About Anycast Services
Anycast services are supported in the Cisco ACI fabric. A typical use case is to support Cisco Adaptive Security Appliance (ASA) firewalls in the pods of a multipod fabric, but Anycast could be used to enable other services, such as DNS servers or printing services. In the ASA use case, a firewall is installed in every pod and Anycast is enabled, so the firewall can be offered as an Anycast service. One instance of a firewall going down does not affect clients, as the requests are routed to the next, nearest instance available. You install ASA firewalls in each pod, then enable Anycast and configure the IP address and MAC addresses to be used.
Anycast is supported on Cisco Nexus 9000 series switches with names that end in EX, and later (for example, N9K-C93180LC-EX).
Anycast can be configured on application EPGs or through Layer 4 to Layer 7 Services (with or without Policy-Based Redirect (PBR)).
Up to 2000 Anycast services are supported per fabric.
A service node is used for Anycast services in the pod where the policy is applied.
APIC deploys the configuration of the Anycast MAC and IP addresses to the leaf switches where the VRF is deployed or where there is a contract to allow an Anycast EPG.
Initially, each leaf switch installs the Anycast MAC and IP addresses as a proxy route to the spine switch. When the first packet from the Anycast service is received, the destination information for the service is installed on the leaf switch behind which the service is attached. All other leaf switches continue to point to the spine proxy. Once the Anycast service has been learned behind a leaf switch in a pod, COOP installs the entry on the spine switch so that it points to the service instance that is local to the pod.
When the Anycast service is running in one pod, the spine receives the route information for the Anycast service present in the pod through BGP-EVPN. If the Anycast service is already locally present, then COOP caches the Anycast service information of the remote pod. This route through the remote pod is only installed when the local instance of the service goes down.
Anycast services are not supported with the following features and options:
- Multi-Site management
- Remote leaf switches
- Two firewalls in an Active/Standby relationship (in this scenario, the Anycast service is active in only one pod and all traffic is sent using the active service)
- Firewalls that are deployed on two port channels (PCs)
- Firewalls that are deployed on a single PC with redundant links
- ECMP
- Symmetric policy-based redirect
- Pod ID Aware Redirection
- IP SLA Monitoring Policies
- Redirect Health Groups
- DAD enabled on external devices, when Anycast IPv6 addresses are used
- Remote IP address learning: to prevent IP address moves across the instances of a service, remote learning of the Anycast service MAC and IP addresses is turned off
- Anycast services behind L3Outs
- Using the MAC and IP addresses of an existing static endpoint as Anycast addresses
Note: If you configure an Anycast MAC and IP address using the addresses of an existing static endpoint, the configuration is pushed from the APIC to the switch and no fault is generated, but the switch does not install the Anycast addresses in the hardware. Deleting the static endpoint does not resolve the problem. You must delete both the static endpoint and the Anycast configuration and then reconfigure the Anycast addresses.
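Because the static-endpoint collision described in the note produces no fault, it is worth catching before the configuration is pushed. The following pre-flight checker is an added example, not Cisco's code and not an APIC API; it validates a planned set of Anycast services offline against two documented limits: the maximum of 2000 Anycast services per fabric, and the rule that an Anycast MAC or IP address must not reuse an existing static endpoint's addresses. The service and endpoint inventories are constructed inline; pulling the real ones from APIC is left to the caller, and the class and field names here are this example's own assumptions.

```python
"""Pre-flight validation for planned Cisco ACI Anycast services.

Added example (not Cisco's code). Works on constructed inventories so it
runs offline; the AnycastService and StaticEndpoint classes are assumptions
of this example, not APIC object classes.
"""
import ipaddress
import re
from dataclasses import dataclass

MAX_ANYCAST_SERVICES = 2000  # per-fabric limit stated in the documentation


@dataclass
class AnycastService:
    name: str
    mac: str
    ip: str


@dataclass
class StaticEndpoint:
    name: str
    mac: str
    ip: str


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts the Cisco dotted form (0000.0c9f.f001), dashes and colons, so a
    collision is not missed just because two sources format MACs differently.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_ip(ip: str) -> str:
    """Canonicalise an IPv4 or IPv6 address; a trailing /prefix is dropped."""
    return str(ipaddress.ip_interface(ip).ip)


def check_anycast_config(services, static_endpoints):
    """Return a list of problem descriptions; an empty list means the plan passes."""
    problems = []

    # Limit check: the fabric supports at most 2000 Anycast services.
    if len(services) > MAX_ANYCAST_SERVICES:
        problems.append(
            f"{len(services)} Anycast services exceed the limit of "
            f"{MAX_ANYCAST_SERVICES} per fabric"
        )

    # Index the static endpoints by normalised MAC and IP.
    static_by_mac = {normalize_mac(ep.mac): ep.name for ep in static_endpoints}
    static_by_ip = {normalize_ip(ep.ip): ep.name for ep in static_endpoints}

    # Collision check: the switch silently refuses to program Anycast
    # addresses that belong to a static endpoint, so flag either match.
    for svc in services:
        mac = normalize_mac(svc.mac)
        ip = normalize_ip(svc.ip)
        if mac in static_by_mac:
            problems.append(
                f"{svc.name}: Anycast MAC {mac} is already used by static "
                f"endpoint {static_by_mac[mac]}"
            )
        if ip in static_by_ip:
            problems.append(
                f"{svc.name}: Anycast IP {ip} is already used by static "
                f"endpoint {static_by_ip[ip]}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample inventory: the DNS service reuses a static endpoint's MAC.
    planned = [
        AnycastService("asa-firewall", "0000.0c9f.f001", "10.1.1.10"),
        AnycastService("anycast-dns", "00:00:0c:9f:f0:02", "10.1.2.53/24"),
    ]
    existing = [StaticEndpoint("legacy-host", "00-00-0C-9F-F0-02", "10.1.9.9")]
    for line in check_anycast_config(planned, existing) or ["no problems found"]:
        print(line)
```

Run the checker against the planned service list and the static endpoints before applying the Anycast configuration; any reported collision must be resolved by choosing different Anycast addresses or removing the static endpoint first, since fixing it afterwards requires deleting both objects and reconfiguring, as the note above states.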