Prior to Cisco APIC Release 4.1(2), when Threshold Enable was selected while creating a Layer 4 to Layer 7 policy-based redirect policy, only two Threshold Down Action options were available: deny action or permit action.
With these two options, in a multi-node policy-based redirect graph, when one node crosses the low threshold, one of the following occurs, depending on which option you selected:
- deny action: Traffic is dropped at this node.
- permit action: Traffic is sent directly to the destination, and the rest of the service chain is skipped, including nodes that are still healthy.
Beginning with Cisco APIC Release 4.1(2), a new bypass action option is available. With this option, in a multi-node policy-based redirect graph, when one node crosses the low threshold, traffic skips only that node and still proceeds through the rest of the service chain, that is, through the remaining nodes that are either up or that cannot be bypassed.
The following sections describe how traffic is handled for each of these three options using this example two-node policy-based
redirect graph.
In the tables, 100 is the Client EPG (consumer) and 300 is the Web EPG (provider). The node interfaces have their own EPGs: as the entries show, 201 is the provider-side (internal) interface of n1 and 101 its consumer-side (external) interface, while 302 and 202 are the internal and external interfaces of n2. A flow is therefore steered hop by hop: each entry is keyed by the EPG a packet arrives from and the EPG it is addressed to.
When both nodes are up, this two-node policy-based redirect behaves in the following manner:

Source EPG   Destination EPG   Action
100          300               PBR to n1-external
201          300               PBR to n2-external
302          300               Permit
300          100               PBR to n2-internal
202          100               PBR to n1-internal
101          100               Permit
The following sections describe how the two-node policy-based redirect behaves when the first node goes down, based on the
option that you select in the Threshold Down Action field.
deny action
Using the example configuration described above, if you select deny action in the Threshold Down Action field and the first node goes down, the PBR policies that use the first node (100 to 300, redirected to n1-external, and 202 to 100, redirected to n1-internal) are updated to Drop, and communication between the Client EPG and the Web EPG is dropped in both directions, as shown in the following table. The entries that redirect to the second node are unchanged.
Source EPG   Destination EPG   Action
100          300               Drop
201          300               PBR to n2-external
302          300               Permit
300          100               PBR to n2-internal
202          100               Drop
101          100               Permit
permit action
Using the example configuration described above, if you select permit action in the Threshold Down Action field and the first node goes down, the PBR policies that use the first node are updated to Permit. Traffic from the Client EPG to the Web EPG (from 100 to 300) proceeds directly to the destination without passing through any service node, including the healthy second node. Return traffic from the Web EPG to the Client EPG (from 300 to 100) is still redirected to n2-internal, as shown in the following table. The flow is therefore asymmetric: the second node sees only the return packets of connections whose forward packets never passed through it, and a stateful device such as a firewall might drop them.
Source EPG   Destination EPG   Action
100          300               Permit
201          300               PBR to n2-external
302          300               Permit
300          100               PBR to n2-internal
202          100               Permit
101          100               Permit
bypass action
Beginning with Cisco APIC Release 4.1(2), if you select the new bypass action option in the Threshold Down Action field and the first node goes down, the PBR policies that use the first node are updated to "PBR to next device", that is, to the next node of the chain in the same direction. In this case, the following occurs:
- Traffic from the Client EPG to the Web EPG (from 100 to 300) is redirected to n2-external instead of n1-external.
- Return traffic from the Web EPG to the Client EPG (from 300 to 100) is still redirected to n2-internal.
- Return traffic from n2-external to the Client EPG (from 202 to 100) is set to Permit, because there is no further device in the return direction to redirect it to.
Both directions now pass through the second node only, so the flow stays symmetric.
Source EPG   Destination EPG   Action
100          300               PBR to n2-external
201          300               PBR to n2-external
302          300               Permit
300          100               PBR to n2-internal
202          100               Permit
101          100               Permit
Guidelines and Limitations
Following are the guidelines and limitations for the bypass action option:
- The bypass action option is supported only on new generation ToR switches, which are switch models with "EX", "FX" or "FX2" at the end of the switch name.
- The bypass action option is not needed on a one-node service graph, because there is no next device to redirect to. If bypass is configured in such a case, forwarding behavior is the same as permit action.
- L3Out EPGs and regular EPGs can be consumer or provider EPGs.
- A service node that has NAT enabled cannot be bypassed, because skipping a node that translates addresses breaks the traffic flow.
- The bypass action option is not supported in the following case:
  - Do not use the same PBR policy in more than one service graph if bypass action is enabled. Cisco APIC rejects a configuration in which a PBR policy with bypass action is used in multiple service graphs. To avoid this, configure separate PBR policies that use the same PBR destination IP address, MAC address and Health Group.
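The rewrite rules described in the deny action, permit action and bypass action sections above, together with the one-node and NAT guidelines, can be checked with a small model. The following Python is an added example written for this page, not Cisco APIC code and not the ACI object model: it rebuilds the PBR entries of a chain from the chain order and each node's health, walks a flow through the resulting table, and reports whether the forward and return paths cross the same nodes. The EPG numbers and node names are taken from the page's two-node example; the walk over the chain (skip a bypassed node, try the next one, permit when none is left) is an assumption chosen to reproduce the three tables, and it generalizes to chains of any length and to several nodes being down at once.

```python
"""Model of how the PBR entries of a multi-node service graph are rewritten
when a node crosses its low health threshold.

Constructed illustration for this page, not Cisco APIC code.  EPG numbers
and node names follow the two-node example above (Client EPG 100, Web EPG
300, nodes n1 and n2).  The chain walk in _hop() is an assumption that
reproduces the page's tables, not a description of the switch hardware.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Action = str                            # "PBR to <node>-<side>", "Permit" or "Drop"
Table = Dict[Tuple[int, int], Action]   # keyed by (source EPG, destination EPG)


@dataclass
class Node:
    name: str
    external_epg: int             # EPG of the consumer-facing interface
    internal_epg: int             # EPG of the provider-facing interface
    down_action: str = "deny"     # Threshold Down Action: deny, permit or bypass
    up: bool = True
    nat: bool = False

    def __post_init__(self) -> None:
        if self.down_action not in ("deny", "permit", "bypass"):
            raise ValueError(f"unknown Threshold Down Action {self.down_action!r}")
        # Page guideline: a NAT node cannot be bypassed, so reject it up front.
        if self.nat and self.down_action == "bypass":
            raise ValueError(f"{self.name}: bypass is not allowed on a NAT node")


def _hop(remaining: List[Node], side: str) -> Action:
    """Action for one hop whose next intended device is remaining[0].

    `side` is the interface we redirect to: "external" when walking toward
    the provider, "internal" when walking back toward the consumer.
    """
    for node in remaining:
        if node.up:
            return f"PBR to {node.name}-{side}"
        if node.down_action == "deny":
            return "Drop"
        if node.down_action == "permit":
            return "Permit"
        # bypass: skip this device and try the next one in the chain
    return "Permit"               # nothing left to redirect to (or a one-node graph)


def build_table(consumer: int, provider: int, chain: List[Node]) -> Table:
    """PBR entries for both directions of a chain ordered consumer -> provider."""
    table: Table = {}
    # Forward: consumer, then each node's internal interface, toward the provider.
    sources = [consumer] + [n.internal_epg for n in chain]
    for i, src in enumerate(sources):
        table[(src, provider)] = _hop(chain[i:], "external")
    # Return: provider, then each node's external interface, toward the consumer.
    back = list(reversed(chain))
    sources = [provider] + [n.external_epg for n in back]
    for i, src in enumerate(sources):
        table[(src, consumer)] = _hop(back[i:], "internal")
    return table


def path_nodes(table: Table, chain: List[Node], src: int, dst: int) -> Optional[List[str]]:
    """Nodes a flow from src to dst actually traverses; None if it is dropped."""
    by_name = {n.name: n for n in chain}
    visited: List[str] = []
    cur = src
    while True:
        action = table[(cur, dst)]
        if action == "Drop":
            return None
        if action == "Permit":
            return visited
        name, side = action[len("PBR to "):].rsplit("-", 1)
        node = by_name[name]
        visited.append(name)
        # The packet enters one interface of the node and leaves from the other.
        cur = node.internal_epg if side == "external" else node.external_epg


def is_symmetric(table: Table, chain: List[Node], consumer: int, provider: int) -> bool:
    """True when the return flow crosses exactly the nodes the forward flow did."""
    fwd = path_nodes(table, chain, consumer, provider)
    ret = path_nodes(table, chain, provider, consumer)
    return fwd is not None and ret is not None and fwd == list(reversed(ret))


def two_node_example(first_down_action: str, first_up: bool = True) -> Table:
    """The page's n1/n2 chain: n1 uses first_down_action and may be down."""
    n1 = Node("n1", external_epg=101, internal_epg=201,
              down_action=first_down_action, up=first_up)
    n2 = Node("n2", external_epg=202, internal_epg=302)
    return build_table(100, 300, [n1, n2])


if __name__ == "__main__":
    for act in ("deny", "permit", "bypass"):
        table = two_node_example(act, first_up=False)
        print(f"--- first node down, Threshold Down Action = {act}")
        for (s, d), a in table.items():
            print(f"{s:>4} -> {d:<4} {a}")
```

Running the script prints the three "first node down" tables. Calling is_symmetric on the permit table returns False (forward path crosses no node, return path crosses n2), which is the asymmetric-flow caveat in the permit action section; on the bypass table it returns True, and on the deny table False because the forward flow is dropped.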