Configuring Anycast Services

About Anycast Services

Anycast services are supported in the Cisco ACI fabric. A typical use case is Cisco Adaptive Security Appliance (ASA) firewalls deployed in the pods of a Multipod fabric, but Anycast can also front other services, such as DNS servers or print services. In the ASA use case, a firewall is installed in every pod and offered as a single Anycast service: if one firewall instance goes down, clients are unaffected, because their requests are routed to the nearest remaining instance. You install an ASA firewall in each pod, then enable Anycast and configure the shared IP address and MAC address that every instance answers to.

Anycast is supported on Cisco Nexus 9000 series switches whose model names end in EX or later (for example, N9K-C93180LC-EX).

Anycast can be configured on application EPGs or through Layer 4 to Layer 7 Services (with or without Policy-Based Redirect (PBR)).

Up to 2000 Anycast services are supported per fabric.

A service node is used for Anycast services in the pod where the policy is applied.

APIC deploys the configuration of the Anycast MAC and IP addresses to the leaf switches where the VRF is deployed or where there is a contract to allow an Anycast EPG.

Initially, each leaf switch installs the Anycast MAC and IP addresses as a proxy route pointing to the spine switch. When the first packet from the Anycast service is received, the destination information for the service is installed on the leaf switch to which the service is attached. All other leaf switches continue to point to the spine proxy. Once the Anycast service has been learned behind a leaf in a pod, COOP installs the entry on that pod's spine switch, pointing to the instance that is local to the pod.

When the Anycast service is also running in another pod, the spine receives the route for that remote instance through BGP-EVPN. If the service is already present locally, COOP only caches the remote pod's information; the route through the remote pod is installed only when the local instance of the service goes down.
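The following simplified model, added here to illustrate the resolution and failover behaviour described above, is not Cisco code and does not reproduce COOP or BGP-EVPN internals. It models only what the text states: every leaf starts with a spine-proxy route, a leaf that sees the service installs it locally, COOP points the pod's spine at the pod-local instance, and a remote pod's instance is cached and used only after the local one goes down. Pod and leaf identifiers, and the choice of the lowest-numbered surviving pod as the "nearest" remote instance, are assumptions made for the example.

```python
"""Simplified model of Anycast address resolution in a Multipod fabric.

Added example (not Cisco code). It tracks three tables that the chapter
describes: the leaf-local entry, the spine's pod-local entry installed by
COOP, and the remote-pod entries learned through BGP-EVPN and only cached
while a local instance is alive.
"""


class AnycastFabric:
    def __init__(self, pods):
        # pods: {pod_id: [leaf_id, ...]}  (constructed topology for the example)
        self.pods = pods
        self.leaf_local = {}    # leaf_id -> True once the service was learned on a local port
        self.spine_local = {}   # pod_id -> leaf_id of the pod-local instance (installed by COOP)
        self.spine_remote = {}  # pod_id -> {remote_pod_id: remote_leaf_id} cached via BGP-EVPN

    def learn(self, pod, leaf):
        """First packet from the Anycast service is seen behind `leaf` in `pod`."""
        self.leaf_local[leaf] = True
        self.spine_local[pod] = leaf
        # Spines in the other pods receive this instance through BGP-EVPN and cache it;
        # they keep preferring their own pod-local instance while it is up.
        for other in self.pods:
            if other != pod:
                self.spine_remote.setdefault(other, {})[pod] = leaf

    def service_down(self, pod):
        """The instance in `pod` fails: its leaf and spine entries are withdrawn everywhere."""
        leaf = self.spine_local.pop(pod, None)
        if leaf is not None:
            self.leaf_local.pop(leaf, None)
        for other in self.pods:
            self.spine_remote.get(other, {}).pop(pod, None)

    def resolve(self, pod, leaf):
        """Return where a packet from `leaf` in `pod` to the Anycast IP is forwarded,
        as (hop, pod_id, leaf_id), or None if no instance is known anywhere."""
        if self.leaf_local.get(leaf):
            return ("local-port", pod, leaf)
        # Every other leaf still points at the spine proxy; the spine prefers the pod-local instance.
        if pod in self.spine_local:
            return ("spine-proxy", pod, self.spine_local[pod])
        remote = self.spine_remote.get(pod, {})
        if remote:
            # Assumption for the example: lowest-numbered surviving pod counts as "nearest".
            rpod, rleaf = sorted(remote.items())[0]
            return ("spine-proxy", rpod, rleaf)
        return None


if __name__ == "__main__":
    fabric = AnycastFabric({1: [101, 102], 2: [201, 202]})
    fabric.learn(1, 101)
    fabric.learn(2, 201)
    print("pod1 leaf102 before failover:", fabric.resolve(1, 102))
    fabric.service_down(1)
    print("pod1 leaf102 after pod1 instance fails:", fabric.resolve(1, 102))
```

The point worth noticing is the last two calls: while the pod 1 instance is alive, pod 1 leaves never use the pod 2 instance even though the spine already knows about it; only after `service_down(1)` does traffic from pod 1 cross the IPN.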

Anycast services are not supported with the following features and options:

  • Multi-Site management

  • Remote leaf switches

  • Two firewalls in an Active/Standby relationship (in this scenario, the Anycast service is active in only one pod and all traffic is sent using the active service)

  • Firewalls that are deployed on two port channels (PCs)

  • Firewalls that are deployed on a single PC with redundant links

  • ECMP

  • Symmetric policy-based redirect

  • Pod ID Aware Redirection

  • IP SLA Monitoring Policies

  • Redirect Health Groups

  • DAD enabled on external devices, when Anycast IPv6 addresses are used

  • Remote IP address learning of the Anycast addresses (remote learning of the Anycast service MAC and IP addresses is turned off, to prevent IP address moves across the instances of the service)

  • Anycast services behind L3Outs

  • Using the MAC and IP addresses of an existing static endpoint as Anycast addresses.


Note

If you configure an Anycast MAC and IP address using the addresses for an existing static endpoint, the configuration is pushed from the APIC to the switch and no fault is generated, but the switch does not install the Anycast addresses in the hardware. Deleting the static endpoint does not resolve the problem. You must delete both the static endpoint and the Anycast configurations and reconfigure the Anycast addresses.


Configuring Anycast Services Using the NX-OS Style CLI

These examples show how to configure Anycast services using the NX-OS style CLI, in three ways:

  • Behind an EPG.

  • As part of a Layer 4 to Layer 7 Service Graph with Policy Based Redirect (PBR)

  • As part of a Layer 4 to Layer 7 Service Graph without PBR

Before you begin

  • The tenant, application profile, and application EPG have been created.

  • The node group and L3Out policies have already been created.

  • The Interpod Network (IPN) is already configured.

  • Multipod is configured.

  • In each pod, the spine switch used to connect to the IPN is also connected to at least one leaf switch.

  • ASA firewalls are installed in each pod.

Procedure


Step 1

Configure Anycast services behind an EPG subnet, using the following commands:

  1. configure

    Enters configuration mode.

    Example:

    apic1# configure
  2. tenant tenant-name

    Creates a tenant if it does not exist or enters tenant configuration mode.

    Example:

    apic1(config)# tenant anycast1-it
  3. application app-name

    Creates an application profile if it doesn't exist and enters application profile configuration mode.

    Example:

    apic1(config-tenant)# application AP0
  4. epg epg-name

    Creates an EPG if it doesn't exist and enters EPG configuration mode.

    Example:

    apic1(config-tenant-app)# epg epg1
  5. endpoint ip ip-address anycast mac-address

    Configures the Anycast IP address with netmask and MAC address for the Anycast service behind the EPG. The Anycast subnet must have a /32 or /128 netmask.

    Example:

    apic1(config-tenant-app-epg)# endpoint ip 1.2.3.4/32 anycast 00:11:22:33:44:55
Step 2

Configure Anycast for Layer 4 to Layer 7 services with PBR, using the following commands:

  1. configure

    Enters configuration mode.

    Example:

    apic1# configure
  2. tenant tenant-name

    Creates a tenant if it does not exist or enters tenant configuration mode.

    Example:

    apic1(config)# tenant t1
  3. svcredir-pol name

    Enters service-redirect policy mode and creates a service redirection policy.

    Example:

    apic1(config-tenant)# svcredir-pol N1Ext
  4. anycast enable

    Enables Anycast for the service redirection policy. Use the no form of the command to disable Anycast for the policy.

    Example:

    apic1(svcredir-pol)# anycast enable
  5. redir-dest ip-addr mac-addr

    Defines the Anycast IP and MAC addresses for the Layer 4 to Layer 7 service redirection policy.

    Example:

    apic1(svcredir-pol)# redir-dest 2000::25 00:00:00:00:00:07
Step 3

Configure Anycast for Layer 4 to Layer 7 services without PBR, with the following commands:

  1. configure

    Enters configuration mode.

    Example:

    apic1# configure
  2. tenant tenant-name

    Creates a tenant if it does not exist or enters tenant configuration mode.

    Example:

    apic1(config)# tenant t1
  3. l4l7 graph connector-name contract name

    Creates a Layer 4 to Layer 7 service graph associated with a contract.

    Example:

    apic1(config-tenant)# l4l7 graph WebGraph contract default
  4. service device-cluster-name

    Defines the service with a device cluster.

    Example:

    apic1(config-graph)# service N1
  5. connector name [cluster-interface cluster-interface-name]

    Enters connector configuration mode and defines the device cluster interface.

    Example:

    apic1(config-service)# connector provider
  6. subnet-ip IP-addr_with_netmask subnet-ctrl no-default-gateway

    Defines the Anycast IP address (with /32 netmask and the subnet control, no-default-gateway). To remove it, use the no form of the command.

    Example:

    apic1(config-connector)# subnet-ip 50.50.50.50/32 subnet-ctrl no-default-gateway
  7. mac-address mac-address

    Defines the Anycast MAC address. To remove it, use the no form of the command.

    Example:

    apic1(config-subnet-ip)# mac-address 00.00.00.00.00.50

Example

The following example configures Anycast services behind EPG epg1:

apic1# configure 
apic1(config)# tenant anycast1-it 
apic1(config-tenant)# application AP0 
apic1(config-tenant-app)# epg epg1
apic1(config-tenant-app-epg)# endpoint ip 1.2.3.4/32 anycast 00:11:22:33:44:55

The following example configures Anycast services in a Layer 4 to Layer 7 service redirection policy:

apic1# configure
apic1(config)# tenant t1
apic1(config-tenant)# svcredir-pol N1Ext
apic1(svcredir-pol)# anycast enable
apic1(svcredir-pol)# redir-dest 2000::25 00:00:00:00:00:07

The following example configures Anycast services in a Layer 4 to Layer 7 service without PBR:

apic1# configure
apic1(config)# tenant t1
apic1(config-tenant)# l4l7 graph WebGraph contract default
apic1(config-graph)# service N1
apic1(config-service)# connector provider
apic1(config-connector)# subnet-ip 50.50.50.50/32 subnet-ctrl no-default-gateway
apic1(config-subnet-ip)# mac-address 00.00.00.00.00.50
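The note in the first section warns that an Anycast address which reuses a static endpoint's IP and MAC is pushed to the switch without a fault but is never installed in hardware, so a pre-deployment check is worth more than a post-deployment one. The following script, added here as an example and not part of Cisco's tooling, parses the three CLI forms shown in this procedure (`endpoint ip ... anycast`, `redir-dest` under a policy with `anycast enable`, and `subnet-ip ... no-default-gateway` followed by `mac-address`) out of a pasted CLI transcript and checks them against the constraints this chapter states: a /32 or /128 mask, a well-formed MAC, no overlap with a static endpoint, and the limit of 2000 Anycast services per fabric. The sample transcript and the static endpoint table are constructed for the example; the real static endpoint list would have to be exported from the fabric.

```python
"""Pre-deployment checks for ACI Anycast entries written in NX-OS style CLI.

Added example, not Cisco code. Parses the three Anycast forms from this chapter
and validates them against the constraints the chapter states.
"""
import ipaddress
import re

MAX_ANYCAST_PER_FABRIC = 2000  # per-fabric limit stated in this chapter

_PROMPT = re.compile(r"^\S+#\s*")  # strips an 'apic1(config-...)# ' prefix if present
_EPG_EP = re.compile(r"^endpoint ip (\S+) anycast (\S+)$")
_SVCREDIR = re.compile(r"^svcredir-pol \S+$")
_REDIR_DEST = re.compile(r"^redir-dest (\S+) (\S+)$")
_SUBNET_IP = re.compile(r"^subnet-ip (\S+) subnet-ctrl no-default-gateway$")
_MAC_ADDR = re.compile(r"^mac-address (\S+)$")


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00.11.22.33.44.55 or 00-11-... and return lowercase colon form."""
    groups = re.split(r"[:.\-]", mac)
    if len(groups) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", g) for g in groups):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(g.lower() for g in groups)


def parse_anycast_entries(config_text):
    """Return (source, ip, mac) triples for every Anycast address in the CLI text."""
    entries = []
    anycast_pol = False    # set by 'anycast enable' inside the current svcredir-pol
    pending_subnet = None  # subnet-ip waiting for its mac-address line
    for raw in config_text.splitlines():
        line = _PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := _EPG_EP.match(line):
            entries.append(("epg", m.group(1), m.group(2)))
        elif _SVCREDIR.match(line):
            anycast_pol = False  # new policy context: Anycast is off until enabled
        elif line == "anycast enable":
            anycast_pol = True
        elif line == "no anycast enable":
            anycast_pol = False
        elif m := _REDIR_DEST.match(line):
            if anycast_pol:  # a redir-dest is an Anycast address only when the policy enables Anycast
                entries.append(("pbr", m.group(1), m.group(2)))
        elif m := _SUBNET_IP.match(line):
            pending_subnet = m.group(1)
        elif (m := _MAC_ADDR.match(line)) and pending_subnet:
            entries.append(("l4l7", pending_subnet, m.group(1)))
            pending_subnet = None
    return entries


def validate(entries, static_endpoints=(), limit=MAX_ANYCAST_PER_FABRIC):
    """Return a list of findings; an empty list means every check in this chapter passes."""
    findings = []
    statics = {(str(ipaddress.ip_address(ip)), normalize_mac(mac)) for ip, mac in static_endpoints}
    static_ips = {ip for ip, _ in statics}
    static_macs = {mac for _, mac in statics}
    for source, ip_text, mac_text in entries:
        label = f"{source} {ip_text} {mac_text}"
        try:
            mac = normalize_mac(mac_text)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
            continue
        try:
            iface = ipaddress.ip_interface(ip_text)  # a bare address (redir-dest) parses as a host
        except ValueError:
            findings.append(f"{label}: malformed IP address")
            continue
        # The chapter requires a /32 (IPv4) or /128 (IPv6) mask.
        if iface.network.prefixlen != iface.max_prefixlen:
            findings.append(f"{label}: mask must be /{iface.max_prefixlen}, got /{iface.network.prefixlen}")
        ip = str(iface.ip)
        if (ip, mac) in statics:
            # The chapter's note: pushed without a fault, but never installed in hardware.
            findings.append(f"{label}: reuses a static endpoint's IP and MAC (silently not installed)")
        elif ip in static_ips or mac in static_macs:
            findings.append(f"{label}: overlaps a static endpoint's IP or MAC; review before deploying")
    if len(entries) > limit:
        findings.append(f"{len(entries)} Anycast entries exceed the per-fabric limit of {limit}")
    return findings


# Constructed sample transcript: one EPG entry that collides with a static endpoint,
# one PBR entry, one redir-dest without 'anycast enable' (ignored), and one non-PBR
# entry with a /24 mask, which the chapter does not allow.
SAMPLE_CONFIG = """\
apic1(config-tenant-app-epg)# endpoint ip 1.2.3.4/32 anycast 00:11:22:33:44:55
apic1(config-tenant)# svcredir-pol N1Ext
apic1(svcredir-pol)# anycast enable
apic1(svcredir-pol)# redir-dest 2000::25 00:00:00:00:00:07
apic1(config-tenant)# svcredir-pol NoAnycast
apic1(svcredir-pol)# redir-dest 10.9.9.9 00:00:00:00:00:09
apic1(config-connector)# subnet-ip 50.50.50.0/24 subnet-ctrl no-default-gateway
apic1(config-subnet-ip)# mac-address 00.00.00.00.00.50
"""
# Constructed static endpoint table; the first entry deliberately collides with the EPG line above.
STATIC_ENDPOINTS = [("1.2.3.4", "00:11:22:33:44:55")]

if __name__ == "__main__":
    for finding in validate(parse_anycast_entries(SAMPLE_CONFIG), STATIC_ENDPOINTS):
        print(finding)
```

Run against the sample, the script reports the static-endpoint collision and the /24 mask and stays silent about the `redir-dest` under `NoAnycast`, which is an ordinary redirect destination rather than an Anycast address. Because the collision produces no fault on the APIC, this is the kind of check to run before the configuration is pushed, not after.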