Interactions between Leaf and Service nodes, and other

moyeonlee
Level 1

Hi Experts,

Question 1:

I wonder about the interactions between Leafs and FW and/or LB, e.g. Leaf1---FW---Leaf2---Leaf3---LB---Leaf3. Let's say there are multiple sEPGs and dEPGs sharing the same FW and LB, e.g. sEPG1---FW---LB---dEPG1 and sEPG2---FW---LB---dEPG2 in the logical flow. As you can see, when each packet leaves Leaf1 for the FW service, it will be completely de-encapsulated, with no iVXLAN header. In such a case, how can Leaf2 identify which traffic incoming from the FW belongs to which sEPG or dEPG, in order to apply its policies for the remaining service?

And is the service graph programmed in TCAM, too? If so, how can I verify it using a CLI command?

Please let me know the CLI command to get TCAM info of Policies(Contracts).

 

Question 2:

I have another question about the function of Reverse Filter Ports when I create a subject under a contract. If I check the box, what operations happen on each Leaf? In my understanding, in the case of L4 communications, each pair of ports (e.g. sPort(4001) and dPort(80)) and their reverse ports (sPort(80) and dPort(4001)) are dynamically programmed in TCAM, right? If so, how can I verify those two pairs of ports? Please let me know how to do this with a CLI command or other means.

 

Thanks in advance.

Paul

7 Replies

dpita
Cisco Employee

Hello

I think it depends on whether the FW is in GoTo or GoThrough mode. That will influence the data path behavior and how the BDs are configured. Anyway, if the FW and LB are integrated into ACI via a device package and service graphs, the APIC and the API will take care of the programming of the forwarding. There are only a few requirements, based on the mode I mentioned earlier, which will affect how the BD forwarding and VLANs will be deployed.

In order to view TCAM usage of policies and contracts, please reference this link for more information. The commands are definitely available to use.

https://supportforums.cisco.com/document/12268026/cisco-aci-cli-commands-cheat-sheet

 

Regarding question 2:

I'm not sure on reverse port filtering. I understand how the "apply in both directions" option works on the subject, if I'm not mistaken, but I'm not 100% sure on how the hardware is programmed any differently or dynamically in this case compared to usual.

I can do more research regarding this and get back to you on this thread. 

Hi Dpita,

 

I always appreciate you.

I want to know the interactions between the Leafs and Service nodes in more detail.

Let's say that the FW is in GOTO mode (routed mode), the BD is set with the defaults, and the topology is like this:

EPGs---L1---L2---FW---L3---L4---LB---L4---WWW EPGs   ; L means Leaf

Let's say that APIC assigns VLAN 10 to the Ext interface of the FW and VLAN 20 to the Int interface of the FW. What does the header info of the frames leaving L2 look like? And how does L3 identify which frame incoming from the FW is from which source EPG for the remaining policy enforcement?

Could you point out which command is for verifying TCAM usage of policies and contracts in the link above? I've tried but I can't find it.

 

Thanks a lot

Paul

Hello

I recreated this in the lab. I will analyze the information and run some show commands in order to better answer your question in a working environment!

Thanks a lot, Dpita

I'm looking forward to seeing detailed info such as packet captures and the TCAM status for the contract, with the command set, please.

 

Many thanks

Paul

Hello Again, 

 

I have set up the firewall in GOTO mode and am finalizing my findings. I will post a reply by the end of the week!

astefan
Level 1

The "ACI Fundamentals" document says this about reverse filter ports:

"revFltPorts is a flag that indicates that the Layer 4 source and destination ports in the filters of this subject should be used as specified in the filter description in the forward direction (that is, in the direction from consumer to producer EPG), and should be used in the opposite manner for the reverse direction. In this example, the "http" subject contains the "Http" filter that defined TCP destination port 80 and did not specify the source port. Because the revFltPorts flag is set to true, the policy will be TCP destination port 80 and any source port for traffic from the consumer to the producer, and it will be TCP destination port any and source port 80 for traffic from the producer to the consumer. The assumption is that the consumer initiates the TCP connection to the producer (the consumer is the client and the producer is the server). The default value for the revFltPorts attribute is false if it is not specified."

 

Can someone explain why this makes sense when the consumer initiates the connection (which is most of the time, and hence the option is selected by default), but not necessarily so when the producer initiates it?

dpita
Cisco Employee

Hi

Thank you for posting this!

I don't think I understand the question. It makes sense that the consumer has no source port specified, as it will pick a random unused port as the TCP stack on the operating system determines, and a specific service is being reached (in the example, port 80 for HTTP). When reverse communication is established, that is, after the client sends an HTTP GET, the server replies with the page and uses the client source port as the destination port. In order for the contract to work, the reverse port filtering needs to be specified so that on the return path from the provider to the consumer, any port is allowed (the randomly generated port from the client TCP stack) as source with a destination of 80 toward the client.

I hope that cleared it up and answered your question. Worst case, I can draw up a picture =)
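To make the revFltPorts behaviour quoted from "ACI Fundamentals" above, and the question of what happens when the producer initiates the connection, concrete, here is a small model of how a subject's filter entries expand into directional permit rules. This is an added example written for this thread; it is not Cisco code and it does not reproduce the actual TCAM encoding on a leaf. The EPG names (`Web-Clients`, `Web-Servers`), the port numbers and the function names are constructed for illustration; `apply_both_directions` stands in for the subject's "Apply Both Directions" option mentioned earlier in the thread.

```python
"""
Model of an ACI contract subject with the Reverse Filter Ports (revFltPorts) flag.

Added illustration only: it follows the behaviour described in the quoted
"ACI Fundamentals" text (forward rule as specified, reverse rule with the
L4 ports swapped). It is not the real TCAM programming of a leaf switch.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for a port field, like an unspecified port in a filter entry


@dataclass(frozen=True)
class FilterEntry:
    """One entry of a filter (protocol, source port, destination port)."""
    proto: str
    sport: Optional[int]  # None = any source port
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Rule:
    """A directional permit rule, as a leaf would have to enforce it."""
    src_epg: str
    dst_epg: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]


def expand_subject(consumer: str, provider: str, entries: List[FilterEntry],
                   apply_both_directions: bool = True,
                   rev_flt_ports: bool = True) -> List[Rule]:
    """Expand a subject into forward (consumer->provider) and reverse rules.

    With rev_flt_ports the reverse rule swaps source and destination ports;
    without it the reverse rule repeats the ports exactly as specified.
    """
    rules: List[Rule] = []
    for e in entries:
        # Forward direction: ports as written in the filter entry.
        rules.append(Rule(consumer, provider, e.proto, e.sport, e.dport))
        if apply_both_directions:
            if rev_flt_ports:
                # Reverse direction with L4 ports swapped (server replies).
                rules.append(Rule(provider, consumer, e.proto, e.dport, e.sport))
            else:
                # Reverse direction with the same ports as the forward rule.
                rules.append(Rule(provider, consumer, e.proto, e.sport, e.dport))
    return rules


def permitted(rules: List[Rule], src_epg: str, dst_epg: str,
              proto: str, sport: int, dport: int) -> bool:
    """Stateless first-match lookup, as a leaf would do per packet."""
    for r in rules:
        if (r.src_epg, r.dst_epg, r.proto) != (src_epg, dst_epg, proto):
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return True
    return False


def http_demo(rev_flt_ports: bool) -> dict:
    """Run the 'Http' filter (TCP dport 80, any sport) through three packets.

    Constructed sample traffic: a client request, the server's reply to it,
    and a connection the server opens towards port 80 on the client side.
    """
    http = FilterEntry("tcp", ANY, 80)
    rules = expand_subject("Web-Clients", "Web-Servers", [http],
                           rev_flt_ports=rev_flt_ports)
    return {
        "client_request": permitted(rules, "Web-Clients", "Web-Servers", "tcp", 4001, 80),
        "server_reply": permitted(rules, "Web-Servers", "Web-Clients", "tcp", 80, 4001),
        "server_initiated": permitted(rules, "Web-Servers", "Web-Clients", "tcp", 5000, 80),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"revFltPorts={flag}: {http_demo(flag)}")
```

Running it shows the two sides of the thread's question: with revFltPorts set, the client request and the server's reply (source port 80, destination 4001) are permitted but a server-initiated connection to port 80 on the consumer side is not, because the reverse rule only matches source port 80; with the flag cleared, the reverse rule keeps destination port 80, so the server-initiated connection passes and the normal reply is dropped. That is why the flag only makes sense when the consumer is the one opening the connection.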
