ACI Contract Permit any

pat1848
Level 1

Question about ACI contracts.

 

Situation:
EPG A provider, EPG B consumer
Contract with subject apply in both directions/reverse filter path enabled
Filter permit any

 

Question:
Can EPG A (Provider) open a session to EPG B (Consumer)? -> according to my tests it can.

 

My understanding was that a provider can never open a session to a consumer, no matter what the contract/filters look like, because only the consumer can open a session.

If the filter contains a specific port (TCP/UDP, etc.), it works as expected, but if the filter contains permit any, the provider can also open sessions to the consumer.

There are a couple of documents around which cover the topic, but I couldn't figure out what influence the permit any has in combination with apply both directions / reverse filter path.

If I check the contracts with show zoning-rule, there are indeed two entries with the corresponding pc-tags and Permit src/dst in both directions, although the contract was only deployed in one direction between provider and consumer.

My conclusion: If you deploy a permit any in one direction between a provider and consumer, both can communicate fully in both directions if apply in both directions is enabled.

 

Am I right or am I missing something?

 

Cheers, Pat

4 Replies

Rick1776
Level 5
You are correct. An EPG can be a provider of a contract, a consumer of a contract, or can perform both functions, providing and consuming at the same time.

Hi Rick

 

Thanks for your reply. I'm aware that an EPG can be both - provider and consumer at the same time.

 

But the question was: If I have only one contract between EPG A (Provider) and EPG B (Consumer), the Provider can open a session to the consumer because the contract consists of a permit any rule with the settings apply in both directions/reverse filter path. So I thought only the consumer can fully communicate to the provider. But tests show that the provider can fully communicate and initiate sessions to the consumer, which is usually not the case if you limit the filters to certain ports instead of having a full permit any.

 

Regards

Correct, it's bidirectional by default.
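
A simplified model of the rule expansion discussed in this thread, added here as an illustration and not taken from any poster or from Cisco: it shows why reversing a permit-any filter yields a second permit-any rule, so the provider can open sessions, while reversing a port filter does not. The class and function names are hypothetical, and the model assumes stateless matching on EPG, protocol and ports only.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # an unspecified field matches every value


@dataclass(frozen=True)
class Filter:
    proto: Optional[str] = ANY   # "tcp", "udp" or ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    flt: Filter


def expand(consumer, provider, flt, both_directions=True, reverse_ports=True):
    """Return the permit rules one contract subject produces in this model."""
    rules = [Rule(consumer, provider, flt)]          # consumer -> provider
    if both_directions:
        # The reverse setting swaps source and destination ports for the return rule.
        back = Filter(flt.proto, flt.dport, flt.sport) if reverse_ports else flt
        rules.append(Rule(provider, consumer, back))  # provider -> consumer
    return rules


def permitted(rules, src, dst, proto, sport, dport):
    """Stateless match: no rule records which side opened the session."""
    def m(want, got):
        return want is ANY or want == got
    return any(r.src == src and r.dst == dst and m(r.flt.proto, proto)
               and m(r.flt.sport, sport) and m(r.flt.dport, dport)
               for r in rules)


def provider_can_initiate(rules, provider, consumer, dport, sport=49152):
    """A new provider session: ephemeral source port, service port as destination."""
    return permitted(rules, provider, consumer, "tcp", sport, dport)


# Constructed sample: EPG-A provides, EPG-B consumes, as in the question.
ANY_RULES = expand("EPG-B", "EPG-A", Filter())                 # permit any
PORT_RULES = expand("EPG-B", "EPG-A", Filter("tcp", ANY, 443))  # one service port
```

In this model the return rule for the port filter still matches any provider packet whose source port is 443, because nothing in the match is tied to session state.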
