cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1451
Views
5
Helpful
5
Replies

Source and destination IPs in ACL

How to configure source and destination IPs in a filter for a contract in aci apic as we used to do in access-lists?

Everyone's tags (1)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

You can use

You can use

Microsegmentation with Cisco ACI
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_2x/b_ACI_Virtualization_Guide_1_2_2x_chapter_0100.pdf


For example:
------------
dhcp3-epg25.101
Microsegmentation EPG
IP-192.2.25.101

dhcp3-epg27.105
Microsegmentation EPG
IP-192.2.27.105

and then use an exclusive contract between the two devices.

NOTE: Use of VzAny contracts for the VRF can overide the microseg contracts and produce unexpected behavior.

Cisco Employee

Microsegmentation (uSeg) is

Microsegmentation (uSeg) is an option, but it doesn't sound like this is what you really need. uSeg acts as more of an "attribute-based" EPG.  You define criterion for matching Endpoints and "move" then automatically to a new EPG from their base EPG.  You still need to define contracts between uSeg EPGs & any other EPG the EPs need to communicate with.  This is good in many virtual environments where you can enforce EPG classification without having to modify the virtual endpoints port group assignment.

From the sounds of it, your EPG design needs to be more granular.  If you require specific restrictions between EPG-A & EPG-B for a subset of Endpoints - then you should re-think how your EPGs are setup.  The more granular you make then, the more control & flexibility you'll have.  uSeg is not the best solution to accomplish this in my opinion and I wouldn't over-complicate your design with this feature & your requirements.

Robert

5 REPLIES 5
Cisco Employee

Ziad,

Ziad,

Check out these links. They should help you understand contracts and policies and how they are used in ACI.

Cisco Application Centric Infrastructure
Principles of Application Centric Infrastructure
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13004/ps13460/white-paper-c11-729906_ns1261_Networking_Solutions_White_Paper.html

The ACI fabric security policy model is based on contracts. This approach addresses limitations of traditional access control lists (ACLs). Contracts contain the specifications for security policies that are enforced on traffic between endpoint groups.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI_Fundamentals_BigBook_chapter_0100.html#concept_557B05D402E34B68A2FF1F98CC70AB21

Policies and Contracts
http://aci-troubleshooting-book.readthedocs.io/en/latest/pol_cntr.html

Use vzAny to Automatically Apply Communication Rules to all EPGs in a Context
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html

learning-aci-part-4-application-profiles-epgs-contracts-and-filters
https://adamraffe.com/2015/01/02/learning-aci-part-4-application-profiles-epgs-contracts-and-filters/

Thank you for participating in the Cisco Support Forum for ACI! If you have other questions related to this post, please let us know. If this response answers your questions, please mark this post "answered" and assign a rating to the response(s) provided. This will help notify other viewers that your question(s) is answered and this helps us provide better responses for this and future questions.

Thank you!

T.

Contracts allow communication

Contracts allow communication between all components inside two or more EPGs. What if I want to allow communication between let's say one computer in EPG1 and a specific server in EPG2 and not all components in EPG1 to be able to communicate with all components in EPG2. How will i be able to specify this rule?

Cisco Employee

You can use

You can use

Microsegmentation with Cisco ACI
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_2x/b_ACI_Virtualization_Guide_1_2_2x_chapter_0100.pdf


For example:
------------
dhcp3-epg25.101
Microsegmentation EPG
IP-192.2.25.101

dhcp3-epg27.105
Microsegmentation EPG
IP-192.2.27.105

and then use an exclusive contract between the two devices.

NOTE: Use of VzAny contracts for the VRF can overide the microseg contracts and produce unexpected behavior.

Highlighted
Beginner

Re: You can use

What if one of the source or destination IPs resides behind a L3Out exposing for example the default route?

 

Source L3Out - Dest. uSeg EPG

 

How can I choose the specific source ip for the contract?

 

Regards,

SC

Cisco Employee

Microsegmentation (uSeg) is

Microsegmentation (uSeg) is an option, but it doesn't sound like this is what you really need. uSeg acts as more of an "attribute-based" EPG.  You define criterion for matching Endpoints and "move" then automatically to a new EPG from their base EPG.  You still need to define contracts between uSeg EPGs & any other EPG the EPs need to communicate with.  This is good in many virtual environments where you can enforce EPG classification without having to modify the virtual endpoints port group assignment.

From the sounds of it, your EPG design needs to be more granular.  If you require specific restrictions between EPG-A & EPG-B for a subset of Endpoints - then you should re-think how your EPGs are setup.  The more granular you make then, the more control & flexibility you'll have.  uSeg is not the best solution to accomplish this in my opinion and I wouldn't over-complicate your design with this feature & your requirements.

Robert

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards