Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
669
Views
0
Helpful
0
Replies

PBR FW/IPS with single L3Out in common

AlexCross
Level 1
Level 1

‎01-23-2019 05:48 AM - edited ‎03-01-2019 05:45 AM

Hi, folks!

 

We have a single L3Out in tenant "common" and want to transparently insert FirePower FW/IPS with service graph and PBR in data path from/to all other tenant's EPGs.

 

The first problem is that PBR requires both ends of service graph be in the same VRF, but each tenant has its own.

 

Second, when we made additional L3Outs in tenant's VRF connected to backbone on different subinterfaces, then we got route flapping and loops, probably because in ACI a border leaf must use single L3Out to link to particular OSPF area.

 

Lastly, according to "Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design" white paper, it's possibly to use PBR between L3Out EPGs. Are there any options to use this approach to direct tenant's traffic through FW/IPS with PBR towards L3Out in tenant "common" deployed over 4 nodes in multi-pod with ECMP?

 

Thank you in advance for any suggestions.

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License