Cisco Application Centric Infrastructure (ACI) policy-based redirect (PBR) enables provisioning service appliances, such as firewalls or load balancers, as managed or unmanaged nodes without needing a Layer 4 to Layer 7 package. Typical use cases include provisioning service appliances that can be pooled, tailored to application profiles, scaled easily, and have reduced exposure to service outages. PBR simplifies the deployment of service appliances by allowing the consumer and provider endpoint groups to all be in the same virtual routing and forwarding (VRF) instance. PBR deployment consists of configuring a route redirect policy and a cluster redirect policy, and creating a service graph template that uses the route and cluster redirect policies. After the service graph template is deployed, use the service appliance by enabling endpoint groups to consume the service graph provider endpoint group. This can be further simplified and automated by using vzAny. While performance requirements may dictate provisioning dedicated service appliances, virtual service appliances can also be deployed easily using PBR.
The following figure illustrates the use case of redirecting specific traffic to the firewall:
Figure 1. Use Case: Redirecting Specific Traffic to the Firewall
In this use case, you must create two subjects. The first subject permits HTTP traffic, which then gets redirected to the firewall. After the traffic passes through the firewall, it goes to the Web endpoint. The second subject permits all traffic, which captures traffic that is not redirected by the first subject. This traffic goes directly to the Web endpoint.
The following figure illustrates a sample ACI PBR physical topology:
Figure 2. Sample ACI PBR Physical Topology
The following figure illustrates a sample ACI PBR logical topology:
Figure 3. Sample ACI PBR Logical Topology
While these examples illustrate simple deployments, ACI PBR enables scaling up mixtures of both physical and virtual service appliances for multiple services, such as firewalls and server load balancers.
Observe the following guidelines and limitations when planning PBR service nodes:
For a high availability active/standby deployment, configure the service node with the MAC address of the active node. When the active node goes down, the standby node takes over the MAC address of the active node, so the redirect destination remains valid.
The next-hop service node IP address and virtual MAC address must be provided.
The service node bridge domain must have the learning of the source VTEP on remote leaf switches disabled and GARP learning enabled.
Provision service appliances in a separate bridge domain.
The service appliance, source, and bridge domain can be in the same VRF.
For N9K-93128TX, N9K-9396PX, N9K-9396TX, N9K-9372PX, and N9K-9372TX switches, the service appliance must not be in the same leaf switch as either the source or destination endpoint group. For N9K-C93180YC-EX and N9K-93108TC-EX switches, the service appliance can be in the same leaf switch as either the source or destination endpoint group.
The service appliance can only be in a regular bridge domain.
The contract offered by the service appliance provider endpoint group can be configured to allow-all, but traffic should be routed by the ACI fabric.
Multicast and broadcast traffic redirection is not supported.
Redirection to transparent services is not supported.
If you change a redirect policy's destination to a different group, the Cisco APIC raises a fault due to the change and the policy's operational status becomes disabled. You must clear the fault to re-enable the policy.
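The guidelines above can be checked before a redirect policy is pushed. The following is an added example, not Cisco code or an APIC API: a small lint that encodes those guidelines against a planned deployment. The ServiceNode fields, the (name, bd, leaf) EPG tuples and the sample values are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Leaf models that cannot host the service node on the same leaf as the
# source or destination EPG (list taken from the guidelines above).
SEPARATE_LEAF_MODELS = {"N9K-93128TX", "N9K-9396PX", "N9K-9396TX",
                        "N9K-9372PX", "N9K-9372TX"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

@dataclass
class ServiceNode:          # planned PBR destination (assumed model)
    ip: str                 # next-hop IP of the active member
    mac: str                # virtual MAC the standby takes over on failover
    bd: str                 # bridge domain of the service node
    leaf: str
    leaf_model: str
    bd_regular: bool = True
    remote_vtep_learning: bool = False
    garp_learning: bool = True
    transparent: bool = False

def lint_pbr(node, epgs, redirect_dst_ips):
    """Return guideline violations; epgs = [(name, bd, leaf), ...]."""
    errors = []
    if not _is_ip(node.ip) or not MAC_RE.match(node.mac):
        errors.append("next-hop IP and virtual MAC must both be provided")
    if node.remote_vtep_learning or not node.garp_learning:
        errors.append("service BD needs remote VTEP learning off, GARP on")
    if not node.bd_regular:
        errors.append("service node must be in a regular bridge domain")
    if node.transparent:
        errors.append("redirect to transparent services is not supported")
    for name, bd, leaf in epgs:   # consumer and provider EPGs of the contract
        if bd == node.bd:
            errors.append(f"service node shares bridge domain with {name}")
        if leaf == node.leaf and node.leaf_model in SEPARATE_LEAF_MODELS:
            errors.append(f"{node.leaf_model}: node shares leaf with {name}")
    for dst in redirect_dst_ips:  # destinations the redirect subject matches
        a = ipaddress.ip_address(dst)
        if a.is_multicast or dst == "255.255.255.255":
            errors.append(f"multicast/broadcast redirect of {dst} unsupported")
    return errors
```

An empty list means the plan satisfies every rule the lint knows about; anything returned points at a guideline that would otherwise surface as a fault or as silently bypassed traffic after deployment.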
Supported PBR configurations in the same VRF instance include the following:
Figure 4. Supported PBR Configurations in the Same VRF Instance