09-16-2017 06:54 AM - edited 03-01-2019 05:20 AM
On my ACI network my VRFs are set to unenforced mode. I want to transition the network from unenforced to enforced mode, but everything still needs to be basically IP any any. The network is not production yet, but I don't want to impact the testing that's currently being done on it.
The 2 options I want to use are either vzAny or preferred group membership. My first question is how would I do this with vzAny? What do I need to change and where do I apply it without breaking things? This includes all EPGs, including the external EPG.
Preferred group seems to be a bit more straightforward to configure. My question here is which is the better way to go? Preferred group or vzAny? If I do decide to use preferred group, can I have a contract between my preferred group EPGs and non-preferred group EPGs?
Thx
09-21-2017 01:06 AM - edited 09-21-2017 01:09 AM
Hi
I would recommend going for preferred group. vzAny is okay if you do a permit-any kind of design (aka network-centric design), but as soon as you want to apply some more granular policies in the same VRF you might put yourself in a dead-end situation.
If you work with a preferred group it's pretty easy: all EPGs inside the preferred group are able to communicate without a contract. EPGs outside of the preferred group must have contracts in place. Also, if communication between an EPG outside of the preferred group and an EPG inside the group is needed, a contract must be in place.
Just remember: the preferred group is not an object, it's just a way to configure permit statements, so you can't configure a contract between a non-preferred group EPG (let's assume the name of this EPG is "EPG-X") and the preferred group itself. Instead you must apply a contract between EPG-X and each and every EPG inside the preferred group to which EPG-X must be able to communicate.
Also have a look at the restrictions (for instance if you do transit routing):
HTH
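As an added illustration (not code from the thread or from Cisco), here is a small Python model of the rules in the answer above: EPGs inside the preferred group talk without a contract, everything else needs a contract, and a vzAny relation counts as a contract held by every EPG in the VRF. It lists which EPG pairs would stop talking when the VRF is flipped from unenforced to enforced, which is the check the original poster wants before making the change; all tenant, VRF, EPG and contract names are constructed, and the model ignores filters, contract scope and the L3Out/transit-routing restrictions.

```python
from itertools import combinations

class Epg:
    """An EPG (or L3Out external EPG) and its contract relations."""
    def __init__(self, name, preferred=False, provided=(), consumed=()):
        self.name = name
        self.preferred = preferred      # Preferred Group Member set to include
        self.provided = set(provided)   # contracts this EPG provides
        self.consumed = set(consumed)   # contracts this EPG consumes

class Vrf:
    """A VRF with its EPGs, its vzAny relations and the preferred-group switch."""
    def __init__(self, name, pref_group=False, vzany_provided=(), vzany_consumed=()):
        self.name = name
        self.pref_group = pref_group    # preferred group enabled on the VRF
        self.vzany_provided = set(vzany_provided)
        self.vzany_consumed = set(vzany_consumed)
        self.epgs = []

def allowed_when_enforced(vrf, a, b):
    """True if EPGs a and b can still talk once the VRF is set to enforced."""
    if vrf.pref_group and a.preferred and b.preferred:
        return True                     # inside the group no contract is needed
    # vzAny stands for every EPG in the VRF, so its relations apply to a and b
    prov_a = a.provided | vrf.vzany_provided
    cons_a = a.consumed | vrf.vzany_consumed
    prov_b = b.provided | vrf.vzany_provided
    cons_b = b.consumed | vrf.vzany_consumed
    return bool(prov_a & cons_b) or bool(prov_b & cons_a)

def pairs_losing_connectivity(vrf):
    """EPG pairs that talk today (unenforced) but would be blocked when enforced."""
    return sorted((a.name, b.name) for a, b in combinations(vrf.epgs, 2)
                  if not allowed_when_enforced(vrf, a, b))

if __name__ == "__main__":
    # Constructed data: two EPGs in the preferred group, EPG-X outside it, and an
    # L3Out reached through a contract consumed by vzAny (all names are made up).
    prod = Vrf("VRF_Prod", pref_group=True, vzany_consumed={"c-ext"})
    prod.epgs += [Epg("EPG-Web", preferred=True), Epg("EPG-App", preferred=True),
                  Epg("EPG-X", consumed={"c-x"}), Epg("L3Out-Ext", provided={"c-ext"})]
    for pair in pairs_losing_connectivity(prod):
        print("would be blocked after enforcing:", pair)   # the two EPG-X pairs
```

Running it shows EPG-X cut off from both group members while the L3Out stays reachable through vzAny, matching the point that EPG-X needs its own contract with each group EPG it must reach.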
10-06-2017 03:42 AM
Hi Marcel,
Concerning the use of "Preferred group" instead of vzAny, what about if I'd go for the use of both of them?
I mean, let's suppose a scenario of migration from brownfield to ACI where in each Tenant I would have just one VRF (in the scheme in the attachment named VRF Prod) where all the internal EPGs/BDs/VLANs are allowed to talk to each other (in the legacy environment they do inter-VLAN routing).
Now I want to let them talk to the external world via different L3Out external EPGs for different reasons.
What about introducing the "Preferred Group" to let them talk to each other (saving contracts) and at the same time having "vzAny" in place as well internally in the same VRF, introducing two new VRFs, VRF EXT_Prod and VRF FWINTRA_PROD, in order to have:
- 5 contracts between vzAny and L3Out external EPGs (as shown in the drawing)
- 4 contracts between L3Out FWINTRA_Prod and the remaining 4 L3Out external EPGs