Cisco ACI Service Graph One Arm vs Two Arms
Service Graph One arm deployment
Let’s check the rules in the zoning rules table one by one:
Leaf1# show zoning-rule scope 2818049
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4602 | 32779 | 32776 | default | bi-dir | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
| 4102 | 32776 | 32779 | default | uni-dir-ignore | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
| 4629 | 49161 | 32779 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
| 4623 | 49161 | 32776 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
① For the communication from EPG-APP (consumer) to EPG-WEB (provider), from pctag 32779 to 32776, the rule action is redirect to destgrp-6. The first step is redirecting the packet to the service node:
| 32779 | 32776 | redir(destgrp-6)
Leaf1# show zoning-rule scope 2818049
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4602 | 32779 | 32776 | default | bi-dir | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
# show service redir info group 6
=======================================================================================================================================
LEGEND
TL: Threshold(Low) | TH: Threshold(High) | HP: HashProfile | HG: HealthGrp | BAC: Backup-Dest | TRA: Tracking | RES: Resiliency
=======================================================================================================================================
GrpID Name destination HG-name BAC operSt operStQual TL TH HP TRAC RES
===== ==== =========== ============== === ======= ============ === === === === ===
6 destgrp-6 dest-[192.168.20.50]-[vxlan-2818049] Not attached N enabled no-oper-grp 0 0 sym no no
# show service redir info
=======================================================================================================================================
LEGEND
TL: Threshold(Low) | TH: Threshold(High) | HP: HashProfile | HG: HealthGrp | BAC: Backup-Dest | TRA: Tracking | RES: Resiliency
=======================================================================================================================================
List of Dest Groups
GrpID Name destination HG-name BAC operSt operStQual TL TH HP TRAC RES
===== ==== =========== ============== === ======= ============ === === === === ===
6 destgrp-6 dest-[192.168.20.50]-[vxlan-2818049] Not attached N enabled no-oper-grp 0 0 sym no no
List of destinations
Name bdVnid vMac vrf operSt operStQual HG-name
==== ====== ==== ==== ===== ========= =======
dest-[192.168.20.50]-[vxlan-2818049] vxlan-16646029 A0:93:51:AC:D7:41 Test:VRF-1 enabled no-oper-dest Not attached
② Once the traffic is redirected to the service node (FW in our case), the packet will hit a permit rule from the service node shadow EPG (pctag 49161 in our example) to the provider EPG (pctag 32776 in the example):
| 49161 | 32776 | permit
Leaf1# show zoning-rule scope 2818049
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4623 | 49161 | 32776 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
③ When the provider EPG endpoint responds to the traffic (from EPG-WEB (provider) to EPG-APP (consumer)), it will hit the redirect action in the zoning rule and will be redirected to the service node (FW):
| 32776 | 32779 | redir(destgrp-6)
Leaf1# show zoning-rule scope 2818049
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4102 | 32776 | 32779 | default | uni-dir-ignore | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
④ Once the packet is back from the service node (return path), it will hit the zoning rule (from service node shadow EPG to the consumer EPG):
| 49161 | 32779 | permit
Leaf1# show zoning-rule scope 2818049
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4629 | 49161 | 32779 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
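The four steps above can be checked mechanically against a captured zoning-rule table, which is useful for confirming that neither direction between the two EPGs bypasses the firewall. The script below is an added example, not part of the original post or any Cisco tooling; the function names are hypothetical, the input rows are copied from the output on this page, and matching is simplified to exact pcTag pairs (filter and priority are ignored).

```python
import re

# Rows copied from the `show zoning-rule scope 2818049` output on this page.
ZONING_OUTPUT = """\
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4602 | 32779 | 32776 | default | bi-dir | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
| 4102 | 32776 | 32779 | default | uni-dir-ignore | enabled | 2818049 | | redir(destgrp-6) | src_dst_any(9) |
| 4629 | 49161 | 32779 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
| 4623 | 49161 | 32776 | default | uni-dir | enabled | 2818049 | | permit | src_dst_any(9) |
"""

def parse_zoning_rules(text):
    """Parse the pipe-delimited table into dicts keyed by column header."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def lookup(rules, src, dst):
    """Enabled rule for an exact src->dst pcTag pair, or None (no match).
    Simplification: filter and priority are ignored; all rules here share them."""
    for r in rules:
        if r["operSt"] == "enabled" and (r["SrcEPG"], r["DstEPG"]) == (src, dst):
            return r
    return None

def check_one_arm(rules, consumer, provider, shadow):
    """Return findings where the table deviates from the four steps above."""
    findings, groups = [], set()
    for src, dst in ((consumer, provider), (provider, consumer)):
        r = lookup(rules, src, dst)
        m = re.fullmatch(r"redir\((destgrp-\d+)\)", r["Action"]) if r else None
        if m:
            groups.add(m.group(1))
        else:
            got = r["Action"] if r else "no rule"
            findings.append(f"{src}->{dst}: expected redir, got {got}")
    for dst in (provider, consumer):
        r = lookup(rules, shadow, dst)
        if r is None or r["Action"] != "permit":
            findings.append(f"{shadow}->{dst}: no permit from service node shadow EPG")
    if len(groups) > 1:  # on this page both directions share destgrp-6
        findings.append(f"directions use different groups: {sorted(groups)}")
    return findings

if __name__ == "__main__":
    rules = parse_zoning_rules(ZONING_OUTPUT)
    print(check_one_arm(rules, "32779", "32776", "49161") or "all four steps present")
```

An empty result means both EPG-to-EPG directions redirect to the service node and the shadow EPG is permitted toward both EPGs; a plain permit between 32776 and 32779 would be reported as a finding.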
TBC