
Service Graph shadow EPG or how to create a contract for L4-7 devices

Hi folks,

 

I have a firewall attached to ACI as an L4-7 device, using it in conjunction with Service Graph functionality and Policy-Based Redirect. Everything is fine for EPGs communicating across the Service Graph; however, how do I apply a contract to the transfer network of the firewall itself?

 

I understand that by creating an L4-7 device, shadow EPGs are automatically created, but how do I apply policy to those?

The firewall itself should be able to talk e.g. to the DNS server using the cluster interface configured in ACI. Therefore, I need a contract between the device and the DNS-EPG. Unfortunately I'm unable to figure out how to achieve this.

 

Any suggestions are highly appreciated!

 

Kind regards,

Nik

Accepted Solutions

Re: Service Graph shadow EPG or how to create a contract for L4-7 devices

Hi,

Is DNS-EPG one of the provider or consumer EPGs used in the service graph? If yes, then what you are looking for is the "Direct Connect" option. Using this setting in the service graph, you can enable communication (individually):

  • from the consumer EPG to the consumer connector of the PBR node
  • from the provider EPG to the provider connector of the PBR node

Additional details about this option can be found in the ACI PBR white paper: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

 

Cheers,

Sergiu
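
Because Direct Connect opens a path between an EPG and a PBR node connector, it is worth auditing which service graph connections have it enabled. The Python check below is an added example, not part of the original post or of Cisco's documentation; it assumes the APIC object model names `vnsAbsGraph`, `vnsAbsConnection`, its `directConnect` attribute (default assumed to be "no") and `vnsRsAbsConnectionConns`, and the tenant, graph and node names in the sample XML are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a one-node PBR graph template in the shape of an APIC
# XML export. Tenant "Prod", graph "FW-PBR" and node "N1" are made up.
SAMPLE_GRAPH = """
<vnsAbsGraph name="FW-PBR">
  <vnsAbsConnection name="C1" directConnect="yes">
    <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-PBR/AbsTermNodeCon-T1/AbsTConn"/>
    <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-PBR/AbsNode-N1/AbsFConn-consumer"/>
  </vnsAbsConnection>
  <vnsAbsConnection name="C2" directConnect="no">
    <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-PBR/AbsNode-N1/AbsFConn-provider"/>
    <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-PBR/AbsTermNodeProv-T2/AbsTConn"/>
  </vnsAbsConnection>
</vnsAbsGraph>
"""


def describe_end(tdn):
    """Name one end of a connection from its target DN."""
    node = re.search(r"/AbsNode-([^/]+)/AbsFConn-([^/]+)$", tdn)
    if node:
        return f"{node.group(1)}:{node.group(2)} connector"
    if "/AbsTermNodeCon-" in tdn:
        return "consumer EPG"
    if "/AbsTermNodeProv-" in tdn:
        return "provider EPG"
    return tdn  # unknown shape: report the DN unchanged


def direct_connect_findings(xml_text, approved=frozenset()):
    """List connections with Direct Connect on; mark those not in `approved`.

    `approved` is a set of (graph name, connection name) pairs that were
    reviewed and are expected to have the setting enabled.
    """
    findings = []
    for graph in ET.fromstring(xml_text).iter("vnsAbsGraph"):
        for conn in graph.iter("vnsAbsConnection"):
            # A missing attribute is treated as the assumed default, "no".
            if conn.get("directConnect", "no") != "yes":
                continue
            ends = [describe_end(rs.get("tDn", ""))
                    for rs in conn.iter("vnsRsAbsConnectionConns")]
            key = (graph.get("name"), conn.get("name"))
            findings.append({"graph": key[0], "connection": key[1],
                             "opens": " <-> ".join(ends),
                             "approved": key in approved})
    return findings
```

Run it against an exported graph template and pass the reviewed pairs in `approved`; any finding with `approved` set to `False` is a Direct Connect path nobody signed off on.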


Re: Service Graph shadow EPG or how to create a contract for L4-7 devices

Thank you Sergiu,

 

that is exactly what I was looking for! I already tested it in the lab and it does the job :)

 

Kind regards,

Nik


Re: Service Graph shadow EPG or how to create a contract for L4-7 devices

Hi Nik,

Glad to hear that the solution was helpful!

Have a nice rest of the week and stay safe!
Cheers,

Sergiu