05-17-2025 06:35 PM - edited 05-26-2025 08:11 PM
Hello Guys
I am trying to implement VRF route leaking using ESGs. If you check the attached diagram, my goal is to bypass the flow going through the firewall when all the endpoints in EPG_VLAN200 want to communicate with specific endpoints in EPG_VLAN100. Any other traffic (for both EPGs) must go through the firewall (inter-VRF).
The need to use ESGs is because:
1. We can't apply a contract to an ESG and EPG at the same time.
2. We need to leak traffic from and to specific endpoints in EPG_VLAN100
So, I have configured two ESGs:
1. ESG_VLAN100 contains specific IP address selectors.
2. ESG_VLAN200 contains EPG_VLAN200 as a selector.
3. I have created a contract with the default filter and tenant scope, and I have applied the contract as consumed by ESG_VLAN100 and as provided by ESG_VLAN200.
4. Under each VRF I have configured InterVRF Leaked Routes for ESG to accomplish my goal (bypass the traffic).
5. I have a vzAny contract (consumed/provided). This configuration is applied both to vrf Blue and vrf Red.
Under these circumstances, the VRF route leaking works as expected; however, when the endpoints in EPG_VLAN201 (VRF Red) want to communicate with the specific endpoints in ESG_VLAN100 (VRF Blue), the traffic is denied. The same happens when the endpoints in EPG_VLAN101 (VRF Blue) want to communicate with the endpoints in ESG_VLAN200 (VRF Red).
Looking forward to your comments. Thanks in advance.
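The five configuration steps in the post above, assembled as an APIC REST (XML) payload, plus a check that the prefixes leaked out of VRF Blue are no wider than the ESG IP selectors. This is an added example, not code from the original post or from Cisco. The tenant, application profile, VRF names, host addresses and the attribute names used under leakRoutes (leakInternalSubnet, leakTo) are assumptions; confirm them against your own fabric with the API Inspector before posting.

```python
"""Assemble the ESG inter-VRF route-leaking configuration described above as an
APIC REST (XML) payload, and check that leaked prefixes are no wider than the
ESG IP selectors. Added example, not code from the original post or from Cisco.
Tenant, AP, VRF names, addresses and the leakRoutes attribute names are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed names and addresses; replace with your own.
TENANT = "Demo"
AP = "AP1"
VRF_BLUE = "Blue"    # EPG_VLAN100 / EPG_VLAN101 live here
VRF_RED = "Red"      # EPG_VLAN200 / EPG_VLAN201 live here
CONTRACT = "ESG_LEAK"
# Only these hosts in EPG_VLAN100 may bypass the firewall (assumed /32s).
LEAK_HOSTS_BLUE = ["10.100.0.10/32", "10.100.0.11/32"]
# Bridge-domain subnet behind EPG_VLAN200 (assumed).
LEAK_SUBNET_RED = "10.200.0.0/24"
EPG_VLAN200_DN = f"uni/tn-{TENANT}/ap-{AP}/epg-EPG_VLAN200"


def build_config() -> ET.Element:
    """Return the fvTenant subtree: contract, two ESGs and leaked routes under each VRF."""
    tn = ET.Element("fvTenant", name=TENANT)

    # Step 3: contract with tenant scope and the default (permit-any) filter.
    bc = ET.SubElement(tn, "vzBrCP", name=CONTRACT, scope="tenant")
    subj = ET.SubElement(bc, "vzSubj", name="any")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName="default")

    ap = ET.SubElement(tn, "fvAp", name=AP)

    # Step 1: ESG_VLAN100 in VRF Blue, one IP selector per host, consumer of the contract.
    esg100 = ET.SubElement(ap, "fvESg", name="ESG_VLAN100")
    ET.SubElement(esg100, "fvRsScope", tnFvCtxName=VRF_BLUE)
    for host in LEAK_HOSTS_BLUE:
        ET.SubElement(esg100, "fvEPSelector", matchExpression=f"ip=='{host}'")
    ET.SubElement(esg100, "fvRsCons", tnVzBrCPName=CONTRACT)

    # Step 2: ESG_VLAN200 in VRF Red, selects the whole EPG, provider of the contract.
    esg200 = ET.SubElement(ap, "fvESg", name="ESG_VLAN200")
    ET.SubElement(esg200, "fvRsScope", tnFvCtxName=VRF_RED)
    ET.SubElement(esg200, "fvEPgSelector", matchEpgDn=EPG_VLAN200_DN)
    ET.SubElement(esg200, "fvRsProv", tnVzBrCPName=CONTRACT)

    # Step 4: leaked routes under each VRF. The attribute names are this example's
    # assumption about the leakRoutes model; verify with the API Inspector.
    _leak(ET.SubElement(tn, "fvCtx", name=VRF_BLUE), LEAK_HOSTS_BLUE, VRF_RED)
    _leak(ET.SubElement(tn, "fvCtx", name=VRF_RED), [LEAK_SUBNET_RED], VRF_BLUE)
    return tn


def _leak(ctx: ET.Element, prefixes, to_vrf: str) -> None:
    """Attach leakRoutes/leakInternalSubnet/leakTo to a VRF for each prefix."""
    lr = ET.SubElement(ctx, "leakRoutes")
    for prefix in prefixes:
        subnet = ET.SubElement(lr, "leakInternalSubnet", ip=prefix, scope="public")
        ET.SubElement(subnet, "leakTo", tenantName=TENANT, ctxName=to_vrf, scope="inherit")


def leaked_prefixes(tn: ET.Element, vrf: str):
    """Prefixes leaked out of one VRF in the built payload."""
    path = f"./fvCtx[@name='{vrf}']/leakRoutes/leakInternalSubnet"
    return [s.get("ip") for s in tn.findall(path)]


def too_broad(prefixes, selector_ips):
    """Return leaked prefixes not contained in any ESG IP selector. A leaked prefix is
    a VRF-level route that every endpoint in the destination VRF receives, so leaking
    the whole VLAN100 subnet instead of the selected hosts exposes the hosts the
    firewall was meant to front."""
    selectors = [ipaddress.ip_network(s) for s in selector_ips]
    return [p for p in prefixes
            if not any(ipaddress.ip_network(p).subnet_of(s) for s in selectors)]


def to_xml(tn: ET.Element) -> str:
    """Serialise for a POST to https://<apic>/api/mo/uni.xml (not performed here)."""
    return ET.tostring(tn, encoding="unicode")


if __name__ == "__main__":
    cfg = build_config()
    print(to_xml(cfg))
    print("too broad:", too_broad(leaked_prefixes(cfg, VRF_BLUE), LEAK_HOSTS_BLUE))
```

Run it with no arguments to print the payload and the result of the width check; the check is the part worth keeping in a pre-change review, since the contract only governs what ESG_VLAN200 may reach, while the leaked route decides which VRF Red endpoints can route to the VLAN100 hosts at all.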
05-21-2025 10:34 PM - edited 05-27-2025 02:13 AM
Hey @MarceloBF
I have tried to recreate the diagram (inserted below):
Could you please elaborate on the significance of the contracts and arrows shown in your diagram?
BR
AshSe
05-26-2025 10:02 AM - edited 05-26-2025 12:04 PM
Hello AshSe
I see some incorrect information in your diagram. ESG_VLAN100 and ESG_VLAN200 are linked to endpoints in different subnets; also, unlike ESG_VLAN100, ESG_VLAN200 is using EPG selectors. About the contract: it is provided by ESG_VLAN200 (VRF RED) and consumed by ESG_VLAN100 (VRF_BLUE), and it is using the default filter (permit any).
The goal is to leak the traffic between endpoints in ESG_VLAN100 and endpoints in ESG_VLAN200.
Any other traffic, for example traffic between endpoints in EPG_VLAN201 (VRF_RED) and endpoints in ESG_VLAN101 (VRF_BLUE), must use the L3Out connection. I have made ELAM captures and noticed that this traffic is also trying to be leaked (pcTag 14, 0xE).
05-27-2025 12:01 AM
updated