Policy Based Redirect in ACI
Policy Based Redirect (PBR) is available from ACI release 2.0(1m). Before this release, all forwarding decisions in ACI were based on the destination MAC or IP address. With PBR, traffic that matches a subject in a contract can be redirected to a service node (a firewall or load balancer, for example), while all other traffic follows the regular forwarding path.
PBR Design Consideration
When deploying PBR, the following design considerations apply:
- The service node must be connected to a service BD that has a subnet configured, with unicast routing enabled. Depending on the requirement, the service BD subnet can stay private to the VRF or be advertised externally.
- PBR supports tracking and probing of the service node; however, the service node cannot be connected through an L3Out.
- Endpoint dataplane IP learning must be disabled on the service BD used for PBR.
- The service node cannot be connected to a first-generation leaf if the source or the destination endpoint is connected to the same leaf. This restriction does not apply to second-generation leafs.
- With an active/standby pair of service nodes, both nodes must present the same virtual MAC address (MAC masquerade), so that the redirect destination MAC remains valid after a failover.
- Only a service node in routed mode is supported with PBR.
- PBR can be used with both managed and unmanaged service graphs.
- In a multi-node service graph, PBR can be enabled on only one node.
PBR Design Scenarios
PBR Service Graph with ADC (One-ARM with no SNAT)
When an ADC is inserted in one-arm mode with a regular service graph, SNAT has to be configured on the ADC: the client-to-VIP traffic reaches the ADC through normal routing because the VIP is advertised by the ADC, but without SNAT the return traffic from the server would bypass the ADC. With a PBR service graph, the fabric redirects the server's return traffic to the ADC, so SNAT is no longer needed.
The figure below shows a PBR service graph with an ADC in one-arm mode.
PBR Service Graph with ADC (Two-ARM and Routed)
This scenario applies when the clients and servers do not use the firewall as their default gateway. Clients and servers are placed in different BDs, each with its own subnet, and the fabric is their default gateway.
Now suppose you want HTTPS traffic from the clients to the web server to be redirected through the firewall, while management and SSH traffic should flow directly to the web server. This can be achieved with a PBR service graph in two-arm mode: the contract between the client and web EPGs carries a subject for HTTPS with the PBR service graph attached, and a separate subject for SSH and management traffic without it.
Configuring PBR Service Graph
The steps to configure a PBR service graph are similar to those for a regular service graph, with a few changes.
PBR requires a service BD with a subnet for the internal and the external interface of the service node. The figure below shows the configuration settings. When configuring the service graph template, enable the Route Redirect option on the function node to use PBR. The redirect destination itself (the IP and MAC address of the service node interface) is defined in an L4-L7 Policy-Based Redirect policy, which is then referenced from the device selection policy for the service graph.
Service Node Health Check
With PBR it is important to track the health of the service node: if the node is down and ACI still redirects traffic to it, that traffic is dropped. When tracking marks a redirect destination as down, it is removed from the redirect policy, so traffic is only sent to the remaining healthy destinations.
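The following is an added example, not code from the original article or from Cisco. It builds the tenant XML for a PBR redirect policy with a health group and IP SLA probe (the objects behind the Route Redirect configuration and the health check above) and checks the constructed input against the design considerations from this page before anything is posted. The tenant, policy, health-group and probe names, the IP and MAC values and the APIC URL are made up; the object classes used (vnsSvcCont, vnsSvcRedirectPol, vnsRedirectDest, vnsRedirectHealthGroup, fvIPSLAMonitoringPol and their relations) are the ones this example assumes the APIC uses for PBR, so verify them against the object model of your release before posting.

```python
"""Build and sanity-check an ACI PBR redirect policy as APIC tenant XML.

Added example (not the article's or Cisco's code). All names, addresses and
the APIC URL are constructed; the APIC class names are assumptions to be
checked against the release's object model.
"""
import ipaddress
import re
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class RedirectDest:
    name: str
    ip: str    # service node interface IP in the service BD
    mac: str   # for an active/standby pair: the shared virtual MAC (MAC masquerade)


@dataclass
class PbrPolicy:
    tenant: str
    name: str
    service_bd_subnet: str          # service BD gateway with prefix, e.g. 192.168.100.1/24
    dests: list = field(default_factory=list)
    ipsla_name: str = "ICMP-SLA"    # hypothetical IP SLA monitoring policy name
    health_group: str = "PBR-HG"    # hypothetical redirect health group name
    sla_frequency: int = 60         # probe interval in seconds


def validate(policy: PbrPolicy) -> list:
    """Return the list of design-consideration violations (empty means OK)."""
    problems = []
    net = ipaddress.ip_network(policy.service_bd_subnet, strict=False)
    gateway = ipaddress.ip_interface(policy.service_bd_subnet).ip
    if not policy.dests:
        problems.append("no redirect destination defined")
    seen_ips = set()
    for d in policy.dests:
        ip = ipaddress.ip_address(d.ip)
        # The service node must sit in the service BD subnet (and not on the BD gateway itself)
        if ip not in net or ip == gateway:
            problems.append(f"{d.name}: {d.ip} is not a host address in service BD subnet {net}")
        if not MAC_RE.match(d.mac):
            problems.append(f"{d.name}: {d.mac!r} is not a valid MAC address")
        # One redirect IP must map to exactly one MAC (an HA pair is entered once, with its vMAC)
        if d.ip in seen_ips:
            problems.append(f"{d.name}: duplicate redirect IP {d.ip}")
        seen_ips.add(d.ip)
    return problems


def build_xml(policy: PbrPolicy) -> str:
    """Serialise the policy as fvTenant XML to POST to /api/mo/uni.xml."""
    tenant = ET.Element("fvTenant", {"name": policy.tenant})
    # IP SLA probe used to track the service node (health check)
    ET.SubElement(tenant, "fvIPSLAMonitoringPol",
                  {"name": policy.ipsla_name, "slaType": "icmp",
                   "slaFrequency": str(policy.sla_frequency)})
    cont = ET.SubElement(tenant, "vnsSvcCont")
    ET.SubElement(cont, "vnsRedirectHealthGroup", {"name": policy.health_group})
    pol = ET.SubElement(cont, "vnsSvcRedirectPol", {"name": policy.name})
    ET.SubElement(pol, "vnsRsIPSLAMonitoringPol",
                  {"tDn": f"uni/tn-{policy.tenant}/ipslaMonitoringPol-{policy.ipsla_name}"})
    for d in policy.dests:
        dest = ET.SubElement(pol, "vnsRedirectDest", {"name": d.name, "ip": d.ip, "mac": d.mac})
        ET.SubElement(dest, "vnsRsRedirectHealthGroup",
                      {"tDn": f"uni/tn-{policy.tenant}/svcCont/"
                              f"redirectHealthGroup-{policy.health_group}"})
    return ET.tostring(tenant, encoding="unicode")


def post_to_apic(apic_url: str, token: str, xml_body: str) -> int:
    """POST the tenant XML with an APIC-cookie token from aaaLogin (TLS is verified)."""
    req = urllib.request.Request(
        f"{apic_url}/api/mo/uni.xml", data=xml_body.encode(), method="POST",
        headers={"Cookie": f"APIC-cookie={token}", "Content-Type": "application/xml"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def example_policy() -> PbrPolicy:
    """Constructed sample: a firewall HA pair on service BD 192.168.100.0/24, entered
    once with its shared virtual IP and virtual MAC (MAC masquerade)."""
    return PbrPolicy(tenant="PBR-Tenant", name="FW-Redirect",
                     service_bd_subnet="192.168.100.1/24",
                     dests=[RedirectDest("FW-HA-pair", "192.168.100.11", "00:50:56:AA:BB:01")])


def misconfigured_policy() -> PbrPolicy:
    """Constructed sample that breaks the service BD rule twice: one destination is
    outside the service BD subnet and the other is the BD gateway address."""
    return PbrPolicy(tenant="PBR-Tenant", name="Bad-Redirect",
                     service_bd_subnet="192.168.100.1/24",
                     dests=[RedirectDest("FW-A", "192.168.200.11", "00:50:56:AA:BB:01"),
                            RedirectDest("FW-B", "192.168.100.1", "00:50:56:AA:BB:02")])


if __name__ == "__main__":
    for pol in (example_policy(), misconfigured_policy()):
        issues = validate(pol)
        print(pol.name, "OK" if not issues else issues)
    print(build_xml(example_policy()))
    # post_to_apic("https://apic.example.net", token, build_xml(example_policy()))
```

Run `validate()` before `post_to_apic()`: the APIC will accept a redirect destination outside the service BD subnet, but the fabric will not be able to reach it, which is the hard-to-debug failure the design considerations are meant to prevent.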