1. Each EPG is represented by a PCTag.
2. The shadow EPG (firewall) connects to the service device (EPG).
3. Traffic between EPGs will be redirected, and traffic from the shadow EPG towards the EPGs will be unidirectional.
4. EP1 sends a packet to EP2 via Leaf1. Leaf1 does a route and policy lookup: redirect to the service BD/service MAC (if Leaf1 doesn't know where the MAC of the FW interface resides, then it will send the packet to the spine).
Bridge Domain of Firewall
5. Command Line Verification
TROUBLESHOOTING STEPS FOR MULTIPOD SYMMETRIC PBR
Routed flow between EPs 172.16.11.1 to 172.16.12.1
Redirected to one of the firewall HA pair.
The FWs are one-arm attached to ACI.
Check 1: Is the Graph Deployed?
Check 2: Is the Service EPG deployed?
Check 3: Zoning-Rules
Check 4: Redirect Info
Check 5: COOP DB on Spine
Verify in the COOP DB if hashing gives you the FW MAC
Example: check the ingress leaf