Saturday, October 19, 2019

[Cisco ACI] PBR in a contract with vzAny as Provider and Consumer

Hi r/networking,

Has anyone successfully configured PBR in a contract with vzAny acting as both Provider and Consumer (any to any)?

Apparently, the 3.2(1) release notes, the white paper and the Cisco Live session BRKSEC-2048 all briefly mention that this is possible, without further explanation. However, any time I tried to do so, the APIC raised an error (not a fault; something about rsanyToProv already existing).

I'm running version 3.2(4e) with mixed Gen1 and Gen2 switches (both Gen1 switches are dedicated to the PBR node). The configuration can be abstracted as follows:

  1. Contract PERMIT-ANY > Subject PERMIT-ANY > Filter common/default. Permitted bidirectionally, with reverse filter ports enabled.
  2. Apply this contract to vzAny, as both Provided and Consumed Contract.
  3. Apply the existing SG template: Consumer <= PBR node <= Provider. The PBR node (HA firewall) is deployed one-armed.
  4. Configure the BD of the PBR node (called FW-EXT-CONN), the redirect policy and the cluster interface.
  5. The above error is raised.

Also, if I tried to configure it as a unidirectional contract, the contract subject did not even appear when applying the SGT.

I also tried to configure vzAny to an L3Out EPG (with PBR), which raised the same issue (rsanyToProv already exists).

Specific EPG-to-EPG contracts with PBR work fine as they're what we've been using so far.

Not sure if it's a bug or a misconfig on my side, so I'm in need of some help from you.

Thanks in advance.
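Added example, not part of the original post or of the poster's configuration: a small Python helper that expresses steps 1 and 2 above as the APIC REST objects the GUI creates (vzBrCP > vzSubj > vzRsSubjFiltAtt under the tenant, and vzRsAnyToProv / vzRsAnyToCons under the VRF's vzAny), plus a pre-flight check that scans a vzRsAnyToProv class query for a vzAny that already provides the same contract. The relation's rn is rsanyToProv-<contract>, which is the object the post's "rsanyToProv already exists" error names, so listing existing relations before applying the service graph is a reasonable first diagnostic. The tenant and VRF names and the query response are constructed for the example; the post does not name them. Posting the payloads to a real APIC (the usual `POST /api/mo/uni.json`) is left out so the script runs offline.

```python
import re

# Assumed names for the example; the post only names the contract
# (PERMIT-ANY), subject (PERMIT-ANY), filter (common/default) and the
# PBR node's BD (FW-EXT-CONN).
TENANT = "EXAMPLE-TN"
VRF = "EXAMPLE-VRF"
CONTRACT = "PERMIT-ANY"


def contract_payload(tenant, contract=CONTRACT, subject="PERMIT-ANY", filt="default"):
    """Step 1 of the post as APIC objects: contract > subject > filter relation.

    tnVzFilterName="default" resolves to the tenant's own 'default' filter if
    it exists, otherwise to common/default (normal ACI name resolution).
    revFltPorts="yes" is the 'reverse filter ports' checkbox; scope="context"
    is the default VRF scope.
    """
    return {
        "fvTenant": {
            "attributes": {"dn": f"uni/tn-{tenant}"},
            "children": [{
                "vzBrCP": {
                    "attributes": {"name": contract, "scope": "context"},
                    "children": [{
                        "vzSubj": {
                            "attributes": {"name": subject, "revFltPorts": "yes"},
                            "children": [{
                                "vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filt}}
                            }],
                        }
                    }],
                }
            }],
        }
    }


def vzany_payload(tenant, vrf, contract=CONTRACT):
    """Step 2 of the post: attach the contract to the VRF's vzAny as both
    provided (vzRsAnyToProv) and consumed (vzRsAnyToCons)."""
    return {
        "vzAny": {
            "attributes": {"dn": f"uni/tn-{tenant}/ctx-{vrf}/any"},
            "children": [
                {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": contract}}},
                {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": contract}}},
            ],
        }
    }


# dn of a vzAny-provided-contract relation: the rn is rsanyToProv-<contract>.
_RS_PROV_DN = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ctx-(?P<vrf>[^/]+)/any/rsanyToProv-")


def existing_providers(imdata, tenant, contract):
    """Pre-flight check over the 'imdata' list of a
    GET /api/class/vzRsAnyToProv.json response.

    Matches on tDn (the target contract's dn) rather than on the contract
    name alone, so a same-named contract in another tenant is not counted.
    Returns the VRF names whose vzAny already provides the contract.
    """
    target = f"uni/tn-{tenant}/brc-{contract}"
    vrfs = []
    for mo in imdata:
        attrs = mo.get("vzRsAnyToProv", {}).get("attributes", {})
        if attrs.get("tDn") != target:
            continue
        m = _RS_PROV_DN.match(attrs.get("dn", ""))
        if m:
            vrfs.append(m.group("vrf"))
    return vrfs


# Constructed sample response, not captured from a real fabric: one VRF in the
# same tenant already provides PERMIT-ANY, another tenant has a same-named but
# different contract, and a third relation is for an unrelated contract.
SAMPLE_IMDATA = [
    {"vzRsAnyToProv": {"attributes": {
        "dn": f"uni/tn-{TENANT}/ctx-LEGACY-VRF/any/rsanyToProv-{CONTRACT}",
        "tDn": f"uni/tn-{TENANT}/brc-{CONTRACT}"}}},
    {"vzRsAnyToProv": {"attributes": {
        "dn": f"uni/tn-OTHER-TN/ctx-PROD/any/rsanyToProv-{CONTRACT}",
        "tDn": f"uni/tn-OTHER-TN/brc-{CONTRACT}"}}},
    {"vzRsAnyToProv": {"attributes": {
        "dn": f"uni/tn-{TENANT}/ctx-{VRF}/any/rsanyToProv-WEB-TO-DB",
        "tDn": f"uni/tn-{TENANT}/brc-WEB-TO-DB"}}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(contract_payload(TENANT), indent=2))
    print(json.dumps(vzany_payload(TENANT, VRF), indent=2))
    print("vzAny already provides", CONTRACT, "in VRFs:",
          existing_providers(SAMPLE_IMDATA, TENANT, CONTRACT))
```

On a live fabric the check would be fed the `imdata` array of `GET /api/class/vzRsAnyToProv.json` after logging in; any VRF it returns other than the one you are about to configure is a candidate for the duplicate-relation complaint and worth inspecting before the service graph is attached.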


