ACI PBR Same EPG

Hello Guys.

Is it possible to redirect traffic (using a PBR or any other way) to one IP in ACI?
The case is like this:
There is an F5 balancing a service to a cluster of servers. The thing is that when the traffic needs to return, the servers that are part of the load balancing cluster have ACI as default gateway, and instead of returning to F5, they go to ACI because the destination is on another subnet and traffic can't return to F5.
So, I was wondering if PBR would work here, but I was reading and it looks like to use PBR, they need to be in different EPGs and it also seems to be for L4-L7 reasons, so I'm not sure PBR would work here.
F5 and the servers are on the same EPG and ACI is as network centric, so they are part of the same vlan, hence same EPG, same BD.

Is there a way to redirect the traffic to F5 from ACI?

3 Replies

balaji.bandi
Hall of Fame
"have ACI as default gateway"

Is there any possibility to change the source and destination towards F5 before hitting ACI, where the traffic is coming from?

PBR is possible, but make sure you understand and test it:

Some reference on how that works in ACI PBR:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2023/pdf/BRKDCN-3982.pdf

BB

Remi-Astruc
Cisco Employee

Hi @Fernando Hernández ,

With the design you describe, the best way would be to enable Source NAT on the F5 Virtual Server, so the servers respond to the F5 instead of the Clients.

Regards

Remi Astruc

Ali Aghababaei
Level 1

Hi @Fernando Hernández 

Yes, it is possible to redirect traffic to a specific IP address in Cisco ACI using Policy-Based Redirect (PBR). Here's how you can achieve this:

Scenario:

You have an F5 load balancer handling traffic to a cluster of servers. When traffic returns from the servers, it bypasses the F5 and goes directly to ACI because the servers use ACI as their default gateway. You need to redirect this returning traffic back to the F5.

Solution: Using Policy-Based Redirect (PBR)

PBR can be configured to redirect traffic based on policies, which allows you to specify that traffic returning from the servers should be sent back to the F5.

Steps to Configure PBR in Cisco ACI:

  1. Create a Service Graph:

    • Define a service graph that includes the F5 load balancer.
    • Navigate to Tenants > [Your Tenant] > Policies > Service Graphs.
    • Create a new service graph and add a node representing the F5 load balancer.
  2. Define a Device Selection Policy:

    • Create a policy that specifies the F5 load balancer as the destination device for traffic matching your criteria.
    • Navigate to Tenants > [Your Tenant] > Policies > Device Selection Policies.
    • Define the policy and associate it with the service graph.
  3. Configure PBR Policies:

    • Configure PBR to match the returning traffic from the servers.
    • Navigate to Tenants > [Your Tenant] > Networking > Policy-Based Redirects.
    • Create a new PBR policy, specifying the match criteria (such as source and destination IPs, subnets, etc.) and the action to redirect the traffic to the F5 load balancer.
  4. Apply the PBR Policy:

    • Apply the PBR policy to the relevant Endpoint Groups (EPGs).
    • Ensure the EPGs of the servers and the F5 load balancer are correctly configured.
    • Navigate to Tenants > [Your Tenant] > Application Profiles > [Your Application Profile] > EPGs.
    • Apply the PBR policy to the appropriate EPGs.

Considerations:

  • EPG Membership: If the F5 and servers are in the same EPG, you might need to adjust the configuration to allow PBR to function correctly. Typically, PBR works between different EPGs, but it can be configured within the same EPG with careful policy application.
  • Service Graphs and Contracts: Ensure that the service graph is correctly applied to the contracts governing the traffic between the servers and the rest of the network.
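To make the return-path problem in the question and the two fixes proposed in the replies above (Source NAT on the F5 virtual server, or ACI PBR redirecting the servers' replies to the F5) concrete, here is an added Python model. It is not code from the thread, Cisco or F5; all addresses, the server IP and the PBR rule format are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (not from the thread): F5, servers and
# the BD gateway share one subnet, matching the question's single EPG/BD.
SERVER_SUBNET = ipaddress.ip_network("10.10.10.0/24")
ACI_GATEWAY = "10.10.10.1"   # BD SVI: the servers' default gateway
F5_SELF_IP = "10.10.10.5"    # F5 address the PBR policy redirects to
F5_SNAT_IP = "10.10.10.6"    # source address F5 uses when SNAT is enabled
SERVER_IP = "10.10.10.50"    # one pool member

@dataclass(frozen=True)
class Flow:
    src: str  # source IP of the server's reply
    dst: str  # destination IP of the server's reply

def server_next_hop(reply):
    """The server's own routing decision: an on-subnet destination is reached
    directly (ARP, no gateway); any other destination goes to ACI."""
    if ipaddress.ip_address(reply.dst) in SERVER_SUBNET:
        return reply.dst
    return ACI_GATEWAY

def apply_pbr(reply, pbr_rules):
    """Model of ACI PBR on the leaf: a flow matching a (src_net, dst_net) rule
    is forwarded to that rule's service-node IP instead of being routed."""
    src, dst = ipaddress.ip_address(reply.src), ipaddress.ip_address(reply.dst)
    for (src_net, dst_net), redirect_ip in pbr_rules.items():
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return redirect_ip
    return None

def return_path(client_ip, snat=False, pbr_rules=None):
    """Which node receives the server's reply to a load-balanced request.
    Without SNAT the server sees the real client IP and replies via its
    gateway, so the reply bypasses the F5 unless ACI PBR redirects it."""
    reply = Flow(src=SERVER_IP, dst=F5_SNAT_IP if snat else client_ip)
    hop = server_next_hop(reply)
    if hop == ACI_GATEWAY and pbr_rules:
        redirected = apply_pbr(reply, pbr_rules)
        if redirected is not None:
            return redirected
    return hop

if __name__ == "__main__":
    client = "192.168.1.20"  # constructed client on another subnet
    rules = {("10.10.10.0/24", "192.168.1.0/24"): F5_SELF_IP}
    print("no fix:", return_path(client))                    # 10.10.10.1, F5 bypassed
    print("SNAT  :", return_path(client, snat=True))         # 10.10.10.6, reply hits F5
    print("PBR   :", return_path(client, pbr_rules=rules))   # 10.10.10.5, reply hits F5
```

With SNAT the server never consults its gateway at all, which is why that fix does not depend on EPG layout; the PBR variant only helps for flows that match the redirect rule on the ACI leaf.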