329 Views | 0 Helpful | 3 Replies

ACI / Traffic coming through L3OUT to ESGs is blocked

MarceloBF
Level 1

Hello Guys

I am trying to implement VRF route leaking using ESGs. If you check the attached diagram, my goal is to bypass the flow going through the firewall when all the endpoints in EPG_VLAN200 want to communicate with specific endpoints in EPG_VLAN100. Any other traffic (for both EPGs) must go through the firewall (inter-VRF).

The need to use ESGs is because: 

1. We can't apply a contract to an ESG and EPG at the same time.

2. We need to leak traffic from and to specific endpoints in EPG_VLAN100

So, I have configured two ESGs: 

1. ESG_VLAN100 contains specific IP address selectors

2. ESG_VLAN200 contains the EPG_VLAN200 as selectors

3. I have created a contract with the default filter and tenant as scope and I have applied the contract as consumed by ESG_VLAN100 and as provided by ESG_VLAN200. 

4. Under each VRF I have configured InterVRF Leaked Routes for ESG to accomplish my goal (bypass the traffic).  

5. I have a vzAny contract (consumed/provided). This configuration is applied both to vrf Blue and vrf Red.

Under these circumstances, the VRF route leaking works as expected; however, when the endpoints in EPG_VLAN201 (VRF Red) want to communicate with the specific endpoints in ESG_VLAN100 (VRF Blue), the traffic is denied. The same happens when the endpoints in EPG_VLAN101 (VRF Blue) want to communicate with the endpoints in ESG_VLAN200 (VRF Red).

Looking forward to your comments. Thanks in advance.
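As an added example (not the poster's configuration and not Cisco code): the check I would run before reading ELAM output is to pull the ESGs from the APIC and see exactly which pcTags, selectors and contract relations exist, then compare the sclass/dclass pair the ELAM reports against the pairs the ESG contract should permit. The script below does that against a constructed JSON sample shaped like an APIC response for the fvESg class (fvESg, fvEPSelector, fvEPgSelector, fvRsProv and fvRsCons are real APIC classes; the pcTag values, DNs, IP addresses and the contract name LEAK_CT are made up). It does not model vzAny or the leaked-route entries, so an observed pair that returns None only means no ESG-to-ESG contract covers it.

```python
import ipaddress
import json
import re

# Constructed sample shaped like an APIC response for the fvESg class.
# pcTags, DNs, IPs and the contract name are invented for this example.
APIC_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvESg": {
            "attributes": {"dn": "uni/tn-T1/ap-AP1/esg-ESG_VLAN100",
                           "name": "ESG_VLAN100", "pcTag": "16386"},
            "children": [
                {"fvEPSelector": {"attributes": {"matchExpression": "ip=='10.1.100.10/32'"}}},
                {"fvEPSelector": {"attributes": {"matchExpression": "ip=='10.1.100.11/32'"}}},
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "LEAK_CT"}}},
            ]}},
        {"fvESg": {
            "attributes": {"dn": "uni/tn-T1/ap-AP1/esg-ESG_VLAN200",
                           "name": "ESG_VLAN200", "pcTag": "32770"},
            "children": [
                {"fvEPgSelector": {"attributes": {"matchEpgDn": "uni/tn-T1/ap-AP1/epg-EPG_VLAN200"}}},
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "LEAK_CT"}}},
            ]}},
    ],
})

IP_EXPR = re.compile(r"ip=='([^']+)'")


def parse_esgs(raw):
    """Map ESG name -> pcTag, selector list, provided and consumed contracts."""
    esgs = {}
    for item in json.loads(raw)["imdata"]:
        obj = item["fvESg"]
        attrs = obj["attributes"]
        entry = {"pcTag": int(attrs["pcTag"]), "selectors": [],
                 "provides": set(), "consumes": set()}
        for child in obj.get("children", []):
            (cls, body), = child.items()
            a = body["attributes"]
            if cls == "fvEPSelector":
                entry["selectors"].append(a["matchExpression"])
            elif cls == "fvEPgSelector":
                entry["selectors"].append("epg:" + a["matchEpgDn"])
            elif cls == "fvRsProv":
                entry["provides"].add(a["tnVzBrCPName"])
            elif cls == "fvRsCons":
                entry["consumes"].add(a["tnVzBrCPName"])
        esgs[attrs["name"]] = entry
    return esgs


def expected_pairs(esgs):
    """(sclass, dclass, contract) triples an ESG-to-ESG contract should permit.

    Every consumer pcTag is paired with every provider pcTag of the same
    contract; the reverse direction is included because the fabric programs
    zoning rules for both directions of a permitted conversation."""
    providers, consumers = {}, {}
    for e in esgs.values():
        for ct in e["provides"]:
            providers.setdefault(ct, set()).add(e["pcTag"])
        for ct in e["consumes"]:
            consumers.setdefault(ct, set()).add(e["pcTag"])
    pairs = set()
    for ct in providers.keys() & consumers.keys():
        for c in consumers[ct]:
            for p in providers[ct]:
                pairs.add((c, p, ct))
                pairs.add((p, c, ct))
    return pairs


def classify_flow(sclass, dclass, pairs):
    """Contract name for an observed (sclass, dclass) from ELAM, or None."""
    for c, p, ct in pairs:
        if (c, p) == (sclass, dclass):
            return ct
    return None


def esg_for_ip(ip, esgs):
    """Name of the ESG whose IP selectors cover `ip`; EPG selectors are skipped."""
    addr = ipaddress.ip_address(ip)
    for name, e in esgs.items():
        for sel in e["selectors"]:
            m = IP_EXPR.fullmatch(sel)
            if m and addr in ipaddress.ip_network(m.group(1), strict=False):
                return name
    return None


if __name__ == "__main__":
    esgs = parse_esgs(APIC_RESPONSE)
    pairs = expected_pairs(esgs)
    for name, e in esgs.items():
        print(name, e["pcTag"], e["selectors"], sorted(e["provides"]), sorted(e["consumes"]))
    # A flow sourced from the ESG_VLAN100 pcTag towards the ESG_VLAN200 pcTag
    # is covered by the contract; one sourced from an unrelated class is not.
    print(classify_flow(16386, 32770, pairs))   # LEAK_CT
    print(classify_flow(14, 16386, pairs))      # None
    print(esg_for_ip("10.1.100.10", esgs))      # ESG_VLAN100
    print(esg_for_ip("10.1.101.10", esgs))      # None
```

On a live fabric the same parser can be fed the body of `GET /api/class/fvESg.json?rsp-subtree=full` after an APIC login (that URL is my assumption about the query you would use, not something from the thread); the selector syntax and pcTags will be whatever the tenant actually has. The useful comparison is then between the sclass/dclass the ELAM shows and the pairs this script expects: an endpoint in EPG_VLAN101 has no IP selector in ESG_VLAN100, so `esg_for_ip` returning None for it is the expected result, and a flow that still hits an ESG-related rule points at the leaked-route or vzAny configuration rather than at the ESG contract itself.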

3 Replies

AshSe
VIP

Hey @MarceloBF 

I have tried to recreate the diagram (inserted below):

Screenshot 2025-05-27 at 2.42.19 PM.png

Could you please elaborate on the significance of the contracts and arrows shown in your diagram?

BR

AshSe

Hello AshSe

I see some incorrect information in your diagram. ESG_VLAN100 and ESG_VLAN200 are linked to endpoints in different subnets, plus, unlike ESG_VLAN100, ESG_VLAN200 is using EPG selectors. About the contract, this is provided by ESG_VLAN200 (VRF_RED) and consumed by ESG_VLAN100 (VRF_BLUE); it is using the default filter (permit any).

The goal is to leak the traffic between endpoints in ESG_VLAN100 and endpoints in ESG_VLAN200.

Any other traffic, for example traffic between endpoints in EPG_VLAN201 (VRF_RED) and endpoints in EPG_VLAN101 (VRF_BLUE), must use the L3Out connection. I have made ELAM captures and I have noticed that this traffic is trying to be leaked as well (pcTag 14, 0xE).
