らくがきちょう (Scribble Pad)

Just jotting things down ~ unrelated to any organization I belong to; these are my personal views ~

Zoning-Rules in ACI for each Apply Both Directions / Reverse Filter Ports combination

To define permit/deny rules for traffic between EPGs in Cisco ACI you need a Contract. A Contract has a three-level structure: Contract → Subject → Filter.


A Subject created under a Contract has the following two settings:

  1. Apply Both Directions
  2. Reverse Filter Ports


Because of the rule that "disabling Apply Both Directions also disables Reverse Filter Ports", only the following three combinations are possible (you cannot configure Reverse Filter Ports enabled while Apply Both Directions is disabled; you can force it from the CLI, but when Apply Both Directions is unchecked the Reverse Filter Ports setting makes no difference to behaviour).

No.  Apply Both Directions  Reverse Filter Ports
1    disabled               disabled
2    enabled                disabled
3    enabled                enabled

Below I check how the Zoning-Rules appear for each of these patterns. The verification was done on 5.0(2h).
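Before looking at the leaf-side output, here is a small audit that classifies every Subject in an APIC configuration into one of the three patterns above and flags pattern 2, the one where the service ports end up open from either side. This is an added example, not code from the original post or from Cisco. It works on a constructed JSON blob in the shape of an APIC REST reply (`/api/class/vzSubj.json?rsp-subtree=children`), and it assumes, which the post does not state, that "Reverse Filter Ports" is the `revFltPorts` attribute of `vzSubj`, that filters of a both-directions Subject hang directly off the Subject as `vzRsSubjFiltAtt`, and that unchecking Apply Both Directions moves them under `vzInTerm` / `vzOutTerm` children.

```python
import json

# Constructed sample in the shape of an APIC reply to
# /api/class/vzSubj.json?rsp-subtree=children (built for this example, not a real capture).
# Assumptions not stated on this page: "Reverse Filter Ports" is vzSubj.revFltPorts; a
# both-directions Subject attaches its filters directly via vzRsSubjFiltAtt; unchecking
# "Apply Both Directions" attaches them under vzInTerm / vzOutTerm instead.
APIC_REPLY = json.dumps({"totalCount": "3", "imdata": [
    {"vzSubj": {"attributes": {"dn": "uni/tn-Tenant1/brc-Contract1/subj-Subj1", "revFltPorts": "no"},
                "children": [{"vzInTerm": {"attributes": {"name": ""}}},
                             {"vzOutTerm": {"attributes": {"name": ""}}}]}},
    {"vzSubj": {"attributes": {"dn": "uni/tn-Tenant1/brc-Contract2/subj-Subj1", "revFltPorts": "no"},
                "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "Filter1"}}}]}},
    {"vzSubj": {"attributes": {"dn": "uni/tn-Tenant1/brc-Contract3/subj-Subj1", "revFltPorts": "yes"},
                "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "Filter1"}}}]}},
]})

PATTERNS = {  # the three combinations from the table above
    1: "Apply Both Directions off (filters under In/Out terms); revFltPorts has no effect",
    2: "Apply Both Directions on, Reverse Filter Ports off: service ports open from either side",
    3: "Apply Both Directions on, Reverse Filter Ports on: reverse direction matches replies only",
}


def subject_pattern(subj):
    """Map one vzSubj MO (attributes + children) to pattern 1, 2 or 3; None if it has no filters."""
    child_classes = {next(iter(child)) for child in subj.get("children", [])}
    if "vzRsSubjFiltAtt" in child_classes:          # filters directly on the Subject = both directions
        return 3 if subj["attributes"].get("revFltPorts") == "yes" else 2
    if child_classes & {"vzInTerm", "vzOutTerm"}:    # filters per direction = Apply Both Directions off
        return 1
    return None


def audit(reply_json):
    """Return [(dn, pattern)] for every Subject in the reply."""
    result = []
    for mo in json.loads(reply_json)["imdata"]:
        subj = mo["vzSubj"]
        result.append((subj["attributes"]["dn"], subject_pattern(subj)))
    return result


def needs_review(reply_json):
    """Subjects where every filter port is reachable in both directions (pattern 2)."""
    return [dn for dn, pattern in audit(reply_json) if pattern == 2]


if __name__ == "__main__":
    for dn, pattern in audit(APIC_REPLY):
        print(dn, "->", pattern, PATTERNS.get(pattern, "no filters attached"))
```

Pattern 2 is not wrong in itself (a peer-to-peer protocol may need it), but it is the one worth a second look during review, because the filter's destination ports are permitted from both EPGs rather than only from the consumer side.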

Filter Entry contents

Three Filter Entries are defined:

  • Permit ICMP
  • Permit TCP/22
  • Permit UDP/53

1. No EPG created

With the test Tenant not yet created, the Policy Count was 65.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 65 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

2. EPG created, no Contract

After creating the test Tenant and its EPGs, but with no Contract yet, the Policy Count was 69. Even though no Contract has been created explicitly, the implicit rules (Implicit Rules) that belong to the VRF are programmed as contracts automatically, so the Policy Count goes up. Looking at the output of contract_parser.py and show zoning-rule, you can see that implicit / implarp rules exist. As their Priority values also show, these rules belong to the EPG Collection for VRF (commonly called "vzAny"). I may write a separate note on Zoning-Rule Priority values if I get around to it.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 69 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |      |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |      | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |      |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |      | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |      |  permit  |   any_dest_any(16)   |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+

show zoning-filter

With no Contract created, there is no specific-EPG-to-specific-EPG Zoning-Filter. You can check the implicit Zoning-Filters with show zoning-filter, but the "specific

3. Unidirectional (In) / without Reverse Filter Ports

Apply Both Directions is not set, i.e. the Contract is unidirectional and the filter is attached only on the In side. Reverse Filter Ports is not set.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 72 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4196  | 16386  | 32771  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

4. Unidirectional (In) / with Reverse Filter Ports

As in 3. above, Apply Both Directions is not set, i.e. the Contract is unidirectional with the filter only on the In side, but this time Reverse Filter Ports is forced on from the CLI. When Apply Both Directions is disabled, forcing Reverse Filter Ports on from the CLI makes no difference to behaviour, as the output below shows.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 72 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4196  | 16386  | 32771  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

5. Unidirectional (Out) / without Reverse Filter Ports

Apply Both Directions is not set, i.e. the Contract is unidirectional and the filter is attached only on the Out side. Reverse Filter Ports is not set.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 72 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53 
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4196  | 32771  | 16386  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

6. Unidirectional (Out) / with Reverse Filter Ports

As in 5. above, Apply Both Directions is not set, i.e. the Contract is unidirectional with the filter only on the Out side, but this time Reverse Filter Ports is forced on from the CLI. When Apply Both Directions is disabled, forcing Reverse Filter Ports on from the CLI makes no difference to behaviour, as the output below shows.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 72 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53 
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4196  | 32771  | 16386  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

7. Both / without Reverse Filter Ports

Apply Both Directions is set. Reverse Filter Ports is not set.

Policy count

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 75 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 
[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53 
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

Because Apply Both Directions is enabled, a rule in the reverse direction has been created. Note, however, that both rules reference the same Filter ID, 237. Since filter 237 matches on destination port (ssh, dns), the reverse rule (32771 → 16386) also permits traffic to TCP/22 and UDP/53, so Epg2 can initiate SSH or DNS toward Epg1 just as Epg1 can toward Epg2. This is a symmetric permit, not a "return traffic" rule.

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit | uni-dir | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  | uni-dir | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit | uni-dir | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit | uni-dir | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4196  | 16386  | 32771  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4178  | 32771  | 16386  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

8. Both / with Reverse Filter Ports

Apply Both Directions is set. Reverse Filter Ports is set as well.

Policy count

As with Reverse Filter Ports unset, the Policy Count is 75.

leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 75 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh 
                                   ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 
[7:4196] [vrf:Tenant1:Vrf1] permit ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 tn-Tenant1/ap-Ap1/epg-Epg1(16386)  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
                                   ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386) 
                                   ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386)
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

This is where Reverse Filter Ports makes the big difference. It is the same EPG pair, but the forward and return directions use different Filter IDs (237 and 238), and the Dir column now shows bi-dir / uni-dir-ignore instead of uni-dir.

leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4170  |   0    | 49154  | implicit |    uni-dir     | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4182  |   0    |   0    | implicit |    uni-dir     | enabled | 2981891 |                   | deny,log |   any_any_any(21)    |
|   4183  |   0    |   0    | implarp  |    uni-dir     | enabled | 2981891 |                   |  permit  |  any_any_filter(17)  |
|   4181  |   0    |   15   | implicit |    uni-dir     | enabled | 2981891 |                   | deny,log | any_vrf_any_deny(22) |
|   4179  |   0    | 49153  | implicit |    uni-dir     | enabled | 2981891 |                   |  permit  |   any_dest_any(16)   |
|   4178  | 16386  | 32771  |   237    |     bi-dir     | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4196  | 32771  | 16386  |   238    | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

Filter ID 237 is exactly as configured.

leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+

Filter ID 238, auto-generated by Reverse Filter Ports, has the source and destination ports swapped relative to Filter ID 237. The reverse rule (32771 → 16386) therefore matches only packets whose source port is 22 or 53, i.e. replies from the server side, and Epg2 can no longer initiate SSH or DNS toward Epg1.

leaf# show zoning-filter filter 238
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|   238    | 238_2 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
|   238    | 238_1 |   ip   | unspecified | tcp  |      no     |    no    |     ssh     |     ssh     | unspecified | unspecified | sport | unspecified | unspecified |          |
|   238    | 238_0 |   ip   | unspecified | udp  |      no     |    no    |     dns     |     dns     | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
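The difference between patterns 7 and 8 is easy to miss when reading the tables by hand, so here is an added example (my own code, not from the original post or from Cisco) that parses `show zoning-rule` and `show zoning-filter` output and reports which EPG(s) may initiate a connection under a contract. The samples are trimmed copies of the tables shown above for patterns 3, 7 and 8, with the implicit rules left out; the function and pattern names are mine.

```python
"""From a leaf's `show zoning-rule` / `show zoning-filter` output, work out which side of an
EPG pair may initiate a connection under a given contract."""

# Constructed samples, trimmed from the tables shown on this page for patterns 3, 7 and 8
# (only the contract rows are kept; the implicit rules play no part in this check).
RULES_ONE_WAY = """\
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
|   4196  | 16386  | 32771  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
"""
RULES_BOTH_SAME_FILTER = """\
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |        Name       |  Action  |       Priority       |
|   4196  | 16386  | 32771  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4178  | 32771  | 16386  |   237    | uni-dir | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
"""
RULES_BOTH_REVERSED = """\
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
|   4178  | 16386  | 32771  |   237    |     bi-dir     | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4196  | 32771  | 16386  |   238    | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
"""
FILTERS = """\
| FilterId |  Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
|   237    | 237_2 |   ip   | unspecified | udp  |      no     |    no    | unspecified | unspecified |     dns     |     dns     | dport | unspecified | unspecified |          |
|   237    | 237_1 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     ssh     |     ssh     | dport | unspecified | unspecified |          |
|   237    | 237_0 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
|   238    | 238_2 |   ip   | unspecified | icmp |      no     |    no    | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified |          |
|   238    | 238_1 |   ip   | unspecified | tcp  |      no     |    no    |     ssh     |     ssh     | unspecified | unspecified | sport | unspecified | unspecified |          |
|   238    | 238_0 |   ip   | unspecified | udp  |      no     |    no    |     dns     |     dns     | unspecified | unspecified | sport | unspecified | unspecified |          |
"""

UNSPEC = "unspecified"


def parse_table(text):
    """Turn an NX-OS style ASCII table into a list of dicts keyed by the header cells."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +----+ borders and the command prompt line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def l4_ports(entries, side):
    """(protocol, from, to) for every entry that constrains the given port side ('S' or 'D')."""
    return {(e["Prot"], e[f"{side}FromPort"], e[f"{side}ToPort"])
            for e in entries if e[f"{side}FromPort"] != UNSPEC}


def classify_contract(rule_text, filter_text, name):
    """Return which EPG(s) can initiate under contract `name`, and why."""
    rules = [r for r in parse_table(rule_text) if r["Name"] == name]
    if not rules:
        return {"pattern": "no-rules", "initiators": [], "rules": []}
    filters = {}
    for entry in parse_table(filter_text):
        filters.setdefault(entry["FilterId"], []).append(entry)
    # The consumer->provider rule is the one whose filter matches on destination ports.
    fwd = next((r for r in rules if l4_ports(filters[r["FilterID"]], "D")), rules[0])
    rev = [r for r in rules if r is not fwd]
    initiators = {fwd["SrcEPG"]}
    if not rev:
        pattern = "one-way"                          # patterns 3-6: no reverse rule at all
    elif rev[0]["FilterID"] == fwd["FilterID"]:
        pattern = "both-directions-same-filter"      # pattern 7: dport filter in both directions
        initiators.add(rev[0]["SrcEPG"])             # ...so the other EPG can initiate too
    elif l4_ports(filters[rev[0]["FilterID"]], "S") == l4_ports(filters[fwd["FilterID"]], "D"):
        pattern = "both-directions-reverse-ports"    # pattern 8: reverse filter matches sport only
    else:
        pattern = "asymmetric-unexpected"            # two filters that are not mirror images
    return {"pattern": pattern, "initiators": sorted(initiators),
            "rules": [(r["SrcEPG"], r["DstEPG"], r["FilterID"], r["Dir"]) for r in rules]}


if __name__ == "__main__":
    for label, text in [("3", RULES_ONE_WAY), ("7", RULES_BOTH_SAME_FILTER), ("8", RULES_BOTH_REVERSED)]:
        print("pattern", label, classify_contract(text, FILTERS, "Tenant1:Contract1"))
```

On a real leaf you would paste the output of `show zoning-rule scope <scope>` and `show zoning-filter` for each Filter ID referenced; the parser ignores the `+----+` border lines and the prompt, so the tables can be passed in as copied. The check deliberately relies on the filter port columns rather than on the Dir column, because it is the filter contents that decide who can open a connection.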