Bidirectional ACI Contracts

I think I need assistance understanding the nuance of bi-directional subjects.

We're doing a brownfield->greenfield migration.  My security team requires me to block TFTP for all EPG-to-everywhere, except for specifically authorized exceptions; thankfully they're ok with unrestricted communication within an EPG.  Testing TFTP is kinda hard, so I'm using SSH as a proxy during R&D.

I have host1 attached to EPG-Y. I want to allow off-fabric host 1.2.3.4 to SSH to host1 but not the other way around.

Starting with this:

[screenshot: weylinpiegorsch_4-1729788305325.png]

Under this structure, host1 cannot service SSH from anything, and cannot initiate SSH to anything. So that's cool.

I've tried adding Contract2 like this:

[screenshot: weylinpiegorsch_3-1729788264667.png]

However, under this mode SSH can be sent either direction (though is still blocked between everything else).  I've played around with the differences of bidirectional subject, and the differences of reversing the filters within a bidirection subject, for both Contract1 and Contract2, but I always end up with either
- nothing can SSH to host1 or
- host1 and off-fabric 1.2.3.4 can SSH to each other (at least it still blocks all other src/dest IPs)

Accepted Solution

Remi-Astruc
Cisco Employee

Hi @weylin.piegorsch ,

I think you just have to replace the Contract2 Filter with DestPort SSH.

Regards

Remi Astruc

🤦

I've been approaching this as "policy applied to EPG" like we do with Router Subinterface ACLs and VLAN Interface ACLs.

I think I had a "Light Dawns over Marblehead" moment, that this is a global policy of which the EPGs are a characteristic.  Let me test that out.

So, I tried that.  Unfortunately, I'm still able to initiate an SSH session whether from 1.2.3.4 or from host1.

If you'll permit me, would the CLI output help?  My only alterations to the below are to change the EPG names from my lab to the diagram above.

Both AP EPGs: on Leaf-203
Both Ext EPGs: on Leaf-205
All subjects on both contracts have "Apply Both Directions" set to False. 


clab-u15-lf203# contract_parser.py --vrf common:LabDefault_VRF
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[7:4111] [vrf:common:LabDefault_VRF] permit ip tcp tn-common/l3out-LabDefault_L3out/instP-ExtEPG-1(16391) tn-RAND_Tenant1_UnTrust/ap-ContractRandD_AP/epg-EPG-Y(10931) eq ssh [contract:uni/tn-common/brc-jump-01-rcs_PermitIPAll_Ct] [hit=?]
[9:4104] [vrf:common:LabDefault_VRF] permit any epg:any tn-RAND_Tenant1_UnTrust/bd-ContractRandD.ContractRandD_BD(16387) [contract:implicit] [hit=?]
[16:4115] [vrf:common:LabDefault_VRF] deny ip tcp epg:any epg:any eq ssh [contract:uni/tn-common/brc-vzAny-vzAny_DenySSHPermitAll_Ct] [hit=?]
[16:4099] [vrf:common:LabDefault_VRF] permit arp epg:any epg:any [contract:implicit] [hit=?]
[21:4113] [vrf:common:LabDefault_VRF] permit any epg:any epg:any [contract:uni/tn-common/brc-vzAny-vzAny_DenySSHPermitAll_Ct] [hit=?]
[21:4100] [vrf:common:LabDefault_VRF] deny,log any epg:any epg:any [contract:implicit] [hit=?]
[22:4109] [vrf:common:LabDefault_VRF] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=?]
clab-u15-lf203#
clab-u15-lf203# show zoning-rule scope 3080192
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir     | operSt  | Scope   | Name                                   | Action   | Priority             |
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
| 4099    | 0      | 0      | implarp  | uni-dir | enabled | 3080192 |                                        | permit   | any_any_filter(17)   |
| 4100    | 0      | 0      | implicit | uni-dir | enabled | 3080192 |                                        | deny,log | any_any_any(21)      |
| 4109    | 0      | 15     | implicit | uni-dir | enabled | 3080192 |                                        | deny,log | any_vrf_any_deny(22) |
| 4104    | 0      | 16387  | implicit | uni-dir | enabled | 3080192 |                                        | permit   | src_dst_any(9)       |
| 4113    | 0      | 0      | default  | uni-dir | enabled | 3080192 | common:vzAny-vzAny_DenySSHPermitAll_Ct | permit   | any_any_any(21)      |
| 4115    | 0      | 0      | 1        | uni-dir | enabled | 3080192 | common:vzAny-vzAny_DenySSHPermitAll_Ct | deny     | any_any_filter(17)   |
| 4111    | 16391  | 10931  | 1        | uni-dir | enabled | 3080192 | common:jump-01-rcs_PermitIPAll_Ct      | permit   | fully_qual(7)        |
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
clab-u15-lf203#
clab-u15-lf203# show zoning-filter filter 1
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc      | Prot | ApplyToFrag | Stateful | SFromPort   | SToPort     | DFromPort | DToPort | Prio  | Icmpv4T     | Icmpv6T     | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 1        | 1_0  | ip     | unspecified | tcp  | no          | no       | unspecified | unspecified | ssh       | ssh     | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
clab-u15-lf203#

clab-v15-lf205# contract_parser.py --vrf common:LabDefault_VRF
Key:
[prio:RuleId] [vrf:{str}] action protocol src-epg [src-l4] dst-epg [dst-l4] [flags][contract:{str}] [hit=count]

[16:4106] [vrf:common:LabDefault_VRF] deny ip tcp epg:any epg:any eq ssh [contract:uni/tn-common/brc-vzAny-vzAny_DenySSHPermitAll_Ct] [hit=?]
[16:4099] [vrf:common:LabDefault_VRF] permit arp epg:any epg:any [contract:implicit] [hit=?]
[21:4105] [vrf:common:LabDefault_VRF] permit any epg:any epg:any [contract:uni/tn-common/brc-vzAny-vzAny_DenySSHPermitAll_Ct] [hit=?]
[21:4098] [vrf:common:LabDefault_VRF] deny,log any epg:any epg:any [contract:implicit] [hit=?]
[22:4100] [vrf:common:LabDefault_VRF] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=?]
clab-v15-lf205#
clab-v15-lf205# show zoning-rule scope 3080192
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir     | operSt  | Scope   | Name                                   | Action   | Priority             |
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
| 4100    | 0      | 15     | implicit | uni-dir | enabled | 3080192 |                                        | deny,log | any_vrf_any_deny(22) |
| 4099    | 0      | 0      | implarp  | uni-dir | enabled | 3080192 |                                        | permit   | any_any_filter(17)   |
| 4098    | 0      | 0      | implicit | uni-dir | enabled | 3080192 |                                        | deny,log | any_any_any(21)      |
| 4105    | 0      | 0      | default  | uni-dir | enabled | 3080192 | common:vzAny-vzAny_DenySSHPermitAll_Ct | permit   | any_any_any(21)      |
| 4106    | 0      | 0      | 1        | uni-dir | enabled | 3080192 | common:vzAny-vzAny_DenySSHPermitAll_Ct | deny     | any_any_filter(17)   |
+---------+--------+--------+----------+---------+---------+---------+----------------------------------------+----------+----------------------+
clab-v15-lf205#
clab-v15-lf205# show zoning-filter filter 1
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc      | Prot | ApplyToFrag | Stateful | SFromPort   | SToPort     | DFromPort | DToPort | Prio  | Icmpv4T     | Icmpv6T     | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 1        | 1_0  | ip     | unspecified | tcp  | no          | no       | unspecified | unspecified | ssh       | ssh     | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
clab-v15-lf205#

Hmm.  I just realized something.  Host1 under EPG-Y is multi-homed.  I can confirm it was sending traffic via EPG-Y, but not with a Source-IP in a subnet known to ACI.  Why, then, was ACI allowing it through?

When I adjust the SSH setting to source it from EPG-Y's subnet ("the subnet configured on the BD to which EPG-Y is aligned"), the contracts work as expected.
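Added example (my own code, not from the thread or from Cisco): a small Python model of the SSH-relevant zoning rules from the Leaf-203 output above. It shows why a dport-only SSH filter in Contract2 with Apply Both Directions off permits SSH session initiation from 1.2.3.4 (ExtEPG-1, pcTag 16391) to host1 (EPG-Y, pcTag 10931) but not the reverse, while the replies of that session ride on the vzAny permit-all rule. Rule IDs, pcTags and priorities come from the output; the tie-break between contract rule 4113 and implicit deny 4100 is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

ANY = 0  # SrcEPG/DstEPG pcTag 0 in "show zoning-rule" means any EPG

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: int              # source pcTag
    dst: int              # destination pcTag
    dport: Optional[int]  # None: filter "default"/"implicit" (any port); 22: filter 1 (dport ssh)
    action: str
    prio: int             # lower number wins
    contract: str         # "implicit" for the system-generated rules

EXT_EPG_1, EPG_Y = 16391, 10931   # pcTags from the contract_parser output
SSH = 22

# The IP rules relevant to SSH on Leaf-203 (ARP/BD rules 4099, 4104, 4109 omitted).
LEAF203 = [
    Rule(4111, EXT_EPG_1, EPG_Y, SSH, "permit", 7, "jump-01-rcs_PermitIPAll_Ct"),
    Rule(4115, ANY, ANY, SSH, "deny", 17, "vzAny-vzAny_DenySSHPermitAll_Ct"),
    Rule(4113, ANY, ANY, None, "permit", 21, "vzAny-vzAny_DenySSHPermitAll_Ct"),
    Rule(4100, ANY, ANY, None, "deny,log", 21, "implicit"),
]

def matches(r: Rule, src: int, dst: int, dport: int) -> bool:
    return (r.src in (ANY, src) and r.dst in (ANY, dst)
            and (r.dport is None or r.dport == dport))

def lookup(rules, src: int, dst: int, dport: int) -> Rule:
    """Pick the winning rule: lowest priority number wins. On a tie a contract
    rule is ASSUMED to beat an implicit one; this matches the permit-all
    behaviour seen in the thread but is a modelling assumption, not a spec."""
    hits = [r for r in rules if matches(r, src, dst, dport)]
    return min(hits, key=lambda r: (r.prio, r.contract == "implicit"))

def ssh_initiation_allowed(rules, src: int, dst: int) -> bool:
    """Can a TCP SYN to port 22 travel src -> dst with a dport-only, uni-dir filter?"""
    return lookup(rules, src, dst, SSH).action == "permit"

if __name__ == "__main__":
    for src, dst, dport, label in [
        (EXT_EPG_1, EPG_Y, SSH, "1.2.3.4 -> host1, SYN to dport 22"),
        (EPG_Y, EXT_EPG_1, SSH, "host1 -> 1.2.3.4, SYN to dport 22"),
        (EPG_Y, EXT_EPG_1, 51515, "host1 -> 1.2.3.4, reply sport 22 dport ephemeral"),
    ]:
        r = lookup(LEAF203, src, dst, dport)
        print(f"{label}: rule {r.rule_id} {r.action} (prio {r.prio}, {r.contract})")
```

The reply packets (host1 -> 1.2.3.4 with sport 22) only get through because of the vzAny permit-all rule 4113; in a VRF without it they would need their own rule, which in ACI is what Apply Both Directions with Reverse Filter Ports generates (a sport-22 rule in the provider-to-consumer direction).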

Remi-Astruc
Cisco Employee

@weylin.piegorsch , to better understand your output and the pcTags, please show the screenshot of Tenant > Operational > VRFs, Tenant > Operational > EPGs, and Tenant > Operational > L3Outs

Remi Astruc

@Remi-Astruc Thank you for your help on this.  After a lot more poring through the whitepapers and lab experimentation, your first response turned out to be the solution.

The second issue relates to how ACI has no uRPF capability (at least, none that I can find).  That's outside the scope of this thread, I'll follow up separately on that with my SE.
