PBR end-to-end Packet Flow

1. Each EGP is represented by PCTag

2. Shadow EPG (Firewall) connect to the service Device (EPG)

3. Traffic in between EGPs will be redirected & from shadow EGP towards EGPs will be unidirectional.

The priority is fully_qual(7), indicating that this rule has a high priority.

The priority src_dst_any(9) suggests it is a lower-priority rule compared to the fully qualified rules.

uni-dir-ignore seems to be a special case where certain flows are ignored but redirection still occurs.

4. EG1 sends packet to EP2 via Leaf1. L1 does route & policy lookup - Redirect to Service BD/Service MAC (If Leaf1 doesn't know where the MAC of Fw interface resides than it will send it to Spine).

Bridge Domain of Firewall

5. Command Line Verification

TROUBLESHOOTING STEPS FOR MULTIPOD SYMMETRIC PBR

Routed flow between EPs 172.16.11.1 to 172.16.12.1

Redirected to one the Firewall HA pair.

FW are one-arm attached to ACI.

Check 1: Is the Graph Deployed?

Check 2: Is the Service EPG deployed?

Check 3: Zoning-Rules

Check 4: Redirect Info

Check 5: Coop DB on Spine

Verify COOP DB if hashing gives you FW MAC

Example Check ingress leaf