I'm trying to figure out if you can and how you would connect a passive packet broker to the fabric. I want to use this for an L4-L7 copy service to an IDS connected to the packet broker. The packet broker itself is not an endpoint; there is no IP address on it and no MAC for the interface that receives traffic (it would never transmit on this interface). It seems relatively straightforward (in that I have read the guide 100 times and it seems like it's possible) to set up a copy service, but I cannot find anything on how you'd actually physically connect and configure the access policy for the packet broker physical port. I find some vague references to L4-L7 devices needing to be learned as endpoints, but I don't understand how that would be possible if the device isn't doing any data plane functions. In a traditional switching environment, it'd basically be a SPAN destination. And it needs to be an L4-L7 service because I want to be able to selectively copy from various contracts, and even potentially service chain with PBR L4-L7 (which I do have working).
I have read in the Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper that this would be conceptually possible, but it's lacking in detail on how you actually do it (or at least details I understand).
Is anyone else finding the Cisco documentation somewhat lacking when it comes to configuring real use cases?
I'm running 4.2.
If it's a "bump on a wire" you can connect it as a layer 1 service graph insertion with PBR. The device needs to be connected between 2 leafs or FEXes on 2 leafs. L1 service insertion works for an L1 device connected between 2 leafs. In the lab I initially tested it with the wire as the L1 device. Works as it should. This config is well documented, just remember that you will need an access port policy with LLDP/CDP/MCP off, or the fabric will shut the ports.
If you need to SPAN a port, it is also easy: the policy is under TENANT / Policies / Troubleshooting / SPAN.
Thanks for your response.
It's not really a bump in the wire. Or at least what I'm understanding for a BITW is that the original packet flow goes through the L4-L7 device (but that device isn't doing any actual forwarding). This is out of the packet flow entirely, which is why it seems like I need a copy service and not PBR (simple diagram attached). I have found how to configure a copy service within the tenant, but there is nothing about the physical port or access policy required. Do I just create an access port policy group with basically everything disabled (and no AEP) and then add the physical port where the packet broker is connected to the leaf interface profile?
OK, according to the diagram, service insertion is out of the question. L1/L2 service insertion cannot be "one-arm"; it has to be connected to two ("in" and "out") BDs.
So, SPAN. You can SPAN a port or an entire EPG. You need to define your source / destination under Fabric / Access Policies / Troubleshooting / SPAN. The destination port is a "normal" access port into which you plug the device that will receive the SPAN session.
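As an added example (mine, not from any poster in this thread), a script that builds the APIC REST payload for the access SPAN session described in the last reply: one or more leaf ports as sources and the packet-broker port as the destination, with a sanity check that the broker port is never also a source. The class names and attributes are my reading of the APIC object model and the port paths are constructed placeholders; verify the generated objects with the API Inspector on your own APIC before posting them.

```python
import json
import re

# Matches an APIC leaf interface path such as topology/pod-1/paths-101/pathep-[eth1/10]
PATH_EP_RE = re.compile(r"^topology/pod-\d+/paths-\d+/pathep-\[eth\d+/\d+(/\d+)?\]$")
VALID_DIRS = {"in", "out", "both"}


def build_access_span(name, src_paths, dest_path, direction="both"):
    """Return the JSON body for an access (infra) SPAN session.

    Assumed object model (check against your APIC's API Inspector):
    spanSrcGrp -> spanSrc -> spanRsSrcToPathEp, spanSrcGrp -> spanSpanLbl,
    spanDestGrp -> spanDest -> spanRsDestPathEp, all children of infraInfra.
    The spanSpanLbl name must equal the destination group name.
    """
    if direction not in VALID_DIRS:
        raise ValueError(f"direction must be one of {sorted(VALID_DIRS)}")
    for p in list(src_paths) + [dest_path]:
        if not PATH_EP_RE.match(p):
            raise ValueError(f"not a leaf interface path: {p}")
    if dest_path in src_paths:
        raise ValueError("the SPAN destination port cannot also be a source")

    sources = [
        {"spanSrc": {"attributes": {"name": f"{name}-src{i}", "dir": direction},
                     "children": [{"spanRsSrcToPathEp": {"attributes": {"tDn": p}}}]}}
        for i, p in enumerate(src_paths, 1)
    ]
    src_grp = {"spanSrcGrp": {"attributes": {"name": name, "adminSt": "enabled"},
               "children": sources + [{"spanSpanLbl": {"attributes": {"name": f"{name}-dst"}}}]}}
    dest_grp = {"spanDestGrp": {"attributes": {"name": f"{name}-dst"}, "children": [
        {"spanDest": {"attributes": {"name": f"{name}-dst"},
                      "children": [{"spanRsDestPathEp": {"attributes": {"tDn": dest_path}}}]}}]}}
    return {"infraInfra": {"attributes": {}, "children": [src_grp, dest_grp]}}


if __name__ == "__main__":
    # Constructed sample: mirror two server-facing ports on leaf 101 to the
    # packet-broker port eth1/48 on leaf 102 (all values are placeholders).
    body = build_access_span(
        "ids-tap",
        ["topology/pod-1/paths-101/pathep-[eth1/10]", "topology/pod-1/paths-101/pathep-[eth1/11]"],
        "topology/pod-1/paths-102/pathep-[eth1/48]",
    )
    # POST this body to https://<apic>/api/mo/uni/infra.json after an aaaLogin.
    print(json.dumps(body, indent=2))
```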