If I write different filters in a contract, in which order are they evaluated? I've read elsewhere that they are given a progressive id and they're read from the most specific to the most generic. Is this written anywhere in the official Cisco documentation? Is there a way to force a particular rule to be read before another, or to know in a deterministic way the future ranking of a rule?
I agree that there really isn't a good public Cisco document on this topic. I will ask some colleagues if they are up for writing something. In the interim, I will do my best to summarize here. I debated how deep I should go because my answer can cover the basics, or it could evolve into a PhD dissertation on all the esoteric possibilities in any given situation. Because in the real world, I find simpler is often operationally easier, at least when getting started, I opted for the former.
As your question suggests, filters are given a priority number. In ACI that number can be from 2-21, but functionally you can really only administratively edit between 2 and 17. The first thing to consider is that a LOWER number means HIGHER priority (i.e. smaller number is better). There are a few common priorities that you will see when you use "show zoning-rule" in the CLI.
Permit = 7
Implicit Deny = 21
So far so good, things are easy, and no one really needed to care about priorities....
In ACI 3.2 (I think around there) we added the ability to specify a DENY action (if you recall, before this release everything in a filter was designed to say only what you are permitting). This is where priorities now come into play.
A user configured deny policy is (by default) also 7, same as permit. So who wins?
Well, in the case of a permit and a deny with the SAME priority contradicting each other, DENY wins.
So your second part of the question was "Can I influence this?" and the answer is decidedly YES!
In ACI, when you specify a DENY action in a filter, you will see the Priority pull-down menu light up. Note, the priority pull-down menu is ONLY available when using DENY, not for PERMIT. In that pull-down you have four choices (Default, Lowest, Medium, Highest). So what numbers do they get?
Lowest = 17
Medium = 13
Highest = 7 (the default setting)
So far, we agree that the way ACI processes filters is to look for a match, and check priorities if there is more than one. A lower number priority wins, or if there are no matches, the implicit deny is the catch-all match.
You might be wondering about other priorities and where they come into play. I won't delve too deep here other than to say they have more to do with either ethertypes, or specific rules taking more priority over less specific, and all of that mixed in with a healthy dose of where and when you might use vzAny.
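To make the resolution logic in the answer above concrete, here is a small Python model of it. This is an added example, not Cisco code and not what the APIC or leaf actually runs: it encodes only what the post states (lower number wins, deny beats permit on a tie at the same number, the DENY pull-down mapping to 7/17/13/7, and the implicit deny at 21 as the catch-all). The `Rule` fields, the flow tuple and the EPG names are constructed for illustration and are not ACI data structures.

```python
"""Toy model of the zoning-rule priority behaviour described in the answer.

Added example, not Cisco's code. Rule fields, the flow tuple and the EPG
names are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Priority numbers quoted in the answer.
PERMIT_PRIORITY = 7
IMPLICIT_DENY_PRIORITY = 21

# The Priority pull-down (shown only for DENY) mapped to numbers, per the answer.
DENY_PRIORITY_MENU = {
    "default": 7,
    "lowest": 17,
    "medium": 13,
    "highest": 7,
}


@dataclass(frozen=True)
class Rule:
    src_epg: str           # source EPG/class, or "any"
    dst_epg: str           # destination EPG/class, or "any"
    proto: str             # e.g. "tcp"; "any" matches every protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"
    priority: int          # lower number = higher priority

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (
            self.src_epg in ("any", src)
            and self.dst_epg in ("any", dst)
            and self.proto in ("any", proto)
            and (self.dport is None or self.dport == dport)
        )


def permit_rule(src: str, dst: str, proto: str, dport: Optional[int]) -> Rule:
    """Permit filters always get 7 (no pull-down for PERMIT)."""
    return Rule(src, dst, proto, dport, "permit", PERMIT_PRIORITY)


def deny_rule(src: str, dst: str, proto: str, dport: Optional[int],
              menu_choice: str = "default") -> Rule:
    """Deny filter built from the pull-down label (Default/Lowest/Medium/Highest)."""
    return Rule(src, dst, proto, dport, "deny", DENY_PRIORITY_MENU[menu_choice.lower()])


def resolve(rules: Iterable[Rule], src: str, dst: str, proto: str,
            dport: int) -> Tuple[str, int, str]:
    """Return (action, winning priority, reason) for one flow.

    Among matching rules the numerically lowest priority wins; if a permit
    and a deny share that number, deny wins. No match falls to the implicit
    deny at 21.
    """
    hits: List[Rule] = [r for r in rules if r.matches(src, dst, proto, dport)]
    if not hits:
        return "deny", IMPLICIT_DENY_PRIORITY, "implicit deny (no matching rule)"
    best = min(r.priority for r in hits)
    winners = [r for r in hits if r.priority == best]
    if any(r.action == "deny" for r in winners):
        reason = "deny wins tie" if len(winners) > 1 else "lowest priority number"
        return "deny", best, reason
    return "permit", best, "lowest priority number"


def demo() -> dict:
    """Constructed scenario: a permit for web->db tcp/3306 plus a deny for the
    same traffic at each pull-down setting. Shows which deny settings actually
    block the flow."""
    permit = permit_rule("web", "db", "tcp", 3306)
    flow = ("web", "db", "tcp", 3306)
    results = {}
    for choice in DENY_PRIORITY_MENU:
        results[choice] = resolve([permit, deny_rule("web", "db", "tcp", 3306, choice)], *flow)
    results["no-match"] = resolve([permit], "web", "db", "tcp", 5432)
    return results


if __name__ == "__main__":
    for label, (action, prio, why) in demo().items():
        print(f"deny priority={label:8s} -> {action} at {prio} ({why})")
```

Running it shows the operational surprise the answer hints at: a deny set to Lowest (17) or Medium (13) loses to an ordinary permit at 7 for the same flow, and only a deny at Default/Highest (7) blocks it, by winning the tie.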