Hello ACI people,
I came across an interesting scenario.
I need to create Transit Routing between two different L3Outs, L3Out-A and L3Out-B; they are in different VRFs, VRF-A and VRF-B, under one Tenant.
L3Out-A is using OSPF and L3Out-B is just a static route.
I am attaching the diagram to explain what has been configured as far as flags on the external subnets.
After configuring all the mentioned points on the diagram, I finished up with a contract with a global scope.
Once finished, I have seen the routes properly leaked between VRFs.
Then I realized that this is no good and does not work.
I did an ELAM capture and I see "SECURITY_GROUP_DENY",
which indicates the absence of a contract allowing communication between the source and destination EPGs, but I do have a contract in place.
What am I doing wrong?
Sadly, on this Fabric I am running the 4.2n release.
Thank you in advance :).
