cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
556
Views
0
Helpful
2
Replies
Highlighted
Beginner

Service Graph for Unidirectional PBR

HI All,

 

We're trying to replicate an existing design in our legacy network in ACI and are experiencing some issues.  In our legacy network, we used PBR on a pair of N7Ks to set the nexthop address of matching application traffic to a load-balancer. 

In trying to construct a similar configuration in a network-centric ACI fabric design with unmanaged F5 load-balancer, I've used a one-armed service graph with the F5 as a GoTo function node and with route redirect enabled, and in deploying the graph the backend server BD was selected for both the consumer and provider LIFs.  The route redirect policy destination is the F5 self-IP interface on the backend server BD and a filter (matching HTTP) is used to match application traffic to be PBR'ed to the F5.

 

The service graph works in the configuration for requests to the F5 service VIP, however direct requests to the backend servers from consumer EPGs do not work.  A traffic capture shows that the SYNs for direct connections to the backend servers (e.g. for monitoring) are PBR'ed to the F5s first where they are subsequently dropped.

 

Has anybody had any experience with a similar configuration or set of requirements for PBR? 

 

Cheers,

 

-Luke

2 REPLIES 2
Highlighted
Beginner

Hi,

 

What's the contract for the PBR? Do you have 2 subjects, one for redirection and one for direct traffic? We have a similar setup, not for F5 but for firewalls and it works fine.

 

Cheers,

Highlighted
Beginner

Hi, Luke,

did you resolve this direct access to servers? Can you advise what actions need to be taken in order to have the same access (http for example) over VIP and over direct IP access to servers, using unidirectional graph?

Regards,

Miljko