top of page
Writer's pictureMukesh Chanderia

PBR end-to-end Packet Flow

Updated: Jul 3

  1. Each EGP is represented by PCTag



2. Shadow EPG (Firewall) connect to the service Device (EPG)



3. Traffic in between EGPs will be redirected & from shadow EGP towards EGPs will be unidirectional.




4. EG1 sends packet to EP2 via Leaf1. L1 does route & policy lookup - Redirect to Service BD/Service MAC (If Leaf1 doesn't know where the MAC of Fw interface resides than it will send it to Spine).


Bridge Domain of Firewall





5. Command Line Verification












TROUBLESHOOTING STEPS FOR MULTIPOD SYMMETRIC PBR


Routed flow between EPs 172.16.11.1 to 172.16.12.1

Redirected to one the Firewall HA pair.

FW are one-arm attached to ACI.





Check 1: Is the Graph Deployed?



Check 2: Is the Service EPG deployed?



Check 3: Zoning-Rules




Check 4: Redirect Info



Check 5: Coop DB on Spine

Verify COOP DB if hashing gives you FW MAC



Example Check ingress leaf



54 views0 comments

Recent Posts

See All

Comments


bottom of page