Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
399
Views
0
Helpful
4
Replies

ACI / Traffic coming through L3OUT to ESGs is blocked

MarceloBF
Level 1
Level 1

‎05-17-2025 06:35 PM - edited ‎05-26-2025 08:11 PM

Hello Guys

I am trying to implement vrf route leaking using ESGs. If you check the attached diagram my goal is to bypass the flow going through the firewall when all the endpoints in EPG_VLAN200 want to communicate with especific endpoints in EPG_VLAN100. Any other traffic (for both EPGs)  must go through the firewall (interVRF).  

The need to use ESGs is because: 

1. We can't apply a contract to an ESG and EPG at the same time.

2. We need to leak traffic from and to specific endpoints in EPG_VLAN100

So, I have configured two ESGs: 

1. ESG_VLAN100 contains especific IP address selectors 

2. ESG_VLAN200 contains the EPG_VLAN200 as selectors

3. I have created a contract with the default filter and tenant as scope and I have applied the contract as consumed by ESG_VLAN100 and as provided by ESG_VLAN200. 

4. Under each VRF I have configured InterVRF Leaked Routes for ESG to accomplish my goal (bypass the traffic).  

5. I have a vzAny contract (consumed/provided). This configuration is applied both to vrf Blue and vrf Red.

Under these circumstances, the vrf route leaking works as expected, however when the endpoints in EPG_VLAN201 (vrf Red) wants to communicate with the especific endpoints in ESG_VLAN100 (vrf Blue) the traffic is denied. The same happens when the endpoints in EPG_VLAN101 (vrf Blue) want to communicate with the endpoints in ESG_VLAN200 (vrf Red). 

 Looking forward for your comments. Thanks in advance. 

 

Labels:
Preview file
36 KB
0 Helpful
4 Replies 4

AshSe
VIP
VIP

‎05-21-2025 10:34 PM - edited ‎05-27-2025 02:13 AM

Hey @MarceloBF 

I have tried to recreate the diagram (inserted below):

 

Screenshot 2025-05-27 at 2.42.19 PM.png

could you please elaborate the significance of the contracts and arrows shown by you in your diagram.

BR

AshSe

 

0 Helpful

MarceloBF
Level 1
Level 1
In response to AshSe

‎05-26-2025 10:02 AM - edited ‎05-26-2025 12:04 PM

Hello AshSe

I see some incorrect information in your diagram. ESG_VLAN100 and ESG_VLAN200 are linked to endpoints in different subnets, plus unlike ESG_VLAN100, ESG_VLAN200 is using EPG Selectors. About the contract, this is provided by the ESG_VLAN200 (VRF RED) and consumed by the ESG_VLAN100(VRF_BLUE), it is using the default filter (permit any).

The goal is to leak the traffic between enpoints ESG_VLAN100 and endpoints in ESG_VLAN200.

Any other traffic, for example: traffic between enpoints in EPG_VLAN201 (VRF_RED) and endpoints in ESG_VLAN101 (VRF_BLUE) must use the L3out connection. I have made elam captures and I have noticed that this traffic is trying to be leaked as well (pctag 14 0xE).  

0 Helpful

AshSe
VIP
VIP
In response to MarceloBF

‎05-27-2025 12:01 AM

updated

0 Helpful

julian.bendix
Level 3
Level 3

‎05-30-2025 01:52 AM

Hey @MarceloBF !
Could you share more details on the output of the ELAM you ran?
Did it show the traffic as dropped, if yes, what does it show as reason (drop code)?

Other than that, if the config is like shown in the diagram, it looks fine to me.

BR Jules

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License