Bi-directional service graph PBR?

SIMMN

With an ACI native contract, by default the filter is applied bidirectionally. For example, if a contract that blocks RDP is applied between consumer EPG1 and provider EPG2, the ACI fabric prevents a workload in EPG1 from using RDP to a workload in EPG2. The ACI fabric also prevents a workload in EPG2 from using RDP to a workload in EPG1.

With service graph PBR, I have a contract to redirect RDP traffic to a firewall. When I apply the service graph between consumer EPG1 and provider EPG2, RDP traffic from EPG1 to EPG2 is redirected to the firewall, but RDP traffic from EPG2 to EPG1 is not redirected. The PBR contract does have bidirectional enabled.

Is there any way to apply service graph PBR bidirectionally, like how the native contract is applied?

1 Reply

AshSe

Hey @SIMMN 

In Cisco ACI, when using service graphs with Policy-Based Redirect (PBR), the behavior can indeed differ from the default bidirectional nature of native contracts. By default, native contracts apply filters in both directions between the consumer and provider Endpoint Groups (EPGs). However, service graphs with PBR may require additional configuration to achieve bidirectional traffic redirection.

To apply a service graph with PBR bidirectionally, you need to ensure that the service graph and the associated contracts are explicitly configured to handle traffic in both directions. Here are the steps to achieve this:

1. Create two separate contracts:
   • Create one contract for traffic from EPG1 to EPG2.
   • Create another contract for traffic from EPG2 to EPG1.
2. Apply the service graph to both contracts:
   • Attach the same service graph to both contracts. This ensures that the PBR rules are applied in both directions.
3. Configure filters appropriately:
   • Ensure that the filters within the contracts are configured to match the RDP traffic in both directions.
4. Verify the PBR configuration:
   • Make sure that the PBR rules on the firewall or service device are configured to handle traffic in both directions. This might involve setting up appropriate access control lists (ACLs) or policies on the firewall.

PS: Kindly note that in the case of PBR using a service graph, if you place a firewall, the default behavior of the firewall is to block all traffic on all interfaces, so you have to explicitly allow the traffic on the required interfaces.

HTH

AshSe

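As an added illustration (not part of the original post, and not Cisco's own documentation), the two-contract approach described in the reply looks like this when expressed as an APIC REST XML tenant configuration. The tenant name, application profile, EPG names, filter name, contract names and the service graph template name fw-pbr are all assumed; the service graph template, its device selection policy and the PBR redirect policy are assumed to already exist and are not shown.

```xml
<!-- Added example, not from the original thread. All names are assumed. -->
<fvTenant name="example-tenant">

  <!-- One filter matching RDP (TCP/3389) as the destination port. -->
  <vzFilter name="rdp">
    <vzEntry name="tcp-3389" etherT="ip" prot="tcp" dFromPort="3389" dToPort="3389"/>
  </vzFilter>

  <!-- Contract A: EPG1 (consumer) initiates RDP toward EPG2 (provider).
       The subject carries the filter and the service graph (fw-pbr, assumed to exist). -->
  <vzBrCP name="rdp-epg1-to-epg2" scope="tenant">
    <vzSubj name="rdp" revFltPorts="yes">
      <vzRsSubjFiltAtt tnVzFilterName="rdp"/>
      <vzRsSubjGraphAtt tnVnsAbsGraphName="fw-pbr"/>
    </vzSubj>
  </vzBrCP>

  <!-- Contract B: identical filter and graph, but consumer/provider roles reversed
       so that RDP sessions initiated from EPG2 toward EPG1 are also redirected. -->
  <vzBrCP name="rdp-epg2-to-epg1" scope="tenant">
    <vzSubj name="rdp" revFltPorts="yes">
      <vzRsSubjFiltAtt tnVzFilterName="rdp"/>
      <vzRsSubjGraphAtt tnVnsAbsGraphName="fw-pbr"/>
    </vzSubj>
  </vzBrCP>

  <!-- Each EPG consumes one contract and provides the other. -->
  <fvAp name="app">
    <fvAEPg name="EPG1">
      <fvRsCons tnVzBrCPName="rdp-epg1-to-epg2"/>
      <fvRsProv tnVzBrCPName="rdp-epg2-to-epg1"/>
    </fvAEPg>
    <fvAEPg name="EPG2">
      <fvRsProv tnVzBrCPName="rdp-epg1-to-epg2"/>
      <fvRsCons tnVzBrCPName="rdp-epg2-to-epg1"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
```

This fragment is meant to be merged into an existing tenant (for example by POSTing it to the tenant's uni/tn-... path), so the EPGs are shown with only their contract relations; their bridge-domain relation and other attributes are assumed to be configured already. revFltPorts="yes" keeps the default Reverse Filter Ports behaviour, which is what lets the return half of each RDP session (source port 3389) match the same subject, and is left explicit here so the intent is visible when reviewing the policy.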
