08-10-2022 04:32 AM
Hello,
How can we deploy a firewall to secure EAST-WEST traffic in ACI without a service graph? Traffic between EPGx and EPGy must pass via the firewall.
Thank you,
08-10-2022 05:14 AM
Follow the threads below: you need to create another interface, which is required on the FW for east-west traffic to pass via the FW.
https://community.cisco.com/t5/application-centric/aci-east-west-traffic/td-p/4180249
https://community.cisco.com/t5/other-data-center-subjects/east-west-traffic/td-p/4030209
08-10-2022 05:32 AM
thank you for sharing!
First, let's assume that our gateway is in the ACI.
Traffic must pass like this:
Endpoint x --> Leaf
Leaf --> FW
FW --> Leaf
Leaf --> EndPoint y
How can we achieve this scenario without implementing a PBR service graph? How will routing work between these 2 endpoints?
We have an L3Out configured for FW interconnection.
08-10-2022 12:41 PM
Hi @Netzwerker
One way to do it is using a VRF sandwich design:
However, this might be difficult if you want to force traffic between all EPGs to go through the FW. That's why this type of design works for situations like when you want traffic between DMZ and Inside or DMZ and Outside to pass through the firewall.
If you want more granularity in what traffic to pass through the FW and what not, regardless of whether the EPG is in one security zone or another, PBR is a much better approach. Also, fewer L3Outs.
Stay safe,
Sergiu
08-11-2022 04:10 AM
Hi @balaji.bandi & @RedNectar,
Thank you for your replies,
Here you can find attached the example I wanted to talk about.
In this example, there is a contract between EPG1 and EPG2! So automatically, a static route will be injected in each Leaf (for each EPG) that points to the Spine.
For traffic from EPG3 to EPG1, it must pass via FW so we have to add a static route manually that points to FW. By doing this we will have 2 static routes in Leaf2 for the same destination (EPG1). Logically, it will always favor the first route to the Spine (the most specific)!
I hope I have explained the problem well.
08-11-2022 05:00 AM
For this scenario, you have two options:
1. Move EPG3 to another VRF - this means all traffic to EPG3 will go through the firewall
2. PBR - you can use the PBR contract exclusively just for EPG1-EPG3 communication. Plus you don't have to modify any existing config.
Note that in newer versions you do not even need to configure a new interconnect/BD for PBR. You can basically use the existing L3Out for PBR.
Check the whitepaper: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html#PBRdestinationinanL3Out
Cheers,
Sergiu
08-11-2022 01:42 PM
Hi @Netzwerker ,
Your example is a CLASSIC case of where to use PBR, where you don't want ALL traffic from EPG1 to go to the firewall.
The fact that you have said
"a static route will be injected in each Leaf (for each EPG) that points to the Spine. ... so we have to add a static route manually that points to FW"
tells me you are OVERTHINKING this problem. Please forget about traffic flows in ACI in terms of routes. I mean it. FORGET you ever learned routing*, because ACI implements policy via EPGs and contracts.
You are NEVER going to control traffic within ACI* thinking about routes. You have to think in terms of EPGs and CONTRACTs.
And in your case, you need a CONTRACT between EPG-1 and EPG-3. The fact that the EPGs are on Leaf1 or Leaf2 or any other leaf is totally irrelevant to ACI; ACI will dynamically push whatever policies (and routes) to whichever leaf needs them.
And using PBR you can EASILY add a contract between EPG-1 and EPG-3 that says - send all traffic to the firewall. And then ACI will dynamically "add a static route that points to FW" wherever needed.
*When controlling traffic leaving or entering ACI via a L3Out - then you can start thinking about routes again.
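As an added example (not code from this thread or from Cisco), here is a small Python audit that follows the point above: it walks an APIC tenant JSON export and lists the consumer/provider EPG pairs whose contract has no subject bound to a service graph, i.e. the east-west flows ACI will forward leaf-to-leaf without the PBR firewall hop. The tenant below is constructed sample data, and the class and attribute names (fvAEPg, fvRsCons, fvRsProv, vzBrCP, vzSubj, vzRsSubjGraphAtt, tnVzBrCPName) are the ACI object names the example assumes.

```python
# Added example, not from the thread: audit an APIC tenant JSON export and list
# the consumer/provider EPG pairs whose contract has no service graph attached,
# i.e. flows ACI forwards leaf-to-leaf without the PBR firewall hop (assumed class names).
from collections import defaultdict

# Constructed sample tenant: EPG1<->EPG2 plain contract, EPG1<->EPG3 contract with PBR graph.
SAMPLE_TENANT = {"fvTenant": {"attributes": {"name": "TN-demo"}, "children": [
    {"vzBrCP": {"attributes": {"name": "C-EPG1-EPG2"}, "children": [
        {"vzSubj": {"attributes": {"name": "s"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}}]}}]}},
    {"vzBrCP": {"attributes": {"name": "C-EPG1-EPG3"}, "children": [
        {"vzSubj": {"attributes": {"name": "s"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}},
            {"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": "FW-PBR"}}}]}}]}},
    {"fvAp": {"attributes": {"name": "AP"}, "children": [
        {"fvAEPg": {"attributes": {"name": "EPG1"}, "children": [
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "C-EPG1-EPG2"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "C-EPG1-EPG3"}}}]}},
        {"fvAEPg": {"attributes": {"name": "EPG2"}, "children": [
            {"fvRsCons": {"attributes": {"tnVzBrCPName": "C-EPG1-EPG2"}}}]}},
        {"fvAEPg": {"attributes": {"name": "EPG3"}, "children": [
            {"fvRsCons": {"attributes": {"tnVzBrCPName": "C-EPG1-EPG3"}}}]}}]}}]}}

def find(body, cls):
    """Yield the body of every object of class `cls` below an APIC JSON body."""
    for child in body.get("children", []):
        for k, b in child.items():
            if k == cls:
                yield b
            yield from find(b, cls)

def unredirected_pairs(tenant_body):
    """Return sorted (consumer EPG, provider EPG, contract) triples for contracts
    that have no subject bound to a service graph, so nothing redirects them."""
    redirected = {c["attributes"]["name"] for c in find(tenant_body, "vzBrCP")
                  if any(find(c, "vzRsSubjGraphAtt"))}
    cons, prov = defaultdict(set), defaultdict(set)
    for epg in find(tenant_body, "fvAEPg"):
        name = epg["attributes"]["name"]
        for rel in find(epg, "fvRsCons"):
            cons[rel["attributes"]["tnVzBrCPName"]].add(name)
        for rel in find(epg, "fvRsProv"):
            prov[rel["attributes"]["tnVzBrCPName"]].add(name)
    return sorted((c, p, ctr) for ctr in cons if ctr not in redirected
                  for c in cons[ctr] for p in prov[ctr])

if __name__ == "__main__":
    for cons_epg, prov_epg, ctr in unredirected_pairs(SAMPLE_TENANT["fvTenant"]):
        print(f"{cons_epg} -> {prov_epg} via {ctr}: no service graph, firewall not in path")
```

Running it on a real export (GET the tenant with `rsp-subtree=full` and pass `["fvTenant"]`) shows only EPG2 -> EPG1 for the sample, since the EPG1-EPG3 contract carries the graph.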
08-10-2022 02:29 PM
Hi @Netzwerker ,
Firstly, why?
Are you scared of service graphs? I don't blame you, they can be ultra confusing. And @Sergiu.Daniluk has given a great answer to your question, so I'm just putting in my 2c worth for using PBR for E-W firewall implementation.
If you use PBR, the default gateway IP for your servers moves to ACI, giving you full L3 visibility to the endpoints, but you set up PBR to send ALL traffic to the FW.
Now, firewalls often have a limited throughput, and should you approach this limit, you can now (because you used PBR rather than @Sergiu.Daniluk's solution) go back to ACI and say,
"You know what, we don't need to send ALL traffic to the Firewall."
You could
So I'm suggesting that before you jump in and configure a VRF sandwich, consider PBR - like @Sergiu.Daniluk's second diagram.