Cisco ACI Contracts: VRF Behaviors - Policy Control Enforcement Preference: Enforced Unenforced

Cisco ACI allows administrators to configure virtual routing and forwarding (VRF) behaviors and policy enforcement preferences to control communication between endpoint groups (EPGs). Contracts can be configured between EPGs or EPGs and external networks to further control traffic flow. Contracts contain subjects which are filters for classifying traffic based on network attributes, and actions determining what to do with filtered traffic such as permit, mark, redirect, copy, or block.
Cisco ACI Contracts

VRF Behaviors - Policy Control Enforcement Preference:

By default the VRF is « Enforced »: the endpoints in each EPG attached to this VRF can communicate inside an EPG, but not between EPGs.

A way to configure inter-EPG communication is to enable « Preferred-Group » on the VRF and enable « Preferred-Group » on each EPG.

If you set a VRF to « Unenforced », inter-EPG communication is allowed.

By default, intra-EPG communication is allowed (Unenforced), but you can Enforce an EPG to block communication between all its endpoints.

[Figure: three VRF diagrams, « Enforced », « Unenforced » and « Preferred Group / EPG Enforced », each showing a VRF, a Bridge Domain, EPG A, EPG B, EPG C and their endpoints (EP); legend: Communication denied / Communication allowed]

What is a contract inside ACI ?

Definition: an ACL. Configured between EPGs, or between EPGs and L3out. Contracts are used to control traffic flow within the ACI fabric between EPGs.

[Figure: Client EPG (C, consumer) → Contract (Ct) → Server EPG (P, provider); flow direction from client to server]

Scope

Contracts are assigned a scope of Global, Tenant, VRF, or Application Profile, which limits the accessibility of the contract.

[Figure: four examples of Contract: Web-to-App with Scope Global, Tenant, VRF and Application Profile, showing where the contract (Ct) is placed (Common Tenant or User Tenant) and which EPGs (EPG A, EPG B, EPG C, EPG D, across VRFs and App. Profiles) can consume (C) and provide (P) it]

Object Model & Rôle

Subjects: a group of filters for a specific application or service.

Filters: used to classify traffic based upon layer 2 to layer 4 attributes (such as Ethernet type, protocol type, TCP flags and ports).

Actions: action to be taken on the filtered traffic.
- Permit the traffic (regular contracts, only)
- Mark the traffic (DSCP/CoS) (regular contracts, only)
- Redirect the traffic (regular contracts, only, via SG)
- Copy the traffic (regular contracts, only, via SG or SPAN)
- Block the traffic (taboo contracts, only)
- Log the traffic (taboo contracts, only)

Labels: (Optional) used to group objects such as subjects and endpoint groups for the purpose of increasing granularity in policy enforcement.

[Figure: object model tree: Tenant User (fvTenant) → Contract Allow (vzBrCP) → subjects Web, Biz Admin (vzSubj) → filters Web, SSH, Ping (vzFilter) → entries TCP 80, TCP 443, TCP 22, ICMP (vzEntry)]

Filters take place in the Policy CAM (on the Leaf where applied).

If you don't configure a contract, the traffic is dropped, except for the following specific « control-plane » traffic:
- DHCP v4 (prot 0x11, sport 0x44, dport 0x43)
- DHCP v4 (prot 0x11, sport 0x43, dport 0x44)
- DHCP v6 (prot 0x11, sport 0x222, dport 0x223)
- ND-Sol ICMPv6 (prot 0x3a, dport 0x0087)
- ND-Advt ICMPv6 (prot 0x3a, dport 0x0088)
- EIGRP (prot 0x58)
- IGMP (prot 0x2)
- PIM (prot 0x67)
- OSPF (prot 0x59)


Author: Benoit GONCALVES – 2020 – ACI 4.2

Understanding « Apply Both Directions » and « Reverse Filter Ports » options

An HTTP Contract is configured to match HTTP traffic: any source port and destination port TCP 80. The Web Client EPG consumes the HTTP Contract. The Web Server EPG provides the HTTP Contract.

With the configuration shown, the client can browse a web page: the HTTP Request and the response will be allowed.

[Figure: HTTP Contract / HTTP Subject with Apply Both Directions and Reverse Filter Ports enabled, Filter: Source any, Destination 80. Resulting rules: Web Client → Web Server: SRC Port Any, DST Port 80; Web Server → Web Client: SRC Port 80, DST Port Any]

If we remove the « Reverse Filter Ports » option, the contract is still applied in both directions, but with destination port 80 allowed in both directions. With this configuration, when the client tries to browse a web page, the HTTP Request will be allowed, but the response is denied, unless you add a rule to allow source port TCP 80.

[Figure: HTTP Contract / HTTP Subject with Apply Both Directions enabled and Reverse Filter Ports disabled, Filter: Source any, Destination 80. Resulting rules: Web Client → Web Server: SRC Port Any, DST Port 80; Web Server → Web Client: SRC Port Any, DST Port 80]

If we remove the « Apply Both Directions » option, the contract is applied in only one direction, from consumer to provider. This option only uses a single TCAM entry rather than two as in the above examples.

[Figure: HTTP Contract / HTTP Subject with Apply Both Directions and Reverse Filter Ports disabled, Filter: Source any, Destination 80. Resulting rule: Web Client → Web Server: SRC Port Any, DST Port 80]

Saving CAM table entries with vzAny and TCP Established option

[Figure: HTTP Contract (HTTP Subject, Filter TCP80: Source any, Destination 80), SQL Contract (SQL Subject, Filter TCP1443: Source any, Destination 1443) and Established Contract (Established Subject, Filter established: Source any, Destination any, SRC Port Any, DST Port Any, ACK flag 1), each with the Apply Both Directions and Reverse Filter Ports options. Web Client EPG (C) → HTTP Ct → Web Server EPG (P); Web Server EPG (C) → SQL Ct → SQL Server EPG (P); vzAny consumes and provides the Established contract; TCP Session: established]

The HTTP and SQL contracts allow traffic from the consuming EPGs to reach the providing EPGs, while the Established contract allows universal traffic between EPGs so long as the TCP session is established. The HTTP and SQL contracts are only needed to allow the initial TCP SYN packet through to establish the session. All other traffic is handled by the vzAny EPG and its Established contract.
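The following is an added illustration, not code from the sheet or from Cisco: it models how one subject with a "source any, destination 80" filter expands into zoning rules under the « Apply Both Directions » / « Reverse Filter Ports » options described above, and how the vzAny Established filter lets the one-way HTTP contract suffice. `Rule`, `expand()`, `permitted()` and the simplified rule format are assumptions of this model.

```python
"""How an ACI contract subject expands into zoning rules (TCAM entries) and how
an HTTP request/response is matched against them. Added illustration, not Cisco
code: Rule, expand() and permitted() are a simplified model (assumptions)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str             # "consumer" or "provider" side of the contract
    dst: str
    sport: str           # "any" or a TCP port as a string
    dport: str
    established: bool = False   # TCP Established filter: match only if ACK is set

def expand(dport, both_dirs=True, reverse_ports=True, established=False):
    """Zoning rules produced by one subject holding the filter 'source any,
    destination <dport>' under Apply Both Directions / Reverse Filter Ports."""
    rules = [Rule("consumer", "provider", "any", dport, established)]
    if both_dirs:
        # Reverse Filter Ports swaps the ports in the provider->consumer rule;
        # without it the return rule still matches destination port <dport>.
        if reverse_ports:
            rules.append(Rule("provider", "consumer", dport, "any", established))
        else:
            rules.append(Rule("provider", "consumer", "any", dport, established))
    return rules

def permitted(rules, src, dst, sport, dport, ack=False):
    """True if any rule matches the flow; anything unmatched is dropped."""
    return any(r.src == src and r.dst == dst
               and r.sport in ("any", str(sport)) and r.dport in ("any", str(dport))
               and (ack or not r.established) for r in rules)

def http_scenarios():
    """Per option combination: (TCAM entries, request allowed?, response allowed?).
    Request: client port 51000 -> server port 80; response: 80 -> 51000, ACK set."""
    req = ("consumer", "provider", 51000, 80)
    rsp = ("provider", "consumer", 80, 51000)
    cases = {
        "both+reverse": expand("80"),
        "both_only": expand("80", reverse_ports=False),
        "one_direction": expand("80", both_dirs=False),
        # vzAny + Established (assumed layout): HTTP contract one way (1 entry)
        # plus an any/any Established rule in both directions shared by all EPGs
        "vzany_established": expand("80", both_dirs=False)
        + expand("any", reverse_ports=False, established=True),
    }
    return {n: (len(r), permitted(r, *req), permitted(r, *rsp, ack=True))
            for n, r in cases.items()}
```

Calling `http_scenarios()` returns, per option combination, the number of entries and whether the request and the ACK-bearing response pass; only "both+reverse" and "vzany_established" let the response through, and the latter still blocks an unsolicited SYN from the server side because the Established rule requires ACK.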

Contracts inheritance
TCAM verification
Check contract counters & hits
Contract rule priorities
Taboo contracts