Cisco ACI Contract Priorities Explained & Example

Cisco ACI Contract Priorities Explained & Example

Note: This post is based on Cisco ACI Contract white paper document.

Cisco ACI Contract priorities

When using contracts that include a combination of EPG-to-EPG contracts, with EPGs that may be part of preferred groups or vzAny contracts, it is necessary to understand the relative priority of the rules that are programmed in the TCAM in order to understand the policy enforcement behavior.


Cisco ACI Contract Priorities General Rules

The following list provides a summary of the high-level rules of priority used when filtering traffic:

●     More specific EPGs win over vzAny and preferred groups.

  • EPG-to-EPG (priority 7 or 9) wins over EPG-to-vzAny (priority 13 or 15) and vzAny-to-EPG (priority 14 or 16), which wins over vzAny-to-vzAny (priority 17 or 20)
  • Specific source wins over specific destination (for example, EPG-to-vzAny wins over vzAny-to-EPG).

●     More-specific L4 rules win.

  • Specific filters win over the “any” filter (for example, an EPG-to-EPG contract with a specific filter wins over one with a default filter).
  • Specific destination wins over specific source (for example, sport-any-to-dport-80 wins over sport-80-to-dport-any).

●     Deny actions win. Specific protocol wins.

  • Within the same zoning-rule priority, deny + log wins over deny, which wins over redirect or permit action.
  • Between redirect and permit actions, a more specific protocol and a specific L4 port win.
  • Between redirect and permit, if the filters are the same, redirect wins over the permit.


Note

The lower the number of the priority, the higher the priority.


Cisco ACI Contract Priorities Summary Table

The following table provides a brief (common use cases) of contract priority used when filtering traffic:

When it is used

Source class id

Destination class id

Filter ID

Action

Note

Priority*

Intra-EPG contract

EPG1

EPG1

Specific

Permit, deny, redirect, copy

 

class-eq-filter(1)

Taboo contract

0

EPG1

Specific/default

Deny

Deny traffic destined to an EPG that has a taboo contract

Black_list(5)

inter-VRF EPG-to-vzAny Consumer VRF

Intra-VRF ESG-to-vzAny

EPG1 /ESG1(global)

0

Specific

Permit, deny, redirect, copy

In the case of contract between an ESG and vzAny (*)

shsrc_any_filt_perm
(10)

EPG-to-EPG

EPG1

EPG2

Specific

Permit, deny, redirect, copy

Intra-VRF contract with nondefault filter between EPGs

fully_qual(7)

EPG1

EPG2

Default (permit any)

Permit, deny, redirect, copy

Intra-VRF contract with default filter between EPGs

src_dst_any(9)

EPG-to-vzAny

EPG1

0

Specific

(Default priority is 15)

Permit, deny, redirect, copy

 

src_any_filter(13)

vzAny-to-EPG

0

EPG1

Specific

(Default priority is 16)

Permit, deny, redirect, copy

 

any_dest_filter(14)

vzAny-to-vzAny

0

0

Specific

Permit, deny, redirect, copy

 

any_any_filter(17)

Cisco ACI Contract Priority Illustration Example

The figure below illustrates an example of a priority comparison between a specific EPG and vzAny.

If a vzAny-to-vzAny contract uses the SSH filter with the permit action (priority 17) and the EPG-to-EPG contract uses an SSH filter with a deny action (priority 7), all SSH traffic within the VRF is permitted except for SSH traffic from Web EPG to App EPG.


We can verify the rule priority from the command “show zoning-rule”

Pod1-Leaf1# show zoning-rule scope 2850817

+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+

|   4208  |   0    |   15   | implicit |    uni-dir     | enabled | 2850817 |                   | deny,log | any_vrf_any_deny(22) |

|   4247  |   0    | 32777  | implicit |    uni-dir     | enabled | 2850817 |                   |  permit  |   any_dest_any(16)   |

|   4207  |   0    |   0    |    67    | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 |  permit  |  any_any_filter(17)  |

|   4253  |   0    |   0    |    68    |     bi-dir     | enabled | 2850817 | tenant1:Contract1 |  permit  |  any_any_filter(17)  |

|   4249  | 32774  | 32775  |    68    | uni-dir-ignore | enabled | 2850817 | tenant1:Contract2 |   deny   |    fully_qual(7)     |

|   4211  | 32775  | 32774  |    67    |     bi-dir     | enabled | 2850817 | tenant1:Contract2 |   deny   |    fully_qual(7)     |

Bilel-A

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5

Related articles

ACI L3 Multicast Troubleshoot – Part-3: Source and Receiver inside ACI – Topology 2

ACI L3 Multicast Troubleshoot – Part-3: Source and Receiver inside ACI – Topology 2

ACI L3 Multicast Troubleshoot – Part-3: Source and Receiver inside ACI – Topology 1

ACI L3 Multicast Troubleshoot – Part-3: Source and Receiver inside ACI – Topology 1

Troubleshoot ACI L3 Multicast – Part-2: Source in ACI and Receiver Outside

ACI L3 Multicast Troubleshoot – Part-1: Receiver in ACI and Source Outside

Quality of Service (QoS) in Cisco ACI – Overview and Configuration Examples

MACsec configuration in ACI Fabric

Cisco ACI Floating L3OUT [Explained & Configuration]

ACI Multiste PBR Configuration and Troubleshooting

ACI Q in Q Dot1Q Tunnel Data Forwarding

ACI Q in Q Dot1Q Tunnel Data Forwarding

ACI Multisite Connectivity Design and Deployment use cases

ACI Multisite Connectivity Design and Deployment use cases

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x