09-13-2022 09:14 AM
We have a few vzAny contracts in place; can I set up a quarantine EPG to bypass those vzAny contracts to have a purely isolated EPG? Thanks.
Leo
09-13-2022 10:30 AM - edited 09-14-2022 05:51 AM
Hey Leo,
While you can't bypass vzAny contracts, you can supersede them. If you have a specific EPG you don't want to have access to other EPGs in the VRF, what you can do is apply a discrete contract between the EPG (Consumer) and vzAny (Provider) using a filter with DENY action. Deny actions will always override Permit when applied at the same level.
Beyond this you could still grant access from that isolated EPG to other specific EPGs (if you wanted) by applying a contract between the two EPGs (using a regular permit filter). EPG contracts will have a higher precedence over vzAny-level contracts.
Take this example:
Goal: I want to exclude my Web_EPG from talking to any other EPG via vzAny, but I do still want Web_EPG to be able to talk to my App_EPG. All other EPGs should be able to freely communicate within the VRF.
Here's how ACI would process the contracts/filters:
From this result you can see the difference in filter priorities. Lowest priorities get processed first on a match. Per above my filters would process in this order:
1st: Web-to-App discrete contract, assigned between these two EPGs (7)
2nd: deny_vzAny, which is a deny filter between Web_EPG and vzAny (15 & 16 for both directions)
3rd: vzAny, which allows anything else not matched within the same VRF to communicate (21)
4th (Last): Implicit Deny for everything else not matched (22)
(Note there are a couple of additional default filters to allow for internal activities such as Implicit ARP that I didn't include in my explanation)
As soon as the first match is hit, that action is applied and the lookup stops.
Robert
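The design in the accepted answer, expressed as the APIC REST payload it takes to configure it, plus a small first-match lookup that mirrors the priority order listed above. This is an added example and not code from the thread or from Cisco; the tenant, VRF, application profile, filter and contract names other than Web_EPG, App_EPG and deny_vzAny are assumed, DB_EPG is an assumed third EPG that is covered only by vzAny, and the pcTag values and zoning rules in RULES are constructed to illustrate the precedence, not read from a switch.

```python
import json

# Assumed names: the thread only names Web_EPG, App_EPG and the deny_vzAny
# contract; tenant, VRF, application profile and the other contract names
# are placeholders for this example.
TENANT, VRF, APP_PROFILE = "Demo_TN", "Demo_VRF", "Demo_AP"


def ip_filter(name):
    """A vzFilter with a single entry matching all IP traffic."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": "any-ip", "etherT": "ip"}}}]}}


def contract(name, filter_name, action="permit"):
    """A vzBrCP with one subject. The permit/deny decision is an attribute
    of the subject-to-filter relation (vzRsSubjFiltAtt), not of the filter."""
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {
                "tnVzFilterName": filter_name, "action": action}}}]}}]}}


def vrf(name, any_provides=(), any_consumes=()):
    """fvCtx whose vzAny child provides/consumes the given contracts."""
    rels = [{"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": c}}} for c in any_provides]
    rels += [{"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": c}}} for c in any_consumes]
    return {"fvCtx": {"attributes": {"name": name}, "children": [
        {"vzAny": {"attributes": {}, "children": rels}}]}}


def epg(name, provides=(), consumes=()):
    """fvAEPg with its provided/consumed contract relations."""
    rels = [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    rels += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": rels}}


def build_tenant():
    """The accepted answer's design as one fvTenant payload:
    - vzAny provides and consumes permit_any, so every EPG in the VRF talks;
    - Web_EPG consumes deny_vzAny, which vzAny provides with a DENY filter
      action, so Web_EPG is cut off from the rest of the VRF;
    - a normal Web_to_App contract between the two EPGs, which wins because
      an EPG-to-EPG rule has a lower (better) zoning-rule priority."""
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        ip_filter("any-ip"),
        contract("permit_any", "any-ip"),
        contract("deny_vzAny", "any-ip", action="deny"),
        contract("Web_to_App", "any-ip"),
        vrf(VRF, any_provides=["permit_any", "deny_vzAny"], any_consumes=["permit_any"]),
        {"fvAp": {"attributes": {"name": APP_PROFILE}, "children": [
            epg("Web_EPG", consumes=["deny_vzAny", "Web_to_App"]),
            epg("App_EPG", provides=["Web_to_App"]),
            epg("DB_EPG"),  # assumed third EPG, reachable only through vzAny
        ]}}]}}


def deny_contracts(tenant):
    """Sanity check before posting: names of contracts whose subject applies
    a filter with action=deny. Walks the nested payload generically."""
    found = set()

    def walk(node, current):
        for cls, body in node.items():
            attrs, kids = body.get("attributes", {}), body.get("children", [])
            if cls == "vzBrCP":
                current = attrs["name"]
            if cls == "vzRsSubjFiltAtt" and attrs.get("action") == "deny":
                found.add(current)
            for kid in kids:
                walk(kid, current)

    walk(tenant, None)
    return found


# Constructed zoning rules mirroring the priority order in the answer
# (7, 15/16, 21, 22). pcTags are illustrative; ANY stands for the wildcard.
ANY, WEB, APP, DB = 0, 32770, 32771, 32772
RULES = [
    (7, WEB, APP, "permit"), (7, APP, WEB, "permit"),   # Web_to_App, both directions
    (15, WEB, ANY, "deny"), (16, ANY, WEB, "deny"),     # deny_vzAny, both directions
    (21, ANY, ANY, "permit"),                           # vzAny permit_any
    (22, ANY, ANY, "deny"),                             # implicit deny
]


def lookup(src, dst):
    """First match in ascending priority decides; the lookup then stops."""
    for _prio, s, d, action in sorted(RULES):
        if s in (src, ANY) and d in (dst, ANY):
            return action
    return "deny"


if __name__ == "__main__":
    payload = build_tenant()
    assert deny_contracts(payload) == {"deny_vzAny"}
    print(json.dumps(payload, indent=1)[:300], "...")
    for label, s, d in [("Web->App", WEB, APP), ("Web->DB", WEB, DB),
                        ("DB->Web", DB, WEB), ("App->DB", APP, DB)]:
        print(f"{label}: {lookup(s, d)}")
    # The payload is what you would POST to https://<apic>/api/mo/uni.json
    # with a valid APIC login cookie; nothing here contacts a fabric.
```

Two practical checks before posting this: the deny action on vzRsSubjFiltAtt only exists on APIC releases that support contract filter deny actions, so confirm that first, and after the push verify the result on a leaf where Web_EPG has endpoints (for example `show zoning-rule scope <vrf-segment>`) rather than trusting the GUI, since the priority column is what actually orders the lookup.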
09-13-2022 10:14 AM - edited 09-13-2022 10:14 AM
Hi @a12288
As far as I see, you have two config options, which basically are doing the same thing: provide the EPG with a taboo contract or a standard contract with deny IP filter. I would recommend the standard contract.
Take care,
Sergiu
09-22-2022 07:20 AM
Much appreciated! Robert.
We added contracts as you suggested and worked as expected.
Leo