top of page

Search

PBR end-to-end Packet Flow

Mukesh Chanderia
Mar 29, 2024
1 min read

Updated: Mar 11, 2025

Each EGP is represented by PCTag

2. Shadow EPG (Firewall) connect to the service Device (EPG)

3. Traffic in between EGPs will be redirected & from shadow EGP towards EGPs will be unidirectional.

The priority is fully_qual(7), indicating that this rule has a high priority.

The priority src_dst_any(9) suggests it is a lower-priority rule compared to the fully qualified rules.

uni-dir-ignore seems to be a special case where certain flows are ignored but redirection still occurs.

4. EG1 sends packet to EP2 via Leaf1. L1 does route & policy lookup - Redirect to Service BD/Service MAC (If Leaf1 doesn't know where the MAC of Fw interface resides than it will send it to Spine).

Bridge Domain of Firewall

5. Command Line Verification

TROUBLESHOOTING STEPS FOR MULTIPOD SYMMETRIC PBR

Routed flow between EPs 172.16.11.1 to 172.16.12.1

Redirected to one the Firewall HA pair.

FW are one-arm attached to ACI.

Check 1: Is the Graph Deployed?

Check 2: Is the Service EPG deployed?

Check 3: Zoning-Rules

Check 4: Redirect Info

Check 5: Coop DB on Spine

Verify COOP DB if hashing gives you FW MAC

Example Check ingress leaf

Recent Posts

What is a Health Group? A Health Group is a configuration object used to group specific PBR destination interfaces—typically the consumer and provider interfaces of the same service node (such as a f

Active/Standby F5 Across Different ACI Pods

Normal L3Out vs Floating L3Out Explained Understanding Cisco ACI Multi-Pod Architecture In a Cisco ACI Multi-Pod design: Each Pod has an independent IS-IS control plane Endpoint learning is maintained

Multi-site Traffic Flow

This article explains how traffic flows between Endpoint Groups (EPGs) across multiple sites in Cisco ACI using Nexus Dashboard Orchestrator (NDO). We will walk through three common design scenarios a

Comments

bottom of page