
ACI Service Graph with Policy Based Redirect between EPGs on different Tenants

aertural1
Level 1

Hi,

 

Is there any way to use Policy Based Redirect functionality while the consumer and provider EPGs are on different tenants?

 

I want to pass encrypted traffic between tenants directly over ACI but the clear-text traffic over a firewall.

 

Thanks.

 

Regards.


gmonroy
Cisco Employee

aertural1,

    From what I found on SG PBR across 2 tenants, essentially you have two options when taking object visibility into account:

 

  1. Using Common Tenant
    1. Placing the PBR BD within the common tenant so that the device selection policy can see the PBR BD.
    2. This may be the easier of the two options depending on your requirements.
  2. User named Tenant required
    1. Whichever tenant houses your provider EPG should subsequently contain the PBR BD and subsequent device selection policies.
    2. A global scope contract can then be used to define PBR/SG relation from prov EPG to cons EPG across tenants
    3. A dummy global scope contract (no PBR/SG) can potentially be used with the reversed cons/prov relationship to complete route leaking across tenants.

Here are some other guidelines to consider when configuring L4-L7 devices in ACI:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_0110.html#d21827e2578a1635

 

And here is the PBR specific guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver201/b_L4L7_Deploy_ver201_chapter_01001.html

 

Cheers,

Gabriel
