Cisco ACI Service Graph PBR Direct Connect Option [Explained with Example]
When the Direct Connect Option is needed
If you deploy a service graph with PBR using the default configuration, the keepalive messages (probes) that L4-L7 devices send to servers to monitor their availability fail. This is because, by default, there is no permit entry for traffic from the provider EPG to the provider connector of the PBR node (and likewise from the consumer EPG to the consumer connector).
Cisco ACI Service Graph PBR without Direct Connect
In the following example, traffic from the consumer EPG (16388) to the consumer connector (also called shadow EPG) of the PBR node (49154) and from the provider EPG (49153) to the provider connector of the PBR node (49154) is not permitted.
Let’s check the zoning rules before enabling the Direct Connect option:
Leaf-101# show zoning-rule scope 3047424
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4228 | 49153 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4231 | 16388 | 49153 | default | bi-dir | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4232 | 49154 | 49153 | default | uni-dir | enabled | 3047424 | | permit | src_dst_any(9) |
| 4229 | 49154 | 16388 | default | uni-dir | enabled | 3047424 | | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
Cisco ACI Service Graph PBR with Direct Connect Enabled
For situations in which you require permit entries for this traffic (from the consumer/provider EPG to the PBR node's consumer/provider connector), you can set the Direct Connect option to True.
This configuration is located in Tenant > L4-L7 Services > L4-L7 Service Graph Templates > Policy. The default setting is False. You just need to check the box to make it True:
Let’s recheck the zoning rules after enabling the Direct Connect option. The newly added zoning rules are the last two rows of the table (4233 and 4234):
In my example, I enabled Direct Connect on both the provider connector and the consumer connector, but of course you can choose just one according to your design requirements.
We can see two new rules in the zoning table:
- From the consumer EPG (16388) to the consumer connector (shadow EPG) of the PBR node (49154), with action permit.
- From the provider EPG (49153) to the provider connector of the PBR node (49154), with action permit.
# show zoning-rule scope 3047424
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
| 4228 | 49153 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4231 | 16388 | 49153 | default | bi-dir | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4232 | 49154 | 49153 | default | bi-dir | enabled | 3047424 | | permit | src_dst_any(9) |
| 4229 | 49154 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | permit | src_dst_any(9) |
| 4234 | 49153 | 49154 | default | uni-dir-ignore | enabled | 3047424 | | permit | src_dst_any(9) |
| 4233 | 16388 | 49154 | default | bi-dir | enabled | 3047424 | | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+------+------------------+----------------------+
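As an added example (not part of the original post), the following Python script parses the two tables above and reports, for each server EPG, whether the probe direction and the reply direction to the PBR connector both have an enabled permit entry; it also lists which rule IDs appeared after enabling Direct Connect. The sample tables are copied from this post; the column names are my own.

```python
"""Parse 'show zoning-rule' output and check the PBR health-probe paths.
Added example for this post; BEFORE/AFTER are the two tables shown above."""

BEFORE = """\
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4228 | 49153 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4231 | 16388 | 49153 | default | bi-dir | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4232 | 49154 | 49153 | default | uni-dir | enabled | 3047424 | | permit | src_dst_any(9) |
| 4229 | 49154 | 16388 | default | uni-dir | enabled | 3047424 | | permit | src_dst_any(9) |
"""
AFTER = """\
| 4228 | 49153 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4231 | 16388 | 49153 | default | bi-dir | enabled | 3047424 | | redir(destgrp-2) | src_dst_any(9) |
| 4232 | 49154 | 49153 | default | bi-dir | enabled | 3047424 | | permit | src_dst_any(9) |
| 4229 | 49154 | 16388 | default | uni-dir-ignore | enabled | 3047424 | | permit | src_dst_any(9) |
| 4234 | 49153 | 49154 | default | uni-dir-ignore | enabled | 3047424 | | permit | src_dst_any(9) |
| 4233 | 16388 | 49154 | default | bi-dir | enabled | 3047424 | | permit | src_dst_any(9) |
"""

# Column names are assumptions that mirror the CLI header in order.
COLUMNS = ("rule_id", "src_epg", "dst_epg", "filter", "dir", "oper_st",
           "scope", "name", "action", "priority")

def parse_zoning_rules(text):
    """Return one dict per rule row of a 'show zoning-rule' ASCII table."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| Rule ID"):
            continue  # skip '+---' borders and the header row
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == len(COLUMNS):
            rules.append(dict(zip(COLUMNS, cells)))
    return rules

def is_permitted(rules, src_epg, dst_epg):
    """True if an enabled permit rule exists for exactly src_epg -> dst_epg."""
    return any(r["src_epg"] == src_epg and r["dst_epg"] == dst_epg
               and r["action"] == "permit" and r["oper_st"] == "enabled"
               for r in rules)

def probe_paths(rules, server_epg, connector_epg):
    """Keepalives need the probe (connector -> server) and its reply."""
    return {"probe": is_permitted(rules, connector_epg, server_epg),
            "reply": is_permitted(rules, server_epg, connector_epg)}

def added_rule_ids(before, after):
    """Rule IDs present in the 'after' table but not in 'before'."""
    return sorted({r["rule_id"] for r in after} - {r["rule_id"] for r in before})
```

Run `probe_paths(parse_zoning_rules(BEFORE), "49153", "49154")` to see the missing reply path that breaks the probes without Direct Connect.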