らくがきちょう (Scratchpad)

Just jotting things down ~ unrelated to any organization or group I belong to; these are my personal views ~

Zoning-Rules in ACI when a Preferred Group is configured

With Cisco ACI Contract Preferred Groups, the EPGs in a VRF can be split into a preferred group and a non-preferred group. The per-EPG Preferred Group setting is either "include" or "exclude", and the difference is whether a Contract is required for that EPG to communicate:

Setting   Meaning              Description
include   preferred group      Members of the preferred group can communicate with each other without a Contract
exclude   non-preferred group  A Contract is required to communicate (with any EPG, preferred-group members included)

In this post I checked how the Zoning-Rules actually look with and without a Preferred Group configured. The verification was done on an ACI 5.0(2h) fabric.

Test preconditions

The Contract used in the tests was configured as follows:

  • Apply Both Directions enabled (default)
  • Reverse Filter Ports enabled (default)
  • A single Filter Entry, TCP/22

Configuring a Preferred Group

Preferred Group itself is enabled or disabled per VRF. It is disabled by default, so it has to be enabled explicitly if you want to use it.

After enabling Preferred Group on the VRF, set each EPG to either include (preferred group) or exclude (non-preferred group).

That is all the basic Preferred Group configuration requires.

1. No Tenant created

Policy Count

With no Tenant created, the Policy Count (policy TCAM entries on the leaf, as reported by the hal health-stats) was 72.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 72 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

2. EPGs only (no Contract)

Policy Count

With two EPGs created and no Contract, the Policy Count was 76.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 76 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0 

contract_parser.py

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4173] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16387) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49153) [contract:implicit] [hit=0]
[16:4168] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
|   4174  |   0    | 49153  | implicit | uni-dir | enabled | 2326533 |      |  permit  |   any_dest_any(16)   |
|   4172  |   0    |   0    | implicit | uni-dir | enabled | 2326533 |      | deny,log |   any_any_any(21)    |
|   4168  |   0    |   0    | implarp  | uni-dir | enabled | 2326533 |      |  permit  |  any_any_filter(17)  |
|   4176  |   0    |   15   | implicit | uni-dir | enabled | 2326533 |      | deny,log | any_vrf_any_deny(22) |
|   4173  |   0    | 16387  | implicit | uni-dir | enabled | 2326533 |      |  permit  |   any_dest_any(16)   |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+

show zoning-filter

Because no Contract is configured, there are no Contract Zoning-Filters (only the implicit ones).

3. Contract configured (no Preferred Group)

Policy Count

Without a Preferred Group, a Contract (Subject) with Apply Both Directions was configured between a 1:1 pair of EPGs, so "forward + return" Zoning-Rules were created (the bi-dir and uni-dir-ignore rows with filters 18 and 19 below), and as a result the Policy Count went up by 2, to 78.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 78 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4169] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(32770) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(32770)  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16386) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49154) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4176  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4172  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4173  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4174  |   0    | 49154  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4168  | 32771  | 32770  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4169  | 32770  | 32771  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |    fully_qual(7)     |
|   4179  |   0    | 16386  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter

leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    19    | 19_0 |   ip   | unspecified | tcp  |      no     |    no    |    ssh    |   ssh   | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    18    | 18_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    ssh    |   ssh   | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+

4. Preferred Group in use (both EPGs in the preferred group)

Policy Count

The Policy Count is 78. Compared with scenario 2 (76), the implicit any_any_any(21) deny and any_vrf_any_deny(22) rules are replaced by grp_src_any_any_deny(18), grp_any_dest_any_deny(19) and grp_any_any_any_permit(20); no Contract rule (fully_qual(7)) appears in the output below.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 78 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4168] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(32770) [contract:implicit] [hit=0]
[16:4173] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49153) [contract:implicit] [hit=0]
[16:4176] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[18:4179] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/vrf-Vrf1(16386) epg:any [contract:implicit] [hit=0]
[19:4169] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
[20:4172] [vrf:Tenant1:Vrf1] permit any epg:any epg:any [contract:implicit] [hit=24]

show zoning-rule

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |          Priority          |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+
|   4173  |   0    | 49153  | implicit | uni-dir | enabled | 2326533 |      |  permit  |      any_dest_any(16)      |
|   4172  |   0    |   0    | implicit | uni-dir | enabled | 2326533 |      |  permit  | grp_any_any_any_permit(20) |
|   4176  |   0    |   0    | implarp  | uni-dir | enabled | 2326533 |      |  permit  |     any_any_filter(17)     |
|   4179  | 16386  |   0    | implicit | uni-dir | enabled | 2326533 |      | deny,log |  grp_src_any_any_deny(18)  |
|   4169  |   0    |   15   | implicit | uni-dir | enabled | 2326533 |      | deny,log | grp_any_dest_any_deny(19)  |
|   4168  |   0    | 32770  | implicit | uni-dir | enabled | 2326533 |      |  permit  |      any_dest_any(16)      |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+

show zoning-filter

Since only EPGs belonging to the preferred group exist, only the implicit Zoning-Filters are present.

5. Preferred Group configured, with preferred and non-preferred EPGs mixed

In most real deployments of Preferred Group, preferred and non-preferred EPGs will be mixed, which is the case tested here.

Policy Count

The Policy Count is 86, a large increase over the 76 seen with only the EPGs created.

leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count                  : 86 
max_policy_count              : 65536 
policy_label_count                : 0 
max_policy_label_count            : 0

contract_parser.py

Using a Preferred Group changes the Zoning-Rules considerably. In summary, the following rules are generated:

  1. Priority 7: permit rules for the explicit Contract (fully_qual)
  2. Priority 18 / 19: deny rules for the non-preferred (exclude) EPGs, one with the EPG as source (grp_src_any_any_deny) and one with it as destination (grp_any_dest_any_deny)
  3. Priority 20: a permit any:any rule (grp_any_any_any_permit)

This can be restated as follows:

  1. Traffic explicitly permitted by a Contract is permitted at the highest priority (7)
  2. Non-preferred EPGs are denied at a somewhat lower priority (18 / 19)
  3. Whatever matches none of the above, i.e. traffic between preferred-group EPGs, is permitted at the lowest priority (20)

Regarding the "permit at priority 20": without a Preferred Group the implicit rules are "deny at priority 21 / 22" instead, so comparing the two outputs side by side should make the difference clear. Two details worth checking in the output below: the implicit ARP permit (any_any_filter, priority 17) still ranks above the exclude-group denies, so ARP is permitted even to or from an excluded EPG, and the VRF's own pcTag (tn-Tenant1/vrf-Vrf1) and pfx-0.0.0.0/0 (pcTag 15) also receive deny entries at 18 / 19, so the priority-20 permit-any does not sweep them in. The actual Zoning-Rules are as follows.

leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4182] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg3(16390) tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh tn-Tenant1/ap-Ap1/epg-Epg3(16390)  [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4180] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16386) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16387) [contract:implicit] [hit=0]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd3(16388) [contract:implicit] [hit=0]
[16:4177] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd4(32771) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[18:4168] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg3(16390) epg:any [contract:implicit] [hit=0]
[18:4179] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg4(16391) epg:any [contract:implicit] [hit=0]
[18:4181] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/vrf-Vrf1(32770) epg:any [contract:implicit] [hit=0]
[19:4175] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
[19:4169] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg3(16390) [contract:implicit] [hit=0]
[19:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg4(16391) [contract:implicit] [hit=0]
[20:4173] [vrf:Tenant1:Vrf1] permit any epg:any epg:any [contract:implicit] [hit=24]

show zoning-rule

leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |          Priority          |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
|   4168  | 16390  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4169  |   0    | 16390  | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4179  | 16391  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4176  |   0    | 16391  | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4172  |   0    | 16387  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4173  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  | grp_any_any_any_permit(20) |
|   4174  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |     any_any_filter(17)     |
|   4181  | 32770  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4175  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4171  |   0    | 16388  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4178  | 16391  | 16390  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |       fully_qual(7)        |
|   4182  | 16390  | 16391  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |       fully_qual(7)        |
|   4177  |   0    | 32771  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4180  |   0    | 16386  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+

show zoning-filter

leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    19    | 19_0 |   ip   | unspecified | tcp  |      no     |    no    |    ssh    |   ssh   | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    18    | 18_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    ssh    |   ssh   | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
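The priority ordering above can be replayed in software. The following is an added example written for this page (it is not the page's own code and not a Cisco tool): it parses the 'show zoning-rule' table from scenario 5 as embedded in the script, applies the filter definitions from the 'show zoning-filter' output (18 = tcp dport ssh, 19 = tcp sport ssh), and picks the matching rule with the lowest priority number. The pcTags 16392 and 16393 used for two preferred-group EPGs are assumptions, since included EPGs never appear in the table; the Dir column and tie-breaking between rules of equal priority are deliberately not modelled.

```python
"""Replay ACI zoning-rule lookups in software: among all matching rules the lowest
priority number wins, which is why 'permit(7) -> deny(18/19) -> permit-all(20)' works.
Added example (not from the original page or from Cisco); see the lead-in for assumptions."""
import re
from dataclasses import dataclass

# Constructed copy of the page's 'show zoning-rule scope 2326533' output for the mixed
# preferred / non-preferred scenario. Epg3 = 16390 and Epg4 = 16391 are the excluded EPGs,
# 32770 is the VRF's own pcTag, 15 is pfx-0.0.0.0/0, 16386-16388 / 32771 are BD pcTags.
ZONING_RULE_OUTPUT = """\
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |          Priority          |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
|   4168  | 16390  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4169  |   0    | 16390  | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4179  | 16391  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4176  |   0    | 16391  | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4172  |   0    | 16387  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4173  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  | grp_any_any_any_permit(20) |
|   4174  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |     any_any_filter(17)     |
|   4181  | 32770  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  grp_src_any_any_deny(18)  |
|   4175  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | grp_any_dest_any_deny(19)  |
|   4171  |   0    | 16388  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4178  | 16391  | 16390  |    19    | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |       fully_qual(7)        |
|   4182  | 16390  | 16391  |    18    |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |       fully_qual(7)        |
|   4177  |   0    | 32771  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
|   4180  |   0    | 16386  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |      any_dest_any(16)      |
"""

# Assumed pcTags for two EPGs that are *inside* the preferred group. They never show up in
# the table above (that is the point of the feature), so any otherwise unused value works.
EPG1_INCLUDED, EPG2_INCLUDED = 16392, 16393


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: int          # pcTag, 0 means "any"
    dst: int
    filter_id: str
    action: str
    prio_name: str
    prio: int         # lower number = evaluated first


def parse_zoning_rules(text):
    """Parse the ASCII table printed by 'show zoning-rule'; border and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| Rule ID"):
            continue
        cols = [c.strip() for c in line.strip().strip("|").split("|")]
        rule_id, src, dst, filter_id, _dir, oper, _scope, _name, action, prio = cols
        if oper != "enabled":
            continue
        name, num = re.fullmatch(r"(\S+)\((\d+)\)", prio).groups()
        rules.append(Rule(int(rule_id), int(src), int(dst), filter_id, action, name, int(num)))
    return rules


def filter_matches(filter_id, pkt):
    """Filter semantics taken from the page's 'show zoning-filter' output:
    18 = ip/tcp dport ssh, 19 = ip/tcp sport ssh (the Reverse Filter Ports twin)."""
    if filter_id == "implicit":
        return True
    if filter_id == "implarp":
        return pkt["ethertype"] == "arp"
    is_tcp = pkt["ethertype"] == "ip" and pkt.get("proto") == "tcp"
    if filter_id == "18":
        return is_tcp and pkt.get("dport") == 22
    if filter_id == "19":
        return is_tcp and pkt.get("sport") == 22
    raise ValueError(f"no filter definition for FilterID {filter_id}")


def evaluate(rules, pkt):
    """Return the winning (action, rule) for a flow. Simplifications: the Dir column is not
    interpreted (each direction of the contract already has its own row here) and ties
    between rules of equal priority are not modelled."""
    matches = [r for r in rules
               if r.src in (0, pkt["src"]) and r.dst in (0, pkt["dst"])
               and filter_matches(r.filter_id, pkt)]
    if not matches:
        return "no-match", None
    best = min(matches, key=lambda r: r.prio)
    return best.action, best


def tcp(src, dst, sport, dport):
    return {"src": src, "dst": dst, "ethertype": "ip", "proto": "tcp", "sport": sport, "dport": dport}


def arp(src, dst):
    return {"src": src, "dst": dst, "ethertype": "arp"}


RULES = parse_zoning_rules(ZONING_RULE_OUTPUT)

FLOWS = {  # constructed flows covering each band of the priority ladder
    "Epg3 -> Epg4 ssh (contract)":       tcp(16390, 16391, 40000, 22),
    "Epg4 -> Epg3 ssh reply":            tcp(16391, 16390, 22, 40000),
    "Epg3 -> Epg4 http (no contract)":   tcp(16390, 16391, 40000, 80),
    "Epg1 -> Epg2 http (both included)": tcp(EPG1_INCLUDED, EPG2_INCLUDED, 40000, 80),
    "Epg1 -> Epg3 http (to excluded)":   tcp(EPG1_INCLUDED, 16390, 40000, 80),
    "Epg3 -> Epg4 arp":                  arp(16390, 16391),
}


def decisions(rules=RULES, flows=FLOWS):
    """Map each flow label to (action, priority name) of the rule that decided it."""
    out = {}
    for label, pkt in flows.items():
        action, rule = evaluate(rules, pkt)
        out[label] = (action, rule.prio_name if rule else None)
    return out


if __name__ == "__main__":
    for label, (action, prio_name) in decisions().items():
        print(f"{label:36} {action:9} via {prio_name}")
```

Running it shows the ladder directly: the Contract wins at fully_qual(7) in both directions, HTTP from the excluded Epg3 is dropped by grp_src_any_any_deny(18), traffic towards the excluded Epg3 is dropped by grp_any_dest_any_deny(19), the two included EPGs fall through to grp_any_any_any_permit(20), and ARP between the excluded EPGs is still permitted by any_any_filter(17).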

Summary

Looking at Preferred Group from the viewpoint of Policy Count consumption, the following can be said:

  • The Zoning-Rules become "permit (Contracts) → deny (non-preferred EPGs) → permit all"
  • The Zoning-Rule table grows accordingly, so more Policy Count (policy TCAM) is consumed: 86 entries in the mixed scenario versus 78 with a plain Contract
  • Contracts become easier to design flexibly, but the additional Policy Count consumption (two deny entries per excluded EPG, plus the VRF and 0.0.0.0/0 entries) has to be kept in mind
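As an added example for the Policy Count caveat (not from the original page or from Cisco), the following parses the hal health-stats counter lines shown in each scenario above and reports the growth between snapshots and the utilization against max_policy_count. The five snapshots are constructed from the values on this page, and the 80% warning threshold is an arbitrary assumption.

```python
"""Track policy TCAM consumption from 'show platform internal hal health-stats' output.
Added example, not from the original page or Cisco: it parses the grep'd counter lines the
page shows and reports growth and utilization so a Preferred Group rollout can be watched
against the ASIC limit."""
import re

# Constructed sample: the counter lines as captured on the page; only policy_count differs
# between the five scenarios, so the other lines are templated.
HEALTH_STATS_TEMPLATE = """\
policy_count                  : {count}
max_policy_count              : 65536
policy_label_count                : 0
max_policy_label_count            : 0
"""

SNAPSHOTS = [
    ("1 no tenant", 72),
    ("2 EPGs only", 76),
    ("3 contract, no preferred group", 78),
    ("4 preferred group, both EPGs included", 78),
    ("5 preferred group, mixed", 86),
]


def parse_health_stats(text):
    """Return {counter_name: int} for every 'name : value' line in the output."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def growth_report(snapshots, warn_at=0.80):
    """For each (label, raw_output) snapshot return label, count, delta to the previous
    snapshot, utilization of max_policy_count, and whether warn_at is exceeded."""
    report, previous = [], None
    for label, raw in snapshots:
        c = parse_health_stats(raw)
        count, limit = c["policy_count"], c["max_policy_count"]
        delta = 0 if previous is None else count - previous
        util = count / limit
        report.append({"label": label, "count": count, "delta": delta,
                       "utilization": util, "warning": util >= warn_at})
        previous = count
    return report


def sample_report(warn_at=0.80):
    """Build the raw outputs for the page's five scenarios and run growth_report on them."""
    raw = [(label, HEALTH_STATS_TEMPLATE.format(count=n)) for label, n in SNAPSHOTS]
    return growth_report(raw, warn_at)


if __name__ == "__main__":
    for row in sample_report():
        flag = " WARNING" if row["warning"] else ""
        print(f"{row['label']:42} {row['count']:6} ({row['delta']:+d}) "
              f"{row['utilization']:.4%}{flag}")
```

On a real leaf the raw output comes from the vsh_lc command shown above; feeding successive captures to growth_report makes the per-EPG cost of the exclude deny entries (the +8 between scenarios 4 and 5 here) visible before the VRF is scaled up.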