Simplifying & Optimizing Cisco ACI L3Out Configuration
Cisco ACI Deep-Dive Technical Series
Route-Maps, Endpoint Security Groups (ESG) & Inter-VRF Route Leaking — Classical vs Modern Approach with Full Lab Verification
Table of Contents
- What Is L3Out and Why Is It Needed?
- EPGs vs External EPGs
- External EPG Flags: Routing & Policy Control
- Modern Simplification Tools: Route-Maps, ESG & Inter-VRF Leaking
- Scenario 1 — Advertising BD from L3Out
- Scenario 2 — Transit Routing Between Two L3Outs
- Scenario 3 — Inter-VRF Shared Services
- Simplifying with Route-Maps (Step-by-Step)
- Migrating to ESG
- Inter-VRF Leaked Routes for ESG
- Cleanup & Final Traffic Verification
- Conclusion & Key Takeaways
1. What Is L3Out and Why Is It Needed?
Data centers host applications and services that must communicate beyond the local fabric — reaching campus networks, WANs, MPLS-VPN clouds, or the internet. Without external connectivity, the ACI fabric would be isolated and unusable in real enterprise or cloud environments.
L3Out (Layer 3 Out) is the Cisco ACI construct that provides Layer 3 connectivity between the ACI fabric and external Layer 3 network domains. It connects the fabric to external routers or WAN edge devices using routing protocols such as BGP, OSPF, EIGRP, or static routing.
What L3Out Enables
Prefix Advertisement
Advertise internal BD subnets to external routers.
External Route Learning
Learn external routes from upstream routers into the fabric.
Transit Routing
Advertise prefixes from one L3Out to another L3Out.
Shared L3Out
Single L3Out shared across multiple VRFs or tenants.
2. EPGs vs External EPGs
Understanding the difference between an EPG and an External EPG is foundational before simplifying L3Out configuration.
Internal EPG
Classifies endpoints based on VLAN or VXLAN encapsulation within the ACI fabric. Used for workloads running inside the fabric.
External EPG (L3Out)
Classifies external traffic based on IP subnets or prefixes using Longest Prefix Match (LPM) within a VRF context. Contracts are enforced on an External EPG exactly as they are on an internal EPG.
3. External EPG Flags: Routing & Policy Control
Cisco ACI provides flexible options for advertising prefixes and classifying them for security enforcement via External EPG flags — split into two categories:
Routing Control Flags
Export Route Control Subnet
Advertises (exports) a subnet from ACI to outside via L3Out. Primarily used for Transit Routing, also for BD subnet advertisement. Configure on the L3Out advertising the subnet — not the one learning it.
Shared Route Control Subnet
Leaks an external subnet to another VRF using MP-BGP and route targets. Creates an IP prefix-list for export/import filtering. Configure on the L3Out learning the subnet in the original VRF.
Policy Control (Contract Enforcement) Flags
External Subnet for External EPG
Allows packets from/to a configured subnet via the L3Out with a contract. Classifies packets into the External EPG based on subnet so that contracts apply. Configure on the L3Out learning the subnet.
Shared Security Import Subnet
Leaks prefix-to-pcTag mapping across VRFs. Only valid when "External Subnets for the External EPG" is also configured.
⚠️ The Complexity Problem: These flags add significant operational complexity — especially for transit services and shared services across multiple VRFs. The goal of this guide is to eliminate these flags entirely using modern ACI constructs.
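The following is an added illustration, not code from this guide or from Cisco: a small Python model of how an External EPG classifies a packet by longest prefix match inside a VRF, and which of the four flags actually take part in that decision. The lab prefixes and External EPG names are taken from the scenarios below; the pcTag values, the catch-all 0.0.0.0/0 External EPG and the deliberately broken configurations are constructed for the example. The scope strings are the values APIC stores on l3extSubnet.

```python
"""Added model of External EPG classification in Cisco ACI: the External EPG
whose "External Subnets for the External EPG" prefix is the longest match for
the packet's IP within the VRF wins; routing-only flags never classify."""
import ipaddress
from dataclasses import dataclass

# l3extSubnet scope values as stored by APIC, with the GUI label each maps to
IMPORT_SECURITY = "import-security"  # External Subnets for the External EPG
EXPORT_RTCTRL = "export-rtctrl"      # Export Route Control Subnet
SHARED_RTCTRL = "shared-rtctrl"      # Shared Route Control Subnet
SHARED_SECURITY = "shared-security"  # Shared Security Import Subnet


@dataclass(frozen=True)
class ExtSubnet:
    prefix: ipaddress.IPv4Network
    scopes: frozenset


@dataclass
class ExtEpg:
    name: str
    vrf: str
    pctag: int          # class ID used by the contract TCAM; values below are assumed
    subnets: list


def classify(ip, ext_epgs, vrf):
    """Return (ExtEpg, ExtSubnet) holding the longest import-security match
    for ip inside vrf, or (None, None) when no External EPG claims the address."""
    addr = ipaddress.ip_address(ip)
    best, best_len = (None, None), -1
    for epg in ext_epgs:
        if epg.vrf != vrf:
            continue
        for sub in epg.subnets:
            # export-rtctrl / shared-rtctrl only shape route advertisement and
            # leaking; a prefix without import-security never classifies traffic
            if IMPORT_SECURITY not in sub.scopes:
                continue
            if addr in sub.prefix and sub.prefix.prefixlen > best_len:
                best, best_len = (epg, sub), sub.prefix.prefixlen
    return best


def flag_errors(ext_epgs):
    """Misconfigurations a reviewer should flag: shared-security without
    import-security (ignored by the fabric) and the same import-security
    prefix under two External EPGs of one VRF (raises a fault on APIC)."""
    errors, seen = [], {}
    for epg in ext_epgs:
        for sub in epg.subnets:
            if SHARED_SECURITY in sub.scopes and IMPORT_SECURITY not in sub.scopes:
                errors.append(f"{epg.name} {sub.prefix}: shared-security needs import-security")
            if IMPORT_SECURITY in sub.scopes:
                key = (epg.vrf, sub.prefix)
                if key in seen and seen[key] != epg.name:
                    errors.append(f"{sub.prefix} claimed by {seen[key]} and {epg.name} in {epg.vrf}")
                seen.setdefault(key, epg.name)
    return errors


def lab_ext_epgs():
    """External EPGs from this guide's lab plus a constructed catch-all
    External EPG (pcTags are made-up numbers)."""
    n = ipaddress.ip_network
    return [
        ExtEpg("internet11-ext-epg", "internet1-vrf", 32770,
               [ExtSubnet(n("192.168.100.205/32"), frozenset({IMPORT_SECURITY}))]),
        ExtEpg("internet12-ext-epg", "internet1-vrf", 32771,
               [ExtSubnet(n("192.168.100.206/32"),
                          frozenset({IMPORT_SECURITY, SHARED_RTCTRL, SHARED_SECURITY}))]),
        ExtEpg("internet-any", "internet1-vrf", 32772,
               [ExtSubnet(n("0.0.0.0/0"), frozenset({IMPORT_SECURITY}))]),
    ]


def broken_ext_epgs():
    """Constructed: the two mistakes flag_errors() is meant to catch."""
    n = ipaddress.ip_network
    return [
        ExtEpg("bad-shared", "internet1-vrf", 32780,
               [ExtSubnet(n("192.168.100.206/32"), frozenset({SHARED_SECURITY, SHARED_RTCTRL}))]),
        ExtEpg("dup-a", "internet1-vrf", 32781, [ExtSubnet(n("0.0.0.0/0"), frozenset({IMPORT_SECURITY}))]),
        ExtEpg("dup-b", "internet1-vrf", 32782, [ExtSubnet(n("0.0.0.0/0"), frozenset({IMPORT_SECURITY}))]),
    ]


if __name__ == "__main__":
    for ip in ("192.168.100.205", "192.168.100.206", "8.8.8.8"):
        epg, sub = classify(ip, lab_ext_epgs(), "internet1-vrf")
        print(ip, "->", epg.name, "via", sub.prefix, "pcTag", epg.pctag)
    print(flag_errors(broken_ext_epgs()))
```

The same LPM rule applies to External Subnet Selectors under an ESG, which is why the migration later in this guide can move the prefixes without changing which traffic a contract covers; the shared-security flag additionally exports the prefix-to-pcTag mapping into the destination VRF, which this model does not simulate.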
4. Modern Simplification Tools
Route-Maps
Control route redistribution and advertisement between ACI fabric and external routing protocols (OSPF, EIGRP, BGP). Replaces the need for multiple External EPG flags with a single, centralized advertisement policy using "Match Routing Policy Only."
Endpoint Security Groups (ESG)
Modern security construct that decouples security policy from the tight binding of EPGs to Bridge Domains. Security policies span multiple Bridge Domains within a VRF. Improves TCAM efficiency and enforcement consistency.
Inter-VRF Leaked Routes for ESG
Allows route leaking between VRFs specifically for ESGs — enabling shared services and inter-VRF communication without any External EPG prefix flags or BD subnet scopes.
5. Scenario 1 — Advertising BD from L3Out
Establishing communication between an external network and EPG prod2-epg1 (associated with BD internet1-bd1, subnet 11.1.1.0/24).
Classical Approach: The BD is marked "Advertised Externally," the external prefix (192.168.100.205/32) is classified under internet11-ext-epg with "External Subnets for External EPG," and a contract is applied between the EPG and External EPG.
Figure 1.1 — Advertising BD from L3Out (Classical EXT-EPG Approach)
6. Scenario 2 — Transit Routing Between Two L3Outs
Establishing connectivity between two external networks — 192.168.100.205 (via l3out-internet11) and 192.168.100.206 (via l3out-internet12).
Classical Approach: Prefixes are marked "Export Route Control Subnet" under their respective External EPGs, and contract TRANSIT_ROUTING_CNTR1 is applied between both External EPGs.
Figure 1.2 — Transit Routing (Classical EXT-EPG Approach)
7. Scenario 3 — Inter-VRF Shared Services
BD internet2-bd1 (in vrf internet2-vrf) needs access to IP 192.168.100.206 learned from l3out-internet12 (in vrf internet1-vrf).
Legacy Approach: External prefix classified under External EPG with multiple flags (External Subnets + Shared Route Control + Shared Security Import), and BD subnet configured with "Advertised Externally" + "Shared Between VRFs." Creates heavy configuration overhead.
Figure 1.3 — Inter-VRF Route Leaking (Classical EXT-EPG Approach)
8. Simplifying with Route-Maps (Step-by-Step)
Route-Map on l3out-internet11
Context 1 — BD_Advertisement: Permits BD subnet 11.1.1.0/24 (match rule BD_11_1_1_0_24). By selecting "Match Routing Policy Only," BD advertisement is controlled by route-map, not L3Out association:
Figure 1.4 — Route Control Context: BD_Advertisement
Context 2 — Transit_Prefixes: Permits the transit prefix 192.168.100.206/32:
Figure 1.5 — Route Control Context: Transit_Prefixes
The default-export route-map on l3out-internet11 combines both contexts with type "Match Routing Policy Only":
Figure 1.6 — default-export Route-Map for l3out-internet11 (Both Contexts, Match Routing Policy Only)
Route-Map on l3out-internet12
Transit_Prefixes match rule includes 192.168.100.205/32:
Figure 1.7 — Transit_Prefixes Match Rule (l3out-internet12)
The default-export route-map for l3out-internet12 with the Transit_Prefixes context:
Figure 1.8 — default-export Route-Map for l3out-internet12
To support shared services, add Shared-BD context to permit subnet 11.2.1.0/24 (BD_11_2_1_0_24 match rule):
Figure 1.9 — Shared-BD Route Control Context Added to Route-Map
✅ Result: The "Export Route Control Subnet" flag and the L3Out-to-BD association are no longer required. Remove the L3Out association from internet1-bd1 and remove the transit prefixes from the External EPGs.
Figure 1.10 — BD internet1-bd1: L3Out Association Removed
Figure 1.11 — External EPG internet11-ext-epg (Simplified — Transit Prefix Removed)
Figure 1.12 — External EPG internet12-ext-epg (Before ESG Migration)
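To make the route-map semantics concrete, here is an added Python simulation (not code from this guide or from Cisco) of the default-export route-map on l3out-internet12 as built above. With type "Match Routing Policy Only" (APIC stores this as rtctrlProfile type "global") the route-map alone decides what the L3Out advertises: contexts are evaluated in order, the first context whose match rule hits decides permit or deny, and anything unmatched is implicitly denied. The candidate routes are the lab's own prefixes plus one constructed stray route; the deny-context behaviour in the usage note goes beyond what the guide configures.

```python
"""Added simulation of an ACI default-export route-map of type
Match Routing Policy Only (rtctrlProfile type "global"): the route-map alone
decides which prefixes an L3Out advertises, so BD-to-L3Out associations and
Export Route Control Subnet flags become irrelevant."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MatchRule:
    name: str
    prefixes: list                  # prefix strings, e.g. "11.1.1.0/24"
    aggregate: bool = False         # True: also match more-specific routes

    def matches(self, prefix):
        net = ipaddress.ip_network(prefix)
        for p in self.prefixes:
            rule_net = ipaddress.ip_network(p)
            if net == rule_net or (self.aggregate and net.subnet_of(rule_net)):
                return True
        return False


@dataclass
class Context:
    name: str
    order: int                      # lower order is evaluated first
    action: str = "permit"          # "permit" or "deny"
    match_rules: list = field(default_factory=list)


@dataclass
class RouteMap:
    name: str
    type: str                       # "global" = Match Routing Policy Only
    contexts: list = field(default_factory=list)


@dataclass
class Candidate:
    prefix: str
    source: str                     # "bd" or "transit"
    bd_associated: bool = False     # classical: BD associated to this L3Out
    export_rtctrl: bool = False     # classical: Export Route Control Subnet


def route_map_permits(rm, prefix):
    """First context (by order) with a matching rule decides; implicit deny."""
    for ctx in sorted(rm.contexts, key=lambda c: c.order):
        if any(rule.matches(prefix) for rule in ctx.match_rules):
            return ctx.action == "permit"
    return False


def advertised_classical(cands):
    """Classical approach: BD association or Export Route Control Subnet."""
    return {c.prefix for c in cands
            if (c.source == "bd" and c.bd_associated)
            or (c.source == "transit" and c.export_rtctrl)}


def advertised_with_route_map(rm, cands):
    """Match Routing Policy Only: the route-map is the sole export filter."""
    if rm.type != "global":
        raise ValueError("only Match Routing Policy Only (global) is modelled here")
    return {c.prefix for c in cands if route_map_permits(rm, c.prefix)}


def lab_route_map(with_shared_bd=False):
    """default-export on l3out-internet12 as built in this guide; the
    Shared-BD context is the one added for the shared-services case."""
    rm = RouteMap("default-export", "global", [
        Context("Transit_Prefixes", 0,
                match_rules=[MatchRule("Transit_Prefixes", ["192.168.100.205/32"])]),
    ])
    if with_shared_bd:
        rm.contexts.append(Context("Shared-BD", 1,
                                   match_rules=[MatchRule("BD_11_2_1_0_24", ["11.2.1.0/24"])]))
    return rm


def lab_candidates():
    """Routes in internet1-vrf that l3out-internet12 could export
    (constructed from the lab; no classical knobs are set on any of them)."""
    return [
        Candidate("192.168.100.205/32", "transit"),   # learned via l3out-internet11
        Candidate("11.2.1.0/24", "bd"),               # leaked in from internet2-vrf
        Candidate("11.1.1.0/24", "bd"),               # local BD, not meant for this L3Out
        Candidate("10.0.0.0/8", "transit"),           # constructed stray route
    ]


if __name__ == "__main__":
    for shared in (False, True):
        out = advertised_with_route_map(lab_route_map(shared), lab_candidates())
        print("Shared-BD context:", shared, "->", sorted(out))
```

Running it shows the point of the migration: with no association and no flags, the classical path advertises nothing, while the route-map advertises exactly 192.168.100.205/32 and, once the Shared-BD context exists, 11.2.1.0/24 as well. Adding a deny context with a lower order number and an aggregate match rule (for example 11.0.0.0/8) in front of Shared-BD suppresses the leaked BD again, which is the ordering pitfall to watch for when several contexts share a route-map.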
Verification — Route-Map Phase
VM 11.1.1.11 successfully pings 192.168.100.205 (0% packet loss):
Figure 1.13 — Verification: VM→External Connectivity (0% Packet Loss)
Transit routing between both L3Outs confirmed:
Figure 1.14 — Transit Routing Verification: 192.168.100.205 → 192.168.100.206 (0% Loss)
Shared service cross-VRF communication confirmed:
Figure 1.15 — Shared Service Verification (Cross-VRF, 0% Packet Loss)
9. Migrating to ESG
We now migrate the EPGs and External EPGs to Endpoint Security Groups (ESG), using EPG selectors for the internal EPGs and External EPG selectors for the external prefixes.
prod2-esg1 — EPG selector: prod2/prod2-ap1/prod2-epg1:
Figure 1.16 — ESG prod2-esg1: EPG Selector
prod2-l3out11-esg — External EPG selector: prod2/l3out-internet11/internet11-ext-epg:
Figure 1.17 — ESG prod2-l3out11-esg: External EPG Selector
prod2-l3out12-esg — External EPG selector: prod2/l3out-internet12/internet12-ext-epg:
Figure 1.18 — ESG prod2-l3out12-esg: External EPG Selector
prod2-shared-svc-esg — EPG selector: prod2/SHARED-SERVICES/SHARED-EPG1:
Figure 1.19 — ESG prod2-shared-svc-esg: Shared Services Selector
ESGs inherit contracts from original EPGs (Figures 1.20–1.23) — ensuring continuous traffic flow during migration:
Figure 1.20 — prod2-esg1: Inherited Contract via EPG Selector
Figure 1.21 — prod2-l3out11-esg: Inherited Contracts (Provided)
Figure 1.22 — prod2-l3out12-esg: Inherited Transit + Shared Contracts
Figure 1.23 — prod2-shared-svc-esg: Inherited SHARED-SVC Contract
⚠️ Important: EPG-to-ESG contracts are not supported (except ESG to External EPG). New explicit contracts must be applied directly to ESGs.
Explicit ESG contracts applied (Figures 1.24–1.27):
Figure 1.24 — prod2-esg1: Explicit ESG Contract (Consumed)
Figure 1.25 — prod2-l3out11-esg: ESG Contracts Provided
Figure 1.26 — prod2-l3out12-esg: Transit + Shared ESG Contracts
Figure 1.27 — prod2-shared-svc-esg: Shared Service ESG Contract
10. Inter-VRF Leaked Routes for ESG
Replace External EPG selectors with External Subnet Selectors under ESG, and replace "Shared Route Control Subnet" with Inter-VRF Leaked Routes for ESG.
prod2-l3out11-esg: Add 192.168.100.205/32 as External Subnet Selector (Shared = False):
Figure 1.28 — prod2-l3out11-esg: External Subnet Selector (Shared=False)
prod2-l3out12-esg: Add 192.168.100.206/32 with Shared = True (leaks pcTag mapping to the destination VRF — analogous to "Shared Security Import Subnet"):
Figure 1.29 — prod2-l3out12-esg: External Subnet Selector (Shared=True)
Using Inter-VRF Leaked Routes for ESG to replace "Shared Route Control Subnet" flag:
Leak 192.168.100.206/32 from internet1-vrf to internet2-vrf:
Figure 1.30 — Inter-VRF Leaked Routes: 192.168.100.206/32 → internet2-vrf
Leak BD subnet 11.2.1.0/24 from internet2-vrf to internet1-vrf (Allow L3Out Advertisement = True):
Figure 1.31 — Inter-VRF Leaked Routes: 11.2.1.0/24 → internet1-vrf (Allow L3Out Adv = True)
✅ Key Benefit: Inter-VRF Leaked Routes removes the need for "Advertised Externally" and "Shared Between VRFs" on the BD, so the BD configuration is now completely clean. (Note: "Advertised Externally" is still required if the BD needs to be advertised out of an L3Out in the same VRF.)
BD subnet 11.2.1.0/24 now has neither scope checked — fully clean:
Figure 1.32 — BD Subnet 11.2.1.0/24: Clean (No Scopes Required)
BD subnet correctly visible in external routing table on vN9K-2 (connected to l3out-internet12):
Figure 1.33 — External Routing Table: All Routes Correctly Advertised
11. Cleanup & Final Traffic Verification
Remove all prefixes from External EPGs — now managed via ESG External Subnet Selectors
Remove legacy contracts from External EPGs — contracts now applied explicitly at ESG level
Remove contracts from EPGs — no contracts from EPG selectors remain
Remove External EPG selectors from ESGs — retain only External Subnet Selectors
Figure 1.34 — External EPG internet11-ext-epg: All Prefixes Removed
Figure 1.35 — External EPG internet11-ext-epg: Contracts Cleared
Figure 1.36 — External EPG internet12-ext-epg: All Prefixes Removed
Figure 1.37 — External EPG internet12-ext-epg: Contracts Cleared
Figure 1.38 — prod2-esg1: EPG Selector Contracts Cleared
Figure 1.39 — prod2-l3out11-esg: EPG Selector Contracts Cleared
Figure 1.40 — Tenant prod2: All EPG Selector Contracts Cleared
Figure 1.41 — prod2-shared-svc-esg: EPG Selector Contracts Removed
Figure 1.42 — prod2-l3out11-esg: Only External Subnet Selector Remains (Active)
Figure 1.43 — prod2-l3out12-esg: Only External Subnet Selector Remains (Active)
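The cleanup above is easy to verify against an APIC tenant export. The following Python audit is an added example, not code from this guide or a Cisco tool: it walks a tenant tree in the JSON shape the APIC REST API returns (a managed object with "attributes" and "children") and reports every legacy knob the cleanup is meant to remove: l3extSubnet prefixes still carrying export-rtctrl, shared-rtctrl or shared-security, BD subnets still "Shared Between VRFs", leftover fvRsBDToOut associations, and contracts still attached to an EPG or External EPG rather than an ESG. BD subnets that remain "Advertised Externally" are reported separately as informational, since the guide keeps that scope where a same-VRF L3Out still advertises the BD. The before/after trees are constructed from the lab; the gateway addresses and the EPG-side contract name INTERNET11_CNTR are assumptions.

```python
"""Added audit of an APIC tenant export for legacy L3Out knobs that the
cleanup in this guide removes. Input is the MO tree shape returned by the
APIC REST API (/api/mo/uni/tn-<tenant>.json?rsp-subtree=full, unwrapped)."""

LEGACY_L3EXT_SCOPES = {"export-rtctrl", "shared-rtctrl", "shared-security"}
POLICY_HOLDERS = ("fvAEPg:", "l3extInstP:")   # contracts should now live on fvESg


def walk(mo, path=()):
    """Yield (class, attributes, path) for every managed object in the tree."""
    for cls, body in mo.items():
        attrs = body.get("attributes", {})
        label = (attrs.get("name") or attrs.get("ip") or attrs.get("tnVzBrCPName")
                 or attrs.get("tnL3extOutName") or "")
        here = path + (f"{cls}:{label}",)
        yield cls, attrs, here
        for child in body.get("children", []):
            yield from walk(child, here)


def audit(tenant):
    """Return (findings, info). findings must be empty after the cleanup;
    info lists BD subnets still Advertised Externally, which is legitimate
    only where an L3Out in the same VRF still advertises that BD."""
    findings, info = [], []
    for cls, attrs, path in walk(tenant):
        where = "/".join(path)
        scopes = set(attrs.get("scope", "").split(","))
        if cls == "l3extSubnet" and scopes & LEGACY_L3EXT_SCOPES:
            findings.append(f"{where}: legacy External EPG flags {sorted(scopes & LEGACY_L3EXT_SCOPES)}")
        elif cls == "fvSubnet":
            if "shared" in scopes:
                findings.append(f"{where}: BD subnet still Shared Between VRFs")
            if "public" in scopes:
                info.append(f"{where}: BD subnet still Advertised Externally")
        elif cls == "fvRsBDToOut":
            findings.append(f"{where}: BD still associated to an L3Out")
        elif cls in ("fvRsProv", "fvRsCons") and any(p.startswith(POLICY_HOLDERS) for p in path):
            findings.append(f"{where}: contract still attached to EPG/External EPG")
    return findings, info


def _mo(cls, attrs, children=()):
    return {cls: {"attributes": attrs, "children": list(children)}}


def legacy_tenant():
    """Constructed: tenant prod2 before the cleanup (gateway addresses and the
    EPG-side contract name are assumptions)."""
    return _mo("fvTenant", {"name": "prod2"}, [
        _mo("fvBD", {"name": "internet1-bd1"}, [
            _mo("fvSubnet", {"ip": "11.1.1.1/24", "scope": "public"}),
            _mo("fvRsBDToOut", {"tnL3extOutName": "l3out-internet11"}),
        ]),
        _mo("fvBD", {"name": "internet2-bd1"}, [
            _mo("fvSubnet", {"ip": "11.2.1.1/24", "scope": "public,shared"}),
        ]),
        _mo("fvAp", {"name": "prod2-ap1"}, [
            _mo("fvAEPg", {"name": "prod2-epg1"}, [
                _mo("fvRsCons", {"tnVzBrCPName": "INTERNET11_CNTR"}),
            ]),
        ]),
        _mo("l3extOut", {"name": "l3out-internet12"}, [
            _mo("l3extInstP", {"name": "internet12-ext-epg"}, [
                _mo("l3extSubnet", {"ip": "192.168.100.206/32",
                                    "scope": "import-security,shared-rtctrl,shared-security"}),
                _mo("fvRsProv", {"tnVzBrCPName": "TRANSIT_ROUTING_CNTR1"}),
            ]),
        ]),
    ])


def clean_tenant():
    """Constructed: the same tenant after the cleanup; the contract now sits on
    the ESG and the shared BD subnet carries no scope at all."""
    return _mo("fvTenant", {"name": "prod2"}, [
        _mo("fvBD", {"name": "internet1-bd1"}, [
            _mo("fvSubnet", {"ip": "11.1.1.1/24", "scope": "public"}),
        ]),
        _mo("fvBD", {"name": "internet2-bd1"}, [
            _mo("fvSubnet", {"ip": "11.2.1.1/24", "scope": "private"}),
        ]),
        _mo("fvAp", {"name": "prod2-ap1"}, [
            _mo("fvAEPg", {"name": "prod2-epg1"}),
            _mo("fvESg", {"name": "prod2-l3out12-esg"}, [
                _mo("fvRsProv", {"tnVzBrCPName": "TRANSIT_ROUTING_CNTR1"}),
            ]),
        ]),
        _mo("l3extOut", {"name": "l3out-internet12"}, [
            _mo("l3extInstP", {"name": "internet12-ext-epg"}),
        ]),
    ])


if __name__ == "__main__":
    for label, tree in (("before", legacy_tenant()), ("after", clean_tenant())):
        findings, info = audit(tree)
        print(label, "findings:", *findings, sep="\n  ")
        print(label, "info:", *info, sep="\n  ")
```

Against a real fabric, feed the audit the unwrapped fvTenant object from the REST export; an empty findings list is the condition that the External EPGs, BDs and EPGs in this section are really clean, and the info list tells you which BD subnets are still "Advertised Externally" and therefore still depend on a same-VRF L3Out.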
Final Traffic Verification — All 3 Flows
1. BD-to-External: VM 11.1.1.11 pings 192.168.100.205 — 0% packet loss:
Figure 1.44 — Final Verification: BD→External (5/5 Packets, 0% Loss)
2. Transit Routing: l3out-internet11 (192.168.100.205) → l3out-internet12 (192.168.100.206) — 0% loss:
Figure 1.45 — Final Verification: Transit Routing (5/5, 0% Loss)
3. Shared Services (Inter-VRF): BD 11.2.1.11 (internet2-vrf) pings 192.168.100.206 (internet1-vrf) — 0% loss:
Figure 1.46 — Final Verification: Shared Services Inter-VRF (5/5, 0% Loss)
✅ All 3 Traffic Flows Successfully Validated
The ESG + Route-Map + Inter-VRF Leaking architecture achieves identical connectivity to the classical External EPG flag approach — with dramatically less configuration, better TCAM efficiency, and clean separation of routing from policy.
12. Conclusion & Key Takeaways
The use of External Subnet Selectors under ESGs simplifies classification of external prefixes, decoupling it from the originating L3Out entirely. This architecture delivers immense flexibility by separating L3Out connectivity (routing protocols, interface profiles) from policy enforcement (ESG contracts).
What Was Achieved with the Modern Approach
Eliminated all External EPG flags — No Export Route Control, Shared Route Control, or Shared Security Import subnet flags needed
Route-Maps centralize advertisement — BD subnets and transit routes managed in one policy with precise match rules
ESG cleans policy enforcement — Contracts applied at ESG level, spanning multiple BDs with better TCAM efficiency
Inter-VRF leaking simplified — No BD scope flags needed for inter-VRF leaking; specify the destination VRF directly
All 3 traffic scenarios verified — BD-to-external, transit routing, and shared services all at 0% packet loss
⚠️ Disclaimer: This content is for demonstration purposes only and is not a formal design guide or official Cisco recommendation. Refer to official Cisco ACI release notes and documentation, and consult with your internal stakeholders and network architects before implementing these configurations in production.