Selecting a Layer 4 to Layer 7 Device to Render a Graph

About Device Selection Policies

A device can be selected based on a contract name, a graph name, or the function node name inside the graph. After you create a device, you can create a device context, which provides a selection criteria policy for a device.

A device selection policy (also known as a device context) specifies the policy for selecting a device for a service graph template. This allows an administrator to have multiple devices and then use them for different service graph templates. For example, an administrator can have a device that has high-performance ADC appliances and another device that has lower-performance ADC appliances. Using two different device selection policies, one for the high-performance ADC device and the other for the low-performance ADC device, the administrator can select the high-performance ADC device for the applications that require higher performance and select the low-performance ADC device for the applications that require lower performance.

Creating a Device Selection Policy Using the GUI

If you did not use the Apply L4-L7 Service Graph Template To EPGs wizard to apply the service graph template, you might need to configure a device selection policy (also known as a logical device context). The device selection policy instructs Cisco Application Centric Infrastructure (ACI) about which firewall or load balancer device to use to render a graph.

If you used the Apply L4-L7 Service Graph Template To EPGs wizard to apply the service graph template, then a device selection policy was configured automatically and you do not need to configure one manually.

The context name in the device selection policy must be configured if the device cluster interface is used for both intra-VRF and inter-VRF contracts. The context name must be identical for the same device when it is shared by different deployed graph instances.

For example, if contract1 is for intra-VRF traffic and contract2 is for inter-VRF traffic, both contracts have a service graph, and both use the same device cluster interface, then you must configure the same context name in the device selection policy.


Note

When using the NX-OS-style CLI, the device selection policy is configured automatically; there are no equivalent NX-OS-style CLI commands.

If you add copy devices to a service graph template that is already deployed, you must create a device selection policy to use for copy services.

Procedure


Step 1

On the menu bar, choose Tenants > All Tenants.

Step 2

In the Work pane, double-click the tenant's name.

Step 3

In the Navigation pane, choose Tenant tenant_name > Services > L4-L7 > Device Selection Policies.

Step 4

In the Work pane, choose Actions > Create Logical Device Context.

Step 5

In the Create Logical Device Context dialog box, fill in the fields as required, except as specified below:

  1. In the Contract Name drop-down list, choose the contract for the device selection policy. If you do not want to use the contract name as part of the criteria for using a device, choose any.

  2. In the Graph Name drop-down list, choose the graph for the device selection policy. If you do not want to use the graph name as part of the criteria for using a device, choose any.

  3. In the Node Name drop-down list, choose the node for the device selection policy. If you do not want to use the node name as part of the criteria for using a device, choose any.

Step 6

In the Cluster Interface Contexts section, click + to add a cluster interface context.

Step 7

In the Create A Cluster Interface Context dialog, configure the following properties:

Property / Description

Connector Name

The connector name or label for the logical interface context. The default is Any.

Cluster Interface

The unique name of the target interface. This field is required.
Associated Network

Choose the associated network type. The possible choices are:

  • Bridge Domain: A service EPG will be newly created for the interface during the service graph deployment.

  • L3Out: The existing L3Out EPG is used for the interface.

Bridge Domain

Choose the bridge domain for the associated network of the target interface. This drop-down list only displays if you chose Bridge Domain for Associated Network.

For Anycast, the bridge domain should be the same as that used for the node.

L3Out

Choose the L3Out EPG for the associated network of the target interface. This drop-down list only displays if you chose L3Out for Associated Network.

L3 Destination (VIP)

Indicates whether this logical interface is terminating the Layer 3 traffic in the service chain.

The default for this parameter is enabled (checked). However, this setting is not considered if a policy-based redirect policy is configured on the logical interface context.

Note

For multi-node PBR, if this logical interface is a consumer construct on a load balancer terminated on a virtual IP address external network, put a check in this box and remove any association to a redirect policy in the next field (L4-L7 Policy Based Redirect).

If this logical interface is a provider construct on a load balancer and it is performing SNAT, then put a check in this box and remove any association to a redirect policy in the next field (L4-L7 Policy Based Redirect).

L4-L7 Policy Based Redirect

Optional. Choose the policy-based redirect policy or Create L4-L7 Policy Based Redirect.

Note

For multi-node PBR, if this logical interface is a consumer construct on a load balancer terminated on a virtual IP address external network, remove this association to a redirect policy (if entered) and put a check in the L3 Destination (VIP) box.

L4-L7 Service EPG Policy

Choose to include or exclude the service EPG for the interface in the preferred group. By default, the service EPG is excluded.

Custom QoS Policy

Optional. Choose a Custom QoS Policy, the default policy, or Create Custom QoS Policy. This drop-down list only displays if you chose Bridge Domain for Associated Network.

Preferred Contract Group

The preferred group policy enforcement type. Valid types:

  • Include: EPGs or interfaces configured with this policy option are included in the subgroup and can communicate with others in the subgroup without a contract.

  • Exclude: EPGs or interfaces configured with this policy option are not included in the subgroup and cannot communicate with others in the subgroup without a contract.

Permit Logging

Put a check in the box to enable permit logging for the interface context. The default is disabled.

Subnets

Click + to add a subnet.

Configure the gateway address, the network visibility of the subnet (scope), primary IP address (preferred subnet), and the subnet control state.

Virtual IP Addresses

Click + to add a Virtual IP Address (VIP) if this subnet is used for a Layer 3 virtual destination (L3 Destination (VIP) has a check in the box).

Step 8

Click OK.

Step 9

Click Submit.


Configuring a Device Selection Policy Using REST APIs

You can use the REST APIs to configure a device selection policy.

Creating a Device Selection Policy Using the REST API

The following REST API creates a device selection policy:

<polUni>
    <fvTenant dn="uni/tn-acme" name="acme">
        <vnsLDevCtx ctrctNameOrLbl="webCtrct" graphNameOrLbl="G1" nodeNameOrLbl="Node1">
            <vnsRsLDevCtxToLDev tDn="uni/tn-acme/lDevVip-ADCCluster1"/>

            <!-- The connector names (C4, C5, etc.) must match the
                 function connector names used in the service graph template -->

            <vnsLIfCtx connNameOrLbl="C4">
                <vnsRsLIfCtxToLIf tDn="uni/tn-acme/lDevVip-ADCCluster1/LIf-ext"/>
            </vnsLIfCtx>
            <vnsLIfCtx connNameOrLbl="C5">
                <vnsRsLIfCtxToLIf tDn="uni/tn-acme/lDevVip-ADCCluster1/LIf-int"/>
            </vnsLIfCtx>
        </vnsLDevCtx>
    </fvTenant>
</polUni>

Adding a Logical Interface in a Device Using the REST APIs

The following REST API adds a logical interface in a device:

<polUni>
    <fvTenant dn="uni/tn-acme" name="acme">
        <vnsLDevVip name="ADCCluster1">

            <!-- The logical interface name defined here (such as ext or int) must match
                 the vnsRsLIfCtxToLIf 'tDn' defined in the corresponding vnsLIfCtx -->

            <vnsLIf name="ext">
                <vnsRsMetaIf tDn="uni/infra/mDev-Acme-ADC-1.0/mIfLbl-outside"/>
                <vnsRsCIfAtt tDn="uni/tn-acme/lDevVip-ADCCluster1/cDev-ADC1/cIf-ext"/>
            </vnsLIf>
            <vnsLIf name="int">
                <vnsRsMetaIf tDn="uni/infra/mDev-Acme-ADC-1.0/mIfLbl-inside"/>
                <vnsRsCIfAtt tDn="uni/tn-acme/lDevVip-ADCCluster1/cDev-ADC1/cIf-int"/>
            </vnsLIf>
        </vnsLDevVip>
    </fvTenant>
</polUni>
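The comments in the two payloads above (the device selection policy and the device's logical interfaces) state that the connector names must match the service graph template and that each vnsRsLIfCtxToLIf tDn must match a vnsLIf name. As an added example that is not code from this page or from Cisco ACI, the following Python script parses both payloads offline and reports any reference that does not resolve; the set of graph connector names is an assumed input, and the sample XML is a constructed copy of the page's payloads with the comments dropped.

```python
import xml.etree.ElementTree as ET

# Constructed copies of this page's two payloads (comments dropped), used as
# offline sample input; the DN forms lDevVip-<name>/LIf-<name> follow the page.
LDEV_CTX_XML = """<polUni><fvTenant dn="uni/tn-acme" name="acme">
 <vnsLDevCtx ctrctNameOrLbl="webCtrct" graphNameOrLbl="G1" nodeNameOrLbl="Node1">
  <vnsRsLDevCtxToLDev tDn="uni/tn-acme/lDevVip-ADCCluster1"/>
  <vnsLIfCtx connNameOrLbl="C4"><vnsRsLIfCtxToLIf tDn="uni/tn-acme/lDevVip-ADCCluster1/LIf-ext"/></vnsLIfCtx>
  <vnsLIfCtx connNameOrLbl="C5"><vnsRsLIfCtxToLIf tDn="uni/tn-acme/lDevVip-ADCCluster1/LIf-int"/></vnsLIfCtx>
 </vnsLDevCtx></fvTenant></polUni>"""
LDEV_VIP_XML = """<polUni><fvTenant dn="uni/tn-acme" name="acme">
 <vnsLDevVip name="ADCCluster1">
  <vnsLIf name="ext"><vnsRsCIfAtt tDn="uni/tn-acme/lDevVip-ADCCluster1/cDev-ADC1/cIf-ext"/></vnsLIf>
  <vnsLIf name="int"><vnsRsCIfAtt tDn="uni/tn-acme/lDevVip-ADCCluster1/cDev-ADC1/cIf-int"/></vnsLIf>
 </vnsLDevVip></fvTenant></polUni>"""

def ldev_ctx_refs(ctx_xml):
    """Return (device DN, {connector name: logical interface DN}) from a vnsLDevCtx payload."""
    ctx = ET.fromstring(ctx_xml).find(".//vnsLDevCtx")
    device_dn = ctx.find("vnsRsLDevCtxToLDev").get("tDn")
    lifs = {c.get("connNameOrLbl"): c.find("vnsRsLIfCtxToLIf").get("tDn")
            for c in ctx.findall("vnsLIfCtx")}
    return device_dn, lifs

def defined_lif_dns(dev_xml):
    """Return the set of vnsLIf DNs that a vnsLDevVip payload defines."""
    tenant = ET.fromstring(dev_xml).find("fvTenant")
    dns = set()
    for dev in tenant.findall("vnsLDevVip"):
        dev_dn = f"{tenant.get('dn')}/lDevVip-{dev.get('name')}"
        dns.update(f"{dev_dn}/LIf-{lif.get('name')}" for lif in dev.findall("vnsLIf"))
    return dns

def check_policy(ctx_xml, dev_xml, graph_connectors):
    """List dangling references in a device selection policy; an empty list means it is consistent."""
    # graph_connectors: the function connector names of the service graph template (assumed input)
    problems = []
    device_dn, lifs = ldev_ctx_refs(ctx_xml)
    defined = defined_lif_dns(dev_xml)
    if not any(dn.startswith(device_dn + "/") for dn in defined):
        problems.append(f"device {device_dn} defines no logical interfaces")
    for conn, lif_dn in lifs.items():
        if conn not in graph_connectors:
            problems.append(f"connector {conn} not in service graph template")
        if lif_dn not in defined:
            problems.append(f"{conn}: {lif_dn} has no vnsLIf")
    return problems
```

Running the check before posting the payloads catches a renamed interface or connector that would otherwise leave the policy pointing at an interface the device does not define.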