12-14-2019 10:40 AM
Hi,
Is it possible to do policy based redirect service graph between two different tenants (without using the common tenant)?
For example, let's say we have an EPG in the production tenant that must be accessible from another EPG in the non-production tenant through the firewall using PBR. Because the EPGs are in different tenants, you cannot select one of the EPGs when applying the service graph to a contract.
Regards.
12-14-2019 12:39 PM
If your L4-L7 is in the Prod tenant, you just have to create a contract, add L4-7 to the subject(s), attach the provider side of the contract to the EPG in the prod tenant, export the contract to the nonprod tenant and add the contract interface to the clients' EPG.
PBR will be used in the L4-7 config to send traffic to your L4-7 device. In case of FW you need PBR on both sides.
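The steps in the reply above, sketched as an APIC REST XML payload. This is an added example, not part of the original post; every tenant, application profile, EPG, contract, filter and graph name is a placeholder, and the service graph template, device selection policy and PBR policy are assumed to exist already in the Prod tenant.

```xml
<polUni>
  <!-- Provider side: the contract and the L4-L7 service graph live in Prod -->
  <fvTenant name="Prod">
    <!-- scope="global" lets the contract be consumed from another tenant -->
    <vzBrCP name="prod-svc" scope="global">
      <vzSubj name="subj1">
        <!-- placeholder filter; use the filter that matches the real traffic -->
        <vzRsSubjFiltAtt tnVzFilterName="default"/>
        <!-- attach the service graph template (hypothetical name) to the subject -->
        <vzRsSubjGraphAtt tnVnsAbsGraphName="fw-pbr-graph"/>
      </vzSubj>
    </vzBrCP>
    <fvAp name="prod-ap">
      <fvAEPg name="prod-epg">
        <!-- provider side of the contract on the EPG in Prod -->
        <fvRsProv tnVzBrCPName="prod-svc"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>

  <!-- Consumer side: NonProd only sees the exported contract interface -->
  <fvTenant name="NonProd">
    <!-- exported contract: a contract interface pointing at the Prod contract -->
    <vzCPIf name="prod-svc-export">
      <vzRsIf tDn="uni/tn-Prod/brc-prod-svc"/>
    </vzCPIf>
    <fvAp name="nonprod-ap">
      <fvAEPg name="client-epg">
        <!-- clients' EPG consumes the contract interface, not the contract -->
        <fvRsConsIf tnVzCPIfName="prod-svc-export"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
```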
12-16-2019 12:16 PM
Hi,
Thanks, I missed that part of the PBR white paper documentation. I'll test it and let you know.
03-12-2021 02:35 AM
Hi,
What does it mean, "In case of FW you need PBR on both sides"?
Sides = tenants?
Or do you simply mean both sides are the two arms of the firewall?
Thanks a lot if you reply
03-13-2021 08:35 AM
You may need PBR to direct incoming packets to FW and PBR to direct returning traffic to FW.