Hello,
I have ACI version 5.2 with the following scenario:
2 Tenants for Prod and Dev plus the common tenant for the shared services and the L3OUT, and I want to add L4L7 FW and configure service graphs with PBR to redirect the traffic to the FW.
The FW is a physical CheckPoint appliance and it is one-arm with VLAN trunking; it has a sub-interface for each subnet (the same subnets as in the BDs), and creating multiple contexts is not possible.
The Prod Tenant has 2 BDs and 2 EPGs as per the diagram, and the same applies to the Dev Tenant.
We will use the BDs 1-5 for the PBR, and for the L3OUT we will create Ext-BD, which the FW will use as its default GW.
The traffic redirection requirement is as the following:
- Traffic between EPG1 and EPG2 in Prod Tenant should be redirected to the FW using BD1 and BD2.
- Traffic between EPG1 or EPG2 in Prod Tenant and EPG5 or L3OUT in common tenant should be redirected to the FW using BD1 or BD2 and EPG5 or Ext-BD.
- Traffic between EPG3 and EPG4 in Dev Tenant should be redirected to the FW using BD3 and BD4.
- Traffic between EPG3 or EPG4 in Dev Tenant and the L3OUT in common tenant should be redirected to the FW using BD3 or BD4 and Ext-BD.
- Traffic between EPG5 and L3OUT in common Tenant should be redirected to the FW using BD5 and Ext-BD.
- Inter-tenant traffic between EPGs in Prod Tenant and EPGs in Dev Tenant should be redirected to the FW using the respective BDs in each tenant.
My question is: is this scenario valid, in which Tenant should the FW be positioned, and how can I reference it in the other Tenants?