Reachability issue between external network and L3Out peer IP

SIMMN

Hi, I have an existing small ACI fabric, illustrated in the high-level diagram below, and I would need some information/advice on a "weird" setup requirement... RT1 has already established OSPF peering with ACI, and the Jumpbox (using RT1 as its default gateway) can reach other endpoints connected in ACI. A single VRF and vzAny are used in the fabric.

Now, I need to move the existing FW1 and FW2 into the ACI fabric with routed links (OSPF peering and a static route respectively). For historical reasons and to avoid firewall configuration changes, I would have to keep the existing transit subnet/IPs configured on the firewall routed links, which is VLAN10 (172.16.8.0/24). I wish I could get it changed to two /30 or /29 subnets for routing transit purposes... The "weird" requirement is to maintain communication between the Jumpbox (192.168.1.10) and the VLAN10 IPs on FW1 and FW2 (172.16.8.32 and 172.16.8.132 respectively).

I used the existing L3Out to establish the OSPF peering with FW1, which uses 172.16.8.32, while ACI's VLAN10 SVI uses 172.16.8.33. Connectivity is all good between ACI and the networks protected by FW1. The Jumpbox can connect to FW1 at 172.16.8.32 as well.

I created a new L3Out in the same VRF just for static routing and established a connection between FW2 (172.16.8.132) and ACI (172.16.8.133). Connectivity is all good between ACI and the networks protected by FW2. However, the Jumpbox can NOT connect to FW2 at 172.16.8.132 anymore...

I understand the IPs on a transit network are supposed to be used to transmit traffic through, not to transmit traffic to... But I have to figure out whether this could work or not... Anyone with more brain power, please advise!

[Attachment: Drawing1.jpg (high-level diagram)]
