Cisco ACI PBR Health Group Explained and Configuration Example

What is a Health group for ACI service graph PBR

To prevent traffic from being black-holed when one leg of a PBR node is down, Cisco ACI must stop using that PBR node for traffic in both directions (consumer side and provider side). Some L4-L7 devices can bring down one interface when another interface goes down; you can use that capability on the L4-L7 device to avoid black-holing. If the PBR node does not have this capability, use the health group feature so that PBR is disabled for the node when either its consumer or its provider connector is down.


Each PBR destination IP and MAC address can be placed in a health group. Take the example below, in which:

  • From consumer to provider (corresponding to the consumer connector), a Redirect Policy with destination 172.30.10.1 is used
  • From provider to consumer (corresponding to the provider connector), a Redirect Policy with destination 172.30.20.1 is used

If for some reason one firewall leg is down (say the leg corresponding to the consumer connector), traffic can still be forwarded from the provider EPG towards the consumer. But after hitting the FW at 172.30.20.1 it is black-holed, since the other leg is down.

To resolve this black-holing scenario, configure the PBR destinations that belong to the same PBR node (the FW) to be in the same health group.

Health Group Configuration

Navigate to Tenant > Policies > Protocol > L4-L7 Redirect Health Groups. By default, this setting is not used in L4-L7 PBR.

You create the health groups here. In L4-L7 PBR, you select a health group for each PBR destination IP address, so you can group a consumer side address and a provider side address together.


As in the previous example, I have two Redirect Policies (one for the consumer connector and one for the provider connector of the PBR node). I will configure the destination of both Redirect Policies in the same health group:

Consumer side:


Provider side:

So once the consumer leg (destination) is down, the corresponding provider leg, which is part of the same health group, will not be used either.
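The same setup expressed as APIC REST objects, as an added example that is not part of the original post: a consumer-side and a provider-side Redirect Policy whose destinations point at one shared health group, plus a check that every health group referenced is paired on both sides before anything is posted. The class names vnsRedirectHealthGroup, vnsSvcRedirectPol, vnsRedirectDest and vnsRsRedirectHealthGroup and the DN formats are my recollection of the APIC object model, i.e. assumptions to confirm with the API Inspector on your own fabric; the tenant name, policy names and MAC addresses are constructed sample values, while the destination IPs are the ones from the example above.

```python
"""Build the APIC REST payload for two PBR redirect policies sharing one
health group, and check the consumer/provider pairing before posting.

Class names and DN formats are assumptions about the APIC object model.
"""
import json


def health_group_dn(tenant: str, name: str) -> str:
    # Assumed DN format of an L4-L7 Redirect Health Group.
    return f"uni/tn-{tenant}/svcCont/redirectHealthGroup-{name}"


def health_group(tenant: str, name: str) -> dict:
    """vnsRedirectHealthGroup object (assumed class name)."""
    return {"vnsRedirectHealthGroup": {
        "attributes": {"dn": health_group_dn(tenant, name), "name": name}}}


def redirect_policy(tenant: str, name: str, destinations: list) -> dict:
    """vnsSvcRedirectPol with one vnsRedirectDest per (ip, mac, health_group).

    Each destination carries a vnsRsRedirectHealthGroup relation (assumed
    class name) so the destination is tracked as a member of that group.
    """
    children = []
    for ip, mac, hg in destinations:
        children.append({"vnsRedirectDest": {
            "attributes": {"ip": ip, "mac": mac},
            "children": [{"vnsRsRedirectHealthGroup": {
                "attributes": {"tDn": health_group_dn(tenant, hg)}}}]}})
    return {"vnsSvcRedirectPol": {
        "attributes": {"dn": f"uni/tn-{tenant}/svcCont/svcRedirectPol-{name}",
                       "name": name},
        "children": children}}


def groups_of(policy: dict) -> list:
    """Health-group DNs referenced by a redirect policy, in destination order."""
    dns = []
    for dest in policy["vnsSvcRedirectPol"]["children"]:
        for rel in dest["vnsRedirectDest"]["children"]:
            dns.append(rel["vnsRsRedirectHealthGroup"]["attributes"]["tDn"])
    return dns


def unpaired_groups(consumer_pol: dict, provider_pol: dict) -> set:
    """Health groups referenced on only one side.

    A group with a member on just one connector cannot protect the node,
    because the other leg is never withdrawn. Returns the offending DNs
    (an empty set means every group is paired consumer/provider).
    """
    return set(groups_of(consumer_pol)) ^ set(groups_of(provider_pol))


TENANT = "Tenant1"            # constructed sample value
FW_GROUP = "FW-HealthGroup"   # constructed sample value

# Destination IPs from the post; MAC addresses are constructed.
consumer_pol = redirect_policy(
    TENANT, "PBR-Consumer", [("172.30.10.1", "00:00:5E:00:01:0A", FW_GROUP)])
provider_pol = redirect_policy(
    TENANT, "PBR-Provider", [("172.30.20.1", "00:00:5E:00:01:14", FW_GROUP)])

if __name__ == "__main__":
    payload = {"fvTenant": {"attributes": {"dn": f"uni/tn-{TENANT}"},
                            "children": [health_group(TENANT, FW_GROUP),
                                         consumer_pol, provider_pol]}}
    print(json.dumps(payload, indent=2))
    print("unpaired health groups:", unpaired_groups(consumer_pol, provider_pol))
```

The pairing check is the part worth keeping in any automation: a health group that only ever appears on one connector is configured but useless, and nothing in the GUI warns you about it.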


Another example: assume that you have two PBR nodes.

  • One has 172.16.1.1 as the consumer connector and 172.16.2.1 as the provider connector, and these are in Health-group1.
  • The other node has 172.16.1.2 as the consumer connector and 172.16.2.2 as the provider connector, and these are in Health-group2.

➜ If either of the PBR destinations in the same health group is down, that node will not be used for PBR.
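To make the selection rule concrete for both examples on this page (the single firewall above and the two nodes in Health-group1 and Health-group2), here is a small simulation, added here and not part of the original post or of Cisco's code. Each PBR node is modelled with a consumer-connector IP and a provider-connector IP, each destination can be marked up or down, and the rule implemented is exactly the one stated: if any destination in a health group is down, none of that group's destinations is used. The IPs are the ones from the post; the node and group names are constructed.

```python
"""Simulate PBR destination selection with and without health groups.

Added example; the rule modelled is the one stated in the post, not a
reproduction of the fabric's implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PbrNode:
    name: str
    consumer_ip: str    # destination for consumer -> provider traffic
    provider_ip: str    # destination for provider -> consumer traffic
    health_group: Optional[str] = None  # None: health groups not configured


CONSUMER_TO_PROVIDER = "consumer_to_provider"
PROVIDER_TO_CONSUMER = "provider_to_consumer"


def _leg(node: PbrNode, direction: str) -> str:
    return node.consumer_ip if direction == CONSUMER_TO_PROVIDER else node.provider_ip


def _other_leg(node: PbrNode, direction: str) -> str:
    return node.provider_ip if direction == CONSUMER_TO_PROVIDER else node.consumer_ip


def down_groups(nodes: list, down_ips: set) -> set:
    """Health groups that have at least one member destination down."""
    return {n.health_group for n in nodes
            if n.health_group is not None
            and (n.consumer_ip in down_ips or n.provider_ip in down_ips)}


def usable_destinations(nodes: list, down_ips: set, direction: str) -> list:
    """Destination IPs the fabric would still redirect to in one direction.

    Without a health group only the leg that is itself down is skipped; with
    a health group the whole node is withdrawn as soon as any member is down.
    """
    bad_groups = down_groups(nodes, down_ips)
    return [_leg(n, direction) for n in nodes
            if _leg(n, direction) not in down_ips
            and n.health_group not in bad_groups]


def blackholed_destinations(nodes: list, down_ips: set, direction: str) -> list:
    """Destinations that still receive redirected traffic although the node's
    other leg is down: traffic enters the node and is lost there."""
    usable = set(usable_destinations(nodes, down_ips, direction))
    return [_leg(n, direction) for n in nodes
            if _leg(n, direction) in usable and _other_leg(n, direction) in down_ips]


# First example from the post: one firewall, consumer leg down.
FW_NO_GROUP = [PbrNode("FW", "172.30.10.1", "172.30.20.1")]
FW_GROUPED = [PbrNode("FW", "172.30.10.1", "172.30.20.1", "FW-HG")]
CONSUMER_LEG_DOWN = {"172.30.10.1"}

# Second example from the post: two nodes, one health group each.
TWO_NODES = [
    PbrNode("node1", "172.16.1.1", "172.16.2.1", "Health-group1"),
    PbrNode("node2", "172.16.1.2", "172.16.2.2", "Health-group2"),
]

if __name__ == "__main__":
    for label, nodes in (("no health group", FW_NO_GROUP), ("health group", FW_GROUPED)):
        used = usable_destinations(nodes, CONSUMER_LEG_DOWN, PROVIDER_TO_CONSUMER)
        lost = blackholed_destinations(nodes, CONSUMER_LEG_DOWN, PROVIDER_TO_CONSUMER)
        print(f"{label}: provider->consumer redirects to {used}, black-holed at {lost}")
    print("node1 consumer leg down, provider->consumer:",
          usable_destinations(TWO_NODES, {"172.16.1.1"}, PROVIDER_TO_CONSUMER))
```

Running it shows the contrast the post describes: without a health group, provider-to-consumer traffic is still sent to 172.30.20.1 and black-holed; with the group, that destination is withdrawn too. In the two-node case, losing 172.16.1.1 removes node1 in both directions while node2 keeps carrying traffic.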


Reference: PBR white paper

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5