10-19-2019 12:50 PM
Hi community,
Has anyone successfully configured PBR in a contract with vzAny acting as both Provider and Consumer (any to any)?
Apparently, the release notes of 3.2(1), White Paper and Cisco Live BRKSEC-2048 all briefly mentioned we could, without further explanation. However, anytime I tried to do so, the APIC raised an error (not a fault, something about rsanyToProv already exists).
I'm running version 3.2(4e) with mixed Gen1 and Gen2 (both Gen1 are dedicated for the PBR node), and the configuration can be abstracted as below:
Also, if I tried to configure it as a unidirectional contract, then the contract subject did not even appear while applying the SGT.
I was also trying to configure a vzAny to L3Out EPG (with PBR) which raised the same issue (rsanyToProv already exists)
Specific EPG-to-EPG contracts work fine as they're what we've been using so far.
Not sure if it's a bug or a misconfig on my side, so I'm in need of some help from you.
Thanks in advance.
10-20-2019 01:32 AM
I gave vzAny-vzAny another shot today. Turned out, I don't have to configure the provided and consumed contract at the VRF's vzAny container (folder, MO or whatever you want to call it) BEFORE applying the SGT for PBR. I could specify the consumer and provider (both as vzAny) when I applied the PBR SGT to the contract subject.
So I went and did that and BAM! No issue raised. Came back to the vzAny container and the contract was automatically configured under both Provided and Consumed.
Just gonna leave this here as an answer for those who are trying to configure the same as my topology.
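For anyone who prefers to see the end state as an object tree rather than GUI clicks: below is an added example (not configuration from the original poster or from Cisco) of what the resulting policy looks like as an APIC REST payload once the service graph is attached to the contract subject and vzAny is both consumer and provider. Tenant, VRF, contract, filter and service graph names are placeholders; the class names (fvCtx, vzAny, vzRsAnyToProv, vzRsAnyToCons, vzBrCP, vzSubj, vzRsSubjGraphAtt) are the standard ACI MIT classes. Note that an any-to-any vzAny contract permits every EPG in the VRF to reach every other one, so the filter and the PBR redirect to the firewall are what actually enforce policy; review both before applying this in a VRF that previously relied on EPG-to-EPG contracts for isolation.

```xml
<!-- Added example: end state of a vzAny-to-vzAny contract with a PBR service graph.
     All names are placeholders; POST to /api/mo/uni.xml on the APIC. -->
<polUni>
  <fvTenant name="TENANT_PLACEHOLDER">
    <fvCtx name="VRF_PLACEHOLDER">
      <!-- vzAny of the VRF: the same contract is both provided and consumed.
           The original poster observed that APIC creates these two relations
           automatically when consumer and provider are chosen as vzAny while
           applying the service graph; they are shown here for completeness.
           Creating them by hand first is what triggered the
           "rsanyToProv already exists" error described in the thread. -->
      <vzAny>
        <vzRsAnyToProv tnVzBrCPName="ANY2ANY_PBR_CONTRACT"/>
        <vzRsAnyToCons tnVzBrCPName="ANY2ANY_PBR_CONTRACT"/>
      </vzAny>
    </fvCtx>

    <!-- The contract itself; scope="context" keeps it within this VRF. -->
    <vzBrCP name="ANY2ANY_PBR_CONTRACT" scope="context">
      <vzSubj name="ALL_TRAFFIC">
        <!-- Filter placeholder: narrow this to what the firewall should see.
             "default" (from tenant common) would match all IP traffic. -->
        <vzRsSubjFiltAtt tnVzFilterName="FILTER_PLACEHOLDER"/>
        <!-- Attaching the service graph template (SGT) to the subject is
             what turns the contract into a PBR redirect through the firewall. -->
        <vzRsSubjGraphAtt tnVnsAbsGraphName="FW_PBR_GRAPH_PLACEHOLDER"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>
```

After posting, the two vzRsAny* relations under the VRF's vzAny and the vzRsSubjGraphAtt under the subject are the three objects to verify in Visore or with a GET on the contract DN; if either vzRsAny relation already existed from an earlier manual attempt, delete it before re-applying the graph.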
08-11-2020 09:42 AM
How did you configure the routing on the firewall?
With PBR, there is an inside and an outside interface and typically we put a route to send traffic from inside/outside to outside/inside interface.
With vzAny, any EPG can be a provider/consumer. The whitepaper says that the firewall PBR contract can be both provider and consumer in vzAny, but I am not sure how the routing would be configured on the firewall.
Thanks
03-03-2023 12:10 PM - edited 03-03-2023 12:11 PM
I know this thread is old, but just in case you are still curious, you would configure the firewall as one-armed for this specific use case. The firewall would then have a default route to its BD gateway and ACI would take care of the rest.