cisco ACI - Error 400

titusroz03
Level 1

Dear ACI Experts,

We are running into a problem with ACI: none of our BDs can be submitted, and we are getting the 400 error below for all BDs in our prod tenant. We have mapped all our BDs to EPGs on a one-to-one basis.

 

titusroz03_1-1758187569190.png

Subnets are configured in the EPG and BD with the scope options below.

EPG scope option settings

titusroz03_2-1758187806518.png

BD Scope option settings

titusroz03_3-1758187854521.png

When we raised this with TAC, they told us to download and modify the scope settings offline, but this issue is not only with the scope settings but throughout the BD: any change we make in the BD, we cannot submit.

We used a TEST BD and moved it to the common VRF, and it worked fine: we could modify any option. But when we tried to revert it back to prod-vrf, we couldn't.

Can anyone help me with this?


27 Replies

RedNectar
VIP Alumni

Reposting with full-size images so I can read them.

@titusroz03 - here's a hint


When posting on the forum, add your pictures inline, i.e. PASTE your picture right where you want it. If it is a screenshot, you'll probably then want to click on the image and make the image large, like this.

RedNectar_1-1685651021448.png

This means your pictures are actually SEEN (a) in the email that gets sent to subscribers and (b) by anyone who looks at this post in the future. Adding pictures as attachments... puts your submission into the TL;DR category.



@titusroz03 wrote:

Dear ACI Experts,

We are running into a problem with ACI: none of our BDs can be submitted, and we are getting the 400 error below for all BDs in our prod tenant. We have mapped all our BDs to EPGs on a one-to-one basis.

 

titusroz03_1-1758187569190.png

Subnets are configured in the EPG and BD with the scope options below.

EPG scope option settings

titusroz03_2-1758187806518.png

BD Scope option settings

titusroz03_3-1758187854521.png

When we raised this with TAC, they told us to download and modify the scope settings offline, but this issue is not only with the scope settings but throughout the BD: any change we make in the BD, we cannot submit.

We used a TEST BD and moved it to the common VRF, and it worked fine: we could modify any option. But when we tried to revert it back to prod-vrf, we couldn't.

Can anyone help me with this?



RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi @titusroz03 ,

The 400 error message indicates that there is an overlapping subnet somewhere within the VRF. I'd suggest you issue a command like:

fabric <lowest_leaf_id>-<highest_leaf_id> show ip route <tenant>:<VRF>

and double-check that there is not already a subnet that overlaps with 10.129.199.0/24 or 10.22.56.0/22,

i.e. between 10.129.199.0 and 10.129.199.254, or

between 10.22.56.0 and 10.22.59.254.


RedNectar aka Chris Welsh.

titusroz03_0-1758619091489.png

@RedNectar I could see this output on all the leaves from 1 to 4 when I ran the show command as you mentioned. Please advise.


Hi @titusroz03 ,

Sorry for the slow reply. Was too busy yesterday.

That output shows that the 10.22.56.0/22 subnet is already configured on another leaf, presumably on a different EPG or BD.

Probably a better command to help find the overlapping IP addresses is:

show running-config tenant <your_tenant_name> interface

This will show you all configured BD IP addresses, something like this:

apic1# show running-config tenant common interface
# Command: show running-config tenant common interface
# Time: Tue Sep 23 22:00:52 2025
  tenant common
    interface bridge-domain SharedServices_BD
      description 'Created as part of Housley standard setup by setup_Shared fab common&mgmt tn'
      ip address 10.200.0.1/24 secondary scope public
      ip shared address 10.200.0.1/24 consumer application any epg any
      ip shared address 10.200.0.5/32 provider application SharedServices_AP epg SharedServices_EPG scope public
      exit
    interface bridge-domain default
      exit
    exit
apic1#

Note how the IP addresses assigned to EPGs also turn up in the output for the BD config.


Meanwhile - I forgot to ask about your original post. Are you getting the 400 error when defining an IP address on an EPG or on a BD? And what addresses were already defined on the BD and EPG?

And also, I wonder: if you have "mapped all our BDs to EPGs in one-to-one basis", then WHY are you defining IP addresses on both the EPG and the BD? One or the other is sufficient.


RedNectar aka Chris Welsh.

@RedNectar I will check the command you have given; meanwhile, to answer your question, any change I make on a BD or EPG gives me this error.

@titusroz03 ,

OK. If the error occurs on both the BD and the EPG, then I guess you had better see whether show running-config tenant <your_tenant_name> interface shows any routes to the IP address shown in the error.

RedNectar aka Chris Welsh.

HaiCa
Level 1

Sorry, but I can see clearly that the scope of the EPG's subnet is not the same as the BD's subnet.

The EPG's subnet has:

  • Advertised Externally disabled
  • Shared between VRFs enabled

The BD's subnet has:

  • Advertised Externally enabled
  • Shared between VRFs disabled

As I understand it, these need to be the same. May I know why you want the settings like this? Multi-pod | multi-VRF contract?

@HaiCa Actually, this multi-pod setup was handed over to us from a different vendor; they implemented it and were managing it before. They haven't provided sufficient info about it and left. I have started to explore it, and this issue started after an upgrade to 5.2.

So this is a multi-pod setup with four tenants (Prod, Pre-prod, DMZ-Prod, DMZ-Preprod). Prod and Prod-DMZ come under POD1, and Preprod and Preprod-DMZ come under POD2. Each tenant has a VRF, and we have contracts between the tenants, i.e. prod to preprod, for pod-to-pod connectivity in the multi-pod.

We have an IPN link between the pod1 and pod2.

So I am assuming that you have configured route leaking between VRFs (inside tenants). Just apply the same configuration for the BD's subnet and the EPG's subnet. I have implemented that config for some multi-pod environments. I really like this article; I hope it can help you understand more about this kind of setup:

https://community.cisco.com/t5/data-center-and-cloud-blogs/cisco-aci-inter-vrf-tenant-route-leaking-design-simplified/ba-p/3820919

Best regards!

@HaiCa Thanks for sharing the document. It was really helpful for understanding the traffic flow and routing through contracts in our multi-pod setup. So I understand that enabling Shared between VRFs on the provider and consumer EPGs in both the provider and consumer tenants, and applying a global contract, will give the inter-VRF route leak. But at the same time, the document below tells me that the subnet under the BD should not be enabled for Shared between VRFs.

ACI Inter VRF/Tenant Route Leaking Configuration Example - Cisco Community

Step1: Configure shared subnet under the provider-epg as opposed to configuring under BD.

First, it doesn't allow me to enable the same settings in both the BD and the EPG, because I can't submit any change through the online GUI.

Second, even though I can do it offline, I am skeptical about enabling Shared between VRFs on the BD subnet, since it wasn't suggested by Cisco in the above document, as you can see, and it wasn't done in the original setup either.

I have to explore some other options to get the fabric out of this unknown trap.

Again, it would be good if you could share the ACI version that is running.
I can see that the article you mention is for version 2.3(1f). The latest official setup, I believe, may be found in the white paper:

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html

HaiCa_0-1759228515514.png

So if your ACI version is older than 4.2, I'm sorry that I cannot help, because I only work with ACI version 5 or 6.

Since the GUI does not allow you to submit, I recommend you open a TAC case.

For minimal downtime, you can prepare a Postman REST API or curl script, or use some other automation tool. It may be good to delete all the subnets on the EPGs --> enable Shared on the BD --> configure the EPG's subnet with the same scope settings as the BD subnet. That will only take 5 minutes in a maintenance window if prepared well.

Hope that can help.
Thanks

Hi @titusroz03 ,

Let me emphasise how important it is to give the full picture when you ask the question, not after time-giving volunteers have spent considerable time trying to interpret and re-create the problem from the scant information you supplied in your original post.

And if you want follow-up, it is important to address all the questions you are asked as well.

I hope someone solves this for you, but for me, my patience timer has expired on this one.

RedNectar aka Chris Welsh.

titusroz03
Level 1

@RedNectar I extend my apologies for my unresponsiveness. I got the output for the command you gave me. I am posting the snaps of the BD, the EPG and the show run command. In addition, I see the same error 400 on subnet 10.22.59.254/22 if I make any change on any bridge domain/EPG unrelated to this subnet.


@titusroz03 

Let's start by looking at your images.

RedNectar_0-1759265711604.jpeg RedNectar_2-1759265827145.jpeg


ACI-BCP_EPG.jpg  ACI-BCP-BD.jpg


RedNectar_1-1759265813354.jpeg

And now I'll return to the question I asked in an earlier reply (perhaps I didn't highlight it sufficiently):

And also, wondering if you have "mapped all our BDs to EPGs in one-to-one basis." then WHY are you defining IP addresses on both the EPG and the BD? One or the other is sufficient.

So, I'll ask again: "Why are you configuring an IP address on BOTH the EPG and the BD?"

Now, there's nothing stopping you from configuring an IP address on BOTH the EPG and the BD, but at the end of the day (as I pointed out in the same reply: note how the IP addresses assigned to EPGs also turn up in the output for the BD config) the EPG subnet information is configured under the BD structure, which is why it can't conflict with the BD.

SO, if you DO configure an IP address on BOTH the EPG and the BD, then they both must have the same scope, as explained by the error message:

RedNectar_3-1759267168846.png

Solution:

Assuming you want the 10.22.59.254/22 subnet to be both Advertised Externally AND Shared between VRFs, here is my advice.

  1. Remove the IP subnet from the EPG configuration
  2. Change the scope of the BD subnet to be both Advertised Externally AND Shared between VRFs

Let me know if that solves your problem.

RedNectar aka Chris Welsh.
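An added example in Python (not code from any poster, nor Cisco's own tooling) that turns the check in the reply above, and HaiCa's earlier suggestion of scripting the change over the REST API, into a pre-change validation: it walks a tenant export in the APIC JSON shape, finds every subnet present on both an EPG and its bound BD with mismatched scope flags, and builds the two fvSubnet POST bodies (delete the EPG copy, set the BD copy's scope to the union). The tenant, AP, BD and EPG names in the sample data are constructed; the class, DN and attribute names follow the ACI object model, which you should confirm against your own APIC export before posting anything.

```python
import ipaddress

# Constructed sample in the shape APIC returns for
# GET /api/mo/uni/tn-<tenant>.json?rsp-subtree=full (tenant, AP, BD, EPG names are hypothetical).
TENANT = {"fvTenant": {"attributes": {"name": "prod"}, "children": [
    {"fvBD": {"attributes": {"name": "BCP_BD"}, "children": [
        {"fvSubnet": {"attributes": {"ip": "10.22.59.254/22", "scope": "public"}}}]}},
    {"fvAp": {"attributes": {"name": "BCP_AP"}, "children": [
        {"fvAEPg": {"attributes": {"name": "BCP_EPG"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "BCP_BD"}}},
            {"fvSubnet": {"attributes": {"ip": "10.22.59.254/22", "scope": "shared"}}}]}}]}}]}}

def _kids(mo, cls):
    """Children of managed object `mo` that belong to class `cls`."""
    return [c[cls] for c in mo.get("children", []) if cls in c]

def find_conflicts(tenant):
    """Report every subnet configured on both an EPG and the BD it is bound to with
    different scope flags: the condition the 400 error in this thread complains about."""
    tn = tenant["fvTenant"]
    bds = {bd["attributes"]["name"]: bd for bd in _kids(tn, "fvBD")}
    hits = []
    for ap in _kids(tn, "fvAp"):
        for epg in _kids(ap, "fvAEPg"):
            bd_name = next((r["attributes"]["tnFvBDName"] for r in _kids(epg, "fvRsBd")), None)
            if bd_name not in bds:
                continue  # EPG with no BD binding, or BD outside this tenant
            bd_subs = {ipaddress.ip_interface(s["attributes"]["ip"]).network: s["attributes"]
                       for s in _kids(bds[bd_name], "fvSubnet")}
            for s in _kids(epg, "fvSubnet"):
                a = s["attributes"]
                b = bd_subs.get(ipaddress.ip_interface(a["ip"]).network)
                if b and set(b["scope"].split(",")) != set(a["scope"].split(",")):
                    hits.append({"tenant": tn["attributes"]["name"], "ap": ap["attributes"]["name"],
                                 "epg": epg["attributes"]["name"], "bd": bd_name, "ip": a["ip"],
                                 "bd_scope": b["scope"], "epg_scope": a["scope"]})
    return hits

def fix_payloads(hit):
    """REST bodies for the remediation: delete the EPG copy of the subnet, then give the BD copy
    the union of both scope sets. 'private' is dropped once 'public' is present because the two
    are mutually exclusive in ACI. Each body is POSTed to https://<apic>/api/mo/<dn>.json."""
    flags = set(hit["bd_scope"].split(",")) | set(hit["epg_scope"].split(","))
    if "public" in flags:
        flags.discard("private")
    epg_dn = f"uni/tn-{hit['tenant']}/ap-{hit['ap']}/epg-{hit['epg']}/subnet-[{hit['ip']}]"
    bd_dn = f"uni/tn-{hit['tenant']}/BD-{hit['bd']}/subnet-[{hit['ip']}]"
    return [(epg_dn, {"fvSubnet": {"attributes": {"dn": epg_dn, "status": "deleted"}}}),
            (bd_dn, {"fvSubnet": {"attributes": {"dn": bd_dn, "scope": ",".join(sorted(flags))}}})]
```

Run find_conflicts over the real export first and review the list; only then post the payloads, in the order returned, inside the maintenance window.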
