Cisco ACI Service Graph Symmetric PBR
What is Symmetric PBR in ACI
PBR can load-balance traffic across more than one PBR destination rather than to a single device such as an individual firewall. If, for example, you have three PBR destinations (IP and MAC address pairs) configured in a PBR policy, traffic is redirected to one of the three PBR nodes based on hashing. By default, the hash tuple is the source IP address, destination IP address, and protocol number.
Because L4-L7 devices perform connection tracking, they must see both directions of a flow. Therefore, you need to make sure that incoming and return traffic are redirected to the same PBR node.
–> Symmetric PBR is the feature that enables this capability.
1- Traffic from consumer to provider is redirected to one of the service nodes (based on a hash):
2- The return traffic is redirected to the same node (based on the hash):
How to Configure Symmetric PBR
Starting from APIC Release 2.2(3j) and 3.1, the hash tuple is user configurable. You can use the source IP address only, the destination IP address only, or a combination of the source IP address, destination IP address, and protocol number (default).
If you use the source IP address only or the destination IP address only option, you need to configure options for both directions to keep traffic symmetric.
For example, if you use the source IP address only option for incoming traffic, you must use the destination IP address only option for return traffic to keep traffic symmetric.
The use case for symmetric PBR with the source IP only or the destination IP only is a scenario in which the traffic from a source IP address (user) always needs to go through the same service node.
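The following is an added example, not Cisco code and not an implementation of the ACI fabric's actual hash algorithm. It models the two points made above: why the default tuple must be hashed in an order-independent way so that a flow and its return (source and destination swapped) land on the same PBR node, and why the "source IP only" option for one direction has to be paired with "destination IP only" for the other. The three PBR destinations, the SHA-256-based bucket function, and the sample flows are all constructed for the illustration.

```python
import hashlib
import ipaddress

# Constructed PBR destinations: IP/MAC pairs standing in for three service nodes.
PBR_NODES = [
    ("192.168.10.1", "00:00:5e:00:01:01"),
    ("192.168.10.2", "00:00:5e:00:01:02"),
    ("192.168.10.3", "00:00:5e:00:01:03"),
]


def _bucket(key: bytes, n: int) -> int:
    # Stable hash to bucket index. hashlib is used instead of hash() so the
    # result does not change between Python processes (assumed model hash,
    # not the fabric's real algorithm).
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def select_node(src_ip: str, dst_ip: str, proto: int, mode: str = "default", nodes=PBR_NODES):
    """Pick the PBR node for one direction of a flow.

    mode: "default" = src IP + dst IP + protocol (hashed order-independently),
          "src"     = source IP address only,
          "dst"     = destination IP address only.
    """
    s = ipaddress.ip_address(src_ip).packed
    d = ipaddress.ip_address(dst_ip).packed
    if mode == "default":
        # Sort the two addresses so (A,B) and (B,A) produce the same key;
        # this is what makes the default tuple symmetric for return traffic.
        lo, hi = sorted((s, d))
        key = lo + hi + bytes([proto])
    elif mode == "src":
        key = s
    elif mode == "dst":
        key = d
    else:
        raise ValueError(f"unknown hash mode: {mode}")
    return nodes[_bucket(key, len(nodes))]


def is_symmetric(src_ip: str, dst_ip: str, proto: int, fwd_mode: str, ret_mode: str) -> bool:
    """True if the forward flow and its return flow hit the same PBR node."""
    fwd = select_node(src_ip, dst_ip, proto, fwd_mode)
    # The return flow sees source and destination swapped.
    ret = select_node(dst_ip, src_ip, proto, ret_mode)
    return fwd == ret


def constructed_flows(count: int = 300):
    """Constructed sample of (src, dst, proto) flows with distinct addresses."""
    return [
        (f"10.1.{i // 256}.{i % 256}", f"172.16.{(i * 7) % 256}.{(i * 13) % 256}", 6)
        for i in range(count)
    ]


def count_symmetric(flows, fwd_mode: str, ret_mode: str) -> int:
    """How many flows keep both directions on the same node for a mode pairing."""
    return sum(is_symmetric(s, d, p, fwd_mode, ret_mode) for s, d, p in flows)


if __name__ == "__main__":
    flows = constructed_flows()
    for pairing in (("default", "default"), ("src", "dst"), ("dst", "src"), ("src", "src")):
        n = count_symmetric(flows, *pairing)
        print(f"forward={pairing[0]:8s} return={pairing[1]:8s} symmetric {n}/{len(flows)}")
```

Running it shows the default pairing and the src/dst pairing keeping every flow on one node, while a src/src pairing (the misconfiguration the text warns against) scatters the return direction across the nodes, which is exactly the case where a connection-tracking firewall drops the flow.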