Cisco ACI でよく使う common/filter (2019/10/07 版)

以前に Cisco ACI で Common に定義しておきたい「よく使う Filter」というメモを書きました。フィルタに若干、対応アプリケーションを増やした XML ファイルを改めてメモしておきます。

初期の common/Filter¶

ACI 4.2(1j) の場合、初期状態では common テナントに以下の 4 フィルタが設定されていました。

apic# show running-config tenant common access-list
(--snip--)
  tenant common
    access-list arp
      match arp
      exit
    access-list default
      match raw default
      exit
    access-list est
      match raw est etherT ip prot 6 tcpRules est
      exit
    access-list icmp
      match icmp
      exit
    exit

common / filter 用 XML ファイル¶

更新版のフィルタは下記です。 uni/tn-common へ Post します。

<?xml version="1.0" encoding="UTF-8"?>
<imdata totalCount="1">
  <fvTenant descr="" dn="uni/tn-common" name="common" nameAlias="" ownerKey="" ownerTag="">
    <vzFilter descr="" name="Any" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="unspecified" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Arp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="arp" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="unspecified" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Dns" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="dns" dToPort="dns" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Http" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="http" dToPort="http" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Https" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="https" dToPort="https" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Icmpv4" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ipv4" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="icmp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Icmpv6" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ipv6" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="icmpv6" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Imap" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="143" dToPort="143" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ldap" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="389" dToPort="389" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ldaps" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="636" dToPort="636" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ntp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="123" dToPort="123" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Pop3" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="pop3" dToPort="pop3" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Radius" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="1812" dToPort="1813" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Smtp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="smtp" dToPort="smtp" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Snmp" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="161" dToPort="162" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Ssh" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="22" dToPort="22" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Submission" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="587" dToPort="587" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="Syslog" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="514" dToPort="514" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="udp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="TacacsPlus" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="49" dToPort="49" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
    <vzFilter descr="" name="TcpEstablished" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="unspecified" dToPort="unspecified" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules="est"/>
    </vzFilter>
    <vzFilter descr="" name="Telnet" nameAlias="" ownerKey="" ownerTag="">
      <vzEntry applyToFrag="no" arpOpc="unspecified" dFromPort="23" dToPort="23" descr="" etherT="ip" icmpv4T="unspecified" icmpv6T="unspecified" matchDscp="unspecified" name="Entry-01" nameAlias="" prot="tcp" sFromPort="unspecified" sToPort="unspecified" stateful="no" tcpRules=""/>
    </vzFilter>
  </fvTenant>
</imdata>

設定されるフィルタ¶

この XML ファイルを Post した場合、common テナントに設定されるフィルタは以下です。

No.	Filter	Entry Name	EtherType	ARP Flag	IP Protocol	Match Only Fragment	Stateful	Source Port	Destination Port	TCP Session Rules
1	Any	Entry-01	IP		unspecified	False	False
2	Arp	Entry-01	ARP	unspecified
3	Dns	Entry-01	IP		tcp	False	False	unspecified	dns
4	Http	Entry-01	IP		tcp	False	False	unspecified	http
5	Https	Entry-01	IP		tcp	False	False	unspecified	https
6	Icmp	Entry-01	IPv4		icmp	False	False
7	Icmpv6	Entry-01	IPv6		icmpv6	False	False
8	Imap	Entry-01	IP		tcp	False	False	unspecified	143
9	Ldap	Entry-01	IP		tcp	False	False	unspecified	389
10	Ldaps	Entry-01	IP		tcp	False	False	unspecified	636
11	Ntp	Entry-01	IP		udp	False	False	unspecified	123
12	Pop3	Entry-01	IP		tcp	False	False	unspecified	pop3
13	Radius	Entry-01	IP		udp	False	False	unspecified	1812-1813
14	Smtp	Entry-01	IP		tcp	False	False	unspecified	smtp
15	Snmp	Entry-01	IP		udp	False	False	unspecified	161-162
16	Ssh	Entry-01	IP		tcp	False	False	unspecified	22
17	Submission	Entry-01	IP		tcp	False	False	unspecified	587
18	Syslog	Entry-01	IP		udp	False	False	unspecified	514
19	TacacsPlus	Entry-01	IP		tcp	False	False	unspecified	49
20	TcpEstablished	Entry-01	IP		tcp	False	False	unspecified	unspecified	Established
21	Telnet	Entry-01	IP		tcp	False	False	unspecified	23

CLI でコンフィグを確認する¶

この XML ファイルを設定後、CLI を確認すると以下のようになります。

apic# show running-config tenant common access-list
(--sni--)
  tenant common
    access-list Any
      match ip
      exit
    access-list Arp
      match arp
      exit
    access-list Dns
      match udp dest 53
      exit
    access-list Http
      match tcp dest 80
      exit
    access-list Https
      match tcp dest 443
      exit
    access-list Icmpv4
      match raw Entry-01 etherT ipv4 prot 1
      exit
    access-list Icmpv6
      match raw Entry-01 etherT ipv6 prot 58
      exit
    access-list Imap
      match tcp dest 143
      exit
    access-list Ldap
      match tcp dest 389
      exit
    access-list Ldaps
      match tcp dest 636
      exit
    access-list Ntp
      match udp dest 123
      exit
    access-list Pop3
      match tcp dest 110
      exit
    access-list Radius
      match udp dest 1812-1813
      exit
    access-list Smtp
      match tcp dest 25
      exit
    access-list Snmp
      match udp dest 161-162
      exit
    access-list Ssh
      match tcp dest 22
      exit
    access-list Submission
      match tcp dest 587
      exit
    access-list Syslog
      match udp dest 514
      exit
    access-list TacacsPlus
      match tcp dest 49
      exit
    access-list TcpEstablished
      match raw Entry-01 etherT ip prot 6 tcpRules est
      exit
    access-list Telnet
      match tcp dest 23
      exit
    access-list arp
      match arp
      exit
    access-list default
      match raw default
      exit
    access-list est
      match raw est etherT ip prot 6 tcpRules est
      exit
    access-list icmp
      match icmp
      exit
    exit