ACI PBR - Redirect Traffic to a host on a different Leaf

Lamont Bullock
Level 1

Hello Cisco Community.  I have what I hope is a basic question with ACI Policy Based Redirection.  With ACI can PBR be configured to redirect traffic entering a leaf to a host on another leaf?   I have some hosts connected to Leaf switches throughout the fabric and want to direct some of their traffic to an SDWAN/WAN optimizer that is connected to another leaf switch.  I just need to know if this is doable.   Thanks a lot!!!

 ACI PBR Questions.jpg


5 Replies

AshSe
Level 3

In your case you don't need PBR. By configuring Leaf-2 as Border Leaf, you can send your traffic to SDWAN Optimiser.

PBR may be required if your SDWAN optimiser is connected inside ACI fabric and in between Leaf-1 and Leaf-2, and the traffic flow is like:

Host ==> Leaf-1 ==> SDWAN Optimiser ==> Leaf-2 ==> L3Out == WAN Edge Router

In typical and most common case, it is a firewall that is used to redirect the traffic to. Look at the below diagram:

Screenshot 2024-07-29 at 3.11.37 PM.png

Lamont Bullock
Level 1

AshSe,

Thank you for the response.  Sorry, my 1st attempt to post the thread got lost, so I had to retype it and it was more abbreviated.  I do need PBR for my scenario because I need to send traffic to the optimizer based on the source and destination IP addresses.  It's not depicted, but there are actually 4 WAN optimizers, and I need to send certain traffic to each one based on the source IP.  I also have a normal routing path to the same destination sites that do not use WAN optimization, exiting the fabric via an L3Out, that I have to maintain so normal dynamic routing will bypass the optimizers altogether.  The WAN optimizers do have firewalls to inspect the ingress/egress traffic taking that path.  The fabric is much larger than what is depicted; I simplified it for the question I was asking.  There will be a fixed set of Leaf switches the WAN optimizers will connect to, and they are virtual machines in the fabric, but I need hosts that are distributed around the fabric to be able to have their traffic redirected to them if possible.   Do you know if this is doable?

Thanks again,


Lamont

AshSe
Level 3

Dear @Lamont Bullock , I have partially drawn the diagram with respect to your previous details and based on my understanding. You can replace the firewall with the WAN Optimiser. I would appreciate it if you could draw a diagram with respect to your queries. PFB my comments to your questions & statements:

LB: there are actually 4 WAN optimizers, and I need to send certain traffic to each one based on the source IP.

AS: doable

LB: I also have a normal routing path to the same destination sites that do not use WAN optimization, exiting the fabric via an L3Out, that I have to maintain so normal dynamic routing will bypass the optimizers altogether.

AS: doable

LB: The WAN optimizers do have firewalls to inspect the ingress/egress traffic taking that path. 

AS: Do you mean there are inbuilt firewalls in the WAN Optimiser?

If yes, how is this related to PBR?

LB: ......but I need hosts that are distributed around the fabric to be able to have their traffic redirected to them if possible.

AS: Didn't understand what you mean here.

Lamont Bullock
Level 1

LamontBullock_0-1722364723663.jpeg


LB: there are actually 4 WAN optimizers, and I need to send certain traffic to each one based on the source IP.

AS: doable

     LB: Great, thanks.  That answers my core question.

LB: I also have a normal routing path to the same destination sites that do not use WAN optimization, exiting the fabric via an L3Out, that I have to maintain so normal dynamic routing will bypass the optimizers altogether.

AS: doable

     LB: Great, thanks.

LB: The WAN optimizers do have firewalls to inspect the ingress/egress traffic taking that path. 

AS: Do you mean there are inbuilt firewalls in the WAN Optimiser?  

      If yes, how is this related to PBR?

     LB: Yes, the firewalls are built-in.  It's not related to PBR, since the PBR is just to get the traffic to the WANOP.  Basically, unnecessary added info.

LB: ......but I need hosts that are distributed around the fabric to be able to have their traffic redirected to them if possible.

AS: Didn't understand what you mean here.

     LB: I need hosts connected to Leaf switches 1 and 4 to have their traffic trying to reach destination hosts 1 & 2 redirected to the WAN optimizers connected to Leaf switches 2 & 3.  There are other hosts in the fabric connected to other leaf switches that would follow this example.  I just don't want the source hosts to have to be connected to the same leaf switches that the WAN optimizers connect to in order for the PBR to work.

Thank you very much AshSe, you have given me hope.  I will research how to configure PBR so I can have a proof of concept and move forward from there to implementing it.  

All the very best @Lamont Bullock . Please take a look at the more improvised diagram.

Screenshot 2024-07-31 at 12.29.13 PM.png
