We are in the process of implementing Cisco ACI in a brownfield environment, and one of the challenges I'm facing involves replicating source-IP-based PBR from our legacy setup. In the current environment, we have two separate firewall clusters (FW-1 and FW-2) for Internet connectivity, each supporting different provider transits and network translations. These clusters connect to the core switches within a DMZ VRF, sharing a /24 subnet/VLAN.

Traffic destined for the Internet flows natively through the FW-1 cluster via the default route. However, for specific source IPs, we selectively apply PBR to redirect traffic through the FW-2 cluster. In the legacy environment, simple PBR rules using "set ip next-hop" on the ingress VLAN achieve this functionality effectively.

I'm attempting to replicate this setup as a proof of concept (PoC) in the ACI environment and would appreciate any insights or learnings based on your experience. Here's the scenario I’ve modeled:

1. DMZ VRF: The environment includes a southbound L3Out with an external EPG subnet (10.0.0.0/16) matching all traffic to the L3Out.

2. Northbound L3Out: There’s a single L3Out configured with an SVI and a secondary address (192.168.1.254/24) that serves as the gateway for both firewall clusters. The default static route directs all outgoing traffic to the FW-1 cluster (192.168.1.1).

To classify unique traffic for redirection based on the source, I’ve added an additional external EPG (EPG_Redirect) to the southbound L3Out. This EPG is configured to match specific /32 host routes for the source IPs. However, I’m unable to redirect this traffic from "EPG_Redirect" to exit through the FW-2 cluster. Since this is a case of true source-based PBR with ANY destination, adding more specific destination routes to a secondary destination EPG is not a viable option.

Any guidance or suggestions on how to achieve this source-based PBR in ACI, or alternative approaches to handle such a scenario, would be greatly appreciated.