Communication between Users in Different VRF is Cisco ACI

Bharatsiingh1
Level 1

Dear All,

 

I have a question on what is the best approach to allow communication between two users in different VRFs in Cisco ACI.

 

I understand VRF leaking can do this, but is there any other way to do the same?


RedNectar
VIP

Hi @Bharatsiingh1 ,


I have a question on what is the best approach to allow communication between two users in different VRFs in Cisco ACI.

To allow two users (as opposed to two EPGs - you said users - so I'll answer THAT question) in different VRFs to communicate in ACI, follow these steps:

  1. Create filters and a contract that define which protocols, ports, etc. you wish to allow the communication on, and decide which of the two users is the provider of the services (i.e. the server side of the communication) and which of the two users is the consumer of the services (i.e. the client side of the communication).  It matters.
    • Make sure you mark the scope of the contract as Tenant (if both users are in the same tenant) or Global (if the users are in different tenants)
      • If the users are in different tenants, create the contract in the provider tenant, and export the contract to the consumer tenant
  2. Now navigate to the provider user's EPG > Contracts >+ Add Provided Contract
    • Select the contract you just created as a Provided contract
  3. Now navigate to the provider user's EPG > Subnets >+ Create EPG Subnet
    • Create a new subnet that defines the IP address (x.x.x.x/32) of the provider user
      • Make sure you mark the subnet as:
        1. [x] No default SVI gateway
        2. [x] Shared between VRFs
  4. IF the consumer is...
    • in a DIFFERENT tenant
      • navigate to the consumer user's EPG > Contracts >+ Add Consumed Contract Interface
        • Select the contract you just created as a Consumed contract Interface
    • in the SAME tenant
      • navigate to the consumer user's EPG > Contracts >+ Add Consumed Contract
        • Select the contract you just created as a Consumed contract
  5. Now navigate to the consumer user's BD (or EPG - it doesn't matter) > Subnets >+ Create EPG Subnet
    • Create a new subnet that defines the IP address (x.x.x.x/32) of the consumer user
      • Make sure you mark the subnet as:
        1. [x] No default SVI gateway
        2. [x] Shared between VRFs

Job's done.


I understand VRF leaking can do this, but is there any other way to do the same?


NO

Think it through!

User IP-A sends a TCP SYN addressed to IP-B on another subnet

It sends the packet to its default gateway's MAC address

The default gateway doesn't know the route to B because someone thought that route leaking wasn't necessary

What happens to the packet? 

Or if the default gateway happens to have a route (because of a default route perhaps), you can follow the same dead-end logic for the reply packet.


I hope this helps.


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
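The steps above, turned into the APIC REST objects they correspond to, as an added example (this is not RedNectar's code and not Cisco's own tooling). Tenant, application profile, EPG and contract names and the two /32 addresses are constructed for illustration; the intra-tenant path (fvRsCons) is shown, and the cross-tenant variant is only noted in a comment. The script builds and lint-checks the JSON; it does not log in to or POST to an APIC.

```python
"""Build the APIC policy tree for inter-VRF communication between two /32 hosts
and check it for the two settings the post insists on: contract scope not left
at the VRF default, and each leaked /32 marked shared + no-default-gateway.

Added example; names and addresses below are constructed, not from the post.
"""
import json

TENANT = "Tenant-A"                                   # assumed tenant name
PROVIDER = {"ap": "AP-Prov", "epg": "EPG-Server", "ip": "10.1.1.10/32"}
CONSUMER = {"ap": "AP-Cons", "epg": "EPG-Client", "ip": "10.2.2.20/32"}
CONTRACT = "shared-services"


def mo(cls, attributes, children=()):
    """Shape one managed object the way the APIC JSON API expects it."""
    return {cls: {"attributes": attributes, "children": list(children)}}


def shared_host_subnet(ip):
    """Steps 3 and 5: a /32 EPG subnet, 'No default SVI gateway' + 'Shared between VRFs'."""
    return mo("fvSubnet", {"ip": ip, "scope": "private,shared", "ctrl": "no-default-gateway"})


def build_policy(contract_scope="tenant"):
    """Return the fvTenant tree for the same-tenant case (step 4, 'in the SAME tenant').

    For the cross-tenant case the consumer EPG would instead carry an fvRsConsIf
    pointing at a vzCPIf (exported contract) in the consumer tenant; not built here.
    """
    filt = mo("vzFilter", {"name": "allow-https"}, [
        mo("vzEntry", {"name": "https", "etherT": "ip", "prot": "tcp",
                       "dFromPort": "443", "dToPort": "443", "stateful": "yes"})])
    contract = mo("vzBrCP", {"name": CONTRACT, "scope": contract_scope}, [   # step 1
        mo("vzSubj", {"name": "https", "revFltPorts": "yes"}, [
            mo("vzRsSubjFiltAtt", {"tnVzFilterName": "allow-https"})])])
    prov_epg = mo("fvAEPg", {"name": PROVIDER["epg"]}, [
        mo("fvRsProv", {"tnVzBrCPName": CONTRACT}),                           # step 2
        shared_host_subnet(PROVIDER["ip"])])                                  # step 3
    cons_epg = mo("fvAEPg", {"name": CONSUMER["epg"]}, [
        mo("fvRsCons", {"tnVzBrCPName": CONTRACT}),                           # step 4
        shared_host_subnet(CONSUMER["ip"])])                                  # step 5
    return mo("fvTenant", {"name": TENANT}, [
        filt, contract,
        mo("fvAp", {"name": PROVIDER["ap"]}, [prov_epg]),
        mo("fvAp", {"name": CONSUMER["ap"]}, [cons_epg])])


def walk(tree):
    """Yield (class, attributes) for every object in the tree, depth first."""
    for cls, body in tree.items():
        yield cls, body["attributes"]
        for child in body.get("children", []):
            yield from walk(child)


def lint(tree):
    """Return a list of problems; empty list means the tree passes both checks."""
    problems = []
    for cls, attrs in walk(tree):
        # APIC defaults vzBrCP scope to 'context' (VRF), which never crosses VRFs
        if cls == "vzBrCP" and attrs.get("scope", "context") not in ("tenant", "global"):
            problems.append(f"contract {attrs['name']}: scope must be tenant or global for inter-VRF use")
        if cls == "fvSubnet":
            scope = attrs.get("scope", "private").split(",")
            ctrl = attrs.get("ctrl", "").split(",")
            if "shared" not in scope:
                problems.append(f"subnet {attrs['ip']}: not marked 'Shared between VRFs'")
            if "no-default-gateway" not in ctrl:
                problems.append(f"subnet {attrs['ip']}: 'No default SVI gateway' not set")
    return problems


def to_post_body(tree):
    """JSON body for POST https://<apic>/api/mo/uni.json (authenticated session not shown)."""
    return json.dumps(tree, indent=2)


if __name__ == "__main__":
    good = build_policy()
    print(lint(good) or "policy passes checks")
    print(lint(build_policy(contract_scope="context")))   # scope left at default
    print(to_post_body(good)[:300])
```

The lint step is the part worth keeping: the GUI defaults the contract scope to VRF and the subnet to "Private to VRF", so a leak that silently does nothing is nearly always one of those two checkboxes.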

Thanks Chris Welsh @RedNectar 

No problem @kirank10 .  Let's hope @Bharatsiingh1 finds it useful too.

RedNectar aka Chris Welsh.

I think there is another solution: create two L3Outs, one for the first VRF and a second for the second VRF, and have the firewall that is connected to the ACI L3Outs do the routing between the two VRFs.

I have a question.

If I have Cisco ACI Multi-Site and the two fabrics are working in two sites (assume each site has different VRF, tenant and application profile names), and I need to extend some VLANs through NDO as well as have subnets talk to the other EPGs, is the good approach to make the VRF, tenant and application profile the same in the two sites, so that NDO can import and see them and use them for the extension, to avoid leaking the routing between the two VRFs through a firewall?
