03-31-2020 02:34 AM
I have a setup where two VRFs are being used to host different applications in ACI.
Each VRF has its own PBR utilizing the vzAny contract, and its own L3out.
East-West and North-South traffic is being inspected by each VRF firewall between the EPGs which belong to the same VRF.
Now I'm aiming to let the EPGs (from different VRFs) talk to each other in the fabric without neglecting the firewalls per VRF.
I managed to do that, but the traffic flow was going outside the fabric and then coming back (L3out - ACI in NSSA area).
More details can be explained during the discussion.
04-01-2020 08:21 AM
Hello!
I am not 100% clear on what you are asking, but I believe you are asking how to achieve this scenario but instead of going in and out of the fabric via L3 Externals, how to achieve PBR with Route leaking between VRFs. Is this correct?
04-01-2020 08:26 AM
04-01-2020 08:49 AM
I think you might have some issues doing this with vzAny contracts, but you can follow this guide to enable route leaking on the subnets that you want to leak to allow inter-VRF communication:
04-02-2020 01:23 AM
Thanks for the useful link; however, I think there is a limitation on doing PBR with vzAny on a one-arm setup (one node only).
The best option for my current setup is for east-west communication between EPGs in different VRFs (knowing that each VRF has its own firewall / its own L3out / its own PBR) to be like this:
EPG VRF1---FW1---L3out1-----L3out2----FW2--EPG VRF2
In my current setup right now, the traffic flow is like this:
If I want the east-west communication between these EPGs to be achieved directly, I can do the route leaking with another contract (not the current vzAny), but there will be no firewall inspection.
06-01-2023 11:31 PM
Hello IslamOmar, did you find a way to make it happen? I am also looking for a solution, which is almost your case. I need to make sure any connection from VRF1 to VRF2 should pass through only 1 firewall.