らくがきちょう (Scribble Notebook)

Just because ~These are my personal views and are unrelated to any organization or group I belong to~

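Zoning-Rule in Cisco ACI when Route Leak is configured

I previously wrote the notes below.

This time, I check how Resource IDs and Zoning-Rule are displayed in a configuration with Route Leak and in one without it. The verification was done on 5.0(2h).

pcTag values with and without Route Leak

As described in "Types and ranges of the pcTag that internally identifies an EPG in Cisco ACI", the range of an EPG's Class ID (pcTag) is determined by its use. Below, the "configuration without Route Leak" is compared with the "configuration with Route Leak". The comparison shows that the pcTag is allocated from the local scope in the configuration without Route Leak and from the global scope in the configuration with Route Leak.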

| pcTag range | Use | Description |
|---|---|---|
| 1 ~ 15 | System reserved | - |
| 16 ~ 16,384 | Global scope | Used by shared services |
| 16,385 ~ 65,535 | Local scope | Used within the same VRF |

Note that the number of Global pcTags configured across the whole Fabric can be checked in the Capacity Dashboard.

[Image: Capacity Dashboard screenshot]

Configuration without Route Leak

When Route Leak is not configured and Contracts are used only within the same VRF, Resource IDs and Zoning-Rule are displayed as follows.

Bridge Domains

[Image: Bridge Domains screenshot]

VRFs

[Image: VRFs screenshot]

EPGs

[Image: EPGs screenshot]

show zoning-rule

leaf# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|   4128  |   0    | 16386  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4130  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |   any_any_any(21)    |
|   4142  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |  any_any_filter(17)  |
|   4157  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | any_vrf_any_deny(22) |
|   4158  |   0    | 16387  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_dest_any(16)   |
|   4149  | 49154  | 49155  | default  |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |    src_dst_any(9)    |
|   4140  | 49155  | 49154  | default  | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |    src_dst_any(9)    |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
leaf# show zoning-rule scope 2523141
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |  Action  |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
|   4148  |   0    | 32771  | implicit | uni-dir | enabled | 2523141 |      |  permit  |   any_dest_any(16)   |
|   4165  |   0    |   0    | implicit | uni-dir | enabled | 2523141 |      | deny,log |   any_any_any(21)    |
|   4181  |   0    |   0    | implarp  | uni-dir | enabled | 2523141 |      |  permit  |  any_any_filter(17)  |
|   4138  |   0    |   15   | implicit | uni-dir | enabled | 2523141 |      | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[9:4149] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(49154) tn-Tenant1/ap-Ap1/epg-Epg12(49155) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[9:4140] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg12(49155) tn-Tenant1/ap-Ap1/epg-Epg11(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4128] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd11(16386) [contract:implicit] [hit=0]
[16:4158] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd12(16387) [contract:implicit] [hit=0]
[16:4142] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4130] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4157] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
leaf# contract_parser.py --vrf Tenant1:Vrf2
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4148] [vrf:Tenant1:Vrf2] permit any epg:any tn-Tenant1/bd-Bd21(32771) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf2] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4165] [vrf:Tenant1:Vrf2] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4138] [vrf:Tenant1:Vrf2] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

Configuration with Route Leak

When Route Leak is configured, Resource IDs and Zoning-Rule are displayed as follows.

show zoning-rule

+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |        Priority        |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
|   4140  |   0    |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |    any_any_any(21)     |
|   4149  |   0    |   0    | implarp  |    uni-dir     | enabled | 2326533 |                   |  permit  |   any_any_filter(17)   |
|   4158  |   0    |   15   | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log |  any_vrf_any_deny(22)  |
|   4157  |   0    | 32771  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |    any_dest_any(16)    |
|   4130  | 49154  | 32772  | default  | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 |  permit  |     src_dst_any(9)     |
|   4142  | 32772  | 49154  | default  |     bi-dir     | enabled | 2326533 | Tenant1:Contract1 |  permit  |     src_dst_any(9)     |
|   4165  |   0    | 32770  | implicit |    uni-dir     | enabled | 2326533 |                   |  permit  |    any_dest_any(16)    |
|   4183  |  5474  |   0    | implicit |    uni-dir     | enabled | 2326533 |                   | deny,log | shsrc_any_any_deny(12) |
|   4184  | 32772  |  5474  | default  |     bi-dir     | enabled | 2326533 | Tenant1:Contract2 |  permit  |     src_dst_any(9)     |
|   4137  |  5474  | 32772  | default  | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract2 |  permit  |     src_dst_any(9)     |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
leaf# show zoning-rule scope 2523141
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  | Name |      Action     |       Priority       |
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+
|   4138  |   0    |   0    | implicit | uni-dir | enabled | 2523141 |      |     deny,log    |   any_any_any(21)    |
|   4181  |   0    |   0    | implarp  | uni-dir | enabled | 2523141 |      |      permit     |  any_any_filter(17)  |
|   4128  |   0    |   15   | implicit | uni-dir | enabled | 2523141 |      |     deny,log    | any_vrf_any_deny(22) |
|   4148  |   0    | 16387  | implicit | uni-dir | enabled | 2523141 |      |      permit     |   any_dest_any(16)   |
|   4156  |  5474  |   14   | implicit | uni-dir | enabled | 2523141 |      | permit_override |    src_dst_any(9)    |
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+

contract_parser.py

leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[9:4142] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(32772) tn-Tenant1/ap-Ap1/epg-Epg12(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=5]
[9:4184] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(32772) tn-Tenant1/ap-Ap1/epg-Epg21(5474) [contract:uni/tn-Tenant1/brc-Contract2] [hit=10]
[9:4130] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg12(49154) tn-Tenant1/ap-Ap1/epg-Epg11(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=4]
[9:4137] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg21(5474) tn-Tenant1/ap-Ap1/epg-Epg11(32772) [contract:uni/tn-Tenant1/brc-Contract2] [hit=5]
[12:4183] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg21(5474) epg:any [contract:implicit] [hit=0]
[16:4165] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd11(32770) [contract:implicit] [hit=0]
[16:4157] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd12(32771) [contract:implicit] [hit=0]
[16:4149] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4140] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4158] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
leaf# contract_parser.py --vrf Tenant1:Vrf2
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[9:4156] [vrf:Tenant1:Vrf2] permit_override any tn-Tenant1/ap-Ap1/epg-Epg21(5474) int-shrsvc(14) [contract:implicit] [hit=5]
[16:4148] [vrf:Tenant1:Vrf2] permit any epg:any tn-Tenant1/bd-Bd21(16387) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf2] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4138] [vrf:Tenant1:Vrf2] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4128] [vrf:Tenant1:Vrf2] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

Bridge Domains

[Image: Bridge Domains screenshot]

VRFs

[Image: VRFs screenshot]

EPGs

The Class ID of Epg21, which is configured on the Provider side of the Route Leak, has changed to a value in the global scope range.

[Image: EPGs screenshot]
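The comparison above can be automated when auditing which zoning rules cross a VRF boundary. The following is an added example, not part of the original post and not Cisco's contract_parser.py: it parses `show zoning-rule` table text, classifies each pcTag with the ranges from the table on this page, and lists the rules that reference a global-scope (shared service) pcTag. The function names are assumptions made for this example, and the sample rows are copied from the Route Leak output above with whitespace trimmed.

```python
# pcTag ranges exactly as listed in the table on this page.
PCTAG_RANGES = [(1, 15, "system"), (16, 16384, "global"), (16385, 65535, "local")]

# Rows copied from the page's "with Route Leak" output (scope 2326533), whitespace trimmed.
SAMPLE = """\
+---------+--------+--------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4140 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4158 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4130 | 49154 | 32772 | default | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
| 4183 | 5474 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | shsrc_any_any_deny(12) |
| 4184 | 32772 | 5474 | default | bi-dir | enabled | 2326533 | Tenant1:Contract2 | permit | src_dst_any(9) |
"""

def pctag_scope(tag):
    """Classify a pcTag; 0 is the wildcard that contract_parser.py prints as epg:any."""
    if tag == 0:
        return "any"
    for low, high, name in PCTAG_RANGES:
        if low <= tag <= high:
            return name
    return "out-of-range"

def parse_zoning_rules(text):
    """Turn the ASCII table printed by `show zoning-rule` into a list of dicts."""
    rules, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skips the leaf# prompt and the +---+ separator lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if cells[0] == "Rule ID":
            header = cells
        elif header and len(cells) == len(header):
            rules.append(dict(zip(header, cells)))
    return rules

def global_scope_rules(rules):
    """Return (rule id, src, dst, action) for rules touching a global-scope pcTag."""
    hits = []
    for r in rules:
        src, dst = int(r["SrcEPG"]), int(r["DstEPG"])
        if "global" in (pctag_scope(src), pctag_scope(dst)):
            hits.append((int(r["Rule ID"]), src, dst, r["Action"]))
    return hits

if __name__ == "__main__":
    for hit in global_scope_rules(parse_zoning_rules(SAMPLE)):
        print(hit)
```
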