
ACI L4-L7 Practice Lab

Policy Based Redirect (PBR)


Daniel Pita – Solutions Architect
Goran Saradzic – Solutions Architect
Ricardo Trentin – Solutions Architect

LTRACI-2226
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

LTRACI-2226 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

• Introduction
• ACI Service Insertion
• L4-L7 Lab

Introduction
Deploying Services in a Traditional Network

Figure (per-device CLI, not reproduced as text): one column per tier (Web Tier, Application Tier, Database Tier), each showing the box-by-box configuration needed before the first packet flows. Switches (switch1, switch2, switch3): access-mode ports on a per-tier VLAN (int eth x/y, switchport mode access, switchport access vlan N, no shut). Edge router (router1): interface addressing and a router bgp process with a network statement per server subnet. One firewall per tier (fw1, fw2, fw3): named interfaces (nameif outside / webfront / appfront), a network object per VIP (webfront_vip, appfarm_vip), a static nat between front and back interfaces, and an access-list (outside_web, web_to_app) permitting only the VIP ports (tcp/80 and tcp/443 to the web VIP, tcp/8081 to the app VIP) applied with access-group ... in interface. One load balancer per tier (slb1, slb2, slb3): an http probe (expect status 200), rserver host entries for websrvr1-3, appsrvr1-3 and dbsrvr1-3 with inservice, serverfarms WEBFARM / APPFARM / DBFARM, class-maps matching each virtual-address and port (80 and 443, 8081, 1531), sticky-serverfarm with sn_cookie, multi-match policy-maps (WEB-VIP, APP-VIP, DB-VIP) with loadbalance vip inservice / icmp-reply / advertise active, applied as service-policy input on an interface vlan.
Service Insertion
Traditional Service Insertion

Inserting additional service devices significantly increases the number of contracts and VLANs to manage.

Figure: EP1 (consumer, BD1 / EPG1, subnet S1) reaches EP2 (provider, BD2 / EPG2, subnet S2) through FW1 in VRF V1 and FW2 in VRF V2. The resulting routing and contract state:

  VRF  Route  pcTag  Flags
  V1   S1     1      proxy
  V1   S2     FW1    Enforce Policy
  V2   S1     FW2    Enforce Policy
  V2   S2     1      proxy

  Contract  VRF  Action  Src   Dst   Filter
  C1        V1   permit  EPG1  FW1   HTTP
  C1        V1   permit  FW1   EPG1  HTTP
  implicit  V1   deny    any   any   all
  C1        V2   permit  EPG2  FW2   HTTP
  C1        V2   permit  FW2   EPG2  HTTP
  implicit  V2   deny    any   any   all

The Networking Challenge

• Configuration on multiple devices


• Allocation of VLANs
• Missing VLANs
• Misconfigured trunks
• VLAN mismatch between hypervisor & switch
• Firewall/Load Balancer/SSL misconfiguration

The Application Challenge

• I.T. is all about applications


• Application owners need agility
• Quick turnaround on firewall/SLB change requests
• Unbounded number of endpoints in a virtualized datacenter
• Framework for pre-approved, secure changes
• Ever increasing number of stale firewall rules

ACI Service Insertion
A Unified Approach to Service Insertion

• Configure Once –> deploy multiple times


• The benefits of the service graph are:
• Configuration templates that can be reused multiple times
• Automatic management of VLAN assignments
• Collecting Health scores from the device
• Collecting statistics from the device
• Updating ACLs and Pools automatically with endpoint discovery

Contract Structure

• A contract contains:
• One or more subjects. A subject points to:
• One or more filters. A filter contains:
• One or more entries. The entry defines the sport/dport.

Figure: Contract -> Subject (1..n) -> Filter (1..n) -> FilterEntry (1..n), e.g. a FilterEntry "from unspecified to port 80".

How Service Graphs work

• The Service Graph Template defines HOW traffic should flow.
• The Device tells us how many interfaces and logical connectors are on the Service Device.
• The Contract selects the traffic to redirect.
• The Device Selection Policy defines how the Device will communicate with the fabric.

Figure: EP1 in the Client EPG (leaf L1) and EP2 in the Web EPG (leaf L2), with a shadow EPG in between representing the service device's connectors.

Service Template and Graph Definition

Service Graph "web-application": Consumer Terminal -> Function: Firewall -> Function: SSL offload -> Function: Load Balancer -> Provider Terminal. Each function has connectors (VLANs) on both sides; a connector can be flagged for redirect.

L4-L7 parameters are attached per function, for example:
• Firewall: permit ip tcp * dest-ip <vip> dest-port 80; deny ip udp *
• SSL offload: ipaddress <vip> port 80
• Load Balancer: virtual-ip <vip>, port 80, lb-algorithm round-robin, SNAT none

What are shadow EPGs?
A 'two armed' example

• Shadow EPGs connect to the service device's external and internal interfaces.
• The external interface is called the "Consumer Connector".
• The internal interface is the "Provider Connector".
• Each is represented by a VLAN and has its own pcTag.

Figure: EP1 in the Client EPG (leaf L1) and EP2 in the Web EPG (leaf L2); the shadow EPG holds the Consumer Connector (Cons) and the Provider Connector (Prov) of the device.

How Service Graphs work
A quick review

• Service Graph Template
• Defines the flow of traffic

• Devices
• The physical device and the interfaces it connects to in the fabric. Converted to a Consumer Connector and a Provider Connector.

• Device Selection Policy
• Ties the physical device to a Graph template and a contract

• Contract
• Places the contract between Consumer & Provider and the shadow EPG

So, What is Managed vs Unmanaged?
Service Policy mode vs Network Policy mode

• Completely unmanaged: EPG stitching with contracts, no service graph
• Network-only automation (Network Policy mode): the light-weight package
• Network and policy automation (Service Policy mode): the complete package

What is L4-L7 Device Package?

• Service functions are added to APIC through a device package.
• A Device Package contains a device model/specification (the configuration model, an XML file) and a device script.
• The Device Model/Specification defines the service function.
• The device script translates service functions from APIC to the service device.
• The script can interface with the device using REST, SSH or any mechanism.

Figure: APIC Policy Manager -> Configuration Model -> Script Engine (APIC Script Interface) -> Device Scripts -> Device Interface (REST/CLI) -> Service Device.

Cloud Orchestrators + ACI : FW-aaS & LB-aaS

• APIC provides a normalized set of configuration parameters for ANY L4-L7 service (LB-aaS and FW-aaS).
• Cloud controllers (WAP, CliqR or vRealize etc.) provision services using the normalized parameters in a vendor-agnostic manner.
• APIC maps the normalized parameters to vendor-specific parameters and programs the services using vendor-specific constructs.

Figure: Normalized Service Configuration (LB-aaS, FW-aaS) at the orchestrator -> APIC -> Vendor Specific Configuration on the service device.

Logical Devices and Concrete Devices

• Create a ‘cluster’ of device(s)


• How do you reach them
• What credentials to use
• How are they connected to the fabric
• Virtual vs physical
• Dynamic nature of VLAN (or VXLAN) pool
• High Availability, cluster, etc.
• DNS, NTP, Syslog, etc. etc.

• What are concrete devices then?

Policy Based Redirect (PBR)

• Inspect all OR specific traffic by FW
• One-arm ADC w/o SNAT
• APIC 2.0 or later

Figure: contract between EPG Client and EPG Web with a Redirect to the firewall. Only HTTP traffic is redirected to the FW and then forwarded on to the Web endpoint by the FW; other traffic permitted by the contract goes to the Web endpoint directly. Policy (PBR) is applied to both the traffic from the client and the return traffic.

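The contract structure above (contract -> subject -> filter -> entry) and the PBR redirect described here are plain APIC managed objects. As an added example, not code from the lab guide or from APIC, the following Python builds that object tree for an HTTP-only contract bound to a service graph, plus one redirect policy per firewall arm, and shows how it would be POSTed. The tenant, filter, contract and graph names, the .250 firewall addresses, the MACs and the APIC hostname are all assumptions for illustration.

```python
"""Build the APIC JSON for an HTTP-only contract bound to a service graph,
plus the PBR redirect policies for a two-arm firewall.

Added example for this session, not code from the lab guide or from APIC.
Tenant, filter, contract and graph names, the firewall interface IP/MAC
pairs and the APIC hostname are all assumptions for illustration.
"""
import json
import ssl
import urllib.request


def mo(cls, attributes, children=()):
    """Wrap a managed object in the {class: {"attributes", "children"}} shape APIC expects."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def http_filter(name="http"):
    """vzFilter -> vzEntry: TCP from an unspecified source port to destination port 80."""
    return mo("vzFilter", {"name": name}, [
        mo("vzEntry", {"name": "tcp-80", "etherT": "ip", "prot": "tcp",
                       "dFromPort": "80", "dToPort": "80"}),
    ])


def contract(name, filter_name, graph_name=None):
    """vzBrCP -> vzSubj -> vzRsSubjFiltAtt, with the graph attached via vzRsSubjGraphAtt."""
    rels = [mo("vzRsSubjFiltAtt", {"tnVzFilterName": filter_name})]
    if graph_name:
        rels.append(mo("vzRsSubjGraphAtt", {"tnVnsAbsGraphName": graph_name}))
    # revFltPorts=yes makes APIC program the reverse (return-traffic) rule as well.
    return mo("vzBrCP", {"name": name, "scope": "context"}, [
        mo("vzSubj", {"name": "http-subj", "revFltPorts": "yes"}, rels),
    ])


def redirect_policy(name, destinations):
    """vnsSvcRedirectPol -> vnsRedirectDest (IP + MAC of one firewall arm per entry).

    The MAC is what the ingress leaf rewrites the DMAC to when it redirects.
    """
    return mo("vnsSvcRedirectPol", {"name": name}, [
        mo("vnsRedirectDest", {"ip": ip, "mac": mac}) for ip, mac in destinations
    ])


def build_tenant(tenant="lab1", graph="fw-pbr"):
    """Whole tenant subtree: filter, contract with graph, one redirect policy per firewall arm."""
    return mo("fvTenant", {"name": tenant}, [
        http_filter("http"),
        contract("client-to-web", "http", graph),
        # Assumed .250 host addresses of the firewall in BD-Out and BD-In, and assumed MACs.
        redirect_policy("fw-out", [("10.10.1.250", "00:00:5e:00:01:10")]),
        redirect_policy("fw-in", [("10.10.2.250", "00:00:5e:00:01:20")]),
    ])


def find(tree, cls):
    """Depth-first search returning the body of every object of class `cls`."""
    found = []
    for key, body in tree.items():
        if key == cls:
            found.append(body)
        for child in body.get("children", []):
            found.extend(find(child, cls))
    return found


def post_to_apic(apic, token, payload, verify_tls=True):
    """POST the tree to https://<apic>/api/mo/uni.json with an APIC-cookie session token.

    Lab APICs often carry self-signed certificates; disable verification only on a lab box.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        "https://%s/api/mo/uni.json" % apic,
        data=json.dumps(payload).encode(),
        headers={"Cookie": "APIC-cookie=%s" % token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_tenant(), indent=2))
```

The filter entry carries only the destination port, exactly like the "from unspecified to port 80" entry in the slide; revFltPorts on the subject is what lets the return traffic match without a second filter. Binding the graph to the subject rather than to the whole contract is what limits the redirect to the HTTP subject while other subjects in the same contract go direct.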
Path of Packet

1. EP1 sends a packet to EP2 via Leaf 1 (L1).
2. L1 does a route & policy lookup. The contract's redirect rule points at the Service BD / Service MAC, so L1 rewrites the frame (DMAC = FW MAC, VXLAN VNID = Service BD) and sends it to the spine proxy.
3. The MAC proxy does a MAC lookup in the hardware COOP DB.
4. Traffic is sent to the service leaf (L2) and L2 sends the traffic to the service device.
5. The service device sends the traffic back to the router MAC with destination IP EP2. A policy lookup is made again on that flow.

Figure: frame before redirect: 802.1Q | SMAC | DMAC | SIP | DIP | Proto | L4/Payload. After redirect: VXLAN (BD VNID = Service BD) | 802.1Q | SMAC | FW MAC | SIP | DIP | Proto | L4/Payload.

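The five steps above hinge on two policy lookups: one on the ingress leaf, which either permits, denies or redirects, and one after the firewall, where the packet is now classified by the firewall's other shadow EPG. The following Python, an added example that is not APIC code and not the real zoning-rule format, simulates that lookup with a constructed rule table and traces the hops for forward, return, non-redirected and denied flows. The pcTag values, MACs and rules are assumptions chosen to mirror the slide (HTTP redirected, other permitted traffic direct, implicit deny).

```python
"""Simulate the ingress-leaf policy lookup for a PBR contract and trace the hops.

Added example for this session, not APIC code and not the real zoning-rule
format. pcTag values, MAC addresses and the rule table are constructed to
mirror the slide: HTTP between Client and Web is redirected to the firewall,
other traffic the contract permits goes straight to the destination, and
anything else hits the VRF's implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed pcTags for the two EPGs and the firewall's two shadow EPGs.
CLIENT, WEB = 32770, 32771
FW_CONS, FW_PROV = 49153, 49154          # consumer connector / provider connector
FW_CONS_MAC = "00:00:5e:00:01:10"        # firewall outside arm (constructed)
FW_PROV_MAC = "00:00:5e:00:01:20"        # firewall inside arm (constructed)
ROUTER_MAC = "00:22:bd:f8:19:ff"         # fabric anycast gateway MAC (constructed)


@dataclass(frozen=True)
class Flow:
    sclass: int
    dclass: int
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    sclass: Optional[int]       # None matches any value
    dclass: Optional[int]
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    action: str                 # "permit" | "redirect" | "deny"
    redirect_mac: Optional[str] = None
    prio: int = 10              # lower wins; the implicit deny is the last resort

    def matches(self, f: Flow) -> bool:
        pairs = ((self.sclass, f.sclass), (self.dclass, f.dclass), (self.proto, f.proto),
                 (self.sport, f.sport), (self.dport, f.dport))
        return all(want is None or want == have for want, have in pairs)


# Rules the contract would program. The reverse rules match on source port 80,
# which is what the subject's "reverse filter ports" option produces.
RULES = [
    Rule(CLIENT, WEB, "tcp", None, 80, "redirect", FW_CONS_MAC),   # HTTP -> firewall outside arm
    Rule(FW_PROV, WEB, "tcp", None, 80, "permit"),                  # after firewall -> Web
    Rule(WEB, CLIENT, "tcp", 80, None, "redirect", FW_PROV_MAC),   # return -> firewall inside arm
    Rule(FW_CONS, CLIENT, "tcp", 80, None, "permit"),               # after firewall -> Client
    Rule(CLIENT, WEB, "tcp", None, 22, "permit"),                   # SSH permitted, not redirected
    Rule(WEB, CLIENT, "tcp", 22, None, "permit"),
    Rule(None, None, None, None, None, "deny", prio=100),           # implicit deny
]


def lookup(flow: Flow, rules=RULES) -> Rule:
    """Best-priority matching rule; ties resolve in table order."""
    return min((r for r in rules if r.matches(flow)), key=lambda r: r.prio)


def trace(flow: Flow) -> List[str]:
    """Hops from the slides: ingress lookup, spine proxy, service leaf, second lookup."""
    first = lookup(flow)
    if first.action == "deny":
        return ["ingress leaf: deny (implicit)"]
    if first.action == "permit":
        return ["ingress leaf: permit, forward to dclass %d" % flow.dclass]
    hops = [
        "ingress leaf: redirect, DMAC rewritten to %s, sent to service BD" % first.redirect_mac,
        "spine proxy: COOP lookup of the service MAC -> service leaf",
        "firewall: inspects and sends the packet back to router MAC %s" % ROUTER_MAC,
    ]
    # Leaving the firewall, the packet is classified by the other arm's shadow EPG.
    egress = FW_PROV if first.redirect_mac == FW_CONS_MAC else FW_CONS
    second = lookup(Flow(egress, flow.dclass, flow.proto, flow.sport, flow.dport))
    hops.append("service leaf: second policy lookup -> %s" % second.action)
    return hops


if __name__ == "__main__":
    for f in (Flow(CLIENT, WEB, "tcp", 51000, 80), Flow(WEB, CLIENT, "tcp", 80, 51000),
              Flow(CLIENT, WEB, "tcp", 51000, 22), Flow(CLIENT, WEB, "udp", 51000, 53)):
        print(f, *trace(f), sep="\n  ")
```

The point to take from the trace is step 5: the firewall does not get to "permit" anything on its own. Its output is re-classified by the shadow EPG of the arm it left, and without the FW_PROV -> WEB and FW_CONS -> CLIENT rules the second lookup falls to the implicit deny. That is also why a firewall that does SNAT on the redirected flow breaks PBR as modelled here: the second lookup would see a source that no rule covers.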
PBR Features

• Node Tracking with Health Groups


• Resilient hashing
• IP SLA Monitoring
• Backup Redirect

• Location Aware PBR for Multi-Pod Designs


• Unidirectional PBR
• Symmetric PBR
• MultiSite PBR
• L1/L2 PBR

Policy Based Redirect (PBR)

Figure (lab design): EPG Client (consumer) and EPG Web (provider) with a contract whose subject redirects to the firewall. The firewall's consumer-side connector sits in EPG/BD-Out and its provider-side connector in EPG/BD-In; in each of those BDs the firewall interface uses host address .250.

Lab Time!
Lab Guide
• URL - http://bit.ly/cl20-2226

Remote Desktop

173.36.211.5:443
Username:
studentXX@lab.test.local

SuperPuTTY

Overall Lab Topology

• ACI Fabric
• Spines
• Leafs
• APICs
• Servers
• ASAv
• F5 Big-IP VE
• Ansible server
• Linux VMs
• ASA 5585-X

Pre-Lab and Lab 1

Figure (two panels): left, the pre-lab path RDP Server -> External Router -> lab1-l3out -> ACI Border Leafs -> gateway -> web-bd; right, Lab 1 inserts an ASA H/A pair (multi-context) in svc-bd between the lab1-l3out gateway and web-bd.

Lab 2

Figure (two panels): left, the path RDP Server -> External Router -> lab2-l3out -> ACI Border Leafs -> gateway -> web-bd; right, Lab 2 inserts a BIG-IP in vip-bd between the lab2-l3out gateway and web-bd.

F5 ACI ServiceCenter – API driven native BIG-IP + ACI solution

Shipping and F5 supported, on a quarterly release cadence independent of ACI and BIG-IP releases.

• Phase I: Visibility, AS3 Templates
• Phase 2: Enhanced visibility, Network Stitching, Enhanced logging and faults reporting
• Future: Cloud ACI, vCMP Support, ACI Services Engine, Application Services, ACI UI widget

Lab 3

Figure: multi-site topology across an ISN, with web (studentXX-vm04) and app (studentXX-vm05) endpoints and the services between them.

F5 Labs now available in dCloud
Available to all Cisco dcloud users today

CISCO LIVE EMEA

BOOTH NUMBER 24C

Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education

Demos in the Walk-in


Cisco campus self-paced labs

Meet the engineer


Related sessions
1:1 meetings

Thank you
