Cisco ACI Service Graph Symmetric PBR
Reference: Cisco.com
What is Symmetric PBR in ACI
If a PBR destination group has multiple destinations, PBR can load-balance traffic across more than one PBR destination rather than a single node such as an individual firewall.
If, for example, you have three PBR destinations, IP and MAC address pairs are configured in a PBR policy, and traffic is redirected to one of the three PBR nodes based on hashing. The hash tuple is the source IP address, destination IP address, and protocol number by default.
Because L4-L7 devices are stateful (perform connection/session tracking), they must see both directions of a flow. Therefore, you need to make sure that incoming and return traffic are redirected to the same PBR node.
ACI Symmetric PBR is the feature that provides this capability.
1- Traffic from consumer to provider is redirected to one of the service nodes (based on a hash):
Based on the hash selected for the redirect policy (by default the source IP address, destination IP address, and protocol number), a hash is calculated and that hash is associated with one of the PBR destination nodes (part of the destination group).
2- The return traffic is redirected to the same node (based on the hash):
Since the return traffic uses the same tuple for hashing, it computes the same hash. As a result, it is redirected to the same PBR destination node.
How to Configure Symmetric PBR
Starting from APIC Release 2.2(3j) and 3.1, the hash tuple is user configurable. You can use the source IP address only, the destination IP address only, or a combination of the source IP address, destination IP address, and protocol number (default).
If you use the source IP address only or the destination IP address only option, you need to configure options for both directions to keep traffic symmetric.
Using Source IP or Destination IP for the Hash
For example, if you use the source IP address only option for incoming traffic, you must use the destination IP address only option for return traffic to keep traffic symmetric.
The use case for symmetric PBR with the source IP only or the destination IP only is a scenario in which the traffic from a source IP address (user) always needs to go through the same service node.
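The following is an added model of the node selection described above (hash tuple, and the source-IP-only / destination-IP-only pairing), not Cisco's own hashing algorithm, which the page does not specify; the node IPs and flows are constructed values. It shows why the default tuple keeps a flow symmetric, why source-only forward must be paired with destination-only return, and how a mismatched pairing breaks symmetry.

```python
import hashlib

# Constructed PBR destination group: three service-node IPs (assumed values).
PBR_NODES = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]

def select_node(src_ip, dst_ip, proto, mode="sip-dip-proto", nodes=PBR_NODES):
    """Pick the PBR node for one packet.

    mode: "sip-dip-proto" (default tuple), "sip" (source IP only) or
    "dip" (destination IP only). The default tuple is ordered so that the
    return packet (src/dst swapped) produces the same key, which is what
    makes the default hash symmetric on its own.
    """
    if mode == "sip-dip-proto":
        key = tuple(sorted([src_ip, dst_ip])) + (str(proto),)
    elif mode == "sip":
        key = (src_ip,)
    elif mode == "dip":
        key = (dst_ip,)
    else:
        raise ValueError("unknown hash mode: %s" % mode)
    # Illustrative hash (SHA-256 of the key), not the fabric's real function.
    digest = hashlib.sha256("|".join(key).encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]

def asymmetric_flows(flows, fwd_mode, ret_mode):
    """Return the flows whose forward and return packets land on different
    nodes, given the hash mode configured for each direction."""
    broken = []
    for src_ip, dst_ip, proto in flows:
        fwd = select_node(src_ip, dst_ip, proto, fwd_mode)
        ret = select_node(dst_ip, src_ip, proto, ret_mode)  # swapped tuple
        if fwd != ret:
            broken.append((src_ip, dst_ip, proto, fwd, ret))
    return broken

# Constructed sample flows: 30 TCP sessions from users to servers.
SAMPLE_FLOWS = [("10.0.0.%d" % i, "10.0.1.%d" % ((i * 7) % 254 + 1), 6)
                for i in range(1, 31)]

if __name__ == "__main__":
    for fwd_mode, ret_mode in [("sip-dip-proto", "sip-dip-proto"),
                               ("sip", "dip"), ("sip", "sip")]:
        bad = asymmetric_flows(SAMPLE_FLOWS, fwd_mode, ret_mode)
        print("forward=%s return=%s -> %d asymmetric flows"
              % (fwd_mode, ret_mode, len(bad)))
```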