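Zoning-Rules with Route Leak in Cisco ACI
I previously wrote the memo below.
This time, I check how Resource IDs and Zoning-Rules are displayed in a configuration with Route Leak and in one without it. The verification was done on 5.0(2h).
pcTag values with and without Route Leak
As described in "Types and ranges of the pcTag that internally identifies an EPG in Cisco ACI", the range of an EPG's Class ID (pcTag) is determined by its use. Below, I compare a "configuration without Route Leak" and a "configuration with Route Leak". The comparison shows that the pcTag is allocated from the local scope in the "configuration without Route Leak" and from the global scope in the "configuration with Route Leak".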
| pcTag range | Use | Description |
|---|---|---|
| 1 ~ 15 | System reserved | - |
| 16 ~ 16,384 | Global scope | Used for shared services |
| 16,385 ~ 65,535 | Local scope | Used within the same VRF |
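Note that the number of Global pcTags configured across the whole Fabric can be checked in the Capacity Dashboard.
Configuration without Route Leak
When Route Leak is not configured and Contracts are used only within the same VRF, Resource IDs and Zoning-Rules are displayed as follows.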
Bridge Domains
VRFs
EPGs
show zoning-rule
leaf# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4128 | 0 | 16386 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4130 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4142 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4157 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4158 | 0 | 16387 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4149 | 49154 | 49155 | default | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
| 4140 | 49155 | 49154 | default | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
leaf# show zoning-rule scope 2523141
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| 4148 | 0 | 32771 | implicit | uni-dir | enabled | 2523141 | | permit | any_dest_any(16) |
| 4165 | 0 | 0 | implicit | uni-dir | enabled | 2523141 | | deny,log | any_any_any(21) |
| 4181 | 0 | 0 | implarp | uni-dir | enabled | 2523141 | | permit | any_any_filter(17) |
| 4138 | 0 | 15 | implicit | uni-dir | enabled | 2523141 | | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[9:4149] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(49154) tn-Tenant1/ap-Ap1/epg-Epg12(49155) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[9:4140] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg12(49155) tn-Tenant1/ap-Ap1/epg-Epg11(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=0]
[16:4128] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd11(16386) [contract:implicit] [hit=0]
[16:4158] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd12(16387) [contract:implicit] [hit=0]
[16:4142] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4130] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4157] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
leaf# contract_parser.py --vrf Tenant1:Vrf2
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[16:4148] [vrf:Tenant1:Vrf2] permit any epg:any tn-Tenant1/bd-Bd21(32771) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf2] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4165] [vrf:Tenant1:Vrf2] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4138] [vrf:Tenant1:Vrf2] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
Configuration with Route Leak
When Route Leak is configured, Resource IDs and Zoning-Rules are displayed as follows.
show zoning-rule
leaf# show zoning-rule scope 2326533
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
| 4140 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4149 | 0 | 0 | implarp | uni-dir | enabled | 2326533 | | permit | any_any_filter(17) |
| 4158 | 0 | 15 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_vrf_any_deny(22) |
| 4157 | 0 | 32771 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4130 | 49154 | 32772 | default | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
| 4142 | 32772 | 49154 | default | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
| 4165 | 0 | 32770 | implicit | uni-dir | enabled | 2326533 | | permit | any_dest_any(16) |
| 4183 | 5474 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | shsrc_any_any_deny(12) |
| 4184 | 32772 | 5474 | default | bi-dir | enabled | 2326533 | Tenant1:Contract2 | permit | src_dst_any(9) |
| 4137 | 5474 | 32772 | default | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract2 | permit | src_dst_any(9) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
leaf# show zoning-rule scope 2523141
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+
| 4138 | 0 | 0 | implicit | uni-dir | enabled | 2523141 | | deny,log | any_any_any(21) |
| 4181 | 0 | 0 | implarp | uni-dir | enabled | 2523141 | | permit | any_any_filter(17) |
| 4128 | 0 | 15 | implicit | uni-dir | enabled | 2523141 | | deny,log | any_vrf_any_deny(22) |
| 4148 | 0 | 16387 | implicit | uni-dir | enabled | 2523141 | | permit | any_dest_any(16) |
| 4156 | 5474 | 14 | implicit | uni-dir | enabled | 2523141 | | permit_override | src_dst_any(9) |
+---------+--------+--------+----------+---------+---------+---------+------+-----------------+----------------------+
contract_parser.py
leaf# contract_parser.py --vrf Tenant1:Vrf1
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[9:4142] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(32772) tn-Tenant1/ap-Ap1/epg-Epg12(49154) [contract:uni/tn-Tenant1/brc-Contract1] [hit=5]
[9:4184] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg11(32772) tn-Tenant1/ap-Ap1/epg-Epg21(5474) [contract:uni/tn-Tenant1/brc-Contract2] [hit=10]
[9:4130] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg12(49154) tn-Tenant1/ap-Ap1/epg-Epg11(32772) [contract:uni/tn-Tenant1/brc-Contract1] [hit=4]
[9:4137] [vrf:Tenant1:Vrf1] permit any tn-Tenant1/ap-Ap1/epg-Epg21(5474) tn-Tenant1/ap-Ap1/epg-Epg11(32772) [contract:uni/tn-Tenant1/brc-Contract2] [hit=5]
[12:4183] [vrf:Tenant1:Vrf1] deny,log any tn-Tenant1/ap-Ap1/epg-Epg21(5474) epg:any [contract:implicit] [hit=0]
[16:4165] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd11(32770) [contract:implicit] [hit=0]
[16:4157] [vrf:Tenant1:Vrf1] permit any epg:any tn-Tenant1/bd-Bd12(32771) [contract:implicit] [hit=0]
[16:4149] [vrf:Tenant1:Vrf1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4140] [vrf:Tenant1:Vrf1] deny,log any epg:any epg:any [contract:implicit] [hit=24]
[22:4158] [vrf:Tenant1:Vrf1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
leaf# contract_parser.py --vrf Tenant1:Vrf2
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]
[9:4156] [vrf:Tenant1:Vrf2] permit_override any tn-Tenant1/ap-Ap1/epg-Epg21(5474) int-shrsvc(14) [contract:implicit] [hit=5]
[16:4148] [vrf:Tenant1:Vrf2] permit any epg:any tn-Tenant1/bd-Bd21(16387) [contract:implicit] [hit=0]
[16:4181] [vrf:Tenant1:Vrf2] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4138] [vrf:Tenant1:Vrf2] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4128] [vrf:Tenant1:Vrf2] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
Bridge Domains
VRFs
EPGs
This shows that the Class ID of Epg21, which is configured on the Provider side of the Route Leak, has been changed to the global scope range.
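Added example (not from the original post and not Cisco's tooling): a small Python parser for the `show zoning-rule` output above that classifies each SrcEPG/DstEPG by the pcTag ranges in this page's table and lists the rules that touch a global-scope pcTag, which is a quick way to audit which rules exist because of shared services. The function names are hypothetical, and treating pcTag 0 as "any" is inferred from the `epg:any` rendering in the contract_parser.py output.

```python
# pcTag ranges from the table on this page; 0 is assumed to mean "any" (epg:any).
def pctag_scope(tag):
    if tag == 0:
        return "any"
    if 1 <= tag <= 15:
        return "system"
    if 16 <= tag <= 16384:
        return "global"
    if 16385 <= tag <= 65535:
        return "local"
    raise ValueError(f"pcTag out of range: {tag}")

COLUMNS = ("rule_id", "src", "dst", "filter", "dir", "oper_st",
           "scope", "name", "action", "priority")

def parse_zoning_rules(text):
    """Turn `show zoning-rule` table rows into dicts; skip borders and headers."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or not cells[0].isdigit():
            continue
        rule = dict(zip(COLUMNS, cells))
        for key in ("rule_id", "src", "dst", "scope"):
            rule[key] = int(rule[key])
        rules.append(rule)
    return rules

def global_pctag_rules(rules):
    """Rules whose source or destination pcTag falls in the global range."""
    return [r for r in rules
            if "global" in (pctag_scope(r["src"]), pctag_scope(r["dst"]))]

# Subset of rows copied from the "with Route Leak" outputs on this page.
SAMPLE = """
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
| 4140 | 0 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | any_any_any(21) |
| 4142 | 32772 | 49154 | default | bi-dir | enabled | 2326533 | Tenant1:Contract1 | permit | src_dst_any(9) |
| 4183 | 5474 | 0 | implicit | uni-dir | enabled | 2326533 | | deny,log | shsrc_any_any_deny(12) |
| 4184 | 32772 | 5474 | default | bi-dir | enabled | 2326533 | Tenant1:Contract2 | permit | src_dst_any(9) |
| 4137 | 5474 | 32772 | default | uni-dir-ignore | enabled | 2326533 | Tenant1:Contract2 | permit | src_dst_any(9) |
| 4156 | 5474 | 14 | implicit | uni-dir | enabled | 2523141 | | permit_override | src_dst_any(9) |
"""

if __name__ == "__main__":
    for r in global_pctag_rules(parse_zoning_rules(SAMPLE)):
        print(r["scope"], r["rule_id"], r["action"], r["src"], "->", r["dst"],
              pctag_scope(r["src"]), pctag_scope(r["dst"]), r["name"] or "implicit")
```

On the sample rows it returns rules 4183, 4184, 4137 and 4156, all of which involve Epg21 (5474).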