549 Views, 0 Helpful, 2 Replies

Beginner

Application EPG and External EPG of different VRFs, having same subnets

Is the following configuration supported?

 

Application EPG and External EPG of different VRFs, having same subnets

 

Below is an example for the above configuration and the intention of using such a design.

[EPG-1A]

- Application EPG

- belonging to VRF1

- having a subnet: 192.168.10.0/24

 

[EPG-1E]

- External EPG

- belonging to VRF1

- having a subnet: 192.168.20.0/24

 

[EPG-2A]

- Application EPG

- belonging to VRF2

- having a subnet: 192.168.20.0/24

 

[EPG-2E]

- External EPG

- belonging to VRF2

- having a subnet: 192.168.10.0/24

 

[topology]

EPG-1A (192.168.10.0/24) <--> VRF1 <--> EPG-1E (192.168.20.0/24) <--> external L3 device (e.g. ASA) <--> EPG-2E (192.168.10.0/24) <--> VRF2 <--> EPG-2A (192.168.20.0/24)

As described above, EPG-1A has the same subnet (192.168.10.0/24) as EPG-2E, and EPG-2A has the same subnet (192.168.20.0/24) as EPG-1E.

The intention of using this design is that we have to use a firewall (e.g. ASA) to filter all traffic between two zones, and we have decided not to use a Service Graph. Instead, we use two VRFs to represent the two zones and put the firewall between the two VRFs for traffic filtering. The firewall is supposed to use static routing to connect to the VRFs through L3Outs.

 

Is the above configuration supported in ACI? Assuming everything else is correctly configured, would end-to-end traffic work well between EPG-1A (192.168.10.0/24) and EPG-2A (192.168.20.0/24)?

 

Is there any limitation or restriction that we need to pay attention to when using the above design?

 

Any answer/advice will be greatly appreciated!

 

Best regards

Bunketsu Hayashi

 

2 REPLIES
Cisco Employee

Re: Application EPG and External EPG of different VRFs, having same subnets

The configuration will work fine (assuming the static routes on the L3Out and the L3 device are configured correctly).

There is no particular restriction/limitation about this configuration.

Beginner

Re: Application EPG and External EPG of different VRFs, having same subnets

Hi @bhayashi ,

Yes, there IS a problem. Besides the ACI matters, the ASA firewall cannot have a subnet that is at the same time directly attached to one interface and reachable via another interface.

 

Remi Astruc
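The following is an added example, not part of the original post or of either reply, and not Cisco or ASA code. It models the two VRFs and the firewall from the question as plain longest-prefix-match routing tables and runs two checks a practitioner would want before building this: that the reused prefixes only collide across VRFs and never as a BD subnet against an external-EPG classifier inside the same VRF, and that the firewall never has the same prefix both directly connected on one interface and as a static route out of another (the constraint raised in the second reply). The transit /30 links between each L3Out and the firewall (10.1.1.0/30, 10.1.2.0/30), the interface names, and the "broken" variant are assumptions; the thread does not give them.

```python
"""Design check for the VRF1 <-> ASA <-> VRF2 layout discussed in this thread.

Added example; not code from the thread, from Cisco or from the ASA.
Every VRF and the firewall is a simple longest-prefix-match table.
Transit /30s, interface names and the broken variant are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: IPv4Network
    iface: str
    kind: str            # "connected" (interface/BD subnet) or "static"


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, iface: str, kind: str = "static") -> "RouteTable":
        self.routes.append(Route(ip_network(prefix), iface, kind))
        return self

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the way a router or the ASA picks its egress."""
        addr = ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


# The thread's addressing: the same two prefixes, swapped between the VRFs.
THREAD_VRFS: Dict[str, Dict[str, List[str]]] = {
    "VRF1": {"bd": ["192.168.10.0/24"], "ext": ["192.168.20.0/24"]},   # EPG-1A, EPG-1E
    "VRF2": {"bd": ["192.168.20.0/24"], "ext": ["192.168.10.0/24"]},   # EPG-2A, EPG-2E
}


def same_vrf_overlaps(vrfs) -> List[Tuple[str, str, str]]:
    """A BD subnet overlapping an external-EPG classification subnet in the SAME VRF.
    That is the overlap to flag for review; the same prefix in two VRFs is two tables."""
    bad = []
    for name, epgs in vrfs.items():
        for bd in epgs["bd"]:
            for ext in epgs["ext"]:
                if ip_network(bd).overlaps(ip_network(ext)):
                    bad.append((name, bd, ext))
    return bad


def cross_vrf_overlaps(vrfs) -> List[str]:
    """Prefixes that appear in more than one VRF (informational, not an error)."""
    seen: Dict[str, set] = {}
    for name, epgs in vrfs.items():
        for p in epgs["bd"] + epgs["ext"]:
            seen.setdefault(p, set()).add(name)
    return sorted(p for p, names in seen.items() if len(names) > 1)


def firewall_conflicts(fw: RouteTable) -> List[Route]:
    """Static routes whose prefix is also directly connected on a different interface:
    the situation the second reply says the ASA will not accept."""
    connected = {r.prefix: r.iface for r in fw.routes if r.kind == "connected"}
    return [r for r in fw.routes
            if r.kind == "static" and r.prefix in connected and connected[r.prefix] != r.iface]


def trace(tables: List[RouteTable], dst: str) -> List[Tuple[str, Optional[str]]]:
    """Egress interface chosen at each hop for dst; None where a hop has no route."""
    path = []
    for t in tables:
        r = t.lookup(dst)
        path.append((t.name, r.iface if r else None))
    return path


def thread_design() -> List[RouteTable]:
    """VRF1 <-> ASA <-> VRF2 as described, with assumed /30 transit links."""
    vrf1 = (RouteTable("VRF1")
            .add("192.168.10.0/24", "BD-1A", "connected")      # EPG-1A subnet
            .add("10.1.1.0/30", "L3Out-1", "connected")        # assumed link to ASA
            .add("192.168.20.0/24", "L3Out-1"))                # EPG-1E classifier, via ASA
    asa = (RouteTable("ASA")
           .add("10.1.1.0/30", "inside", "connected")
           .add("10.1.2.0/30", "outside", "connected")
           .add("192.168.10.0/24", "inside")
           .add("192.168.20.0/24", "outside"))
    vrf2 = (RouteTable("VRF2")
            .add("192.168.20.0/24", "BD-2A", "connected")      # EPG-2A subnet
            .add("10.1.2.0/30", "L3Out-2", "connected")        # assumed link to ASA
            .add("192.168.10.0/24", "L3Out-2"))                # EPG-2E classifier, via ASA
    return [vrf1, asa, vrf2]


def broken_firewall() -> RouteTable:
    """Constructed variant (assumption): the link toward VRF2 is numbered out of
    192.168.10.0/24, so that prefix is connected on 'outside' while the static route
    to reach EPG-1A still points 'inside'. This is what the second reply warns about."""
    return (RouteTable("ASA")
            .add("10.1.1.0/30", "inside", "connected")
            .add("192.168.10.0/24", "outside", "connected")
            .add("192.168.10.0/24", "inside")
            .add("192.168.20.0/24", "outside"))


if __name__ == "__main__":
    vrf1, asa, vrf2 = thread_design()
    print("same-VRF overlaps:", same_vrf_overlaps(THREAD_VRFS))
    print("cross-VRF reuse:  ", cross_vrf_overlaps(THREAD_VRFS))
    print("ASA conflicts:    ", firewall_conflicts(asa))
    print("1A -> 2A path:    ", trace([vrf1, asa, vrf2], "192.168.20.10"))
    print("broken ASA:       ", [(str(r.prefix), r.iface) for r in firewall_conflicts(broken_firewall())])
```

With the thread's addressing and dedicated transit /30s, the checks come back clean and the trace from EPG-1A to EPG-2A goes VRF1 L3Out-1, ASA outside, VRF2 BD-2A; the conflict only appears in the constructed variant where one of the reused /24s is also used to number a firewall link.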
