Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1538
Views
0
Helpful
5
Replies

PBR between different VRFs

IslamOmar
Level 1
Level 1

‎03-31-2020 02:34 AM

I have a setup where two VRF's are being used to host different applications in ACI .

 

Each VRF has its own PBR utilizing the vZany contract , and its own L3out.

East-West and North-South Traffic is being inspected by each VRF firewall between the EPGs which belongs to the same VRF.

 

Now I'm targeting to let the EPGs ( from different VRF's ) talk to each other in the fabric without neglecting the firewalls per VRF.

 

i managed to do that but the traffic flow was going outside the fabric then coming back ( L3out- ACI in NSSA area ) .

 

More details can be explained during the discussion .

Labels:
0 Helpful
5 Replies 5

stcorry
Cisco Employee
Cisco Employee

‎04-01-2020 08:21 AM

Hello!

 

I am not 100% clear on what you are asking, but I believe you are asking how to achieve this scenario but instead of going in and out of the fabric via L3 Externals, how to achieve PBR with Route leaking between VRFs. Is this correct?

 

 

0 Helpful

IslamOmar
Level 1
Level 1
In response to stcorry

‎04-01-2020 08:26 AM

That's correct , even though i tried the route leaking by making a 3rd contract between the EPGs in different VRFs the traffic is going outside the fabric then coming back
0 Helpful

stcorry
Cisco Employee
Cisco Employee
In response to IslamOmar

‎04-01-2020 08:49 AM

I think you might have some issues doing this with vzAny contracts, but you can follow this guide to enable route leaking on the subnets that you want to leak to allow inter-vrf communication:

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html#InterVRFconfigurationexample

0 Helpful

IslamOmar
Level 1
Level 1
In response to stcorry

‎04-02-2020 01:23 AM

Thanks for the useful link , however i think there is limitation on doing PBR with vzany on one-arm setup ( one node only ) .

 

the best option for my current setup is that east-west communications between EPG in different VRF's ( knowing that each VRF has its own firewall / it's own L3out / its own PBR ) is be like this :

 

EPG VRF1---FW1---L3out1-----L3out2----FW2--EPG VRF2

 

my current setup right now traffic flow is like this :

 

N-S -- VRF 1 is fine -- inspected by FW1
E-W -- VRF 1 is fine -- inspected by FW1
 
N-S -- VRF 2 is fine -- inspected by FW2
E-W -- VRF 2 is fine -- inspected by FW2

 

if i want the east-west communication between these EPG's to be directly achieved i can do the route-leaking with another contract ( not the current vZany ) but there will be no firewall inspection .

0 Helpful

Ugur Ersoy
Level 1
Level 1
In response to IslamOmar

‎06-01-2023 11:31 PM

Hello IslamOmar, did you find a way to make it happen? I am also looking for solution, which is almost your case. I need to make sure any connection from VRF1 to VRF2 should pass only 1 firewall.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License