How can we achieve this using PBR in ACI

losharm · ‎09-26-2022

In the above scenario, every traffic is going via L3out-1 where the default route is given and using next hop 20.1 but the condition is if SIP- 10.10.10.10 and DIP is 14.14.14.14 then the next hop should be 30.1 and traffic pass via L3out-2 instead of L3out-1. How can we achieve this via ACI? Please explain.....

RedNectar · ‎09-27-2022

Hi @losharm ,

I assume that the route to 14.14.14.14 is already being advertised by R2 (or you have a static route)

So all you need to do is add a L3EPG to the L3Out with a subnet of 14.14.14.14/32, then add a contract between the EPG with the 10.10.10.10 endpoint and the L3EPG.

Also remember that L3Outs are configured on a Leaf switch - unlike EPGs which are configured as a model and pushed to leaves when required. Might seem like a small difference, but it is important when it comes to interpreting how routes are learned from outside.

Now, IF there are other endpoints in the same EPG as 10.10.10.10 that should NOT have access to 14.14.14.14, then you will have to move 10.10.10.10 to a NEW EPG liked to the same BD (where 10.10.10.1 lives). This will also mean changing the VLAN (or portgroup) that 10.10.10.10 currently uses. And if you want 10.10.10.10 to communicate freely with all the other endpoints in the OLD EPG, then create a contract between the OLD and the NEW EPGs

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Wolfberg · ‎09-28-2022

PBR service graphs use Policy Based Redirect (notice the use of Redirect instead of Routing) to redirect traffic toward a L4-L7 device. The traffic that needs to be redirected is defined within the contract in ACI. Redirection can be done on both L2, L3 and L4, which is why it is redirecting instead of routing.