Bypassing PBR nodes while still trying to connect to it?

tuanquangnguyen
Level 1

Hey folks, hope we're doing well.

I got a topology where traffic gets redirected to a pair of CheckPoint firewalls using PBR. Since there's only one logical interface for each node connecting to the ACI leafs, I also use them as the management interface (to access the GUI or deploy policies via the external CheckPoint Management, which resides within an Application EPG) - hence the Direct Connect option is configured as True.

The issue arises when I would need to bypass the firewalls altogether. Is it still possible to connect to the firewalls if I did one of the following things:

- To set the VRF to be unenforced, temporarily?

- Or to query and delete the SGT applied to each contract subject, manually?

SLA-based tracking is already configured, but I figure that it would only kick in when the PBR node's IP address is not trackable.

Thanks in advance.

8 Replies

tuanquangnguyen
Level 1
Hi,
Does anyone have an answer to this?

Sergiu.Daniluk
VIP Alumni

Hi @tuanquangnguyen 

Just to understand what you're trying to achieve: you want to bypass the PBR, but you still want to connect to it for mgmt, right?

From the perspective of the pcTags, this is what happens: 

1. When you apply the SG with Direct Connect enabled, you will have:

+ zoning rule between EPG A and EPG B with redirect action -> this is the redirect statement

+ zoning rule between EPG A/B and shadow EPG of SG -> this is to permit direct mgmt connect


2. When you change the VRF to unenforced:

+ zoning rule 0 to 0 permit -> no redirect, but connection from EPG A/B to shadow EPG is allowed


3. When you delete the SG template:

+ no zoning rule between EPG A to EPG B, because contract will be removed from EPG along with the SG (default behavior in 4.2) -> no traffic permitted (unless you manually configure contract back)

+ EPG A/B to shadow EPG will have no zoning rule (since the service graph is removed) so no communication allowed.


Hope it helps. If you have any questions let me know.


Stay safe,

Sergiu
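To make the three cases above checkable rather than a matter of memory, here is an added example (not from this thread or from Cisco) that classifies zoning rules pulled from the APIC REST API. It parses the `imdata -> actrlRule -> attributes` JSON shape of a class query and reports whether a redirect rule exists between the consumer and provider pcTags, whether the Direct Connect permit to the shadow EPG is present, and whether the VRF is unenforced (0 -> 0 permit). The pcTag and scope values, the sample response, and the exact attribute names and the `redir` action string of the actrlRule class are assumptions for the example.

```python
"""Classify ACI zoning rules for a PBR contract (added example, not from the thread)."""
import json

# Constructed pcTags and VRF scope (assumption): EPG A, EPG B, one-armed shadow EPG.
PCTAG_EPG_A = "16386"
PCTAG_EPG_B = "32770"
PCTAG_SHADOW = "49153"
VRF_SCOPE = "2392064"

# Constructed sample in the APIC class-query response shape, mirroring case 1 above:
# one redirect rule A -> B plus permit rules between EPG A and the shadow EPG.
# The rule in scope "9999" belongs to another VRF and must be ignored.
SAMPLE_RESPONSE = json.dumps({"imdata": [
    {"actrlRule": {"attributes": {"scopeId": VRF_SCOPE, "sPcTag": PCTAG_EPG_A,
                                  "dPcTag": PCTAG_EPG_B, "action": "redir"}}},
    {"actrlRule": {"attributes": {"scopeId": VRF_SCOPE, "sPcTag": PCTAG_EPG_A,
                                  "dPcTag": PCTAG_SHADOW, "action": "permit"}}},
    {"actrlRule": {"attributes": {"scopeId": VRF_SCOPE, "sPcTag": PCTAG_SHADOW,
                                  "dPcTag": PCTAG_EPG_A, "action": "permit"}}},
    {"actrlRule": {"attributes": {"scopeId": "9999", "sPcTag": "0",
                                  "dPcTag": "0", "action": "permit"}}},
]})


def load_rules(response_json, scope):
    """Return (src_pctag, dst_pctag, action) tuples for rules in one VRF scope."""
    rules = []
    for item in json.loads(response_json)["imdata"]:
        attrs = item.get("actrlRule", {}).get("attributes", {})
        if attrs.get("scopeId") == scope:
            rules.append((attrs["sPcTag"], attrs["dPcTag"], attrs["action"]))
    return rules


def pbr_state(rules, epg_a, epg_b, shadow):
    """Summarise what the rules allow between consumer, provider and shadow EPG.

    redirect   : a redir rule exists between epg_a and epg_b (traffic goes to the PBR node)
    unenforced : a 0 -> 0 permit exists, i.e. the VRF is unenforced (everything passes)
    mgmt_ok    : a permit exists between epg_a/epg_b and the shadow EPG in at least one
                 direction (Direct Connect path), or the VRF is unenforced
    """
    redirect = any(a == "redir" and {s, d} == {epg_a, epg_b} for s, d, a in rules)
    unenforced = any((s, d, a) == ("0", "0", "permit") for s, d, a in rules)
    direct = any(a == "permit" and shadow in (s, d)
                 and ({s, d} - {shadow}) & {epg_a, epg_b} for s, d, a in rules)
    return {"redirect": redirect, "unenforced": unenforced, "mgmt_ok": direct or unenforced}


if __name__ == "__main__":
    print(pbr_state(load_rules(SAMPLE_RESPONSE, VRF_SCOPE), PCTAG_EPG_A, PCTAG_EPG_B, PCTAG_SHADOW))
```

Feed it the JSON of a live class query for actrlRule (after verifying the attribute names against your APIC version) and compare the output before and after detaching the service graph: in the detached case both `redirect` and `mgmt_ok` should come back False while the VRF stays enforced.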

Hi @Sergiu.Daniluk,


Thanks for your reply. What I meant was that I would delete the L4-L7 Service Graph option from the Contract Subject, not the template itself.


From what I've asked around so far, the contract would still be in place. Traffic is just not redirected, but goes directly from Consumer to Provider and vice versa.


I also wonder if each node's interface in the same logical interface would still be able to communicate with each other in this case - considering they are within the same BD and shadow EPG?


> Thanks for your reply. What I meant was that I would delete the L4-L7 Service Graph option from the Contract Subject, not the template itself.
>
> From what I've asked around so far, the contract would still be in place. Traffic is just not redirected, but goes directly from Consumer to Provider and vice versa.

Then yes. In this case the contract will stay and no redirect will happen.


> I also wonder if each node's interface in the same logical interface would still be able to communicate with each other in this case - considering they are within the same BD and shadow EPG?


+ Even if EPG A/B and the shadow EPG are in the same BD, since you detach the SG from the contract, there will be no zoning rule between them. Thus no communication will be allowed, as long as the VRF is enforced.

Hi @Sergiu.Daniluk,


Regarding the second point, what I meant was not from Consumer or Provider EPG to the shadow EPG (the connectors), but within each connector themselves.


So for example, for active and standby PBR firewalls deployed in one-armed mode, can the interfaces (each is attached as vPC to the same pair of service leafs) still communicate with each other?


My guess is that, since the SG is completely detached, ACI would not deploy the shadow EPGs, so not even the PBR nodes' interfaces would be able to communicate?

Hi @tuanquangnguyen

Ah ok, now I get it. :-)

If you just detach the SG from the contract, that will not remove the shadow EPG(s). My intuition is saying that in a one-armed mode (one shadow EPG / one pcTag shared between the connectors) the communication will happen.

In case of two-armed nodes, where there will be different pcTags (different shadow EPGs) for each connector, then I believe communication will not happen. But it's just a guess and I do not really like to make assumptions or guess.

I can do a quick check in the lab and come back with the results. Will do it over the weekend.


Stay safe,

Sergiu

Hi @Sergiu.Daniluk,

Thank you for your assistance so far. I've just tried bypassing the PBR nodes by deleting the SG attachment on the subject (for all contracts). Apparently there would be no way to manage the PBR nodes via their interface towards the Service Leaf. So what we did was to simply implement an external interface on those nodes for management purposes.

My understanding is that since there is no SG attachment, APIC wouldn't deploy the shadow EPG (the connectors) down to the Leaf switches. This would result in no traffic from the PBR nodes being able to get through the Service Leaf (even L2 traffic between the nodes' interfaces towards the Service Leaf was not able to reach the other node).

Thanks again.

Hi @tuanquangnguyen 

Yep. It looks like this is the behavior. No SG needed, no shadow EPG configured. Which kinda makes sense in terms of how APIC is doing configuration (generally speaking) - if the object is not used, it will not be programmed.


Stay safe,

Sergiu
