Proper way to set Contract and Firewall Service Graph for any traffic between VRFs
APIC v 4.2(5l)
I am trying to find out the proper way to set up the contracts and apply a service graph between EPGs/uEPGs in a few different VRFs (and across Tenants). Simply, I want to create a single "VRF1-to-VRF2" contract that I can set any EPG in VRF1 as consumer and then any EPG in VRF2 as provider, and apply a service graph to send this to a firewall. Typically the contract scope will be Tenant, but also Global for some I've done. All filtering for this specific traffic will be managed on the FW.
I have this setup in a handful of areas all around the fabric and the traffic is working exactly as expected but during an unrelated TAC it was pointed out to me that I have numerous F0467 errors raised.
"vzAny share service provider is not supported"
The way I do this currently is to create a simple contract (typically named for the direction of the traffic, i.e. "VRF1-to-VRF2").
Next I set the correct EPGs/uEPGs in the appropriate VRFs as consumer and provider for that Contract. VRF1 as consumer, VRF2 as provider in this example.
Then I apply the service graph (simple routed, route redirect to Palo Alto FW on a specific zone). When it comes up to choose the consumer/provider EPGs, I set consumer as VRF1/AnyEPG and then provider as VRF2/AnyEPG.
Lastly I set the appropriate existing contract subject and set the correct parameters for the BD/PBR/Interface to the FW zone.
All the above works as expected. I can set that contract as consumer for any EPG/uEPG in VRF1 and then provider in any EPG/uEPG in VRF2 and all traffic is properly routed to the FW zone for policy filtering.
Same goes for traffic between Tenants just exporting the provider side created contract and adding as consumed interface on the consumer side. All of this has been working as expected for many months since we brought up the fabric.
During a WebEx session with a TAC engineer on an unrelated issue it was shown to me that we have raised faults in nearly every VRF. The above application of the contract/service graph creates an entry in Tenant > Networking > VRFs > VRFx > EPG Collection for VRF > Provided Contracts. Then clicking on Faults I see all the raised alerts "vzAny shared service provider is not supported" for every time I have configured this in the above described method.
I just did some quick testing and created a new contract between some test EPGs. I was able to confirm traffic between EPGs via the Firewall service graph with the raised fault. I then simply deleted the entry of the contract under Tenant > Networking > VRFs > VRFx > EPG Collection for VRF > Provided Contracts and the fault disappeared and the traffic still functions exactly as expected.
I do not understand what exactly is going on here. I must be doing something incorrect, and there has to be a supported way to accomplish my end goal.
I found this article but it does not apply to what I am trying to accomplish:
The fault you are observing is because of supportability: vzAny is supported as a consumer of a shared service but is not supported as a provider of a shared service.
The fact that it is working for you does not mean it's supported. In other words, it was not tested enough by the Cisco BU to make it a supported design. If you face any problems and you raise a support case, the recommendation you will get from TAC is to move to a supported design. What you can do is, in the provider VRF, instead of providing the contract as vzAny, configure the EPGs to provide the contract.
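An added example (not code from the thread or from Cisco): a small script that scans an APIC-style tenant JSON tree for the unsupported pattern above, a vzAny (EPG Collection for VRF) providing a contract, and builds the supported replacement the answer recommends, an fvRsProv on each EPG in that VRF. The tenant tree, EPG, BD and VRF names are constructed for illustration; the class and attribute names (fvTenant, fvCtx, vzAny, vzRsAnyToProv, fvBD, fvRsCtx, fvAp, fvAEPg, fvRsBd, fvRsProv, tnVzBrCPName) are the ones APIC uses in its JSON export.

```python
# Constructed sample tenant: VRF2's vzAny provides "VRF1-to-VRF2" (the F0467 pattern).
# uEPGs are fvAEPg objects as well, so they are picked up by the same walk.
SAMPLE_TENANT = {"fvTenant": {"attributes": {"name": "Prod"}, "children": [
    {"fvCtx": {"attributes": {"name": "VRF2"}, "children": [
        {"vzAny": {"attributes": {}, "children": [
            {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "VRF1-to-VRF2"}}}]}}]}},
    {"fvBD": {"attributes": {"name": "BD-Web"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF2"}}}]}},
    {"fvBD": {"attributes": {"name": "BD-Client"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF1"}}}]}},
    {"fvAp": {"attributes": {"name": "App"}, "children": [
        {"fvAEPg": {"attributes": {"name": "Web"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "BD-Web"}}}]}},
        {"fvAEPg": {"attributes": {"name": "Client"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "BD-Client"}}}]}}]}}]}}


def _objects(node, cls):
    """Yield the body ({"attributes":..., "children":...}) of every `cls` object in the tree."""
    for key, body in node.items():
        if key == cls:
            yield body
        for child in body.get("children", []):
            yield from _objects(child, cls)


def _children(body, cls):
    """Direct children of `body` that are of class `cls`."""
    return [c[cls] for c in body.get("children", []) if cls in c]


def find_vzany_providers(tenant):
    """Map VRF name -> contracts its vzAny provides, i.e. the unsupported shared-service provider."""
    hits = {}
    for ctx in _objects(tenant, "fvCtx"):
        for vzany in _children(ctx, "vzAny"):
            for rel in _children(vzany, "vzRsAnyToProv"):
                hits.setdefault(ctx["attributes"]["name"], []).append(rel["attributes"]["tnVzBrCPName"])
    return hits


def epgs_in_vrf(tenant, vrf):
    """Resolve EPG -> BD -> VRF and return the names of EPGs whose BD lives in `vrf`."""
    bd_vrf = {bd["attributes"]["name"]: rel["attributes"]["tnFvCtxName"]
              for bd in _objects(tenant, "fvBD") for rel in _children(bd, "fvRsCtx")}
    return sorted(epg["attributes"]["name"] for epg in _objects(tenant, "fvAEPg")
                  for rel in _children(epg, "fvRsBd")
                  if bd_vrf.get(rel["attributes"]["tnFvBDName"]) == vrf)


def supported_provider_config(tenant):
    """For each vzAny-provided contract, the fvRsProv objects to add under every EPG in that VRF."""
    fixes = {}
    for vrf, contracts in find_vzany_providers(tenant).items():
        for contract in contracts:
            for epg in epgs_in_vrf(tenant, vrf):
                fixes.setdefault(epg, []).append({"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}})
    return fixes
```

After posting the fvRsProv objects to the EPGs, the vzRsAnyToProv under the VRF's vzAny is what gets removed, which is the deletion the question describes clearing the fault.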