I need your support to understand why the FW service is not working in my lab installation.
In my lab the Bridge Domain (BD), subnet, VRF, contract and L3Out are all configured in the common tenant, while the endpoint groups (EPGs) are configured in the respective user tenant. (The topology is in the attachment.)
Is it a supported design for service insertion?
P.S. Everything works fine when I:
- move the EPGs to the common tenant
- remove the reference to the service graph from the contract
Just want to mention that in his topo, all EPGs are associated to BDs in the same VRF. So contract scope with VRF should suffice.
In fact, if these EPGs are in the same AppProf then the scope AppProf would also work.
Hi @Oleg Bukhalov,
Can you double-check if:
The contract scope is global.
The configuration of VRF, user and service BD, redirect policy is good. I know it because everything is fine when I move the EPGs to the common tenant.
As tuanquangnguyen advised, I created the L4-L7 Device selection manually, then added it to the contract and attached this contract to the EPGs in the user tenant. But I see the error "Configuration is invalid due to No device context found for LDev" under Deployed Graph Instances in the user tenant.
I can't create the L4-L7 Device selection in the user tenant because it doesn't see the device (which is created in the common tenant).
I finally found that such a design is not supported. It is not possible to deploy the service graph defined in the common tenant in the user tenant. If you need to do so, you must import the service graph device from the common tenant to the user tenant, then create the service graph template in the user tenant and, finally, deploy it in the user tenant.
I hope this will be useful to someone.