Clarification on Service Graph Deployment Modes (GoTo, GoThrough, OneA

willytech007
Level 1

Dear Cisco Community,

I've been studying "Implementing Service Graphs" in ACI and would appreciate some clarification on the deployment modes, particularly coming from a traditional networking background. The official certification guide's diagrams leave some gaps in my understanding, especially regarding the GoTo mode variations:

  1. Routed mode with outside Layer 2 bridge domain

  2. Routed mode with L3Out and NAT

  3. Routed mode with route peering

Key Questions:
• Could someone explain the real-world use cases for each GoTo mode?
• How do these compare functionally with GoThrough and OneArm modes?
• Are there any gotchas or best practices when implementing these in production?

What's particularly confusing is how these modes handle:

  • Traffic flow between EPGs and service devices

  • Policy enforcement points

  • NAT/route redistribution requirements

Would greatly appreciate:
✓ Practical examples from your deployments
✓ Any unofficial diagrams that better illustrate the packet flows
✓ Recommendations for when to choose each mode

Thank you in advance for sharing your expertise!

Best regards,

3 Replies

Wassim Aouadi
Level 4

Hello @willytech007 ,

I agree with your statement that the certification guide is confusing. Service insertion is definitely a complex ACI topic.

Routed Mode means that the firewall is participating in layer-3 operations. A real-world example can be that the firewall interfaces are configured as the IP default gateways for ACI BD subnets.

Go-Through Mode is when the firewall is bridging VLANs: one VLAN on the inside interface, one VLAN on the outside interface. However, I still have not figured out the difference between Go-Through and L2 in the GUI configuration page of L4-7 Devices (so I would appreciate it if someone could let me know).

Go-Through Mode vs One-Arm Mode is not the right comparison, because One-Arm Mode means the firewall uses a single interface for both inside and outside traffic (I already explained Go-Through Mode above).

Routed Mode with peering means the firewall is connected to ACI using L3Out.

Routed mode with outside Layer 2 bridge domain: the firewall inside interface is the IP default gateway of the user EPG and the outside interface is configured with an IP address. It connects to an external router using ACI layer-2 BD. The IP default gateway of the firewall outside interface is an external router.

I have no experience with Routed Mode and NAT unfortunately.

If you have time, you'll find more details on the different designs on this link:  Service Graph Design with Cisco ACI 5.2 and later

(edited to correct a mistake and clarify the Route Mode with outside layer-2 BD)


Yes sir, in some cases it is so confusing, but the link explains the topics in more detail than the book. Great information.

julian.bendix
Level 7

GoTo/Routed Mode is what I ALWAYS use in real life. Never used anything else so far.

I've always had the firewall connected one-armed to ACI, with a PBR BD where ACI and the firewall each have at least one IP, and traffic is redirected to the firewall IP in the PBR BD.

Firewall only has a default route back to ACI, nothing else routing wise.
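As an added illustration (not code from this thread, from APIC, or from Cisco): a constructed Python model of the one-arm GoTo/PBR design described in the reply above, which also shows the traffic-flow and policy-enforcement-point questions from the original post. The EPG subnets, the firewall IP and MAC, the gateway MAC and the "deny"/"bypass" names for the threshold-down behaviour are assumptions made for this model, not values from the page.

```python
"""Constructed model of one-arm GoTo/PBR service insertion in Cisco ACI.

Added illustration, not APIC or firewall code: it mimics what a leaf does for a
contract subject that redirects to a firewall sitting one-armed in a dedicated
PBR BD, where the firewall has only a default route back to ACI.
"""
from dataclasses import dataclass
import ipaddress

# Anycast gateway MAC of the ACI bridge domains (constructed value).
GW_MAC = "00:22:bd:f8:19:ff"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    dst_mac: str = GW_MAC


@dataclass(frozen=True)
class Subject:
    """One contract subject: a filter plus whether it carries a redirect (PBR)."""
    proto: str
    port: int           # 0 matches any port
    redirect: bool

    def matches(self, pkt):
        # "Reverse filter ports": the reply direction matches on the source port.
        return self.proto == pkt.proto and self.port in (0, pkt.dport, pkt.sport)


@dataclass(frozen=True)
class Contract:
    consumer: str
    provider: str
    subjects: tuple


@dataclass
class PbrDest:
    ip: str
    mac: str
    healthy: bool = True    # result of IP SLA tracking in the model


class Leaf:
    def __init__(self, epgs, contracts, pbr, down_action="deny"):
        self.epgs = {name: ipaddress.ip_network(net) for name, net in epgs.items()}
        self.contracts = contracts
        self.pbr = pbr
        # Behaviour when tracking reports the PBR node down: "deny" or "bypass"
        # (names assumed for this model, not APIC attribute values).
        self.down_action = down_action

    def classify(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n, net in self.epgs.items() if addr in net), None)

    def contract_for(self, a, b):
        # A contract installs zoning rules for both directions of the flow.
        return next((c for c in self.contracts if {c.consumer, c.provider} == {a, b}), None)

    def forward(self, pkt, from_service=False):
        """Return the hops the packet takes, as labels, starting at the leaf."""
        src_epg, dst_epg = self.classify(pkt.src_ip), self.classify(pkt.dst_ip)
        contract = self.contract_for(src_epg, dst_epg)
        if contract is None:
            return ["leaf:deny(no-contract)"]
        subject = next((s for s in contract.subjects if s.matches(pkt)), None)
        if subject is None:
            return ["leaf:deny(no-filter)"]
        if not subject.redirect or from_service:
            # No redirect on the subject (traffic skips the firewall), or the packet
            # is already coming back from the service node: route it normally.
            return ["leaf:permit", f"epg:{dst_epg}"]
        if not self.pbr.healthy:
            if self.down_action == "deny":
                return ["leaf:deny(pbr-down)"]
            return ["leaf:bypass(pbr-down)", f"epg:{dst_epg}"]
        # PBR leaves src/dst IP untouched; only the L2 destination becomes the node MAC.
        to_fw = Packet(pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport, dst_mac=self.pbr.mac)
        # The firewall's default route sends it back to the ACI gateway MAC in the PBR BD.
        from_fw = Packet(to_fw.src_ip, to_fw.dst_ip, to_fw.proto, to_fw.sport, to_fw.dport, dst_mac=GW_MAC)
        return [f"leaf:redirect->{self.pbr.mac}", "firewall:inspect"] + self.forward(from_fw, from_service=True)


def build_fabric(fw_healthy=True, down_action="deny"):
    """Constructed tenant: app -> web contract; HTTPS is redirected, ICMP is not."""
    epgs = {"app": "10.1.1.0/24", "web": "10.1.2.0/24"}
    contracts = (Contract("app", "web", (
        Subject("tcp", 443, redirect=True),    # inspected by the firewall
        Subject("icmp", 0, redirect=False),    # permitted directly, never sees the firewall
    )),)
    pbr = PbrDest(ip="10.1.99.10", mac="00:50:56:aa:bb:cc", healthy=fw_healthy)
    return Leaf(epgs, contracts, pbr, down_action)


if __name__ == "__main__":
    fab = build_fabric()
    print(fab.forward(Packet("10.1.1.10", "10.1.2.20", "tcp", 51000, 443)))   # redirected
    print(fab.forward(Packet("10.1.2.20", "10.1.1.10", "tcp", 443, 51000)))   # reply, also redirected
    print(fab.forward(Packet("10.1.1.10", "10.1.2.20", "icmp")))              # permitted, not inspected
    print(build_fabric(fw_healthy=False).forward(Packet("10.1.1.10", "10.1.2.20", "tcp", 51000, 443)))
```

Two things the model makes visible that are easy to miss when reading the mode diagrams. First, the enforcement point is the zoning rule on the leaf, not the firewall: a flow only reaches the firewall if it matches a contract subject that carries the redirect, so a subject that merely permits (the ICMP one here) sends traffic between the EPGs without any inspection, and a flow with no matching filter is dropped by the leaf before the firewall ever sees it. Second, because PBR rewrites only the L2 destination and never the IP header, the firewall sees the real source and destination addresses and needs nothing more than a default route back to ACI, which is exactly why the one-arm design needs no NAT or route peering. Whether a failed firewall fails closed or open depends on the tracking and threshold-down configuration, which is why the model exposes it as a parameter.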
