In the example, the EPGs Client, Web, and App consume the same contract, which allows SSH traffic. The contract is provided by EPG DB. By matching the class ID numbers, you can see the corresponding entries in the policy CAM programming output. The value 0 in the source or destination EPG (source or destination class ID) is the class ID that identifies vzAny; in other words, it is the equivalent of an "any" entry for the EPG values.
● vzAny: vzAny represents all EPGs in the VRF. This option is also known as the EPG collection. By applying contracts to vzAny, the administrator can create security rules that apply to all EPGs in the VRF.
Here's what the filter looks like in XML. Just post this with something like Postman to create the filter automatically (using the right URL path for your environment). Figure 131 illustrates the overall design and configuration.
The vzAny-to-vzAny contract allows all IP traffic in VRF tenant1. The EPG1-to-EPG2 contract denies traffic between EPG1 and EPG2. The EPG2-to-EPG3 contract includes a redirect action (service graph with PBR) that sends traffic to a firewall. The following example shows how different contracts control the flow of traffic between endpoint groups in a 3-tier application that contains a group of web servers in one endpoint group, a group of application servers in a second endpoint group, and a group of database servers in a third. The Web endpoint group (provider) provides a contract (contract1) that is consumed by the L3Out endpoint group (traffic from outside the ACI fabric). This allows web traffic from outside the ACI fabric to reach the web servers. The Application endpoint group (provider) provides a contract (contract2) that is consumed by the Web endpoint group (consumer). This allows the web servers to call applications on the application servers.
Finally, the Application endpoint group (consumer) consumes a contract (contract3) provided by the Database endpoint group (provider). This allows the application servers to access the application database. Reverse port filtering is not required for unacknowledged UDP traffic. For TCP traffic, however, the responder cannot establish a TCP session unless reverse port filtering is enabled or another contract allows traffic from the responder.
◦ On the EPG's Operational > Contracts tab (Tenant > Application Profiles > EPG), view the EPG-to-EPG traffic counters and the related contracts.
◦ Use the Contract Viewer app to view aggregated traffic between EPG pairs.
Open the application profile topology view to see the two EPGs we created in the previous step. The APIC GUI provides a drag-and-drop function that lets us create a contract between them. If you need to apply the same security configuration to all EPGs in a VRF, vzAny is the best configuration choice; if you need to apply the same set of contracts to only a subset of the EPGs in the VRF, a master EPG can be useful. Figure 18 shows where policy is applied when the VRF is configured for ingress filtering. For an intra-VRF EPG-to-L3Out EPG contract, the policy is applied by default on the non-border leaf where the internal ACI endpoint is located. For an EPG-to-L3Out EPG contract, the non-border leaf can resolve both the source and destination class IDs, because the internal ACI endpoint is local to the non-border leaf and the L3Out EPG class ID can be derived by looking up the IP address in the list of subnets defined for the L3Out EPG classification rather than from endpoint learning state. In short, a contract consists of one or more subjects. Each subject contains one or more filters.
Each filter contains one or more entries. Each entry corresponds to a row in an access control list (ACL) applied on the leaf switch to which the endpoint in the endpoint group is attached. The use of ELAM is not explained in this document. For more information, see the "Intra-Fabric Forwarding" section of the Cisco ACI Troubleshooting Guide: www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/troubleshooting/Cisco_TroubleshootingApplicationCentricInfrastructureSecondEdition.pdf Specify the filter rules you want, and then continue with the contract. Note: A contract interface consumed by an EPG represents one or more subjects defined in the contract. By binding to an interface, an endpoint group consumes all the subjects represented by that interface. There may be times when the ACI administrator needs to allow traffic between two tenants. Contract interfaces are a special type of contract that an ACI administrator can use to permit specific traffic by exporting a contract. The contract is essentially exported by the source tenant and imported into the target tenant. As with regular contracts, the source EPG is the provider. In the target tenant, however, the contract is imported as a contract interface.
A few use-case examples in the next chapter show the complete process. Figure 136 illustrates the overall design and configuration. EPG4 has the same security requirements as EPG1: access to EPG Shared in Tenant-Shared and to the other EPGs in the same VRF, except EPG2 and EPG3 over UDP. With EPG1 as the master EPG for EPG4, EPG4 can access EPG Shared in Tenant-Shared and the other EPGs in VRF1, except EPG2 over UDP. In addition, UDP traffic between EPG3 and EPG4 must be denied. Configuring an EPG3-to-EPG4 contract with a deny action for UDP traffic denies UDP traffic between EPG3 and EPG4. EPG1 can still communicate with EPG3 because the deny rule does not apply to EPG1. For inter-VRF contracts for L3Out-to-L3Out or L3Out-to-EPG (with the L3Out EPG as the consumer), the ingress leaf applies the contract policy. This means the policy is applied on the first leaf the packet hits. Some objects must be created on the APIC before the contract is configured. This document does not discuss the creation of tenants, VRFs, BDs, EPGs, and L3Outs.
It assumes that the following are already configured: ● Define global rules that apply to all traffic between all EPGs in a particular VRF. For example, you might have specific EPG-to-EPG rules with a higher priority (priority 7) than vzAny, and then a contract provided and consumed by vzAny for certain types of traffic that must be allowed between all EPGs.
Part of the beauty of Cisco Application Centric Infrastructure is the concept of contracts. In ACI, we talk a lot about the idea of the policy-driven network. We call these policies contracts. Contracts are not entirely different from access control lists, but there are big differences. First, ACLs are typically written between IP addresses or subnets, whereas contracts are defined between groups of endpoints and do not reference a specific IP address. ACI is also a whitelist model, so contracts typically permit traffic, whereas on a traditional network ACLs spend a lot of time denying traffic. Finally, contracts can easily be made bidirectional, which means they can apply the same policy from your web EPG to your application EPG, for example, and vice versa.
You can make a contract bidirectional by simply ticking a checkbox instead of writing several additional ACLs to make it work. You can also assign traffic to a QoS class by configuring the QoS priority in the contract subject, and you can rewrite the DSCP value ("Target DSCP") at the contract object level.
● A deny action has a priority configuration option. Before using a deny action, you should familiarize yourself with deny priorities. If you don't understand which rule wins, adding deny entries may produce filtering results that differ from your expectations. For more information on deny priorities, see the "Contract priorities" section of this document.