The CLI output of the show zoning-rule command below shows an example with the Direct Connect option enabled on the connector between the provider side of the service node and the provider EPG. It contains a permit entry for traffic from the provider EPG (class ID 32774) to the provider-side connector of the service node (class ID 49157).

In most designs you do not need to define more than one contract between an EPG pair. If more filtering rules are needed for the same EPG pair, add more subjects to the same contract. Note: in a Multi-Site deployment, Cisco ACI Multi-Site Orchestrator (MSO) creates a contract for each subject.

Scope – the unique identifier of the VRF in which the zoning rule is enforced.

Figure 121 and the CLI output of the show zoning-rule command below the figure show an example. Web EPG and App EPG have contract1, which permits all IP traffic between them. Web EPG also has taboo contract1, which denies SSH traffic destined to Web EPG. An endpoint in Web EPG can therefore communicate with an endpoint in App EPG and vice versa, except for SSH traffic from an endpoint in App EPG to an endpoint in Web EPG.

By default, when a deny rule and a permit rule have the same zoning-rule priority, the deny wins, even if the permit has a more specific filter. Figure 118, the CLI output of the show zoning-rule command below the figure, and Tables 22 and 23 illustrate this point.

The contract_parser.py script parses zoning rules and maps them to EPG names, contract names, or L4 ports. It can also display hardware statistics for the amount of traffic hitting a policy CAM rule.
A zoning rule is essentially an entry in a packet filter that enforces policy on transit traffic. It is a tuple that defines the frames/packets to be matched and the action to take when the rule matches. Rules are processed in order (based on the rule ID and priority; see the zoning-rule priorities section later in this document) until a match is found.

Using preferred groups for scalability is less obvious. Configuring a preferred group in a VRF results in the creation of multiple deny rules for the EPGs that are outside the preferred group, which can consume a lot of policy TCAM space when many EPGs are not in the preferred group.

The vzAny-to-vzAny rules apply to traffic between EPGs, not to traffic within an EPG (i.e., traffic from an EPG to itself).
For more information, see the Contract priorities section. The show zoning-filter command shows the actrl:Entry managed objects for a given actrl:Flt ID.

After the service graph template is removed from the contract subject, the internal EPGs of the service node are removed and the zoning rules are replaced with the two entries that permit traffic between the consumer and provider EPGs. The CLI output of the show zoning-rule command below shows an example.

Table 9. Deny action vs. Permit action with the same zoning-rule priority

TCAM configuration

In addition to the rules described above, Cisco ACI programs implicit deny rules based on the L3Out EPG subnet configuration (the information in this paragraph is intended for advanced readers). Figure 32 and the CLI output of the show zoning-rule command below the figure show an example. VRF2 learns the route 10.0.0.0/8 through its L3Out and leaks 10.0.0.0/8 to VRF1, but only IP addresses in 10.0.0.0/16 are supposed to communicate with L3Out-EPG1 (192.168.1.0/24) in VRF1. To achieve this, L3Out-EPG2 needs two subnets with different scopes: 10.0.0.0/8 with Shared Route Control Subnet, to leak the route to VRF1, and 10.0.0.0/16 with External Subnets for External EPG and Shared Security Import Subnet, for L3Out-EPG2 classification in VRF1 and VRF2. In this case an IP address in 10.0.0.0/16 is classified as L3Out-EPG2, but the other IP addresses in 10.0.0.0/8 are classified as the special class ID 13 in VRF2. Traffic from any class ID to class ID 13 is implicitly dropped in VRF1, even though VRF1 has the route 10.0.0.0/8 leaked from VRF2.
If there were no other zoning rules, Web EPG would not be able to communicate with App EPG. Web EPG can communicate with App EPG because the administrator has configured a specific contract between the two EPGs, and that contract takes precedence over the implicit deny rules programmed for the preferred group. Between a permit and a deny at the same priority, the deny wins, even if the permit has a more specific filter.
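The two evaluation behaviours described on this page (rules processed in priority order until one matches, and deny beating permit at equal priority even when the permit's filter is more specific) can be modelled in a few lines. The following is an added illustration, not APIC or switch code and not a tool from the Cisco documentation. Everything in the rule table is constructed: the scope ID, the class IDs for Web, App and DB, the rule IDs and, in particular, the priority values, which are placeholders chosen only so that the taboo rule sorts before the contract permit and the implicit deny sorts last; the real values are the ones in the zoning-rule priority table.

```python
"""
Toy model of zoning-rule evaluation (added example, not Cisco code).
Constructed data: scope ID, class IDs, rule IDs and priority values are
invented for the illustration and do not come from a real fabric.
Modelled behaviours:
  * rules are evaluated by priority (lower value first) until one matches;
  * at equal priority a deny wins over a permit, even when the permit's
    filter is more specific.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = 0  # class ID 0 stands for "any EPG" in this model (as in vzAny / implicit rules)

# Constructed identifiers (not from a real fabric)
SCOPE = 100                      # VRF scope ID
WEB, APP, DB = 49153, 49154, 49155


@dataclass(frozen=True)
class Flow:
    scope: int
    src_class: int
    dst_class: int
    proto: str                   # "ip", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str = "ip"            # "ip" matches any IP protocol (like the default filter)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport


@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    scope: int
    src_class: int
    dst_class: int
    filt: Filter
    action: str                  # "permit" or "deny"
    priority: int                # lower value is evaluated first (constructed values)

    def matches(self, flow: Flow) -> bool:
        return (self.scope == flow.scope
                and self.src_class in (ANY, flow.src_class)
                and self.dst_class in (ANY, flow.dst_class)
                and self.filt.matches(flow))


SAMPLE_RULES: List[ZoningRule] = [
    # contract1 with the default (any IP) filter between Web and App, both directions
    ZoningRule(4096, SCOPE, WEB, APP, Filter("default"), "permit", 9),
    ZoningRule(4097, SCOPE, APP, WEB, Filter("default"), "permit", 9),
    # taboo contract1 on Web: deny SSH destined to Web, at a better priority than the permit
    ZoningRule(4098, SCOPE, ANY, WEB, Filter("ssh", "tcp", 22), "deny", 5),
    # App -> DB: a permit for tcp/22 and a deny-action filter for any IP at the SAME priority
    ZoningRule(4099, SCOPE, APP, DB, Filter("ssh", "tcp", 22), "permit", 7),
    ZoningRule(4100, SCOPE, APP, DB, Filter("default"), "deny", 7),
    # implicit VRF-wide deny: any -> any, worst priority
    ZoningRule(4101, SCOPE, ANY, ANY, Filter("default"), "deny", 21),
]


def lookup(rules: List[ZoningRule], flow: Flow) -> Tuple[str, Optional[ZoningRule]]:
    """Return (action, winning rule). The winner is the matching rule with the
    lowest priority value; ties go to deny before permit, then to the lower rule ID.
    A flow with no matching rule at all (e.g. an unknown scope) is dropped."""
    candidates = [r for r in rules if r.matches(flow)]
    if not candidates:
        return "deny", None
    winner = min(candidates,
                 key=lambda r: (r.priority, 0 if r.action == "deny" else 1, r.rule_id))
    return winner.action, winner


def decide(flow: Flow, rules: List[ZoningRule] = SAMPLE_RULES) -> str:
    return lookup(rules, flow)[0]


if __name__ == "__main__":
    for label, flow in [
        ("Web -> App http", Flow(SCOPE, WEB, APP, "tcp", 80)),
        ("App -> Web ssh (taboo)", Flow(SCOPE, APP, WEB, "tcp", 22)),
        ("Web -> App ssh", Flow(SCOPE, WEB, APP, "tcp", 22)),
        ("App -> DB ssh (deny ties permit)", Flow(SCOPE, APP, DB, "tcp", 22)),
        ("Web -> DB http (implicit deny)", Flow(SCOPE, WEB, DB, "tcp", 80)),
    ]:
        action, rule = lookup(SAMPLE_RULES, flow)
        print(f"{label:34s} -> {action:6s} (rule {rule.rule_id if rule else '-'})")
```

The App -> DB case is the one Table 9 is about: the tcp/22 permit is more specific than the any-IP deny, but because both sit at the same priority the deny is chosen. The App -> Web SSH case shows the taboo rule winning purely on priority, while SSH in the other direction (Web -> App) is still permitted by contract1.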