Introduction
This document describes how to set up and configure communication between two Virtual Route Forwarders (VRFs), also known as Contexts, within an Application Centric Infrastructure (ACI) environment. This procedure applies to VRFs in separate tenants or within the same tenant.
Note: This configuration has been tested on versions up to 2.2(1). Screenshots in this article can vary slightly with later versions.
Terminology/Acronyms
EPG - End Point Group
Context - Known in the ACI GUI as VRF. This is an instance within a Tenant.
BD - Bridge Domain
Topology:
Communication between provider End Point Group EPG-X in Tenant-X and consumer EPG-Y in Tenant-Y:
- Configure the shared subnet for EPG-X under the EPG (as opposed to under the Bridge Domain (BD)). This will be the provider EPG.
- Configure the shared subnet for EPG-Y under either the EPG or BD. This will be the consumer EPG.
- Create a global contract in Tenant-X for the traffic you want to allow.
- Add that contract as provided to EPG-X.
- Export that contract from Tenant-X to Tenant-Y.
- Add the imported contract in Tenant-Y as a consumed contract interface to EPG-Y.
Note: You can alternatively use a contract in the Common tenant (which both Tenants have access to), in which case you can skip the export/import step above.
Detailed Steps:
Configure the shared subnet for EPG-X under the EPG.
Ensure that it is marked as Shared to allow route leaking.
Configure the shared subnet for EPG-Y under either the EPG or BD.
Ensure that it is marked as Shared to allow for route leaking. In this example, the subnet for EPG-Y was created under its BD.
Create a contract in Tenant-X for the traffic you want to allow.
Be sure to mark the Scope as Global.
Traffic is allowed with the default filter found in the Common tenant.
NOTE: If the subject is marked Apply Both Directions then the traffic is able to originate from either EPG, similar to when you configure intra-context communication.
Add the contract you created to EPG-X as a provided contract.
Export that contract from Tenant-X to Tenant-Y.
NOTE: If you configure inter-VRF routing between two VRFs in the same Tenant, there is no need to export/import the contract.
Once you hit Submit, the contract will show up under Imported Contracts in Tenant-Y.
Add the imported contract in Tenant-Y as a consumed contract interface to EPG-Y.
Use this section in order to confirm that your configuration works properly.
IP routes are exported between Virtual Route Forwarders (VRFs). The routes between the contexts are highlighted in bold:
calo2-leaf2# show ip route vrf Tenant-X:Context-X
IP Route Table for VRF "Tenant-X:Context-X"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:14:59, static
10.10.10.1/32, ubest/mbest: 1/0, attached
    *via 10.10.10.1, vlan34, [1/0], 00:15:06, local
192.168.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:14:59, static

calo2-leaf2# show ip route vrf Tenant-Y:Context-Y
IP Route Table for VRF "Tenant-Y:Context-Y"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:15:17, static
192.168.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:15:17, static
192.168.10.1/32, ubest/mbest: 1/0, attached
    *via 192.168.10.1, vlan38, [1/0], 00:15:17, local
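
Because route leaking deliberately relaxes the isolation between VRFs, it is worth checking that only the intended subnets cross the boundary. The following Python script is an added example, not part of the original document or any Cisco tooling: it parses saved "show ip route vrf" output, lists the prefixes leaked into each VRF, and reports any that are not on an intended-sharing list. The function names, the allowlist format, and the heuristic (a pervasive prefix with no local /32 gateway in the same VRF is treated as leaked in) are assumptions.

```python
import ipaddress
import re

# Constructed sample: the two route tables shown above, legend lines omitted.
SAMPLE = """\
IP Route Table for VRF "Tenant-X:Context-X"
10.10.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:14:59, static
10.10.10.1/32, ubest/mbest: 1/0, attached
    *via 10.10.10.1, vlan34, [1/0], 00:15:06, local
192.168.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:14:59, static
IP Route Table for VRF "Tenant-Y:Context-Y"
10.10.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:15:17, static
192.168.10.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 192.168.120.64%overlay-1, [1/0], 00:15:17, static
192.168.10.1/32, ubest/mbest: 1/0, attached
    *via 192.168.10.1, vlan38, [1/0], 00:15:17, local
"""

VRF_RE = re.compile(r'IP Route Table for VRF "([^"]+)"')
ROUTE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3}/\d+), ubest/mbest: [^,]+(.*)$")

def parse(text):
    # Returns {vrf: {"pervasive": {networks}, "local": {gateway addresses}}}.
    tables, cur = {}, None
    for line in text.splitlines():
        if m := VRF_RE.search(line):
            cur = tables.setdefault(m.group(1), {"pervasive": set(), "local": set()})
        elif cur is not None and (m := ROUTE_RE.match(line)):
            net = ipaddress.ip_network(m.group(1))
            flags = {f.strip() for f in m.group(2).split(",")}
            if "pervasive" in flags:
                cur["pervasive"].add(net)
            elif net.prefixlen == 32 and "attached" in flags:
                cur["local"].add(net.network_address)
    return tables

def leaked_in(tables):
    # Assumption (heuristic): a pervasive prefix with no local /32 gateway
    # in the same VRF was leaked in from another VRF.
    return {vrf: {n for n in t["pervasive"] if not any(a in n for a in t["local"])}
            for vrf, t in tables.items()}

def unexpected_leaks(tables, allowed):
    # allowed: {vrf: iterable of prefix strings the design intends to share in}.
    return {vrf: nets - {ipaddress.ip_network(p) for p in allowed.get(vrf, ())}
            for vrf, nets in leaked_in(tables).items()}
```

Calling unexpected_leaks(parse(output), allowed) with the design's intended shared subnets returns an empty set per VRF when nothing beyond the plan has been leaked.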