10-10-2018 07:17 PM - edited 03-01-2019 05:40 AM
Hi All,
We're trying to replicate an existing design in our legacy network in ACI and are experiencing some issues. In our legacy network, we used PBR on a pair of N7Ks to set the nexthop address of matching application traffic to a load-balancer.
In trying to construct a similar configuration in a network-centric ACI fabric design with unmanaged F5 load-balancer, I've used a one-armed service graph with the F5 as a GoTo function node and with route redirect enabled, and in deploying the graph the backend server BD was selected for both the consumer and provider LIFs. The route redirect policy destination is the F5 self-IP interface on the backend server BD and a filter (matching HTTP) is used to match application traffic to be PBR'ed to the F5.
The service graph works in the configuration for requests to the F5 service VIP, however direct requests to the backend servers from consumer EPGs do not work. A traffic capture shows that the SYNs for direct connections to the backend servers (e.g. for monitoring) are PBR'ed to the F5s first where they are subsequently dropped.
Has anybody had any experience with a similar configuration or set of requirements for PBR?
Cheers,
-Luke
10-11-2018 02:41 AM
Hi,
What's the contract for the PBR? Do you have 2 subjects, one for redirection and one for direct traffic? We have a similar setup, not for F5 but for firewalls and it works fine.
Cheers,
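The reply above hinges on what the contract's subjects look like: whether the HTTP filter sits only on a subject with the service graph (so every matching flow between the EPGs is redirected) or whether a second, non-redirected subject exists. The following script is an added example, not code from the thread or from Cisco, that audits that from APIC's JSON. It assumes the subjects were fetched with a query of the form `GET /api/mo/uni/tn-<tenant>/brc-<contract>.json?query-target=subtree&target-subtree-class=vzSubj&rsp-subtree=children` and that the relation classes are `vzRsSubjFiltAtt` (filter, `tnVzFilterName`) and `vzRsSubjGraphAtt` (graph, `tnVzGraphContName`); the tenant, contract, subject, filter and graph names in the embedded response are constructed for illustration.

```python
"""Audit which subjects of an ACI contract attach a service graph (PBR
redirect) and which carry plain, non-redirected filters.

Added example, not from the thread. SAMPLE_APIC_RESPONSE is hand-constructed
in the shape APIC returns for a vzSubj subtree query with rsp-subtree=children;
all tenant, contract, subject, filter and graph names are hypothetical.
"""
import json

# Constructed sample: one subject redirects HTTP to a graph, one carries ICMP
# with no graph attached.
SAMPLE_APIC_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"vzSubj": {
            "attributes": {"dn": "uni/tn-PROD/brc-WEB-TO-APP/subj-http-redirect",
                           "name": "http-redirect"},
            "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "http"}}},
                {"vzRsSubjGraphAtt": {"attributes": {"tnVzGraphContName": "F5-ONEARM-PBR"}}},
            ]}},
        {"vzSubj": {
            "attributes": {"dn": "uni/tn-PROD/brc-WEB-TO-APP/subj-icmp-direct",
                           "name": "icmp-direct"},
            "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "icmp"}}},
            ]}},
    ],
})


def parse_subjects(apic_json: str):
    """Return one {name, filters, graph} dict per vzSubj in an APIC response."""
    subjects = []
    for mo in json.loads(apic_json).get("imdata", []):
        subj = mo.get("vzSubj")
        if subj is None:
            continue
        entry = {"name": subj["attributes"]["name"], "filters": [], "graph": None}
        for child in subj.get("children", []):
            if "vzRsSubjFiltAtt" in child:
                entry["filters"].append(
                    child["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"])
            elif "vzRsSubjGraphAtt" in child:
                entry["graph"] = child["vzRsSubjGraphAtt"]["attributes"]["tnVzGraphContName"]
        subjects.append(entry)
    return subjects


def audit_redirect_coverage(subjects, filter_name: str) -> str:
    """Classify how traffic matching `filter_name` is handled across subjects.

    'redirect-only' : every subject carrying the filter attaches a graph, so
                      all matching consumer->provider traffic is redirected
                      (the situation described in the original post)
    'direct-only'   : no subject carrying the filter attaches a graph
    'overlapping'   : the filter appears both with and without a graph; review
                      the resulting zoning rules on the leaf
    'absent'        : no subject carries the filter at all
    """
    with_graph = [s for s in subjects if filter_name in s["filters"] and s["graph"]]
    without_graph = [s for s in subjects if filter_name in s["filters"] and not s["graph"]]
    if with_graph and without_graph:
        return "overlapping"
    if with_graph:
        return "redirect-only"
    if without_graph:
        return "direct-only"
    return "absent"


def report(apic_json: str, filter_name: str) -> str:
    """Human-readable summary of subjects and the coverage verdict."""
    subjects = parse_subjects(apic_json)
    lines = [f"{s['name']}: filters={s['filters']} graph={s['graph']}" for s in subjects]
    lines.append(f"{filter_name}: {audit_redirect_coverage(subjects, filter_name)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_APIC_RESPONSE, "http"))
```

Run against the constructed response it reports `http: redirect-only`, which is exactly the case where a direct HTTP request to a backend server from the consumer EPG is also sent to the F5. Point `parse_subjects` at the real query output (for example the JSON saved from the APIC API inspector) to check a live contract.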
09-16-2020 02:56 AM
Hi Luke,
Did you resolve this direct access to servers? Can you advise what actions need to be taken in order to have the same access (HTTP, for example) over the VIP and over direct IP access to the servers, using a unidirectional graph?
Regards,
Miljko