Zoning-Rules in ACI for Each Combination of Apply Both Directions / Reverse Filter Ports
To define permit/deny rules for communication between EPGs in Cisco ACI you need a Contract. A Contract has a three-level structure: Contract → Subject → Filter.
A Subject created under a Contract has the following two settings:
- Apply Both Directions
- Reverse Filter Ports
Because disabling Apply Both Directions also disables Reverse Filter Ports, only the three combinations below are possible (a configuration with Apply Both Directions disabled and Reverse Filter Ports enabled cannot be made from the GUI. It can be forced from the CLI, but when Apply Both Directions is unchecked there is no difference in behaviour whether Reverse Filter Ports is set or not).
No. | Apply Both Directions | Reverse Filter Ports
1   | ○                     | ○
2   | ○                     | X
3   | X                     | X
In this note I check how the Zoning-Rules are rendered for each of these patterns. Testing was done on a 5.0(2h) fabric.
Filter Entry contents
Three Filter Entries are defined:
- permit ICMP
- permit TCP/22
- permit UDP/53
1. No EPG created
With the test Tenant not yet created, the Policy Count was 65.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 65
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
2. EPG created, no Contract
With the test Tenant and EPGs created but no Contract yet, the Policy Count was 69. Although no Contract has been created explicitly, the implicit rules of the VRF (Implicit Rules) are deployed automatically, and these account for the increase in the Policy Count. Looking at the contract_parser.py and show zoning-rule output, you can see that implicit and implarp rules exist. As their Priority values also indicate, these are rules of the EPG Collection for VRF (commonly called "vzAny"), not rules for a specific EPG pair. I may write a separate note on Zoning-Rule Priority values at some point.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 69
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
|
show zoning-filter
With no Contract created, there is no Zoning-Filter for a specific EPG to specific EPG pair. The implicit Zoning-Filters can be viewed with show zoning-filter, but "the specific
3. Unidirectional (In) / Reverse Filter Ports: off
Apply Both Directions is left unchecked, i.e. the Contract is applied unidirectionally, on the In side only. Reverse Filter Ports is not set. The Policy Count rises from 69 to 72, one entry per Filter Entry, and a single uni-dir rule (4196, 16386 → 32771) referencing Filter ID 237 appears.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 72
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 16386 | 32771 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
4. Unidirectional (In) / Reverse Filter Ports: on
As in 3., Apply Both Directions is left unchecked, i.e. the Contract is applied unidirectionally, on the In side only. This time, however, Reverse Filter Ports is forced on from the CLI. As noted above, with Apply Both Directions disabled, forcing Reverse Filter Ports on from the CLI makes no difference in behaviour, and the output below is identical to 3.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 72
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 16386 | 32771 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
5. Unidirectional (Out) / Reverse Filter Ports: off
Apply Both Directions is left unchecked, i.e. the Contract is applied unidirectionally, on the Out side only. Reverse Filter Ports is not set. Compared with 3., the SrcEPG and DstEPG of rule 4196 are swapped (32771 → 16386); the Filter ID is still 237.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 72
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 32771 | 16386 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
6. Unidirectional (Out) / Reverse Filter Ports: on
As in 5., Apply Both Directions is left unchecked, i.e. the Contract is applied unidirectionally, on the Out side only. This time, however, Reverse Filter Ports is forced on from the CLI. As with 4., with Apply Both Directions disabled this makes no difference in behaviour, and the output below is identical to 5.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 72
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 32771 | 16386 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
7. Both / Reverse Filter Ports: off
Apply Both Directions is enabled. Reverse Filter Ports is not set. The Policy Count rises from 72 to 75, i.e. the three Filter Entries are programmed a second time for the reverse direction.
Policy Count
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 75
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53
[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386) eq 53
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
show zoning-rule
Because Apply Both Directions is enabled, a rule in the reverse direction (4178, 32771 → 16386) is created as well. However, both rules reference the same Filter ID, 237, so the same filter (destination port 22 / 53, source port unspecified) is applied in both directions. Note what that implies: Epg2 is also allowed to initiate SSH and DNS sessions toward Epg1, while reply traffic from Epg2 (source port 22 or 53, ephemeral destination port) does not match the filter at all.
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 16386 | 32771 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4178 | 32771 | 16386 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
8. Both / Reverse Filter Ports: on
Apply Both Directions is enabled, and Reverse Filter Ports is enabled as well.
Policy Count
As with Reverse Filter Ports off, the Policy Count is 75.
| leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 75
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
|
contract_parser.py
| leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4178] [vrf:Tenant1:Vrf1] permit ip icmp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh
ip udp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53
[7:4196] [vrf:Tenant1:Vrf1] permit ip udp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq 53 tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386)
ip icmp tn-Tenant1/ap-Ap1/epg-Epg2(32771) tn-Tenant1/ap-Ap1/epg-Epg1(16386)
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49154) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4182] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
|
show zoning-rule
This is where Reverse Filter Ports makes the real difference. For the same EPG pair, the forward and return directions are now given different Filter IDs (237 and 238). The Dir column changes as well: instead of two uni-dir rules, the forward rule is shown as bi-dir and the reverse rule as uni-dir-ignore.
| leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4170 | 0 | 49154 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4183 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4178 | 16386 | 32771 | 237 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4196 | 32771 | 16386 | 238 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
|
show zoning-filter
Filter ID 237 is exactly what was configured.
| leaf# show zoning-filter filter 237
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
Filter ID 238, generated automatically by the Reverse Filter Ports setting, has the source and destination ports of Filter ID 237 swapped: ssh and dns now appear as source ports, with the destination port unspecified. This is the filter that matches reply traffic coming from port 22 / 53 without also permitting new sessions from Epg2 toward those ports on Epg1.
| leaf# show zoning-filter filter 238
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 238 | 238_2 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
| 238 | 238_1 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
| 238 | 238_0 | ip | unspecified | udp | no | no | dns | dns | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
|
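Sections 7 and 8 render the same Contract in two ways: two uni-dir rules that both use filter 237, versus a bi-dir rule on 237 plus a uni-dir-ignore rule on the port-swapped filter 238. To make the practical consequence concrete, here is an added example (not from the original post, and not an ACI tool or Cisco API) that parses the rule and filter rows shown above, copied as constructed sample input, and evaluates a few flows between Epg1 (16386) and Epg2 (32771) against both cases. The port-name map, the flow tuples and the function names are assumptions; the Dir column is deliberately ignored, so every row is read literally as SrcEPG → DstEPG with its FilterID.

```python
"""Replay ACI zoning rules/filters from `show` output and test flows.

Added example for this page (not an ACI tool or Cisco API). The sample
rows are copied from the leaf output shown in sections 7 and 8; the
function names, port-name map and the test flows are assumptions.
"""
import re

# Constructed sample input: rule rows for the contract pair plus the implicit
# VRF deny (4182). Header/border lines are skipped by the parser.
ZONING_RULES_CASE7 = """\
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4196 | 16386 | 32771 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4178 | 32771 | 16386 | 237 | uni-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
"""
ZONING_RULES_CASE8 = """\
| 4182 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4178 | 16386 | 32771 | 237 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4196 | 32771 | 16386 | 238 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
"""
ZONING_FILTERS = """\
| 237 | 237_2 | ip | unspecified | udp | no | no | unspecified | unspecified | dns | dns | dport | unspecified | unspecified | |
| 237 | 237_1 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
| 237 | 237_0 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
| 238 | 238_2 | ip | unspecified | icmp | no | no | unspecified | unspecified | unspecified | unspecified | sport | unspecified | unspecified | |
| 238 | 238_1 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
| 238 | 238_0 | ip | unspecified | udp | no | no | dns | dns | unspecified | unspecified | sport | unspecified | unspecified | |
"""

PORT_NAMES = {"ssh": 22, "dns": 53}  # assumed: service names as printed by the leaf
ANY_PCTAG = 0                        # SrcEPG/DstEPG 0 means "any"
EPG1, EPG2 = 16386, 32771            # pcTags of Epg1 / Epg2 on this page

def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]

def _port(value):
    """'ssh' / '22' -> int; 'unspecified' -> None (wildcard)."""
    if value == "unspecified":
        return None
    return int(value) if value.isdigit() else PORT_NAMES[value]

def parse_zoning_rules(text):
    """Rows of `show zoning-rule` -> list of dicts (Priority number extracted)."""
    rules = []
    for line in text.splitlines():
        c = _cells(line)
        if len(c) < 10 or not c[0].isdigit():
            continue
        rules.append({"rule_id": int(c[0]), "src": int(c[1]), "dst": int(c[2]),
                      "filter": c[3], "dir": c[4], "action": c[8],
                      "prio": int(re.search(r"\((\d+)\)", c[9]).group(1))})
    return rules

def parse_zoning_filters(text):
    """Rows of `show zoning-filter` -> {filter id: [(proto, slo, shi, dlo, dhi)]}."""
    filters = {}
    for line in text.splitlines():
        c = _cells(line)
        if len(c) < 11 or not c[0].isdigit():
            continue
        filters.setdefault(c[0], []).append((c[4], *map(_port, c[7:11])))
    return filters

def _in_range(port, lo, hi):
    return lo is None or lo <= port <= hi

def filter_matches(filters, filter_id, proto, sport, dport):
    if filter_id == "implicit":       # implicit rules match any protocol
        return True
    if filter_id == "implarp":
        return proto == "arp"
    return any(p == proto and _in_range(sport, slo, shi) and _in_range(dport, dlo, dhi)
               for p, slo, shi, dlo, dhi in filters.get(filter_id, []))

def evaluate(rules, filters, src, dst, proto, sport, dport):
    """Action of the best matching rule (lowest Priority number wins).

    Rows are read literally as SrcEPG -> DstEPG with their FilterID; the
    Dir column (bi-dir / uni-dir-ignore) is not modelled here.
    """
    best = None
    for r in rules:
        if r["src"] not in (ANY_PCTAG, src) or r["dst"] not in (ANY_PCTAG, dst):
            continue
        if not filter_matches(filters, r["filter"], proto, sport, dport):
            continue
        if best is None or r["prio"] < best["prio"]:
            best = r
    return best["action"] if best else "deny"

def compare_cases():
    """(case 7 action, case 8 action) for each constructed flow."""
    filters = parse_zoning_filters(ZONING_FILTERS)
    case7 = parse_zoning_rules(ZONING_RULES_CASE7)
    case8 = parse_zoning_rules(ZONING_RULES_CASE8)
    flows = {
        "epg1_ssh_to_epg2": (EPG1, EPG2, "tcp", 40000, 22),   # Epg1 opens SSH
        "epg2_ssh_reply":   (EPG2, EPG1, "tcp", 22, 40000),   # reply to the above
        "epg2_ssh_to_epg1": (EPG2, EPG1, "tcp", 40001, 22),   # Epg2 opens SSH
        "epg2_dns_reply":   (EPG2, EPG1, "udp", 53, 50000),   # DNS answer to Epg1
        "epg2_ping_epg1":   (EPG2, EPG1, "icmp", 0, 0),
    }
    return {name: (evaluate(case7, filters, *f), evaluate(case8, filters, *f))
            for name, f in flows.items()}

if __name__ == "__main__":
    for flow, (c7, c8) in compare_cases().items():
        print(f"{flow:18s} case7={c7:9s} case8={c8}")
```

Run it and compare the two columns. With Reverse Filter Ports off (case 7) the reply packets of an SSH or DNS session opened from Epg1 are denied, while Epg2 may open new SSH/DNS sessions toward Epg1; with it on (case 8) the reverse rule only matches the reply direction. When auditing a Contract, the Filter ID and port columns of show zoning-filter are therefore what to check, not merely that a reverse rule exists.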