ACI Contract showing as uni-dir-ignore

sandevsingh · ‎05-07-2019

Hi experts, We have noticed some issues in our ACI contracts. All contracts are at the default setting, which is apply both directions and reverse filter ports. So the src-egg (provider) is providing icmp and ssh and the destination-epg (consumer) is consuming it. The contract being both directions under the GUI, this should work! BUT its not working.

On checking the show zoning-rule command in the leaf SW between the src-epg and dst-epg, the contract`s direction is "uni-dir-ignore" instead of "bi-dir". I am wondering where did this come from?? Please advise?

We are running ver 4.0.

joezersk · ‎11-29-2019

Hello. Under normal contract deployment, when you have the "Apply Both Directions" and "Reverse Filter Ports" boxes ticked in the Contract Subject, you should see two entries when you use the 'show zoning-rule' command from a leaf where that contract exists. One should be marked as 'bi-dir' and one marked as 'uni-dir-ignore'. If you don't see those, it likely means that your contract was not correctly programmed into the TCAM. You might try removing the contract from the EPGs and re-adding, making sure you have properly chosen the consumer and provider EPGs.

Think of the 'uni-dir-ignore' entry as a short cut to tell ACI that you simply want return traffic to be allowed. If you don't tick "Reverse Filter Ports" you would need to manually make a 2nd entry in the filter to allow the return traffic, which is more work.

To give an example that is working, see my contract called TEST-C.