I am migrating existing services from a legacy network to ACI fabric. There is an F5 load balancer that I need to migrate to the fabric. The existing F5 is one-armed and I should redirect only server-to-client traffic on it. (topology in the attachment).
I have read the PBR Service Graph Design.
Here I found the configuration example for unidirectional PBR, but, unfortunately, only for a two-armed service node.
The question is whether it's possible to configure a unidirectional PBR with a one-armed service node?
Is it possible to complete the task by creating a two-arm service graph template and then choosing the same cluster interface for the consumer and provider connectors during the template deployment? (like in the attached screenshot)
Yes, it is possible to have one-arm unidirectional PBR in ACI. The configuration implies that you will apply the PBR policy only on one of the connectors - virtual interfaces configured for the PBR node:
Tenant -> Services -> L4L7 -> Device Selection Policy -> DEVICE -> Consumer (or provider depending on the direction) -> L4-L7 PBR policy:
Thank you for the quick response!
I would like to clarify the configuration of the service graph for my case.
If I choose the one-arm option during the template creation (screen1 in the attachment), I have only one connector at the service graph deployment step (screen2 in the attachment). So it is impossible to apply the PBR policy only on one of the connectors.
In order for such an option to appear, I have to choose the two-arm option during the template creation (screen3). After that, it is possible to set up the PBR policy only for one of the connectors. What confuses me is that I have to specify the same cluster interface on both connectors (screen4).
Could you please confirm that this config is correct?