
ACI Contract on Specific port (443) not working

AHMED_MAKBOUL
Level 1

ACI Contract on Specific port (443) not working unless we add default filter in the Contract

Attached the filter and the contract after adding Default Filter


brunpere
Cisco Employee

Hello AHMED_MAKBOUL,

My name is Bruno Pereira and I’m working in Cisco as a Customer Success Specialist in ACI so I will try to help you.

I analyzed the prints of the contract and filter that you configured and apparently there is no misconfiguration. So, the cause for having this issue could be the way that you applied the contract, because in your case those filters applied in the contract are permitting all types of traffic.

To keep giving you support in this case I need you to send more information about the way the contract was applied.

So, my advice is to take a look at this website (https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Contractdesignoptionsformigrationandoperationalsimplification) and explore the content to understand certain behaviors of contracts in ACI.

  • First, to see some examples of how to apply contracts in ACI, please look at the tab “How contracts work” and inside you will find an excerpt (“Defining which side …”) where you can see some examples of applying contracts. Also, in this tab go to the Policy programming paragraph that will show you some steps you can take to troubleshoot and verify the filters applied in the VRF scope.
  • After this, I strongly recommend exploring the “Other contract types” tab to understand if you didn’t create a taboo contract instead of a standard contract and try to understand the benefits of using the taboo contract in your case.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) sessions. Check out Cisco ACI ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

RedNectar
VIP

Hi @AHMED_MAKBOUL ,

Firstly, you must understand that Filters and Contracts in ACI are simply models - like the blueprint for building a car. You can't drive the car with just the blueprint.

So you have shown us a Filter and a Contract. These are the blueprints. By themselves, they do NOTHING.

To make the Filter and Contract active you must:

  • Identify which devices are supplying the service - in your case the Servers that provide a service on port 443. I'm guessing they will be web-servers based on the port number.
    • These servers must be placed in an EPG. Let's assume you've called this EPG WebServers_EPG
    • Now have this EPG provide the contract, because they are providing the service
  • Identify which devices are going to access those services - this group will be the consumer of the Contract. In this case these devices might be:
    • Another EPG
      • Have this EPG Consume the contract if this is the case
    • An external network/subnet - in ACI we'd call this an External L3EPG
      • If this is your situation, have this L3EPG Consume the contract - which is tricky to configure
    • An entire VRF
      • If this is what you want, navigate to the VRF and look for the EPG|ESG Collection for VRF and add the contract there under Consumed contracts.

Once you have configured your contract in this way, navigate to your Tenant > Contracts > Standard > YourContract > [Topology] tab and paste a picture here for me to see how you've actually applied your contract. It should look something like this:

[Image: RedNectar_0-1676488983956.png]

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
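
The provider/consumer requirement described in the reply above can be checked offline against a tenant export. This is an added example, not part of the original thread or Cisco's own tooling: it walks a constructed tenant tree in APIC JSON shape and lists contracts that have no provider or no consumer relation. The class names (`vzBrCP`, `fvAEPg`, `fvRsProv`, `fvRsCons`, `vzRsAnyToProv`, `vzRsAnyToCons`) are APIC object-model classes; every object name except `WebServers_EPG` is made up.

```python
# Added example: constructed tenant in APIC JSON export shape.
# Every name except WebServers_EPG is made up for illustration.
TENANT = {"fvTenant": {"attributes": {"name": "Example_Tenant"}, "children": [
    {"vzBrCP": {"attributes": {"name": "https_ct"}}},
    {"vzBrCP": {"attributes": {"name": "unapplied_ct"}}},
    {"fvAp": {"attributes": {"name": "Example_AP"}, "children": [
        {"fvAEPg": {"attributes": {"name": "WebServers_EPG"}, "children": [
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "https_ct"}}}]}},
        {"fvAEPg": {"attributes": {"name": "Clients_EPG"}, "children": [
            {"fvRsCons": {"attributes": {"tnVzBrCPName": "https_ct"}}}]}},
    ]}},
]}}

# Relation classes that bind a contract to an EPG, external EPG or vzAny.
PROVIDE = {"fvRsProv", "vzRsAnyToProv"}
CONSUME = {"fvRsCons", "vzRsAnyToCons"}

def contract_bindings(node, owner=None, out=None):
    """Walk the tree; map each contract name to who provides/consumes it."""
    out = {} if out is None else out
    for cls, body in node.items():
        attrs = body.get("attributes", {})
        if cls == "vzBrCP":
            out.setdefault(attrs["name"], {"provided_by": [], "consumed_by": []})
        elif cls in PROVIDE | CONSUME:
            side = "provided_by" if cls in PROVIDE else "consumed_by"
            entry = out.setdefault(attrs["tnVzBrCPName"],
                                   {"provided_by": [], "consumed_by": []})
            entry[side].append(owner)
        for child in body.get("children", []):
            contract_bindings(child, attrs.get("name") or cls, out)
    return out

def inactive_contracts(tree):
    """Contracts missing a provider or a consumer, with the missing sides."""
    return {name: [side for side, who in b.items() if not who]
            for name, b in contract_bindings(tree).items()
            if not b["provided_by"] or not b["consumed_by"]}

if __name__ == "__main__":
    for name, missing in inactive_contracts(TENANT).items():
        print(f"{name}: no {' / '.join(missing)} relation")
```

A contract that is provided or consumed from another tenant will show up as incomplete here, because the check only sees the tree it is given.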
