Re: ACI, FW service insertion. VRF,BD,SG,contract in common tenant but EPG in user tenant

Oleg Bukhalov · ‎09-24-2020

Hello experts!
I need your support to understand why the FW service is not working in my lab installation.
In my lab the Bridge Domain (BD), subnet, VRF, contract and L3Out are all configured in the Tenant common while the endpoint groups (EPGs) are configured in respective user Tenant. (the topology is in the attachment)

Is it supported design for service inserion?

P.S. Everything works fine when I:
- move the EPGs to the common tenant
- remove the reference to the service graph from the contract

jgomezve · ‎09-24-2020

Hello,

Have you tried to create the contract in the user tenant?

Please also try to create the 'Device Selection Policies' in the User Tenant. Avoid using the Wizard

Robert Burns · ‎09-24-2020

Ensure the contract scope is set to Global. The default 'vrf' scope will not work if the two EPGs are in different VRFs.

Robert

tuanquangnguyen · ‎09-24-2020

Just want to mention in his topo, all EPGs are associated to BDs in the same VRF. So contract scope with VRF should suffice.

In fact, if these EPGs are in the same AppProf then the scope AppProf would also work

Hi @Oleg Bukhalov,

Can you double-check if:

The BD is configured correctly?
- Unicast Routing with Subnet being the connection between ACI Leaf and L4-L7
- IP Data-plane Learning should be disabled, but not necessary after certain ACI code (3.x or something), in which ACI fabric would disable Data-plane Learning in L4-L7 Function Connectors/Shadow EPGs)
The L4-L7 Concrete Interface and Cluster Interface is configured correctly?
- Physical: check Physical Domain, Path and encap VLAN. Check if the same encap VLAN is tagged on L4-L7 device's interface (untagged is not supported)
- Virtual: check VNIC. Also check if the Port Group is pushed to VDS, and is the VNIC assigned to that Port Group
L4-L7 Redirect Policy - is it configured with correct Destination (IP/MAC of L4-L7 Device's interface)?
You cannot apply Service Graph Template if it neither sees the EPGs (as in your topo) nor Contract
- Hence, you could manually create a L4-L7 Device Selection Policy with two Function Connectors (consumer and provider). Associate Device Selection Policy with the correct Contract, Graph and Device.
- Associate the correct BD, Redirect Policy and Cluster Interface to the Function Connectors
- Then, go to the Contract Subject that you would want to redirect, and apply the L4-L7 Service Graph
- Check if there's a Graph Instance being deployed

Oleg Bukhalov · ‎09-25-2020

Hi all,

The contract scope is global.

The configuration of VRF,user and service BD, redirect policy is good. I know it because everything is fine when I move the EPGs to common tenant.

As tuanquangnguyen adviced, I created L4-L7 Device selection manually, then add it to the contract and attach this contract to the EPGs in the user tenant. But I see the error "Configuration is invalid due to No device context found for LDev" under Deployed Graph Instances in user tenant.

I can't create the L4-L7 Device selection in user tenant because it doesn't see the device (which is created in the common tenant).

Oleg Bukhalov · ‎10-20-2020

Hello everyone,

I found finally that such a design is not supported. It is not possible to deploy the service graph defined in common tenant in the user tenant. If you need to do so, you must import the service graph device from common tenant to user tenant, then create the service graph template in user tenant and, finally, deploy it in user tenant.

I hope this will be useful to someone.