

Cisco ACI でよく使う common/filter (2019/10/07 版)

以前に Cisco ACI で Common に定義しておきたい「よく使う Filter」 というメモを書きました。 フィルタに若干、対応アプリケーションを増やした XML ファイルを改めてメモしておきます。

初期の common/Filter

ACI 4.2(1j) の場合、初期状態では common テナントに以下の 4 フィルタが設定されていました。

apic# show running-config tenant common access-list
(--snip--)
  tenant common
    access-list arp
      match arp
      exit
    access-list default
      match raw default
      exit
    access-list est
      match raw est etherT ip prot 6 tcpRules est
      exit
    access-list icmp
      match icmp
      exit
    exit

common / filter 用 XML ファイル

更新版のフィルタは下記です。 uni/tn-common へ Post します。

<?xml version="1.0" encoding="UTF-8"?>
<!-- Filter set for the ACI "common" tenant; POST this document to uni/tn-common.
     Each vzFilter below carries exactly one vzEntry named "Entry-01". -->
<imdata totalCount="1">
  <fvTenant descr="" dn="uni/tn-common" name="common" nameAlias="" ownerKey="" ownerTag="">
    <!-- "Any": etherT="ip" with prot and all ports left unspecified, so it matches every IP
         packet regardless of protocol or port. A contract that uses this filter is therefore
         not restricted by L4 at all; prefer one of the narrower filters where possible. -->
    <vzFilter descr="" name="Any" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="unspecified" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Arp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="arp" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="unspecified" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <!-- Destination-port-only filters follow: sFromPort/sToPort stay "unspecified" and only
         dFromPort/dToPort are set. Symbolic port names ("dns", "http", "https", "pop3", "smtp")
         and numeric ports are both accepted; the CLI shows the numeric value either way. -->
    <vzFilter descr="" name="Dns" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="dns" dToPort="dns" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Http" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="http" dToPort="http" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Https" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="https" dToPort="https" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <!-- ICMP filters use etherT="ipv4"/"ipv6" (not "ip") with prot="icmp"/"icmpv6";
         icmpv4T/icmpv6T are left unspecified, so every ICMP type is matched. -->
    <vzFilter descr="" name="Icmpv4" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ipv4" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="icmp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Icmpv6" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ipv6" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="icmpv6" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Imap" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="143" dToPort="143" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ldap" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="389" dToPort="389" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ldaps" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="636" dToPort="636" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ntp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="123" dToPort="123" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Pop3" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="pop3" dToPort="pop3" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <!-- Radius and Snmp are port ranges (dFromPort != dToPort): 1812-1813 and 161-162. -->
    <vzFilter descr="" name="Radius" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="1812" dToPort="1813" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Smtp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="smtp" dToPort="smtp" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Snmp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="161" dToPort="162" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ssh" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="22" dToPort="22" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Submission" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="587" dToPort="587" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Syslog" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="514" dToPort="514" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="TacacsPlus" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="49" dToPort="49" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <!-- "TcpEstablished": TCP with no ports and tcpRules="est", i.e. only packets belonging to an
         already-established TCP session (the CLI renders it as "prot 6 tcpRules est"), matching
         the built-in "est" filter that ships in the common tenant.
         NOTE(review): stateful="no" on every entry in this file; confirm whether stateful="yes"
         is wanted on the TCP filters so that reply traffic is tied to an established session. -->
    <vzFilter descr="" name="TcpEstablished" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules="est"/>
    </vzFilter>
    <vzFilter descr="" name="Telnet" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="23" dToPort="23" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
  </fvTenant>
</imdata>

設定されるフィルタ

この XML ファイルを Post した場合、common テナントに設定されるフィルタは以下です。

| No. | Filter | Entry Name | EtherType | ARP Flag | IP Protocol | Match Only Fragment | Stateful | Source Port | Destination Port | TCP Session Rules |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Any | Entry-01 | IP | | unspecified | False | False | | | |
| 2 | Arp | Entry-01 | ARP | unspecified | | | | | | |
| 3 | Dns | Entry-01 | IP | | udp | False | False | unspecified | dns | |
| 4 | Http | Entry-01 | IP | | tcp | False | False | unspecified | http | |
| 5 | Https | Entry-01 | IP | | tcp | False | False | unspecified | https | |
| 6 | Icmpv4 | Entry-01 | IPv4 | | icmp | False | False | | | |
| 7 | Icmpv6 | Entry-01 | IPv6 | | icmpv6 | False | False | | | |
| 8 | Imap | Entry-01 | IP | | tcp | False | False | unspecified | 143 | |
| 9 | Ldap | Entry-01 | IP | | tcp | False | False | unspecified | 389 | |
| 10 | Ldaps | Entry-01 | IP | | tcp | False | False | unspecified | 636 | |
| 11 | Ntp | Entry-01 | IP | | udp | False | False | unspecified | 123 | |
| 12 | Pop3 | Entry-01 | IP | | tcp | False | False | unspecified | pop3 | |
| 13 | Radius | Entry-01 | IP | | udp | False | False | unspecified | 1812-1813 | |
| 14 | Smtp | Entry-01 | IP | | tcp | False | False | unspecified | smtp | |
| 15 | Snmp | Entry-01 | IP | | udp | False | False | unspecified | 161-162 | |
| 16 | Ssh | Entry-01 | IP | | tcp | False | False | unspecified | 22 | |
| 17 | Submission | Entry-01 | IP | | tcp | False | False | unspecified | 587 | |
| 18 | Syslog | Entry-01 | IP | | udp | False | False | unspecified | 514 | |
| 19 | TacacsPlus | Entry-01 | IP | | tcp | False | False | unspecified | 49 | |
| 20 | TcpEstablished | Entry-01 | IP | | tcp | False | False | unspecified | unspecified | Established |
| 21 | Telnet | Entry-01 | IP | | tcp | False | False | unspecified | 23 | |

（No. 3 の Dns は XML の prot="udp" および CLI の "match udp dest 53" に合わせて udp、No. 6 は XML の name="Icmpv4" に合わせて表記しています。）

CLI でコンフィグを確認する

この XML ファイルを設定後、CLI を確認すると以下のようになります。

apic# show running-config tenant common access-list
(--snip--)
  tenant common
    access-list Any
      match ip
      exit
    access-list Arp
      match arp
      exit
    access-list Dns
      match udp dest 53
      exit
    access-list Http
      match tcp dest 80
      exit
    access-list Https
      match tcp dest 443
      exit
    access-list Icmpv4
      match raw Entry-01 etherT ipv4 prot 1
      exit
    access-list Icmpv6
      match raw Entry-01 etherT ipv6 prot 58
      exit
    access-list Imap
      match tcp dest 143
      exit
    access-list Ldap
      match tcp dest 389
      exit
    access-list Ldaps
      match tcp dest 636
      exit
    access-list Ntp
      match udp dest 123
      exit
    access-list Pop3
      match tcp dest 110
      exit
    access-list Radius
      match udp dest 1812-1813
      exit
    access-list Smtp
      match tcp dest 25
      exit
    access-list Snmp
      match udp dest 161-162
      exit
    access-list Ssh
      match tcp dest 22
      exit
    access-list Submission
      match tcp dest 587
      exit
    access-list Syslog
      match udp dest 514
      exit
    access-list TacacsPlus
      match tcp dest 49
      exit
    access-list TcpEstablished
      match raw Entry-01 etherT ip prot 6 tcpRules est
      exit
    access-list Telnet
      match tcp dest 23
      exit
    access-list arp
      match arp
      exit
    access-list default
      match raw default
      exit
    access-list est
      match raw est etherT ip prot 6 tcpRules est
      exit
    access-list icmp
      match icmp
      exit
    exit