Cisco ACI Multipod Service graph PBR (East-West Segmentation)

yaseenhasan
Level 1

Hello @Robert Burns / All

I'm implementing a service graph in PBR mode in a multipod; each pod has an active/standby pair of firewalls. The fabric consists of one tenant / one VRF and several bridge domains / EPGs (network-centric) that are spread across both pods. The end goal is to segment traffic between EPGs. I am leaning towards applying the contract at the vzAny level, with the contract referencing a service graph.

My question here is: when devices are configured under L4-L7 Services, would I configure a device for each pod, or just configure one device and include firewalls from both pods under one device?

Regards

YH

5 Replies

Ibrahim Jamil
Level 6

Hi Mr Robert Burns, Hi All

Greetings

I'm doing almost the same project but for north-south traffic; the FTD cluster will be stretched across pods + an F5 LB. I'm struggling to find docs describing such a setup.

Can you please give us the gotchas to go further?

Thanks

Ibrahim

ME Region / Dead Sea

Hello YaseenHasan,

You should set up two PBR (Policy-Based Routing) policies—one for each firewall cluster.

In a Multi-Pod ACI design, it's common to encounter hairpinning traffic within the IPN network. This happens because ACI uses a hashing mechanism to determine which firewall will handle the traffic redirection. For example, even if you have both EPG10 and EPG20 located in POD1, ACI might still route their traffic through the firewall in POD2.

AshSe
VIP

Hi @yaseenhasan, below is my understanding based on the details shared by you. Please check and validate/correct:

MoD Physical Connectivity:

[Screenshot: MoD physical connectivity diagram]

Logical Connectivity:

[Screenshot: logical connectivity diagram]

I am sorry to say that I am not able to understand your question. Could you please elaborate on your question?

ayoubas
Level 1

Hello @yaseenhasan

You should configure two PBR policies, one PBR policy for each firewall cluster. In the multipod design, you are likely going to have hairpinning traffic in your IPN network, because ACI uses a hash to choose which firewall ACI is going to redirect the traffic to. So you can have, for example, two EPGs like EPG10 and EPG20 in POD1, and they are going to use the POD2 firewall.

julian.bendix
Level 3

Hey!
I am using this setup a lot...

You configure one PBR device per logical HA cluster, meaning if you have only one physical cluster (2 nodes) and no virtual separation on them, it will be only one PBR node.

What I am doing a lot is separating one physical HA cluster into multiple virtual ones, like with firewall contexts on Cisco firewalls, VDOMs on Fortinet, etc.
Then you will need one PBR device per virtual HA pair, of course.

But if I get your setup right, it is only one HA cluster without virtual separation, so it will be only one PBR device.

BR
Jules
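The replies above converge on one L4-L7 device (and its own PBR policy) per firewall cluster, i.e. per pod in the original poster's design. As an added example that is not part of this thread, the following Python script audits a simplified, constructed export of L4-L7 device interface paths and flags any device whose concrete interfaces span more than one pod; the record layout (`name` plus a list of interface path DNs) is an assumption that mirrors the `topology/pod-N/paths-.../pathep-[...]` DN form, not APIC's full JSON schema.

```python
import re

# Constructed sample, loosely modelled on an APIC export of L4-L7 devices
# (vnsLDevVip) and the interface paths of their concrete devices (vnsCDev).
# All names, node IDs and ports are made up for this example.
SAMPLE_DEVICES = [
    {"name": "FW-POD1", "paths": [
        "topology/pod-1/paths-101/pathep-[eth1/1]",
        "topology/pod-1/paths-102/pathep-[eth1/1]"]},
    {"name": "FW-POD2", "paths": [
        "topology/pod-2/paths-201/pathep-[eth1/1]",
        "topology/pod-2/paths-202/pathep-[eth1/1]"]},
    {"name": "FW-SHARED", "paths": [   # one device with members in both pods
        "topology/pod-1/paths-101/pathep-[eth1/2]",
        "topology/pod-2/paths-201/pathep-[eth1/2]"]},
]

# Pod ID is the first component after "topology/" in an ACI path DN.
POD_RE = re.compile(r"^topology/pod-(\d+)/")


def pod_of(path_dn):
    """Return the pod ID encoded in an interface path DN, or raise on malformed input."""
    match = POD_RE.match(path_dn)
    if not match:
        raise ValueError(f"unrecognised path DN: {path_dn}")
    return int(match.group(1))


def pods_per_device(devices):
    """Map each L4-L7 device name to the sorted list of pods its interfaces sit in."""
    return {dev["name"]: sorted({pod_of(p) for p in dev["paths"]}) for dev in devices}


def find_multipod_devices(devices):
    """Names of devices whose concrete interfaces span more than one pod."""
    return [name for name, pods in pods_per_device(devices).items() if len(pods) > 1]


if __name__ == "__main__":
    for name, pods in pods_per_device(SAMPLE_DEVICES).items():
        print(f"{name}: pods {pods}")
    for name in find_multipod_devices(SAMPLE_DEVICES):
        print(f"WARNING: {name} mixes firewalls from several pods; split it per cluster")
```

Run against a real export, the warning line is the one to act on: a device mixing both pods' firewalls is the single-device layout the thread advises against.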
