
How to create a Service Graph on the contract.

thsmfe001
Level 1

Hi all,

I have been trying to adapt ACI to a service provider, but it is difficult to fit it to an SP environment.

Above all, the service graph hasn't worked, even though I configured everything based on a document regarding service graph.

** I can't understand why the BD and VRF have to be split to render a service graph. Does it mean another BD and VRF should be added for the service graph?

I heard that a contract doesn't support a redirect action.

So the traffic interested in a contract can't be forwarded to a device cluster on a service graph.

If anyone has succeeded with a service graph with multiple device clusters, let me know how to do it.

Thank you.

Yun.

6 Replies

stcorry
Cisco Employee

Hey Yun, are you able to attach a simple topology of what you are trying to do?  

 

In general, this configuration allows you to use the Fabric as the gateway for your EPGs and the requirement for split context is that the traffic from the server will go directly to the gateway, and from the gateway is forced through the firewall to reach the other context. Without this configuration, the server traffic will be routed from one gateway to the other. When you configure the separate VRF, you make the Appliance the hop between the VRFs. 

 

If you set the Appliance as the gateway you might get around this but have other tradeoffs. 

Thank you for your answer.

As you mentioned, I tried to configure APIC to do a service graph.

** Splitting the BD and VRF between EPGs and attaching a service graph with an ASA.

But the ASA couldn't get the profile from APIC under the separated VRF and BD.

To solve the problem I had to configure the same VRF between the BDs.

Could you check whether this is a normal situation or a misconfiguration issue?

In addition, I wonder whether static routing is needed on each VRF domain to forward traffic to the ASA.

If that is right, how do I configure static routing on the VRF side?

Thank you.

 

I have the same question. Could you let me know how to solve it?

Thank you.

Hi zhang,

Service Graph isn't perfect yet.

As you know, ACI doesn't support a redirect action to forward traffic to a service graph.

For that reason you have to use static routes on the devices for the service graph.

According to the documents for service graph, VRFs are separated between the internal and external network on each device.

But it didn't work well; a port group for the device wasn't provided by APIC.

For that reason I had to configure the same VRF for the service graph and configure static routes on each device.

It's just like static routing, not automation for service chaining.

In my opinion, you'd better use service graph after the redirect action is supported on the contract.

 

 

Hi Everyone,

The networking requirements depend on how you want to deploy the services.  In general you need to have a separate Bridge Domain (BD) for the provider and consumer EPGs.  The only exception is when deploying an ADC in one-arm mode.  In that case, both the provider and consumer EPGs must be in the same BD.

Support for multiple VRFs (i.e. contexts) is dependent on the capabilities of the service node (firewall, ADC, etc.) itself.  Setting a device as multi-context in ACI doesn't make it multi-context; it has to be supported on the device itself.

I'm happy to put together a quick WebEx to walk through the different deployments and configuration for L4-7 services in ACI.  You can send me your contact information to seils@cisco.com.

Regards,

Zach

There is one more question to clarify the behavior of a contract.

Service Graph is applied based on a contract, so an action under a filter is crucial.

I guess that we wouldn't be in trouble if the redirect action worked well.

Could you let me know whether ACI supports the redirect action or not?

Thank you.

 
