Solved: Contract for EPG to BD subnet

linusTS · ‎10-04-2022

Hi there, I am new to ACI, just have a question when dealing with the Contracts, but I don't have ACI device to test it:

Let's say Endpoints in EPG-A needs to communicate with Endpoints under BD-B

both EPG-A and BD-B are in the same VRF
VRF policy control is enforced
they are in different BD
the subnet is created in the BD-B and there is no EPG members under the BD-B

1. Can they communicate without using a contract by default?

2. If yes, how can they communicate? If no, how to make it work?

Thanks in advance.

Sergiu.Daniluk · ‎10-04-2022

Hi @linusTS

the subnet is created in the BD-B and there is no EPG members under the BD-B

You said there is no EPG member under the BD. This means that the BD subnet (SVI) will not be configured on any leaf.

In other words, you will not be able to `ping` it from anywhere since it doesn't exists.

1. Can they communicate without using a contract by default?
2. If yes, how can they communicate? If no, how to make it work?

To simplify the discussion, only EPGs, ESGs or VRFs can consume or provide a contract. When it comes to communication between EPs from a EPG/BD and the IP address configured on a different BD, as far as I remember (I will test it tomorrow) you don't need a contract. If I am wrong, I will come back and rectify my statement.

In your case, to make the ping work, first you need to configure at least an EPG in the BD and distribute that EPG on a leaf (easiest way through static path).

Take care,

Sergiu

View solution in original post

Sergiu.Daniluk · ‎10-04-2022

Hi @linusTS

the subnet is created in the BD-B and there is no EPG members under the BD-B

You said there is no EPG member under the BD. This means that the BD subnet (SVI) will not be configured on any leaf.

In other words, you will not be able to `ping` it from anywhere since it doesn't exists.

1. Can they communicate without using a contract by default?
2. If yes, how can they communicate? If no, how to make it work?

To simplify the discussion, only EPGs, ESGs or VRFs can consume or provide a contract. When it comes to communication between EPs from a EPG/BD and the IP address configured on a different BD, as far as I remember (I will test it tomorrow) you don't need a contract. If I am wrong, I will come back and rectify my statement.

In your case, to make the ping work, first you need to configure at least an EPG in the BD and distribute that EPG on a leaf (easiest way through static path).

Take care,

Sergiu

linusTS · ‎10-05-2022

Hi Sergiu,

"You said there is no EPG member under the BD. This means that the BD subnet (SVI) will not be configured on any leaf."
> Thanks for sharing this helpful concept!

How about the Shadow EPGs? Will Service Graph automatically create a Shadow EPG under the BD of a L4-L7 device?

If I create a BD for the F5 VIP subnet, is it right that I don't need to manually create an EPG for the BD? Then how can I know there is a Shadow EPG under a BD?

"Service Graph – Use Service Graph on a contract between the L3Out EPG “External” for the external network and “Web” EPG. The EPGs (called “internal service EPGs” or “shadow EPGs”) for the load balancer external and internal interfaces are automatically created through Service Graph rendering. The internal service EPGs are not displayed in the GUI, and the user doesn’t need to manage them."
>Source: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743890.html

Sorry for so many questions.

Sergiu.Daniluk · ‎10-05-2022

The moment when you deploy your service graph, the shadow epg is automatically created. This means that on the Service Leaf, the BD IP address will be configured as well. At that moment you will be able to ping it.

RedNectar · ‎10-04-2022

Hi @linusTS ,

I don't understand your question, it is a jig-saw puzzle with missing pieces. Please complete the diagram below to show the relationships between the Endpoints that belong to an EPG (Endpoints do NOT assigned to BDs or VRFs - Endpoints are assigned to EPGs. EPGs are assigned to BDs. BDs are assigned to VRFs)

If there are no Endpoints in EPG-B - then HELLO - you can't communicate with that which does not exist! Although I don't really think that is what you meant!

IF you meant can EPG-A endpoints communicate with EPG-B endpoints as shown below, then then answer is NO, not unless

there is a contract between the EPGs OR
Preferred groups has been enabled under the VRF AND
- Each EPG is a member of the preferred group
A contract is provided and consumed by the VRF (vzAny)
Both EPGs are assigned to the same ESG
Policy Control Enforcement for the VRF is Unenforced, but
- You say you have this as Enforced, and
- you really should leave it as Enforced (my advice)

So, perhaps the solution you are looking for is to use an ESG

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Sergiu.Daniluk · ‎10-05-2022

I think he just want to ping from an EP from EPG-A to the Anycast GW of BD-B, as a test probably.

linusTS · ‎10-05-2022

Hi RedNectar,

The reason I ask this question is I find a deployed ACI environment uses a BD subnet without any EPGs associated with it in GUI. The BD is used for Service Graph.
And I am wondering how can it work without a contract between other EPGs and the BD. Looks like there is a shadow EPG under the BD which is automatically created by the Service Graph.
Thanks for sharing the information about how two endpoints can communicate.