Device Selection Policy
Location in GUI: Tenants » XXX » Services » L4-L7 » Device Selection Policies
Diagram
Classes
services (apic.tenants)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| device_selection_policies | List | [device_selection_policies] | No | |

device_selection_policies (apic.tenants.services)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| contract | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| service_graph_template | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| device_name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| node_name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| consumer | Class | [consumer] | No | |
| provider | Class | [provider] | No | |
| copy_service | Class | [copy_service] | No | |

consumer (apic.tenants.services.device_selection_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| l3_destination | Boolean | true, false | No | true |
| permit_logging | Boolean | true, false | No | false |
| logical_interface | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| redirect_policy | Class | [redirect_policy] | No | |
| bridge_domain | Class | [bridge_domain] | No | |
| external_endpoint_group | Class | [external_endpoint_group] | No | |
| service_epg_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| custom_qos_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |

copy_service (apic.tenants.services.device_selection_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| l3_destination | Boolean | true, false | No | true |
| permit_logging | Boolean | true, false | No | false |
| logical_interface | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| service_epg_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| custom_qos_policy | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |

redirect_policy (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| tenant | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |

bridge_domain (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| tenant | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |

external_endpoint_group (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| tenant | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | No | |
| l3out | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| name | String | Regex: ^[a-zA-Z0-9_.:-]{1,64}$ | Yes | |
| redistribute | Class | [redistribute] | No | |

redistribute (apic.tenants.services.device_selection_policies.consumer.external_endpoint_group)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| bgp | Boolean | true, false | No | false |
| ospf | Boolean | true, false | No | false |
| connected | Boolean | true, false | No | false |
| static | Boolean | true, false | No | false |

Examples

Example-1: This example demonstrates a one-armed Policy-Based Redirect (PBR) Service Graph that redirects all traffic originating from EPG-1 (the PBR_SF_CT contract consumer) to a PBR destination (e.g., a Firewall Cluster connected via the PBR_SG_L3OUT L3Out) for inspection before forwarding it to the final destination (e.g., vzAny, the PBR_SF_CT contract provider). It is one-armed because it uses the same logical interface (Cluster_IF) on the Firewall Cluster for both consumer and provider.

The data model can be applied as is; however, if referenced elements such as EPGs, L3Out, etc., are not configured, the deployment will not function correctly. This example relies on elements from the following modules:
- apic.tenants.contracts
- apic.tenants.services.service_graph_templates
- apic.tenants.services.l4l7_devices
- apic.tenants.services.redirect_policies

```yaml
---
apic:
  tenants:
    - name: PBR_ServGraph
      services:
        device_selection_policies:
          - contract: PBR_SF_CT
            service_graph_template: PBR_SG_template
            node_name: FW_Cluster
            device_name: FW_Cluster
            consumer:
              redirect_policy:
                name: L4L7_PBR
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: PBR_SG_eEPG
                redistribute:
                  bgp: true
                  ospf: true
            provider:
              redirect_policy:
                name: 'L4L7_PBR'
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: 'PBR_SG_eEPG'
                redistribute:
                  bgp: true
                  ospf: true
```

Example-2: The configuration below links the contract named PROD_EW_PBR_CT and the service_graph_template named PROD_EW_FW_SG to a network device. It shows how both consumer and provider traffic is redirected via Policy-Based Redirect (PBR) using the PROD_EW_FW_PBRPol redirect policy and the OneArm logical interface within the SVC_BD bridge domain.

```yaml
apic:
  tenants:
    - name: PROD
      services:
        device_selection_policies:
          - contract: PROD_EW_PBR_CT
            service_graph_template: PROD_EW_FW_SG
            node_name: N1
            device_name: PROD_EW_FW
            consumer:
              redirect_policy:
                name: PROD_EW_FW_PBRPol
              logical_interface: OneArm
              bridge_domain:
                name: SVC_BD
            provider:
              redirect_policy:
                name: PROD_EW_FW_PBRPol
              logical_interface: OneArm
              bridge_domain:
                name: SVC_BD
```

Simple example:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
```

Copy service:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON2
            service_graph_template: TEMPLATE2
            copy_service:
              logical_interface: INT1
```

Full example:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              l3_destination: true
              permit_logging: false
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG1
              custom_qos_policy: QOS_POLICY
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG2
              custom_qos_policy: QOS_POLICY
```
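
The constraints in the class tables can be checked on a parsed YAML model before it is deployed, so that a missing mandatory key, a misspelled attribute or a name outside the allowed character set is caught early. The following is an added example, not part of the original page or the project's tooling; all function and variable names are hypothetical, and it assumes `provider` accepts the same attributes as `consumer`, since the page has no `provider` table. It uses `fullmatch` so that a trailing newline, which `$` alone would accept in Python, is rejected.

```python
import re

# Name regex and (type, mandatory) schemas transcribed from the class tables above.
NAME_RE = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
OPT_STR, REQ_STR, OPT_BOOL = ("str", False), ("str", True), ("bool", False)
REF = {"name": REQ_STR, "tenant": OPT_STR}
REDIST = dict.fromkeys(("bgp", "ospf", "connected", "static"), OPT_BOOL)
EXT_EPG = {"tenant": OPT_STR, "l3out": REQ_STR, "name": REQ_STR,
           "redistribute": (REDIST, False)}
COPY = {"l3_destination": OPT_BOOL, "permit_logging": OPT_BOOL,
        "logical_interface": REQ_STR, "service_epg_policy": OPT_STR,
        "custom_qos_policy": OPT_STR}
CONSUMER = dict(COPY, redirect_policy=(REF, False), bridge_domain=(REF, False),
                external_endpoint_group=(EXT_EPG, False))
# Assumption: provider takes the same attributes as consumer (the page has no table).
POLICY = {"contract": REQ_STR, "service_graph_template": REQ_STR,
          "device_name": OPT_STR, "node_name": OPT_STR, "consumer": (CONSUMER, False),
          "provider": (CONSUMER, False), "copy_service": (COPY, False)}

def validate(node, schema, path):
    """Return 'path: problem' strings for one mapping checked against schema."""
    if not isinstance(node, dict):
        return [f"{path}: expected a mapping"]
    errors = [f"{path}.{k}: unknown key" for k in node if k not in schema]
    for key, (kind, mandatory) in schema.items():
        where, value = f"{path}.{key}", node.get(key)
        if key not in node:
            if mandatory:
                errors.append(f"{where}: mandatory key missing")
        elif isinstance(kind, dict):
            errors += validate(value, kind, where)
        elif kind == "bool" and not isinstance(value, bool):
            errors.append(f"{where}: must be true or false")
        elif kind == "str" and not (isinstance(value, str) and NAME_RE.fullmatch(value)):
            errors.append(f"{where}: does not match the name regex")
    return errors

def check_model(model):
    """Validate every device selection policy of every tenant in a parsed model."""
    errors = []
    for tenant in model.get("apic", {}).get("tenants", []):
        policies = tenant.get("services", {}).get("device_selection_policies", [])
        for i, policy in enumerate(policies):
            errors += validate(policy, POLICY, f"{tenant.get('name')}.policy[{i}]")
    return errors

# Constructed input: contract contains a space, provider lacks logical_interface.
SAMPLE = {"apic": {"tenants": [{"name": "ABC", "services": {
    "device_selection_policies": [{"contract": "CON 1", "service_graph_template": "T1",
                                   "provider": {"redirect_policy": {"name": "PBR1"}}}]}}]}}
```

`check_model(SAMPLE)` returns one finding per violated constraint, each prefixed with the tenant name and the path of the offending attribute.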