yes forgot to mention there is another L3OUT in the main VRF to the FW, and yes this fabric is also used for other things (not just the isolated network). Thank you for your answer, it was very helpful!

0xD2A6762E
0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License