ACI L4-L7 Policy-Based Redirect (PBR) Deep Dive and tips
Minako Higuchi, Technical Marketing Engineer, Cloud Networking Business Group
BRKDCN-3982, #CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Session Objectives
At the end of the session, the participants should be able to:
- Understand ACI PBR use cases.
- Understand how ACI PBR works.
- Understand design considerations.
What is not covered in this session:
- Cloud ACI. We are going to focus on on-prem ACI.
Initial assumption: The audience already has a good knowledge of ACI main concepts: VRF, BD, EPG, ESG, L3Out, Contract, Multi-Pod, Multi-Site, Remote Leaf etc.
Note: This session uses ESGs mainly, but the PBR features are applicable to EPGs and uSeg EPGs.

Agenda
- ACI PBR Use cases
- PBR Forwarding and zoning-rules
- FAQs and Advanced use cases
- Multi-location Data Centers

ACI PBR Use Cases

PBR (redirect) is one of the contract actions!
Contract actions: Permit, Deny, Redirect, Copy.
Diagram: ESG1 (consumer) -- Contract --> ESG2 (provider); the Redirect action sends the traffic to a Firewall.

Where can we use PBR? Wherever contracts can be applied!
PBR is a contract action. It's based on source EPG/ESG, destination EPG/ESG and filter matching.
- Between EPGs or ESGs.
- Between L3Out EPGs (L3Out EPG1 10.0.0.0/8 and L3Out EPG2 172.16.0.0/16 in the diagram).
- Between EPGs or ESGs in the same subnet (ESG1 10.1.1.1 and ESG2 10.1.1.2).
- Between endpoints in the same EPG or ESG (10.1.1.1 and 10.1.1.2, both in ESG1).

PBR use cases
- Inspect specific traffic: between ESG1 and ESG2, TCP traffic is redirected to the FW; other traffic is just permitted.
- Use different firewalls: ESG1 goes to the L3Out via FW1; ESG2 goes to the L3Out via FW2.
- LB without SNAT (uni-directional PBR): ESG1 reaches the LB (no SNAT) and ESG2 behind it; return traffic goes back to the LB without SNAT.
PBR can be applied to each direction.

ACI Copy service
Copy specific traffic instead of redirecting it.
- Original traffic goes to the Web endpoint directly.
- Traffic is copied to the IDS.
Diagram: ESG1 (consumer) -- Contract with Copy action --> ESG2 (provider); the copy goes to the IDS.

Important note
- ACI must be Layer 3. (L2Out EPG is not supported)
- VRF must be in enforced mode. (PBR cannot be used in a VRF in unenforced mode)
  - If you want common permit or redirect rules in the VRF, you can use vzAny (all EPGs and ESGs in a VRF).
  - If you don't need contract enforcement for specific EPGs/ESGs in the VRF, you can still use Preferred Group.
Please see the ACI Contract guide for detail.
Diagram: VRF1 where vzAny (ExtEPG, App, Web, DB) is both consumer and provider of a contract with Redirect; VRF1 with ExtEPG, App, Web, DB and NFS, where the contract with Redirect (PBR) applies between them.

PBR Forwarding and zoning-rules

Zoning-rules (1-node Service Graph)
Without PBR (permit action): ESG1 (class 29, consumer) -- contract1 --> ESG2 (class 10934, provider).

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir            | operSt  | Scope   | Name              | Action | Priority      |
| 4157    | 29     | 10934  | 14       | bi-dir         | enabled | 2195459 | tenant1:contract1 | permit | fully_qual(7) |
| 4144    | 10934  | 29     | 14       | uni-dir-ignore | enabled | 2195459 | tenant1:contract1 | permit | fully_qual(7) |

With PBR (Service Graph): ESG1 (29, consumer) -- contract1 with Service Graph (PBR) --> ESG2 (10934, provider). The service node connectors are class 30 (the one that sends to the consumer) and class 32 (the one that sends to the provider).

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir            | operSt  | Scope   | Name | Action            | Priority       |
| 4144    | 29     | 10934  | 14       | bi-dir         | enabled | 2195459 |      | redir(destgrp-11) | fully_qual(7)  |
| 4157    | 10934  | 29     | 14       | uni-dir-ignore | enabled | 2195459 |      | redir(destgrp-12) | fully_qual(7)  |
| 4140    | 32     | 10934  | default  | uni-dir        | enabled | 2195459 |      | permit            | src_dst_any(9) |
| 4136    | 30     | 29     | 14       | uni-dir        | enabled | 2195459 |      | permit            | fully_qual(7)  |

By default, the unspecified default filter (any) is used for a zoning-rule entry without the consumer EPG.

Filter-from-contract
- To use the specific filter in the contract, "filters-from-contract" needs to be checked. Default is "allow-all".
- Use case: use a different forwarding action based on the filter.
Diagram: ESG1 (29, consumer) and ESG2 (10934, provider); Contract1 (UDP) goes through FW1 (classes 30/32), Contract2 (TCP) goes through FW1 and then IPS1 (classes 10937/5481).
By default, forwarding actions are duplicated:
- 32-to-10934: permit (contract1 with UDP)
- 32-to-10934: redirect to IPS1 (contract2 with TCP)

PBR destination status
Pod1-Leaf1# show service redir info
LEGEND
TL: Threshold(Low) | TH: Threshold(High) | HP: HashProfile | HG: HealthGrp | BAC: Backup-Dest | TRA: Tracking | RES: Resiliency

List of Dest Groups
| GrpID | Name       | destination                     | HG-name     | BAC | operSt  | operStQual  | TL | TH | HP  | TRAC | RES |
| 11    | destgrp-11 | dest-192.168.11.1-vxlan-2195459 | tenant1:HG1 | N   | enabled | no-oper-grp | 0  | 0  | sym | yes  | no  |
| 12    | destgrp-12 | dest-192.168.12.1-vxlan-2195459 | tenant1:HG1 | N   | enabled | no-oper-grp | 0  | 0  | sym | yes  | no  |

List of destinations
| Name                            | bdVnid         | vMac              | vrf          | operSt  | operStQual   | HG-name     |
| dest-192.168.11.1-vxlan-2195459 | vxlan-16678782 | 00:50:56:AF:6C:16 | tenant1:VRF1 | enabled | no-oper-dest | tenant1:HG1 |
| dest-192.168.12.1-vxlan-2195459 | vxlan-16121790 | 00:50:56:AF:DF:55 | tenant1:VRF1 | enabled | no-oper-dest | tenant1:HG1 |

List of Health Groups
| HG-Name     | HG-OperSt | HG-Dest                         | HG-Dest-OperSt |
| tenant1:HG1 | enabled   | dest-192.168.11.1-vxlan-2195459 | up             |
|             |           | dest-192.168.12.1-vxlan-2195459 | up             |

Health group: 192.168.11.1 (destgrp-11) and 192.168.12.1 (destgrp-12). If one of them is down, PBR to this node is disabled for both directions.
1: Local tracking from the service leaf to the node.
2: Periodic system-wide broadcast to all leaf nodes from the service leaf, announcing the FW's aliveness.

Zoning-rules (2-node Service Graph)
With Service Graph (PBR): ESG Client (29, consumer) -- Contract --> ESG Web (10934, provider).
- First node: FW (PBR for both directions), connector classes 30/32.
- Second node: LB with a VIP (PBR for the provider-to-consumer direction only), connector classes 10937/5481.

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir            | operSt  | Scope   | Name | Action            | Priority       |
| 4195    | 29     | 10937  | 14       | bi-dir         | enabled | 2195459 |      | redir(destgrp-11) | fully_qual(7)  |
| 4196    | 32     | 10937  | default  | uni-dir        | enabled | 2195459 |      | permit            | src_dst_any(9) |
| 4193    | 5481   | 10934  | default  | uni-dir        | enabled | 2195459 |      | permit            | src_dst_any(9) |
| 4198    | 10934  | 29     | 14       | uni-dir        | enabled | 2195459 |      | redir(destgrp-17) | fully_qual(7)  |
| 4181    | 10937  | 29     | 14       | uni-dir-ignore | enabled | 2195459 |      | redir(destgrp-12) | fully_qual(7)  |
| 4194    | 30     | 29     | 14       | uni-dir        | enabled | 2195459 |      | permit            | fully_qual(7)  |

Rules 4195, 4196 and 4193 cover the consumer-to-provider direction; rules 4198, 4181 and 4194 cover the provider-to-consumer direction.
To permit traffic from the provider EPG to the LB (10934 to 5481), the Direct Connect option must be enabled.

Direct Connect (False by default)
Tenant > Services > L4-L7 > Service Graph templates > Service Graph_NAME > Policy
Direct Connect must be "True" for communication between the consumer/provider endpoint and the PBR destination. Default is "False".

How forwarding works: 1 node, topology
- Consumer: IP 192.168.1.1, MAC MAC-con, in BD1 (gateway 192.168.1.254, Leaf MAC), connected to Leaf1.
- Provider: IP 192.168.2.1, MAC MAC-prov, in BD2 (gateway 192.168.2.254, Leaf MAC), connected to Leaf3.
- Service node, connected to Leaf2: consumer connector IP 172.16.1.1, MAC VMAC-con, in Svc-BD1 (gateway 172.16.1.254, Leaf MAC); provider connector IP 172.16.2.1, MAC VMAC-prov, in Svc-BD2 (gateway 172.16.2.254, Leaf MAC).

How forwarding works: 1 node (incoming traffic)
1: Traffic from consumer: Src IP 192.168.1.1, Src MAC MAC-con, Dest IP 192.168.2.1, Dest MAC Leaf MAC.
2: Leaf1 doesn't know 192.168.2.1. (Leaf1 endpoint table: 192.168.1.1 -> 1/1 (local))
3: Go to Spine proxy. (Spine endpoint table: 192.168.1.1 -> Leaf1, 192.168.2.1 -> Leaf3; VXLAN encap/decap between leaves)
4: Traffic goes to Leaf3, where the destination is located.
5: Policy check, and Leaf3 learns 192.168.1.1. Src class: Consumer, Dest class: Provider. (Leaf3 endpoint table: 192.168.1.1 -> Leaf1, 192.168.2.1 -> 1/1 (local))
6: Policy applied (PBR): Src IP 192.168.1.1, Dest IP 192.168.2.1, Dest MAC VMAC-con, Segment ID Svc-BD1.
7: Spine-proxy. The leaf that applies the policy always uses spine-proxy to reach the PBR destination if the PBR destination is in a BD.
8: Traffic to the service node: Src IP 192.168.1.1, Dest IP 192.168.2.1, Dest MAC VMAC-con.
9: Traffic from the service node: Src IP 192.168.1.1, Src MAC VMAC-prov, Dest IP 192.168.2.1, Dest MAC Leaf MAC.
10: Go to Spine proxy.
11: Policy check. Src class: FW-provider, Dest class: Provider.
12: Traffic to destination: Src IP 192.168.1.1, Src MAC Leaf MAC, Dest IP 192.168.2.1, Dest MAC MAC-prov.
Leaf3 doesn't re-learn 192.168.1.1 here because dataplane IP learning is disabled. Dataplane IP learning is automatically disabled for the service EPG (starting from 3.1).

How forwarding works: 1 node (return traffic)
1: Traffic from provider: Src IP 192.168.2.1, Src MAC MAC-prov, Dest IP 192.168.1.1, Dest MAC Leaf MAC.
2: Policy check, and Leaf3 knows 192.168.1.1. Src class: Provider, Dest class: Consumer. (Leaf3 endpoint table: 192.168.1.1 -> Leaf1, 192.168.2.1 -> 1/1 (local))
3: Policy applied (PBR): Src IP 192.168.2.1, Dest IP 192.168.1.1, Dest MAC VMAC-leg2 (as labelled on the slide; step 5 names the same connector VMAC-prov), Segment ID Svc-BD2.
4: Spine-proxy.
5: Traffic to the service node: Src IP 192.168.2.1, Dest IP 192.168.1.1, Dest MAC VMAC-prov.
6: Traffic from the service node: Src IP 192.168.2.1, Src MAC VMAC-con, Dest IP 192.168.1.1, Dest MAC Leaf MAC.
7: Go to Spine proxy.
8: Policy check. Src class: FW-consumer, Dest class: Consumer.
9: Traffic to destination: Src IP 192.168.2.1, Src MAC Leaf MAC, Dest IP 192.168.1.1, Dest MAC MAC-con.
Leaf1 doesn't know 192.168.2.1 (Leaf1 endpoint table: 192.168.1.1 -> 1/1 (local)), and Leaf1 doesn't learn 192.168.2.1 here because dataplane IP learning is disabled.

Where is the policy applied?
Please see the ACI Contract guide for detail.
| Scenario  | VRF enforcement mode | Consumer  | Provider  | Policy enforced on |
| Intra-VRF | Ingress/egress       | EPG       | EPG       | If the destination endpoint is learned: ingress leaf. If the destination endpoint is not learned: egress leaf |
| Intra-VRF | ingress              | EPG       | L3Out EPG | Consumer leaf (non-border leaf) |
| Intra-VRF | ingress              | L3Out EPG | EPG       | Provider leaf (non-border leaf) |
| Intra-VRF | egress               | EPG       | L3Out EPG | Border leaf to non-border leaf traffic: if the destination endpoint is learned: border leaf; if not learned: non-border leaf. Non-border leaf to border leaf traffic: border leaf |
| Intra-VRF | egress               | L3Out EPG | EPG       | (same as the row above) |
| Intra-VRF | Ingress/egress       | L3Out EPG | L3Out EPG | Ingress leaf |
| Inter-VRF | Ingress/egress       | EPG       | EPG       | Consumer leaf |
| Inter-VRF | Ingress/egress       | EPG       | L3Out EPG | Consumer leaf (non-border leaf) |
| Inter-VRF | Ingress/egress       | L3Out EPG | EPG       | Ingress leaf |
| Inter-VRF | Ingress/egress       | L3Out EPG | L3Out EPG | Ingress leaf |

How does ingress/egress leaf enforcement work? The Policy Applied (PA) bit
ESG1 (class 29, IP 192.168.1.1, on Leaf1) is the consumer and ESG2 (class 10934, IP 192.168.2.1, on Leaf2) the provider of Contract1.
Intra-VRF ESG-to-ESG, ingress leaf enforcement:
1: Traffic from 192.168.1.1 to 192.168.2.1.
2: If Leaf1 knows the destination class ID, policy is applied. Source class: 29, Destination class: 10934. Permit (PA=1).
3: Because PA=1, Leaf2 doesn't apply policy.
Intra-VRF ESG-to-ESG, egress leaf enforcement:
1: Traffic from 192.168.1.1 to 192.168.2.1.
2: If Leaf1 doesn't know the destination, policy is not applied. Source class: 29, Destination class: 1. Implicit permit (PA=0).
3: Because PA=0, Leaf2 applies policy. Source class: 29, Destination class: 10934. Permit.

Contract Priority
- More specific EPGs win over vzAny and preferred groups. EPG-to-EPG wins over EPG-to-vzAny/vzAny-to-EPG, which wins over vzAny-to-vzAny.
- Specific source wins over specific destination. (EPG-to-vzAny wins over vzAny-to-EPG)
- Deny actions win.
- Specific protocol wins.
If the zoning-rule priority is the same:
- deny wins over a redirect or permit action.
- Between redirect and permit, a more specific protocol and a specific L4 protocol wins. More specific L4 rules win.
  - A specific filter wins over an "any" filter.
  - A specific destination wins over a specific source. ("s-any to d-80" wins over "s-80 to d-any")
Look at your zoning-rule priority and then the filter priority! Please see the ACI Contract guide for detail.

Example 1
ESG1-to-ESG2 (IP): Permit. ESG1-to-L3OutEPG3 (IP): Permit. ESG2-to-L3OutEPG3 (IP): Permit.
What's the forwarding action?
Diagram: VRF1; vzAny (ESG1, ESG2, L3OutEPG3) is both consumer and provider of vzAny-to-vzAny (permit-IP).

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir     | operSt  | Scope   | Name                   | Action | Priority           |
| 4194    | 0      | 0      | 74       | uni-dir | enabled | 2195459 | tenant1:vzAny-to-vzAny | permit | any_any_filter(17) |

Example 2
ESG1-to-ESG2 (TCP): Redirect. ESG1-to-ESG2 (UDP): Permit.
What's the forwarding action?
Diagram: VRF1; vzAny (ESG1, ESG2, L3OutEPG3) is consumer and provider of vzAny-to-vzAny (permit-IP) (redirect-TCP); the service node is class 5477.

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir     | operSt  | Scope   | Name                   | Action            | Priority                 |
| 4194    | 0      | 0      | 74       | uni-dir | enabled | 2195459 | tenant1:vzAny-to-vzAny | permit            | any_any_filter(17)       |
| 4248    | 0      | 0      | 14       | uni-dir | enabled | 2195459 |                        | redir(destgrp-20) | any_any_filter(17)       |
| 4186    | 5477   | 0      | 14       | uni-dir | enabled | 2195459 |                        | permit            | shsrc_any_filt_perm(10)  |
| 4193    | 5477   | 0      | default  | uni-dir | enabled | 2195459 |                        | permit            | shsrc_any_any_perm(11)   |

In this example: Filter ID 74: Permit-IP all. Filter ID 14: Permit-TCP all.
More specific L4 rules win even though the zoning-rule priority is the same.

Example 3
ESG1-to-ESG2 (TCP): Redirect. ESG1-to-L3OutEPG3 (IP): Redirect. ESG1-to-ESG2 (UDP): Permit.
What's the forwarding action?
Diagram: VRF1; vzAny-to-vzAny (permit-IP); vzAny (consumer)-to-External L3OutEPG3 (provider) (redirect-IP); ESG1 (consumer)-to-ESG2 (provider) (redirect TCP).
Why? ESG-to-ESG (priority 7) wins over External-to-vzAny/vzAny-to-External (priority 13 or 14), which wins over vzAny-to-vzAny (priority 17).
Class IDs: ESG1 = 24, ESG2 = 10936, L3OutEPG3 = 32782, service node = 5477.

Pod1-Leaf1# show zoning-rule scope 2195459
| Rule ID | SrcEPG | DstEPG | FilterID | Dir            | operSt  | Scope   | Name                   | Action           | Priority                |
| 4194    | 0      | 0      | 74       | uni-dir        | enabled | 2195459 | tenant1:vzAny-to-vzAny | permit           | any_any_filter(17)      |
| 4172    | 0      | 32782  | 74       | uni-dir        | enabled | 2195459 |                        | redir(destgrp-1) | any_dest_filter(14)     |
| 4196    | 5477   | 32782  | default  | uni-dir        | enabled | 2195459 |                        | permit           | src_dst_any(9)          |
| 4201    | 32782  | 0      | 74       | uni-dir        | enabled | 2195459 |                        | redir(destgrp-1) | src_any_filter(13)      |
| 4242    | 5477   | 0      | 74       | uni-dir        | enabled | 2195459 |                        | permit           | shsrc_any_filt_perm(10) |
| 4186    | 24     | 10936  | 14       | bi-dir         | enabled | 2195459 |                        | redir(destgrp-1) | fully_qual(7)           |
| 4193    | 5477   | 10936  | default  | uni-dir        | enabled | 2195459 |                        | permit           | src_dst_any(9)          |
| 4209    | 5477   | 24     | 14       | uni-dir        | enabled | 2195459 |                        | permit           | fully_qual(7)           |
| 4248    | 10936  | 24     | 14       | uni-dir-ignore | enabled | 2195459 |                        | redir(destgrp-1) | fully_qual(7)           |

FAQs and advanced use cases

One-arm vs Two-arm?
One-arm:
- Simple routing design on the service node.
- One-arm must be used for intra-subnet or intra-EPG/ESG contracts.
- Some firewalls don't allow intra-interface traffic by default.
Two-arm:
- Need to
manage the routing design on the service node.
- Different security level on each interface.
Diagrams (VRF1; BD1 192.168.1.254/24 with ESG1 192.168.1.1/24; BD2 192.168.2.254/24 with ESG2 192.168.2.1/24):
- Two-arm: service node .100 in Svc-BD1 (172.16.1.254/24) and .100 in Svc-BD2 (172.16.2.254/24). Routing table on the service node: 192.168.1.0 via 172.16.1.254; 192.168.2.0 via 172.16.2.254.
- One-arm: service node .100 in Svc-BD1 (172.16.1.254/24) only. Routing table on the service node: 192.168.0.0/16 via 172.16.1.254.

Can we reuse the same PBR destination multiple times?
- Multiple consumer/provider ESGs/EPGs: ESG Client1 and ESG Client2 consume, and ESG Web1 and ESG Web2 provide, one Contract (SG1) with Redirect.
- Multiple contracts can use the same PBR destination and Service Graph: Contract1 (SG1) between ESG Client1 and ESG Web1, Contract2 (SG1) between ESG Client2 and ESG Web2, both with Redirect.
Note:
- It could consume more TCAM resources if many EPGs consume and provide the same contract. The use of vzAny might be more efficient.
- Depending on the routing design, one-arm mode deployment may be required.

What types of devices can be PBR destinations? L1/L2/L3 device
- Prior to ACI Release 5.0, a PBR destination must be an L3 routed device (L3 PBR).
- Starting from ACI Release 5.0, L1/L2 PBR is supported to insert L1/L2 devices.
  - Insert a firewall without relying on BD/VLAN stitching.
  - The L1/L2 service device BD must be a dedicated BD that cannot be shared with other endpoints.
- L1/L2/L3 PBR can be mixed in a service graph.
Diagram: ESG1 (consumer) -- Contract with Redirect --> ESG2 (provider) through L1 PBR (inline IPS), L2 PBR (transparent FW) and L3 PBR (LB, PBR for return traffic).

Can we use a North-South firewall for East-West inspection? PBR destination in an L3Out
- Prior to ACI Release 5.2, the PBR destination must be in a BD.
- Starting from ACI Release 5.2, the PBR destination can be in an L3Out.
Diagram: ESG1 (consumer) -- Contract1 with Redirect --> ESG2 (provider); ESG1 and ESG2 also consume Contract2, provided by the L3Out EPG External 10.0.0.0/8; the firewall is behind the L3Out.
- East-West (contract1 with PBR): insert the firewall between ESG1 and ESG2.
- North-South (contract2 with permit): the firewall is in the path between the ESGs and the L3Out EPG.

Advanced use cases
- Inter-VRF inter-tenant contract with PBR
  - The provider is in the common tenant. The consumer is in a user tenant.
  - The provider is in a user tenant. The consumer is in the common tenant.
  - The provider is in a user tenant. The consumer is in another user tenant.
- High Availability designs
  - Active/Standby
  - Active/Active
  - Independent Active nodes with Symmetric PBR

Inter-VRF, Inter-tenant contract with PBR: Configuration for PBR
- Contract in the provider or common tenant
- Service Graph template: attached to a contract subject
- L4-L7 Device
- Device Selection Policy: it's based on the Contract name, the Service Graph template name and the Node name in the Service Graph. Then select BD/L3Out etc. for the consumer and provider connector of the service node.
Note: vzAny cannot be a provider for an inter-VRF contract.
Important consideration:
- The Device Selection policy must be in the provider tenant.
- The Device Selection policy must be able to refer to the L4-L7 Device and the BD/L3Out for the service device.

Inter-VRF, Inter-tenant contract with PBR: Example 1: The provider is in the common tenant. (BDs for PBR destinations are in the provider tenant)
Diagram: User tenant, VRF1: ESG App (consumer), 192.168.1.0/24, BD:BD1. Common tenant, VRF2: ESG Web (provider), 192.168.2.0/24, BD:BD2. The Contract, BD FW-external, BD FW-internal, L4-L7 Device, Device Selection Policy and Service Graph template are in the common tenant. Route-leaking between the VRFs.
The Device Selection Policy can refer to BDs in the common tenant.

Inter-VRF, Inter-tenant contract with PBR: Example 2: The provider is in a user tenant and the consumer is in the common tenant.
Diagram: Common tenant, VRF1: ESG App (consumer), 192.168.1.0/24, BD:BD1. User tenant, VRF2: ESG Web (provider), 192.168.2.0/24, BD:BD2. Contract with Contract Export; BD FW-external, BD FW-internal, L4-L7 Device, Device Selection Policy, Service Graph template; Route-leaking.
The Device Selection Policy can refer to BDs in the provider or the common tenant.

Inter-VRF, Inter-tenant contract with PBR: Example 3: The provider is in a user tenant and the consumer is in another user tenant.
Diagram: User tenant1, VRF1: ESG Client (consumer), 192.168.1.0/24, BD:BD1. User tenant2, VRF2: ESG Web (provider), 192.168.2.0/24, BD:BD2. Contract with Contract Export; BD FW-external, BD FW-internal, L4-L7 Device, Device Selection Policy, Service Graph template; Route-leaking.
If the provider and the consumer are in different user tenants, BDs for the service device must be in the provider user tenant.

HA design options
Active/Standby Cluster (IP 10.1.1.1)
- One PBR destination IP. One Logical device with two concrete devices.
- PBR is not mandatory.
- The Active/Standby pair represents a single MAC/IP entry.
Active/Active Cluster, Scale-Up Model (IP 10.1.1.1)
- One PBR destination IP. One Logical device with one concrete device.
- PBR is required if the cluster is stretched across pods.
- The Active/Active cluster represents a single MAC/IP entry.
- Spanned Ether-Channel Mode supported with Cisco ASA/FTD platforms.
Independent Active Nodes, Scale-Out Model (Active Node 1 IP 10.1.1.1, Active Node 2 IP 10.1.1.2, Active Node 3 IP 10.1.1.3)
- Multiple PBR destination IPs (Symmetric PBR). One Logical device with multiple concrete devices.
- PBR is required.
- Each Active node represents a unique MAC/IP entry.
- Use of Symmetric PBR to ensure each flow is handled by the same Active node in both directions.

Active/Active cluster
Firewalls in the same cluster must be connected via the same PC/vPC in each pod. Otherwise, the same endpoint will be learned via different locations, which results in endpoint flapping.
- Wrong (X): L3 Mode Active/Active Cluster, Firewall IP 10.1.1.1, members on different vPC pairs. Spines: 10.1.1.1 via Service Leaf vPC pair1? 10.1.1.1 via Service Leaf vPC pair2?
- Correct: one PC/vPC to all devices in the cluster. Spines: 10.1.1.1 via Service Leaf vPC pair1.

Active/Active cluster across pods
For Multi-Pod, the Anycast service feature must be enabled.
Diagram: L3 Mode Active/Active Cluster, Firewall IP 10.1.1.1 (Anycast service), one Active member in Pod1 and one in Pod2, connected over the IPN.
- Spines in Pod1: 10.1.1.1 via Service Leaf in Pod1 (preferred); 10.1.1.1 via Pod2.
- Service Leaf in Pod1: 10.1.1.1 local.
- Service Leaf in Pod2: 10.1.1.1 local.
- Spines in Pod2: 10.1.1.1 via Service Leaf in Pod2 (preferred); 10.1.1.1 via Pod1.

Independent Active Nodes: Ensure incoming and return traffic go to the same firewall
Symmetric PBR: scale firewalls easily.
Topology: Consumer Leaf with ESG1 (IP 192.168.1.1, gateway 192.168.1.254, Leaf MAC); Provider Leaf with ESG2 (IP 192.168.2.1, gateway 192.168.2.254, Leaf MAC); Service node Leaf with consumer-side connectors node1 172.16.1.1, node2 172.16.1.2, node3 172.16.1.3 (gateway 172.16.1.254, Leaf MAC) and provider-side connectors node1 172.16.2.1, node2 172.16.2.2, node3 172.16.2.3 (gateway 172.16.2.254, Leaf MAC). ESG1 (consumer) -- Contract with Redirect (Load-Balancing) --> ESG2 (provider).
- Based on the hash, traffic is load-balanced.
- PBR destinations can be distributed across multiple leaf nodes.

Independent Active Nodes: Symmetric PBR, hash algorithm option
Options:
- Source IP, Destination IP and Protocol number (default)
- Source IP only
- Destination IP only
Example: the same user (IP) will go through the same device (User1 to User4 spread over the PBR destinations).
- PBR for incoming traffic: Source IP based hash. Source IP: consumer IP, Destination IP: provider IP.
- PBR for return traffic: Destination IP based hash. Source IP: provider IP, Destination IP: consumer IP.
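The hash-option pairing above, modelled as an added Python example (not code from this deck or from Cisco): the incoming policy hashes on the source IP and the return policy on the destination IP, so both directions hash the consumer address and land on the same node. It also shows what happens when node2 leaves the group, contrasting plain modulo rehashing with rendezvous hashing, which is used here as a stand-in for ACI's resilient hash (an assumption about the mechanism, not a description of the hardware). Node addresses and the provider IP are from the slide topology; the user addresses are constructed.

```python
"""Symmetric PBR hash model (added example, not code from the Cisco deck).

Node addresses are the consumer-side connector IPs of node1..node3 and the
provider endpoint is 192.168.2.1, both from the slide topology; the consumer
(user) addresses are constructed sample values.
"""
import hashlib
from typing import Dict, List, Sequence

PBR_NODES: List[str] = ["172.16.1.1", "172.16.1.2", "172.16.1.3"]
PROVIDER_IP = "192.168.2.1"
USERS: List[str] = [f"10.10.0.{i}" for i in range(1, 41)]  # constructed consumer IPs


def _digest(*parts: str) -> int:
    """SHA-256 based integer so the model does not depend on Python's hash seed."""
    raw = hashlib.sha256("|".join(parts).encode()).digest()
    return int.from_bytes(raw[:8], "big")


def hash_fields(src_ip: str, dst_ip: str, proto: int, option: str) -> str:
    """Return the packet fields that feed the hash for a given PBR hash option.

    'sip-dip-proto' is the default the slide lists; 'sip' and 'dip' are the two
    single-field options. The default is modelled as an ordered 3-tuple; the
    slide does not say whether the hardware hash is order-independent.
    """
    if option == "sip":
        return src_ip
    if option == "dip":
        return dst_ip
    if option == "sip-dip-proto":
        return f"{src_ip}|{dst_ip}|{proto}"
    raise ValueError(f"unknown hash option {option!r}")


def pick_modulo(fields: str, nodes: Sequence[str]) -> str:
    """Plain bucket hashing: removing a node renumbers every bucket."""
    return nodes[_digest(fields) % len(nodes)]


def pick_resilient(fields: str, nodes: Sequence[str]) -> str:
    """Rendezvous (highest-random-weight) hashing, a stand-in for ACI's
    resilient hash: a node's removal only moves the flows it carried."""
    return max(nodes, key=lambda node: _digest(fields, node))


def redirect(src_ip: str, dst_ip: str, proto: int, option: str,
             nodes: Sequence[str], resilient: bool = False) -> str:
    """Choose the PBR destination for one packet under the given policy."""
    fields = hash_fields(src_ip, dst_ip, proto, option)
    return (pick_resilient if resilient else pick_modulo)(fields, nodes)


def is_symmetric(users: Sequence[str], nodes: Sequence[str],
                 resilient: bool = False) -> bool:
    """Incoming policy hashes on source IP, return policy on destination IP,
    so both directions hash the consumer address and pick the same node."""
    for user in users:
        inbound = redirect(user, PROVIDER_IP, 6, "sip", nodes, resilient)
        outbound = redirect(PROVIDER_IP, user, 6, "dip", nodes, resilient)
        if inbound != outbound:
            return False
    return True


def failover_impact(users: Sequence[str], nodes: Sequence[str], failed: str,
                    resilient: bool = False) -> Dict[str, int]:
    """Count flows that change node when `failed` drops out of the group."""
    remaining = [n for n in nodes if n != failed]
    before = {u: redirect(u, PROVIDER_IP, 6, "sip", nodes, resilient) for u in users}
    after = {u: redirect(u, PROVIDER_IP, 6, "sip", remaining, resilient) for u in users}
    return {
        "on_failed": sum(1 for u in users if before[u] == failed),
        "moved": sum(1 for u in users if before[u] != after[u]),
    }


if __name__ == "__main__":
    for resilient in (False, True):
        label = "resilient" if resilient else "modulo"
        impact = failover_impact(USERS, PBR_NODES, PBR_NODES[1], resilient)
        print(f"{label:9s} symmetric={is_symmetric(USERS, PBR_NODES, resilient)} "
              f"on failed node={impact['on_failed']} moved={impact['moved']}")
```

With the resilient selector the number of moved flows equals the number that were on the failed node; with the modulo selector it is usually larger, which is the connection-reset risk the next slides discuss.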
90、 affiliates.All rights reserved.Cisco Public#CiscoLiveWhat happens if an L4-L7 device is down?Without Resilient Hash(Default behavior)46BRKDCN-3982If one of the PBR nodes goes down,existing traffic flows will be rehashed.This could lead to the connection being reset.PBR forPBR forincoming trafficinc
91、oming trafficPBRPBRfor return trafficfor return trafficUser1User2User3User4IncomingTrafficReturnTrafficThanks to Symmetric PBR,incoming and return traffic go to same PBR node.PBR destinationsPBR forPBR forincoming trafficincoming trafficPBRPBRfor return trafficfor return trafficUser1User2User3User4I
92、ncomingTrafficReturnTrafficXSome traffic could be load-balanced to different PBR nodes that dont have existing connection info.PBR destinations 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveI want to minimize impact on the existing flow!With Resilient Hash47BRKDCN-3982Wi
93、th Resilient Hash PBR,only the traffics that went through failed node will be rerouted to one of the available nodes.PBR forPBR forincoming trafficincoming trafficPBRPBRfor return trafficfor return trafficUser1User2User3User4IncomingTrafficReturnTrafficPBR destinationsPBR forPBR forincoming traffici
94、ncoming trafficPBRPBRfor return trafficfor return trafficUser1User2User3User4IncomingTrafficReturnTrafficPBR destinationsX 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveCan we use standby PBR destination?Resilient Hash PBR with N+M backup48BRKDCN-3982PBR forPBR forincomi
95、ng trafficincoming trafficPBRPBRfor return trafficfor return trafficPBR nodes(Primary)User1User2User3User4IncomingTrafficReturnTrafficBackup node is not used unless a primary node is down.BackupAs all the traffic that went through the failed node will go to one of the available nodes,capacity of the
96、 node is a concern.(The node would have doubled amount of traffic compared with usual)Instead of using one of the available primary nodes,a backup node in the group will be used.(N+M)PBR destinationsPBR forPBR forincoming trafficincoming trafficPBRPBRfor return trafficfor return trafficPBR nodes(Pri
97、mary)User1User2User3User4IncomingTrafficReturnTrafficXPBR destinationsMulti-location Data Centers 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveService insertion in multiple DC locationsWhat is the challenge of service insertion in multiple DC locations?50BRKDCN-3982Traf
98、fic Symmetricity is importantSite 1Site 2Inter-Site NetworkActive/StandbyTraffic dropped because of lack of state in the FWActive/StandbyX X 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicMulti-location Data CentersRemote LeafMulti-PodMulti-Site51BRKDCN-3982 2023 Cisco and/or its a
99、ffiliates.All rights reserved.Cisco Public#CiscoLiveACI Remote LeafDesign consideration52BRKDCN-3982Service devices in the same service chain shouldnt be distributed across main location and remote location.Recommendation:Connect service device,consumer and provider EPs in vPC mode at Remote Locatio
100、n for local forwardingIP NetworkRemote LocationRemote LocationACI Main DCACI Main DCEPG1EPG2EPG1EPG2contract1PBRproviderconsumerFWActive/Standby 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI Remote LeafPBR traffic forwarding after ACI 4.053BRKDCN-3982Prior to ACI 4.0
101、,PBR traffic was always sent to Spine even when the source EP,destination EP and service EP(PBR destination)are under same Remote Leaf pair.Starting from ACI 4.0,service EPs(PBR destinations)information are learnt on Remote Leaf.So that traffic is locally forwarded.IP NetworkRemote LocationRemote Lo
102、cationACI Main DCACI Main DCFWActive/StandbyEPG1EPG2EPG1EPG2contract1PBRproviderconsumerPBR policy is applied.Traffic is forwarded locally 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI Remote LeafIf its not vPC(orphan port)54BRKDCN-3982If the end points and service n
103、ode is connected using orphan port,traffic to peer Remote Leaf is sent over upstream router.IP NetworkRemote LocationRemote LocationACI Main DCACI Main DCFWActive/StandbyEPG1EPG2EPG1EPG2contract1PBRproviderconsumerPBR policy is applied.Because the destination TEP is Remote Leaf2,traffic is forwarded
104、 back via upstream router.2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI Multi-PodDesign options55BRKDCN-3982For your referenceActiveStandbyIPNActive and Standby pair deployed across PodsNo issues with asymmetric flowsTypical options for an Typical options for an Acti
105、ve/Active DC use caseActive/Active DC use caseActive/StandbyActive/StandbyIPNIndependent Active/Standby pairs deployed in separate PodsUse of Symmetric PBR to avoid the creation of asymmetric paths crossing different active FW nodesActive/Active FW cluster nodes stretched across Sites(single logical
Requires the ability of discovering the same MAC/IP info in separate pods at the same time. Supported from ACI release 3.2(4d) with the use of Service Graph with PBR. (Figure: Active/Active Cluster across the IPN.)

ACI Multi-Pod: Active/Active cluster across pods, North-South Traffic Flow
L3 Mode Active/Active Cluster, Firewall IP: 10.1.1.1.
Spines in Pod1: 10.1.1.1 via Service Leaf in Pod1 (preferred); 10.1.1.1 via Pod2.
Spines in Pod2: 10.1.1.1 via Service Leaf in Pod2 (preferred); 10.1.1.1 via Pod1.
(Figure: the External EPG (L3Out-Pod1 in Pod1, L3Out-Pod2 in Pod2) is the consumer and EPG Web is the provider of the contract.)
The compute leaf always applies the PBR policy.
ACI Multi-Pod: Active/Active cluster across pods, East-West Traffic Flow (Intra-Pod)
L3 Mode Active/Active Cluster, Firewall IP: 10.1.1.1.
Spines in Pod1: 10.1.1.1 via Service Leaf in Pod1 (preferred); 10.1.1.1 via Pod2.
Spines in Pod2: 10.1.1.1 via Service Leaf in Pod2 (preferred); 10.1.1.1 via Pod1.
(Figure: EPG Web (consumer) and EPG App (provider) in each Pod, with a contract between them.)

ACI Multi-Pod: Active/Active cluster across pods, East-West Traffic Flow (Inter-Pod), incoming traffic
Spines in Pod1: 10.1.1.1 via Service Leaf in Pod1 (preferred); 10.1.1.1 via Pod2.
(Figure: EPG Web (consumer) in Pod1, EPG App (provider) in Pod2.)
If the ingress leaf knows the destination class ID, the ingress leaf applies policy and traffic is redirected to the FW in Pod1.

ACI Multi-Pod: Active/Active cluster across pods, East-West Traffic Flow (Inter-Pod), return traffic
Spines in Pod2: 10.1.1.1 via Service Leaf in Pod2 (preferred); 10.1.1.1 via Pod1.
If the ingress leaf knows the destination class ID, the ingress leaf applies policy and traffic is redirected to the FW in Pod2.
Even if asymmetric redirection happens, ASA/FTD clustering ensures traffic is forwarded to the same firewall via the control link.

ACI Multi-Site: Design options (For your reference)
Active/Standby pair in each Site (Active/Standby, ISN, Active/Standby): Recommended deployment model for ACI Multi-Site. Supported from the 3.2 release with the use of Service Graph with Policy Based Redirection (PBR).
Active and Standby pair deployed across Pods (Active, ISN, Standby): Limited supported options.
Active/Active FW cluster nodes stretched across Sites (single logical FW), i.e. an Active/Active Cluster across the ISN: Not supported.
(These deployment options are fully supported with ACI Multi-Pod.)

ACI Multi-Site, service nodes in each site: North-South Traffic Flow, compute leaf enforcement
Policy is always applied on the compute leaf.
North-South (L3Out-to-EPG) intra-VRF and inter-VRF contract with PBR. For an inter-VRF contract, the L3Out must be the provider.
(Figure: Site1 and Site2 connected over the Inter Site Network, each with an L3 Mode Active/Standby FW and its own L3Out (L3Out-Site1, L3Out-Site2). The External EPG is the consumer and EPG Web is the provider; the compute leaf always applies the PBR policy.)

ACI Multi-Site, service nodes in each site: East-West Traffic Flow, provider leaf enforcement
Policy is always applied on the provider leaf: the provider leaf always applies the PBR policy, and the consumer leaf does not apply the PBR policy.
The provider leaf can always resolve the consumer EPG class ID based on the consumer EPG subnet configuration.
East-West (EPG-to-EPG) intra-VRF and inter-VRF contract with PBR. The consumer EPG subnet must be configured, which means the design must be 1 BD subnet = 1 EPG (network centric).
(Figure: EPG Web (consumer) in Site1 and EPG App (provider) in Site2, each site with an L3 Mode Active/Standby FW.)

How to ensure the provider leaf enforcement? Special rule for consumer-to-provider traffic
redir_override: If the destination is NOT a local endpoint, the leaf doesn't apply policy (PA=0).
(Figure: EPG Web, class 32271 (consumer), in Site1; EPG App, class 32272 (provider), in Site2; class 49156 is the source of the permit rules below. 1: Implicit permit (PA=0) on the consumer leaf. 2: Because PA=0, the provider leaf applies policy: Redirect.)

Pod1-Leaf1# show zoning-rule scope 2195459
+---------+--------+--------+----------+----------------+---------+---------+------+---------------------------------+----------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir            | operSt  | Scope   | Name | Action                          | Priority       |
+---------+--------+--------+----------+----------------+---------+---------+------+---------------------------------+----------------+
| 4144    | 32271  | 32272  | 14       | bi-dir         | enabled | 2195459 |      | redir(destgrp-1),redir_override | fully_qual(7)  |
| 4157    | 32272  | 32271  | 14       | uni-dir-ignore | enabled | 2195459 |      | redir(destgrp-1)                | fully_qual(7)  |
| 4140    | 49156  | 32272  | default  | uni-dir        | enabled | 2195459 |      | permit                          | src_dst_any(9) |
| 4136    | 49156  | 32271  | 14       | uni-dir        | enabled | 2195459 |      | permit                          | fully_qual(7)  |
+---------+--------+--------+----------+----------------+---------+---------+------+---------------------------------+----------------+

How to ensure the provider leaf enforcement? Special rule for consumer-to-provider traffic (continued)
If the destination is under the same leaf, the leaf applies policy (same zoning-rule output as above).
(Figure: 1: the ingress leaf applies policy: Redirect.)

Multi-Site PBR Roadmap: vzAny-to-EPG, vzAny-to-vzAny
(Figure: consumer vzAny, provider App, contract action Redirect. NDO 4.2(1), ACI 6.0(3).)

ACI Multi-Site vzAny-to-EPG PBR: Challenges (NDO 4.2(1), ACI 6.0(3))
How to keep traffic symmetric: provider leaf enforcement.
How to ensure the provider leaf nodes can resolve the destination class ID without the EPG subnet:
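The zoning-rule output on the provider leaf enforcement slides above can be checked offline with a small parser. This is an added example, not code from the deck or from Cisco: the table text is a constructed copy of the slide's output, and the rule-resolution logic (lowest priority number wins; redir_override skips enforcement for a destination that is not a local endpoint and forwards with PA=0) is my reading of the slides, not an APIC or switch API.

```python
# Added example (not from the deck or Cisco): parse the slide's `show zoning-rule`
# excerpt and resolve which rule a flow hits. Resolution logic is my reading of the
# slides: lowest priority number wins; redir_override => the leaf skips enforcement
# when the destination is not a local endpoint and forwards with PA=0.
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed copy of "Pod1-Leaf1# show zoning-rule scope 2195459" from the slide.
ZONING_RULE_OUTPUT = """\
|Rule ID|SrcEPG|DstEPG|FilterID|Dir|operSt|Scope|Name|Action|Priority|
|4144|32271|32272|14|bi-dir|enabled|2195459||redir(destgrp-1),redir_override|fully_qual(7)|
|4157|32272|32271|14|uni-dir-ignore|enabled|2195459||redir(destgrp-1)|fully_qual(7)|
|4140|49156|32272|default|uni-dir|enabled|2195459||permit|src_dst_any(9)|
|4136|49156|32271|14|uni-dir|enabled|2195459||permit|fully_qual(7)|
"""
PRIO_RE = re.compile(r"^(\w+)\((\d+)\)$")   # fully_qual(7) -> ("fully_qual", "7")


@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    src_epg: int
    dst_epg: int
    filter_id: str
    direction: str
    action: str
    priority: int        # lower number wins: fully_qual(7) beats src_dst_any(9)


def parse_zoning_rules(text: str) -> list[ZoningRule]:
    """Parse the pipe-delimited rows; tolerates a collapsed (empty) Name column."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|") or line.startswith("|Rule ID"):
            continue                       # border or header row
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 9:                # Name cell dropped, as in the scraped slide text
            cells.insert(7, "")
        if len(cells) != 10:
            raise ValueError(f"unexpected row: {line!r}")
        m = PRIO_RE.match(cells[9])
        if m is None:
            raise ValueError(f"unexpected priority: {cells[9]!r}")
        rules.append(ZoningRule(int(cells[0]), int(cells[1]), int(cells[2]), cells[3],
                                cells[4], cells[8], int(m.group(2))))
    return rules


def lookup(rules: list[ZoningRule], src_class: int, dst_class: int) -> ZoningRule | None:
    """Winning rule for an exact src/dst class pair (lowest priority number wins).
    Assumption: the VRF's catch-all rules are not in the excerpt, so a miss returns None."""
    hits = [r for r in rules if r.src_epg == src_class and r.dst_epg == dst_class]
    return min(hits, key=lambda r: r.priority, default=None)


def enforce(rules: list[ZoningRule], src_class: int, dst_class: int,
            dst_is_local: bool) -> tuple[str, int]:
    """Return (action, PA bit). PA=1: policy applied on this leaf. PA=0: enforcement is
    left to the egress leaf, which redir_override forces when the destination is remote."""
    rule = lookup(rules, src_class, dst_class)
    if rule is None:
        return "no-rule-in-excerpt", 0
    if "redir_override" in rule.action and not dst_is_local:
        return "forward-without-policy", 0
    if rule.action.startswith("redir"):
        return "redirect", 1
    return rule.action, 1
```

Running enforce for the consumer-to-provider pair (32271 to 32272) with a remote destination returns PA=0, which is the condition under which the provider leaf applies the redirect on the next slide.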
Conversational learning.

ACI Multi-Site vzAny-to-EPG PBR: Consumer to provider direction (NDO 4.2(1), ACI 6.0(3))
(Figure: Site1 with FW1 (Active/Standby) and EPG Web, Site2 with FW2 (Active/Standby) and EPG App, connected over the Inter Site Network; vzAny is the consumer and App the provider of a Redirect-TCP contract.)
The provider leaf always applies the PBR policy: provider leaf enforcement keeps traffic symmetric.

ACI Multi-Site vzAny-to-EPG PBR: Provider to consumer direction
(Same topology.) The provider leaf always applies the PBR policy: provider leaf enforcement keeps traffic symmetric.

ACI Multi-Site vzAny-to-EPG PBR: What if the provider leaf doesn't know the consumer endpoint? (1/2)
Force traffic to be inspected by the service device in the provider site.
1: app-to-web TCP traffic. Destination class: 1. Traffic is implicitly permitted (PA=0).
2: TCP traffic from another site (PA=0). If traffic comes from site2 AND PA=0, traffic is redirected to FW2 in site2. The egress leaf learns the source IP.
3: Traffic from the firewall to the destination.

ACI Multi-Site vzAny-to-EPG PBR: What if the provider leaf doesn't know the consumer endpoint? (2/2)
Conversational Learning to get the ingress leaf to learn the destination EP.
(Figure: web 192.168.1.1/24 in Site1, app 192.168.2.1/24 in Site2.)
1: app-to-web TCP traffic. Destination class: 1. Traffic is implicitly permitted (PA=0).
2: The consumer leaf sends a copy of the traffic to the CPU and sends a control packet to the ingress leaf (SIP: 192.168.1.1, DIP: 192.168.2.1).
3: The provider leaf receives the traffic and learns 192.168.1.1 (it's not forwarded to 192.168.2.1).

Multi-Site PBR Roadmap: vzAny-to-vzAny
(Figure: consumer vzAny, provider vzAny, contract action Redirect. NDO 4.2(1), ACI 6.0(3).)

ACI Multi-Site vzAny-to-vzAny PBR: Challenges
How to keep traffic symmetric: redirect "inter-site" traffic in both the ingress and the egress sites. Note: if it's intra-site traffic, redirect doesn't happen twice.
How to ensure the ingress leaf nodes can resolve the destination class ID without the EPG subnet: Conversational learning.

ACI Multi-Site vzAny-to-vzAny PBR: Consumer to provider direction
(Figure: Site1 with FW1 (Active/Standby) and EPG Web, Site2 with FW2 (Active/Standby) and EPG App; vzAny is both consumer and provider of a Redirect-TCP contract.)
1: web-to-app TCP traffic: Redirect to FW1.
2: TCP traffic from FW1: Permit.
3: Traffic from another site: Matches the special ACL. If traffic from another site was redirected, redirect the traffic to FW2.
4: Traffic from FW2: Permit. Redirection doesn't happen again because it's intra-site traffic.
Redirect "inter-site" traffic in both the ingress and the egress sites.

PA bit (2 bits): Source Policy (SP) bit and Destination Policy (DP) bit
How to identify that traffic was redirected? The Policy Applied (PA) bit.
SP=1, DP=1 (PA=1): The egress leaf doesn't apply policy because policy was applied.
SP=0, DP=0 (PA=0): The egress leaf should apply policy because policy is not applied yet.
(Figure: EPG1, IP 192.168.1.1, on Leaf1; EPG2, IP 192.168.2.1, on Leaf2. 1: Traffic from 192.168.1.1 to 192.168.2.1. 2: If Leaf1 knows the destination class ID, policy is applied: Permit (PA=1). 3: Because PA=1, Leaf2 doesn't apply policy.)
"SP=1, DP=0" will be used for traffic from the service EPG to indicate that traffic was redirected.

ACI Multi-Site vzAny-to-vzAny PBR: Consumer to provider direction (with the special ACL)
Special ACL: Inter-Site Tunnel = Yes, VNID = VRF1, SP=1, DP=0, Action = Redirect to FW2. SP=1, DP=0 is set for traffic from the service EPG.
1: web-to-app TCP traffic: Redirect to FW1.
2: TCP traffic from FW1: Permit. SP=1, DP=0.
3: Traffic from another site: Matches the special ACL. Redirect to FW2.
4: Traffic from FW2: Permit. SP=1, DP=0. Does NOT match the special ACL because it's intra-site traffic.

ACI Multi-Site vzAny-to-vzAny PBR: Provider to consumer direction
Special ACL: Inter-Site Tunnel = Yes, VNID = V1, SP=1, DP=0, Action = Redirect to FW1. SP=1, DP=0 is set for traffic from the service EPG.
1: app-to-web TCP traffic: Redirect to FW2.
2: TCP traffic from FW2: Permit. SP=1, DP=0.
3: Traffic from another site: Matches the special ACL. Redirect to FW1.
4: Traffic from FW1: Permit. SP=1, DP=0. Does NOT match the special ACL because it's intra-site traffic.

ACI Multi-Site vzAny-to-vzAny PBR:
What if the ingress leaf doesn't know the destination class ID (1/3)
Force traffic to be inspected by the service device in the source site.
1: web-to-app TCP traffic. Destination class: 1. Traffic is implicitly permitted (PA=0).
2: TCP traffic from another site (PA=0). If traffic comes from site1 AND PA=0, traffic is redirected to FW1 in site1. The egress leaf learns the source IP.

ACI Multi-Site vzAny-to-vzAny PBR: What if the ingress leaf doesn't know the destination class ID (2/3)
Force traffic to be inspected by the service device in the destination site.
Special ACL: Inter-Site Tunnel = Yes, VNID = VRF1, SP=1, DP=0, Action = Redirect to FW2.
3: TCP traffic from FW1: Permit. SP=1, DP=0.
4: Traffic from another site: Matches the special ACL. Redirect to FW2.
5: Traffic from FW2: Permit. SP=1, DP=0. Does NOT match the special ACL because it's intra-site traffic.

ACI Multi-Site vzAny-to-vzAny PBR: What if the ingress leaf doesn't know the destination class ID (3/3)
Conversational Learning to get the ingress leaf to learn the destination EP.
(Figure: web 192.168.1.1/24 in Site1, app 192.168.2.1/24 in Site2.)
1: web-to-app TCP traffic. Destination class: 1. Traffic is implicitly permitted (PA=0).
2: The egress leaf sends a copy of the traffic to the CPU and sends a control packet to the ingress leaf (SIP: 192.168.2.1, DIP: 192.168.1.1).
3: The ingress leaf receives the traffic and learns 192.168.2.1 (it's not forwarded to 192.168.1.1).

ACI Multi-Site vzAny-to-vzAny PBR: Intra-EPG traffic
The intra-EPG permit rule (priority 3) wins over the vzAny-to-vzAny rule (priority 17).
(Figure: EPG Web in both Site1 and Site2.)
1: web-to-app TCP traffic. Source class: Web, Destination class: Web or 1. Traffic is implicitly permitted (PA=0) or hits the intra-EPG permit rule (PA=1).
2: TCP traffic from another site. Source class: Web, Destination class: Web. If PA=0, it hits the intra-EPG permit rule. If PA=1, no policy enforcement on the egress leaf.

ACI Multi-Site vzAny-to-vzAny PBR: Bypass firewall for specific EPG-to-EPG traffic
The EPG-to-EPG permit rule (priority 7 or 9) wins over the vzAny-to-vzAny rule (priority 17).
(Figure: a specific contract with EPG Web as consumer and EPG App as provider, in addition to the vzAny-to-vzAny Redirect-TCP contract.)
1: web-to-app TCP traffic. Source class: Web, Destination class: App or 1. Traffic is implicitly permitted (PA=0) or hits the Web-to-App permit rule (PA=1).
2: TCP traffic from another site. Source class: Web, Destination class: App. If PA=0, Permit. If PA=1, policy is not applied on the leaf.

ACI Multi-Site Roadmap: vzAny PBR and L3Out-to-L3Out PBR (NDO 4.2(1), ACI 6.0(3))
                 | vzAny-to-vzAny   | vzAny-to-EPG              | vzAny-to-L3Out   | L3Out-to-L3Out
Redirection      | Both sites       | Site for the specific EPG | Both sites       | Both sites
Service node     | One-node One-arm | One-node One-arm          | One-node One-arm | One-node One-arm
VRF              | Intra-VRF        | Intra-VRF                 | Intra-VRF        | Intra-VRF and Inter-VRF
By configuring a specific EPG-to-EPG contract, the firewall can be bypassed. EPG subnet configuration is not required for the specific EPGs.
Each site needs to have a PBR destination with decent high availability within the site.
ESG is not supported in Multi-Site (Roadmap).

Conclusions

Summary: How ACI PBR works, use cases and design tips
Flexible traffic redirection: Redirect specific traffic based on contract. Intra-subnet and intra-EPG/ESG redirection. Any-to-Any, Any-to-EPG/ESG redirection.
Scale easily: Symmetric PBR with tracking and resilient hash. PBR destinations can be L1/L2/L3 devices anywhere in the fabric.
Multi-Location Data Centers: Multi-Site vzAny PBR will be coming!
For configuration steps, please check the ACI PBR white paper!

Useful Links
Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper: https:/
ACI Contract Guide: https:/
Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper: https:/
Fabric Endpoint Learning White Paper: https:/
Cisco ACI and F5 BIG-IP Design Guide White Paper: https:/
ACI Multi-Pod and Service Node Integration White Paper: https:/
ACI Multi-Site and Service Node Integration White Paper: https:/
Multi-Site/Multi-Pod and F5 BIG-IP Design Guide: https:/