Introduction
Pre-PBR Deployment Traffic Flow:
Before a service graph with Policy-Based Routing (PBR) is deployed, the Cisco ACI fabric forwards traffic from the client in EPG client to the server in EPG web purely according to its forwarding (routing) tables.
Traffic is permitted by the contract established between the two EPGs.
The default gateway of both the client and the server is the bridge domain (BD) subnet IP address of the bridge domain in which each endpoint resides.
Traffic Flow with PBR Service Graph:
When a service graph with PBR is implemented:
Even though the forwarding table still points directly at the destination endpoint, traffic that matches the contract is redirected to a service node (for example, a firewall).
The contract with the PBR service graph attached defines which traffic is redirected to the service node.
In this example the service node operates in Layer 3 (routed) mode and is attached to the Cisco ACI fabric.
It routes and inspects the traffic between the client and the server, which are in different EPGs.
Service Node Integration Without PBR:
A service node can also be integrated into Cisco ACI using a service graph without PBR.
Without PBR, packet forwarding relies solely on the forwarding table.
The forwarding table itself must therefore send traffic through the inserted service node; there is no redirection.
This is typically achieved through Virtual Routing and Forwarding (VRF) stitching, also known as a VRF sandwich.
Service Graph Without PBR Configuration:
Multiple VRFs and VRF Sandwich:
Requires multiple VRFs in a classic VRF sandwich design.
Uses Layer 3 Out (L3Out) peering between the fabric and both the inside and outside interfaces of the firewall.
Traffic Flow Through Firewall:
Traffic between the client and web server passes through the firewall.
The firewall acts as a routed Layer 3 hop.
It has two interfaces:
One interface in VRF1.
Another interface in VRF2.
VRF Assignments:
VRF2:
Contains the web server subnet.
Includes the IP subnet of the firewall's internal (inside) interface.
VRF1:
Includes the IP subnet of the firewall's external (outside) interface.
Contains the Layer 3 interface towards the client.
Advantages of Service Graph with PBR:
Simplified Configuration:
Utilizes a single VRF, eliminating the need for a VRF sandwich.
Simplifies the overall network design and configuration.
Traffic Redirection Based on PBR Policy:
Traffic is redirected to the service node (e.g., firewall) based on the PBR policy.
Removes the need to steer traffic through the service node with VRF stitching: the forwarding table is no longer what puts the firewall in the path.
Selective Traffic Redirection:
Allows for selective traffic redirection using subjects and filters in the contract.
Provides greater control over which traffic is redirected compared to service graphs without PBR.
Use Cases for Service Graph with Policy-Based Routing (PBR):
Imagine a scenario where specific traffic—such as HTTPS—from one Endpoint Group (EPG) to another must pass through a firewall or an F5 load balancer. All other traffic should flow directly between the two EPGs through a normal contract without additional inspection.
Insertion of Firewalls or Load Balancers:
Insert firewalls or load balancers into the communication path between endpoints while the default gateway stays on the Cisco ACI fabric (the BD subnet IP).
Insertion Between Same Subnet Endpoints:
Deploy Layer 4 to Layer 7 devices within the path of endpoints that reside on the same subnet, enabling advanced traffic management without altering the underlying network architecture.
Selective Traffic Separation:
Utilize protocol and port filtering to direct only specific types of traffic to Layer 4 to Layer 7 devices. This allows for granular control, ensuring that only designated traffic—such as HTTPS—is inspected or modified.
Horizontal Scaling with Symmetric PBR:
Use symmetric PBR to spread traffic across multiple Layer 4 to Layer 7 devices: the fabric hashes each flow to one device in the redirect policy and sends both directions of that flow to the same device, so stateful devices can be scaled horizontally.
Configuration steps for a service graph with PBR:
1. Service Graph Template: defines how traffic should flow through the service node(s). Route Redirect set to True on the node makes it a PBR service graph.
2. Device (L4-L7 device): defines the concrete service device, how many interfaces and logical connectors it has, and the physical interfaces through which it connects to the fabric.
3. Device Selection Policy: defines how the device communicates with the fabric. It ties the device (its interfaces, bridge domain and PBR policy) to a graph template and a contract.
4. Contract: selects the traffic to redirect to the firewall. The contract with the graph attached sits between the consumer and provider EPGs, and the fabric creates a shadow EPG for the service node's interfaces.
5. Disable data plane IP learning on the bridge domain of the PBR node.
6. Pending
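The following is an added example, not code from the original page or from Cisco: it assembles the APIC REST JSON for the five configuration steps above and for the selective-redirect contract described earlier (only HTTPS is sent to the firewall, everything else flows directly under the same contract). The tenant, VRF, bridge domain, device and policy names, the firewall IP and MAC, the VLAN and the fabric port are made-up placeholders; the class and attribute names (vnsAbsGraph, vnsLDevVip, vnsLDevCtx, vnsSvcRedirectPol, vzBrCP, fvBD and so on) are those of the APIC object model, and should be checked in the model browser of your APIC release before posting.

```python
"""Added example (not from the original page or Cisco): build the APIC REST JSON
for a one-arm routed firewall inserted with a PBR service graph. All names, IPs,
MACs, VLAN and fabric port below are constructed placeholders (assumptions)."""
import json

# Constructed placeholders (assumptions, not from the page)
TENANT, VRF = "tn-demo", "vrf-demo"
BD_FW = "bd-fw-pbr"                                   # bridge domain of the PBR node
CONTRACT, GRAPH, NODE = "ctr-client-web", "sg-fw-pbr", "FW"
DEVICE, PBR_POL = "ldev-fw", "pbr-fw"
FW_IP, FW_MAC = "10.10.99.10", "00:50:56:AA:BB:CC"   # firewall one-arm interface

def mo(cls, attrs, children=()):
    """One managed object in APIC JSON shape: {class: {attributes, children}}."""
    return {cls: {"attributes": dict(attrs), "children": list(children)}}

def tn(rn):
    """Distinguished name of an object under the tenant."""
    return f"uni/tn-{TENANT}/{rn}"

def step1_graph_template():
    """Step 1: abstract graph; routingMode=Redirect on the node is 'Route Redirect: True'."""
    g = f"AbsGraph-{GRAPH}"
    def edge(name, term, side):  # graph edge: terminal node <-> firewall connector
        return mo("vnsAbsConnection", {"name": name, "connType": "external", "unicastRoute": "yes"},
                  [mo("vnsRsAbsConnectionConns", {"tDn": tn(f"{g}/{term}/AbsTConn")}),
                   mo("vnsRsAbsConnectionConns", {"tDn": tn(f"{g}/AbsNode-{NODE}/AbsFConn-{side}")})])
    return mo("vnsAbsGraph", {"name": GRAPH}, [
        mo("vnsAbsTermNodeCon", {"name": "T1"}, [mo("vnsAbsTermConn", {"name": "1"})]),
        mo("vnsAbsTermNodeProv", {"name": "T2"}, [mo("vnsAbsTermConn", {"name": "1"})]),
        mo("vnsAbsNode", {"name": NODE, "funcType": "GoTo", "managed": "no", "routingMode": "Redirect"},
           [mo("vnsAbsFuncConn", {"name": "consumer"}), mo("vnsAbsFuncConn", {"name": "provider"}),
            mo("vnsRsNodeToLDev", {"tDn": tn(f"lDevVip-{DEVICE}")})]),
        edge("C1", "AbsTermNodeCon-T1", "consumer"), edge("C2", "AbsTermNodeProv-T2", "provider")])

def step2_device():
    """Step 2: the concrete (unmanaged, physical) firewall, its interface and the fabric port it uses."""
    cif = mo("vnsCIf", {"name": "Gi0/1"},
             [mo("vnsRsCIfPathAtt", {"tDn": "topology/pod-1/paths-101/pathep-[eth1/10]"})])
    return mo("vnsLDevVip", {"name": DEVICE, "devtype": "PHYSICAL", "svcType": "FW",
                             "managed": "no", "contextAware": "single-Context"},
              [mo("vnsCDev", {"name": "fw1"}, [cif]),
               mo("vnsLIf", {"name": "svc", "encap": "vlan-3001"},
                  [mo("vnsRsCIfAttN", {"tDn": tn(f"lDevVip-{DEVICE}/cDev-fw1/cIf-[Gi0/1]")})])])

def pbr_policy():
    """PBR policy: where redirected packets go (the firewall interface IP and MAC)."""
    return mo("vnsSvcCont", {}, [mo("vnsSvcRedirectPol", {"name": PBR_POL},
                                   [mo("vnsRedirectDest", {"ip": FW_IP, "mac": FW_MAC})])])

def step3_device_selection_policy():
    """Step 3: tie contract+graph+node to the device; each connector to BD, interface and PBR policy."""
    ctxs = [mo("vnsLIfCtx", {"connNameOrLbl": side},
               [mo("vnsRsLIfCtxToBD", {"tDn": tn(f"BD-{BD_FW}")}),
                mo("vnsRsLIfCtxToLIf", {"tDn": tn(f"lDevVip-{DEVICE}/lIf-svc")}),
                mo("vnsRsLIfCtxToSvcRedirectPol", {"tnVnsSvcRedirectPolName": PBR_POL})])
            for side in ("consumer", "provider")]
    return mo("vnsLDevCtx", {"ctrctNameOrLbl": CONTRACT, "graphNameOrLbl": GRAPH, "nodeNameOrLbl": NODE},
              [mo("vnsRsLDevCtxToLDev", {"tDn": tn(f"lDevVip-{DEVICE}")})] + ctxs)

def https_filter():
    """Tenant-local filter matching TCP/443 (the 'default' filter comes from tenant common)."""
    return mo("vzFilter", {"name": "https"}, [mo("vzEntry", {"name": "tcp443", "etherT": "ip",
              "prot": "tcp", "dFromPort": "443", "dToPort": "443"})])

def step4_contract():
    """Step 4: only the 'https' subject has the graph attached; 'default' is a plain permit."""
    https = mo("vzSubj", {"name": "https"}, [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "https"}),
                                             mo("vzRsSubjGraphAtt", {"tnVnsAbsGraphName": GRAPH})])
    rest = mo("vzSubj", {"name": "default"}, [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "default"})])
    return mo("vzBrCP", {"name": CONTRACT, "scope": "context"}, [https, rest])

def step5_pbr_bd():
    """Step 5: the PBR node's bridge domain with data-plane IP learning disabled."""
    return mo("fvBD", {"name": BD_FW, "unicastRoute": "yes", "ipLearning": "no"},
              [mo("fvRsCtx", {"tnFvCtxName": VRF}), mo("fvSubnet", {"ip": "10.10.99.1/24", "scope": "private"})])

def tenant_payload():
    """Full tree to POST to https://<apic>/api/mo/uni.json (VRF and client/web EPGs assumed to exist)."""
    return mo("fvTenant", {"name": TENANT}, [step5_pbr_bd(), https_filter(), pbr_policy(), step2_device(),
                                             step1_graph_template(), step3_device_selection_policy(),
                                             step4_contract()])

def find(tree, cls):
    """Depth-first search; returns the {attributes, children} body of every object of class cls."""
    hits = []
    for k, body in tree.items():
        if k == cls:
            hits.append(body)
        for child in body.get("children", []):
            hits.extend(find(child, cls))
    return hits

def redirected_subjects(tree):
    """Names of contract subjects that carry a service graph, i.e. whose traffic is redirected."""
    return sorted(s["attributes"]["name"] for s in find(tree, "vzSubj")
                  if find({"vzSubj": s}, "vzRsSubjGraphAtt"))

if __name__ == "__main__":
    print(json.dumps(tenant_payload(), indent=2))
```

Run it and POST the printed JSON to the APIC with a logged-in session; `find` and `redirected_subjects` let you check the tree before posting, for instance that only the HTTPS subject references the graph and that the PBR bridge domain has `ipLearning` set to `no`.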