In the following use case, EPG-1 in VRF Cisco-1 requires communication with EPG-2 in VRF Cisco-2. This is achieved by using the subnet field in the EPG. By creating the subnet under the EPG and selecting Shared, the route is leaked to the VRF specified by the contract's scope.

Global Contract – The name of a contract that is to be shared by two or more participating peer entities.

Tags – (Optional) The keyword or search phrase assigned to the application profile. With a tag, you can group multiple objects by a descriptive name. You can assign the same tag name to multiple objects and assign one or more tag names to an object.

By default, when contracts are assigned to an endpoint group as a consumer or provider, all subjects in the contract apply to that endpoint group. With labels, only endpoint groups in application profiles with matching criteria enforce the subject of the contract.

We have created a very simple regular contract that provides a service to another tenant. There are other types of contracts that we can create. Taboo contracts are used to deny and log traffic. Like traditional ACLs, to deny traffic they must be evaluated first.
An example would be if we want to allow a large number of ports and deny one or two specific ports; we would do this with a taboo contract that denies the traffic, evaluated before the regular contract that allows the full range. If there are a very large number of contracts within the VRF, it can take up to an hour or more before the contracts are redeployed to the leaf switches when the VRF is set back to enforced.

In short, contracts consist of one or more subjects. Each subject contains one or more filters. Each filter contains one or more entries. Each entry corresponds to a row in an access control list (ACL) applied on the leaf switch to which the endpoint in the endpoint group is attached.

This use case is useful if you are implementing a contract with the subject applied in both directions and without reverse filter ports. This gives the end user the greatest granularity when deploying contracts, but it is also the most involved.

There may be times when the ACI administrator needs to allow traffic between two tenants. Contract interfaces are a special type of contract that an ACI administrator can use to permit specific traffic by exporting a contract. The contract is essentially exported from the source tenant and imported into the target tenant. As with traditional contracts, the source EPG will be of the Provider type.
However, in the target tenant the contract is imported as a contract interface. A few example use cases show the complete process in the next chapter.

A single contract with one (1) subject and one (1) filter, with a single provider and a single consumer. In this example, www.

Name – The name of the contract or the contract subject.

Mark Traffic (DSCP/CoS) (regular contracts only)

The following iShell command checks the contracts of a VRF:

ACME Inc., like most companies, uses shared services such as DNS for name resolution and Active Directory for user management. These services are used by most of their tenants, so ACME Inc. must allow this traffic throughout the fabric. Communication between EPGs belonging to different tenants is only allowed if they share the same contract.
To use the same contract, it must be exported from the source tenant to the corresponding target tenant. This contract then appears in the Imported Contracts section of the target tenant's security policies.

Policy – The filter policies associated with the taboo contract.

VRF-instance-wide contracts are traditionally contracts that allow established traffic, so endpoint group contracts need only define traffic in one direction, from the consumer to the provider, without enabling reverse filter ports for TCP traffic. Because all endpoint groups within the VRF instance allow established traffic, there is no need to reverse the filter ports in the contract that is applied directly to the endpoint group.

Match – Criteria for matching the subject across all consumer endpoint groups. Labels can be applied to a variety of provider- and consumer-managed objects, including endpoint groups, contracts, bridge domains, DHCP relay policies, and DNS policies. When a match between provider labels and consumer labels is checked, the match parameter is determined by the provider's endpoint group. The different options are as follows:

To mimic traditional network concepts, an "allow all traffic" contract can be applied, with taboo contracts configured to restrict certain types of traffic.

2) Should I apply the taboo contract to two EPGs or to one, and how does it work?

A consumed contract interface is used to associate an EPG in the target tenant with the imported contract.
If a filter allows traffic from any consumer port to a provider port (e.g. 8888), and reverse filter ports is enabled and the contract is applied in both directions (e.g. for TCP traffic), either the consumer or the provider can initiate the communication. The provider can open a TCP socket to the consumer on port 8888 regardless of whether the provider or the consumer sent traffic first.

Click + next to Subjects to add a contract subject.

In detail, contracts consist of the following elements:

Two contracts, each with one (1) subject and one (1) filter. Each contract will have a single provider and a single consumer referring to the same contract. The difference is that the contract is explicitly applied in BOTH directions.

A filter is a set of filter entries that are used to classify traffic.
Each filter entry is a rule that allows or denies traffic classified on TCP/IP header fields, such as the layer 3 protocol type or layer 4 ports. The filter is set on the contract associated with an endpoint group. It can be either inbound to an endpoint group, outbound from an endpoint group, or both. A subject is an entity that connects the filter to the contract, thereby affecting traffic between the endpoint groups that provide and consume that contract.

1. Taboo contract entries are looked up with a higher priority than entries in regular contracts.

If you do not configure a contract, traffic is only allowed for the following packet types, in addition to the types allowed by default for multicast traffic and traffic of the same class:

A quick way to check whether contracts, or the lack of them, are blocking traffic within a VRF instance in an ACI fabric is to set the VRF instance to unenforced. This allows communication between all endpoint groups within the VRF instance without the need for contracts. This is equivalent to applying the common tenant default contract to vzAny, the VRF instance's "any" endpoint group.
Can someone answer the following questions for me about standard contracts and taboo contracts:

Contracts give the Cisco Application Centric Infrastructure (ACI) administrator the ability to control the flow of traffic within the ACI fabric between endpoint groups.