
in which order are filters evaluated?

If I write different filters in a contract, in which order are they evaluated? I've read elsewhere that they are given a progressive id and they're read from the most specific to the most generic. Is this written anywhere in the official Cisco documentation? Is there a way to force a particular rule to be read before another? Or to know in a deterministic way the future ranking of a rule?

Filters, Contract, APIC

Cisco Employee

Re: in which order are filters evaluated?

I agree that there really isn't a good public Cisco document on this topic.  I will ask some colleagues if they are up for writing something.  In the interim, I will do my best to summarize here.  I debated how deep I should go because my answer can cover the basics, or it could evolve into a PhD dissertation on all the esoteric possibilities in any given situation.  Because in the real world, I find simpler is often operationally easier, at least when getting started, I opted for the former. 

As your question suggests, filters are given a priority number. In ACI that number can be from 2-21, but functionally you can really only administratively edit between 2 and 17. The first thing to consider is that a LOWER number means HIGHER priority (i.e., a smaller number is better). There are a few common priorities that you will see when you use "show zoning-rule" in the CLI.

Permit = 7

Implicit Deny = 21

So far so good, things are easy, and no one really needed to care about priorities....

In ACI 3.2 (I think around there) we added the ability to specify a DENY action (if you recall, before this release everything in a filter was designed to say only what you are permitting).  This is where priorities now come into play.

A user configured deny policy is (by default) also 7, same as permit.  So who wins?

Well, in the case of a permit and a deny with the SAME priority contradicting each other, DENY wins. 

So your second part of the question was "Can I influence this?" and the answer is decidedly YES!

In ACI, when you specify a DENY action in a filter, you will see the Priority pull-down menu light up. Note, the priority pull-down menu is ONLY available when using DENY, not for PERMIT. In that pull-down you have four choices (Default, Lowest, Medium, Highest). So what numbers do they get?

Lowest = 17

Medium = 13

Highest = 7 (the default setting)

So far, we agree that the way ACI processes filters is to look for a match, and check priorities if there is more than one.  A lower number priority wins, or if there are no matches, the implicit deny is the catch-all match. 

You might be wondering about other priorities and where they come into play. I won't delve too deep here other than to say they have to do more with either ethertypes, or specific rules taking more priority over less specific, and all of that mixed in with a healthy dose of where and when you might use vzAny.

Hope it helps clear it up even a little bit.
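The resolution logic described in the answer above, as an added example that is not part of the original post and is not Cisco code: a simplified Python model that uses only the priority numbers quoted there. The `Rule` class, the helper names and the sample rules are hypothetical and constructed, and the model ignores the ethertype, specificity and vzAny priorities the answer leaves out.

```python
from dataclasses import dataclass

# Priority numbers quoted in the answer (lower number = higher priority).
PERMIT = 7
DENY_PRIORITY = {"highest": 7, "medium": 13, "lowest": 17}
IMPLICIT_DENY = 21


@dataclass(frozen=True)
class Rule:                      # hypothetical model, not an APIC object
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    ports: range                 # destination ports covered by the filter
    priority: int


def permit(name, proto, lo, hi):
    return Rule(name, "permit", proto, range(lo, hi + 1), PERMIT)


def deny(name, proto, lo, hi, level="highest"):
    return Rule(name, "deny", proto, range(lo, hi + 1), DENY_PRIORITY[level])


def evaluate(rules, proto, port):
    """Return (action, rule_name) for one flow, per the rules in the answer."""
    matches = [r for r in rules
               if r.proto in ("any", proto) and port in r.ports]
    if not matches:
        return ("deny", "implicit-deny")       # priority 21 catch-all
    # Lowest number wins; on a tie, deny sorts ahead of permit.
    best = min(matches, key=lambda r: (r.priority, r.action != "deny"))
    return (best.action, best.name)


# Constructed sample contract: one broad permit plus a deny at each level.
RULES = [
    permit("web-range", "tcp", 80, 8443),
    deny("block-8080", "tcp", 8080, 8080),                   # 7 vs 7: deny wins
    deny("block-443-low", "tcp", 443, 443, level="lowest"),  # 17 loses to permit 7
    deny("block-dns-med", "udp", 53, 53, level="medium"),    # only match, so it applies
]

if __name__ == "__main__":
    for flow in [("tcp", 80), ("tcp", 8080), ("tcp", 443), ("udp", 53), ("tcp", 22)]:
        print(flow, "->", evaluate(RULES, *flow))
```

The `tcp/443` case is the one to check for when auditing a contract: under these rules a deny set to Lowest or Medium is shadowed by any overlapping permit, so it only takes effect where no permit matches.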
