ACI Service Graph with multiple vrf

komiks · ‎08-10-2025

We have multiple VRFs in an aci and we are need inter VRF EPG-EPG communication to pass through a single FW by using Service Graph. Challenge is you can assoiciate service graph in to a single Bridge Domain which only have a single VRF. So there is an error when using the Service Graph with EPGs that have different VRF than you service BD station that ther is a vrf misconfig. Is there a workaround to do this?

Wassim Aouadi · ‎08-11-2025

Hello @komiks ,

You mentioned a service BD. Is the service BD in one of the EPG VRFs (provider VRF or consumer VRF)? From what you wrote, I understood that you have the service BD is in a third VRF that is neither the provider nor the consumer. If so, then it is not a Cisco-supported design; The service BD must be in either one of the provider or consumer VRF.

Maybe you could provide a topology to understand your design better and be able to help you?

Forum Tips: 1. Paste images inline - don't attach. 2. If you find my post helpful, please give it a thumbs up or mark it as a correct solution; You never know in the future who you might help doing so..

komiks · ‎08-11-2025

Hi @Wassim Aouadi ,

Yes, this is exactly the challenge. let's say I have 3 vrfs (VRF1,2,3) and I need all inter vrf communication to pass through a firewall. let's say service bd is in vrf 1, but i need a service graph for vrf 2- vrf 3 communication. is there a possible way to use the same firewall ( for service graph )for all the vrfs?
I tried to create a separate service BD on the other vrf but it not possible to attached multiple BD in a single SG device.