I have a setup where two VRFs are being used to host different applications in ACI.
Each VRF has its own PBR utilizing the vzAny contract, and its own L3Out.
East-west and north-south traffic is being inspected by each VRF's firewall between the EPGs which belong to the same VRF.
Now I'm targeting to let the EPGs (from different VRFs) talk to each other in the fabric without neglecting the firewalls per VRF.
I managed to do that, but the traffic flow was going outside the fabric and then coming back (L3Out - ACI in NSSA area).
More details can be explained during the discussion.
I am not 100% clear on what you are asking, but I believe you are asking how to achieve this scenario, but instead of going in and out of the fabric via L3 externals, how to achieve PBR with route leaking between VRFs. Is this correct?
I think you might have some issues doing this with vzAny contracts, but you can follow this guide to enable route leaking on the subnets that you want to leak, to allow inter-VRF communication:
Thanks for the useful link; however, I think there is a limitation on doing PBR with vzAny in a one-arm setup (one node only).
The best option for my current setup is that east-west communication between EPGs in different VRFs (knowing that each VRF has its own firewall, its own L3Out, and its own PBR) would be like this:
EPG VRF1---FW1---L3out1-----L3out2----FW2--EPG VRF2
In my current setup, the traffic flow right now is like this:
If I want the east-west communication between these EPGs to be achieved directly, I can do the route leaking with another contract (not the current vzAny), but there will be no firewall inspection.