ACI mgmt Tenant Out-of-Band Contracts direction

SIMMN

The short version of my question is: do ACI Out-of-Band Contracts function the same as regular contracts, flow-direction-wise?

The long version is:

Say you would like to create contract(s) and External Management Network Instance Profiles to restrict communication between ACI fabric and management servers. 

  • Out-of-Band Contract#1: Protocol/D-port: UDP/161, UDP/1812, UDP/514, TCP/514
  • Out-of-Band Contract#2: Protocol/D-port: TCP/22, TCP/443
  • External Management Network Instance Profiles:
    • NET-SERVERS(subnet 10.10.0.0/25)
    • JUMPBOX (10.10.0.128/25)

All the filters in contracts have "reverse filter ports" enabled.

Due to the configuration options:

  • The "Out-of-Band EPG - default" can be the provider of contracts
  • NET-SERVERS and JUMPBOX can be consumer of contracts.

So now the question: for Out-of-Band Contract#2 it makes sense that the ACI nodes provide the SSH and HTTPS for external hosts to consume. But for Out-of-Band Contract#1, the ACI nodes do provide the service that the SNMP probes consume, but they do not really provide the RADIUS and SYSLOG services; instead they communicate with the external servers to consume those services...

So I guess: am I configuring it incorrectly, or have I totally missed the mark?
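The configuration described in the question, modelled as an added example (this is not code from the thread, from Cisco, or from any of the posters). It builds the tenant mgmt objects an APIC POST would carry for the two OOB contracts, the two External Management Network Instance Profiles as consumers and the default OOB EPG as provider, and then classifies sample flows under the generic ACI contract direction model: the consumer initiates toward the provider, and "reverse filter ports" admits only the return leg of such a flow. A node-initiated syslog or RADIUS request fits neither rule of that generic model, which is exactly the situation the question is asking about; the example does not claim how OOB enforcement on the nodes actually treats such flows. Assumptions: the object-class and attribute names (vzOOBBrCP, vzSubj/revFltPorts, vzFilter/vzEntry, mgmtInstP/mgmtSubnet/mgmtRsOoBCons, mgmtOoB/mgmtRsOoBProv) are the author's understanding of the APIC management-tenant model and should be checked against the API Inspector before posting; the filter names, the function names, and the node OOB subnet 10.10.1.0/24 are constructed for the example.

```python
# Added example, not code from the thread or from Cisco. It models the OOB
# contract set-up described in the question as APIC-style managed objects
# (tenant mgmt) and classifies sample flows under the generic ACI contract
# direction model: the consumer initiates toward the provider, and "reverse
# filter ports" admits only the return leg of such a flow. How OOB enforcement
# on the nodes treats node-initiated flows is the thread's open question, and
# this model makes no claim about it; it only shows which flows the generic
# model covers.
import ipaddress

# Assumed names and values (not from the thread): the object-class and
# attribute names below follow the APIC management-tenant model as understood
# by the author of this example, and 10.10.1.0/24 is a constructed subnet
# standing in for the OOB addresses of the fabric nodes.
NODE_OOB = ipaddress.ip_network("10.10.1.0/24")

# Contract contents and consumer subnets exactly as listed in the question.
CONTRACTS = {
    "OOB-Contract-1": {"entries": [("udp", 161), ("udp", 1812), ("udp", 514), ("tcp", 514)],
                       "rev_flt_ports": True},
    "OOB-Contract-2": {"entries": [("tcp", 22), ("tcp", 443)], "rev_flt_ports": True},
}
CONSUMERS = {  # External Management Network Instance Profile -> (subnet, contracts consumed)
    "NET-SERVERS": ("10.10.0.0/25", ["OOB-Contract-1"]),
    "JUMPBOX": ("10.10.0.128/25", ["OOB-Contract-2"]),
}


def filter_mo(name, entries):
    """vzFilter with one vzEntry per (protocol, destination port)."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
                                    "dFromPort": str(port), "dToPort": str(port)}}}
        for proto, port in entries]}}


def oob_contract_mo(name, filter_name, rev_flt_ports):
    """vzOOBBrCP with a single subject; revFltPorts is a subject attribute."""
    return {"vzOOBBrCP": {"attributes": {"name": name}, "children": [
        {"vzSubj": {"attributes": {"name": "subj", "revFltPorts": "yes" if rev_flt_ports else "no"},
                    "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}


def inst_profile_mo(name, subnet, contracts):
    """mgmtInstP (External Management Network Instance Profile) consuming OOB contracts."""
    return {"mgmtInstP": {"attributes": {"name": name}, "children":
            [{"mgmtSubnet": {"attributes": {"ip": subnet}}}] +
            [{"mgmtRsOoBCons": {"attributes": {"tnVzOOBBrCPName": c}}} for c in contracts]}}


def mgmt_tenant_payload():
    """Body for POST /api/mo/uni.json: filters, contracts, the default OOB EPG as
    provider, and the instance profiles as consumers."""
    children = []
    for cname, spec in CONTRACTS.items():
        children.append(filter_mo(cname + "-flt", spec["entries"]))
        children.append(oob_contract_mo(cname, cname + "-flt", spec["rev_flt_ports"]))
    children.append({"mgmtMgmtP": {"attributes": {"name": "default"}, "children": [
        {"mgmtOoB": {"attributes": {"name": "default"}, "children": [
            {"mgmtRsOoBProv": {"attributes": {"tnVzOOBBrCPName": c}}} for c in CONTRACTS]}}]}})
    children.append({"mgmtExtMgmtEntity": {"attributes": {"name": "default"}, "children": [
        inst_profile_mo(n, subnet, cs) for n, (subnet, cs) in CONSUMERS.items()]}})
    return {"fvTenant": {"attributes": {"name": "mgmt"}, "children": children}}


def classify_flow(src, dst, proto, sport, dport):
    """Classify one packet under the generic contract model.

    'forward'   consumer subnet -> node, destination port in a consumed contract
    'reverse'   node -> consumer subnet, source port in a consumed contract and
                reverse filter ports enabled (the return leg)
    'unmatched' nothing in the generic model covers it; a node-initiated syslog
                or RADIUS request lands here, which is the question's concern
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for epg, (subnet, contracts) in CONSUMERS.items():
        net = ipaddress.ip_network(subnet)
        if src_ip in net and dst_ip in NODE_OOB:      # external host -> ACI node
            for c in contracts:
                if (proto, dport) in CONTRACTS[c]["entries"]:
                    return "forward", f"{epg} consumes {c}"
        if src_ip in NODE_OOB and dst_ip in net:      # ACI node -> external host
            for c in contracts:
                if CONTRACTS[c]["rev_flt_ports"] and (proto, sport) in CONTRACTS[c]["entries"]:
                    return "reverse", f"return leg of {c} toward {epg}"
    return "unmatched", "no consumer->provider or reverse rule applies"


if __name__ == "__main__":
    import json
    print(json.dumps(mgmt_tenant_payload(), indent=1))
    for flow in [("10.10.0.130", "10.10.1.1", "tcp", 51000, 22),   # jumpbox SSH to node
                 ("10.10.1.1", "10.10.0.130", "tcp", 22, 51000),   # node's SSH reply
                 ("10.10.0.5", "10.10.1.1", "udp", 51000, 161),    # SNMP poll of node
                 ("10.10.1.1", "10.10.0.5", "udp", 51000, 514)]:   # node-initiated syslog
        print(flow, "->", classify_flow(*flow))
```

Running it prints the POST body and then the four classifications: the SSH request and its reply and the SNMP poll resolve to forward/reverse, while the node-initiated syslog datagram comes back unmatched because its source port is ephemeral and the reverse rule keys on source port 514. That unmatched class is the precise gap the question raises; only a lab test (or the answers below) can say what the OOB enforcement does with it.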


6 Replies

SIMMN

Still waiting, and hoping someone provides a better understanding. Regards.

Since you're reversing filters, it's not really going to make a functional difference. You have the right idea including all the necessary protocols & ports. You could accomplish the same with a single contract rather than two separate ones if you wanted.

Another pro-tip is to always create a separate Contract for Management (don't use the default one), which I believe you are. If you ever lock yourself out, you can easily re-apply the original default (open) OOB Mgmt contract from console/KVM to restore access.

Robert

PS - don't forget to allow NTP & DNS and ICMP (if you wish)


@Robert Burns wrote:

> Since you're reversing filters, it's not really going to make a functional difference. You have the right idea including all the necessary protocols & ports. You could accomplish the same with a single contract rather than two separate ones if you wanted.

So if I understand you correctly, my Out-of-Band Contract#1 will only ALLOW RADIUS and SYSLOG outbound (deny other services, such as SSH/SCP) to external servers from the ACI nodes even though the direction where the contract is applied is the opposite of the flow? Or maybe there is no outbound traffic filter/contract capability for the ACI nodes on MGMT?

> Another pro-tip is to always create a separate Contract for Management (don't use the default one), which I believe you are. If you ever lock yourself out, you can easily re-apply the original default (open) OOB Mgmt contract from console/KVM to restore access.
>
> Robert


Good point, will keep in mind. Thanks!

Accepted Solution:

> So if I understand you correctly, my Out-of-Band Contract#1 will only ALLOW RADIUS and SYSLOG outbound (deny other services, such as SSH/SCP) to external servers from the ACI nodes even though the direction where the contract is applied is the opposite of the flow?

Correct.

Robert

Hmm... interesting. I guess the MGMT contract does apply differently from the regular contracts...

Hi m1xed0ds,

> So if I understand you correctly, my Out-of-Band Contract#1 will only ALLOW RADIUS and SYSLOG outbound (deny other services, such as SSH/SCP) to external servers from the ACI nodes even though the direction where the contract is applied is the opposite of the flow? Or maybe there is no outbound traffic filter/contract capability for the ACI nodes on MGMT?

I have exactly the same question as you had. So did you manage to clear this doubt?
My understanding is that there is no outbound traffic filter/contract capability for ACI nodes on MGMT. Will test it out when I have access to the lab.

Thanks

Eng Wee
