Cisco ACI Service Graph PBR with L3OUT as Destination

Topology:

Requirements and guidelines for PBR destination in an L3Out:

The L3Out for the PBR destination must be in either the consumer or provider VRF.

L3Out with SVI, routed sub-interface, or routed interface is supported. (Infra L3Out, GOLF L3Out, SDA L3Out, or L3Out using floating SVI for PBR destination is not supported.)

IP SLA tracking is mandatory for the PBR destination in an L3Out for better convergence.

The L3Out EPG with 0.0.0.0/0 or 0::0 subnet can’t be used for the L3Out EPG for PBR destinations: This is because of the EPG classification behavior specific to the L3Out EPG with 0.0.0.0/0 and 0::0 subnet.
The workaround is to use 0.0.0.0/1 and 128.0.0.0/1 for the L3Out EPG to catch all subnets.

Step-1: Create L4-L7 device

In the interface, use the same interface paths used in the L3OUT
The Encap value will be inherited from the L3OUT, none if routed interface.

Step-2: Configure The PBR redirect Policy:

IP SLA is required for PBR with L3OUT as destination
Destination MAC is not required, you can put zeros instead.

Configure IP SLAMON for tracking:

Step-3: Device selection policy:

Create device selection policy and select the device

Create consumer and provider connector.
in the associated network select L3out then specify the L3OUT.

Consumer connector:

Provider connector:

make sure 0.0.0.0/0 is not used int the L3OUT ext EPG subnets:

Bilel-A

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5