1222 Views, 0 Helpful, 2 Replies

Application EPG and External EPG of different VRFs, having same subnets

bhayashi
Level 1

Is the following configuration supported?

Application EPG and External EPG of different VRFs, having same subnets

Below is an example for the above configuration and the intention of using such a design.

[EPG-1A]
- Application EPG
- belonging to VRF1
- having a subnet: 192.168.10.0/24

[EPG-1E]
- External EPG
- belonging to VRF1
- having a subnet: 192.168.20.0/24

[EPG-2A]
- Application EPG
- belonging to VRF2
- having a subnet: 192.168.20.0/24

[EPG-2E]
- External EPG
- belonging to VRF2
- having a subnet: 192.168.10.0/24

[topology]

EPG-1A(192.168.10.0/24) <--> VRF1 <--> EPG-1E(192.168.20.0/24) <-->external L3 device(e.g. ASA)  <--> EPG-2E(192.168.10.0/24) <--> VRF2 <--> EPG-2A(192.168.20.0/24)

As described above, EPG-1A has the same subnet (192.168.10.0/24) as EPG-2E, and EPG-2A has the same subnet (192.168.20.0/24) as EPG-1E.

The intention of using this design is that we have to use a firewall (e.g. ASA) to filter all traffic between two zones, and we decided not to use Service Graph. Instead, we use two VRFs to represent the two zones and put the firewall between the two VRFs for traffic filtering. The firewall is supposed to use static routing to connect to the VRFs through L3Outs.

Is the above configuration supported in ACI? Assuming everything else is correctly configured, would the end-to-end traffic work well between EPG-1A (192.168.10.0/24) and EPG-2A (192.168.20.0/24)?

Is there any limitation or restriction that we need to pay attention to when using the above design?

Any answer/advice will be greatly appreciated!

Best regards

Bunketsu Hayashi

2 Replies

buhayash
Cisco Employee

The configuration will work fine (assuming the static routes on the L3Out and the L3 device are configured correctly).

There is no particular restriction/limitation about this configuration.

Remi Astruc
Level 1

Hi @bhayashi,

Yes, there IS a problem. Besides the ACI matters, the ASA Firewall cannot have a subnet being at the same time directly attached to an interface and reachable via another interface.

Remi Astruc
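The two replies differ on how the ASA sees the overlapping subnets. As an added example (not from either reply or from Cisco), the following models the ASA's routing table for this design and flags the condition Remi describes: a prefix directly connected on one interface that must also be reached through another. The interface names, the transit link subnets 10.0.1.0/30 and 10.0.2.0/30 and the next-hop addresses are assumptions.

```python
# Added example, not from the thread: a minimal model of the ASA's routing table for
# the two-VRF design above. Interface names, transit subnets and next hops are assumed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: "IPv4Address | None" = None  # None means directly connected


def connected(prefix, iface):
    return Route(ip_network(prefix), iface)


def static(prefix, iface, via):
    return Route(ip_network(prefix), iface, ip_address(via))


def lookup(table, dst):
    """Longest-prefix match; a connected route beats a static one of equal length."""
    addr = ip_address(dst)
    cands = [r for r in table if addr in r.prefix]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.prefix.prefixlen, r.next_hop is None))


def find_conflicts(table):
    """Prefixes connected on one interface yet also routed out another (Remi's point)."""
    by_prefix = {}
    for r in table:
        by_prefix.setdefault(str(r.prefix), []).append(r)
    conflicts = {}
    for prefix, routes in by_prefix.items():
        ifaces = sorted({r.interface for r in routes})
        if len(ifaces) > 1 and any(r.next_hop is None for r in routes):
            conflicts[prefix] = ifaces
    return conflicts


# Case 1 (buhayash's reading): transit /30s on the ASA, EPG subnets reached via statics.
ASA_TRANSIT = [
    connected("10.0.1.0/30", "vrf1_side"),
    connected("10.0.2.0/30", "vrf2_side"),
    static("192.168.10.0/24", "vrf1_side", "10.0.1.1"),  # EPG-1A in VRF1
    static("192.168.20.0/24", "vrf2_side", "10.0.2.1"),  # EPG-2A in VRF2
]
# Case 2 (Remi's reading): EPG-2E's 192.168.10.0/24 on the VRF2-facing interface, EPG-1A via VRF1.
ASA_DIRECT = [
    connected("192.168.10.0/24", "vrf2_side"),
    connected("10.0.1.0/30", "vrf1_side"),
    static("192.168.10.0/24", "vrf1_side", "10.0.1.1"),
]
```

In case 2 the connected entry wins the lookup, so packets for EPG-1A hosts in 192.168.10.0/24 would egress toward VRF2 instead of VRF1; `find_conflicts` reports that prefix before the design is deployed.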
