Cisco Application Centric Infrastructure - Cisco ACI Contract Guide
Cisco Application Centric Infrastructure - Cisco ACI Contract Guide
cisco.com
vzAny Tenant > Networking > VRFs > 1.0 Collection of EPGs in
VRF_name > EPG Collection for a VRF
VRF
Simplify
configuration.
Reduce TCAM
resource
consumption
Unenforced Tenant > Networking > VRFs > 1.0 Permit all traffic Contract can’t be
mode VRF_name within VRF enforced on the VRF at
all.
Simplify
configuration.
Reduce TCAM
resource
consumption.
Preferred Tenant > Networking > VRFs > 2.2 Permit all traffic This might not contribute
group VRF_name between EPGs in to reducing TCAM
preferred group resource consumption.
Tenant > Application Profiles >
Application_Profile_name >
Application EPGs > EPG_name Simplify
configuration.
Contract can be still
enforced on the VRF.
Policy Based Tenant > Contracts > 2.0 Redirect traffic based Service graph is
Redirect (PBR) Contract_name > Subject_name > on contract mandatory when using
L4-L7 Service Graph PBR.
Flexible and granular
service insertion
based on contract
Intra EPG Application_Profile_name > 1.2(2g) Deny communication This denies all
isolation Application EPGs > EPG_name between endpoints in communication in the
the EPG EPG. PVLAN (Private
VLAN) is used behind the
Enforce security scene.
within EPG
Intra EPG Application_Profile_name > 3.0 Enforce contract PVLAN (Private VLAN) is
contract Application EPGs > EPG_name > between endpoints in used behind the scene.
Contracts the EPG
Granular security
enforcement within
EPG
1 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Simplify configuration
Enable Policy Tenant > Contracts > 3.2: Bidirectional subjects Bidirectional rule
Compression Contract_name > Subject_name > Bidirectional take one entry only in compression requires EX
filter_name in Filters rule TCAM (3.2). leaf or later.
compression
Reuse filter (4.0) Policy table compression
4.0: Policy table requires FX leaf or later.
compression Reduce TCAM Statistics information is
resource missing if compression is
consumption enabled.
Logging Tenant > Contracts > 1.0: Deny Enable logging for Packet logging has rate
Contract_name > Subject_name > logging permitted and denied limit and requires EX or
filter_name in Filters packet and flow later. (500 pps for deny,
2.0: Permit 300 pps for permit)
logging
Take logs for
important permit
traffic
Deny action Tenant > Contracts > 3.2 Explicitly deny traffic
Contract_name > Subject_name > based on contract
filter_name in Filters
Block-list model
policy enforcement
* This document shows the GUI navigation in Cisco Application Policy Infrastructure Controller (APIC) Release 5.0.
Figure 1.
EPGs and contracts
An EPG provides or consumes contracts. For instance, the App EPG in the example in Figure 1 provides a contract that the
Web consumes, and consumes a contract that the DB EPG provides.
An endpoint can belong to one EPG. Physical, virtual, and container endpoints can coexist in the same EPG. How to define
which EPG an endpoint belongs to is based on the EPG type, as described below:
● L3Out EPG based on the IP subnet (longest prefix match)
● EPG that is based on the leaf interface and VLAN ID, or the leaf interface and VXLAN
◦ uSeg EPG (also called micro EPG) that is based on IP, MAC VM attributes, such as VM name, or a combination of IP,
MAC, and those attributes
Defining which side is the provider and which one is the consumer of a given contract allows establishing a direction of the
contract where to apply ACL (Access Control List) filtering; for instance, if the Web EPG is a consumer of the contract
provided by the App EPG, you may want to define a filter that allows HTTP port 80 as a destination in the consumer-to-
provider direction and as a source in the provider-to-consumer direction. In the case of a traditional network, those two filters
for both directions are separate ACLs. In the case of an ACI fabric, when a contract with an HTTP filter: source port of “Any,”
and a destination port of “80,” is configured between Web EPG and App EPG, two filters (one per direction) are deployed in
Cisco ACI by default, as shown in Figure 2.
2 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Figure 2.
Web as consumer and App as provider
If, instead, you had defined Web EPG as the provider and App EPG as the consumer of the contract, you would define the
same filters in the opposite direction; that is, you would allow HTTP port 80 as the source in the consumer-to-provider
direction and as the destination in the provider-to-consumer direction.
Figure 3.
App as consumer and Web as provider
In the most common designs, you do not need to define more than one contract between any EPG pair. If there is a need to
add more filtering rules to the same EPG pair, this can be achieved by adding more subjects to the same contract.
Note: In case of Multi-Site deployment, Cisco Multi-Site Orchestrator (MSO) creates one contract for each subject.
Subjects and filters
A subject is a construct contained within a contract and references a filter. A contract contains one or more subjects and a
subject contains one or more filters. A filter contains one of more filter entries. A filter entry is a rule specifying fields such as
the TCP port and protocol type. Figure 4 provides an example.
Figure 4.
Contract, subject, filter, and filter entries
Figure 5 shows how contracts, subjects, and filters are configured.
The following configurations are performed per filter entry level: whether to permit or deny traffic.
The following configurations are performed per subject level: whether to apply an L4-L7 Service Graph and which QoS
priority to assign to the traffic.
3 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Figure 5.
Contracts, subjects, and filters
Figure 6 shows how filters and filter entries are configured. A filter is collection of filter entries: The configurations related to
the match criteria for the traffic are defined in a filter entry.
Figure 6.
Filters and filter entries
The configuration options at the subject level and the ones defined as a filter entry will be explained later in this document.
Unless the configuration options are specifically mentioned, examples and behaviors explained in this document are based
on the default configuration:
● Apply Both Directions: The filter protocol and the source and destination ports are deployed exactly as defined for both
consumer-to-provider and provider-to-consumer directions.
● Reverse Filter ports: This option should be used always when Apply Both Directions is enabled. The filter protocol and
the source and destination ports are deployed exactly as defined for the consumer-to-provider direction, and with source and
destination ports reversed for the provider-to-consumer direction. Figure 2 illustrates the use of Apply Both Directions in
conjunction with reverse filter ports (which is the default configuration).
● Permit Action: Traffic that is matched with filter entries is permitted between EPGs.
How a contract works for intra-VRF traffic
This section covers how a contract works if the consumer and provider EPGs are in the same VRF.
Overview
Figure 7 illustrates an example of an Intra-VRF contract. Consumer and provider EPGs are in the same VRF. Consumer and
provider EPGs can be in the same or in a different BD. The CLI outputs in this section are based on this topology.
Figure 7.
Intra-VRF contract example
Configuration steps
Some objects must be created on an APIC before contract configuration. This document doesn’t cover how to create
tenants, VRFs, BDs, EPGs, and L3Out. The assumption is that the items below are already configured:
● Initial setup of the ACI fabric (such as discovering APIC, leaf, and spine)
4 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Figure 8.
Create a filter
Note: “Unspecified” means “any.”
The filter entry in the following configuration example (Figure 9) uses “Unspecified.” If EtherType is “Unspecified,” other
options can’t be entered because this filter matches all EtherTypes.
Figure 9.
Filter configuration example: match all
Figure 10 illustrates how to configure a filter to match all IPv4 TCP traffic. Because of this, the filter defines both source and
destination ports as unspecified.
5 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
6 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4220 | 0 | 16386 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4250 | 0 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_any_any(21) |
| 4208 | 0 | 0 | implarp | uni-dir | enabled | 2850817 | | permit | any_any_filter(17) |
| 4249 | 0 | 15 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_vrf_any_deny(22) |
| 4248 | 0 | 32773 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4247 | 32775 | 32774 | 67 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4246 | 32774 | 32775 | 68 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
In this example, red-highlighted Rule ID 4247 and 4246 are created by Contract1 to permit traffic between Web EPG (class
ID 32775) and App EPG (class ID 32774) in tenant1 VRF1 (scope 2850817). Other entries are implicit rules created by the
system. This will be explained in the next subsection “Implicit rules”.
● Rule ID: the ID of the rule entry. This has no real significance other than to act as a unique identifier.
● Src EPG: a unique class ID (pcTag) per VRF of the source EPG
● Dst EPG: a unique class ID (pcTag) per VRF of the destination EPG
● FilterID: the ID of the filter associated with the policy-cam rule. The filter contains the protocol information and L4 ports
that the rule will match against.
● Dir: the directionality of the zoning rule:
◦ uni-dir: This is a unidirectional zoning rule.
◦ bi-dir and uni-dir-ignore: These are also unidirectional zoning rules, but bi-dir and uni-dir-ignore rule pair are combined
into one hardware entry if policy compression is enabled.
● OperSt: the operating state of the rule. It should be “enabled.” If the rule is not programmed properly in the hardware, it
becomes disabled.
● Scope: a unique ID of the VRF that the rule will match against
● Name: the name of the contract that resulted in that entry being programmed
● Action: what the leaf will do when it matches that entry. It includes: [Drop, Permit, Log, Redirect].
● Priority: the order in which the zoning rules will be validated for action, given a matching scope, SrcEPG, DstEPG, and
Filter Entries. The lower the number, the higher the priority.
Note: Zoning-rule entries are used to perform stateless filtering. If you need Cisco ACI to perform stateful filtering, such as
a firewall, you need also to deploy the Application Virtual Edge on the server.
show zoning-filter
Each individual filter ID in the zoning-rule table can be verified by “show zoning-filter filter_id.”
Pod1-Leaf1# show zoning-filter filter 67
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio
| Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 67 | 67_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | 22 | 22 | dport | unspecified |
unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
Pod1-Leaf1# show zoning-filter filter 68
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio
| Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| 68 | 68_0 | ip | unspecified | tcp | no | no | 22 | 22 | unspecified | unspecified | sport | unspecified |
unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
The filter 67 is used to match traffic with any source port to destination port 22; the filter 68 is for the opposite direction. The
figure below illustrates the effect on traffic of the zoning rules from the previous example.
7 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Implicit rules are rules that are not defined by the administrator but are programmed by Cisco ACI. ACI always creates
implicit rules unless the VRF is configured in unenforced mode.
Pod1-Leaf1# show zoning-rule scope 2850817
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4220 | 0 | 16386 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4250 | 0 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_any_any(21) |
| 4208 | 0 | 0 | implarp | uni-dir | enabled | 2850817 | | permit | any_any_filter(17) |
| 4249 | 0 | 15 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_vrf_any_deny(22) |
| 4248 | 0 | 32773 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4247 | 32775 | 32774 | 67 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4246 | 32774 | 32775 | 68 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
In the example above, the red-highlighted Rule IDs are implicit rules. Table 2, below, explains these implicit rules.
● Deny any to any: to deny all inter-EPG communication in the VRF. This is the implicit deny, which takes effect when
there are no explicit contracts between EPGs.
● Permit ARP unicast: to permit all ARP unicast communication between EPGs
● L3Out: to deny any to 0.0.0.0/0 L3Out EPG traffic unless a contract is configured. This is used only when preferred
group is enabled.
● Permit Any to BD where the EPG resides: to permit and flood unknown unicast traffic on the ingress leaf and enforce
the policy on the egress leaf
Table 2. Implicit rules
When it’s used Source Destination Filter ID Action Explanation Priority*
class id class id
Permit unknown 0 BD class ID** Implicit Permit Permit and flood the unknown unicast 16
unicast traffic traffic on ingress leaf and enforce the
(unspecified) policy on egress leaf
L3Out EPG with 0 15*** Implicit Deny It is not used, and is not even 22
0.0.0.0/0 subnet programmed on hardware, unless
(unspecified) preferred group is enabled.
In order to understand Table 2, you need to consider that the contract action is enforced based on the priorities of the
entries. A lower number (*) has a higher priority. Please see the “Contract priorities” section for more details. Class ID 0
means “any” EPG in the VRF (it may help to think of class ID 0 as the “any” in classic access-lists), and class ID 15 (***) is
reserved for 0.0.0.0/0 L3Out EPG as a destination. Please see L3Out EPG with 0.0.0.0/0 subnet for more details.
The BD class ID (**) is an identifier for the traffic destined to the entire bridge domain, similar to the identifier for the VRF or
the identifier of the EPG. The BD class ID information can be found at Tenant > Operational > Resource IDs > Bridge
Domains. In Figure 15, BD-Web where Web EPG resides has BD class ID 16386 and BD-App where App EPG resides has
a BD class ID 32773.
8 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Egress EPG L3Out EPG Border leaf -> non-border leaf traffic
If destination endpoint is learned: border leaf
If destination endpoint is not learned: non-border leaf
Egress L3Out EPG EPG Non-border leaf-> border leaf traffic
Border leaf
9 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
10 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
11 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
12 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
VRFs.” The configuration is located at Tenant > Networking > Bridge Domains > Consumer_BD_name > Subnets.
13 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
14 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
15 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
16 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+------------------------+
Pod1-Leaf1# show zoning-rule scope 2850817
+---------+--------+--------+----------+----------------+---------+---------+-------------------+-----------------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+-----------------+----------------------+
| 4209 | 0 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_any_any(21) |
| 4229 | 0 | 0 | implarp | uni-dir | enabled | 2850817 | | permit | any_any_filter(17) |
| 4207 | 0 | 15 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_vrf_any_deny(22) |
| 4206 | 5481 | 14 | implicit | uni-dir | enabled | 2850817 | | permit_override | src_dst_any(9) |
| 4276 | 5481 | 5482 | 71 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4204 | 5482 | 5481 | 69 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4245 | 0 | 13 | implicit | uni-dir | enabled | 2850817 | | deny | black_list(5) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+-----------------+----------------------+
The red-highlighted implicit deny rules are programmed on the consumer VRF and the provider VRF in addition to the zoning
rules to permit consumer-to-provider (5482-to-5481) and provider-to-consumer (5481-to-5482) traffic. The provider VRF has
the implicit zoning-rule to deny traffic from any to the special class ID 13 (Rule ID 4245), and the consumer VRF has the
implicit zoning-rule to deny traffic from provider to any (Rule ID 4269). These are to deny inter-VRF traffic except between
192.168.1.0/24 and 10.0.0.0/16.
For example, traffic with destination IP 10.1.1.1 entering the fabric via the L3Out in VRF1 is classified to destination class ID
13 and dropped because of the implicit deny rule (0 to 13), whereas traffic with destination IP 10.0.0.1 is classified to the
destination class ID 5482. Traffic with source IP 10.1.1.1 entering the fabric via the L3Out in VRF2 is also dropped because
it is not classified to the L3Out-EPG2 class ID (5482). Even if inter-VRF traffic from L3Out-EPG1 is permitted in VRF1 on the
ingress leaf because of the implicit permit rule (5481 to 14), VRF2 on the egress leaf drops the traffic unless a specific permit
rule is in place, because of the implicit deny rule (5481 to 0).
Inter-tenant contract
An inter-tenant contract is a contract where the provider and the consumer EPGs are in different tenants, but not necessarily
in different VRFs.
The primary design and configuration difference between intra-tenant contracts and inter-tenant contracts is the “visibility” of
the contract from both tenants: the contract object must be visible in both tenants.
There are two ways for a contract to be visible to both tenants:
● The contract is defined in the common tenant and therefore is visible to all tenants.
● The contract is defined in a user tenant and “exported” to a different tenant through the configuration called “contract
interface.”
The scope of the contract depends on whether the contract is between VRFs or not.
This section categorizes the inter-tenant deployments based on where the contract definition is located and whether or not
there is VRF leaking:
● Inter-tenant intra-VRF contract with contract in the common tenant
● Inter-tenant inter-VRF contract with contract in the common tenant
● Inter-tenant inter-VRF contract with contract in the user tenant
Figure 33 illustrates the first design example. In this example, the administrator defines a VRF in the common tenant that is
referred by BDs (to which the EPGs are attached) in different tenants. In this example, the two tenants are the common
tenant and a user tenant (but you could also define a contract in a common tenant that is used by two user tenants). A
variation of this design consists in defining a contract between EPGs of different user tenants that are using the same VRF
from the common tenant, and a contract from the common tenant.
This type of design is very simple to implement, for the following reasons:
● There are no configurations required for route-leaking.
● Because you define the contract in the common tenant, this contract is automatically visible in any tenant (like any
object configured in the common tenant); therefore, the EPG in the common tenant and in the user tenant can, respectively,
provide (or consume) and consume (or provide) the contract.
17 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Because contract scope and route-leak configurations are covered in a previous section, this section explains how to export
a contract to a consumer tenant.
Export contract
The configuration to export a contract is in provider Tenant > Contracts > Standard.
18 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
19 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
20 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
21 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
22 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
23 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
24 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
25 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
26 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Physical domain Cisco ACI Cisco ACI IP based EPG: IP-based EPG requires -E leaf or later
Release 1.2(2g) Release 3.0 Cisco ACI Release
1.2 uSeg attribute logical operator (AND/OR)
requires Cisco ACI Release 2.3 or later
MAC based EPG:
Cisco ACI Release
2.1
VMware Cisco ACI Cisco ACI Cisco ACI Release uSeg EPG requires -EX leaf or later
Release 1.2(2g) Release 3.0 1.3
vDS VMM domain uSeg attribute logical operator (AND/OR)
requires Cisco ACI Release 2.3 or later
VMware Cisco ACI Not supported Cisco ACI Release AVE doesn’t enforce policy. Leaf
Release 3.1 3.1 enforces policy the same as with a vDS
AVE VMM domain VMM domain.
(enterprise mode) VXLAN mode
only
Microsoft Cisco ACI Not supported Cisco ACI Release Intra EPG isolation requires -EX leaf or
Release 3.0 1.2 later
SCVMM VMM domain
uSeg attribute Logical operator requires
Cisco ACI Release 3.0 or later
Custom attribute Cisco ACI Requires
3.2(2)
Intra-EPG isolation
Intra-EPG isolation can be configured at Tenant > Application Profiles > Application_Profile_name > Application EPGs >
EPG_name > Policy > General. Default is “Unenforced.”
27 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
28 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
29 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
VM – tag 11 Equals, Contains, Ends Category: ACME Available from Cisco APIC
with, Starts with Release 2.3.
Tag: Prod-Web
VMware VMM domain only
VM – VM folder 14 Equals, Contains, Ends Prod-folder Beta available from Cisco APIC
(beta) with, Starts with Release 3.2.
VMware VMM domain only
VM – VM folder path 15 Equals, Contains, Ends Prod-folder/Web Beta available from Cisco APIC
(beta) with, Starts with Release 4.2.
VMware VMM domain only
*In case of physical domain and VMware vDS VMM domain, there is no precedence between MAC-based EPG and IP-
based EPG. MAC-based EPG is used for bridged traffic, and IP based EPG is used for IP traffic.
The uSeg EPG configuration location is at Tenant > Application Profiles > Application_Profile_name > uSeg EPGs >
EPG_name. uSeg EPG requires a domain association, as shown in Figure 60. In the case of physical domains, a “Static
Leafs” configuration under the uSeg EPG is also required, to indicate to which leaf it should be provisioned. This is in
addition to the Base EPG Static Port Configuration (which already includes the information about leaf nodes). This is
because a base EPG and uSeg EPGs for physical domains are managed as independent entities in ACI.
30 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
uSeg EPGs. If, for some reason, traffic is incorrectly classified based on VLANs instead of MAC, Cisco ACI assigns this
traffic to class ID 10.
If “Allow Micro-Segmentation” is enabled on an EPG with a VMware vDS VMM domain, two implicit deny rules are created in
order to drop traffic that has been incorrectly classified. The following “show zoning-rule” output shows an example:
Pod1-Leaf1# show zoning-rule scope 2850817
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
| 4211 | 0 | 16386 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4208 | 0 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_any_any(21) |
| 4222 | 0 | 0 | implarp | uni-dir | enabled | 2850817 | | permit | any_any_filter(17) |
| 4221 | 0 | 15 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_vrf_any_deny(22) |
| 4254 | 0 | 32773 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4215 | 10 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | class-eq-deny(2) |
| 4251 | 0 | 10 | implicit | uni-dir | enabled | 2850817 | | deny,log | class-eq-deny(2) |
+---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
The red-highlighted rules are created because of “Allow Micro-Segmentation” on an EPG with VMware vDS VMM domain.
As in any EPG, uSeg EPGs also have a unique class ID that is used in zoning-rules. An endpoint matched with a uSeg EPG
attribute is classified to the uSeg EPG, and contract security is enforced based on the uSeg EPG class ID instead of the
base EPG class ID.
31 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● The deployment immediacy is user-configurable on a base EPG and a uSeg EPG with a VMM domain; this option
optimizes contracts programming. If you want to minimize traffic downtime because of the policy deployment during a new
attachment, such as vMotion, the deployment immediacy should be “Immediate.”
● The deployment immediacy of base EPGs works as described in the next bullets:
◦ If the deployment immediacy of the base EPG is “Immediate,”, the policies related to the base EPG are programmed on a
leaf once the policies are pushed to the leaf. This means that, when a VMM domain association with “Allow Micro-
segmentation” is added to the base EPG, the policies are programmed on the leaf, because the resolution immediacy for
base EPGs with a vDS VMM domain is always “Immediate” if “Allow Micro-Segmentation” is set to “True.”
◦ If the deployment immediacy of the base EPG is “On Demand,” the following happens. Cisco ACI deploys contracts for
all base EPGs sharing the same PVLAN pair as soon as the first endpoint is learned in any of the base EPGs configured for
“On Demand” deployment. (All base EPGs, with “Allow Micro-Segmentation” enabled, associated with the same BD and
VMM domain share the same PVLAN pair.) In short, once a leaf receives a packet that is from any of the base EPG
regardless of the endpoint is classified to a uSeg EPG or not, the policies related to the base EPG are programmed on the
leaf, but also the policies related to the other base EPGs in the same BD.
● The deployment immediacy of uSeg EPGs works as described in the next bullets:
◦ If the deployment immediacy of the uSeg EPG is “Immediate,” the policies related to the uSeg EPG are programmed on
a leaf once the policies are pushed to the leaf.
◦ If the deployment immediacy of the uSeg EPG is “On Demand,” the policies related to the uSeg EPG are programmed on
a leaf once the leaf learns the first endpoint in the uSeg EPG.
* Note for advanced readers: You may wonder, why not use “Pre-provision”? This is related to the fact that, when “Allow
Micro-Segmentation” is set on a base EPG, ACI creates an l2MacCktEp object in each leaf based on the endpoints that have
been discovered in the base EPG in the VMM domain. Then, if a uSeg EPG is created, the EPG classification for each
l2MacCktEp is modified on the leaf nodes. This means that EPG derivation relies on the endpoint discoveries. Thus, the use
of “Pre-provision” – that is, downloading policies on leaf nodes where the VMM domain is configured regardless of
hypervisor or endpoint connection – would, when using uSeg EPGs, have no actual effect.
The following is a list of uSeg EPG configuration-and-design points to keep in mind:
● uSeg EPG requires “Ingress” enforcement mode on the VRF
● The uSeg EPG domain must be configured to match the base EPG domain.
● Base EPG(s) and uSeg EPG(s) must be in the same BD, and the BD must have an IP subnet.
● uSeg EPG is also part of vzAny and supports preferred group, intra-EPG isolation, intra-EPG contract, and other
configurations per EPG.
● The use of logical operators (Match-Any/Match-All) for the uSeg attribute is supported since Cisco APIC Release 2.3.
● In physical domains and VMware vDS VMM domains, there is no precedence between MAC-based EPG and IP-based
EPG. MAC-based EPG is used for bridged traffic, and IP-based EPG is used for IP traffic.
● In a physical domain, under the uSeg EPG configuration, you need to define the static-leaf mappings (see Figure 63),
which tells ACI on which leaf the policies related to the uSeg EPG should be programmed.
● In a VMware vDS VMM domain, “Allow Micro-Segmentation” must be checked at the base EPG (this automatically
configures Private VLANs on the port-group for the base EPG and proxy-ARP within the base EPG). If there is an
intermediate switch, such as a Cisco UCS fabric interconnect, between an ACI leaf and a VMware vDS, PVLAN must be
configured at the intermediate switch.
● Custom QoS and QoS class configurations at uSeg EPGs are not supported. Custom QoS and QoS class
configurations at base EPGs are supported unless intra-EPG isolation or intra-EPG contract is enabled on the base EPG.
Endpoint Security Group (ESG)
Endpoint Security Groups are an evolution of the EPG and microsegmentation concepts. This feature has been introduced in
Cisco ACI Release 5.0 and requires -EX leaf nodes or newer. ESGs are a security zone but, differently from EPGs, ESGs
are not bound to a bridge domain; instead, they are a security zone that works across the entire VRF. ESGs differ from EPGs
also because ESGs are only a security zone; they do not have network-related configurations (such as subnets). The
security rules are defined by using contracts between ESGs.
The example in Figure 64 helps to clarify. Imagine that web servers are in two different bridge domains and that application
servers are also in two different bridge domains (Figure 64-a). Imagine that you need to configure security rules to allow web
servers to talk to application servers. If each security zone (Web and App) can be in two different subnets or Layer 2
domains, you would have to configure four EPGs: EPG1-1 for the Web servers in BD1, EPG1-2 for the Web servers in BD2,
EPG2-3 for the App servers in BD3, EPG2-4 for the App servers in BD4, and the configuration would require four to six
contracts (Figure 64-b): four contracts if you just want to enable Web servers to talk to the App servers, six contracts if you
also want to enable communication between the Web EPGs (and, similarly, between the App EPGs). But, with ESGs, you
need to configure only two ESGs (Figure 63-c) and one contract. If you define another ESG for shared services, this ESG is
also available for any bridge domain under the same VRF.
32 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
For the outside to ACI traffic, you would use a contract between the L3Out EPG and the ESG, but contracts between ESGs
and EPGs are not possible.
The classification of the endpoints in ESGs is similar to the uSeg EPG configuration. As of Cisco APIC Release 5.0, the only
classification criteria are based on matching the IP address of the endpoint. For example, the user can enter a specific IP
(/32, /128, or without a subnet mask) or a subnet match with any mask length. Future releases will add more classification
options.
The configuration of the ESG is performed at Tenant > Application Profiles > Endpoint Security Groups.
For VRF-sharing purposes, route-leaking with ESGs is configured at the VRF level by entering which bridge domain subnet
should be leaked and to which tenant and VRF it should be leaked to. This makes the VRF-sharing configuration more
flexible because there is no need to map ESGs to subnets.
The configuration is performed at Tenant > Networking > VRFs > VRF_name > Inter- VRF Leaked Routes for ESG >
Configure EPG/BD Subnets.
The following list provides a summary of which commonly used EPG features are equally applicable and available with
ESGs:
● Preferred groups
● vzAny
● Service Graph with PBR
At of Cisco APIC Release 5.0, the following limitations apply:
● Contracts between ESGs and EPGs are not supported.
● The ESG feature is not integrated with Cisco ACI Multi-Site Orchestrator.
● The available ESG selector is by IP address only. Selection by MAC addresses, VM tags, or other criteria are not yet
implemented.
● An ESG contract can be applied only for routed traffic with IP as the selector.
● Taboo contracts are not implemented with ESGs.
● Inter-VRF service graphs between ESGs are not yet implemented.
● ESGs do not work on first-generation leaf nodes (Cisco Nexus® 9396PX Switch, Cisco Nexus 93128TX Switch and so
on).
Note: As of Cisco ACI Release 5.0, this feature has just been released. The fact that the only classification option
available is IP-address-based classification can make it difficult to migrate workloads to ESG-based security policies without
an automation tool. The following releases will add more classification options in order to give more flexibility to migrate the
existing configurations to security policies based on ESGs.
For more information, please refer to this link: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/5-
x/security/cisco-apic-security-configuration-guide-50x/m-endpoint-security-groups.html
Contract configuration options
This section explains the following configuration options for contracts, contract subjects or filters:
● Per-contract configurations:
◦ Scope (Please also see the “Inter-VRF and inter-tenant contracts” section.)
◦ QoS Class
◦ Target DSCP (This works only if the QoS class is set.)
● Contract subject configurations for the contract:
◦ Apply Both Directions and Reverse Filter Ports
◦ L4-L7 Service Graph
◦ QoS Priority
◦ Target DSCP (This works only if the QoS priority is set, or if the QoS class is set on the contract.)
◦ WAN SLA policy (For Cisco SD-WAN integration)
● Filter configurations for the contract subject:
◦ Deny action
◦ Log
◦ Enable Policy Compression
In Cisco ACI, QoS configurations are very much related to the EPG and contract configurations. The next section
summarizes the key concepts about QoS in ACI in order to understand the configurations that follow.
QoS configurations
You might notice that QoS and DSCP (Differentiated Services Code Point) configurations are in multiple locations. The QoS-
related configurations can be found in the EPG, in the contract, and in the contract subject.
As with normal QoS, QoS in ACI deals with class and marking to place traffic into one of the QoS classes. Each QoS class
represents a class of service and is equivalent to a “qos-group” in traditional Cisco NX-OS. Each class of service maps to a
queue or a set of queues in hardware.
The QoS configuration at the contract and the contract subject specifies the assignment of the traffic to a given qos-group
(QoS class) based on the source EPG, destination EPG, and filters. The custom QoS configuration at the EPG specifies the
assignment of the traffic to a given qos-group based on the dot1p or DSCP values of the incoming traffic from that EPG. The
QoS class configuration at the EPG defines which qos-group based on the traffic from that to which the EPG belongs if none
of the other previous criteria are matched.
Figure 65 illustrates the purpose of QoS Class configuration at the EPG versus a Custom QoS configuration at the EPG
versus a QoS configuration in the contract and the contract subject, and in which order they are looked up. Notice that a
Custom QoS at the EPG can be used not just to classify traffic into a qos-group but also to rewrite the DSCP value (this is
called “Target DSCP”) of the payload packet.
33 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
34 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
35 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Note: Custom QoS and QoS class configurations at uSeg EPGs are not supported. Custom QoS and QoS class
configurations at base EPGs are supported unless intra-EPG isolation or intra-EPG contract is enabled on the base EPG.
Figure 69.
QoS configuration at EPG (Custom QoS policy and QoS class at source EPG)
In the case of the L3Out, the QoS configuration is at the L3Out EPG and the L3Out logical interface profile. The QoS
configuration at the L3Out logical interface profile was introduced in Cisco APIC Release 4.0.
● The QoS Class (QoS Priority) and Custom QoS configuration for L3Out logical interfaces is at Tenant > Networking >
L3Outs > L3Out_name > Logical Node Profiles > Logical_Node_Profile_name > Logical Interface Profiles >
Logical_Interface_Profile_name > Policy > General.
● The QoS Class configuration location for the L3Out EPG is at Tenant > Networking > L3Outs > L3Out_name >
External EPGs > External_EPG_name > Policy > General.
36 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
37 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Figure 74 illustrates an example in which both options are enabled. By enabling Apply Both Directions, two TCAM entries for
consumer-to-provider and provider-to-consumer directions are created. The entry for the consumer-to-provider direction uses
the source and destination ports that have been defined in the filter. The entry for the provider-to-consumer direction uses as
a source port the port defined in the filter as the destination port, and as a destination port the port defined in the filter as the
source port – in other words, the filter’s ports are reversed. Thus, bidirectional traffic between consumer EPG and provider
EPG is permitted.
38 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
39 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
40 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
| 4225 | 32774 | 32775 | 71 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
Service graph with redirect action (bidirectional PBR)
This subsection covers how Cisco ACI programs the policy-cam when using a service graph to redirect traffic to an L4-L7
device for both consumer-to-provider and provider-to-consumer directions. This is typically used for firewall or IPS insertion
where the firewall or IPS does not change the source or destination IP (meaning that the firewall or IPS does not perform
Network Address Translation (NAT) on the traffic). The service device can be in the same or a different bridge domain from
the consumer/provider endpoints.
Figure 81 and the CLI output from the “show zoning-rule” command, below the figure, illustrate an example with redirect
action. Once the service graph is deployed, internal EPGs for the service node are created and zoning rules are updated to
permit traffic between the consumer and the provider EPGs through the service node. (This example doesn’t use the Filters-
from-contract option.)
41 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
42 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
graph with copy action. Once a service graph is deployed, zoning rules are updated to send a copy of traffic between the
consumer and the provider EPGs to the service node.
43 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
44 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● If a deny rule is configured by the user (the action is “Deny”) and the “Log” option is not checked, the traffic that is
dropped because of this rule is not logged.
● If the action is “Deny” and “Log” is checked, logging for denied traffic is enabled.
● If the action is “Permit” and “Log” is checked, logging for permitted traffic is enabled. Permit logging requires Cisco
APIC Release 2.0 or later, and EX or later.
If you are exporting the logs from the leaf nodes to a syslog server, in addition to entering the syslog server information in the
monitoring policies, you also need to set the logging level by changing the policy for syslog messages from “default” to “info”
at Fabric > Fabric Policies > Monitoring Policies > Common Policy > Syslog Message Policies > Policy for system syslog
messages.
Figure 88 and the CLI output from the “show zoning-rule” command, below the figure, illustrate an example with permit
logging.
45 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
46 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
*Leaf models with FX2 and FXP require Cisco APIC Release 4.1 or later. Leaf model with GX require Cisco APIC Release
4.2(2) or later.
Note: Even if bidirectional rule compression and policy table compression can work at the same time by using the same
configuration knob “Enable Policy Compression,” each compression works separately. If bidirectional rule compression is not
applicable because “Apply Both Directions and Reverse Filter Ports” are not enabled, Cisco ACI performs only policy table
compression. If policy table compression fails for some reason (such as hash collision), ACI applies only bidirectional rule
compression.
The capability to compress bidirectional rules to one entry (bidirectional rule compression) requires Cisco APIC Release 3.2
or later and EX leaf or later. This capability requires that both Apply Both Directions and Reverse Filter Ports are enabled in
the contract, which is the default configuration. If both are enabled, one contract creates two entries for both directions
(consumer-to-provider and provider-to-consumer) of the traffic, as shown in Figure 91. If “Enable Policy Compression” is
checked, bidirectional entries will take one entry only in the TCAM, instead of two.
47 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
48 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● Policy Compression can be enabled for user-defined rules only. It is not applicable to implicit rules.
● Policy Compression cannot be enabled for vzAny contracts.
● Policy Compression cannot be enabled on contracts that have labels and subject exceptions associated with them.
Deny action
“Deny action” was introduced in Cisco APIC Release 3.2. If a contract is defined between EPGs, protocols in filters defined
in the contract are permitted because the default action is “Permit.” For each filter in a contract subject, the administrator can
set the action to “Deny” instead of “Permit.” Using deny action is helpful if you want to use a block-list model for security
enforcement. For example, you could configure a vzAny-to-vzAny permit contract to permit all EPG-to-EPG communication
within a VRF, and then you can configure a contract with a deny action to deny specific EPG-to-EPG communication. Using
deny action can simplify the configuration and reduce TCAM consumption.
49 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
50 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
to IP fragments with an offset greater than 0 because the TCP/UDP port information can only be checked in the first
fragment. Thus, by default all IP fragments except the first one will be dropped by the implicit deny rule.
Match DSCP
This option is to specify DSCP (Differentiated Services Code Point) value to match in the traffic in addition to EtherType, IP
protocol, source port, and destination port. By using this option, different actions can be taken depending on which DSCP
value is in the packet, even if other parameters, such as source EPG, destination EPG, and filter matching, are the same.
This option is set, by default, to “Unspecified” (which in Cisco ACI is the equivalent of “Any” in classic IOS or NX-OS
terminology). This requires leaf nodes with “EX” or “FX” onward.
TCP Flags
This option is to specify the TCP flag values to match traffic in addition to EtherType, IP protocol, source port, and destination
port. The available TCP flags are:
● Synchronize: SYN
● Established: ACK or RST
● Acknowledgement: ACK
● Reset: RST
● Finish: FIN
Stateful
The Stateful option is to allow TCP packets from provider to consumer only if the ACK flag is set. This option is disabled by
default. It is recommended to enable the Stateful option in TCP filter entries for better security except in those cases where
Enable Policy Compression is required, because Policy compression cannot be applied if the Stateful option is enabled.
Figure 99 illustrates a use case. In order to let the consumer access a specific provider TCP port, the administrator must
configure a consumer-side TCP port (the source port configuration in the contract filter) as wide range, to cover non-well-
known source ports. The example below has two zoning rules: one rule to permit traffic from a consumer using an any-
source TCP port to a provider with destination TCP port 80, and the other rule for the opposite direction. If a provider
endpoint performs a SYN attack using the source TCP port 80 to a consumer endpoint, the traffic is automatically not
dropped by the ACI fabric, because the traffic from the provider using source TCP port 80 to the consumer with an any
destination TCP port is permitted by the contract.
51 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● FIN packet: FIN packets with ACK bit set are permitted. FIN packets without ACK will be dropped. The handling of FIN
packets without ACK differs based on the type of the operating system; therefore, it can be used for a FIN scan attack to
determine the operating system. Dropping such packets can prevent such attacks.
Figure 101 and the CLI output from the “show zoning-rule” command, below the figure, illustrate an example of a policy
programmed on a leaf with the Stateful option enabled.
52 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
53 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
54 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Figure 107 illustrates an example of unintended permit. The L3Out-EPG1 with 0.0.0.0/0 subnet and the Web EPG have a
contract that creates two entries: permit 32775-to-15 and 49153-to-32775, as shown in the “show zoning-rule” output, above.
L3Out1 is deployed on Leaf1 and Leaf2. The L3Out logical interface subnet range is 192.168.11.0/24. External router1
(192.168.11.1) is connected to Leaf1, and External router2 (192.168.11.2) is connected to Leaf2. An endpoint 192.168.1.1 in
Web EPG is connected under Leaf1. VRF1 uses ingress enforcement mode.
55 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
destination Leaf1, and Leaf1 permits the traffic because of the implicit rule.
56 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4211 | 0 | 16386 | implicit | uni-dir | enabled | 2850817 | | permit | any_dest_any(16) |
| 4208 | 0 | 0 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_any_any(21) |
| 4222 | 0 | 0 | implarp | uni-dir | enabled | 2850817 | | permit | any_any_filter(17) |
| 4221 | 0 | 15 | implicit | uni-dir | enabled | 2850817 | | deny,log | any_vrf_any_deny(22) |
| 4244 | 32775 | 15 | 71 | uni-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4206 | 49153 | 32775 | 69 | uni-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4216 | 32775 | 49161 | 71 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4243 | 49161 | 32775 | 69 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
Contract priorities
This section explains contracts and filtering rule (or “zoning rule”) priorities. When using contracts that include a combination
of EPG-to-EPG contracts, with EPGs that may be part of preferred groups, or vzAny contracts, it is necessary to understand
the relative priority of the rules that are programmed in the TCAM in order to understand the policy enforcement behavior.
Overview
The following list provides a summary of the high-level rules of priority used when filtering traffic:
● More-specific EPGs win over vzAny and preferred groups.
◦ EPG-to-EPG (priority 7 or 9) wins over EPG-to-vzAny (priority 13 or 15) and vzAny-to-EPG (priority 14 or 16), which wins
over vzAny-to-vzAny (priority 17 or 20)
◦ Specific source wins over specific destination (for example, EPG-to-vzAny wins over vzAny-to-EPG).
● More-specific L4 rules win.
◦ Specific filters win over the “any” filter (for example, an EPG-to-EPG contract with a specific filter wins over one with a
default filter).
◦ Specific destination wins over specific source (for example, sport-any-to-dport-80 wins over sport-80-to-dport-any).
● Deny actions win. Specific protocol wins.
◦ Within the same zoning-rule priority, deny + log wins over deny, which wins over redirect or permit action.
◦ Between redirect and permit actions, a more specific protocol and a specific L4 port wins.
◦ Between redirect and permit, if the filters are the same, redirect wins over permit. If the filter rules have overlapping ports
and have the same priority, the priority is not deterministic. The contract-rule configuration should not have conflicting rules
of this type if you want the action to be deterministic.
The lower the number of the priority, the higher the priority; therefore, rules with a lower value (that is, a higher priority) win
over rules with a higher value (that is, a lower priority).
You will notice that the same rule type has two priorities, depending on whether the EtherType is “unspecified” (which, you
can say, is the “any” keyword in traditional access lists) or whether it is IPv4, IPv6, FCoE, ARP, and so on. The same rule
type has a higher priority with an EtherType of IPv4 than with an EtherType of “unspecified”; for instance, an EPG-to-EPG
rule has priority 7 with an EtherType of IPv4, and priority 9 with an EtherType of “unspecified”; similarly, an EPG-to-vzAny
rule has priority 13 (if the EtherType is IPv4) and priority 14 (if the EtherType is “unspecified”).
Note: This document refers to filters with an EtherType that is unspecified or to the default filter from the common tenant
as the “any” filter.
Table 8 summarizes the zoning-rule priorities. The behavior within same zoning-rule priorities is explained in the sections
“Priorities between actions” and “Filter priorities.” Unless otherwise indicated, the information in the table shall be applicable
to both EPGs and ESGs. Exception is an intra-VRF contract between an ESG and vzAny.
Table 8. Contract zoning-rule priorities
When it is Source class Destination Filter ID Action Note Priority*
used id class id
57 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
58 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
*Priorities of non-user-defined rules may change. Priorities 4 and 6 are reserved by the system.
** When preferred group is enabled on the VRF, the priority is changed to 19 from 22.
Note: When using the deny action in a contract, the administrator can choose which priority to give to the filtering rule.
The priorities in the table are based on the assumption that the configuration of the contract with the deny action is using the
default priority. Please see “Deny priorities” for more details.
Figure 113 and the CLI output from the “show zoning-rule” command, below the figure, illustrate an example of priority
comparison between specific filter and default filter. If EPG-to-EPG has two contract subjects: one uses an SSH filter with
permit action (priority 7), and the other uses a default filter with redirect action (priority 9), with a result that all, except SSH,
traffic between the EPGs will be redirected.
59 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
60 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Table 9. Deny action vs. permit action within same zoning-rule priorities: TCAM configuration
EtherType Protocol Source port Destination port Action
Table 10. Deny action vs. permit action within same zoning-rule priorities: ACI forwarding action
EtherType Protocol Source port Destination port Action
Table 12. Permit action vs. permit action within same zoning-rule priorities: ACI forwarding action
EtherType Protocol Source port Destination port Action
If both permit and redirect have a specific protocol and L4 port, the rule with a specific source L4 port is considered less
specific than a rule with a specific destination L4 port. For example, permit wins over redirect in the example covered in
tables 13 and 14.
Table 13. L4 source port is considered less specific than the L4 destination port: TCAM configuration
EtherType Protocol Source port Destination port Action
Table 14. L4 source port is considered less specific than the L4 destination port: ACI forwarding action
61 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
IP TCP 63 80 Permit
Table 16. Redirect wins over permit if two rules use the same filter: ACI forwarding decision
EtherType Protocol Source port Destination port Action
IP TCP 63 80 Redirect
If permit and redirect have overlapping ports and have the same priority, the priority is not deterministic; therefore, you
should not configure overlapping rules, as the one in the example. Tables 17 and 18 show an example. Such a configuration
does NOT support a meaning that the traffic forwarding action is expected to be indeterministic.
Table 17. TCAM configuration with overlapping rules with permit and redirect
EtherType Protocol Source port Destination port Action
Table 20. Rules with permit vs. rules with permit + “Log” enabled: ACI forwarding action
EtherType Protocol Source port Destination port Action
Filter priorities
An ACI forwarding decision includes filter priorities if the permit and redirect actions have the same zoning-rule priority. Table
21 summarizes the filter priorities. Specific protocols and L4 ports win. The source port is considered less specific than the
destination port.
Table 21. Filter priorities
EtherType/protocol/filter entry option Source port Destination port Priority
EtherType: unspecified - - 7
(default filter)
EtherType: unspecified - - 8
(implicit filter created by system)
Deny priorities
The administrator can set the deny entry with different priorities. The configuration location is at Tenant > Contracts >
Standard > Contract_name > Subject_name > Filter_name.
62 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Table 23. ACI forwarding action for traffic that matches both a deny rule and a more specific permit rule
EtherType Protocol Source port Destination port Action
By changing the priority for the deny entry, the deny action can be deprioritized. The “show zoning-rule” output, below, is
63 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
64 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
65 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● Define the out-of-band contracts (vzOOBBrCP) that control which protocol and ports can be used by the above hosts to
connect to the APIC, leaf nodes, and spine nodes.
● Provide the out-of-band contract from the out-of-band EPG and consuming the contract from the External Management
Instance Profile.
Figure 122 illustrates the configuration of out-of-band management in the mgmt tenant. Notice that the name of the default
Out-of-Band EPG is “default,” just like the name of the default In-band EPG, but these are two different objects so the names
can be identical.
66 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Default Release 3.0 24K 24K 12K 20K 61K (Cisco 8K (Cisco
(IPv4) ACI Release ACI Release
3.0) 3.0)
10k
(IPv6) 64K (Cisco
ACI Release
3.2)
High dual stack for: Release 3.1 64k 64k 24K 38K 8K (Cisco 0 (in Cisco
(IPv4) ACI Release ACI Release
EX, -FX2 3.1) 3.1)
19K
(IPv6) 512 (in Cisco
ACI Release
3.2)
High dual stack for: FX, Release 3.1 64K 64K 24K (ACI 38K 8K (Cisco 0 (in Cisco
-GX Release (IPv4) ACI Release ACI Release
(FX only) 3.1) 3.1) 3.1)
19K
48K (ACI (IPv6) 128K (Cisco 512 (in Cisco
Release ACI Release ACI Release
3.2) 3.2) 3.2)
32K (in Cisco
ACI Release
4.0)
High Policy (Cisco Nexus Release 4.2 24K 24K 12K 20K 256K 8K
93180YC-FX and Cisco (IPv4)
Nexus 93600CD-GX with
32GB of RAM only) 10k
(IPv6)
Note: For more information about the scale profiles, please refer to this page: https://www.cisco.com/c/en/us/td/docs
/switches/datacenter/aci/apic/sw/kb/b_Cisco_APIC_Forwarding_Scale_Profile_Policy.html
and to the scalability guide:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/verified-scalability/Cisco-ACI-Verified-Scalability-
Guide-424.html
The configuration of the hardware profiles can be performed at Fabric > Access Policies > Switches > Leaf Switches > Policy
Groups > Forwarding Scale Profile Policy, as illustrated in Figure 123.
67 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
● L4 port ranges (for instance, a security rule matching TCP with L4 ports ranging from 6000 to 6063)
● Bidirectional contracts (bidirectional rule compression)
● Reuse of the same contract among multiple EPG pairs (policy table compression)
L4 port ranges in traditional hardware have been a source of scalability concerns because they would be using some limited
hardware resources (called Logical Operation Units [LOUs]), and then, once the hardware limit was exceeded, the range
would be expanded into multiple entries, thus taking a significant amount of space in the TCAM.
Note: For more information about this issue with traditional switches, please refer to: https://community.cisco.com
/t5/networking-documents/acl-tcam-and-lous-in-catalyst-6500/ta-p/3115339
In the case of ACI leaf nodes, starting with -EX leaf nodes and newer, L4 operation ranges use one single entry in the
TCAM.
The section titled Enable Policy Compression, and the next section, below, cover the other two optimizations: bidirectional
contracts and reuse of filters with contract reuse.
Policy compression
With -EX leaf nodes and -FX leaf nodes and newer, it is possible to optimize the usage of the policy-cam as described in the
section titled Enable Policy Compression.
In summary, by configuring the option to perform compression at the filter level configuration, Cisco ACI optimizes the policy-
cam usage depending on the capabilities offered by the hardware:
● With -EX, -FX, -FX2, -FXP, and -GX leaf nods, ACI is able to use a single policy-cam entry to perform both directions of
the lookup of a bidirectional contract.
● With -FX, -FX2, -FXP, and -GX leaf nodes, ACI can reallocate the policy-cam to carve out a policy-group label table
where the EPG pairs are stored together with a pointer to the policy-cam portion that has the filters. This allows the reuse of
filters in case the same contract is reused multiple times between EPG pairs.
The carving of the policy-cam for compression reserves some space for the EPG pairs’ programming. For a default profile,
this means that 10,000 entries of policy-cam space are used for EPG pairs pointing to label entries. The space required for
EPG pairs and labels is much less than a full entry programmed with EPG class IDs and filters. For instance, with 10,000
entries of policy-cam, ACI can accommodate 20,000 EPG pairs. This means that the remaining 54,000 can be used for non-
compressed entries and for filter entries that are reused multiple times.
For a high dual stack profile, ACI allocates 20,000 entries for the policy-group table and keeps 108,000 entries for non-
compressed contracts and for filters pointed from the policy-group table (i.e. filters used by compressed entries.) This results
in the capacity to store 40,000 EPG pairs with compressed contracts.
ACI carves the policy-cam for policy-group labels only if there are contracts that include filters with compression.
One of the key points to remember for the filter reuse optimization is that even if the configuration is at the filter level, ACI can
configure the indirection only if the same contract is reused multiple times.
The following list provides a few additional important points about the filter-reuse compression feature:
● A contract can include both filters with compression enabled, and filters without compression enabled. This is
compatible with compression: the entries that have compression enabled will be referred to by the policy-group label table;
the other entries will be programmed normally.
● The optimization is applied for the rules that are present in re-used contracts. ACI is not going to compare the filters
across different contracts in order to figure out whether it is possible to reuse them. Prior to APIC Release 5.0, if a contract is
re-used across VRFs, the optimization works in each VRF independently. Starting from APIC Release 5.0, the optimization is
applied across VRFs if the same contract is reused. For example, if multiple EPGs in different VRFs and/or different tenants
reuse the same contract in common tenant, ACI is able to compress the contract filters by reusing them. The use of contract
scope set to “Application”, “VRF” or “Tenant” can be used to avoid un-intended communication while the optimization still
takes effect.
Resolution and deployment immediacy
Cisco ACI can optimize the use of hardware and software resources by programming the hardware of a given leaf with
VRFs, bridge domains, SVIs, EPGs, and contracts only if endpoints are present in the EPG of interest on that leaf. This
optimization is configurable as two separate options: Resolution Immediacy and Deployment Immediacy.
These options are configurable as part of the EPG configuration, as follows:
● For physical domains, the Deployment Immediacy option is configured as part of the EPG static port configuration
● For VMM domains, the Resolution Immediacy and Deployment Immediacy options are configured as part of the EPG
domain configuration
The two options control different aspects of the hardware programming:
● Resolution Immediacy: This option controls when VRF, bridge domains, and SVIs are programmed on the leaf nodes.
● Deployment Immediacy: This option controls when contracts are programmed in the hardware.
The options for Resolution Immediacy (that is, for programming of the VRF, bridge domain, and SVI) are as follows:
● Pre-provision: This option means that the VRF, bridge domain, SVI, and EPG VLAN mappings are configured on the
leaf nodes based on where the domain (or, to be more precise, the attachable access entity profile) is mapped within the
fabric access configuration. If an EPG (in this example, “EPG1”) is associated with a VMM domain (“VMM domain1”), the
bridge domain and the VRF to which EPG1 refers are instantiated on all of the leaf nodes where the VMM domain1 is
configured. If another EPG (“EPG2”) is also associated with VMM domain1, the bridge domain and VRF that EPG2 refers to
are also instantiated on all the leaf nodes where this VMM domain is configured.
● Immediate: This option means that the VRF, bridge domain, SVI, and EPG VLAN mappings are configured on a leaf as
soon as a hypervisor that is connected to this leaf is attached to an APIC VMM virtual distributed switch. A discovery
protocol, such as Cisco Discovery Protocol (CDP) and LLDP (Link Layer Discovery Protocol) (or the OpFlex protocol), is
used to form the adjacency and discover to which leaf the virtualized host is attached. If EPG1 and EPG2 are associated
with VMM domain1, the bridge domains and the VRFs to which these EPGs refer are instantiated only on the leaf node(s)
where the host is attached.
● On Demand: This option means that the VRF, bridge domain, SVI, and EPG VLAN mappings are configured on a leaf
switch only when a hypervisor that is connected to this leaf is connected to a virtual switch managed by the APIC, and at
least one virtual machine on the host is connected to a port group and EPG that is associated with this physical NIC and
leaf. If a virtual machine vNIC is associated with an EPG1 whose physical NIC is connected to a leaf, only the VRF, bridge
domain, and EPG VLAN related to EPG1 are instantiated on that leaf (and not the VRF, bridge domain and EPG VLAN
related to EPG2)
The options for Deployment Immediacy (that is, for programming of the policy CAM) are as follows:
● Immediate: The policy CAM is programmed on the leaf as soon as the policy is resolved to the leaf (see resolution
immediacy, above), regardless of whether the virtual machine on the virtualized host has sent traffic.
● On Demand: The policy CAM is programmed after the virtual machine sends the first packet, as soon as the first data-
plane packet reaches the leaf to trigger an endpoint learning for the EPG. The policy CAM programming is maintained and
updated while an endpoint is learned on the leaf, and also for a certain time interval even after the last endpoint for the given
EPG aged out on the leaf. The interval is the longer between the BD bounce timer and the VRF bounce timer (BD and VRF
relative to the EPG that the endpoint belongs to). The BD and VRF bounce timer configurations are found in the endpoint
retention policy for the BD and VRF respectively.
The use of the deployment on-demand option can help significantly in reducing the policy-cam utilization.
Tables 25, 26, and 27 illustrate the configuration options.
Table 25. Resolution Pre-provision and hardware programming
68 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Hardware resource VRF, bridge domain, and SVI Policy CAM VRF, bridge domain, Policy CAM
and SVI
Domain associated to On leaf nodes where AEP - On leaf nodes where On leaf nodes where
EPG (Attachable Entity Profile) and AEP and domain are AEP and domain are
domain are present present present
Leaf receives traffic Same as above On leaf Same as above Same as above
where traffic
arrives
Hardware resource VRF, bridge domain, Policy CAM VRF, bridge domain, Policy CAM
and SVI and SVI
Host discovered on leaf On leaf where host is - On leaf where host is On leaf where host is
through CDP/LLDP connected connected connected
Leaf receives traffic Same as above On leaf where Same as above Same as above
traffic arrives
Hardware resource VRF, bridge domain, Policy CAM VRF, bridge domain, Policy CAM
and SVI and SVI
Domain associated to - - - -
EPG
Host discovered on - - - -
leaf through
CDP/LLDP
Virtual machine On leaf where virtual - On leaf where virtual On leaf where virtual
associated with port machine is associated machine is associated machine is associated
group with the EPG with the EPG with the EPG
Leaf receives traffic Same as above On leaf Same as above Same as above
where traffic
arrives
Note: The On Demand option is compatible with vMotion migration of virtual machines and is based on the coordination
between APIC and the VMM.
You can choose to use the Pre-provision option for Resolution Immediacy when you need to help ensure that resources on
which the resolution depends are allocated immediately. This setting may be needed, for instance, when the management
interface of a virtualized host is connected to the ACI leaf.
For all other virtual machines, using the On Demand option saves hardware resources.
Using vzAny
The concept of vzAny was discussed in this document in the “vzAny” section of this document.
vzAny can be leveraged to avoid using too many entries in the policy-cam or too many contracts from the validated limits.
The usual ways to use vzAny to achieve this goal are as follows:
● Use vzAny as a consumer of an EPG that provides services to all the EPGs under a given VRF, thus configuring one
contract instead of using as many contracts as the consumer EPGs
● Define global rules that apply to all of the traffic between all of the EPGs of a given VRF. As an example, you may have
specific EPG-to-EPG rules which have higher priority (priority 7) than vzAny, and then a contract provided and consumed by
vzAny for some traffic types that need to be allowed among all of the EPGs.
● The last approach could also be used to deploy a combination of Cisco ACI and one or multiple firewalls, where certain
rules are configured on ACI with EPG-to-EPG contracts and other rules are defined on the firewalls. The rules that are
applied by ACI in the hardware (EPG-to-EPG rules) have a higher priority. The vzAny-to-vzAny contract would have a
redirect to a given firewall for all traffic that does not match these rules. The firewall would apply access control lists to the
redirected traffic.
The use of preferred groups for scalability purposes is less obvious; this is because the configuration of the preferred group
of a given VRF results in the creation of multiple deny rules for EPGs that are outside of the preferred group. This could
potentially take a lot of space if there are many EPGs that are not included in the preferred group.
Contracts and filters validated scalability limits
In order to plan and design for Cisco ACI, you need also to consider the verified scalability guide, which is regularly updated
at every new release.
At the time of this writing, the latest verified scalability guide is available at this location:
69 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/5-x/verified-scalability/cisco-aci-verified-scalability-
guide-501.html
This guide includes information about the hardware scale as well as the scales related to control-plane processing.
The most relevant scalability parameters related to the configuration of EPGs are the following ones:
● EPGs per tenant: At the time of this writing, the validated number is a maximum of 4000 EPGs in a single tenant for a
fabric with a single tenant, and a maximum of 500 EPGs per tenant in a fabric with multiple tenants.
● EPGs per leaf: Cisco ACI can have a maximum of 3960 EPGs on a given leaf if all of the EPGs are associated to the
same bridge domain. If, instead, each EPG is associated to a bridge domain, the maximum number if 3960/2. In general,
you can think of the limit in terms of EPG + BD <= 3960.
● EPGs per bridge domain: ACI can have a maximum of 3960 EPGs per BD on a given leaf, and a maximum of 4000
EPGs per bridge domain fabric-wide.
● Number of EPGs that consume or provide a given contract: The validated number is a maximum of 100 EPGs providing
the same contract or a maximum of 100 EPGs consuming the same contract. The maximum number of consumers from a
single EPG and single contract is 1000.*
● Overall number of EPGs per fabric: 21,000 EPGs with a Layer 2 fabric and 15,000 EPGs with a Layer 3 fabric, across
all tenants.
● Number of uSeg EPGs (IP-based or MAC based): 4000 per leaf (tested with 500 base EPGs per leaf)
The most relevant scalability parameters related to the configuration of contracts are the following ones:
● Number of contracts per fabric: 10,000 contracts per fabric, 10,000 filters per fabric
● Number of consumer EPGs x number of provider EPGs x number of filters in the contract <= 50,000
The most relevant scalability parameters related to the configuration of vzAny are the following ones:
● Maximum number of contracts provided or consumed by vzAny within a VRF for nonshared services is 70.
● Maximum number of contracts consumed by vzAny for inter-VRF traffic shared services is 16.
These numbers can change at every release as the Quality Assurance (QA) department validates scenarios with more and
more configurations, ensuring that the control plane remains responsive and that configuration changes do not become too
slow as a result of the larger configurations. You are requested to deploy solutions based on the validated limits for the
release that you are using.
Even if Cisco cannot test every single possible customer topology with all dimensions, when the scale requirements of your
design seem to require more than the validated numbers, you can ask your Cisco contact to discuss these numbers with the
QA department. Depending on the scale and complexity of your design, the QA department may be able to express an
opinion on whether the scale requested is viable or not.
*Note: It is important to consider carefully the possible impact on changing a configuration on a contract that has many
provider and consumer EPGs. If one configuration change on APIC is related to multiple zoning-rule changes at the same
time, it would take time to finish programming the hardware of a given leaf node. For example, if a permit filter that has a filter
entry for HTTP is added to a contract that has one consumer EPG and one provider EPG, it will add two zoning-rules, which
won’t take much time. However, it will add around 10,000 zoning-rules If the contract has 100 consumer EPGs and 100
provider EPGs, which will take around 10 minutes. It will take longer if the filter has multiple filter entries or if a service graph
is attached to the contract subject, which is related to more zoning-rule changes at the same time.
Contract re-use misconceptions and dos and don’ts
Cisco ACI provides the ability to reuse objects. For instance, you could define a filter once in a tenant and put the same filter
definition in multiple contracts. This is a usability feature so that you do not have to enter the same configuration multiple
times. Reusing the same filter in multiple contracts does not save space in the policy-cam. If the filter is defined in the
common tenant, you could use the same filter from any tenant, and this would save configuration time for the administrator,
because you could define a filter for HTTP and not have to rewrite the same filter rule in each and every tenant where you
define the contract. Reusing filters is a useful operational simplification.
Similarly, you could define a contract and reuse it multiple times. However, differently from reusing a filter, reusing a contract
can have traffic forwarding effects that differ from your intended configuration; this depends, among other things, on the
scope of the contract. Please refer to the section titled “Contract scope” for more information about the scope configuration.
It is a common mistake to define a contract in the common tenant (with the scope set to global, for instance) and reuse it in
different tenants. This creates VRF-sharing rules between the VRFs of the different tenants, thus enabling a communication
path between the different tenants. Unless you want to achieve inter-tenant inter-VRF forwarding, you should refrain from
reusing contracts from the common tenant that has the scope set to global. If you still think or want to define a contract in the
common tenant for operational reasons, make sure to set the scope to tenant or VRF. In summary, it is recommended to
define contracts inside the tenant where it needs to be used, unless there is a need to configure inter-tenant or inter-VRF
communication.
A common misconception related to scale consists in putting contracts in the common tenant and then using the same
contracts multiple times in different tenants in order to keep the configuration of the number of contracts within the stated
limit of 10,000. This approach does not help in terms of scalability of the control plane, but it helps for scalability of the
policy-cam utilization if Contract scope is set and Policy Compression is used. From a control plane perspective, considering
the architecture of the APIC, it is more beneficial to have contracts in different tenants.
Monitoring scale and planning for scale
You can see how much hardware is consumed by the security configurations by using the Operations / Capacity Dashboard
view in the APIC. As you can see in Figure 124, from the Capacity Dashboard you can see the policy-cam utilization of each
leaf, and in case you have contract filters with compression, you can also see the policy-group label table utilization.
70 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Another tool that can be useful to manage the policy-cam capacity utilization is the Cisco® Network Assurance Engine
(NAE). With NAE you have the ability to select multiple “dimensions” in order to see how many policy-cam entries that a
tenant is using, or a specific pair of EPGs, or a specific contract within that pair, or a specific filter. Figure 125 illustrates this
point. At the top of the figure, you can see the selection of tenant(s), EPGs, and contracts performed by the administrator; at
the bottom, you can see how many rules this specific portion of the ACI configuration is using on each leaf.
Note: For more information about Cisco NAE, please refer to https://www.cisco.com/c/en/us/products/data-center-
analytics/network-assurance-engine/index.html.
71 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
The first requirement is that EPG1 needs to access EPG Shared in a different tenant. Figure 127 illustrates the design and
overall configuration. EPG Shared in tenant-shared is the provider EPG, and EPG1 in tenant1 is the consumer EPG.
72 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
73 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
74 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
75 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
priority (priority 17); IP traffic within the VRF is permitted except for traffic that hits the rules created through user-defined
contracts (which have priority 7 or 9).
Add more EPGs
After the initial deployment, EPG4 is added, which has requirements similar but not identical to EPG1:
● EPG4 needs to access the EPG Shared in tenant-shared.
● EPG4 needs to access other EPGs in the VRF, except EPG2 and EPG3 via UDP.
Figure 136 illustrates the design and overall configuration. EPG4 has the same security requirements as EPG1 to access the
EPG Shared in tenant-shared and other EPGs in the same VRF, except EPG2 and EPG3 via UDP. By using EPG1 as the
master EPG for EPG4, EPG4 can access EPG Shared in tenant-shared and other EPGs in VRF1, except EPG2 via UDP. In
addition to this, UDP traffic between EPG3 and EPG4 needs to be denied. By configuring EPG3-to-EPG4 contract with a
deny action for UDP traffic, UDP traffic between EPG3 and EPG4 will be denied. EPG1 can still communicate with EPG3 as
the deny rule is not applicable to EPG1.
76 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Set the deny action in the UDP filter entry in the EPG1-to-EPG2 contract subject
Once contracts are defined between the EPGs, zoning rules are programmed on tenant1 VRF1. The CLI output from the
“show zoning-rule” command, shown below Figure 139, shows the zoning rules that use class ID allocations illustrated in the
figure.
77 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
78 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
+----------+----------+-------------+-------------+-------------+-------------+----------+-------------+-------------+-------------+-------------+----------+-------------+-------------+----------+
| implarp | implarp | arp | unspecified | unspecified | no | no | unspecified | unspecified | unspecified |
unspecified | dport | unspecified | unspecified | |
| implicit | implicit | unspecified | unspecified | unspecified | no | no | unspecified | unspecified | unspecified |
unspecified | implicit | unspecified | unspecified | |
| 9 | 9_0 | ip | unspecified | tcp | no | no | http | http | unspecified | unspecified | sport |
unspecified | unspecified | |
| 8 | 8_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | http | http | dport |
unspecified | unspecified | |
| 32 | 32_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | unspecified | unspecified |
proto | unspecified | unspecified | |
| default | any | unspecified | unspecified | unspecified | no | no | unspecified | unspecified | unspecified |
unspecified | def | unspecified | unspecified | |
| 57 | 57_0 | ip | unspecified | unspecified | no | no | unspecified | unspecified | unspecified | unspecified
| def | unspecified | unspecified | |
| 12 | 12_0 | ip | unspecified | udp | no | no | unspecified | unspecified | unspecified | unspecified |
proto | unspecified | unspecified | |
+----------+----------+-------------+-------------+-------------+-------------+----------+-------------+-------------+-------------+-------------+----------+-------------+-------------+----------+
Migration example
This section explains migration of traditional access-lists to ACI contracts based on the following scenario. (Please refer to
each section to understand what each feature does.)
Imagine that you are going to migrate your non-ACI network to an ACI fabric, as a result of which you might need to redefine
security policies from a block-list model to an allow-list model. At first, you might not be fully aware of which traffic should be
allowed explicitly in contracts. Table 28 summarizes typical approaches in such a situation.
Table 28. Typical migration approaches
Options Pros Cons
Use of unenforced Simple Contract policy enforcement is completely disabled in the VRF.
mode at the VRF
Use of vzAny-to- Contract policy enforcement There is no option to exclude specific EPGs from vzAny in the VRF,
vzAny contract is still possible. but you can configure specific contracts for EPGs for which you don’t
want the traffic to be implicitly allowed by the vzAny contracts.
Use of preferred Contract policy enforcement It doesn’t always help to reduce TCAM consumption.
group is still possible.
An EPG can be
added/removed to/from the
preferred group.
This section focuses on the option using preferred group, because the other options are explained in previous sections:
Unenforced mode and Design example. The advantage of using preferred group is that contract-policy enforcement is still
possible whereas unenforced mode can’t enforce policies at all, and an EPG can be added/removed to/from the preferred
group whereas vzAny includes all EPGs in the VRF. This enables you to mix the traditional block-list model with the ACI
allow-list model and to migrate security policies to the ACI allow-list model in increments as needed.
The configuration steps explained in this section are as follows:
● Enable preferred group configuration at the VRF and all EPGs in the VRF, so that all endpoints in the VRF can
communicate each other.
● After you identify what traffic should be permitted explicitly for a particular EPG, exclude the EPG from the preferred
group and add contracts to permit the specified traffic between the EPG and other EPGs.
● Add contracts between EPGs that are in the preferred group, so that specific actions, such as deny and redirect, can be
applied to particular traffic, whereas other traffic is still permitted between them.
This section does not cover how to create tenants, VRFs, BDs, EPGs, filters, and contracts. The assumption is that the items
listed below are already configured:
● ACI fabric initial setup (such as discovering APIC, leaf, and spine)
● Access policy and domain configurations
● Tenants, VRFs, BDs, EPGs, and filters
Enable preferred group configuration at the VRF and all EPGs in the VRF
Figure 141 illustrates the design and configuration in this step. Because all of EPGs in the VRF are in the preferred group, all
endpoints can communicate with each other within the VRF, which essentially means permit-all within the VRF.
79 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
80 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
81 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
82 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
83 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
84 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
[contract:uni/tn-tenant1/brc-Contract1] [hit=0]
[16:4257] [vrf:tenant1:VRF1] permit any epg:any tn-tenant1/bd-BD1(32772) [contract:implicit] [hit=0]
[16:4277] [vrf:tenant1:VRF1] permit any epg:any tn-tenant1/bd-BD2(32776) [contract:implicit] [hit=0]
[16:4259] [vrf:tenant1:VRF1] permit arp epg:any epg:any [contract:implicit] [hit=0]
[21:4220] [vrf:tenant1:VRF1] deny,log any epg:any epg:any [contract:implicit] [hit=0]
[22:4210] [vrf:tenant1:VRF1] deny,log any epg:any pfx-0.0.0.0/0(15) [contract:implicit] [hit=0]
Using the object store browser to find EPGs using a specific class-ID
Another tool that you can use for troubleshooting is the object store browser, which can be accessed at https://APIC_IP
/visore.html. As an example, you may want to find which EPG is using a specific class ID. Figure 150 shows how to perform
that search. This example is to search an EPG with class ID 16388. The class “fvAEPg” is the class name for EPG. The
property “pcTag” means class ID.
85 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
SMac: 0x005056af31d3, DMac:0x0022bdf819ff, SIP: 192.168.1.1, DIP: 192.168.2.1, SPort: 52878, DPort: 22, Src Intf: port-
channel1, Proto: 6, PktLen: 66
[2020-04-23T17:06:47.049224000+00:00]: CName: tenant1:VRF1(VXLAN: 2850817), VlanType: FD_VLAN, Vlan-Id: 89,
SMac: 0x005056af31d3, DMac:0x0022bdf819ff, SIP: 192.168.1.1, DIP: 192.168.2.1, SPort: 52878, DPort: 22, Src Intf: port-
channel1, Proto: 6, PktLen: 66
[2020-04-23T17:06:46.316771000+00:00]: CName: tenant1:VRF1(VXLAN: 2850817), VlanType: FD_VLAN, Vlan-Id: 89,
SMac: 0x005056af31d3, DMac:0x0022bdf819ff, SIP: 192.168.1.1, DIP: 192.168.2.1, SPort: 52878, DPort: 22, Src Intf: port-
channel1, Proto: 6, PktLen: 66
[2020-04-23T17:06:46.273541000+00:00]: CName: tenant1:VRF1(VXLAN: 2850817), VlanType: FD_VLAN, Vlan-Id: 89,
SMac: 0x005056af31d3, DMac:0x0022bdf819ff, SIP: 192.168.1.1, DIP: 192.168.2.1, SPort: 52878, DPort: 22, Src Intf: port-
channel1, Proto: 6, PktLen: 110
<snip>
The commands above are for per-packet information. Per-flow information can be verified by using the “show logging ip
access-list cache deny” and “show logging ip access-list cache permit” commands on a leaf node. Deny- and permit-log
information is available on the APIC GUI as well. Please refer to the section “Log” for more details.
Viewing contract rules statistics from the APIC GUI
In the APIC GUI, you can also troubleshoot ACI contracts and rules in certain cases at the Tenant level (with an aggregate
view of the statistics from all leaf nodes) or from the Fabric Inventory view (which is the GUI equivalent of the per-leaf CLI
commands).
Adding the log option to contract filter rules enables troubleshooting at the Tenant level, but it requires adding the log
configuration to policy-cam rules and logging packets to the CPU: this requires extra configurations, and does not provide
accurate counters (please see the section “Log” for details).
ACI also lets you see the aggregate information for the traffic going between EPGs and allowed by a given contract, as you
can see in Figure 151. In order to view these statistics, you need to go to Tenant > Application Network Profile > EPG. Select
the EPG, then look at the tab: Operational > Contracts > To EPG Traffic. This displays, for instance, the SSH traffic between
the Web EPG and App EPG, whose respective 15-minute packet counters indicate 66 and 51. These are aggregate counters
across all leaf nodes and do not offer a per-filter rule view.
86 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
87 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
88 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Q. Can we use vzAny as the consumer and provider to the same contract?
A. Yes; however, vzAny cannot be a provider of an inter-VRF contract.
Q. What protocols are implicitly permitted by default? Do you have a list of implicit rules?
A. If you do not configure a contract, traffic is permitted only for the following types of packets and the traffic where the
source and destination class IDs are the same (intra-EPG traffic):
● ARP reply (unicast)
● DHCP v4 (prot 0x11, sport 0x44, dport 0x43)
● DHCP v4 (prot 0x11, sport 0x43, dport 0x44)
● DHCP v6 (prot 0x11, sport 0x222, dport 0x223)
● OSPF (prot 0x59)
● EIGRP (prot 0x58)
● PIM (prot 0x67)
● IGMP (prot 0x2)
● ND-Sol ICMPv6 (prot 0x3a dport 0x0087)
● ND-Advt ICMPv6 (prot 0x3a dport 0x0088)
Table 29 summarizes other implicit rules.
Table 29. Implicit rule list
When it is used Source Destination Filter ID Action Explanation Priority*
class ID class ID
Permit traffic from 1 0 Implicit Permit This is to permit traffic from pervasive 0
pervasive routes routes such as BD SVI and L3Out
logical interface subnet to any. It does
not appear in “show zoning-rule”
output.
Allow micro- 0 10 Implicit Deny, Deny traffic if for some reason traffic 2
segmentation on an log is incorrectly classified based on
EPG in VMware vDS 10 0 (unspecified) VLANs instead of MAC
VMM domain
Intra EPG permit EPG1 EPG1 Implicit Permit This is to permit intra-EPG 3
communication. It is programmed in
(unspecified) hardware during system startup on
leaf nodes. It does appear not in
"show zoning-rule” output.
Inter-VRF contract Provider 14 Implicit Permit The implicit rule is programmed in the 9
EPG provider VRF to permit traffic from the
Provider VRF Global provider EPG to the consumer EPG.
class ID Then policy is enforced at the
consumer VRF.
Permit unknown 0 BD class ID Implicit Permit Permit and flood the unknown unicast 16
unicast traffic traffic on the ingress leaf and enforce
(unspecified) the policy on the egress leaf.
Permit ARP unicast 0 0 Implarp Permit Permit any-to-any ARP unicast traffic 17
(EtherType:
ARP)
L3Out EPG with 0 15 Implicit Deny, It is not used and not even 22
0.0.0.0/0 subnet log programmed on hardware unless
(unspecified) preferred group is enabled.
Preferred group at VRF At EPG 2.1(1) If at least one EPG is in a preferred group,
the preferred group is automatically
Preferred group at EPG enabled at the VRF.
vzAny at VRF At VRF 2.2(3) vzAny with Service Graph PBR is not
supported.
89 of 90 07/11/2021 16:44
Cisco Application Centric Infrastructure - Cisco ACI Co... about:reader?url=https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fwww.cisco.com%...
Apply Both Directions at At contract 1.0 Reverse Filter Port option is not available
contract subject at MSO. It is always enabled if Apply Both
Directions is enabled.
Service graph at contract At contract 1.2(1) A two-node service graph requires MSO
subject Release 2.0(1) or later.
90 of 90 07/11/2021 16:44