Showing results for 
Search instead for 
Did you mean: 

how to Add ACI copy service to existing l4-7 PBR serivce-graph ?

Level 1
Level 1

how to Add ACI copy service to existing l4-7 PBR serivce-graph ? and will that cause a traffic disruption ?

We have PBR l4-7 pbr service graph deployed to a one-armed firewll that is filtering all traffic with any/any contract.

No we want to copy the traffic to a tpa interface on a vritual firewall to check a newly built rules-base. Do i add the copy serivce device to the existing deployed l4-7 service-graph ? Or do i deploy a new service graph with different contracts because you can only add one serivce graph to a contract. But wont the risk then be that traffic between EPGS might use the new any/any contract and bypass the orignal pbr service-graph.

3 Replies 3

Cisco Employee
Cisco Employee


To begin with, you might not be able to add a Copy service with an existing PBR. For any L4-L7 contracts with PBR, it cannot be modified to a Copy Service contract. A new contract contract has to be created with Copy Service because you can only add one service-graph to a contract. This means there could be traffic disruption between the EPGs as the old L4-L7 PBR gets bypassed. I couldn't find any documentation around it, but you can try this configuration in 

Hope this helps!


I'll see if i can mock this up in a seperate tenant. It would be nice if i could add the copy service device as an extra device in the existing service-graph, say as a chained service insertion device. Because bypassing the current PBR would break all segmentation rules on the one-armed firewall cluster doing the segmentation and enforcement. Maybe other road to travel would be taking one of our spines or leafs from our aci test netwrok, converting the EX leaf from ACI mode to NXOS mode and install Nexus Data broker on it an use that leaf as ERSPAN Termination end point and plug in the TAP interface of a virtual checkpoint there on an esxi host to get normal span traffic on the tap port to analyse the new policy set with current traffic to see if the firewall people didn;t miss anything in the new policy set.

That is surely a solution that can be tried in mockup. This is a very reasonable ask to have copy service in conjunction with an existing service graph.

Save 25% on Day-2 Operations Add-On License