Cisco ACI - One VRF consumed by two tenants with PBR FW service insertion



I need some support to understand whether a PBR is an EW traffic PBR or an NS one in a Multi-Pod deployment.

- EW: intra-VRF traffic within one Tenant

- NS: traffic going outside the ACI


I have one VRF "A" in the Common Tenant with some "common services EPGs" using Bridge Domains configured in Common in that VRF A. At the same time, I have the Tenant "X" with some Application EPGs that are using Bridge Domains configured in Common that belong to the same VRF A.


My doubt is: if I have a DNS service deployed in Common at Tenant Common/VRF A/DNS_EPG, should/can the traffic coming from Tenant X/VRF A/APP1 be managed by an EW FW? Or, because it is in a different Tenant, do I need to deploy some kind of NS inter-tenant firewall via PBR?


ACI is like Sudoku... it is a nice mind game... :P



The routing will still occur within the same VRF, regardless of Tenants.

Tenants are NOT for routing domain separation; they are for management separation.


With that said, if you want to use contracts, you do need to create them in Tenant common and set the scope to global. You do not need to export the contract either. Note: even though you aren't technically "exporting" the contract, it's still considered "shared", hence it cannot be used as a consumer within vzAny.


If you want to use firewall PBR over contracts, you can as well. It would still be considered as E/W traffic because the traffic isn't really leaving the fabric via an L3Out to a firewall.
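
The two rules in the reply above (create the contract in tenant common with scope global; a shared contract cannot be consumed by vzAny) plus the name-resolution behaviour of APIC can be checked offline against a configuration export. The following is an added example written for this thread, not code from the thread, from Cisco, or from any APIC tooling. It assumes the input is the APIC JSON object model (fvTenant with its subtree, as returned by GET /api/class/fvTenant.json?rsp-subtree=full); the SAMPLE data is constructed by hand and reduced to the attributes the checks need, and the tenant/EPG names mirror the question (common/VRF_A/DNS_EPG, X/APP1). The check that flags a vzAny consumer of a global-scope contract models the statement in the reply.

```python
"""Visibility checks for ACI contracts used across tenants (added example).

Rules modelled (from the reply above and the quoted Cisco documentation):
  - APIC resolves tnVzBrCPName in the referencing tenant first, then in common;
  - a contract referenced from another tenant must live in common with scope "global";
  - a shared (global-scope) contract cannot be a consumer under vzAny.
"""
from typing import Dict, Iterator, List, Optional, Tuple

COMMON = "common"

def _iter(mo: dict, tenant: Optional[str], epg: Optional[str], vrf: Optional[str]) -> Iterator[tuple]:
    """Depth-first walk of one APIC MO ({"class": {"attributes": {...}, "children": [...]}}).

    Yields ("contract", tenant, name, scope), ("ref", tenant, epg, relClass, name)
    and ("vzany", tenant, vrf, name) records; tenant/EPG/VRF context is carried down.
    """
    (cls, body), = mo.items()
    attrs = body.get("attributes", {})
    if cls == "fvTenant":
        tenant = attrs["name"]
    elif cls == "vzBrCP":
        # APIC default scope for a contract is "context" (VRF) when unset.
        yield ("contract", tenant, attrs["name"], attrs.get("scope", "context"))
    elif cls == "fvAEPg":
        epg = attrs["name"]
    elif cls == "fvCtx":
        vrf = attrs["name"]
    elif cls in ("fvRsCons", "fvRsProv"):
        yield ("ref", tenant, epg, cls, attrs["tnVzBrCPName"])
    elif cls == "vzRsAnyToCons":
        yield ("vzany", tenant, vrf, attrs["tnVzBrCPName"])
    for child in body.get("children", []):
        yield from _iter(child, tenant, epg, vrf)

def resolve(contracts: Dict[Tuple[str, str], str], tenant: str, name: str) -> Optional[str]:
    """Return the tenant that owns contract `name` as APIC would resolve it, or None."""
    for owner in (tenant, COMMON):
        if (owner, name) in contracts:
            return owner
    return None

def lint(snapshot: dict) -> List[str]:
    """Return human-readable findings for the tenants in an APIC JSON snapshot."""
    contracts: Dict[Tuple[str, str], str] = {}
    refs, vzany = [], []
    for mo in snapshot["imdata"]:
        for item in _iter(mo, None, None, None):
            if item[0] == "contract":
                contracts[(item[1], item[2])] = item[3]
            elif item[0] == "ref":
                refs.append(item[1:])
            else:
                vzany.append(item[1:])

    findings: List[str] = []
    for tenant, epg, rel, name in refs:
        role = "consumer" if rel == "fvRsCons" else "provider"
        owner = resolve(contracts, tenant, name)
        if owner is None:
            findings.append(f"{tenant}/{epg}: {role} contract '{name}' not found in {tenant} or common")
        elif owner != tenant and contracts[(owner, name)] != "global":
            findings.append(f"{tenant}/{epg}: {role} contract 'common/{name}' is used across tenants "
                            f"but has scope '{contracts[(owner, name)]}'; set scope to global")
    for tenant, vrf, name in vzany:
        owner = resolve(contracts, tenant, name)
        if owner is None:
            findings.append(f"{tenant}/{vrf}: vzAny consumer contract '{name}' not found")
        elif contracts[(owner, name)] == "global":
            findings.append(f"{tenant}/{vrf}: vzAny consumes shared contract '{owner}/{name}'; "
                            f"a shared contract cannot be a vzAny consumer")
    return findings

# Constructed sample: VRF_A and DNS_EPG live in common, APP1..APP3 live in tenant X.
SAMPLE = {"imdata": [
    {"fvTenant": {"attributes": {"name": "common"}, "children": [
        {"vzBrCP": {"attributes": {"name": "dns-pbr", "scope": "global"}}},
        {"vzBrCP": {"attributes": {"name": "mgmt", "scope": "context"}}},
        {"fvCtx": {"attributes": {"name": "VRF_A"}, "children": [
            {"vzAny": {"attributes": {}, "children": [
                {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "dns-pbr"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "services"}, "children": [
            {"fvAEPg": {"attributes": {"name": "DNS_EPG"}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": "dns-pbr"}}}]}}]}}]}},
    {"fvTenant": {"attributes": {"name": "X"}, "children": [
        {"fvAp": {"attributes": {"name": "app"}, "children": [
            {"fvAEPg": {"attributes": {"name": "APP1"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "dns-pbr"}}}]}},   # ok
            {"fvAEPg": {"attributes": {"name": "APP2"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "mgmt"}}}]}},      # wrong scope
            {"fvAEPg": {"attributes": {"name": "APP3"}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": "typo"}}}]}}]}}]}}]}

if __name__ == "__main__":
    for line in lint(SAMPLE):
        print(line)
```

APP1 consuming common/dns-pbr produces no finding, which is the configuration the reply recommends for the DNS case in the question; APP2, APP3 and the vzAny consumer on VRF_A each produce one finding. Against a real fabric, feed the output of the fvTenant query into `lint` instead of SAMPLE.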




Hi, I completely agree, but...


If we look into the Cisco documentation, it talks about inter-tenant configurations and says it depends on the source and destination tenant. But the example uses 2 VRFs, and what I'm saying is 2 tenants, 1 VRF... my doubt comes from there:


Inter-tenant configuration

The consumer and provider VRF instances can be in different tenants. In addition to the inter-VRF configuration, several other important configuration considerations apply to the intertenant service graph:

●   Objects defined in the common tenant can be referenced from other tenants, but objects defined in a user tenant can be referenced only from the same tenant.

●   The contract must be visible from the provider and consumer EPGs.

●   The service graph template must be visible from the contract.

●   The L4-L7 device must be visible from the device selection policy.

●   The device selection policy must be defined under the provider EPG tenant. This object must be able to see the cluster interfaces in the L4-L7 device and the PBR bridge domains.

Figure 92 shows a configuration example in which the provider EPG is in VRF2 in the common tenant and the consumer EPG is in VRF1 in a user tenant:

●   The contract is defined in the common tenant so that it is visible from both the consumer and provider EPGs.

●   The device selection policy is defined in the common tenant because the provider EPG is in the common tenant.

●   The L4-L7 device and service graph template are defined in the common tenant so that the contract can refer to the service graph template.

●   PBR bridge domains in VRF2 are defined in the common tenant so that the device selection policy can refer to the cluster interfaces in the L4-L7 device and the PBR bridge domains.

Figure 92.    Example of inter-tenant service graph with PBR configuration (provider EPG is in the common tenant)

