L2 PBR Configuration – Cisco ACI

In an L2 PBR design, traffic is redirected to a PBR destination MAC address, which is a static MAC endpoint programmed on the leaf interface connected to the L1/L2 device interface.

The client endpoint generates traffic destined for the web endpoint. If Leaf1 has already learned the destination endpoint, Leaf1 can resolve both the source and destination EPG class IDs, so PBR is performed on Leaf1. Otherwise, the traffic is sent to the spine proxy and the redirect is applied on the destination leaf.

Assuming the destination Web EP is already learned (Xr) on Leaf1, the traffic matches the zoning rule with the redirect action, whose destination group corresponds to the consumer redirect policy (in which the destination MAC is MAC-A).

  • The destination MAC address is rewritten to the static MAC endpoint MAC-A. This means the traffic is redirected to the consumer connector of the PBR device.
  • Redirected traffic destined to a PBR destination is always sent to the L2 spine proxy (using the VNID of the BD Svc-Con-BD).
  • If tracking is enabled on the PBR node, it must be disabled, because the PBR node should not learn the source MAC. The PBR node has the MAC configured statically; in this example, it must have a MAC address table entry stating that MAC-A is reachable via G0/1, which is connected to Leaf3 Eth1/1.

Even though the PBR node bridge domains do not have a BD subnet, traffic can be routed on Leaf3. Because Leaf3 does not know the destination endpoint (in the Web EPG), the traffic goes to the L2 spine proxy again and then to Leaf4.

Leaf4 does not learn the client IP address from this traffic because Endpoint Dataplane Learning is disabled for the PBR node bridge domain.

Basic L2 PBR Configuration Example

1- L4-L7 Device configuration:

2- Service graph template:

IP SLA Monitoring Policy:

3- Create Redirect Policy for Consumer connector:

In the L2 Destination section:

  • Specify the MAC address (the static EP MAC for the consumer connector).
  • Specify the Health group (both PBR node legs, consumer and provider, belong to the same Health group).

4- Create Redirect Policy for Provider connector:

5- Create consumer/provider service Bridge Domains:

  • IP routing must be enabled (but no BD subnet is required).

6- Configure device selection policies and define consumer and provider connectors:
