Scribd Logo
Upload

Welcome to Scribd!

  • BRKACI-2644 p3

    Uploaded by

    Carlos Alonzm
    6 views8 pages
    Shadow EPGs connect external interfaces on a device to internal interfaces to provide services, with the external "consumer connector" interface representing clients and the internal "provider connector" interface representing the servers; each interface is assigned its own policy tag and VLAN to isolate traffic; contracts must be configured bidirectionally between the shadow EPG and client/server EPGs as well as between interfaces to allow connectivity.

    Original Description:

    tshoot aci p3

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Shadow EPGs connect external interfaces on a device to internal interfaces to provide services, with the external "consumer connector" interface representing clients and the internal "provider connector" interface representing the servers; each interface is assigned its own policy tag and VLAN to isolate traffic; contracts must be configured bidirectionally between the shadow EPG and client/server EPGs as well as between interfaces to allow connectivity.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views8 pages

    BRKACI-2644 p3

    Uploaded by

    Carlos Alonzm
    Shadow EPGs connect external interfaces on a device to internal interfaces to provide services, with the external "consumer connector" interface representing clients and the internal "provider connector" interface representing the servers; each interface is assigned its own policy tag and VLAN to isolate traffic; contracts must be configured bidirectionally between the shadow EPG and client/server EPGs as well as between interfaces to allow connectivity.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 8

    Shadow EPGs

    Quick Review!
    How does policy enforcement work L1 L2
    • Each EPG is represented by a policy
    tag, or PCTag
    • Source Tag (sClass, or source class) EP2
    EP1
    is applied on ingress
    • Source PCTag is carried in VXLAN EPG EPG
    header Client Web
    leaf1# show vlan id 64 extended PCTag PCTag
    VLAN Name Encap Ports 16002 16003
    ---- -------------------------------- ---------------- ------------------
    64 ciscoLive:PBR:Web vlan-3067 Eth1/1, Eth1/2,

    leaf1# vsh_lc -c "show system internal eltmc info vlan 64" | egrep sclass
    sclass: 16002

    Leaf 1# show zoning-rule scope 2490374


    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | 4269 | 16002 | 16003 | 16 | uni-dir | enabled | 2490374 | | permit | fully_qual(7) |

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
    What are shadow EPGs? External and internal
    interfaces
    A ‘two armed’ example L1 L2

    • Shadow EPGs connect to the service


    Device EP1 EP2
    • External Interface is called the
    “Consumer Connector” EPG Shadow EPG
    • Internal interface is the “Provider Client EPG Web
    Connector”
    • Each is represented by a VLAN and Provider Connector
    has its own PCTag

    Cons Prov

    Consumer Connector
    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
    EPGs and PCTags L1 L2

    leaf1# show vlan id 64 extended


    VLAN Name Encap Ports
    ---- -------------------------------- ---------------- ------------------ EP1 EP2
    64 ciscoLive:PBR:Web vlan-3067 Eth1/1, Eth1/2,

    leaf1# show vlan id 140 extended


    EPG EPG
    Client Web 16003
    VLAN Name Encap Ports
    16004
    16001
    ---- -------------------------------- ---------------- ------------------
    140 ciscoLive:ASA_FWctxv1:provider: vlan-3100 Eth1/23, Eth1/24 16002 Shadow
    EPG

    leaf1# vsh_lc -c "show system internal eltmc info vlan 64" | egrep sclass
    sclass: 16002

    leaf1# vsh_lc -c "show system internal eltmc info vlan 140" | egrep sclass
    sclass: 16004

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
    Shadow EPGs & contracts
    L1 L2
    • EPG Client to EPG Web (Redirect)
    • EPG Web to EPG Client (Redirect)
    • Consumer Conn to Client (uni-dir Filter) EP1 EP2
    • Provider Conn to Web (uni-dir default)
    EPG EPG
    Client Web 16003
    16004
    16001 16002 Shadow
    EPG

    Leaf 1# show zoning-rule scope 2490374


    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | 4269 | 16003 | 16001 | 16 | uni-dir | enabled | 2490374 | | permit | fully_qual(7) |
    | 4561 | 16001 | 16002 | 15 | bi-dir | enabled | 2490374 | | redir(destgrp-24) | fully_qual(7) |
    | 4537 | 16002 | 16001 | 16 | uni-dir-ignore | enabled | 2490374 | | redir(destgrp-24) | fully_qual(7) |
    | 4536 | 16004 | 16002 | default | uni-dir | enabled | 2490374 | | permit | src_dst_any(9) |
    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
    Common issues
    1) Unable to ping Consumer connector L1 L2

    The filter between shadow EPG and


    EP1
    Consumer or provider is
    unidirectional by default. Ping/HTTP
    EPG
    Client 16003
    Enable Direct Connect on the
    Virt. IP
    Graph Template to create EPG to 16001 Shadow
    Shadow EPG contracts EPG

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
    Common Issues
    2) Routing on Service Device L1 L2

    Service Device route for Provider


    subnet points through consumer EP1 EP2
    connector
    EPG EPG
    Consumer connector does not have a Client Web 16003
    contract and direct connect does not 16004
    16001 16002 Shadow
    fix this EPG

    ciscoasa# show route


    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
    Gateway of last resort is 172.16.2.2 to network 0.0.0.0

    S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.2.2, inside


    S 192.168.1.0 255.255.255.0 [1/0] via 172.16.1.2, outside
    S 192.168.2.0 255.255.255.0 [1/0] via 172.16.1.2, outside

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
    Common Issues
    2) Routing on Service Device L1 L2

    Use a 1 arm service graph for PBR!


    EP1 EP2
    Service device (FW etc) should know if
    traffic should be allowed or not! EPG EPG
    ciscoasa# show route Client Web 16003
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP Shadow
    Gateway of last resort is 172.16.2.2 to network 0.0.0.0
    16001 16002 EPG
    S* 0.0.0.0 0.0.0.0 [1/0] via 172.16.2.2, inside

    Leaf 1# show zoning-rule scope 2490374


    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+
    | 4269 | 16003 | 16001 | 16 | uni-dir | enabled | 2490374 | | permit | fully_qual(7) |
    | 4561 | 16001 | 16002 | 15 | bi-dir | enabled | 2490374 | | redir(destgrp-24) | fully_qual(7) |
    | 4537 | 16002 | 16001 | 16 | uni-dir-ignore | enabled | 2490374 | | redir(destgrp-24) | fully_qual(7) |
    | 4536 | 16003 | 16002 | default | uni-dir | enabled | 2490374 | | permit | src_dst_any(9) |
    +---------+--------+--------+----------+----------------+---------+---------+------+-------------------+----------------------+

    BRKACI-2644 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

    You might also like