11-14-2016 12:37 AM - edited 03-01-2019 05:05 AM
How to configure source and destination IPs in a filter for a contract in ACI APIC, as we used to do in access-lists?
11-14-2016 05:13 AM
You can use
Microsegmentation with Cisco ACI
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_2x/b_ACI_Virtualization_Guide_1_2_2x_chapter_0100.pdf
For example:
------------
dhcp3-epg25.101
Microsegmentation EPG
IP-192.2.25.101
dhcp3-epg27.105
Microsegmentation EPG
IP-192.2.27.105
and then use an exclusive contract between the two devices.
NOTE: Use of VzAny contracts for the VRF can override the microseg contracts and produce unexpected behavior.
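The accepted answer describes the design in words only. The following is an added example, not code from the thread or from Cisco, that builds the APIC REST (JSON) payload for exactly that design: two IP-attribute uSeg EPGs (the two host IPs quoted above) joined by one narrow contract, plus a small lint pass for the pitfalls a reviewer would look for, including the vzAny caveat in the NOTE. The tenant, application profile, bridge domain, VRF, filter and contract names are assumed placeholders; the APIC class and attribute names (fvAEPg, isAttrBasedEPg, fvCrtrn, fvIpAttr, vzFilter, vzEntry, vzBrCP, vzRsAnyToProv/vzRsAnyToCons) are the standard ACI object model.

```python
"""Added example: APIC JSON for two IP-attribute uSeg EPGs with an exclusive
contract between them, and a lint pass over the resulting policy tree.
Tenant/AP/BD/VRF/filter/contract names below are assumed placeholders."""
import json

TENANT, AP, BD, VRF = "ExampleTenant", "ExampleAP", "ExampleBD", "ExampleVRF"  # assumed names
CONTRACT, FILTER = "host-to-host", "https-only"                                  # assumed names


def useg_epg(name, ip):
    """Attribute-based (uSeg) EPG whose only membership criterion is one host IP."""
    return {"fvAEPg": {
        "attributes": {"name": name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
            {"fvCrtrn": {"attributes": {"name": "default"}, "children": [
                {"fvIpAttr": {"attributes": {"name": "ip-" + ip, "ip": ip}}}]}},
        ]}}


def attach_contract(epg, contract, role):
    """Make an EPG consume or provide a contract (role: 'consumer' or 'provider')."""
    cls = {"consumer": "fvRsCons", "provider": "fvRsProv"}[role]
    epg["fvAEPg"]["children"].append({cls: {"attributes": {"tnVzBrCPName": contract}}})
    return epg


def tcp_filter(name, dport):
    """Filter with one entry: IP/TCP to a single destination port, never any/any."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": "tcp-%d" % dport, "etherT": "ip",
                                     "prot": "tcp", "dFromPort": str(dport),
                                     "dToPort": str(dport)}}}]}}


def contract_with_filter(name, filter_name):
    """Contract with one subject that references the filter by name."""
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}


def build_tenant():
    """The two uSeg EPGs from the answer, consumer -> provider over the contract."""
    src = attach_contract(useg_epg("dhcp3-epg25.101", "192.2.25.101"), CONTRACT, "consumer")
    dst = attach_contract(useg_epg("dhcp3-epg27.105", "192.2.27.105"), CONTRACT, "provider")
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        {"fvCtx": {"attributes": {"name": VRF}}},
        tcp_filter(FILTER, 443),
        contract_with_filter(CONTRACT, FILTER),
        {"fvAp": {"attributes": {"name": AP}, "children": [src, dst]}},
    ]}}


def iter_mos(node):
    """Depth-first walk of the APIC JSON tree, yielding (class, attributes, children)."""
    for cls, body in node.items():
        children = body.get("children", [])
        yield cls, body.get("attributes", {}), children
        for child in children:
            yield from iter_mos(child)


def lint(tenant):
    """Findings a reviewer would flag: any/any filter entries, uSeg EPGs with no
    IP criterion, and vzAny contract attachments in the VRF (the answer's NOTE)."""
    findings = []
    for cls, attrs, children in iter_mos(tenant):
        if cls == "vzEntry" and attrs.get("etherT", "unspecified") == "unspecified":
            findings.append("filter entry '%s' matches any/any" % attrs.get("name"))
        if cls == "fvAEPg" and attrs.get("isAttrBasedEPg") == "yes":
            if not any(k == "fvIpAttr" for c in children for k, _, _ in iter_mos(c)):
                findings.append("uSeg EPG '%s' has no fvIpAttr criterion" % attrs["name"])
        if cls in ("vzRsAnyToProv", "vzRsAnyToCons"):
            findings.append("vzAny attaches contract '%s'; it may override the uSeg contract"
                            % attrs.get("tnVzBrCPName"))
    return findings


def payload():
    """JSON body for POST to /api/mo/uni.json on the APIC."""
    return json.dumps(build_tenant(), indent=2)


if __name__ == "__main__":
    print(payload())
    print("lint:", lint(build_tenant()) or "clean")
```

The payload is what you would POST to the APIC's /api/mo/uni.json; the domain association (fvRsDomAtt) and the base EPGs the hosts are classified out of are left out so the policy intent stays visible. The lint pass encodes the two things that most often defeat this design in practice: a filter entry whose etherT is left unspecified (which permits everything, so the "exclusive" contract is no narrower than an any/any ACL) and a vzAny attachment in the VRF, which the answer warns can override the microseg contracts.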
11-14-2016 06:40 AM
Microsegmentation (uSeg) is an option, but it doesn't sound like this is what you really need. uSeg acts as more of an "attribute-based" EPG. You define criteria for matching Endpoints and "move" them automatically to a new EPG from their base EPG. You still need to define contracts between uSeg EPGs & any other EPG the EPs need to communicate with. This is good in many virtual environments where you can enforce EPG classification without having to modify the virtual endpoints' port group assignment.
From the sounds of it, your EPG design needs to be more granular. If you require specific restrictions between EPG-A & EPG-B for a subset of Endpoints - then you should re-think how your EPGs are set up. The more granular you make them, the more control & flexibility you'll have. uSeg is not the best solution to accomplish this in my opinion and I wouldn't over-complicate your design with this feature & your requirements.
Robert
11-14-2016 03:45 AM
Ziad,
Check out these links. They should help you understand contracts and policies and how they are used in ACI.
Cisco Application Centric Infrastructure
Principles of Application Centric Infrastructure
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13004/ps13460/white-paper-c11-729906_ns1261_Networking_Solutions_White_Paper.html
The ACI fabric security policy model is based on contracts. This approach addresses limitations of traditional access control lists (ACLs). Contracts contain the specifications for security policies that are enforced on traffic between endpoint groups.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI_Fundamentals_BigBook_chapter_0100.html#concept_557B05D402E34B68A2FF1F98CC70AB21
Policies and Contracts
http://aci-troubleshooting-book.readthedocs.io/en/latest/pol_cntr.html
Use vzAny to Automatically Apply Communication Rules to all EPGs in a Context
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html
learning-aci-part-4-application-profiles-epgs-contracts-and-filters
https://adamraffe.com/2015/01/02/learning-aci-part-4-application-profiles-epgs-contracts-and-filters/
Thank you for participating in the Cisco Support Forum for ACI! If you have other questions related to this post, please let us know. If this response answers your questions, please mark this post "answered" and assign a rating to the response(s) provided. This will help notify other viewers that your question(s) is answered and this helps us provide better responses for this and future questions.
Thank you!
T.
11-14-2016 03:58 AM
Contracts allow communication between all components inside two or more EPGs. What if I want to allow communication between, let's say, one computer in EPG1 and a specific server in EPG2, and not all components in EPG1 to be able to communicate with all components in EPG2? How will I be able to specify this rule?
12-19-2018 04:31 AM
What if one of the source or destination IPs resides behind a L3Out exposing for example the default route?
Source L3Out - Dest. uSeg EPG
How can I choose the specific source ip for the contract?
Regards,
SC