Packet broker connectivity to ACI

I'm trying to figure out if you can, and how you would, connect a passive packet broker to the fabric. I want to use this for an L4-L7 copy service to an IDS connected to the packet broker. The packet broker itself is not an endpoint; there is no IP address on it and no MAC for the interface that receives traffic (it would never transmit on this interface). It seems relatively straightforward (in that I have read the guide 100 times and it seems like it's possible) to set up a copy service, but I cannot find anything on how you'd actually physically connect and configure the access policy for the packet broker physical port. I find some vague references to L4-L7 devices needing to be learned as endpoints, but I don't understand how that would be possible if the device isn't doing any data plane functions. In a traditional switching environment, it'd basically be a SPAN destination. And it needs to be an L4-L7 service because I want to be able to selectively copy from various contracts, and even potentially service chain with PBR L4-L7 (which I do have working).


I have read in the Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper that this would be conceptually possible, but it's lacking in detail on how you actually do it (or at least details I understand).


Is anyone else finding the Cisco documentation somewhat lacking when it comes to configuring real use cases?


I'm running 4.2.


Re: Packet broker connectivity to ACI

If it's a "bump on a wire" you can connect it as a Layer 1 service graph insertion with PBR. The device needs to be connected between 2 leafs, or FEXes on 2 leafs. L1 service insertion works for an L1 device connected between 2 leafs. In the lab I initially tested it with a wire as the L1 device, and it works as it should. This config is well documented; just remember that you will need an access port policy with LLDP/CDP/MCP off, or the fabric will shut the ports.

If you need to SPAN a port, that is also easy: the policy is under TENANT / policies / troubleshooting / SPAN.
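The reply above says the packet-broker port needs an access port policy with LLDP, CDP and MCP off. Below is an added example, not code from the thread or from Cisco, that checks an APIC infra configuration export for exactly that: it resolves the LLDP/CDP/MCP policies bound to a given leaf access port policy group and reports any that are not disabled. The APIC class and attribute names it uses (infraAccPortGrp, infraRsLldpIfPol/tnLldpIfPolName, lldpIfPol adminRxSt/adminTxSt, cdpIfPol adminSt, mcpIfPol adminSt) are my recollection of the APIC object model and should be treated as assumptions to verify against your own APIC; the XML is a constructed sample, not an export from a real fabric.

```python
"""Check that an ACI leaf access port policy group intended for a passive
packet-broker / SPAN-destination port has LLDP, CDP and MCP disabled.

Added example, not from the thread. Class/attribute names are assumed
from the APIC object model; the XML below is a constructed sample."""
import xml.etree.ElementTree as ET

SAMPLE_INFRA_XML = """
<infraInfra>
  <lldpIfPol name="LLDP-off" adminRxSt="disabled" adminTxSt="disabled"/>
  <lldpIfPol name="LLDP-on"  adminRxSt="enabled"  adminTxSt="enabled"/>
  <cdpIfPol  name="CDP-off"  adminSt="disabled"/>
  <mcpIfPol  name="MCP-off"  adminSt="disabled"/>
  <mcpIfPol  name="MCP-on"   adminSt="enabled"/>
  <infraFuncP>
    <infraAccPortGrp name="PKTBROKER-TAP">
      <infraRsLldpIfPol tnLldpIfPolName="LLDP-off"/>
      <infraRsCdpIfPol  tnCdpIfPolName="CDP-off"/>
      <infraRsMcpIfPol  tnMcpIfPolName="MCP-off"/>
    </infraAccPortGrp>
    <infraAccPortGrp name="SERVER-STD">
      <infraRsLldpIfPol tnLldpIfPolName="LLDP-on"/>
      <infraRsCdpIfPol  tnCdpIfPolName="CDP-off"/>
      <infraRsMcpIfPol  tnMcpIfPolName="MCP-on"/>
    </infraAccPortGrp>
  </infraFuncP>
</infraInfra>
"""

# (relation child tag, relation attribute naming the policy,
#  policy class, attributes on that policy that must read "disabled")
CHECKS = [
    ("infraRsLldpIfPol", "tnLldpIfPolName", "lldpIfPol", ("adminRxSt", "adminTxSt")),
    ("infraRsCdpIfPol",  "tnCdpIfPolName",  "cdpIfPol",  ("adminSt",)),
    ("infraRsMcpIfPol",  "tnMcpIfPolName",  "mcpIfPol",  ("adminSt",)),
]


def _find_by_name(root, cls, name):
    """Return the first element of class `cls` whose name attribute is `name`."""
    for elem in root.iter(cls):
        if elem.get("name") == name:
            return elem
    return None


def tap_port_group_problems(infra_xml, group_name):
    """Return a list of human-readable problems for the named access port
    policy group; an empty list means LLDP, CDP and MCP are all disabled."""
    root = ET.fromstring(infra_xml)
    group = _find_by_name(root, "infraAccPortGrp", group_name)
    if group is None:
        return [f"policy group {group_name!r} not found"]

    problems = []
    for rel_tag, rel_attr, cls, attrs in CHECKS:
        rel = group.find(rel_tag)
        pol_name = rel.get(rel_attr) if rel is not None else None
        if not pol_name:
            # No explicit binding means APIC falls back to the "default"
            # policy, whose state we cannot see here, so flag it for review.
            problems.append(f"{cls}: no policy bound (default policy would apply)")
            continue
        pol = _find_by_name(root, cls, pol_name)
        if pol is None:
            problems.append(f"{cls}: referenced policy {pol_name!r} does not exist")
            continue
        for attr in attrs:
            if pol.get(attr) != "disabled":
                problems.append(
                    f"{cls} {pol_name!r}: {attr}={pol.get(attr)!r}, expected 'disabled'"
                )
    return problems


if __name__ == "__main__":
    for name in ("PKTBROKER-TAP", "SERVER-STD"):
        probs = tap_port_group_problems(SAMPLE_INFRA_XML, name)
        print(name, "OK" if not probs else probs)
```

To run it against a real fabric, replace SAMPLE_INFRA_XML with the XML returned for the infra subtree (for example from an APIC configuration export) and pass the name of the policy group you attached to the packet-broker port; any non-empty result is a port the fabric may err-disable once the tap is cabled.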



Re: Packet broker connectivity to ACI

Thanks for your response.


It's not really a bump in the wire, or at least not what I understand a BITW to be, which is that the original packet flow goes through the L4-L7 device (but that device isn't doing any actual forwarding). This is out of the packet flow entirely, which is why it seems like I need a copy service and not PBR (simple diagram attached). I have found how to configure a copy service within the tenant, but there is nothing about the physical port or access policy required. Do I just create an access port policy group with basically everything disabled (and no AEP) and then add the physical port where the packet broker is connected to the leaf interface profile?


Re: Packet broker connectivity to ACI

OK, according to the diagram, service insertion is out of the question; L1/L2 service insertion cannot be "one-arm", it has to be connected to two ("in" and "out") BDs.

So, SPAN. You can SPAN a port or an entire EPG. You need to define your source / destination under Fabric / Access Policies / Troubleshooting / SPAN. The destination port has a "normal" access port to which you plug the device that will receive the SPAN session.
