
Implement Cisco ACI Tenant Policies

Note: Be sure to review the Objectives and Job Aids links above for required information. Password Information and Command Lists for Detailed Lab Steps are in the Job Aids link.

Task 1: Create a Tenant and VRF



• Step 1:

Connect to Cisco APIC GUI.

Tip:
On your Student PC, open Google Chrome and connect to the APIC GUI at https://10.10.1.145.

• Step 2:

Login with admin credentials.

Tip:
Accept the security warning and log in as admin with password 1234QWer.
• Step 3:

Create a new tenant.

Tip:
Click Begin First Time Setup and then Close. In the Cisco APIC GUI, go to Tenants > Add Tenant.

• Step 4:

Name your tenant Sales and save it without creating a VRF.


Tip:
Enter Sales as the tenant name and click Submit without providing any other parameters.

Note

You can learn about the meaning of an object and its parameters by clicking the question mark (?) button in the top-right corner.

Note

You could create a VRF on this page, but you will configure it in a separate step.

• Step 5:

Within the Sales tenant, create a VRF. A VRF is a Layer 3 context network that provides IP address space isolation for tenants. Each
tenant can have one or more VRFs or share one default VRF with other tenants when no overlapping IP addressing is being used in the
Cisco ACI fabric.

Tip:
Within the Sales tenant, go to Networking, right-click VRFs, and choose Create VRF.
• Step 6:

Name your VRF Presales_VRF and save it. Don’t create a bridge domain at this point.

Tip:
Enter the VRF name Presales_VRF and clear the Create a Bridge Domain check box. Leave other settings at their default values. Click
Finish.
Note

Enforced policy is the default setting, which indicates that no traffic is permitted between EPGs unless a contract specifically permits it.
This type of operation is known as the allow-list model. It permits unrestricted communication between endpoints of the same EPG and
requires contract-based permissions (allow lists) to allow traffic between EPGs.

• Step 7:

Click Finish.

Task 2: Create Bridge Domain and Subnets



• Step 1:

Create a bridge domain within the Sales tenant.

Tip:
Within the Sales tenant, go to Networking, right-click Bridge Domains, and choose Create Bridge Domain.
• Step 2:

Name the bridge domain Presales_BD and associate it with the Presales_VRF VRF.

Tip:
In the Name field, enter Presales_BD and choose Presales_VRF from the VRF drop-down menu for association with the bridge domain.
Leave all other parameters at their default values, and then click Next.
Note

The bridge domain type specifies whether the bridge domain supports Fibre Channel over Ethernet (FCoE) communication or regular
Ethernet traffic. The default setting is Regular.

• Step 3:

Examine the default Layer 3 configuration values without changing any of them.

Tip:
Click Next.
Note

By default, unicast routing and ARP flooding are enabled.

Note

You could define subnets from this page, but you will do it in a separate step.

• Step 4:

Examine the advanced/troubleshooting options of a bridge domain. Do not change the default values.

Tip:
Click Finish.
Note

First-hop security and other policies are enabled per bridge domain. Because a bridge domain can be deployed on a single leaf switch or
across multiple leaf switches, the first-hop security threat control and mitigation mechanisms cover both single-switch and
multiple-switch scenarios.

• Step 5:

Next, you will configure subnets, which define the IP address range that can be used within the bridge domain. While a VRF defines a
unique Layer 3 space, that space can consist of multiple subnets. These subnets are defined per bridge domain. A bridge domain can
contain multiple subnets, but a subnet is contained within a single bridge domain. Within the Sales tenant, expand the Presales_BD
bridge domain.

Tip:
Navigate to Sales tenant > Networking > Presales_BD bridge domain located inside the Bridge Domains folder.
• Step 6:

Create a new subnet.

Tip:
Right-click Subnets and choose Create Subnet.
• Step 7:

Set a gateway IP 10.0.1.254/24 and save the changes.

Tip:
In the Gateway IP field, enter the gateway IP 10.0.1.254/24. Leave other settings at their default values and click Submit.
Note

The remaining settings allow you to declare the subnet as a virtual IP address configured for the associated bridge domain. Making the
address primary, a setting affecting only the DHCP relay, indicates a preference over the available alternatives. The scope defines the
visibility range of the subnet.

• Step 8:

Use the same procedure to configure three more subnets with default gateways 10.0.2.254/24, 10.0.3.254/24, and 10.0.4.254/24 and
verify the configuration. Observe the created subnets.

Tip:
Right-click Subnets and choose Create Subnet. In the Gateway IP field, enter the gateway IP and click Submit. Repeat this for all three
subnets. When finished, expand the Presales_BD bridge domain and click on the Subnets folder. You should see 4 subnets created.

Task 3: Create an Application Profile and EPGs

• Step 1:

Create an application profile within the Sales tenant.

Tip:
Within the Sales tenant, right-click Application Profiles and choose Create Application Profile.
• Step 2:

Name the application profile eCommerce_AP. Add an EPG named Web_EPG and associate it with the Presales_BD.

Tip:
In the Name field, enter eCommerce_AP. Click the plus sign (+) in the EPGs table. Enter Web_EPG as the name of the EPG identity.
From the Bridge Domain drop-down, choose Presales_BD, and click Update.
• Step 3:

Use the same procedure to create two more EPGs, App_EPG and DB_EPG, associated with the same bridge domain.

Tip:
You can click the plus sign (+) button or right-click the application profile to add the new EPGs. Once the three EPGs are created, click
Submit.
• Step 4:

Examine the App_EPG general policy settings. You will see more options than are presented in the configuration wizard.

• Step 5:

Expand Application Profiles > eCommerce_AP > Application EPGs > App_EPG. Choose App_EPG and examine the configuration
settings by navigating to Policy > General in its work pane.

Note

You can define, among other things, QoS-related parameters and intra-EPG isolation, which provides full isolation for virtual or physical
endpoints. No communication is allowed between endpoints in an EPG that is operating with isolation enforced. Isolation-enforced EPGs
reduce the number of EPG encapsulations required when many clients access a common service but are not allowed to communicate with
each other. The intra-EPG isolation state can be enforced or unenforced.

Task 4: Create Filters and Contracts



• Step 1:

Navigate to the Filters tab under Sales tenant.

Tip:
Within the Sales tenant, go to Contracts > Filters.
• Step 2:

Create a new filter.

Tip:
Right-click Filters and choose Create Filter.
• Step 3:

Name the filter Basic_Fltr, configure the first entry to permit all ICMP traffic, and name it ICMP. A filter entry can be considered a single
permit line in a classic access list.

Tip:
In the Name field, enter the name Basic_Fltr. Click the plus sign (+) to add an entry.

Configure the first entry to permit all ICMP traffic:

◦ Name: ICMP
◦ Ethertype: IP
◦ IP protocol: icmp
• Step 4:

Configure another entry to permit SSH traffic and name it TCP22.

Tip:
Click Update and click the plus sign (+) to add another entry.

Configure to permit SSH:

◦ Name: TCP22
◦ Ethertype: IP
◦ IP protocol: tcp
◦ Stateful option: checked (True)
◦ Source port range: Unspecified
◦ Destination port range: From 22 to 22
• Step 5:

Save the filter configuration with two entries.

Tip:
Click Update, and then Submit.

• Step 6:

Create another filter.

Tip:
Right-click Filters and click Create Filter to create another filter.
• Step 7:

Name the filter HTTP_Fltr, configure an entry to permit HTTP traffic and name it TCP80. Enable stateful packet handling.

Tip:
In the Name field, enter HTTP_Fltr and add an entry named TCP80 to allow TCP traffic to destination port 80 (HTTP).

Configure the entry with the following parameters:

◦ Name: TCP80
◦ Ethertype: IP
◦ IP Protocol: tcp
◦ Stateful Option: checked (True)
◦ Source Port Range: Unspecified
◦ Destination Port Range: From http to http

• Step 8:

Save the filter configuration.

Tip:
Click Update and Submit.
• Step 9:

Create another filter.

Tip:
Right-click Filters and click Create Filter to create a new filter.
• Step 10:

Name the filter FTP_Fltr. Add an entry, named TCP21, to allow TCP traffic to destination port 21. Enable stateful packet handling.

Tip:
In the filter Name field, enter FTP_Fltr. Configure the entry with the following parameters:
◦ Name: TCP21
◦ Ethertype: IP
◦ IP Protocol: tcp
◦ Stateful Option: checked (True)
◦ Source Port Range: Unspecified
◦ Destination Port Range: From 21 to 21
• Step 11:

Save the filter configuration.

Tip:
Click Update and Submit.

Note

A contract provides a service contract relationship between two or more participating EPGs. You will first configure the contract
WebServices_Ct to permit basic (ICMP, SSH) and HTTP access.
• Step 12:

Create a contract under Sales tenant.

Tip:
Within the Sales tenant, go to Contracts > Standard, right-click the menu, and choose Create Contract.

• Step 13:

Name the contract WebServices_Ct and leave the scope selection at the default value (VRF).

Tip:
In the Name field, enter WebServices_Ct. Under the Scope drop-down menu, choose VRF.
Note

The scope declares the maximum extent of a contract and is related to contract reusability. With VRF, the contract will be applied for EPGs
associated with the same VRF (context). With Application Profile, the contract will be applied for EPGs in the same application profile.
With Tenant, the contract will be applied for EPGs within the same tenant. With Global, the contract will be applied for EPGs throughout
the fabric. If you reuse a contract inside the same scope, you may unexpectedly define undesired permissions.

• Step 14:

Add a subject.

Note

A subject is a sub-application running behind an endpoint group (for example, an email server). A subject is parented by the contract,
which can encapsulate multiple subjects. An endpoint group associated with a contract is providing one or more subjects or is
communicating with the subject as a peer entity.

Tip:
Click the plus sign (+) in the Subjects table to add a subject.
• Step 15:

Configure a subject named WebServices_Subj. The subject name does not have to match the contract name; this choice is made for
simplicity. Apply settings to both directions and reverse filter ports. Add two filters with Action set to Permit: Basic_Fltr and HTTP_Fltr.

Tip:
In the Subject Name field, enter WebServices_Subj.
Use the following values:

◦ Apply Both Directions: Checked (default setting, filters traffic flowing in both directions)
◦ Reverse Filter Ports: Checked (default setting, proper handling of return traffic)
◦ Add two filters (by clicking the plus sign (+) button) to the filter chain: Basic_Fltr and HTTP_Fltr, clicking Update after each
insertion. Leave other settings at their default values (Directives none, Action permit, Priority default). Similar to an ACL, the
action defines whether to allow or deny the traffic.

• Step 16:

Save the subject and contract configurations and review the created contract.

Tip:
Click OK to complete the subject configuration and Submit to complete the contract configuration. Navigate to Contracts > Standard >
WebServices_Ct > WebServices_Subj to review the created contract.
Note

If you get an error, discard the previous configuration, recreate the contract, re-add the subject to the contract, and submit the
configuration without adding any filters to the subject. Then edit the contract by adding the filters to the subject.

• Step 17:

Use the same procedure to configure another standard contract, named FileServices_Ct, with the subject FileServices_Subj, which
includes two filters, Basic_Fltr and FTP_Fltr. Save the subject and contract configuration.

Tip:
Within the Sales tenant, go to Contracts > Standard, right-click the menu, and choose Create Contract. In the Name field, enter
FileServices_Ct. Under the Scope drop-down menu, choose VRF. Click the plus sign (+) in the Subjects table to add a subject. In the
Subject Name field, enter FileServices_Subj. Use the following values:
◦ Apply Both Directions: Checked (default setting, filters traffic flowing in both directions)
◦ Reverse Filter Ports: Checked (default setting, proper handling of return traffic)

Add two filters (by clicking the plus sign (+) button) to the filter chain: Basic_Fltr and FTP_Fltr, clicking Update after each insertion. Leave
other settings at their default values (Directives none, Action permit, Priority default). Click OK to complete the subject configuration and
Submit to complete the contract configuration.
Note

The contract FileServices_Ct will be used to control access from the second application tier (App_EPG) to the third tier (DB_EPG).

• Step 18:

Verify the two standard contracts are present.

Tip:
Navigate to tenant Sales > Contracts > Standard.
Task 5: Apply Contracts to EPGs

• Step 1:

Navigate to your App_EPG.

Tip:
Within the Sales tenant, go to Application Profiles, expand the eCommerce_AP application profile and the Application EPGs, and click
on App_EPG.
• Step 2:

Add the provided contract to App_EPG. App_EPG should act as the contract provider, offering web services to the consumer, Web_EPG.

Tip:
Right-click App_EPG and choose Add Provided Contract.

Note

The available options include the Add Intra-EPG Contract, which would use a contract to control traffic between endpoints of the same
EPG. This option is not supported in AVS, AVE, and Microsoft domains.

• Step 3:

Choose the WebServices_Ct contract and save the configuration.

Tip:
In the Contract drop-down menu, choose WebServices_Ct. Do not set any labels and click Submit.
• Step 4:

Add consumed contract to Web_EPG.

Tip:
Right-click Web_EPG and choose Add Consumed Contract.

• Step 5:

Choose the WebServices_Ct contract and save the configuration.

Tip:
In the Contract drop-down menu, choose WebServices_Ct. Do not set any labels and click Submit.
• Step 6:

Examine the permissions diagram in eCommerce_AP application profile.

Tip:
Click the eCommerce_AP application profile and then click the Topology tab. App_EPG grants services defined in the WebServices_Ct
contract to the Web_EPG.
• Step 7:

Use the same approach to make DB_EPG provide services allowed by the FileServices_Ct contract to App_EPG. (App_EPG is the
consumer, and DB_EPG is the provider.)

Tip:
Repeat the previous steps of this task (steps 1-6) to add the provided contract FileServices_Ct to DB_EPG and the consumed contract
FileServices_Ct to App_EPG.
• Step 8:

Verify the contracts applied to the EPGs.

Tip:
Click the eCommerce_AP application profile and then click the Topology tab. This step completes the exercise.
Note

The contract FileServices_Ct will be used to control access from the second application tier (App_EPG) to the third tier (DB_EPG).
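The policy built by hand in Tasks 1 through 5, as an added example that is not part of the lab: the same tenant, VRF, bridge domain, subnets, filters, contracts and provider/consumer relationships expressed as the managed-object tree the APIC REST API accepts, followed by an offline check of which consumer-to-provider flows the two contracts permit. Class and attribute names (fvTenant, vzBrCP, fvRsProv and so on) follow the ACI object model; the tree is constructed locally and nothing is sent to a fabric.

```python
# Added example (not from the lab): Tasks 1-5 as the managed-object tree the APIC REST API
# accepts (ACI class/attribute names), plus an offline check of the flows the contracts permit.
def mo(cls, attrs, children=()):          # one managed object in APIC JSON shape
    return {cls: {"attributes": attrs, "children": list(children)}}
def tcp_entry(name, port):                # stateful TCP entry to one destination port
    return mo("vzEntry", {"name": name, "etherT": "ip", "prot": "tcp", "stateful": "yes",
                          "dFromPort": str(port), "dToPort": str(port)})
def contract(name, subj, filters):        # scope "context" is the API name for the VRF scope
    return mo("vzBrCP", {"name": name, "scope": "context"}, [mo("vzSubj",
        {"name": subj, "revFltPorts": "yes"},          # Reverse Filter Ports checked
        [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f}) for f in filters])])
def epg(name, provides=(), consumes=()):  # EPG in Presales_BD with its contract roles
    rels = [mo("fvRsBd", {"tnFvBDName": "Presales_BD"})]
    rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, rels)

SALES_TENANT = mo("fvTenant", {"name": "Sales"}, [
    mo("fvCtx", {"name": "Presales_VRF", "pcEnfPref": "enforced"}),   # allow-list VRF
    mo("fvBD", {"name": "Presales_BD", "unicastRoute": "yes", "arpFlood": "yes"},
       [mo("fvRsCtx", {"tnFvCtxName": "Presales_VRF"})]
       + [mo("fvSubnet", {"ip": "10.0.%d.254/24" % i}) for i in range(1, 5)]),
    mo("vzFilter", {"name": "Basic_Fltr"}, [tcp_entry("TCP22", 22),
        mo("vzEntry", {"name": "ICMP", "etherT": "ip", "prot": "icmp"})]),
    mo("vzFilter", {"name": "HTTP_Fltr"}, [tcp_entry("TCP80", "http")]),  # "http" = port 80
    mo("vzFilter", {"name": "FTP_Fltr"}, [tcp_entry("TCP21", 21)]),
    contract("WebServices_Ct", "WebServices_Subj", ["Basic_Fltr", "HTTP_Fltr"]),
    contract("FileServices_Ct", "FileServices_Subj", ["Basic_Fltr", "FTP_Fltr"]),
    mo("fvAp", {"name": "eCommerce_AP"}, [
        epg("Web_EPG", consumes=["WebServices_Ct"]),
        epg("App_EPG", provides=["WebServices_Ct"], consumes=["FileServices_Ct"]),
        epg("DB_EPG", provides=["FileServices_Ct"])])])

def kids(obj, cls):                       # children of obj that belong to class cls
    return [c[cls] for c in obj["children"] if cls in c]
def allowed_flows(tenant):
    """Flows (consumer_epg, provider_epg, proto, dport) the contracts permit; all else is dropped."""
    t, a = tenant["fvTenant"], (lambda o: o["attributes"])
    filt = {a(f)["name"]: [(a(e)["prot"], a(e).get("dFromPort", "any"))
                           for e in kids(f, "vzEntry")] for f in kids(t, "vzFilter")}
    ct = {a(c)["name"]: [a(r)["tnVzFilterName"] for s in kids(c, "vzSubj")
                          for r in kids(s, "vzRsSubjFiltAtt")] for c in kids(t, "vzBrCP")}
    prov, cons = {}, {}
    for e in [g for ap in kids(t, "fvAp") for g in kids(ap, "fvAEPg")]:
        for r in kids(e, "fvRsProv"):
            prov.setdefault(a(r)["tnVzBrCPName"], []).append(a(e)["name"])
        for r in kids(e, "fvRsCons"):
            cons.setdefault(a(r)["tnVzBrCPName"], []).append(a(e)["name"])
    return {(c, p, prot, port) for name, fl in ct.items() for c in cons.get(name, [])
            for p in prov.get(name, []) for f in fl for prot, port in filt[f]}
```

The check confirms the allow-list model of the enforced VRF: Web_EPG reaches App_EPG only on ICMP, TCP/22 and HTTP, App_EPG reaches DB_EPG only on ICMP, TCP/22 and TCP/21, and no contract links Web_EPG to DB_EPG at all. The same tree, serialized with json.dumps, is the shape an authenticated POST to the APIC's /api/mo/uni.json endpoint expects.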

Lab Completion Instructions


You have now completed this lab exercise.
Please click 'End Session'.

Choose 'Exit'.
