Zoning-Rules When Preferred Groups Are Configured in ACI
With Cisco ACI Contract Preferred Groups, EPGs can be divided into a preferred group and a non-preferred group. A Preferred Group setting is either "include" or "exclude", and the difference between the two is whether a Contract is required for communication, as follows.

| Setting | Meaning | Description |
|---|---|---|
| include | Preferred group | Members of the preferred group can communicate with each other even without a Contract |
| exclude | Non-preferred group | A Contract is required in order to communicate |
This time I checked how the Zoning-Rules actually look with and without a Preferred Group configured. The verification was done on a 5.0(2h) environment.
Verification prerequisites
For the verification, Contracts were configured according to the following policy.
- Apply Both Directions is enabled (the default)
- Reverse Path Filter is enabled (the default)
- There is only one Filter Entry, "TCP/22"
Configuring a Preferred Group
Whether a Preferred Group is enabled or disabled is set on the VRF. It is disabled by default, so if you want to use it you must enable it explicitly.
After enabling the Preferred Group on the VRF, configure each EPG as either include (preferred group) or exclude (non-preferred group).
That is all there is to the basic Preferred Group configuration.
1. No Tenant created
Policy Count
With no Tenant created, the Policy Count was 72.
```
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 72
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
```
2. EPGs only (no Contract configured)
Policy Count
With only two EPGs created and no Contract configured, the Policy Count was 76.
```
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 76
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
```
contract_parser.py
```
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4173] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16387) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49153) [contract:implicit] [hit=0]
[16:4168] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4172] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
```
show zoning-rule
```
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| 4174 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4172 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4168 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4176 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4173 | 0 | 16387 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
```
show zoning-filter
Since no Contract is configured, there are no Contract-derived Zoning-Filters.
3. Contract configured (Preferred Group not used)
Policy Count
Because a Contract (Subject) with Apply Both Directions was configured between the two EPGs (without using a Preferred Group), Zoning-Rules for both the forward and return directions were created, and as a result the Policy Count increased by 2.
```
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 78
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
```
contract_parser.py
```
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4169] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(32770) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(32770) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16386) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49154) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
```
show zoning-rule
```
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4176 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4172 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4173 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4174 | 0 | 49154 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4168 | 32771 | 32770 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4169 | 32770 | 32771 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4179 | 0 | 16386 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
```
show zoning-filter
```
leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 19 | 19_0 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 18 | 18_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
```
4. Contract configured (Preferred Group used)
Policy Count
```
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 78
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
```
contract_parser.py
```
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4168] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(32770) [contract:implicit] [hit=0]
[16:4173] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(49153) [contract:implicit] [hit=0]
[16:4176] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[18:4179] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/vrf-Vrf1(16386) epg:any [contract:implicit] [hit=0]
[19:4169] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
[20:4172] [vrf:Tenant1:Vrf1] permit any epg:any epg:any [contract:implicit] [hit=24]
```
show zoning-rule
```
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+
| 4173 | 0 | 49153 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4172 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | permit | grp_any_any_any_permit(20) |
| 4176 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4179 | 16386 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4169 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4168 | 0 | 32770 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------------+
```
show zoning-filter
Since only EPGs that belong to the preferred group exist, only the implicit Zoning-Filters exist.
5. Preferred Group configured with preferred and non-preferred groups mixed
In most cases where a Preferred Group is used, preferred and non-preferred groups will be used together.
Policy Count
The Policy Count is 86, a large increase compared with the 76 seen when only the EPGs were created.
```
leaf1# vsh_lc -c 'show platform internal hal health-stats asic-unit all' | grep -e policy_count -e policy_label_count
policy_count : 86
max_policy_count : 65536
policy_label_count : 0
max_policy_label_count : 0
```
contract_parser.py
Using a Preferred Group changes the Zoning-Rules substantially. In summary, the following rules are generated.
- A rule that permits the explicit Contract is created at Priority 7
- Rules that deny the non-preferred group are created at Priority 18
- A rule that permits any:any is created at Priority 20
This can be rephrased as follows.
- What is explicitly permitted is permitted at the highest priority (Priority 7)
- The non-preferred group is denied at a somewhat lower priority (Priority 16)
- Anything that matches none of those rules, that is, communication within the preferred group, is permitted at the lowest priority (Priority 20)
As for the "permit at Priority 20" part: when a Preferred Group is not used, implicit rules that deny at Priority 21 to 22 should be generated instead, so comparing the two should help in understanding it. The actual Zoning-Rules are as follows.
```
leaf1# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[7:4182] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg3(16390) tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh tn-Tenant1/ap-Ap1/epg-Epg3(16390) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4180] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16386) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16387) [contract:implicit] [hit=0]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd3(16388) [contract:implicit] [hit=0]
[16:4177] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd4(32771) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[18:4168] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg3(16390) epg:any [contract:implicit] [hit=0]
[18:4179] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg4(16391) epg:any [contract:implicit] [hit=0]
[18:4181] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/vrf-Vrf1(32770) epg:any [contract:implicit] [hit=0]
[19:4175] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
[19:4169] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg3(16390) [contract:implicit] [hit=0]
[19:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg4(16391) [contract:implicit] [hit=0]
[20:4173] [vrf:Tenant1:Vrf1] permit any epg:any epg:any [contract:implicit] [hit=24]
```
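The three-tier structure described above (explicit permit at Priority 7, deny of the non-preferred group at Priority 18/19, permit-all at Priority 20), and its contrast with the Priority 21 catch-all deny of section 3, can be checked mechanically. What follows is an added example that is not part of the original post and not Cisco's contract_parser.py tool: it parses the contract_parser.py rule lines copied from sections 3 and 5 and reports which rule a given flow hits when rules are tried in ascending priority order (a lower number wins). Only that ordering is modelled (rules sharing a priority are not disambiguated, and the leaf's real lookup is not reproduced). The pcTags 16392 and 16393 used for the two included EPGs are constructed placeholders, because the post does not print those pcTags.

```python
"""Toy evaluator for ACI zoning-rules as printed by contract_parser.py.

Added example, not code from the post, Cisco or contract_parser.py.  It parses the
rule lines copied from sections 3 and 5 of the post and reports which rule a flow
hits when rules are tried in ascending priority order (lower number wins).  Only
that ordering is modelled; rules sharing a priority are not disambiguated.
"""
import re
from collections import namedtuple

PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}      # port names contract_parser.py prints
ENDPOINT_RE = re.compile(r"^(?:epg:any|.+\((\d+)\))$")   # epg:any or name(pcTag)
HEAD_RE = re.compile(r"\[(\d+):(\d+)\] \[vrf:[^\]]+\] (.*) \[contract:([^\]]+)\] \[hit=\d+\]$")

# src/dst are pcTags, 0 meaning epg:any; *_port is None unless the rule carries "eq <port>".
Rule = namedtuple("Rule", "prio rule_id action proto src dst src_port dst_port contract")
Flow = namedtuple("Flow", "src dst proto sport dport", defaults=(None, None))


def _pctag(token):
    m = ENDPOINT_RE.match(token)
    if not m:
        raise ValueError(f"not an endpoint token: {token}")
    return int(m.group(1)) if m.group(1) else 0


def parse_rule(line):
    """Parse '[prio:RuleId] [vrf:..] action proto src [eq port] dst [eq port] [contract:..] [hit=n]'."""
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    prio, rule_id, body, contract = m.groups()
    tok = body.split()
    i = 1                                   # tok[0] is the action
    while not ENDPOINT_RE.match(tok[i]):    # protocol words run up to the source endpoint
        i += 1
    proto = " ".join(tok[1:i])              # "any", "arp" or "ip tcp"
    src, i = _pctag(tok[i]), i + 1
    src_port = None
    if i < len(tok) and tok[i] == "eq":     # source L4 qualifier (the reverse-filter rule)
        src_port, i = PORT_NAMES[tok[i + 1]], i + 2
    dst, i = _pctag(tok[i]), i + 1
    dst_port = PORT_NAMES[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
    return Rule(int(prio), int(rule_id), tok[0], proto, src, dst, src_port, dst_port, contract)


def matches(rule, flow):
    return ((rule.src in (0, flow.src)) and (rule.dst in (0, flow.dst))
            and (rule.proto == "any" or flow.proto in rule.proto.split())
            and (rule.src_port in (None, flow.sport)) and (rule.dst_port in (None, flow.dport)))


def lookup(rules, flow):
    """Matching rule with the lowest priority number (evaluated first), or None."""
    return min((r for r in rules if matches(r, flow)), key=lambda r: r.prio, default=None)


def _load(text):
    return [parse_rule(l) for l in text.strip().splitlines()]


# Rule lines copied from the post's contract_parser.py output: section 3 (no Preferred Group) ...
NO_PG = _load("""
[7:4169] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg1(32770) tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4168] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg2(32771) eq ssh tn-Tenant1/ap-Ap1/epg-Epg1(32770) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4179] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16386) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(49154) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4173] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
""")
# ... and section 5 (Preferred Group enabled; Epg3/Epg4 are excluded, the other EPGs included).
WITH_PG = _load("""
[7:4182] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg3(16390) tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[7:4178] [vrf:Tenant1:Vrf1] permit ip tcp tn-Tenant1/ap-Ap1/epg-Epg4(16391) eq ssh tn-Tenant1/ap-Ap1/epg-Epg3(16390) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4180] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd1(16386) [contract:implicit] [hit=0]
[16:4172] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd2(16387) [contract:implicit] [hit=0]
[16:4171] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd3(16388) [contract:implicit] [hit=0]
[16:4177] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd4(32771) [contract:implicit] [hit=0]
[16:4174] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[18:4168] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg3(16390) epg:any [contract:implicit] [hit=0]
[18:4179] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg4(16391) epg:any [contract:implicit] [hit=0]
[18:4181] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/vrf-Vrf1(32770) epg:any [contract:implicit] [hit=0]
[19:4175] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
[19:4169] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg3(16390) [contract:implicit] [hit=0]
[19:4176] [vrf:Tenant1:Vrf1] deny,log any epg:any tn-Tenant1/ap-Ap1/epg-Epg4(16391) [contract:implicit] [hit=0]
[20:4173] [vrf:Tenant1:Vrf1] permit any epg:any epg:any [contract:implicit] [hit=24]
""")
# Constructed placeholder pcTags for two included EPGs; the post does not print theirs.
PREF_A, PREF_B = 16392, 16393

if __name__ == "__main__":
    for label, rules, flow in [
        ("sec3 Epg1->Epg2 tcp/22", NO_PG, Flow(32770, 32771, "tcp", dport=22)),
        ("sec3 Epg1->Epg2 tcp/80", NO_PG, Flow(32770, 32771, "tcp", dport=80)),
        ("sec5 Epg3->Epg4 tcp/22", WITH_PG, Flow(16390, 16391, "tcp", dport=22)),
        ("sec5 Epg3->Epg4 tcp/80", WITH_PG, Flow(16390, 16391, "tcp", dport=80)),
        ("sec5 included->included", WITH_PG, Flow(PREF_A, PREF_B, "tcp", dport=443)),
        ("sec5 included->Epg3", WITH_PG, Flow(PREF_A, 16390, "tcp", dport=443))]:
        r = lookup(rules, flow)
        print(f"{label:26} -> {r.action:8} rule {r.rule_id} prio {r.prio}")
```

Running it shows the shape the post describes: in section 5, Epg3 to Epg4 on TCP/22 lands on the Priority 7 contract rule, the same pair on TCP/80 falls through to the Priority 18 deny from the excluded source, two included EPGs only ever reach the Priority 20 permit-all, and an included EPG talking to excluded Epg3 is stopped by the Priority 19 deny toward that destination. In section 3 the non-contract flow lands on the Priority 21 any_any_any deny instead.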
show zoning-rule
```
leaf1# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
| 4168 | 16390 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4169 | 0 | 16390 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4179 | 16391 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4176 | 0 | 16391 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4172 | 0 | 16387 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4173 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | permit | grp_any_any_any_permit(20) |
| 4174 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4181 | 32770 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4175 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4171 | 0 | 16388 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4178 | 16391 | 16390 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4182 | 16390 | 16391 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4177 | 0 | 32771 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4180 | 0 | 16386 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
```
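The `show zoning-rule` tables from section 3 and from this section can be audited for the state the post reads off them: whether a grp_any_any_any_permit(20) catch-all is present, which source pcTags carry grp_src_any_any_deny rules, and how many contract rules exist. The following is an added example that is not part of the original post and not Cisco's software; it assumes the table layout shown above (a header row of `|`-delimited cells and `+---+` border lines) and embeds the header and data rows of the two tables as copied from the post.

```python
"""Audit a leaf's `show zoning-rule` table for Contract Preferred Group state.

Added example, not code from the post or from Cisco.  It parses the ASCII table
the leaf prints and summarises what the post points at: the VRF catch-all rule
(SrcEPG 0, DstEPG 0, FilterID implicit) and its action, the priority names in
use, the source pcTags carrying grp_src_any_any_deny rules, and the contract
rule count.
"""
import re
from collections import Counter

PRIO_RE = re.compile(r"(\w+)\((\d+)\)")          # e.g. grp_src_any_any_deny(18)
PG_CATCH_ALL = "grp_any_any_any_permit(20)"      # seen only with a Preferred Group (post, sections 4/5)


def parse_zoning_rule_table(text):
    """One dict per data row keyed by the header cells; `+---+` border lines are skipped."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.lstrip().startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def audit(rows):
    """Summarise a parsed table the way the post reads it."""
    by_prio, excluded, catch_all = Counter(), set(), None
    for r in rows:
        name, num = PRIO_RE.match(r["Priority"]).groups()
        by_prio[f"{name}({num})"] += 1
        if name == "grp_src_any_any_deny":             # deny-from-excluded-source rules
            excluded.add(int(r["SrcEPG"]))
        if r["SrcEPG"] == r["DstEPG"] == "0" and r["FilterID"] == "implicit":
            catch_all = r["Action"]                    # the implicit any -> any rule
    return {
        "rules": len(rows),
        "preferred_group_active": PG_CATCH_ALL in by_prio,
        "catch_all_action": catch_all,
        "contract_rules": sum(1 for r in rows if r["Name"]),
        "excluded_src_pctags": sorted(excluded),       # in section 5 this includes the VRF's own pcTag
        "by_priority": dict(by_prio),
    }


# Header and data rows copied from the post (border lines omitted; the parser skips them anyway).
SEC3_TABLE = """
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4176 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4172 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4173 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4174 | 0 | 49154 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4168 | 32771 | 32770 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4169 | 32770 | 32771 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4179 | 0 | 16386 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
"""
SEC5_TABLE = """
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4168 | 16390 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4169 | 0 | 16390 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4179 | 16391 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4176 | 0 | 16391 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4172 | 0 | 16387 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4173 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | permit | grp_any_any_any_permit(20) |
| 4174 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4181 | 32770 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_src_any_any_deny(18) |
| 4175 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | grp_any_dest_any_deny(19) |
| 4171 | 0 | 16388 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4178 | 16391 | 16390 | 19 | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4182 | 16390 | 16391 | 18 | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | fully_qual(7) |
| 4177 | 0 | 32771 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4180 | 0 | 16386 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
"""

if __name__ == "__main__":
    for label, table in (("section 3", SEC3_TABLE), ("section 5", SEC5_TABLE)):
        print(label, audit(parse_zoning_rule_table(table)))
```

For section 3 the audit reports a deny,log catch-all and no excluded sources; for section 5 it reports the permit catch-all, three grp_src_any_any_deny sources (the two excluded EPGs plus the VRF pcTag 32770) and fourteen rules in total, which is the growth the Policy Count figures above reflect.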
show zoning-filter
```
leaf1# show zoning-filter filter 19
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 19 | 19_0 | ip | unspecified | tcp | no | no | ssh | ssh | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
leaf1# show zoning-filter filter 18
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 18 | 18_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | ssh | ssh | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
```
Summary
Looking at Preferred Groups from the perspective of Policy Count consumption, I think the following can be said.
- The Zoning-Rules take the form "permit → deny → permit all"
- The Zoning-Rules grow accordingly, and as a result more Policy Count is consumed
- Flexible Contract design becomes easier, but Policy Count consumption needs corresponding attention