Service Graph created in Common Tenant not forwarding traffic

bl80
Level 1

Looking for any troubleshooting steps I can take (validation in the CLI I can do, ELAM, etc.) to identify why this is not working.

L4/L7 device defined in our "Prod" tenant. Single-arm, unmanaged firewall. Very straightforward configuration and works great 100% of the time. Bridge Domain created for each Zone on the Firewalls, Policy-Based Route created for each Zone, and based on traffic flow we apply the SG to forward the traffic to the necessary Zone where we need to see the traffic.

Trying to leverage the Common tenant for some traffic and forward traffic to a newly created "Common" zone on the Firewall.

For prep:

Created new vlan ID to the vlan pool that is tied to the physical domain of the FW. Created a Bridge Domain in Common/default with /30 subnet. 

Created the interface on the appropriate tagged interface on the Firewall with second IP of the same /30 (verified I can ping from the FW to the Bridge Domain just fine).

Created a PBR in Common/default to the correct IP/Mac address (mac is the aggregate interface of the FW with all the tagged vlans).

Created an L4/L7 device in Common using the same physical domain and devices that's used in the PROD tenant.

Created just the Cluster concrete interface for this "Common" vlan as it's the only interface that will be used here in the Common tenant.

Created basic contract between some EPGs and validated working.

Applied the SG to the contract and set the consumer and provider as the same PBR/BD and Interface as it's just a simple one-arm deployment.

Nothing is being sent to the FW from what I can tell. Pcap at the FW interface does not show anything trying to get there.

I reverted all the device-specific build in Common and added that cluster interface to the existing FW device in the PROD tenant and then exported that to Common to see if that was the solution, but same results.

Hopefully this is a supported implementation to use in the Common tenant.

Any troubleshooting steps I can take to try to identify where this traffic is being dropped/incorrectly forwarded? Appreciate any assistance in this. Opened TAC as well.

1 Reply

tuanquangnguyen
Level 1

Is either the BD associated with the consumer EPG and/or the provider EPG in the same VRF as common:default? If both are not, then it would not work as per the PBR requirement. Can I maybe assume that all the test EPGs use BDs in VRF common:default?
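As an added example (not part of the original thread, and not Cisco's or APIC's own code), the following script encodes the question the reply asks: walk consumer EPG, provider EPG and the PBR bridge domain down to their VRF and report whether all three land in the same one. It assumes a trimmed, APIC-style inventory of `fvAEPg`, `fvBD` and `fvCtx` objects keyed by DN (a stand-in for what `GET /api/class/<class>.json` returns), and mirrors APIC's resolution of named relations (`fvRsBd.tnFvBDName`, `fvRsCtx.tnFvCtxName`): the object's own tenant first, then tenant common. The sample inventory is constructed for this example.

```python
"""Offline VRF-consistency check for an ACI PBR service graph.

Do the consumer EPG's BD, the provider EPG's BD and the PBR (service) bridge
domain all resolve to the same VRF (here common:default)?  Named relations are
resolved the way APIC does it: local tenant first, then tenant common.
The inventory below is constructed for this example, not real configuration.
"""
import re
from typing import Optional

TENANT_RE = re.compile(r"^uni/tn-([^/]+)/")

# Constructed sample inventory (assumed shape: trimmed APIC objects keyed by DN).
SAMPLE_INVENTORY = {
    "vrfs": [
        {"dn": "uni/tn-Prod/ctx-Prod-VRF"},
        {"dn": "uni/tn-common/ctx-default"},
    ],
    "bds": [
        # Prod zone BDs in VRF Prod-VRF
        {"dn": "uni/tn-Prod/BD-Zone-A", "fvRsCtx": {"tnFvCtxName": "Prod-VRF"}},
        {"dn": "uni/tn-Prod/BD-Zone-B", "fvRsCtx": {"tnFvCtxName": "Prod-VRF"}},
        # Prod BD whose VRF name exists only in common -> resolves to common:default
        {"dn": "uni/tn-Prod/BD-Shared", "fvRsCtx": {"tnFvCtxName": "default"}},
        # BD in common used by a provider EPG
        {"dn": "uni/tn-common/BD-Shared-Svc", "fvRsCtx": {"tnFvCtxName": "default"}},
        # the /30 PBR bridge domain for the firewall's "Common" zone
        {"dn": "uni/tn-common/BD-FW-Common", "fvRsCtx": {"tnFvCtxName": "default"}},
    ],
    "epgs": [
        {"dn": "uni/tn-Prod/ap-App/epg-Web", "fvRsBd": {"tnFvBDName": "Zone-A"}},
        {"dn": "uni/tn-Prod/ap-App/epg-DB", "fvRsBd": {"tnFvBDName": "Zone-B"}},
        {"dn": "uni/tn-Prod/ap-App/epg-Shared-Web", "fvRsBd": {"tnFvBDName": "Shared"}},
        {"dn": "uni/tn-common/ap-Shared/epg-Shared-DB", "fvRsBd": {"tnFvBDName": "Shared-Svc"}},
    ],
}


def tenant_of(dn: str) -> str:
    """Tenant name from a DN such as uni/tn-Prod/BD-Zone-A."""
    m = TENANT_RE.match(dn)
    if not m:
        raise ValueError(f"not a tenant-scoped DN: {dn}")
    return m.group(1)


def resolve(kind: str, name: str, local_tenant: str, inventory: dict) -> Optional[str]:
    """DN of the BD ('bd') or VRF ('vrf') called `name`: local tenant first,
    then tenant common; None if neither exists (an unresolved relation)."""
    prefix = {"bd": "BD-", "vrf": "ctx-"}[kind]
    known = {mo["dn"] for mo in inventory[kind + "s"]}
    for tenant in (local_tenant, "common"):
        dn = f"uni/tn-{tenant}/{prefix}{name}"
        if dn in known:
            return dn
    return None


def vrf_of_bd(bd_dn: str, inventory: dict) -> Optional[str]:
    """VRF DN a bridge domain resolves to, or None if BD or VRF is missing."""
    bd = next((b for b in inventory["bds"] if b["dn"] == bd_dn), None)
    if bd is None:
        return None
    return resolve("vrf", bd["fvRsCtx"]["tnFvCtxName"], tenant_of(bd_dn), inventory)


def vrf_of_epg(epg_dn: str, inventory: dict) -> Optional[str]:
    """VRF DN an EPG lands in via its BD, or None if any hop is unresolved."""
    epg = next((e for e in inventory["epgs"] if e["dn"] == epg_dn), None)
    if epg is None:
        return None
    bd_dn = resolve("bd", epg["fvRsBd"]["tnFvBDName"], tenant_of(epg_dn), inventory)
    return None if bd_dn is None else vrf_of_bd(bd_dn, inventory)


def check_pbr_vrf(consumer_epg: str, provider_epg: str, service_bd: str,
                  inventory: dict) -> dict:
    """Report whether all three legs land in one VRF; any unresolved leg fails."""
    vrfs = {
        "consumer": vrf_of_epg(consumer_epg, inventory),
        "provider": vrf_of_epg(provider_epg, inventory),
        "service_bd": vrf_of_bd(service_bd, inventory),
    }
    unresolved = [leg for leg, vrf in vrfs.items() if vrf is None]
    ok = not unresolved and len(set(vrfs.values())) == 1
    return {"ok": ok, "vrfs": vrfs, "unresolved": unresolved}


if __name__ == "__main__":
    fw_bd = "uni/tn-common/BD-FW-Common"
    for cons, prov in [
        ("uni/tn-Prod/ap-App/epg-Web", "uni/tn-Prod/ap-App/epg-DB"),
        ("uni/tn-Prod/ap-App/epg-Shared-Web", "uni/tn-common/ap-Shared/epg-Shared-DB"),
    ]:
        report = check_pbr_vrf(cons, prov, fw_bd, SAMPLE_INVENTORY)
        print("OK " if report["ok"] else "BAD", report["vrfs"])
```

The first pair in the sample reproduces the situation the thread describes (Prod EPGs on Prod-VRF, PBR BD on common:default) and is flagged; the second pair, where both EPG BDs resolve to common:default, passes. To run it against a real fabric, replace `SAMPLE_INVENTORY` with the DNs and relation names pulled from APIC.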