Leaking between VRFs - full mesh needed?

Johannes Luther
Level 4

Hi ACI folks,

Assuming the following example topology...

[Image: ACI_example.png]

From my external L3out I get a default route.

I established a contract between the l3out and the EPGs in the different server VRFs and ticked the right checkboxes in the external EPG.

Result:

- In each VRF I can see the default route

- From each EPG I have external connectivity


Question:

If I need connectivity between the EPGs in the different VRFs, I need contracts between each EPG in question. Assuming I have 100 VRFs, I need a bidirectional contract between each VRF ... this does not scale, right?

Is there a way to use the "hub and spoke" topology and use the common:default VRF as a transit?

Accepted Solution

Robert Burns
Cisco Employee

I would question the design of having different VRFs and different tenants if they all need to communicate.  If they all need to communicate, why not locate the EPGs in the common tenant, and apply vzAny or Pref. Groups? 

Another way would be to use the default:common contract and provide & consume that between all the EPGs that need to communicate, but then you're not helping yourself from a scaling perspective.

Robert

2 Replies

Hi Robert,
thank you for your answer. It's more or less a "fail open" configuration.
Normally, there is a firewall between all VRFs (each VRF has a dedicated L3Out) --> sandwich design.


In case the firewall is faulty (and does funny things), there is the idea to provide a fail open configuration.


Is it possible to use the common "default" contract for this? The contract has the scope "VRF" - I guess for this functionality, the contract scope should be "Tenant" or "Global", right?
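To make the scaling argument in the question and the vzAny/shared-contract suggestion in the accepted answer concrete, here is an added Python example (not code from the thread or from Cisco). It counts the contract relationships needed for a pairwise design versus one shared contract attached through each VRF's vzAny, checks the contract scope against where the contract is used, and emits an APIC-style JSON payload. The class and attribute names (fvTenant, vzBrCP.scope, vzSubj, vzRsSubjFiltAtt, fvCtx, vzAny, vzRsAnyToProv, vzRsAnyToCons) are from the public APIC object model; the tenant and VRF names, the contract name "fail-open", and the use of the "default" filter from tenant common are constructed assumptions for illustration.

```python
"""Contract scaling and a shared-contract (vzAny) payload for inter-VRF reachability.

Added example, not from the forum thread. Object class names follow the public
APIC object model; tenant/VRF/contract names below are constructed for illustration.
"""
import json

# Valid values of vzBrCP.scope in the APIC object model.
VALID_SCOPES = ("context", "tenant", "global", "application-profile")


def full_mesh_contract_count(n_vrfs):
    """Pairwise design: one bidirectional contract per VRF pair -> n*(n-1)/2."""
    return n_vrfs * (n_vrfs - 1) // 2


def hub_relation_count(n_vrfs):
    """Shared-contract design: each VRF's vzAny provides and consumes once -> 2n."""
    return 2 * n_vrfs


def scope_problem(scope, spans_tenants):
    """Return None if the scope fits the intended use, else a short reason.

    The default scope 'context' confines a contract to a single VRF, so it can
    never carry inter-VRF traffic; a contract placed in tenant common and used by
    VRFs in other tenants needs 'global'.
    """
    if scope not in VALID_SCOPES:
        return f"unknown scope {scope!r}"
    if scope == "context":
        return "scope 'context' restricts the contract to one VRF"
    if spans_tenants and scope != "global":
        return "use across tenants requires scope 'global'"
    return None


def build_fail_open_config(vrfs, contract="fail-open", filter_name="default", scope="global"):
    """Build APIC-style JSON: one contract in tenant common plus, for every
    (tenant, vrf) pair in `vrfs` (constructed input), a vzAny relation that both
    provides and consumes it. Returns a list of fvTenant objects, common first.
    """
    spans_tenants = any(tenant != "common" for tenant, _ in vrfs)
    problem = scope_problem(scope, spans_tenants)
    if problem:
        raise ValueError(problem)

    # The permit-any 'default' filter of tenant common is assumed to exist.
    common = {"fvTenant": {"attributes": {"name": "common"}, "children": [
        {"vzBrCP": {"attributes": {"name": contract, "scope": scope}, "children": [
            {"vzSubj": {"attributes": {"name": "any"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}
            ]}}
        ]}}
    ]}}

    # Group VRFs by tenant; each VRF gets a vzAny that provides and consumes.
    per_tenant = {}
    for tenant, vrf in vrfs:
        ctx = {"fvCtx": {"attributes": {"name": vrf}, "children": [
            {"vzAny": {"attributes": {}, "children": [
                {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": contract}}},
                {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": contract}}},
            ]}}
        ]}}
        per_tenant.setdefault(tenant, []).append(ctx)

    tenants = [{"fvTenant": {"attributes": {"name": t}, "children": children}}
               for t, children in per_tenant.items()]
    return [common] + tenants


if __name__ == "__main__":
    print("100 VRFs, pairwise contracts:", full_mesh_contract_count(100))
    print("100 VRFs, shared contract via vzAny:", hub_relation_count(100), "relations")
    # Constructed sample: two server tenants, each with one VRF.
    sample = [("tenantA", "vrfA"), ("tenantB", "vrfB")]
    print(json.dumps(build_fail_open_config(sample), indent=2))
```

Running the script with the constructed two-tenant sample prints the contract in tenant common with scope "global" and one fvCtx/vzAny block per tenant; calling build_fail_open_config with scope="context" raises, which is the scope mistake the follow-up question asks about. The script only generates the payload; it does not talk to an APIC.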
