Device Selection Policy

Location in GUI: Tenants » XXX » Services » L4-L7 » Device Selection Policies

Diagram

Classes

services (apic.tenants)

Name	Type	Constraint	Mandatory	Default Value
device_selection_policies	List	`[device_selection_policies]`	No

device_selection_policies (apic.tenants.services)

Name	Type	Constraint	Mandatory
contract	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
service_graph_template	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
device_name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
node_name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
consumer	Class	`[consumer]`	No
provider	Class	`[provider]`	No
copy_service	Class	`[copy_service]`	No

consumer (apic.tenants.services.device_selection_policies)

Name	Type	Constraint	Mandatory	Default Value
l3_destination	Boolean	`true`, `false`	No	`true`
permit_logging	Boolean	`true`, `false`	No	`false`
logical_interface	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
redirect_policy	Class	`[redirect_policy]`	No
bridge_domain	Class	`[bridge_domain]`	No
external_endpoint_group	Class	`[external_endpoint_group]`	No
service_epg_policy	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
custom_qos_policy	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No

copy_service (apic.tenants.services.device_selection_policies)

Name	Type	Constraint	Mandatory	Default Value
l3_destination	Boolean	`true`, `false`	No	`true`
permit_logging	Boolean	`true`, `false`	No	`false`
logical_interface	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
service_epg_policy	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
custom_qos_policy	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No

redirect_policy (apic.tenants.services.device_selection_policies.consumer)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
tenant	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No

bridge_domain (apic.tenants.services.device_selection_policies.consumer)

Name	Type	Constraint	Mandatory	Default Value
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
tenant	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No

external_endpoint_group (apic.tenants.services.device_selection_policies.consumer)

Name	Type	Constraint	Mandatory
tenant	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	No
l3out	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
name	String	Regex: `^[a-zA-Z0-9_.:-]{1,64}$`	Yes
redistribute	Class	`[redistribute]`	No

redistribute (apic.tenants.services.device_selection_policies.consumer.external_endpoint_group)

Name	Type	Constraint	Mandatory	Default Value
bgp	Boolean	`true`, `false`	No	`false`
ospf	Boolean	`true`, `false`	No	`false`
connected	Boolean	`true`, `false`	No	`false`
static	Boolean	`true`, `false`	No	`false`

Examples

Example-1: This example demonstrates a one-armed Policy-Based Redirect (PBR) Service Graph that redirects all traffic originating from EPG-1 (the PBR_SF_CT contract consumer) to a PBR destination (e.g., a Firewall Cluster connected via the PBR_SG_L3OUT L3Out) for inspection before forwarding it to the final destination (e.g., vzAny, the PBR_SF_CT contract provider). It is one-armed because it is using the same consumer and provider logical interface (Cluster_IF) on the Firewall Cluster.

The data model can be applied as is; however, if referenced elements such as EPGs, L3Out, etc., are not configured, the deployment will not function correctly. This example relies on elements from the following modules:

apic.tenants.contracts
apic.tenants.services.service_graph_templates
apic.tenants.services.l4l7_devices
apic.tenants.services.redirect_policies

---
apic:
  tenants:
    - name: PBR_ServGraph
        device_selection_policies:
          - contract: PBR_SF_CT
            service_graph_template: PBR_SG_template
            node_name: FW_Cluster
            device_name: FW_Cluster
            consumer:
              redirect_policy:
                name: L4L7_PBR
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: PBR_SG_eEPG
                redistribute:
                  bgp: true
                  ospf: true
            provider:
              redirect_policy:
                name: 'L4L7_PBR'
              logical_interface: Cluster_IF
              external_endpoint_group:
                l3out: PBR_SG_L3OUT
                name: 'PBR_SG_eEPG'
                redistribute:
                  bgp: true
                  ospf: true

Example-2: The configuration below links the contract named PROD_EW_PBR_CT and service_graph_template named PROD_EW_FW_SG to a network device. It details how traffic, both consumer and provider, is redirected via Policy-Based Redirect (PBR) using the PROD_EW_FW_PBRPol and OneArm logical interface within the SVC_BD bridge domain.

apic:
  tenants:
    - name: PROD
      services:
        device_selection_policies:
        - contract: PROD_EW_PBR_CT
          service_graph_template: PROD_EW_FW_SG
          node_name: N1
          device_name: PROD_EW_FW
          consumer:
            redirect_policy:
              name: PROD_EW_FW_PBRPol
            logical_interface: OneArm
            bridge_domain:
              name: SVC_BD
          provider:
            redirect_policy:
              name: PROD_EW_FW_PBRPol
            logical_interface: OneArm
            bridge_domain:
              name: SVC_BD

Simple example:

apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1

Copy service:

apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON2
            service_graph_template: TEMPLATE2
            copy_service:
              logical_interface: INT1

Full example:

apic:
  tenants:
    - name: ABC
      services:
        device_selection_policies:
          - contract: CON1
            service_graph_template: TEMPLATE1
            consumer:
              l3_destination: true
              permit_logging: false
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG1
              custom_qos_policy: QOS_POLICY
            provider:
              redirect_policy:
                name: PBR1
              logical_interface: INT1
              bridge_domain:
                name: BD1
              service_epg_policy: SERVICE_EPG2
              custom_qos_policy: QOS_POLICY