Device Selection Policy

Location in GUI: Tenants » XXX » Services » L4-L7 » Device Selection Policies

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| device_selection_policies | List | [device_selection_policies] | No | |

device_selection_policies (apic.tenants.services)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| contract | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| service_graph_template | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| device_name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| node_name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| consumer | Class | [consumer] | No | |
| provider | Class | [provider] | No | |
| copy_service | Class | [copy_service] | No | |

consumer (apic.tenants.services.device_selection_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| l3_destination | Boolean | true, false | No | true |
| permit_logging | Boolean | true, false | No | false |
| logical_interface | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| redirect_policy | Class | [redirect_policy] | No | |
| bridge_domain | Class | [bridge_domain] | No | |
| external_endpoint_group | Class | [external_endpoint_group] | No | |
| service_epg_policy | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| custom_qos_policy | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |

copy_service (apic.tenants.services.device_selection_policies)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| l3_destination | Boolean | true, false | No | true |
| permit_logging | Boolean | true, false | No | false |
| logical_interface | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| service_epg_policy | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| custom_qos_policy | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |

redirect_policy (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| tenant | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |

bridge_domain (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| tenant | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |

external_endpoint_group (apic.tenants.services.device_selection_policies.consumer)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| tenant | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | No | |
| l3out | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| name | String | Regex: `^[a-zA-Z0-9_.:-]{1,64}$` | Yes | |
| redistribute | Class | [redistribute] | No | |

redistribute (apic.tenants.services.device_selection_policies.consumer.external_endpoint_group)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| bgp | Boolean | true, false | No | false |
| ospf | Boolean | true, false | No | false |
| connected | Boolean | true, false | No | false |
| static | Boolean | true, false | No | false |
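
The constraints in the tables above can be checked before a data model is deployed, so that a malformed name or a missing `logical_interface` is caught early. The validator below is an added example, not code from this page or its project; `validate`, the schema constants and the sample entries are hypothetical names, and `provider` is assumed to take the same attributes as `consumer` because the page has no table for it.

```python
import re

# Name constraint from the tables. fullmatch() also rejects a trailing newline,
# which "$" alone would let through with re.match().
NAME = re.compile(r"^[a-zA-Z0-9_.:-]{1,64}$")
REF = {"name": ("str", True), "tenant": ("str", False)}
REDIST = {k: ("bool", False) for k in ("bgp", "ospf", "connected", "static")}
EEPG = {"tenant": ("str", False), "l3out": ("str", True),
        "name": ("str", True), "redistribute": (REDIST, False)}
COPY = {"l3_destination": ("bool", False), "permit_logging": ("bool", False),
        "logical_interface": ("str", True),
        "service_epg_policy": ("str", False), "custom_qos_policy": ("str", False)}
SIDE = dict(COPY, redirect_policy=(REF, False), bridge_domain=(REF, False),
            external_endpoint_group=(EEPG, False))
# Assumption: provider mirrors consumer (the page has no provider table).
POLICY = {"contract": ("str", True), "service_graph_template": ("str", True),
          "device_name": ("str", False), "node_name": ("str", False),
          "consumer": (SIDE, False), "provider": (SIDE, False),
          "copy_service": (COPY, False)}


def validate(obj, schema=POLICY, path="policy"):
    """Return constraint violations for one parsed device_selection_policies entry."""
    if not isinstance(obj, dict):
        return [f"{path}: expected a mapping"]
    errors = [f"{path}.{k}: unknown attribute" for k in obj if k not in schema]
    for key, (kind, mandatory) in schema.items():
        where = f"{path}.{key}"
        if key not in obj:
            if mandatory:
                errors.append(f"{where}: mandatory attribute missing")
        elif isinstance(kind, dict):
            errors += validate(obj[key], kind, where)
        elif kind == "bool" and not isinstance(obj[key], bool):
            errors.append(f"{where}: must be true or false")
        elif kind == "str" and not (isinstance(obj[key], str)
                                    and NAME.fullmatch(obj[key])):
            errors.append(f"{where}: does not match {NAME.pattern}")
    return errors


# Constructed sample entries, shaped as a YAML parser would return them.
GOOD = {"contract": "CON1", "service_graph_template": "TEMPLATE1",
        "consumer": {"redirect_policy": {"name": "PBR1"},
                     "logical_interface": "INT1", "bridge_domain": {"name": "BD1"}}}
BAD = {"contract": "CON1\n", "service_graph_template": "TEMPLATE1",
       "consumer": {"redirect_policy": {"tenant": "ABC"}, "permit_logging": "false",
                    "external_endpoint_group": {"l3out": "L3", "name": "E",
                                                "redistribute": {"bgp": 1}}}}
```

Calling `validate(BAD)` returns one message per violation, each prefixed with the attribute path, while `validate(GOOD)` returns an empty list.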

Example-1: This example demonstrates a one-armed Policy-Based Redirect (PBR) Service Graph that redirects all traffic originating from EPG-1 (the PBR_SF_CT contract consumer) to a PBR destination (e.g., a Firewall Cluster connected via the PBR_SG_L3OUT L3Out) for inspection before forwarding it to the final destination (e.g., vzAny, the PBR_SF_CT contract provider). It is one-armed because the consumer and provider use the same logical interface (Cluster_IF) on the Firewall Cluster.

The data model can be applied as is; however, if referenced elements such as EPGs, L3Out, etc., are not configured, the deployment will not function correctly. This example relies on elements from the following modules:

  • apic.tenants.contracts
  • apic.tenants.services.service_graph_templates
  • apic.tenants.services.l4l7_devices
  • apic.tenants.services.redirect_policies
```yaml
---
apic:
  tenants:
    - name: PBR_ServGraph
      services:
        device_selection_policies:
          - contract: PBR_SF_CT
            service_graph_template: PBR_SG_template
            node_name: FW_Cluster
            device_name: FW_Cluster
            consumer:
              redirect_policy:
                name: L4L7_PBR
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: PBR_SG_eEPG
                redistribute:
                  bgp: true
                  ospf: true
            provider:
              redirect_policy:
                name: 'L4L7_PBR'
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: 'PBR_SG_eEPG'
                redistribute:
                  bgp: true
                  ospf: true
```

Example-2: The configuration below links the contract PROD_EW_PBR_CT and the service graph template PROD_EW_FW_SG to the device PROD_EW_FW. Both consumer and provider traffic is redirected via Policy-Based Redirect (PBR) using the PROD_EW_FW_PBRPol redirect policy and the OneArm logical interface within the SVC_BD bridge domain.

```yaml
apic:
  tenants:
    - name: PROD
      services:
        device_selection_policies:
          - contract: PROD_EW_PBR_CT
            service_graph_template: PROD_EW_FW_SG
            node_name: N1
            device_name: PROD_EW_FW
            consumer:
              redirect_policy:
                name: PROD_EW_FW_PBRPol
              logical_interface: OneArm
              bridge_domain:
                name: SVC_BD
            provider:
              redirect_policy:
                name: PROD_EW_FW_PBRPol
              logical_interface: OneArm
              bridge_domain:
                name: SVC_BD
```

Simple example:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
```

Copy service:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON2
            service_graph_template: TEMPLATE2
            copy_service:
              logical_interface: INT1
```

Full example:

```yaml
apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              l3_destination: true
              permit_logging: false
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG1
              custom_qos_policy: QOS_POLICY
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG2
              custom_qos_policy: QOS_POLICY
```