Inter vrf communication under same user tenant fails

ramu.gajula · ‎01-23-2022

Hello Everyone,

I have tenant named TN-MFG and contains two VRF's VRF-MFG and VRF-TESTDEV.

1. VRF-MFG using VzAny contract pretty much allow all between all EPG's.

2. VRF-MFG also has external EPG with OSPF L3OUT.

3. VRF-TESTDEV has an EPG called EPG-TESTDEV1 for now, but additional EPG's will be created later.

What i am trying to achieve is to establish a communication between EPG-TESTDEV1 in VRF-TESTDEV and External L3 EPG in VRF-MFG. However, after applying the contract between both EPG's and routes being populated in respective VRF tables, the communication still fails.

Please help me figure this out. Thank you.

RedNectar · ‎01-23-2022

Hi @ramu.gajula ,

I'm a little confused - the title of your post says "same user tenant" but the text refers to TWO tenants.

Also, you haven't mentioned bridge domains or subnets.

And you haven't said whether the L3 EPG is PROVIDING or CONSUMING the contract.

BUT - here are a few things to remember

If the provider of the contract is an Application EPG, the subnet MUST be defined on the EPG - NOT the Bridge Domain, although if it is defined in both places it won't matter.
The subnet on the provider EPG MUST have the Shared Between VRFs option enabled - or if the provider EPG is the L3 EPG, enable the Shared Route Control Subnet
The subnet of the consumer BD
MUST have the Shared Between VRFs option enabled - or if the consumer EPG is the L3 EPG, enable the Shared Route Control Subnet AND the Shared Security Import Subnet
If you are actually going between tenants,
1. go to the PROVIDER TENANT and make sure the contract is created in that tenant, and EXPORT the contract to the consumer tenant
2. in the consumer tenant, consume the contract as a Consumed contract interface

I hope this helps. I've had a long Christmas break and have not thought about ACI for 2 months!

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

ramu.gajula · ‎01-23-2022

Hello Chris,

Sorry about the mixed up question. I have changed the question. It's basically a communication between EPG's in two different VRF's under a same tenant. in one tenant the EPG is external L3OUT with OSPF routes.

I have applied the contracts without using in Export/Import as they fall under same tenant. Hope my question is clear now.

Regards,

Ramu.

RedNectar · ‎01-24-2022

Hi @ramu.gajula ,

If they are under the same tenant, forget the export/import bit. In other words ignore point 5 above.

BUT the other points are still relevant. You just have to figure out which EPG is providing the contract and which EPG is consuming it.

My advice would be to forget about using vzAny unless you really know what you are doing. I believe vzAny is one of the most mis-used and mis-understood and completely abused constructs in ACI. (Check https://community.cisco.com/t5/application-centric/cisco-aci-contracts-design-vzany-contracts/td-p/4502588 and you may find a helpful article on how you CAN use vzAny if you search for "Making the most of ACI when routing between tenants via a Firewall")

Maybe it's time I wrote an article on what those switches do in the L3-EPG - very tricky little things.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.