What is Policy-Based Redirect (PBR) in Cisco ACI?

Policy-Based Redirect (PBR) is used in a Cisco ACI service chain to steer traffic to a specific service node such as a firewall, based on contract policies, even when normal routing or endpoint learning would not send the traffic through that device.

What happens when a client sends traffic to a destination for the first time using PBR?

If the destination endpoint is not yet known, traffic is sent from the ingress leaf to the spine proxy. The spine forwards it to the destination leaf. After both EPG class IDs are learned, the PBR policy redirects the traffic to the firewall service node.

Why does the leaf modify the destination MAC address during PBR redirect with vPC?

The leaf changes the destination MAC address to the external MAC of the firewall interface. This ensures that traffic is forwarded to the PBR service node for inspection and policy enforcement as defined by the service graph.

Why is the client IP not learned from traffic forwarded to the PBR node?

IP data-plane learning is intentionally disabled on the PBR bridge domain to prevent endpoint table pollution. This avoids incorrect forwarding decisions that could occur if PBR service traffic were learned as regular endpoints.

How is traffic delivered to the firewall if the leaf does not know the PBR node’s MAC address?

If the PBR node’s MAC address is not present in the leaf’s endpoint table, the packet is sent to the spine proxy. The spine then forwards the traffic to the appropriate leaf where the firewall service node is connected.

PBR Traffic Flow Learning

Depending on the PBR design, several traffic flows are possible. These figures depict the east-west traffic flow between endpoints in EPG client and EPG web, when a firewall service node in Layer 3 mode is integrated in Cisco ACI fabric using a service graph with PBR.

EPG client is a consumer EPG and the EPG web is a provider EPG, using a contract with service graph PBR. The generated traffic from the client endpoint that is destined for the web endpoint follows this sequence:

Endpoint client, which is connected to Leaf 1, sends traffic to the web.
Assuming that Leaf 1 has not learned the destination endpoint, Leaf 1 forwards the traffic to the spine proxy. Currently, Leaf1 cannot resolve the destination EPG class ID (pcTag) either to apply a contract with PBR policy.
The spine node forwards the traffic to Leaf 3, to which the destination web endpoint is connected. In addition, Leaf 3 learns the source endpoint (client) information from this traffic and populates its endpoint table.
Since Leaf 3 can resolve both, the source and destination EPG class IDs, the contract with the PBR service graph is invoked, which results with PBR traffic redirection on Leaf 3. In this process, the destination MAC address is rewritten to the PBR node MAC address (MAC Ext of the firewall external interface) on the consumer side. Leaf 3 looks up the PBR node MAC Ext in the PBR BD. Since Leaf 3 does not know where this destination MAC address is connected, the traffic goes to the spine proxy, which forwards the traffic to Leaf 2, to which the PBR node is connected. Hence, the traffic is forwarded to the external interface of the PBR node for inspection and routing. Leaf 2 does not learn the client IP address from this traffic like Leaf 3 did, because IP data-plane learning is disabled for the PBR node bridge domain.

The traffic from the PBR node that is destined for the web endpoint follows this sequence:

GENERAL FAQ

What is the Policy-Based Redirect (PBR) in Cisco ACI?

PBR is used in an ACI service chain to steer the traffic to a particular service node (eg, firewall) based on contract policies, even if other normal routing or endpoint learning does not send the traffic through that device.

What is the traffic direction when a client IP tries to send traffic to an IP on the web tier for the first time via PBR?

If the destination endpoint is not known, traffic is first sent from the ingress leaf to the spine proxy. The spine forwards it to the leaf where the web endpoint is running. After the leaf sends both EPG class IDs, the PBR policy redirects the traffic to the firewall service node.

Comment

You are will be the first.

Please login here to comment.

EMAIL SUPPORT

LOCATION

PBR Traffic Flow Learning