ACI PBR Resilient Hashing Overview and Configuration

Without Resilient Hashing

If one of the PBR nodes in a PBR policy goes down while PBR is still enabled, traffic is by default rehashed across the remaining available PBR nodes in the policy. Some traffic that was going through the available PBR nodes could be load-balanced to a different PBR node and be affected, even though it was never going through the failed PBR node, because the new PBR node that receives the traffic has no existing connection information.

With Resilient Hashing Enabled

With resilient hash PBR (introduced in APIC Release 3.2), only the traffic that went through a failed node will be redirected to a different available PBR node. Other traffic will still be redirected to the same node, so that the traffic going through other PBR nodes will not be impacted.

Resilient Hashing Configuration

Resilient hash can be set on the L4-L7 Policy Based Redirect policy.

The traffic that went through the failed node will be redirected to one of the available PBR nodes, not redistributed to multiple available PBR nodes. This is a tradeoff between resiliency and load-balancing distribution.
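The difference between the two behaviours can be seen in a small simulation, added here as an illustration and not taken from the Cisco white paper or from APIC. It assumes a simplified modulo hash, hypothetical node names, constructed sample flows, and that the failed node's traffic is taken over by the next node in the list; the real ACI hash is not modelled.

```python
import hashlib

NODES = ["pbr-node-1", "pbr-node-2", "pbr-node-3", "pbr-node-4"]  # hypothetical names

def bucket(flow, n):
    """Stable hash of a flow tuple into one of n buckets (illustrative, not the ACI hash)."""
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n

def assign_default(flows, nodes, failed=None):
    """Without resilient hashing: hash over whichever nodes are currently available."""
    alive = [n for n in nodes if n != failed]
    return {f: alive[bucket(f, len(alive))] for f in flows}

def assign_resilient(flows, nodes, failed=None):
    """With resilient hashing: keep the original buckets; only the failed node's
    bucket is pointed at one surviving node (assumed here: the next one in the list)."""
    out = {}
    for f in flows:
        node = nodes[bucket(f, len(nodes))]
        if node == failed:
            node = nodes[(nodes.index(failed) + 1) % len(nodes)]
        out[f] = node
    return out

def disrupted(before, after, failed):
    """Flows that were NOT on the failed node but changed node anyway."""
    return [f for f in before if before[f] != failed and after[f] != before[f]]

def make_flows(count=1000):
    """Constructed sample flows: (src_ip, dst_ip, protocol)."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "192.168.1.10", 6) for i in range(count)]

def simulate(failed="pbr-node-2"):
    flows = make_flows()
    before = assign_default(flows, NODES)          # all nodes up
    after_default = assign_default(flows, NODES, failed)
    after_resilient = assign_resilient(flows, NODES, failed)
    return {
        "on_failed": sum(1 for f in flows if before[f] == failed),
        "disrupted_default": len(disrupted(before, after_default, failed)),
        "disrupted_resilient": len(disrupted(before, after_resilient, failed)),
        "takeover_nodes": {after_resilient[f] for f in flows if before[f] == failed},
    }

if __name__ == "__main__":
    print(simulate())
```

For stateful PBR nodes such as firewalls, every flow counted in `disrupted_default` is a connection arriving at a node that has no state for it, while the single entry in `takeover_nodes` shows the load concentration that resilient hashing accepts in exchange.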

If the capacity of a PBR node during a PBR node failure is a concern, you can use a backup PBR node to take care of the traffic that went through the failed node.

Please refer to the following post about PBR backup policy configuration:

Reference: these are short notes from a Cisco white paper.

