
"IP access group ingress" how to reproduce in ACI?

Mario Rosi
Level 1
I have a question about porting of a feature on ACI world.

Let’s suppose that I’ve a traffic coming into the fabric and based on source/destination ip address I’ve to let in traffic or drop it.
In the legacy data center, on the edge router this is done by using “ip access group …” applied in ingress.

In ACI I could use contract between external EPG of L3OUT and the internal EPG where the destination ip subnet of BD is related with, but I couldn't match the source ip address of packets against a pre-defined ip address subnet.

How could I implement basically the same "ip access group" in ACI? This is the question.

Thanks
Mario
5 Replies

M02@rt37
VIP

Hello @Mario Rosi,

You could achieve similar access control functionality to what you would typically do with "ip access group" on a traditional edge router by using a combination of Contracts and Filter in ACI.

First, create a 'Filter' where you specify the matching criteria for your traffic. In your case, you want to match traffic based on source/destination IP addresses. So, create a filter that matches your conditions.

Then, create a 'Contract' which defines the allowed communication between two EPGs. In your case, you can use a contract to allow or deny traffic based on your Filter.

Finally, apply the contract to the appropriate EPGs.

Repeat this for both the EPG where you want to control the source and destination traffic.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Howcontractswork

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hello M02@rt37 

"First, create a 'Filter' where you specify the matching criteria for your traffic. In your case, you want to match traffic based on source/destination IP addresses. So, create a filter that matches your conditions."

may you show me how I could choose the ip address subnets? In the filter actually you cannot edit subnet but work only on type, protocol, port…

or I’m missing something?

@Mario Rosi 

Arf, damn it!

You could create two EPG, one for the source IP address subnet and one for the destination IP address subnet. These EPGs should correspond to the BD and the desired subnets you want to filter. Then, create a Contract and define subjects within it. You can create two subjects, one for allowing traffic and one for denying traffic based on IP addresses. Apply the Contract to the appropriate EPGs.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 you lost a detail in my initial request:

"In ACI I could use contract between external EPG of L3OUT and the internal EPG where the destination ip subnet of BD is related with, but I couldn’t march the source ip address of packets against a pre-defined ip address subnet."

Now, I'm wondering how you could apply what you wrote when one of the EPGs is not the internal EPG but an external EPG where the traffic coming into is from external world, so, not associated to a BD with its own subnet. Otherwise, it was easy, isn't it?

@Mario Rosi

Thanks for that clarification.

When one of the EPGs is an external EPG, and the traffic is coming in from the external world, it becomes a bit more complex because, as you mentioned, there's no associated Bridge Domain with its own subnet for the external EPG. In this case, controlling ingress traffic based on the source IP address from the external world using ACI requires a different approach. Use a combination of contracts, filters, and the external EPG.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
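The last reply leaves implicit where the source-prefix match actually lives: ACI classifies an inbound L3Out packet into an external EPG by longest-prefix match against that EPG's "External Subnets for the External EPG" entries, and only afterwards evaluates the contract filter, which matches protocol and ports, never addresses. As an added example that is not from this thread, the script below builds the APIC JSON for that design and simulates the classification; the tenant, EPG, contract names and the prefixes are constructed placeholders, while the object classes (l3extInstP, l3extSubnet, vzFilter, vzBrCP, fvRsCons, fvRsProv) are the standard APIC model.

```python
import ipaddress
# Constructed placeholder names and prefixes; nothing here is taken from the thread.
TENANT, L3OUT, APP, INT_EPG = "Tn_demo", "L3Out_wan", "AP_demo", "EPG_web"
FILTER, CONTRACT = "flt_https", "ctr_wan_to_web"

def l3ext_subnet(prefix):
    # scope=import-security is "External Subnets for the External EPG": it classifies inbound packets by source prefix.
    return {"l3extSubnet": {"attributes": {"ip": prefix, "scope": "import-security"}}}

def ext_epg(name, prefixes, consumes):
    children = [l3ext_subnet(p) for p in prefixes] + [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"l3extInstP": {"attributes": {"name": name}, "children": children}}

def build_tenant(permitted_prefixes, blocked_prefixes, dst_port):
    """APIC JSON for 'permit tcp <permitted> any eq <port>' applied ingress: permitted
    sources land in an external EPG that consumes the contract, blocked sources in a
    second external EPG with no contract, so the fabric's implicit deny drops them."""
    filt = {"vzFilter": {"attributes": {"name": FILTER}, "children": [{"vzEntry": {
        "attributes": {"name": "tcp_dst", "etherT": "ip", "prot": "tcp",
                       "dFromPort": str(dst_port), "dToPort": str(dst_port)}}}]}}
    contract = {"vzBrCP": {"attributes": {"name": CONTRACT, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": FILTER}}}]}}]}}
    app = {"fvAp": {"attributes": {"name": APP}, "children": [{"fvAEPg": {
        "attributes": {"name": INT_EPG},
        "children": [{"fvRsProv": {"attributes": {"tnVzBrCPName": CONTRACT}}}]}}]}}
    l3out = {"l3extOut": {"attributes": {"name": L3OUT}, "children": [
        ext_epg("extEPG_permitted", permitted_prefixes, [CONTRACT]),
        ext_epg("extEPG_blocked", blocked_prefixes, [])]}}
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [filt, contract, app, l3out]}}

def classify(tenant, src_ip):
    """External EPG object that claims src_ip (None if no subnet matches): the longest
    matching import-security prefix wins, which is how the fabric classifies L3Out traffic."""
    addr, best, best_len = ipaddress.ip_address(src_ip), None, -1
    for child in tenant["fvTenant"]["children"]:
        for epg in child.get("l3extOut", {}).get("children", []):
            for sub in epg["l3extInstP"]["children"]:
                net = ipaddress.ip_network(sub["l3extSubnet"]["attributes"]["ip"]) if "l3extSubnet" in sub else None
                if net and addr in net and net.prefixlen > best_len:
                    best, best_len = epg["l3extInstP"], net.prefixlen
    return best

def ingress_permitted(tenant, src_ip):
    # True only when the classifying external EPG consumes a contract; the L4 filter is checked after this step.
    epg = classify(tenant, src_ip)
    return epg is not None and any("fvRsCons" in c for c in epg["children"])
```

Overlapping prefixes across the two external EPGs are what make the "deny" work: the /0 catches everything the more specific permitted prefix does not claim, and an external EPG without a contract gets no rule in the fabric.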
