06-12-2022 07:16 AM
Hi all,
I have the following scenario:
Two VMs, each under its own EPG, with a standard contract between the EPGs.
I noticed that the "stateful" check box in the filter is behaving a little strangely, for example:
If the destination port is set to TCP 80 (HTTP), the provider can't initiate a session with the consumer regardless of whether the "stateful" checkbox is checked or not; the "stateful" checkbox has no effect at all.
Now, if I change the destination port to TCP 22 (SSH), the "stateful" checkbox does affect the packet flow: if I leave it unchecked, both the consumer and the provider can initiate the session.
Can anyone please help me understand this behavior?
Thanks a lot!
06-15-2022 11:58 AM
Uuu.. good catch!
06-16-2022 01:11 AM
@Robert Burns Thanks for your help with this matter and for your explanations!
I am looking at Leaf 1 and the filter DToPort remains unspecified:
sb-lab-apic-1# fabric 101 show zoning-rule
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
----------------------------------------------------------------
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+
| 4096 | 0 | 0 | implicit | uni-dir | enabled | 16777200 | | deny,log | any_any_any(21) |
| 4097 | 0 | 0 | implarp | uni-dir | enabled | 16777200 | | permit | any_any_filter(17) |
| 4098 | 0 | 0 | implicit | uni-dir | enabled | 2818048 | | deny,log | any_any_any(21) |
| 4099 | 0 | 0 | implarp | uni-dir | enabled | 2818048 | | permit | any_any_filter(17) |
| 4100 | 0 | 15 | implicit | uni-dir | enabled | 2818048 | | deny,log | any_vrf_any_deny(22) |
| 4102 | 0 | 0 | implicit | uni-dir | enabled | 2949120 | | deny,log | any_any_any(21) |
| 4120 | 0 | 0 | implarp | uni-dir | enabled | 2949120 | | permit | any_any_filter(17) |
| 4118 | 0 | 15 | implicit | uni-dir | enabled | 2949120 | | deny,log | any_vrf_any_deny(22) |
| 4111 | 0 | 49160 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4104 | 0 | 49162 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4101 | 0 | 49164 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4126 | 0 | 49168 | implicit | uni-dir | enabled | 2949120 | | permit | any_dest_any(16) |
| 4119 | 16388 | 49171 | 14 | uni-dir-ignore | enabled | 2949120 | Tenant_Skybox1:web-contract | permit | fully_qual(7) |
| 4107 | 49171 | 16388 | 13 | bi-dir | enabled | 2949120 | Tenant_Skybox1:web-contract | permit | fully_qual(7) |
| 4105 | 16387 | 16386 | 64 | uni-dir-ignore | enabled | 2949120 | Tenant_Skybox1:ssh-contract | permit | fully_qual(7) |
| 4108 | 16386 | 16387 | 63 | bi-dir | enabled | 2949120 | Tenant_Skybox1:ssh-contract | permit | fully_qual(7) |
| 4112 | 0 | 0 | implicit | uni-dir | enabled | 2523139 | | deny,log | any_any_any(21) |
| 4115 | 0 | 0 | implarp | uni-dir | enabled | 2523139 | | permit | any_any_filter(17) |
| 4117 | 0 | 15 | implicit | uni-dir | enabled | 2523139 | | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+----------------+---------+----------+-----------------------------+----------+----------------------+
sb-lab-apic-1# fabric 101 show zoning-filter filter 14
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
----------------------------------------------------------------
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 14 | 14_0 | ip | unspecified | tcp | no | no | http | http | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
sb-lab-apic-1# fabric 101 show zoning-filter filter 13
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
----------------------------------------------------------------
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 13 | 13_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | http | http | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
sb-lab-apic-1#
sb-lab-apic-1#
sb-lab-apic-1# fabric 101 show zoning-filter filter 63
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
----------------------------------------------------------------
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
| 63 | 63_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | unspecified | unspecified | proto | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-------------+-------------+-------+-------------+-------------+----------+
sb-lab-apic-1# fabric 101 show zoning-filter filter 64
----------------------------------------------------------------
Node 101 (sb-lab-leaf-1)
06-15-2022 12:30 PM - edited 06-15-2022 12:35 PM
As Red pointed out, something is off here. The stateful flag has nothing to do with a provider or consumer being able to initiate communication. This is where the Providing or Consuming of a contract comes into play.
If you have a contract between two EPGs where you want BOTH EPGs to be able to reach each other via Web, for example, then simply slapping a bi-directional contract with Reverse Ports and a single filter for dst tcp 80 will not achieve this. The same behavior would apply to SSH (or any protocol using ephemeral ports, for that matter).
Let's look at an example:
WebServer2 Providing http contract to WebServer1
Apply in both dir: True
Reverse Ports: True
Filter: IP, TCP, Src any any, Dst 80-80
WebServer1_EPG SrcEPG = 16397
WebServer2_EPG SrcEPG = 16398
leaf2# show zoning-rule
+---------+--------+--------+----------+----------------+---------+----------+----------------------------+-----------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+----------+----------------------------+-----------------+----------------------+
| 4169 | 16397 | 16398 | 27 | bi-dir | enabled | 3047424 | Rob:Stateful_web | permit | fully_qual(7) |
| 4114 | 16398 | 16397 | 39 | uni-dir-ignore | enabled | 3047424 | Rob:Stateful_web | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+----------+----------------------------+-----------------+----------------------+
leaf2# show zoning-filter filter 27
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 27 | 27_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | http | http | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
leaf2# show zoning-filter filter 39
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 39 | 39_0 | ip | unspecified | tcp | no | no | http | http | unspecified | unspecified | sport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
leaf2#
What these filters have programmed is:
Result:
WebServer1 can access WebServer2 via http
WebServer2 can not access http on WebServer1.
Why? WebServer2 will use an ephemeral source port (not TCP 80 as the filter restricts) to try and reach WebServer1 on ANY (unspecified) port. We can quickly confirm this via a packet capture.
WebServer1 = 192.168.150.1
WebServer2 = 192.168.150.2
So how do you change this so each EPG can access each other via HTTP or SSH? You have two options. You can have both EPG provide & consume the same contract, or you can add a second filter entry to your existing contract that has the ports reversed (unspecified <> http).
I'd be surprised to see that stateful flag having any impact alone on your observed behavior.
Robert
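The behaviour the original question describes and Robert's explanation can be checked against a small model of the leaf's rule lookup. The block below is an added example, not code from the thread or from Cisco: it rebuilds the two zoning-rules and the two filter rows from Robert's output (EPGs 16397 and 16398, dst 80 with Reverse Ports) as Python data, evaluates the three flows he discusses, and then shows what each of his two fixes programs. It is deliberately simplified: first-match over the rule list, TCP ports only, no stateful or TCP-flag handling, implicit deny at the end. The ephemeral source port is an assumed value.

```python
"""Constructed model of ACI zoning-rule / zoning-filter evaluation for TCP.

Not Cisco code. Reproduces the rows shown in the thread: consumer->provider
with "dport http", provider->consumer with "sport http" (Reverse Ports).
Simplifications: first match wins, ports/protocol only, no stateful handling.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # rendered as "unspecified" by `show zoning-filter`
PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Entry:
    """One row of `show zoning-filter`: SFromPort-SToPort / DFromPort-DToPort."""
    sport: PortRange
    dport: PortRange
    prot: str = "tcp"

    def matches(self, prot: str, sport: int, dport: int) -> bool:
        def in_range(r: PortRange, p: int) -> bool:
            return r is None or r[0] <= p <= r[1]
        return prot == self.prot and in_range(self.sport, sport) and in_range(self.dport, dport)


@dataclass(frozen=True)
class Rule:
    """One row of `show zoning-rule` with its filter entries attached."""
    src_epg: int
    dst_epg: int
    entries: Tuple[Entry, ...]
    action: str = "permit"


def reverse_ports(e: Entry) -> Entry:
    """What 'Reverse Ports' does: swap the source and destination port ranges."""
    return Entry(sport=e.dport, dport=e.sport, prot=e.prot)


def program_contract(consumer: int, provider: int, entries: List[Entry],
                     apply_both_directions: bool = True,
                     reverse: bool = True) -> List[Rule]:
    """Rules programmed for one contract: consumer->provider with the filter
    as written, plus provider->consumer with ports swapped when 'Apply in
    both directions' and 'Reverse Ports' are set."""
    fwd = Rule(consumer, provider, tuple(entries))
    if not apply_both_directions:
        return [fwd]
    back = tuple(reverse_ports(e) for e in entries) if reverse else tuple(entries)
    return [fwd, Rule(provider, consumer, back)]


def lookup(rules: List[Rule], src_epg: int, dst_epg: int,
           prot: str, sport: int, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in rules:
        if (r.src_epg, r.dst_epg) == (src_epg, dst_epg) and \
           any(e.matches(prot, sport, dport) for e in r.entries):
            return r.action
    return "deny"


WEB1, WEB2 = 16397, 16398   # WebServer1_EPG consumes, WebServer2_EPG provides
HTTP = Entry(sport=ANY, dport=(80, 80))
EPHEMERAL = 51234           # assumed client source port


def evaluate(rules: List[Rule]) -> dict:
    """The three flows discussed in the thread."""
    return {
        "web1_to_web2_http": lookup(rules, WEB1, WEB2, "tcp", EPHEMERAL, 80),
        "web2_reply_to_web1": lookup(rules, WEB2, WEB1, "tcp", 80, EPHEMERAL),
        "web2_to_web1_http": lookup(rules, WEB2, WEB1, "tcp", EPHEMERAL, 80),
    }


def single_filter() -> dict:
    """Robert's example: one dst-80 entry, both directions, Reverse Ports."""
    return evaluate(program_contract(WEB1, WEB2, [HTTP]))


def fix_reversed_entry() -> dict:
    """Option 1: add a second entry with the ports reversed (src 80, dst any)."""
    return evaluate(program_contract(WEB1, WEB2, [HTTP, reverse_ports(HTTP)]))


def fix_provide_and_consume() -> dict:
    """Option 2: each EPG both provides and consumes the same contract."""
    rules = program_contract(WEB1, WEB2, [HTTP]) + program_contract(WEB2, WEB1, [HTTP])
    return evaluate(rules)


if __name__ == "__main__":
    for name, fn in [("single filter", single_filter),
                     ("reversed entry", fix_reversed_entry),
                     ("provide+consume", fix_provide_and_consume)]:
        print(f"{name:16}: {fn()}")
```

With the single filter, the provider's connection attempt (ephemeral source port, destination 80) only has the "sport http / dport unspecified" row to match against and falls through to the implicit deny; either fix adds a rule in which destination 80 is matched from the provider's side. Note what both fixes also keep: a row of the form "sport http, dport unspecified" permits any packet whose source port is 80 toward any port on the peer, in both directions, which is the usual limitation of a port-based stateless permit and is visible in the filter rows above.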