
ACI convert access-list to contract

Hi All,

I want to migrate the access list from the old environment to ACI. Below is a sample of the access list:

 

1 permit tcp 192.168.50.77 0.0.0.0 172.16.30.21 0.0.0.0 eq 37
2 permit tcp 192.168.50.77 0.0.0.0 172.16.30.22 0.0.0.0 eq 37
3 permit tcp 192.168.50.77 0.0.0.0 172.16.30.21 0.0.0.0 eq 73
4 permit tcp 192.168.50.77 0.0.0.0 172.16.30.22 0.0.0.0 eq 73
5 permit tcp 192.168.50.78 0.0.0.0 172.16.30.21 0.0.0.0 eq 37
6 permit tcp 192.168.50.78 0.0.0.0 172.16.30.22 0.0.0.0 eq 37
7 permit tcp 192.168.50.78 0.0.0.0 172.16.30.21 0.0.0.0 eq 73
8 permit tcp 192.168.50.78 0.0.0.0 172.16.30.22 0.0.0.0 eq 73

 

Thanks

3 REPLIES

Steven,

ACI doesn't filter between IP addresses, but between EPGs.  So this is what you need to do (I've assumed /24 subnets and default gateway addresses of x.x.x.1):

  1. Create a Bridge Domain - let's call it 192.168.50.0-BD
    • Add an IP address to the BD - make it the default gateway for the 192.168.50.0/24 network, presumably 192.168.50.1/24
  2. Create another Bridge Domain - let's call it 172.16.30.0-BD
    • Add an IP address to the BD - make it the default gateway for the 172.16.30.0/24 network, presumably 172.16.30.1/24
  3. Create an EPG - let's call it 192.168.50-EPG
    • and put hosts 192.168.50.77 and 192.168.50.78 in that EPG
  4. Create another EPG - let's call it 172.16.30-EPG
    • and put hosts 172.16.30.21 and 172.16.30.22 in that EPG
  5. Create a filter for TCP Port 37
  6. Create a filter for TCP Port 73
  7. Create a contract
    • Add a subject to the contract
    • Add the two filters to the subject
  8. Apply the contract between the two EPGs, presumably with 172.16.30-EPG providing the contract and 192.168.50-EPG consuming the contract.

Try searching for Cisco ACI Configuration Tutorial for more detailed steps.

 

I hope this helps 


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar
aka Chris Welsh
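
The steps above as an added sketch (not part of the original reply, and not Cisco-provided code): it parses the ACL from the question, checks that the entries form a complete source x destination x port set so that one EPG-to-EPG contract permits nothing the ACL did not, and builds the filter and contract objects from steps 5 to 7 in APIC's JSON object model. The tenant and contract names are hypothetical.

```python
import json
import re
from itertools import product

# The eight ACL entries from the question, embedded so the example runs offline.
ACL = """\
1 permit tcp 192.168.50.77 0.0.0.0 172.16.30.21 0.0.0.0 eq 37
2 permit tcp 192.168.50.77 0.0.0.0 172.16.30.22 0.0.0.0 eq 37
3 permit tcp 192.168.50.77 0.0.0.0 172.16.30.21 0.0.0.0 eq 73
4 permit tcp 192.168.50.77 0.0.0.0 172.16.30.22 0.0.0.0 eq 73
5 permit tcp 192.168.50.78 0.0.0.0 172.16.30.21 0.0.0.0 eq 37
6 permit tcp 192.168.50.78 0.0.0.0 172.16.30.22 0.0.0.0 eq 37
7 permit tcp 192.168.50.78 0.0.0.0 172.16.30.21 0.0.0.0 eq 73
8 permit tcp 192.168.50.78 0.0.0.0 172.16.30.22 0.0.0.0 eq 73
"""
# Host-to-host TCP permits only; the leading entry number is optional.
RULE = re.compile(r"(?:\d+\s+)?permit tcp (\S+) 0\.0\.0\.0 (\S+) 0\.0\.0\.0 eq (\d+)$")

def parse_acl(text):
    """Return the set of (src, dst, port) flows; fail on lines this sketch cannot model."""
    flows = set()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        flows.add((m[1], m[2], int(m[3])))
    return flows

def widened_flows(flows):
    """Flows a single EPG-to-EPG contract would permit that the ACL did not."""
    srcs, dsts, ports = map(set, zip(*flows))
    return set(product(srcs, dsts, ports)) - flows

def contract_payload(flows, tenant="ExampleTenant", contract="acl-migrated"):
    """Steps 5-7: one filter per TCP port, one contract with one subject (names hypothetical)."""
    ports = sorted({p for _, _, p in flows})
    filters = [{"vzFilter": {"attributes": {"name": f"tcp-{p}"}, "children": [
        {"vzEntry": {"attributes": {"name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
                                     "dFromPort": str(p), "dToPort": str(p)}}}]}} for p in ports]
    subject = {"vzSubj": {"attributes": {"name": "subject"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f"tcp-{p}"}}} for p in ports]}}
    brcp = {"vzBrCP": {"attributes": {"name": contract}, "children": [subject]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": filters + [brcp]}}

if __name__ == "__main__":
    flows = parse_acl(ACL)
    print("flows the contract would add:", sorted(widened_flows(flows)))
    print(json.dumps(contract_payload(flows), indent=2))
```

A non-empty result from `widened_flows` means the ACL is not a full cross product, so grouping those hosts into two EPGs under one contract would open flows the ACL never allowed.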



Hi Sir,

Thanks for your reply. In this case, do I need to change the VLAN tag on the servers for the new EPG, since these servers are VMs on UCS?

 

Thanks