らくがきちょう

Just jottings ~ unrelated to any organization I belong to; these are my personal views ~

Zoning-Rules when EPG Contract Inheritance is configured in ACI

In Cisco ACI, when several EPGs attach to a Contract in exactly the same way, you can create a "parent EPG" called the Master and have the "child EPGs" reference that Master. This feature is called EPG Contract Inheritance. As the EPG Contract Inheritance (Contract Inheritance) documentation also notes, EPG Contract Inheritance does not reduce Policy CAM resource consumption. In this post I actually configure EPG Contract Inheritance and check how the Zoning-Rules are deployed. The test was run on an ACI 5.0(2h) environment.

Case: EPGs created, no Contract

With 6 EPGs created and no Contract, policy_count in this environment was 73.

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 73 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0 

The Zoning-Rules were as follows.

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A1(16387) [contract:implicit] [hit=0]
[16:4195] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B3(16388) [contract:implicit] [hit=0]
[16:4175] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A3(32770) [contract:implicit] [hit=0]
[16:4173] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A2(49153) [contract:implicit] [hit=0]
[16:4193] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B1(49154) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B2(49155) [contract:implicit] [hit=0]
[16:4191] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4178] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4168] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

Case: Contract without Inheritance

Without using EPG Contract Inheritance, the Contract is configured as shown in the figure below.

[Figure: Contract configuration without EPG Contract Inheritance]

policy_count was 91.

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 91 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

The Zoning-Rules were as follows.

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4173] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4177] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4189] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4185] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4175] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4179] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4134] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4180] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4192] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4184] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4191] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4188] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4190] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(49157) tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4182] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) tn-Tenant1/ap-Ap1/epg-Epg-A2(16388) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4186] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(49158) tn-Tenant1/ap-Ap1/epg-Epg-A3(16389) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A3(16386) [contract:implicit] [hit=0]
[16:4187] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A1(32770) [contract:implicit] [hit=0]
[16:4194] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A2(32771) [contract:implicit] [hit=0]
[16:4168] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B1(49154) [contract:implicit] [hit=0]
[16:4195] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B2(49155) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B3(49156) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4193] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

Case: Contract using Inheritance

Using EPG Contract Inheritance, the Contract is configured as shown in the figure below.

[Figure: Contract configuration with EPG Contract Inheritance]

policy_count was 91.

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 91 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

The Zoning-Rules were as follows. Apart from RuleIds and pcTags, the content is the same as in the case without Inheritance.

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4183] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4181] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4190] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4186] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4179] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4188] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4134] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) tn-Tenant1/ap-Ap1/epg-Epg-B3(16387) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4187] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4180] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4175] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4185] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4182] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4192] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) tn-Tenant1/ap-Ap1/epg-Epg-A2(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4173] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4174] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-B2(32776) tn-Tenant1/ap-Ap1/epg-Epg-A3(32774) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4193] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A1(32770) [contract:implicit] [hit=0]
[16:4195] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A2(32771) [contract:implicit] [hit=0]
[16:4177] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-A3(32772) [contract:implicit] [hit=0]
[16:4189] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B1(49154) [contract:implicit] [hit=0]
[16:4191] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B2(49155) [contract:implicit] [hit=0]
[16:4176] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd-B3(49156) [contract:implicit] [hit=0]
[16:4196] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4194] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4184] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

Summary

If the resulting Contract has the same meaning, Policy CAM consumption is the same regardless of whether EPG Contract Inheritance is used or not.

No.  Test Case                                        policy_count
1    No EPGs created                                  65
2    EPGs created only, no Contract                   73
3    Contract without EPG Contract Inheritance        91
4    Contract using EPG Contract Inheritance          91

Note that Policy CAM usage can be calculated with the following formula.

Number of Src EPGs x Number of Dst EPGs x Number of Filter Entries x 2 (if the direction is Both)

In this case the formula becomes:

3 x 3 x 1 x 2 = 18

Therefore, 18 is added to the 73 of No. 2, giving 91 in No. 3 and No. 4.
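As an added example (not code from the original post), here is a small Python parser for the contract_parser.py line format shown above, together with the Policy CAM formula. It also compares two dumps by policy intent only, dropping the RuleId and pcTag that differ between the with- and without-Inheritance outputs; the two sample lines are taken from the dumps above.

```python
import re

# Parses one contract_parser.py line in the format shown in the post:
# [prio:RuleId] [vrf:...] action protocol src-epg dst-epg [contract:...] [hit=count]
RULE_RE = re.compile(
    r"\[(?P<prio>\d+):(?P<rule_id>\d+)\]\s+\[vrf:(?P<vrf>[^\]]+)\]\s+"
    r"(?P<body>.+?)\s+\[contract:(?P<contract>[^\]]+)\]\s+\[hit=(?P<hit>\d+)\]$"
)
PCTAG_RE = re.compile(r"\(\d+\)")  # strips the "(16387)" pcTag suffix from an EPG/BD name

def parse_rule(line):
    """Return a dict for one zoning-rule line, or None for Key/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    # The protocol may be one token ("any", "arp") or two ("ip icmp"), so peel
    # the action off the front and src/dst off the back of the middle section.
    action, *proto, src, dst = m["body"].split()
    return {"prio": int(m["prio"]), "rule_id": int(m["rule_id"]), "action": action,
            "proto": " ".join(proto), "src": src, "dst": dst,
            "contract": m["contract"], "hit": int(m["hit"])}

def contract_rules(output, contract_suffix):
    """Rules whose contract DN ends with contract_suffix (e.g. 'brc-Contract1')."""
    rules = (parse_rule(l) for l in output.splitlines())
    return [r for r in rules if r and r["contract"].endswith(contract_suffix)]

def expected_rules(src_epgs, dst_epgs, filter_entries, both_directions=True):
    """Policy CAM formula from the post: Src EPGs x Dst EPGs x Filter entries x 2 (if Both)."""
    return src_epgs * dst_epgs * filter_entries * (2 if both_directions else 1)

def normalize(output):
    """Reduce a dump to its policy intent (RuleIds and pcTags dropped) so two
    contract_parser.py outputs can be compared for semantic equality."""
    keyed = set()
    for r in filter(None, map(parse_rule, output.splitlines())):
        keyed.add((r["action"], r["proto"], PCTAG_RE.sub("", r["src"]),
                   PCTAG_RE.sub("", r["dst"]), r["contract"]))
    return keyed

# Sample input: the Epg-A1 -> Epg-B1 rule from each dump in the post (different RuleId/pcTag).
WITHOUT_INHERIT = "[7:4173] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(16387) tn-Tenant1/ap-Ap1/epg-Epg-B1(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]"
WITH_INHERIT = "[7:4188] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg-A1(32773) tn-Tenant1/ap-Ap1/epg-Epg-B1(32775) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]"

if __name__ == "__main__":
    print("formula 3x3x1x2 =", expected_rules(3, 3, 1))
    print("same policy intent:", normalize(WITHOUT_INHERIT) == normalize(WITH_INHERIT))
```

Feed it the full dump for a VRF and `len(contract_rules(dump, "brc-Contract1"))` should equal the formula result (18 here), while `normalize()` of the two dumps should be equal.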