Deployed Graph Instances (Device L4-L7) Apic release 6.0

shady-magdy
Level 1

We have one VRF with vzAny. We have configured two devices as a cluster (Fortigate, two-arm, with PBR source and destination), then we configured two bridge domains and concrete interfaces, a service graph in routed mode, and we have created two contracts.

At the last step we created two graph instances: the first one with the first contract (Consumer in ---> Provider in) and the second one with the second contract (Consumer in ---> Provider out).

We have two questions. First, we have in the design that some traffic goes the reverse way (out ---> in), so do we need to create another graph, or does it go the reverse way by default?

Second, if I have in the design that some traffic goes from out to out OR from in to in, do I need to create another graph?

5 Replies

AshSe
VIP

Hello @shady-magdy 

May I request you to present your question in diagrammatic form for better understanding.

BR

AshSe

gesteira
Level 1

Hello, 

You don't need to create two contracts; you just create one contract to send traffic to the firewall through the service graph. The contract can be applied in both directions as the default configuration, so you don't need a second contract for the reverse traffic, only one service graph.

CCIE DC #69064

That sounds good. If I have some traffic that goes from out to out OR from in to in, do I need to create another graph?

You can use only one service graph and apply it to a different contract.

Firstly, you create your firewall Concrete Device with your VLANs and ports:

Tenant -> Services -> L4-L7 -> Devices

Then you create your service graph templates:

Tenant -> Services -> L4-L7 -> Create Service Graph Templates

[screenshot: gesteira_0-1750685140484.png]

Then you apply the L4-L7 Service Graph Template:

[screenshot: gesteira_1-1750685209612.png]

After this you choose your Consumer EPG (that could be an L3Out or an EPG) and Provider:

[screenshot: gesteira_2-1750685264870.png]

After this, you can create or choose an existing contract.

To apply on the same firewall interfaces, you use the same Service Graph and apply it again; you just need to create a new contract if you want a specific filter, and click no filter (allow all traffic). If you will send all traffic to the firewall you can choose the same contract. I recommend, depending on the traffic, creating a new contract for each kind of traffic that you are going to use, to be more safe.

You don't need to create a new service graph, only if you are going to use another firewall or another L4-L7 device.

Please rate or mark as correct if your doubt is fixed,

thanks

CCIE DC #69064
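As an added illustration (not code from this thread, from Cisco, or from the poster): a small Python helper that builds the APIC REST objects the walk-through above creates in the GUI, attaching one service graph template to several contracts with the permit-all `default` filter, plus a check that only the intended template is referenced before anything is pushed. Tenant, contract and template names are assumed placeholders; the APIC URL and credentials are yours.

```python
import json
import ssl
import urllib.request


def build_contract(contract, graph_template, filter_name="default"):
    """One contract whose single subject attaches the service graph template.
    Filters placed directly under vzSubj apply in both directions (the default the
    answer relies on); "default" resolves to tenant common's permit-any filter."""
    return {"vzBrCP": {
        "attributes": {"name": contract, "scope": "context"},  # scope = VRF
        "children": [{"vzSubj": {
            "attributes": {"name": f"{contract}-subj", "revFltPorts": "yes"},
            "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}},
                {"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph_template}}},
            ]}}]}}


def build_tenant_post(tenant, contracts, graph_template):
    # Several contracts, one graph template: the reuse pattern from the answer.
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": [build_contract(c, graph_template) for c in contracts]}}


def graph_templates_referenced(mo):
    """Walk an MO tree and collect every graph template name it attaches."""
    found = set()
    for cls, body in mo.items():
        if cls == "vzRsSubjGraphAtt":
            found.add(body["attributes"]["tnVnsAbsGraphName"])
        for child in body.get("children", []):
            found |= graph_templates_referenced(child)
    return found


def post_to_apic(apic_url, user, pwd, payload, verify_tls=True):
    """Log in, then POST the tree under uni. verify_tls=False is for lab APICs only."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    with urllib.request.urlopen(urllib.request.Request(
            f"{apic_url}/api/aaaLogin.json", data=login, method="POST"), context=ctx) as r:
        token = json.load(r)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(f"{apic_url}/api/mo/uni.json", method="POST",
                                 data=json.dumps(payload).encode(),
                                 headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)
```

Build the payload with `build_tenant_post("Prod", ["FW-in-to-in", "FW-in-to-out"], "FW-PBR-Graph")`, confirm `graph_templates_referenced()` returns only the template you meant, and only then hand it to `post_to_apic()`.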

Yes, we configured one contract with graph instances FW-out to FW-in. The design is that some traffic goes from FW-IN (consumer) to FW-IN (provider) with the same contract; does it require another graph instance, or does it use the configured one?
