Cisco ACI Service Graph PBR with L3OUT as Destination

Topology:

Requirements and guidelines for PBR destination in an L3Out:

• The L3Out for the PBR destination must be in either the consumer or provider VRF.

• L3Out with SVI, routed sub-interface, or routed interface is supported. (Infra L3Out, GOLF L3Out, SDA L3Out, or L3Out using floating SVI for PBR destination is not supported.)

• IP SLA tracking is mandatory for the PBR destination in an L3Out for better convergence.

• The L3Out EPG with 0.0.0.0/0 or 0::0 subnet can’t be used for the L3Out EPG for PBR destinations: This is because of the EPG classification behavior specific to the L3Out EPG with 0.0.0.0/0 and 0::0 subnet.
  The workaround is to use 0.0.0.0/1 and 128.0.0.0/1 for the L3Out EPG to catch all subnets.

Step-1: Create L4-L7 device

• In the interface, use the same interface paths used in the L3OUT
• The Encap value will be inherited from the L3OUT, none if routed interface.

Step-2: Configure The PBR redirect Policy:

• IP SLA is required for PBR with L3OUT as destination
• Destination MAC is not required, you can put zeros instead.

Configure IP SLAMON for tracking:

Step-3: Device selection policy:

• Create device selection policy and select the device

• Create consumer and provider connector.
• in the associated network select L3out then specify the L3OUT.

Consumer connector:

Provider connector:

make sure 0.0.0.0/0 is not used int the L3OUT ext EPG subnets: