Solved: Re: The packet flow is not the same for different ports - Page 2

meidanmeshulam · ‎06-12-2022

Hi all,

I got the next scenario:
Two VMs, each VM is under its own EPG and I got a standard contract between the EPGs.

I noticed that the "stateful" check box in the filter is behaving a little strangely, for example:
If the destination port is set to TCP 80(HTTP), the provider can't initiate a session with the consumer, no matter if the "stateful" checkbox is checked or not, the "stateful" checkbox has no effect at all.

Now, if I'll change the destination port to TCP 22(SSH), the "stateful" button will affect the packet flow, and now if I'll leave it unchecked, both the consumer and the provider can initiate the session.

Can anyone please help me understand this behavior?

Thanks a lot!

Sergiu.Daniluk · ‎06-15-2022

Uuu.. good catch!

meidanmeshulam · ‎06-16-2022

@Robert Burns Thanks for your help with this matter and for your explanations!

I am looking at Leaf 1 and the filter DToPort remains unspecified:

sb-lab-apic-1# fabric 101 show zoning-rule
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
----------------------------------------------------------------
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+
| 4096 | 0 | 0 | implicit | uni-dir | enabled | 16777200 | | deny,log | any_any_any(21) |
| 4097 | 0 | 0 | implarp | uni-dir | enabled | 16777200 | | permit | any_any_filter(17) |
| 4098 | 0 | 0 | implicit | uni-dir | enabled | 2818048 | | deny,log | any_any_any(21) |
| 4099 | 0 | 0 | implarp | uni-dir | enabled | 2818048 | | permit | any_any_filter(17) |
| 4100 | 0 | 15 | implicit | uni-dir | enabled | 2818048 | | deny,log | any_vrf_any_deny(22) |
| 4102 | 0 | 0 | implicit | uni-dir | enabled | 2949120 | | deny,log | any_any_any(21) |
| 4120 | 0 | 0 | implarp | uni-dir | enabled | 2949120 | | permit | any_any_filter(17) |
| 4118 | 0 | 15 | implicit | uni-dir | enabled | 2949120 | | deny,log | any_vrf_any_deny(22) |
| 4111 | 0 | 49160 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4104 | 0 | 49162 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4101 | 0 | 49164 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4126 | 0 | 49168 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4119 | 16388 | 49171 | 14 | uni-dir-ignore | enabled | 2949120 | Tenant_Skybox1:web-contract | permit | fully_qual(7) |
| 4107 | 49171 | 16388 | 13 | bi-dir | enabled | 2949120 | Tenant_Skybox1:web-contract | permit | fully_qual(7) |
| 4105 | 16387 | 16386 | 64 | uni-dir-ignore | enabled | 2949120 | Tenant_Skybox1:ssh-contract | permit | fully_qual(7) |
| 4108 | 16386 | 16387 | 63 | bi-dir | enabled | 2949120 | Tenant_Skybox1:ssh-contract | permit | fully_qual(7) |
| 4112 | 0 | 0 | implicit | uni-dir | enabled | 2523139 | | deny,log | any_any_any(21) |
| 4115 | 0 | 0 | implarp | uni-dir | enabled | 2523139 | | permit | any_any_filter(17) |
| 4117 | 0 | 15 | implicit | uni-dir | enabled | 2523139 | | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+

sb-lab-apic-1# fabric 101 show zoning-filter filter 64
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)

Robert Burns · ‎06-15-2022

As Red pointed out, something is off here. The stateful flag has nothing to do with a provider or consumer being able to initiate communication. This is where the Providing or Consuming of a contract comes into play.

If you have a contract between two EPGs where you want BOTH EPGs to be able to reach each other via Web for example, then simply slapping a bi-directional contract with Reverse Ports and a single filter for dst tcp 80, will not achieve this. Same behavior would apply to SSH (or any protocol using ephemeral ports for that sake).
Let's look at an example:

WebServer2 Providing http contract to WebServer1
Apply in both dir: True
Reverse Ports: True
Filter: IP, TCP, Src any any, Dst 80-80

What these filters have programmed is:

WebServer1 can source from ANY (unspecified) port to a destination port of http (80)
WebServer2 can source from http (80) to destination port of ANY (unspecified)

Result:
WebServer1 can access WebServer2 via http
WebServer2 can not access http on WebServer1.
Why? WebServer2 will use an ephemeral source port (not TCP 80 as the filter restricts) to try and reach WebServer1 on ANY (unspecified) port. We can quickly confirm this via a packet capture.
WebServer1 = 192.168.150.1
WebServer2 = 192.168.150.2

So how do you change this so each EPG can access each other via HTTP or SSH? You have two options. You can have both EPG provide & consume the same contract, or you can add a second filter entry to your existing contract that has the ports reversed (unspecified <> http).

I'd be surprised to see that stateful flag having any impact alone on your observed behavior.

Robert