Replacement of ACL with ACI Contracts

faizal_vi · ‎07-07-2020

Hi

I have a scenario where I need to configure the below kind of ACL in ACI. How is possible to achieve it using contracts?

172.16.2.0/24=BD2 <<<VLAN2_EPG>>>

172.16.3.0/24=BD3 <<<VLAN3_EPG>>>

Currently I have the default contract applied.

SRV01=172.16.2.11

SRV02=172.16.2.12

SRV03=172.16.3.11

SRV04=172.16.3.12

If need to create contract based on the host, how is it possible to achieve.

Please note that this an example. My setup is much bigger where I have a requirement to create such kind policies using multiple end hosts

.

Sergiu.Daniluk · ‎07-08-2020

Hi @faizal_vi

Contracts in ACI do not use IP for filtering. The filter entry in a contract is a rule that allows or denies traffic that is classified based on TCP/IP header fields, such as Layer 3 protocol type or Layer 4 ports.

If you have specific requirements between specific IP addresses, you can group the servers in dedicated uEPG and apply contracts on/between the specific uEPGs:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/virtualization/Cisco-ACI-Virtualization-Guide-42x/Cisco-ACI-Virtualization-Guide-421_chapter_0100.html

Regards,

Sergiu

faizal_vi · ‎07-22-2020

Hi,
Is it possible for an endpoint to be a member of multiple uSeg EPGs?

I am still thinking from the ACL perspective where in we can call multiple acls from hosts/ network (source)to different hosts/ networks (Destination)

Sergiu.Daniluk · ‎07-22-2020

No, you cannot have an EP in multiple uEPGs. However, you can configure multiple contracts on a single uEPG.

Stay safe,

Sergiu