ACI PBR based on source and destination IP/Subnet

Lamont Bullock
Level 1

Hello Community.  I have a need to configure PBR in ACI and am hoping someone can let me know if this is doable and perhaps point me in the right direction with the configuration.

I have two sites where I need to forward some traffic flows to a few SDWANs using PBR, but I need the PBR policy to key on the source and destination subnets, so static routes won't help here.  Depicted in the picture with the red line is the natural path using normal routing.  This path is good for most traffic flows, and we need to keep this available.  Some of our traffic flows need to get PBR'd to the SDWANs and take the green paths.  The applications that are using the SDWAN paths are proprietary and cannot handle the WAN delays.  We currently have this working outside of an ACI fabric using NX-OS routers, but we are converting the sites to ACI and we'll need to support this capability in ACI.  All the PBR documentation and HOWTO videos never show the redirection being based on IP address or subnets, only EPGs and Contracts with services.  The other kicker is I need a portion of the IPs in the X.X.X.0/24 to be sent to one SDWAN appliance and another portion to be sent to the other SDWAN (like X.X.X.0/25 --> SDWAN1 and X.X.X.128/25 --> SDWAN2).  The client hosts are VMs and the SDWAN appliances are VMs too.  There is no VMM domain configured in ACI, so I think I have to treat the SDWAN appliances as physical devices.  And the APIC configuration for the L4-L7 Device wants a physical port.  The SDWANs are not on the same subnet as the VM clients.

Is ACI capable of triggering the PBR using the source and destination IPs or subnets?
Do I need to separate the VM clients into two EPGs and apply the subnets there to be able to associate them with different contracts to direct them to different SDWANs?
With the Destination network being at a different site, how do I represent the destination as an EPG/Contract when it's not in this ACI fabric?
Since the SDWANs are VMs on some hypervisors, do I still need to put the leaf ports that those hypervisors connect to in the L4-L7 Device?
Do I need to configure completely separate PBR elements for each SDWAN, or can I share any of the components to use with both SDWANs (i.e. L4-L7 Device, Contracts, Service Graph Templates, etc...).  


[Image: LamontBullock_1-1739603557497.png]

Thanks for any guidance you can provide.  It's much appreciated.

Lamont

Accepted Solution

Remi-Astruc
Cisco Employee

Hi @Lamont Bullock ,

PBR can only be applied with a Contract, and a Contract can only be consumed/provided by an EPG/ESG. So no, you cannot set IPs as consumer/provider.

However, you can either split the subnet into 2 different EPGs (redesigning both with different network constructs), or use ESG with IP Selector matching your X.X.X.x/25.

Then you can define the SDWAN as a PBR device ("physical" L4L7 with the ESXi ports) and use a "trick" by attaching the PBR Contract consumed by the EPG/ESG and provided by the L3Out ExtEPG, so the consumer>PBR/PBR>consumer forwarding will occur while the provider>PBR/PBR>provider side will never occur (at your own risk, as not officially described).

Another standard Contract consumed by other EPGs/ESGs and provided by the L3Out ExtEPG will forward normally all the other traffic via the normal WAN path.

Regards

Remi Astruc

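As an added example (not from the thread and not Cisco's code), the Python below builds the APIC REST payloads for the ESG-with-IP-selector part of Remi's answer: it carves the client /24 into one /25 per SD-WAN node, checks that the pieces partition the /24 with no gap or overlap, and emits one ESG per piece that consumes its own PBR contract. Tenant, application profile, VRF, subnet and contract names are constructed placeholders; the fvESg, fvEPSelector, fvRsScope and fvRsCons class names are from the APIC object model as I know it and should be checked against your APIC version. The PBR device, service graph and L3Out ExtEPG provider side are not generated here.

```python
import ipaddress
import json

# Constructed placeholder names; none of these come from the thread.
TENANT, AP, VRF = "prod-tn", "clients-ap", "prod-vrf"
CLIENT_SUBNET = "10.10.10.0/24"   # stands in for the post's X.X.X.0/24
SDWANS = ["sdwan1", "sdwan2"]     # one PBR contract and one ESG per SD-WAN node


def split_subnet(cidr: str, parts: int) -> list[str]:
    """Carve cidr into `parts` equal subnets; parts must be a power of two."""
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in net.subnets(prefixlen_diff=parts.bit_length() - 1)]


def is_partition(cidr: str, pieces: list[str]) -> bool:
    """True when pieces cover cidr exactly once: no gaps and no overlaps.
    Overlapping selectors would make an endpoint match two ESGs, so fail early."""
    net = ipaddress.ip_network(cidr)
    nets = [ipaddress.ip_network(p) for p in pieces]
    return (sum(n.num_addresses for n in nets) == net.num_addresses
            and list(ipaddress.collapse_addresses(nets)) == [net])


def esg_payload(name: str, subnet: str, contract: str) -> dict:
    """fvESg JSON: VRF scope, one IP selector, consumer side of the PBR contract.
    Class and attribute names are assumed from the APIC object model; verify on your APIC."""
    return {"fvESg": {"attributes": {"name": name}, "children": [
        {"fvRsScope": {"attributes": {"tnFvCtxName": VRF}}},
        {"fvEPSelector": {"attributes": {"matchExpression": f"ip=='{subnet}'"}}},
        {"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}},
    ]}}


def build_esgs(client_subnet: str = CLIENT_SUBNET, sdwans: list[str] = SDWANS):
    """Return (POST URL, payload) pairs, one ESG per SD-WAN node."""
    pieces = split_subnet(client_subnet, len(sdwans))
    if not is_partition(client_subnet, pieces):
        raise ValueError("selectors do not partition the client subnet")
    out = []
    for sdwan, piece in zip(sdwans, pieces):
        name = f"{sdwan}-clients"
        url = f"/api/mo/uni/tn-{TENANT}/ap-{AP}/esg-{name}.json"
        out.append((url, esg_payload(name, piece, f"pbr-to-{sdwan}")))
    return out


if __name__ == "__main__":
    for url, body in build_esgs():
        print(url)
        print(json.dumps(body, indent=2))
```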

4 Replies

Robert543
Level 1

In Cisco ACI (Application Centric Infrastructure), Policy-Based Redirect (PBR) allows traffic redirection based on specific criteria such as source and destination IP/subnet. If you are facing issues with PBR based on these attributes, ensure that your service graph is correctly configured with the appropriate L4-L7 service nodes.


Robert543,

Thank you very much for the response.  I am confused on how to specify the source and destination IP/Subnet.  Is this done using the EPGs?  The contracts and their sub-components don't seem to have a place to specify IP addresses, only protocol and port ranges.  So, I am confused on where/how to identify this info.  Can you please help me understand which object to configure this on?


Lamont


Lamont Bullock
Level 1

Remi-Astruc,

Thanks a lot for the info.  That was exactly what I needed to know.  I did get the PBRs working.  I used the ESG to break the source network's /24 into two /25s and created an ExtEPG with External Subnets for External networks to represent the remote site network.  I appreciate your help.


Lamont
