らくがきちょう

Casual notes ~ Unrelated to any organization or group I belong to; these are my personal views ~

Zoning-Rules created when an ExtEpg is connected to an AppEpg in ACI

In Cisco ACI, the Zoning-Rules created when an ExtEpg (External EPG) and an AppEpg (Application EPG) are joined by a Contract are essentially no different from those created when two AppEpgs are joined by a Contract. This time I actually put a Contract between an ExtEpg and an AppEpg and checked the Zoning-Rules that get created. Testing was done on a 5.0(2h) environment.

Test environment

As shown below, I connected an ExtEpg and an AppEpg with a simple 1 : 1 Contract. Three routes were registered in the ExtEpg. As the results later in this post show, the number of Subnets registered in the ExtEpg has no effect on the Zoning-Rules that are created.

[Figure: test topology, one ExtEpg and one AppEpg joined by a single Contract]

1. State with no Contract configured

Policy count

leaf1 showed the following.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 75 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

leaf2 showed the following.

leaf2# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 68 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf1 showed the following.

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4169] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

leaf2 showed the following.

leaf2# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4196] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf1 showed the following.

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
|   4172  |   0    |   0    | implicit | uni-dir | enabled | 2326533 |      | deny,log |   any_any_any(21)    |
|   4169  |   0    |   0    | implarp  | uni-dir | enabled | 2326533 |      |  permit  |  any_any_filter(17)  |
|   4173  |   0    |   15   | implicit | uni-dir | enabled | 2326533 |      | deny,log | any_vrf_any_deny(22) |
|   4171  |   0    | 49153  | implicit | uni-dir | enabled | 2326533 |      |  permit  |   any_dest_any(16)   |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+

leaf2 showed the following.

leaf2# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4196  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4182  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4183  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4181  |   0    | 49153  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

Since no Contract is configured, no explicit Filters are programmed.

2. State with the Contract configured

Policy count

leaf1 showed the following. The count has increased by 2.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 77 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

leaf2 showed the following. It has also increased by 2.

leaf2# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 70 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf1 showed the following.

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4174] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386)  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4169] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

leaf2 showed the following.

leaf2# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4179] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386)  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4196] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf1 showed the following.

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4172  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4169  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4173  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4171  |   0    | 49153  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4174  | 16386  | 49154  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4168  | 49154  | 16386  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

leaf2 showed the following.

leaf2# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4196  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4182  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4183  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4181  |   0    | 49153  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4178  | 16386  | 49154  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4179  | 49154  | 16386  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf1 showed the following.

leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    18    | 18_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    ssh    |   ssh   | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    19    | 19_0 |   ip   | unspecified | tcp  |      no     |    no    |    ssh    |   ssh   | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+

leaf2 showed the following.

leaf2# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    18    | 18_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    ssh    |   ssh   | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
leaf2# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    19    | 19_0 |   ip   | unspecified | tcp  |      no     |    no    |    ssh    |   ssh   | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
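As an added example (not part of the original post), the Python below parses the leaf1 `show zoning-rule` tables from before and after the Contract, reports the rules the Contract added, checks that they are only permits between the two pcTags (16386 and 49154), and checks that their number matches the +2 seen in policy_count. The sample tables and column names are copied from the post; the audit function itself is my own assumption about what an operator would want to verify.

```python
# Added example, not part of the original post: parse the ASCII table that
# "show zoning-rule" prints, diff a pre-Contract and a post-Contract snapshot
# of the same leaf, and check that only the expected rules were added.
# The two snapshots below are leaf1's tables from the post (border lines omitted).
BEFORE = """\
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |       Priority       |
|   4172  |   0    |   0    | implicit | uni-dir | enabled | 2326533 |      | deny,log |   any_any_any(21)    |
|   4169  |   0    |   0    | implarp  | uni-dir | enabled | 2326533 |      |  permit  |  any_any_filter(17)  |
|   4173  |   0    |   15   | implicit | uni-dir | enabled | 2326533 |      | deny,log | any_vrf_any_deny(22) |
|   4171  |   0    | 49153  | implicit | uni-dir | enabled | 2326533 |      |  permit  |   any_dest_any(16)   |
"""
AFTER = """\
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
|   4172  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4169  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4173  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4171  |   0    | 49153  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4174  | 16386  | 49154  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4168  | 49154  | 16386  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
"""

def parse_zoning_rules(table):
    """Return {rule_id: {column: value}} for every data row of a show zoning-rule table."""
    rows = [l for l in table.splitlines() if l.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    rules = {}
    for row in rows[1:]:
        cells = [c.strip() for c in row.strip("|").split("|")]
        rec = dict(zip(header, cells))
        rules[int(rec["Rule ID"])] = rec
    return rules

def added_rules(before, after):
    """Rules present after the change but not before, keyed by Rule ID."""
    old, new = parse_zoning_rules(before), parse_zoning_rules(after)
    return {rid: r for rid, r in new.items() if rid not in old}

def audit_contract(before, after, src_pctag, dst_pctag, policy_count_delta):
    """Flag added rules that are not permits between the two pcTags, and compare count to the ASIC delta."""
    added = added_rules(before, after)
    pair = {str(src_pctag), str(dst_pctag)}
    unexpected = [r for r in added.values()
                  if {r["SrcEPG"], r["DstEPG"]} != pair or r["Action"] != "permit"]
    return {
        "added": sorted(added),
        "unexpected": [int(r["Rule ID"]) for r in unexpected],
        "count_matches": len(added) == policy_count_delta,
    }

if __name__ == "__main__":
    print(audit_contract(BEFORE, AFTER, 16386, 49154, 77 - 75))
```

Any rule listed under "unexpected" would mean the Contract (or something else changed at the same time) programmed a permit outside the intended EPG pair and deserves a look before the change is signed off.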