wskinner1
Beginner

Anyone gotten ESGs to work in a multi-site configuration?

Unlike EPGs, the ESGs don't seem to respect multi-site contracts. An ESG at site 1 won't talk to an ESG at site 2 even with an allow all filter and contract between them.

Has anyone found a way around this, like going through an l2/l3 out to go through the ISN?

Trying to find a good grouping mechanism to allow default communication between new subnets / vlans. vzAny and Preferred group don't give enough granularity for me, being as they go after the entire vrf or a single subset of it. ESGs sound good, but getting it to work between sites seems to be the issue.

9 REPLIES
Robert Burns
Cisco Employee

ESGs are currently not exposed/supported with MSO, even if you're trying to use an MSO-created contract with APIC-created ESGs. The cross-site translation is what is not yet supported.

Robert

Sergiu.Daniluk
VIP Advocate

Hi @wskinner1 

ESG is not supported **YET** in multi-site.

I made a request for this feature to be supported a long time ago, not sure if and when it will be supported.

Maybe @Robert Burns can give us some hope ^_^

EDIT: haha seems like Robert replied faster than me

Thanks,

Sergiu

Yup, knew it wasn't "supported", just curious if someone found a workaround. Like ESG -> ExtEPG -> ISN -> ExtEPG -> ESG
ESGs don't look like they got any attention in 5.1 or 5.2 releases. Still IP selector only, and no MSO integration.

Honestly, your best bet currently would be to leverage standard contracts.  You get the support and granularity you need.  You can even leverage inherited contracts if wanted.  I wouldn't recommend the L3out option as you lose all the policy granularity, vrf containment, cross-site visibility etc.  

Robert

P.S. Not that it applies to your situation, but ESGs have been improved in APIC 5.2 where now you can base ESG membership on Tag, and EPG membership in addition to IP subnets.  

I was thinking of the L3out option as well, which at the moment sounds like the only option.

When it comes to policy enforcement granularity, playing with ExtEPGs & subnets for ExtEPGs wouldn't help?

@Sergiu.Daniluk You could make it work, just would be clunky and a very manual process as you'd have to manually tie both sides' policies together to achieve the result. ESGs & Standard contracts have better matching options compared solely to L3 LPMs.

Robert

Totally agree with you about ESGs & Contracts, but since ESG is not available for msite, I guess there's not much else that can be done.

It's on the roadmap for next year, but not yet committed. This means we need to hear the request from more customers to prioritize ESG support. I've created an enhancement request to help track this: CSCvz17670. Please open a quick TAC SR, and simply ask them to link this to the case - it will help improve prioritization.

Robert

I'll definitely open a service request! @wskinner1 please open a case as well. The more cases are attached to the enhancement request, the better.

Thanks,

Sergiu