
Getting EPGs reachable between OpenStack VMM and VMware VMM domains

petar.forai1
Level 1

Hi Everyone,

We're in the middle of an OpenStack pilot project and are still at the discovery and exploration phase of how OpenStack and ACI work together. So far we've achieved basic integration and functionality via the GBP model to get instances running within two EPGs and have contracts between these two.

A new tenant was created with a VRF, BDs with subnets within that VRF. The policy enforcement between the instances across compute nodes is working according to the GBP model. So far so good.

Now we've encountered the use case for having existing EPGs in ACI (for example from a VMware domain) to talk to EPGs from the OpenStack VMM.

The fabric's existing EPGs and their BDs are of course located on non-OpenStack managed/created VRFs and the services running on those EPGs are quite a few -- moving their subnets from BD subnets to EPG subnets to get route leaking working is currently not really an option.

Ideally we would be able to select existing VRFs on the fabric once new L3 GBP policies are created but I haven't found any way to get this done.

Changing VRF properties that are OpenStack-owned is not supported as the consistency checker will immediately remove those (same goes for BDs, subnet, etc.).

From an OpenStack perspective we could use Floating IPs (FIPs) NAT pools where the BD would be assigned an existing VRF but would very much lose policy enforcement as all instances and their FIPs would be within one 'egress' EPG.

One approach seems to be to use a shared L3Out as a route-leaking VRF between existing ACI-side VRFs and the OpenStack-created VRFs but this approach seems quite strange -- can anyone explain if this is really the method to go to from an IP routing perspective?

Another question/issue that popped up is that for an OpenStack-created EPG we can't associate the VMware VMM domain with this EPG since the consistency manager daemon removes the non-OpenStack VMM domain -- is this a limitation of GBP?

1 Reply

petar.forai1
Level 1

I guess what I'm trying to ask here is how to set the subnets of the GBP EPGs to be route leaked if I can't select 'shared between VRFs' or recreate the subnet on the EPG instead of the BD. 

 

 
