592 Views, 1 Helpful, 6 Replies

IP Addresses and Subnets in Contracts

I feel like I'm missing something that should be obvious. I'm at a loss for identifying where to define a host or a subnet as a source or destination within the contract policy hierarchy.

If I have a contract, I can specify allowed/denied TCP and UDP port ranges between two EPGs. But I can't define subnets and IPs?

If I'm doing a brownfield migration, and I'm starting with endpoints within a VLAN/subnet that need different policies to replicate their existing ACL (there's no firewall in the particular set of cases I'm considering), do they need to be in different EPGs with different contracts?  That will NOT scale at all for what I need - I'll end up with hundreds or possibly thousands of EPGs, with something approaching a full mesh of several thousands of contracts, for just a handful of ACI subnets, compared to IOS's max of #ACL's = 2x #VLANs.

weylin

6 Replies

Ali Aghababaei
Level 1

@weylin.piegorsch 

In Cisco ACI, you cannot directly specify individual subnets or IPs within a contract. Contracts in ACI apply to the entire Endpoint Groups (EPGs) they are associated with. To achieve more granular control similar to traditional ACLs, you need to:

  1. Use Micro-Segmentation: Use micro-segmentation with Endpoint Security Groups (ESGs) or use attributes like IP addresses to create smaller EPGs.
  2. Use Application Profiles: Define specific EPGs for different sets of hosts or subnets requiring unique policies.
  3. Leverage Filters: Use filters within contracts to allow or deny specific types of traffic (TCP/UDP port ranges).
  4. To handle more granular policies without creating numerous EPGs, you can leverage Cisco ACI's Layer 4 to Layer 7 (L4-L7) service insertion. This approach allows you to use service devices, like firewalls or load balancers, to enforce more specific rules for traffic within the same EPG or between EPGs.
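As an added illustration of points 1 and 3 above (this is example code written for this thread, not Cisco's or the APIC's own tooling), the following Python builds the APIC REST payload for a micro-segmentation (uSeg) EPG whose membership is keyed on host IP attributes, plus a contract whose filter allows a TCP destination port range, which is the closest ACI analogue to an ACL entry. The tenant, bridge domain, application profile and IP addresses are constructed placeholders; the object class names (fvAEPg, fvCrtrn, fvIpAttr, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsProv, fvRsCons) are the standard APIC managed-object classes. The last helper quantifies the original poster's scaling concern: a full mesh of N EPGs needs N(N-1)/2 contracts.

```python
"""Build (and validate) an APIC JSON payload that approximates one ACL entry
with a uSeg EPG keyed on IP attributes and a contract with a TCP port filter.
Example code for this thread; names and IPs below are constructed placeholders.
The payload would be POSTed to https://<apic>/api/mo/uni.json after aaaLogin."""
import ipaddress
import json

TENANT = "Migration"        # assumed tenant name
AP = "BrownfieldAP"         # assumed application profile
BD = "Legacy-BD"            # assumed bridge domain the hosts already live in


def ip_attributes(ips):
    """fvIpAttr children for a uSeg criterion; rejects malformed IPs/prefixes."""
    attrs = []
    for i, ip in enumerate(ips):
        ipaddress.ip_network(ip, strict=False)   # raises ValueError on garbage
        attrs.append({"fvIpAttr": {"attributes": {"name": f"ip{i}", "ip": ip}}})
    return attrs


def useg_epg(name, ips, provided=(), consumed=()):
    """Attribute-based EPG: endpoints matching any listed IP/prefix join it."""
    children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
        {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                     "children": ip_attributes(ips)}},
    ]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed]
    return {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes"},
                       "children": children}}


def tcp_filter(name, dst_from, dst_to):
    """One filter entry permitting TCP to a destination port range (ACL-style)."""
    if not (1 <= dst_from <= dst_to <= 65535):
        raise ValueError(f"bad port range {dst_from}-{dst_to}")
    entry = {"name": f"tcp-{dst_from}-{dst_to}", "etherT": "ip", "prot": "tcp",
             "dFromPort": str(dst_from), "dToPort": str(dst_to), "stateful": "yes"}
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def contract(name, filter_names):
    """Contract with a single subject referencing the given filters."""
    refs = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"},
                       "children": [{"vzSubj": {"attributes": {"name": "subj"},
                                                "children": refs}}]}}


def tenant_payload(epgs, filters, contracts):
    """Wrap everything under the tenant so it can be posted in one request."""
    ap = {"fvAp": {"attributes": {"name": AP}, "children": list(epgs)}}
    return {"fvTenant": {"attributes": {"name": TENANT},
                         "children": list(filters) + list(contracts) + [ap]}}


def full_mesh_contracts(n_epgs):
    """Contracts needed if every EPG pair gets its own contract (the OP's worry)."""
    return n_epgs * (n_epgs - 1) // 2


def build_example():
    """Two host IPs (constructed) may reach the web servers on TCP 443 only."""
    flt = tcp_filter("allow-https", 443, 443)
    ctr = contract("clients-to-web", ["allow-https"])
    web = useg_epg("web-servers", ["10.10.20.0/24"], provided=["clients-to-web"])
    clients = useg_epg("mgmt-hosts", ["10.10.10.5", "10.10.10.6"],
                       consumed=["clients-to-web"])
    return tenant_payload([web, clients], [flt], [ctr])


if __name__ == "__main__":
    print(json.dumps(build_example(), indent=2))
    print("full mesh of 200 EPGs needs", full_mesh_contracts(200), "contracts")
```

The uSeg EPG still needs its bridge domain and, on a physical domain, the IP-based classification enabled on the leaf, which is outside this snippet; the point is that the source and destination hosts are expressed as EPG membership criteria while the contract itself stays host-agnostic, exactly the split the answer above describes.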