ACI Contract and Zoning rules Explained

What is ACI Contract

  • Cisco ACI uses a whitelist model: all communication is blocked by default and must be given explicit permission. This is where contracts come into the picture.
  • A contract is a policy in ACI whose purpose is to define communication between EPGs. Without a contract between EPGs, no unicast communication is possible between those EPGs by default,
    except where the VRF is configured in “unenforced” mode or the EPGs are in a preferred group.


ACI Contract and Zoning Rules

When a contract is applied on EPGs (provided/consumed), zoning rules are pushed to the corresponding leaf switches, and EPGs are identified by their pctag (sclass) value.


In this article, we will go through three ways to create a contract subject:

  • Apply Both Directions unchecked.
  • Apply Both Directions checked + Reverse Filter Ports unchecked.
  • Apply Both Directions checked + Reverse Filter Ports checked.

I- Unidirectional Contract (Apply Both Directions unchecked):


When applying the contract on the consumer and provider EPGs, a zoning rule is created:

LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+
|   4892  | 16401  | 32797  |    10    | uni-dir | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+

The created rule shows:

  • The consumer EPG as source EPG (SrcEPG)
  • The provider EPG as destination EPG (DstEPG)
  • Filter ID 10

If we check filter ID 10, we see that the destination port is http:

LEAF_1# show zoning-filter filter 10
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    10    | 10_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    http   |   http  | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+


In summary, the zoning rule is added when applying the contract “Contract-1”, and it allows traffic sourced from the src EPG (16401) to the dst EPG (32797) according to filter ID 10.

The filter ID specifies TCP traffic with destination port HTTP.

As a result, TCP traffic sourced from EPG (16401) to the dst EPG (32797) with destination port HTTP is allowed. In this case, the return traffic is not allowed (unidirectional).


Notes:

Even when “Apply Both Directions” is unchecked, we can establish bidirectional traffic by adding another filter (to the same contract) with reversed ports under “Filter Chain For Provider to Consumer”; the first filter was created under “Filter Chain For Consumer to Provider”.

If we check the zoning rules, we can see that another rule is added, the Dir of the first rule is turned into bi-dir, and the return traffic is indicated by uni-dir-ignore:

LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
|   4892  | 16401  | 32797  |    10    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4893  | 32797  | 16401  |    11    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+


LEAF_1# show zoning-filter filter 10
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |    Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+
|    10    | 10_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    http   |   http  | dport |  unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+
LEAF_1# show zoning-filter filter 11
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    11    | 11_0 |   ip   | unspecified | tcp  |      no     |    no    |    http   |   http  | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+


II- Bidirectional Contract (Apply Both Directions checked, Reverse filter ports unchecked):


In the zoning rules, two rules were added. Both rules use the same filter, which means the same source and destination ports are used in both directions. This will not lead to bidirectional traffic; we can see that both “Dir” values are “uni-dir”.


  • Zoning Rule:
LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+
|   4892  | 16401  | 32797  |    10    | uni-dir | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4893  | 32797  | 16401  |    10    | uni-dir | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+---------+---------+---------+------------+--------+---------------+
  • Filter id 10:
LEAF_1# show zoning-filter filter 10
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |    Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+
|    10    | 10_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    http   |   http  | dport |  unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+--------------+-------------+----------+


Notes:

When Reverse Filter Ports is unchecked, we can’t have bidirectional traffic with one filter (single entry), unless it’s the default filter or a filter with unspecified source and destination ports.

Also, we can achieve bidirectional traffic when Reverse Filter Ports is unchecked by:

  • Adding another entry to the filter for the return traffic (with reversed ports):
LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
|   4893  | 32797  | 16401  |   148    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4892  | 16401  | 32797  |   148    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+


  • Adding another filter to the subject containing an entry for the return traffic:
LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
|   4892  | 16401  | 32797  |    10    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4893  | 32797  | 16401  |    10    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4895  | 32797  | 16401  |    11    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4894  | 16401  | 32797  |    11    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+


But this isn’t recommended due to the high usage of TCAM resources: since Apply Both Directions is applied to all filters in the contract subject, additional rules are created.


III- Bidirectional Contract (Apply Both Directions checked, Reverse filter ports checked):


In the zoning rules, two rules were added, each with a different filter.

  • Filter 10 (Destination port HTTP): for the traffic from source (consumer) EPG to destination (provider) EPG.
  • Filter 11 (Source port HTTP): for the traffic from destination (provider) EPG to source (consumer) EPG.
  • Zoning rules:
LEAF_1# show zoning-rule contract Contract-1
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
|   4893  | 16401  | 32797  |    10    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4892  | 32797  | 16401  |    11    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+------------+--------+---------------+
LEAF_1# show zoning-filter filter 10
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   | DFromPort | DToPort |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
|    10    | 10_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |    http   |   http  | dport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
LEAF_1# show zoning-filter filter 11
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful | SFromPort | SToPort |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+
|    11    | 11_0 |   ip   | unspecified | tcp  |      no     |    no    |    http   |   http  | unspecified | unspecified | sport | unspecified | unspecified |          |
+----------+------+--------+-------------+------+-------------+----------+-----------+---------+-------------+-------------+-------+-------------+-------------+----------+

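As an added example (not from the article or any Cisco tool), the following Python checker parses the leaf's show zoning-rule and show zoning-filter tables and decides whether a TCP flow between two pctags is permitted. It reproduces why scenario II above (Reverse Filter Ports unchecked) does not allow the return traffic while scenario III does. The embedded tables are constructed copies of the output shown above, and the service-name mapping (http = 80) is an assumption of this example.

```python
# Added example, not from the article: parse "show zoning-rule" / "show zoning-filter"
# output and evaluate a TCP flow (src pctag -> dst pctag, sport, dport) against it.
# Tables are constructed copies of the article's scenario II and III output.
from typing import Dict, List
PORT_NAMES = {"http": 80, "https": 443}  # assumed service-name mapping for this example

FILTER_TABLE = """\
| FilterId | Name | EtherT |    ArpOpc   | Prot | ApplyToFrag | Stateful |  SFromPort  |   SToPort   |  DFromPort  |   DToPort   |  Prio |   Icmpv4T   |   Icmpv6T   | TcpRules |
|    10    | 10_0 |   ip   | unspecified | tcp  |      no     |    no    | unspecified | unspecified |     http    |     http    | dport | unspecified | unspecified |          |
|    11    | 11_0 |   ip   | unspecified | tcp  |      no     |    no    |     http    |     http    | unspecified | unspecified | sport | unspecified | unspecified |          |
"""
RULES_II_TABLE = """\
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
|   4892  | 16401  | 32797  |    10    |     uni-dir    | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4893  | 32797  | 16401  |    10    |     uni-dir    | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
"""
RULES_III_TABLE = """\
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    | Action |    Priority   |
|   4893  | 16401  | 32797  |    10    |     bi-dir     | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
|   4892  | 32797  | 16401  |    11    | uni-dir-ignore | enabled | 2654208 | Contract-1 | permit | fully_qual(7) |
"""

def parse_table(text: str) -> List[Dict[str, str]]:
    """Turn an ASCII table into row dicts keyed by header; '+---' border lines are skipped."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in text.splitlines() if ln.lstrip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def port_matches(lo: str, hi: str, port: int) -> bool:
    """'unspecified' is a wildcard; otherwise the port must fall within [lo, hi]."""
    if "unspecified" in (lo, hi):
        return True
    def num(v: str) -> int:  # resolve a service name or a numeric port
        return PORT_NAMES[v] if v in PORT_NAMES else int(v)
    return num(lo) <= port <= num(hi)

def flow_permitted(rules, filters, src: str, dst: str, sport: int, dport: int) -> bool:
    """True if an enabled permit rule src->dst has a TCP filter entry matching both ports."""
    for r in rules:
        if (r["SrcEPG"], r["DstEPG"], r["operSt"], r["Action"]) != (src, dst, "enabled", "permit"):
            continue
        for f in filters:  # Dir is informational: each rule is judged on its own src/dst/filter
            if f["FilterId"] == r["FilterID"] and f["Prot"] == "tcp" \
                    and port_matches(f["SFromPort"], f["SToPort"], sport) \
                    and port_matches(f["DFromPort"], f["DToPort"], dport):
                return True
    return False

FILTERS, RULES_II, RULES_III = (parse_table(t) for t in (FILTER_TABLE, RULES_II_TABLE, RULES_III_TABLE))
```

With an ephemeral client port of 45000, the consumer-to-provider flow (16401 to 32797, dport 80) passes in both scenarios, but the return flow (32797 to 16401, sport 80) is only permitted by the scenario III rule that references filter 11.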

TCAM usage Best practice

To overcome the issues caused by the high number of rules (contracts) pushed to the leaf, we have some options:

  1. Lower the number of zoning-rules programmed on the leaf (by re-designing how contracts should be applied between EPGs).
  2. Use a vzAny contract.
  3. Verify if the leaf forwarding scale profile can be changed to a profile which allows a higher Policy CAM entries value: # moquery topoctrlFwdScaleProfilePol
  4. Enable the Policy Compression feature.

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5