
Multiple contract labels in ACI

Alex Moore
Level 1

I am trying to use contract labels in ACI, and have settled on a scheme in which the provider of a contract may often have many labels associated with a given contract that it is providing, whereas the consumer will just have a single label (essentially the label on the provider side is used to identify which consumers are allowed to consume the contract from that provider). That seems to work fine. However, as far as manageability of this arrangement moving forward is concerned, I am rather puzzled... I can't find a way to remove one of the labels from the provider once it has more than one label assigned (without removing all of them, which I don't want to do, as it would be disruptive). This is important because requirements will occasionally go away over time, and I need to be able to remove any labels that are no longer needed, without impacting the traffic that is dependent on the other labels that are still needed.

Here is a simple example... Let's say I have 5 EPGs:

  • "EPG-P1" and "EPG-P2" both contain web servers listening on ports 80 and 443
  • "EPG-C1", "EPG-C2", and "EPG-C3" contain clients that need to access the web servers in "EPG-P1" and "EPG-P2"
  • However, "EPG-C1" should only be able to access the web servers in "EPG-P1"; "EPG-C2" should only be able to access the web servers in "EPG-P2"; and "EPG-C3" should be able to access the web servers in both "EPG-P1" and "EPG-P2"

I appreciate that there are many ways this can be implemented... and in this simple case it could easily be achieved without using labels by configuring each provider EPG to provide a different contract (even though the subject / filter configuration within those contracts will be identical), and having each of the client EPGs consume either one or both of those contracts as appropriate. However, I envisage ending up needing to create large numbers of identical contracts if I take that approach, so I want to use labels to avoid that. So my plan involves doing the following in this example:

  • I create a single contract named "web", which permits traffic to TCP ports 80 and 443
  • "EPG-C1" consumes contract "web" using a label of "EPG-C1"
  • "EPG-C2" consumes contract "web" using a label of "EPG-C2"
  • "EPG-C3" consumes contract "web" using a label of "EPG-C3"
  • "EPG-P1" provides contract "web" using two labels: "EPG-C1" and "EPG-C3"
  • "EPG-P2" provides contract "web" using two labels: "EPG-C2" and "EPG-C3"

This achieves what I was hoping. However, if I later retire "EPG-C2", and therefore also want to remove its associated label from "EPG-P2"'s provision of the "web" contract, I can't figure out how to do that...

The GUI allows me to delete the provided "web" contract from "EPG-P2" entirely, which isn't what I want. I can also double-click on the entry for the contract in the list of contracts associated with "EPG-P2" which appears to allow me to edit various fields, including the field listing the associated labels - however as soon as I do so to make that field editable, it no longer shows me the list of associated labels - instead it only contains one of the labels (a somewhat arbitrary one), and what's even more frustrating is that even if it happens to be the label I want to remove, deleting the text and applying the change sometimes results in one of the other associated labels being removed!

It seems to me to be a GUI bug / limitation, so I then started trying to see whether I could achieve it via the APIC's CLI instead, but I can't even figure out how to do anything with the labels via the CLI... none of the labels I have defined so far show up anywhere in the "show run" output from the APIC.

Can anyone point me in the right direction?
