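Zoning-Rule when a port range is configured in an ACI Filter Entry
In Cisco ACI, Policy CAM consumption is said to be calculable as "number of SrcEPGs x number of DstEPGs x number of Filter Entries x 1 (2 for both directions)". However, a Filter Entry can specify TCP/UDP ports as a range. Here we configure ranges in several patterns and look at the Policy Count, Zoning-Rule, and Zoning-Filter state in each case.
Test environment
The tests were run under the following conditions.
- ACI 5.0(2h)
- The leaf is an EX chassis
- Two EPGs were created
- The Contract is configured as Consumer : Provider = 1 : 1
- The Subject is configured as follows
  - Apply Both Directions: enabled
  - Reverse Filter Ports: enabled
- Policy Count values are as follows
  - 65 with no Tenant configured
  - 69 with the Tenant and EPGs created and no Contract created (in other words, we observe how much the Policy Count increases from this number)
Test plan
The tests are run in the following patterns (the table below also lists, ahead of the details, how the Policy Count changed in each case).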

| No. | Summary | Src Port | Dst Port | Policy Count | Delta from No.1 |
|---|---|---|---|---|---|
| 1 | Contract not configured (EPGs already created) | - | - | 69 | - |
| 2 | Src Port configured as a range | 10001 - 10005 | Unspecified | 79 | +10 |
| 3 | Src Port configured as a range | 10001 - 10005 | 1 - 65535 | 71 | +2 |
| 4 | Dst Port configured as a range | Unspecified | 20001 - 20010 | 89 | +20 |
| 5 | Dst Port configured as a range | 1 - 65535 | 20001 - 20010 | 71 | +2 |
| 6 | Src / Dst Port both configured as ranges | 10001 - 10005 | 20001 - 20010 | 71 | +2 |

1. EPGs created / Contract not configured
With only the EPGs created and no Contract configured, the Policy Count was 69.
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 69
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

2. Src 10001 - 10005 / Dst Unspecified
Policy Count
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 79
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4196] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(49153) range 10001-10005 tn-Tenant1/ap-Ap1/epg-Epg2(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(49154) tn-Tenant1/ap-Ap1/epg-Epg1(49153) range 10001-10005 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4170] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16387) [contract:implicit] [hit=0]
[16:4183] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16388) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4179] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule
leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4181 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4182 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4179 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4170 | 0 | 16387 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 49153 | 49154 | 241 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4178 | 49154 | 49153 | 242 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4183 | 0 | 16388 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter
leaf# show zoning-filter filter 241
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 241 | 241_0 | ip | unspecified | tcp | no | no | 10001 | 10005 | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+

leaf# show zoning-filter filter 242
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 242 | 242_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | 10001 | 10005 | dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+

3. Src 10001 - 10005 / Dst 1 - 65535
Policy Count
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 71
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4170] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(32770) range 10001-10005 tn-Tenant1/ap-Ap1/epg-Epg2(49154) range 1-65535 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(49154) range 1-65535 tn-Tenant1/ap-Ap1/epg-Epg1(32770) range 10001-10005 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4196] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16387) [contract:implicit] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule
leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4183 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4182 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4179 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4196 | 0 | 16387 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4178 | 49154 | 32770 | 244 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4170 | 32770 | 49154 | 243 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter
leaf# show zoning-filter filter 244
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 244 | 244_0 | ip | unspecified | tcp | no | no | 1 | 65535 | 10001 | 10005 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

leaf# show zoning-filter filter 243
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 243 | 243_0 | ip | unspecified | tcp | no | no | 10001 | 10005 | 1 | 65535 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

4. Src Unspecified / Dst 20001 - 20010
Policy Count
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 89
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4183] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16388) tn-Tenant1/ap-Ap1/epg-Epg2(49153) range 20001-20010 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(49153) range 20001-20010 tn-Tenant1/ap-Ap1/epg-Epg1(16388) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4196] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16387) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(32770) [contract:implicit] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4178] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule
leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4182 | 0 | 32770 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4181 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4179 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4178 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4183 | 16388 | 49153 | 241 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4170 | 49153 | 16388 | 242 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4196 | 0 | 16387 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter
leaf# show zoning-filter filter 241
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 241 | 241_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | 20001 | 20010 | dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+

leaf# show zoning-filter filter 242
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 242 | 242_0 | ip | unspecified | tcp | no | no | 20001 | 20010 | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+

5. Src 1 - 65535 / Dst 20001 - 20010
Policy Count
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 71
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4179] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32770) range 20001-20010 tn-Tenant1/ap-Ap1/epg-Epg1(49154) range 1-65535 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(49154) range 1-65535 tn-Tenant1/ap-Ap1/epg-Epg2(32770) range 20001-20010 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4196] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16387) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4178] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule
leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4178 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4181 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4183 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4182 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4170 | 49154 | 32770 | 241 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4179 | 32770 | 49154 | 242 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4196 | 0 | 16387 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter
leaf# show zoning-filter filter 241
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 241 | 241_0 | ip | unspecified | tcp | no | no | 1 | 65535 | 20001 | 20010 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

leaf# show zoning-filter filter 242
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 242 | 242_0 | ip | unspecified | tcp | no | no | 20001 | 20010 | 1 | 65535 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

6. Src 10001 - 10005 / Dst 20001 - 20010
Policy Count
leaf# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 71
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0

contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4183] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(16387) range 20001-20010 tn-Tenant1/ap-Ap1/epg-Epg1(49154) range 10001-10005 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(49154) range 10001-10005 tn-Tenant1/ap-Ap1/epg-Epg2(16387) range 20001-20010 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16386) [contract:implicit] [hit=0]
[16:4196] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49153) [contract:implicit] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4178] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=506]
[22:4181] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]

show zoning-rule
leaf# show zoning-rule scope 2981891
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4179 | 0 | 0 | implarp | uni-dir | enabled | 2981891 | | permit | any_any_filter(17) |
| 4181 | 0 | 15 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_vrf_any_deny(22) |
| 4182 | 0 | 16386 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
| 4178 | 0 | 0 | implicit | uni-dir | enabled | 2981891 | | deny,log | any_any_any(21) |
| 4170 | 49154 | 16387 | 241 | bi-dir | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4183 | 16387 | 49154 | 242 | uni-dir-ignore | enabled | 2981891 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4196 | 0 | 49153 | implicit | uni-dir | enabled | 2981891 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

show zoning-filter
leaf# show zoning-filter filter 241
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 241 | 241_0 | ip | unspecified | tcp | no | no | 10001 | 10005 | 20001 | 20010 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

leaf# show zoning-filter filter 242
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+
| 242 | 242_0 | ip | unspecified | tcp | no | no | 20001 | 20010 | 10001 | 10005 | sport_dport | unspecified | unspecified | |
+----------+-------+--------+-------------+------+-------------+----------+-----------+---------+-----------+---------+-------------+-------------+-------------+----------+

Summary
Nos. 2 and 3 appear to mean the same thing, yet No.3 consumes far fewer Policy Count entries (the same holds for Nos. 4 and 5).

| No. | Summary | Src Port | Dst Port | Policy Count | Delta from No.1 |
|---|---|---|---|---|---|
| 1 | Contract not configured (EPGs already created) | - | - | 69 | - |
| 2 | Src Port configured as a range | 10001 - 10005 | Unspecified | 79 | +10 |
| 3 | Src Port configured as a range | 10001 - 10005 | 1 - 65535 | 71 | +2 |
| 4 | Dst Port configured as a range | Unspecified | 20001 - 20010 | 89 | +20 |
| 5 | Dst Port configured as a range | 1 - 65535 | 20001 - 20010 | 71 | +2 |
| 6 | Src / Dst Port both configured as ranges | 10001 - 10005 | 20001 - 20010 | 71 | +2 |
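
To look for the No.2 / No.4 pattern on a leaf, the following Python script (an added example, not part of the original post and not Cisco tooling) parses `contract_parser.py` rule lines in the format shown above and lists rules that carry a port range on only one L4 side. In this test those were the rules where the Policy Count increase matched the range widths summed over both rules (+10 and +20). The sample lines are constructed from the outputs on this page, and the function names are assumptions.

```python
import re

# Constructed sample: rule lines copied from the No.2 and No.6 outputs on this page.
SAMPLE = """\
[7:4196] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(49153) range 10001-10005 tn-Tenant1/ap-Ap1/epg-Epg2(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(49154) tn-Tenant1/ap-Ap1/epg-Epg1(49153) range 10001-10005 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4170] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(49154) range 10001-10005 tn-Tenant1/ap-Ap1/epg-Epg2(16387) range 20001-20010 [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
"""

# [prio:RuleId] [vrf:{str}] <body> [contract:{str}] [hit=count]
LINE_RE = re.compile(
    r"^\[(?P<prio>\d+):(?P<rule>\d+)\]\s+\[vrf:(?P<vrf>[^\]]+)\]\s+"
    r"(?P<body>.*?)\s*\[contract:(?P<contract>[^\]]+)\]\s*\[hit=(?P<hit>\d+)\]"
)
EPG_RE = re.compile(r"^(tn-|epg:|pfx-)")   # EPG token forms seen on this page
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_rule(line):
    """Parse one rule line; return None for headers or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("body").split()
    epgs, ranges = [], []
    i = 1                                   # tokens[0] is the action (permit / deny,log)
    while i < len(tokens):
        tok = tokens[i]
        if EPG_RE.match(tok):
            epgs.append(tok)
            ranges.append(None)             # filled in if a "range A-B" follows
        elif tok == "range" and epgs and i + 1 < len(tokens):
            r = RANGE_RE.match(tokens[i + 1])
            if r:
                ranges[-1] = (int(r.group(1)), int(r.group(2)))
                i += 1
        i += 1                              # protocol and flag tokens are skipped
    if len(epgs) != 2:
        return None
    return {
        "rule_id": int(m.group("rule")),
        "contract": m.group("contract"),
        "src_epg": epgs[0], "src_range": ranges[0],
        "dst_epg": epgs[1], "dst_range": ranges[1],
    }


def one_sided_ranges(text):
    """Return (rule_id, side, ports_in_range) for rules with a range on one side only."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        src, dst = rule["src_range"], rule["dst_range"]
        if (src is None) != (dst is None):  # exactly one side has a range
            side, (lo, hi) = ("src", src) if src else ("dst", dst)
            findings.append((rule["rule_id"], side, hi - lo + 1))
    return findings


if __name__ == "__main__":
    for rule_id, side, width in one_sided_ranges(SAMPLE):
        print(f"rule {rule_id}: {side} range of {width} ports, other side unspecified")
```

Only the `range A-B` form that appears in the outputs above is recognised; other L4 match forms are ignored rather than guessed at.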