1649 Views | 5 Helpful | 5 Replies

Packet broker connectivity to ACI

dsdurkin
Level 1

I'm trying to figure out if you can, and how you would, connect a passive packet broker to the fabric. I want to use this for an L4-L7 copy service to an IDS connected to the packet broker. The packet broker itself is not an endpoint; there is no IP address on it and no MAC for the interface that receives traffic (it would never transmit on this interface). It seems relatively straightforward to set up a copy service (in that I have read the guide 100 times and it seems like it's possible), but I cannot find anything on how you'd actually physically connect and configure the access policy for the packet broker physical port. I find some vague references to L4-L7 devices needing to be learned as endpoints, but I don't understand how that would be possible if the device isn't doing any data plane functions. In a traditional switching environment, it'd basically be a SPAN destination. And it needs to be an L4-L7 service because I want to be able to selectively copy from various contracts, and even potentially service chain with PBR L4-L7 (which I do have working).

 

I have read in the Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper that this would be conceptually possible, but it's lacking in detail on how you actually do it (or at least details I understand).  

 

Is anyone else finding the Cisco documentation somewhat lacking when it comes to configuring real use cases?  

 

I'm running 4.2.

5 Replies

6askorobogatov
Level 1

If it's a "bump on a wire" you can connect it as a Layer 1 service graph insertion with PBR. The device needs to be connected between 2 leafs or FEXes on 2 leafs. L1 service insertion works for an L1 device connected between 2 leafs. In the lab I initially tested it with a wire as the L1 device. Works as it should. This config is well documented; just remember that you will need an access port policy with LLDP/CDP/MCP off, or the fabric will shut the ports.

If you need to SPAN a port, that is also easy: the policy is under Tenant / Policies / Troubleshooting / SPAN.

 

Thanks for your response.  

 

It's not really a bump in the wire. Or at least what I'm understanding for a BITW is that the original packet flow goes through the L4-L7 device (but that device isn't doing any actual forwarding). This is out of the packet flow entirely, which is why it seems like I need a copy service and not PBR (simple diagram attached). I have found how to configure a copy service within the tenant, but there is nothing about the physical port or access policy required. Do I just create an access port policy group with basically everything disabled (and no AEP) and then add that physical port where the packet broker is connected to the leaf interface profile?

OK, according to the diagram, service insertion is out of the question; L1/L2 service insertion cannot be "one-arm", it has to be connected to two ("in" and "out") BDs.

So, SPAN. You can SPAN a port or an entire EPG. You need to define your source/destination under Fabric / Access Policies / Troubleshooting / SPAN. The destination port is a "normal" access port into which you plug the device that will receive the SPAN session.

amert
Level 1

I don't know whether it's the right or wrong way, but it worked for me; follow these steps:

- Create a separate EPG, BD and VRF (not necessary, but just in case).

- Add a silent-host static endpoint under the EPG and give it a random IP and MAC address; the IP must belong to the BD subnet.

- Use this IP as the SPAN destination in your SPAN sessions.

- Connect the broker's single port to a leaf; the leaf port must be a normal switchport (PC/vPC doesn't work).

- Add this port as a static endpoint under the EPG, VLAN access.

 

If you need more traffic and want to connect more broker ports, create one more EPG and repeat the above steps. Not necessary, but safe to prevent loops; maybe that is why this kind of device doesn't have a MAC address, but better not to trust it.
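The steps in this answer (and the tenant-level SPAN approach mentioned earlier in the thread) translate into a tenant-scoped ERSPAN destination whose target is a static silent-host endpoint on the broker's port. The following script is an added example, not code from this thread or from Cisco: it builds the APIC JSON for that configuration and enforces the two checks a practitioner would want before pushing it, namely that the chosen endpoint IP really lies inside the BD subnet (and is not the gateway address) and that the made-up MAC is a well-formed unicast address (a multicast MAC would be silently wrong). The managed-object class and attribute names (fvStCEp, fvRsPathAtt, spanDestGrp, spanRsDestEpg, spanSrcGrp, and so on) are the author's understanding of the APIC object model and should be verified against your APIC's API Inspector or Visore; the tenant, port, VLAN and address values are constructed sample values.

```python
"""Build APIC JSON for a tenant ERSPAN session whose destination is a
silent-host static endpoint on a packet-broker access port.

Added example, not from the thread or from Cisco. Class/attribute names are
assumptions to verify on your APIC; all values below are constructed samples.
"""
import ipaddress
import json
import re

# --- constructed sample values (assumptions) --------------------------------
TENANT = "IDS-SPAN"
VRF = "ids-vrf"
BD = "ids-bd"
BD_GATEWAY = "10.250.0.1/24"              # BD subnet, gateway form
AP = "ids-ap"
EPG = "broker-epg"
BROKER_IP = "10.250.0.10"                 # silent-host IP inside the BD subnet
BROKER_MAC = "02:00:5e:00:00:10"          # locally administered, unicast
LEAF_PATH = "topology/pod-1/paths-101/pathep-[eth1/48]"  # single access port, no PC/vPC
ENCAP = "vlan-3999"
MONITORED_EPG_DN = "uni/tn-Prod/ap-Web/epg-Frontend"     # EPG to mirror (sample)

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def is_unicast_mac(mac: str) -> bool:
    """Well-formed and unicast: the I/G bit (bit 0 of the first octet) is clear."""
    if not _MAC_RE.match(mac):
        return False
    return (int(mac.split(":")[0], 16) & 0x01) == 0


def ip_in_bd_subnet(ip: str, gateway_cidr: str) -> bool:
    """The static endpoint IP must belong to the BD subnet and not reuse the gateway."""
    gw = ipaddress.ip_interface(gateway_cidr)
    addr = ipaddress.ip_address(ip)
    return addr in gw.network and addr != gw.ip


def mo(cls: str, attrs: dict, children=None) -> dict:
    """Wrap attributes in the APIC {class: {attributes, children}} envelope."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def build_tenant_payload() -> dict:
    """Tenant, VRF, BD, EPG bound to the broker port, the silent-host endpoint,
    and an ERSPAN destination/source pair that targets that endpoint."""
    if not is_unicast_mac(BROKER_MAC):
        raise ValueError("broker MAC must be a well-formed unicast address")
    if not ip_in_bd_subnet(BROKER_IP, BD_GATEWAY):
        raise ValueError("broker IP must be inside the BD subnet")

    epg = mo("fvAEPg", {"name": EPG}, [
        mo("fvRsBd", {"tnFvBDName": BD}),
        # static binding of the single leaf access port
        mo("fvRsPathAtt", {"tDn": LEAF_PATH, "encap": ENCAP, "mode": "untagged"}),
        # silent host: the fabric will never learn this MAC/IP from traffic
        mo("fvStCEp", {"name": "packet-broker", "mac": BROKER_MAC, "ip": BROKER_IP,
                       "encap": ENCAP, "type": "silent-host"},
           [mo("fvRsStCEpToPathEp", {"tDn": LEAF_PATH})]),
    ])
    epg_dn = f"uni/tn-{TENANT}/ap-{AP}/epg-{EPG}"
    src_prefix = str(ipaddress.ip_interface(BD_GATEWAY).network)

    dest_grp = mo("spanDestGrp", {"name": "to-broker"}, [
        mo("spanDest", {"name": "broker"}, [
            mo("spanRsDestEpg", {"tDn": epg_dn, "ip": BROKER_IP,
                                 "srcIpPrefix": src_prefix, "ver": "ver2", "mtu": "1518"}),
        ]),
    ])
    src_grp = mo("spanSrcGrp", {"name": "from-frontend", "adminSt": "enabled"}, [
        mo("spanSrc", {"name": "frontend", "dir": "both"},
           [mo("spanRsSrcToEpg", {"tDn": MONITORED_EPG_DN})]),
        mo("spanSpanLbl", {"name": "to-broker"}),   # ties the source group to the dest group
    ])

    return mo("fvTenant", {"name": TENANT}, [
        mo("fvCtx", {"name": VRF}),
        mo("fvBD", {"name": BD}, [
            mo("fvRsCtx", {"tnFvCtxName": VRF}),
            mo("fvSubnet", {"ip": BD_GATEWAY}),
        ]),
        mo("fvAp", {"name": AP}, [epg]),
        dest_grp,
        src_grp,
    ])


if __name__ == "__main__":
    # Review, then POST to https://<apic>/api/mo/uni.json with a logged-in session.
    print(json.dumps(build_tenant_payload(), indent=2))
```

The payload is printed rather than pushed so it can be inspected first; the two validation helpers fail fast on the mistakes the answer warns about (an IP outside the BD subnet) or that the fabric would not flag for you (a multicast MAC on a destination that never sources frames).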

Thanks for this. Can you please help with which switch models can be used? What software do we need? Is there licensing involved?
