PBR in a contract with vzAny as Provider and Consumer

tuanquangnguyen
Level 1

Hi community,

Has anyone successfully configured PBR in a contract with vzAny acting as both Provider and Consumer (any to any)?

Apparently, the 3.2(1) release notes, the white paper and Cisco Live BRKSEC-2048 all briefly mention that we can, without further explanation. However, any time I tried to do so, the APIC raised an error (not a fault; something about rsanyToProv already existing).

I'm running version 3.2(4e) with mixed Gen1 and Gen2 switches (both Gen1 switches are dedicated to the PBR node); the configuration can be abstracted as below:

  1. Contract PERMIT-ANY > Subject PERMIT-ANY > Filter common/default. Permitted bidirectionally, with Reverse Filter Ports enabled.
  2. Apply this contract to vzAny, as both Provided and Consumed Contract.
  3. Apply the existing SG template: Consumer <= PBR node <= Provider. The PBR node (HA firewall) is deployed one-armed.
  4. Configure the BD of the PBR node (called FW-EXT-CONN), the redirect policy and the cluster interface.
  5. The above error is raised.

Also, if I tried to configure it as a unidirectional contract, the contract subject did not even appear when applying the SGT.

I also tried to configure vzAny to an L3Out EPG (with PBR), which raised the same issue (rsanyToProv already exists).

Specific EPG-to-EPG contracts work fine as they're what we've been using so far.

I'm not sure whether it's a bug or a misconfiguration on my side, so I need some help from you.

Thanks in advance.

ciscolive-pbr-vzany.png

Accepted Solution

tuanquangnguyen
Level 1

I gave vzAny-vzAny another shot today. It turned out that I don't have to configure the provided and consumed contract at the VRF's vzAny container (folder, MO or whatever you want to call it) BEFORE applying the SGT for PBR. I could specify the consumer and provider (both as vzAny) when I applied the PBR SGT to the contract subject.

So I went and did that and BAM! No issue raised. I came back to the vzAny container and the contract was automatically configured under both Provided and Consumed.

I'm just going to leave this here as an answer for those who are trying to configure the same as my topology.

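For anyone who would rather push this from the REST API than the service graph wizard, below is the end state the accepted answer describes (contract subject with the PBR graph attached, vzAny providing and consuming that contract, the redirect policy and the one-armed firewall's BD/cluster interface) as a single APIC XML policy. This is an added example, not configuration from the original post or from Cisco's documentation. The tenant (PROD), VRF (PROD-VRF), graph template (FW-PBR-GRAPH), node name (N1), device (FW-HA), cluster interface (one-arm) and the redirect IP/MAC are placeholders; the contract, subject, filter and BD names are the ones from the post. The graph template and the logical device are assumed to exist already (the poster's "existing SG template" and HA firewall). Class and attribute names follow the APIC object model as I know it; check them against the object-model reference for your release (the poster is on 3.2(4e)) before posting.

```xml
<!-- Added example: POST to https://<apic>/api/mo/uni.xml with a valid APIC-cookie.
     Placeholders: tenant PROD, VRF PROD-VRF, graph FW-PBR-GRAPH, node N1,
     device FW-HA, cluster interface one-arm, redirect IP/MAC.
     Assumed to pre-exist: vnsAbsGraph FW-PBR-GRAPH (routingMode="Redirect" on N1)
     and vnsLDevVip FW-HA with logical interface one-arm. -->
<polUni>
  <fvTenant name="PROD">

    <!-- Step 1: contract PERMIT-ANY > subject PERMIT-ANY > filter common/default,
         bidirectional with Reverse Filter Ports, and the PBR graph attached to the subject.
         scope="context" keeps the vzAny contract inside the VRF. -->
    <vzBrCP name="PERMIT-ANY" scope="context">
      <vzSubj name="PERMIT-ANY" revFltPorts="yes">
        <vzRsSubjFiltAtt tnVzFilterName="default"/>
        <vzRsSubjGraphAtt tnVnsAbsGraphName="FW-PBR-GRAPH"/>
      </vzSubj>
    </vzBrCP>

    <!-- Step 2: vzAny of the VRF is both provider and consumer.
         These are the rsanyToProv / rsanyToCons relations the wizard created
         automatically in the accepted answer; here they are posted in the same
         transaction as the graph attachment above. -->
    <fvCtx name="PROD-VRF">
      <vzAny>
        <vzRsAnyToProv tnVzBrCPName="PERMIT-ANY"/>
        <vzRsAnyToCons tnVzBrCPName="PERMIT-ANY"/>
      </vzAny>
    </fvCtx>

    <!-- Step 4a: redirect policy pointing at the firewall's one-armed interface,
         which lives in BD FW-EXT-CONN (IP/MAC are placeholders). -->
    <vnsSvcCont>
      <vnsSvcRedirectPol name="FW-PBR">
        <vnsRedirectDest ip="10.255.0.10" mac="00:11:22:33:44:55"/>
      </vnsSvcRedirectPol>
    </vnsSvcCont>

    <!-- Step 4b: device selection policy binding graph node N1 (for this contract
         and graph) to the firewall, and both connectors to the same BD,
         the same cluster interface and the same redirect policy (one-armed PBR). -->
    <vnsLDevCtx ctrctNameOrLbl="PERMIT-ANY" graphNameOrLbl="FW-PBR-GRAPH" nodeNameOrLbl="N1">
      <vnsRsLDevCtxToLDev tDn="uni/tn-PROD/lDevVip-FW-HA"/>
      <vnsLIfCtx connNameOrLbl="consumer">
        <vnsRsLIfCtxToBD tDn="uni/tn-PROD/BD-FW-EXT-CONN"/>
        <vnsRsLIfCtxToLIf tDn="uni/tn-PROD/lDevVip-FW-HA/lIf-one-arm"/>
        <vnsRsLIfCtxToSvcRedirectPol tnVnsSvcRedirectPolName="FW-PBR"/>
      </vnsLIfCtx>
      <vnsLIfCtx connNameOrLbl="provider">
        <vnsRsLIfCtxToBD tDn="uni/tn-PROD/BD-FW-EXT-CONN"/>
        <vnsRsLIfCtxToLIf tDn="uni/tn-PROD/lDevVip-FW-HA/lIf-one-arm"/>
        <vnsRsLIfCtxToSvcRedirectPol tnVnsSvcRedirectPolName="FW-PBR"/>
      </vnsLIfCtx>
    </vnsLDevCtx>

  </fvTenant>
</polUni>
```

After posting, the check is the same one the accepted answer did by hand: under the VRF's vzAny you should see PERMIT-ANY listed once as provided and once as consumed (a GET on uni/tn-PROD/ctx-PROD-VRF/any with query-target=children returns both vzRsAnyToProv and vzRsAnyToCons), and the contract subject should show FW-PBR-GRAPH attached. Because both connectors of the device selection policy point at the same BD and cluster interface, this is the one-armed layout the poster describes; the two-interface (inside/outside) variant would use a second logical interface and BD on the provider side.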


How did you configure the routing on the firewall?

With PBR, there is an inside and an outside interface, and typically we put a route to send traffic from the inside/outside interface to the outside/inside interface.

With vzAny, any EPG can be a provider/consumer. The white paper says that the firewall PBR contract can be both provider and consumer in vzAny, but I am not sure how the routing would be configured on the firewall.

Thanks

I know this thread is old, but just in case you are still curious: you would configure the firewall as one-armed for this specific use case. The firewall would then have a default route to its BD gateway, and ACI would take care of the rest.
