Zoning-Rules when an ExtEpg is connected to an AppEpg in ACI
In Cisco ACI, the Zoning-Rules created when an ExtEpg (External EPG) and an AppEpg (Application EPG) are joined by a Contract are no different from those created when two AppEpgs are joined by a Contract. In this post I actually apply a Contract between an ExtEpg and an AppEpg and check the Zoning-Rules that get created. The test was done on a 5.0(2h) environment.
Test environment
As shown below, the ExtEpg and the AppEpg were simply joined 1:1 by a Contract. Three prefixes were registered in the ExtEpg. As the results below show, the number of Subnets registered in the ExtEpg has no effect on the Zoning-Rules that are created.
1. Before the Contract is configured
Policy count
On leaf1 it was as follows.
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 75
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
On leaf2 it was as follows.
leaf2# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 68
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
contract_parser.py
On leaf1 it was as follows.
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4169] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
On leaf2 it was as follows.
leaf2# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4196] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
show zoning-rule
On leaf1 it was as follows.
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| 4172 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4169 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4173 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4171 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
On leaf2 it was as follows.
leaf2# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4196 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4182 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4183 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4181 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
show zoning-filter
Since no Contract is configured, no explicit Filters are present.
2. After the Contract is configured
Policy count
On leaf1 it was as follows. The count has gone up by 2.
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 77
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
On leaf2 it was as follows. Here too the count has gone up by 2.
leaf2# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 70
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
contract_parser.py
On leaf1 it was as follows.
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4174] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4169] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
On leaf2 it was as follows.
leaf2# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(16386) tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4179] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/l3out-L3Out1/instP-ExtEpg1(49154) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(16386) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4181] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49153) [contract:implicit] [hit=0]
[16:4182] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4196] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4183] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
show zoning-rule
On leaf1 it was as follows.
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4172 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4169 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4173 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4171 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4174 | 16386 | 49154 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4168 | 49154 | 16386 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
On leaf2 it was as follows.
leaf2# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4196 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4182 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4183 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4181 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4178 | 16386 | 49154 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4179 | 49154 | 16386 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
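The before/after tables above can be compared mechanically. The following Python is an added example, not part of the original post: it parses `show zoning-rule` output, lists the rules the Contract added on a leaf, and checks that they are exactly the bi-dir / uni-dir-ignore pair between the two pcTags (the +2 seen in policy_count). The sample tables are constructed from leaf1's output on this page.

```python
# Column order of 'show zoning-rule' on a leaf (from the outputs on this page).
COLUMNS = ["rule_id", "src_epg", "dst_epg", "filter_id", "dir", "oper_st",
           "scope", "name", "action", "priority"]

def parse_zoning_rules(output):
    """Parse the 'show zoning-rule' table into {rule_id: row}. Border lines
    (+---+) and the header row are skipped; an empty cell such as Name is ''."""
    rules = {}
    for line in output.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Rule ID" or len(cells) != len(COLUMNS):
            continue
        rules[cells[0]] = dict(zip(COLUMNS, cells))
    return rules

def contract_delta(before, after):
    """Rules present after the contract but not before, i.e. what the contract
    programmed on this leaf. The implicit rules must all survive unchanged."""
    b, a = parse_zoning_rules(before), parse_zoning_rules(after)
    missing = sorted(set(b) - set(a))
    if missing:
        raise ValueError(f"rules disappeared after contract: {missing}")
    return [a[r] for r in a if r not in b]

def expected_pair(added, tag_a, tag_b):
    """True when exactly one bi-dir rule tag_a->tag_b and one uni-dir-ignore
    rule tag_b->tag_a were added: the +2 observed in policy_count."""
    dirs = {(r["src_epg"], r["dst_epg"]): r["dir"] for r in added}
    return (len(added) == 2 and dirs.get((tag_a, tag_b)) == "bi-dir"
            and dirs.get((tag_b, tag_a)) == "uni-dir-ignore")

# Constructed sample: leaf1's tables from this page, before and after Contract1.
HEADER = """\
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
"""
IMPLICIT = """\
| 4172 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4169 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4173 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4171 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
"""
CONTRACT1 = """\
| 4174 | 16386 | 49154 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4168 | 49154 | 16386 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
"""
BEFORE, AFTER = HEADER + IMPLICIT, HEADER + IMPLICIT + CONTRACT1
```

Running `contract_delta(BEFORE, AFTER)` on captures taken before and after applying a Contract shows only the rules the Contract programmed, which is the quickest way to confirm that nothing besides the expected pair changed.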
show zoning-filter
On leaf1 it was as follows.
leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 18 | 18_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 19 | 19_0 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
On leaf2 it was as follows.
leaf2# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 18 | 18_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
leaf2# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 19 | 19_0 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+