top of page

Search

PBR end-to-end Packet Flow

Mukesh Chanderia
Mar 29, 2024
1 min read

Updated: Mar 11, 2025

Each EGP is represented by PCTag

2. Shadow EPG (Firewall) connect to the service Device (EPG)

3. Traffic in between EGPs will be redirected & from shadow EGP towards EGPs will be unidirectional.

The priority is fully_qual(7), indicating that this rule has a high priority.

The priority src_dst_any(9) suggests it is a lower-priority rule compared to the fully qualified rules.

uni-dir-ignore seems to be a special case where certain flows are ignored but redirection still occurs.

4. EG1 sends packet to EP2 via Leaf1. L1 does route & policy lookup - Redirect to Service BD/Service MAC (If Leaf1 doesn't know where the MAC of Fw interface resides than it will send it to Spine).

Bridge Domain of Firewall

5. Command Line Verification

TROUBLESHOOTING STEPS FOR MULTIPOD SYMMETRIC PBR

Routed flow between EPs 172.16.11.1 to 172.16.12.1

Redirected to one the Firewall HA pair.

FW are one-arm attached to ACI.

Check 1: Is the Graph Deployed?

Check 2: Is the Service EPG deployed?

Check 3: Zoning-Rules

Check 4: Redirect Info

Check 5: Coop DB on Spine

Verify COOP DB if hashing gives you FW MAC

Example Check ingress leaf

Recent Posts

In-Band Management Configuration in ACI

High-Level Objective The goal is to enable APICs, leaf switches, and spine switches to: Use in-band management IP addresses Carry management traffic over the ACI fabric data plane Reach external

Understanding “Output Errors” and “Stomped CRC” on Cisco ACI Leaf–Spine Links

Introduction One of the most misunderstood interface statistics in Cisco ACI and Nexus-based fabrics is the presence of “output errors” on leaf–spine links, often accompanied by “stomped CRC” or inp

Debounce Timer in Cisco ACI

Understanding Interface Flapping and the Debounce Timer in Cisco ACI Interface flapping on Cisco ACI leaf switches is one of the most commonly misunderstood issues in environments connected to WAN, DW

Comments

bottom of page