Deploying Symmetric PBR To a Dummy EPG

roysegev · ‎01-03-2023

Hello, I am trying to deploy a symmetric PBR that will redirect traffic that is sent to a fictitious EPG. The purpose of the EPG is to serve as single destination in order to load balance traffic to multiple servers. Meaning, when traffic is sent to the dummy EPG it is expected to reach one of the servers and return straight to the client.
For the dummy EPG I configured a bd with a /32 subnet. This EPG is the provider for the service graph contract (any EPG is the consumer).

When sending traffic to the dummy EPG it does not reach the PBR nodes (the servers). Does anyone know what the problem is? or implemented a similar topology in the past?

Thanks in advance.

balaji.bandi · ‎01-03-2023

As long the contract in place for the respect EPG to reach server, that should work as technically speaking.

here is the flow explained for better understanding when you deploying this kind of scenarios.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

roysegev · ‎01-04-2023

Hello, the contract is for any EPG to be redirected by the pbr to another EPG (the servers) when sending traffic to the Dummy EPG. do you know of any problem this can cause?

Sergiu.Daniluk · ‎01-04-2023

The problem is that you send the traffic to the "dummy BD" IP address. Without going into too many details, the PBR contract is enforced for traffic between endpoints or between EPs and L3Out prefixes. For your specific case, there should be traffic between client EP and dummy EP. So the solution should be simple: configure your BD with /30 or something, and add a dummy server in your dummy EPG.

However, note that the destination IP for the traffic flow is the dummy EP. So not sure what you will accomplish with these packets on your servers. There should be a LB device which should properly change the VIP to real IP address of servers for pool.But hey, if you just want to do some tests, sure, it will work.

Take care,

Sergiu

roysegev · ‎01-05-2023

Hi @Sergiu.Daniluk, thank you for the explanation!

We configured the dummy BD with a /32 subnet (there are no actual endpoints in the EPG). This was done with the hopes that the /32 subnet will be advertised to the entire fabric, unfortunately we saw that the subnet was not being advertised anywhere. Do you know if there is a way to achieve this without an actual EP in the dummy EPG?

Thanks in advance.

Roy

Sergiu.Daniluk · ‎01-05-2023

Try with a dummy-L3Out + static route, instead of a dummy EPG. This way the routes will be propagated to the compute leafs and the zoning rules can be enforced.

Take care,

Sergiu

roysegev · ‎01-05-2023

Hi Sergiu,

We found a way to propagate static routes from the EPG to the compute leaves:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L3_config/b_Cisco_APIC_Layer_3_Configuration_Guide/b_Cisco_APIC_Layer_3_Configuration_Guide_chapter_01000.html

But we still don't recieve any traffic to the PBR nodes, could this be because the next hop we configured is not real (doesn't exist on any leaf)?

Sergiu.Daniluk · ‎01-05-2023

The reason is most likely because you do not have a static patch configured, meaning your EPG is not deployed on any leaf. Try configuring a valid static path for your EPG (with a vlan from a phy domain associated to the EPG) and you will see the route pushed to the leaf, even if the next hop is not real.

Take care,

Sergiu