10-16-2015 02:29 PM - edited 03-01-2019 04:52 AM
Hi
I can't figure out how to form a contract between a routed L3 out and the AP's other EPGs. Within the AP I've added the external L3 domain to the domains. But I can't figure out how to form a contract between external L3 out and an internal EPG. The docs reference 1.0 in many places and there external EPGs and the domain enforcement within the EPG seem to be a bit different.
10-16-2015 03:18 PM
Hi petar.forai1,
There are a few configuration steps you'll need to follow.
(1) Create a contract, with an associated subject. The subject will contain filters and corresponding filter entries.
(2) Within the Application Profile, under the EPG, right click on the "Contracts" folder and select either "Add Provided Contract" or "Add Consumed Contract" depending on your desired traffic flow.
(3) Within the External Routed Network (L3 Out), on the External Network Instance Profile you created, make sure the Subnets listed have the "Security Import Subnet" option checked. This option is required to enforce policy on those subnets (via contracts) for traffic coming in/going out of the L3 out.
(4) Within the External Routed Network (L3 Out), on the created External Network Instance Profile, go to the Contracts tab towards the upper right of the work pane. Here you can apply the contract you created earlier to the L3 Out as either provided, consumed, or both.
You're enforcing policy between the internal EPG and the External EPG (device traffic coming in through the L3 Out) by having the contract on both.
Also, please let me know which documents you're referencing. If they are unclear or need updating, I can work towards improving them.
Hope this helps.
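Steps (1) to (4) above expressed as the APIC object tree, with a check that the contract sits on both the internal EPG and the External Network Instance Profile and that the external subnet carries the `import-security` scope (the API value behind "Security Import Subnet"). This is an added example, not part of the original replies; all names, the 0.0.0.0/0 subnet, the single-tenant layout and the EPG-provides / L3 Out-consumes direction are assumptions.

```python
def mo(cls, attrs, *children):
    """One APIC managed object in the JSON shape the REST API uses."""
    return {cls: {"attributes": attrs, "children": list(children)}}

def build_tenant(contract="web-ct", subnet_scope="import-security", l3out_side="fvRsCons"):
    """Object tree for steps (1)-(4). All names are constructed sample values."""
    return mo("fvTenant", {"name": "example-tn"},
        mo("vzFilter", {"name": "https-flt"},                       # step 1: filter + entry
           mo("vzEntry", {"name": "https", "etherT": "ip", "prot": "tcp",
                          "dFromPort": "443", "dToPort": "443"})),
        mo("vzBrCP", {"name": contract},                            # step 1: contract + subject
           mo("vzSubj", {"name": "https-subj"},
              mo("vzRsSubjFiltAtt", {"tnVzFilterName": "https-flt"}))),
        mo("fvAp", {"name": "example-ap"},
           mo("fvAEPg", {"name": "web-epg"},
              mo("fvRsProv", {"tnVzBrCPName": contract}))),         # step 2: EPG provides
        mo("l3extOut", {"name": "example-l3out"},
           mo("l3extInstP", {"name": "ext-epg"},
              mo("l3extSubnet", {"ip": "0.0.0.0/0", "scope": subnet_scope}),  # step 3
              mo(l3out_side, {"tnVzBrCPName": contract}))))         # step 4

def walk(node):
    """Yield (class, attributes, children) for every object in the tree."""
    (cls, body), = node.items()
    yield cls, body["attributes"], body["children"]
    for child in body["children"]:
        yield from walk(child)

def audit(tree, contract):
    """List what would stop `contract` being enforced between the EPG and the L3 Out."""
    sides, problems = {"fvAEPg": set(), "l3extInstP": set()}, []
    for cls, _, children in walk(tree):
        if cls not in sides:
            continue
        for ccls, cattrs, _ in (next(walk(c)) for c in children):
            if ccls in ("fvRsProv", "fvRsCons") and cattrs["tnVzBrCPName"] == contract:
                sides[cls].add(ccls)
            elif ccls == "l3extSubnet" and "import-security" not in cattrs["scope"].split(","):
                problems.append(f"subnet {cattrs['ip']}: Security Import Subnet not set")
    if not sides["fvAEPg"]:
        problems.append("contract not attached to the internal EPG")
    if not sides["l3extInstP"]:
        problems.append("contract not attached to the External Network Instance Profile")
    if (sides["fvAEPg"] | sides["l3extInstP"]) != {"fvRsProv", "fvRsCons"}:
        problems.append("contract needs one provider and one consumer")
    return problems

if __name__ == "__main__":
    print(audit(build_tenant(), "web-ct") or "contract enforced on both sides")
```

The audit expects every `l3extSubnet` to carry an explicit `scope`, as it does in a configuration read back from the APIC.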
10-19-2015 11:35 AM
Hi Robert,
Thanks for your explanation. Is it normal that I don't see the L3ext icon (the L3 ext cloud icon for external EPGs) within an AP that needs to talk to L3 ext out? I should mention that I'm not in the common tenant and I needed to replace the bridge domain and private network to get L3 ext connectivity (since the L3ext is configured under common tenant and one of its private networks/contexts).
TIA,
P
11-06-2015 02:38 AM
Hi Petar,
What tenant are the "private networks" in that you are wanting to make the common L3Ext accessible to?
If they are in the mgmt tenant, this is not possible. The mgmt tenant is a special type of tenant and cannot access anything outside of itself.
@vbootstrap
05-17-2019 07:22 AM
Hello,
Could you please elaborate on the following:
(2) Within the Application Profile, under the EPG, right click on the "Contracts" folder and select either "Add Provided Contract" or "Add Consumed Contract" depending on your desired traffic flow.
Do I have to apply both contracts on consume and provide direction? Or either is enough?