10-19-2023 11:23 PM
10-20-2023 01:03 AM
Hello @Mario Rosi,
You could achieve similar access control functionality to what you would typically do with "ip access group" on a traditional edge router by using a combination of Contracts and Filter in ACI.
First, create a 'Filter' where you specify the matching criteria for your traffic. In your case, you want to match traffic based on source/destination IP addresses. So, create a filter that matches your conditions.
Then, create a 'Contract' which defines the allowed communication between two EPGs. In your case, you can use a contract to allow or deny traffic based on your Filter.
Finally, apply the contract to the appropriate EPGs.
Repeat this for both EPGs where you want to control the source and destination traffic.
10-20-2023 01:53 AM
Hello M02@rt37,
"First, create a 'Filter' where you specify the matching criteria for your traffic. In your case, you want to match traffic based on source/destination IP addresses. So, create a filter that matches your conditions."
Could you show me how I could choose the IP address subnets? In the filter, actually, you cannot edit subnets; you can only work on type, protocol, port…
or I’m missing something?
10-20-2023 02:44 AM
Arf, damn it!
You could create two EPGs, one for the source IP address subnet and one for the destination IP address subnet. These EPGs should correspond to the BD and the desired subnets you want to filter. Then, create a Contract and define subjects within it. You can create two subjects, one for allowing traffic and one for denying traffic based on IP addresses. Apply the Contract to the appropriate EPGs.
10-20-2023 02:54 AM
M02@rt37, you lost a detail in my initial request:
"In ACI I could use a contract between the external EPG of the L3OUT and the internal EPG that the destination IP subnet of the BD is related with, but I couldn't match the source IP address of packets against a pre-defined IP address subnet."
Now, I'm wondering how you could apply what you wrote when one of the EPGs is not an internal EPG but an external EPG where the incoming traffic is from the external world, so it is not associated with a BD with its own subnet. Otherwise, it was easy, isn't it?
10-20-2023 03:00 AM
Thanks for that clarification.
When one of the EPGs is an external EPG, and the traffic is coming in from the external world, it becomes a bit more complex because, as you mentioned, there's no associated Bridge Domain with its own subnet for the external EPG. In this case, controlling ingress traffic based on the source IP address from the external world using ACI requires a different approach. Use a combination of contracts, filters, and the external EPG.
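An added example (not from any poster in this thread) of what that approach looks like as an APIC REST object tree under a tenant: the source-subnet match lives on the external EPG's subnet with import-security scope, not in the filter, which only carries EtherType/protocol/port. Tenant, L3Out, application profile, EPG and BD names and the 203.0.113.0/24 prefix are constructed for illustration.

```xml
<fvTenant name="EXAMPLE_TENANT">
  <!-- Filter: matches only on L3/L4 fields; there is no IP-address field here -->
  <vzFilter name="allow-https">
    <vzEntry name="https" etherT="ip" prot="tcp" dFromPort="443" dToPort="443"/>
  </vzFilter>

  <!-- Contract: one subject referencing the filter above -->
  <vzBrCP name="ext-to-web" scope="tenant">
    <vzSubj name="https">
      <vzRsSubjFiltAtt tnVzFilterName="allow-https"/>
    </vzSubj>
  </vzBrCP>

  <!-- External EPG: this is where the source subnet is classified.
       Only packets whose source falls in 203.0.113.0/24 (constructed
       sample prefix) are placed in PARTNER_NET and hit the contract;
       external sources matching no external EPG subnet have no EPG
       and are dropped by the fabric's default deny. -->
  <l3extOut name="EXAMPLE_L3OUT">
    <l3extInstP name="PARTNER_NET">
      <l3extSubnet ip="203.0.113.0/24" scope="import-security"/>
      <fvRsCons tnVzBrCPName="ext-to-web"/>
    </l3extInstP>
  </l3extOut>

  <!-- Internal EPG tied to the BD that owns the destination subnet -->
  <fvAp name="EXAMPLE_AP">
    <fvAEPg name="WEB">
      <fvRsBd tnFvBDName="WEB_BD"/>
      <fvRsProv tnVzBrCPName="ext-to-web"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
```

Check any other external EPG on the same L3Out for a broader subnet such as 0.0.0.0/0 with import-security: external classification is by longest prefix match, so a catch-all external EPG that also consumes the contract would let sources outside the intended subnet through.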