
PBR in a contract with vzAny as Provider and Consumer

Hi community,

Has anyone successfully configured PBR in a contract with vzAny acting as both Provider and Consumer (any to any)?

Apparently, the release notes of 3.2(1), White Paper and Cisco Live BRKSEC-2048 all briefly mentioned we could, without further explanation. However, anytime I tried to do so, the APIC raised an error (not a fault, something about rsanyToProv already exists).

I'm running version 3.2(4e) with mixed Gen1 and Gen2 (both Gen1 are dedicated for the PBR node), with the configuration abstracted as below:

  1. Contract PERMIT-ANY > Subject PERMIT-ANY > Filter common/default. Permitted bi-directional, with reverse filter ports enabled.
  2. Apply this contract to vzAny, as both Provided and Consumed Contract.
  3. Apply the existing SG template: Consumer <= PBR node <= Provider. The PBR node (HA firewall) is deployed one-armed.
  4. Configure with the BD of the PBR node (called FW-EXT-CONN), redirect policy and cluster interface.
  5. The above error is raised.

Also, if I tried to configure it as a unidirectional contract, then the contract subject did not even appear while applying the SGT.

I was also trying to configure a vzAny to L3Out EPG (with PBR), which raised the same issue (rsanyToProv already exists).

Specific EPG-to-EPG contracts work fine as they're what we've been using so far.

Not sure if it's a bug or a misconfig on my side, so I'm in need of some help from you.

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: PBR in a contract with vzAny as Provider and Consumer

I gave vzAny-vzAny another shot today. Turned out, I don't have to configure provided and consumed contract at the VRF's vzAny container (folder, MO or whatever you want to call it) BEFORE applying SGT for PBR. I could specify the consumer and provider (both as vzAny) when I applied the PBR SGT to the contract subject.

So I went and did that and BAM! No issue raised. Came back to the vzAny container and the contract was automatically configured under both Provided and Consumed.

Just gonna leave this here as an answer for those who are trying to configure the same as my topology.
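
An added example, not part of the original post and not Cisco code: a Python pre-check that reads vzAny objects from an APIC REST response and lists the VRFs where a contract is already attached as provided or consumed, which is the state described in the question when the rsanyToProv error appeared. The JSON is constructed, and the query shape, the class and attribute names (`vzRsAnyToProv`, `vzRsAnyToCons`, `tnVzBrCPName`) and the tenant/VRF names are assumptions about the object model rather than details from the thread.

```python
import json

# Constructed sample shaped like an APIC class query for vzAny with children
# (assumed query: /api/class/vzAny.json?rsp-subtree=children). Names are made up.
SAMPLE = json.loads("""
{"imdata": [
  {"vzAny": {"attributes": {"dn": "uni/tn-PROD/ctx-VRF1/any"},
             "children": [
               {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "PERMIT-ANY"}}},
               {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "PERMIT-ANY"}}}]}},
  {"vzAny": {"attributes": {"dn": "uni/tn-PROD/ctx-VRF2/any"},
             "children": [
               {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "MGMT"}}}]}},
  {"vzAny": {"attributes": {"dn": "uni/tn-PROD/ctx-VRF3/any"}}}
]}
""")

# Relation classes under vzAny (assumed names) mapped to the contract role.
ROLE = {"vzRsAnyToProv": "provided", "vzRsAnyToCons": "consumed"}

def vzany_relations(response):
    """Map each vzAny DN to the contracts it already provides/consumes."""
    result = {}
    for item in response.get("imdata", []):
        mo = item.get("vzAny")
        if mo is None:
            continue  # ignore any other object class in the response
        roles = {"provided": [], "consumed": []}
        for child in mo.get("children", []):  # a vzAny may have no children
            for cls, body in child.items():
                if cls in ROLE:
                    roles[ROLE[cls]].append(body["attributes"]["tnVzBrCPName"])
        result[mo["attributes"]["dn"]] = roles
    return result

def preexisting(response, contract):
    """Return sorted (dn, role) pairs where `contract` already sits on vzAny."""
    return sorted((dn, role)
                  for dn, roles in vzany_relations(response).items()
                  for role, names in roles.items() if contract in names)

if __name__ == "__main__":
    for dn, role in preexisting(SAMPLE, "PERMIT-ANY"):
        print(f"{dn}: PERMIT-ANY already {role} on vzAny before the SGT is applied")
```
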
