Overview
This article is written against ACI version 2.1. Screenshots and outputs may vary if you are using newer versions.
Note, the term VRF (Virtual Routing and Forwarding) may be interchanged with "Context" and "Private Network" throughout various versions of ACI.
vzAny: What is it?
The "Any" endpoint group is a collection of all of the EPGs (endpoint groups) within a VRF (also known as a context or private network). It provides a shorthand way to refer to all of the EPGs within that VRF. This shorthand eases management by giving a single point of contract configuration for all EPGs within a VRF, and it also optimizes hardware resource consumption by applying the contract to this one group rather than to each EPG individually.
In other words, if you have 1000 EPGs that are all part of the same VRF/private network, you can apply the contract(s) to this one vzAny group under the VRF/private network, rather than on each EPG.
How do I use it?
Applying a contract to the vzAny group is simple. In the APIC GUI, navigate to the vzAny configuration page under the VRF/private network to which you wish to apply a contract. The path for this is Tenants -> (Your Tenant) -> Networking -> Private Networks or VRFs -> (Your Private Network or VRF) -> EPG Collection for VRF.
To apply a contract to this group, click on the "+" symbol next to Provided Contracts, and then choose the contract you wish to apply. Click Update to apply the contract. Next, click on the "+" symbol next to Consumed Contracts, and choose the contract you wish to apply. Click Update, and then click Submit after you have added all of your contracts.
================= PLEASE FOLLOW THESE RULES WHEN USING VZANY ================
If 'any to any' connectivity between EPGs in the Bridge Domain is required, the correct way to do this is to make the VRF operate in 'Unenforced' mode.
When using the vzAny collection of EPGs, do not configure it as both provider and consumer of the common/default contract. Use more specific contract filter rules when deploying contracts via the vzAny option.
The following combination is not supported and could lead to intermittent connectivity issues.
Enforced and common/default contract for provider and consumer is an invalid combination.
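The unsupported combination above can be checked for in an exported tenant configuration. The following is an added example, not part of the original article or Cisco's own tooling: it walks a tenant in the APIC JSON object format and reports enforced VRFs whose vzAny both provides and consumes the contract named "default". The sample tenant, VRF names and function names are constructed for illustration, and the check assumes that name resolves to the common/default contract.

```python
import json

# Constructed sample tenant in APIC JSON object format (not from a real fabric).
SAMPLE_TENANT = json.loads("""
{"fvTenant": {"attributes": {"name": "ExampleTenant"}, "children": [
  {"fvCtx": {"attributes": {"name": "prod", "pcEnfPref": "enforced"}, "children": [
    {"vzAny": {"attributes": {}, "children": [
      {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "default"}}},
      {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "default"}}}]}}]}},
  {"fvCtx": {"attributes": {"name": "lab", "pcEnfPref": "unenforced"}, "children": [
    {"vzAny": {"attributes": {}, "children": [
      {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "default"}}},
      {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "default"}}}]}}]}},
  {"fvCtx": {"attributes": {"name": "web", "pcEnfPref": "enforced"}, "children": [
    {"vzAny": {"attributes": {}, "children": [
      {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "Web-Services"}}}]}}]}}
]}}
""")


def vzany_contracts(fv_ctx):
    """Return (provided, consumed) contract-name sets attached to a VRF's vzAny."""
    provided, consumed = set(), set()
    for child in fv_ctx.get("children", []):
        for rel in child.get("vzAny", {}).get("children", []):
            for cls, bucket in (("vzRsAnyToProv", provided), ("vzRsAnyToCons", consumed)):
                if cls in rel:
                    bucket.add(rel[cls]["attributes"]["tnVzBrCPName"])
    return provided, consumed


def find_invalid_vzany(tenant, contract="default"):
    """Names of enforced VRFs whose vzAny both provides and consumes `contract`."""
    flagged = []
    for child in tenant["fvTenant"].get("children", []):
        ctx = child.get("fvCtx")
        if ctx is None:
            continue
        # A VRF is treated as enforced unless pcEnfPref says otherwise.
        if ctx["attributes"].get("pcEnfPref", "enforced") != "enforced":
            continue
        provided, consumed = vzany_contracts(ctx)
        if contract in provided and contract in consumed:
            flagged.append(ctx["attributes"]["name"])
    return flagged


if __name__ == "__main__":
    print(find_invalid_vzany(SAMPLE_TENANT))
```

Only the enforced VRF with the contract on both sides of vzAny is reported; the unenforced VRF and the VRF that only consumes Web-Services pass.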
The correct way to use vzAny, if you want any EPG in the VRF to be able to consume the Web-Services contract, is to consume that contract on vzAny.
And then on the EPG where the Web-Services are provided, configure the Web-Services contract as a provided contract.
Another usage example:
Here all EPGs under the VRF provide contract A (because the VRF provides it), but only EPG MGMT consumes it. Let's assume contract A permits SSH, and the customer wants to initiate SSH from devices in MGMT to any other device in the VRF. Provide the contract on the VRF using vzAny, and consume it on the one EPG from which SSH will be initiated. In essence EPG MGMT also provides contract A, but unless some other EPG consumes it, only devices in EPG MGMT can open SSH.
Caveats to keep in mind:
The condition that is created by using vzAny providing and consuming the common/default contract, along with enforced mode on the VRF, is addressed in CSCus74188.
The use of vzAny does not include the L3 out EPG. This has been corrected in the 1.11j release. This is addressed in CSCuu13617.