PBR in Service Graph

Cisco ACI supports a policy-based routing (PBR) functionality, which can be used with a service graph to redirect traffic between security zones to inserted Layer 4 to Layer 7 devices, such as a firewall, load balancer, or Cisco Intrusion Prevention System (IPS), without the need for this device to be the default gateway for endpoints.

You can use PBR to selectively send traffic to Layer 4 to Layer 7 devices based, for instance, on the protocol and a specific Layer 4 port; you can also insert a firewall in transparent mode in a Layer 2 domain with almost no modification to the existing routing and switching configuration, and so on.

The following figure shows two options for inserting a routed firewall that protects traffic flows between the external Layer 3 network domain and the web EPG.

  • Service Graph without PBR
  • Service Graph with PBR

The routing-based design requires multiple VRFs and Layer 3 outside (L3Out) connections, which are established between the fabric and the internal and external firewall interfaces. It represents a classic VRF sandwich configuration, in which all traffic goes through the routed firewall.

The use of PBR significantly simplifies the configuration, because the VRF sandwich described above is no longer required. Hence, you can use a single VRF, and traffic is instead redirected to the service node based on the configured policy.
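The piece of configuration that replaces the VRF sandwich is the PBR redirect policy, which names the firewall interface the fabric steers matching traffic to. The following APIC REST (XML) payload is an added example, not configuration from the original page; the tenant name, policy name, and the firewall interface IP and MAC are assumed placeholder values.

```xml
<!-- Added example: creates a PBR redirect policy under a tenant.
     Posted to the APIC at /api/mo/uni.xml.
     Assumed values: tenant "Tenant-PBR", policy "FW-redirect",
     and the firewall inside-interface IP/MAC below are constructed. -->
<fvTenant name="Tenant-PBR">
  <!-- svcCont is the tenant's L4-L7 service container -->
  <vnsSvcCont>
    <vnsSvcRedirectPol name="FW-redirect"
        descr="Redirect contract traffic to the routed firewall in a single VRF">
      <!-- One redirect destination: the firewall interface in the same VRF as
           the consumer and provider EPGs. The fabric rewrites the destination
           MAC of matching packets to this MAC, so the firewall receives the
           flow without being the endpoints' default gateway. -->
      <vnsRedirectDest ip="192.168.100.1" mac="00:11:22:33:44:55"/>
    </vnsSvcRedirectPol>
  </vnsSvcCont>
</fvTenant>
```

On its own this object does nothing; it is referenced from the service graph's device selection policy (the logical interface context of the firewall connector), and only traffic that matches the contract subject's filter is redirected, which is what gives the selective protocol-and-port steering described above. Because steering relies on the configured MAC, pair the destination with a tracking policy in production so that a failed firewall interface does not silently black-hole redirected traffic.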

