Contracts in ACI: Lesson 3: Contracts Verification
    Lesson 3: Contracts Verification

    In this free ACI training video, John Meng demonstrates contract verification. The following additional informational resources are provided for this lesson.

     

    Contract verification in Hardware

    • By default, no traffic is allowed between EPGs in ACI unless a contract allows it.
    • In the setup, there are 2 EPGs to focus on:
      • EPG-Web – VM1
      • EPG-Client – VM2
    • Here a contract is applied allowing ICMP between those 2 EPGs.
    • The first step is to find, for each EPG, a parameter called either:
      • pcTag (in the object model)
      • sclass (in the leaf CLI)
    • We also need the scope (the VRF VXLAN ID) in which the EPG sits.
    • The pcTag is a unique EPG ID in the fabric PER VRF (i.e., 2 EPGs may use the same pcTag if they are in different VRFs).

     

    Finding pcTag and scope in the object model

    • fvAEPg is the class in the logical model representing a regular EPG.
    • l3extInstP is the class in the logical model representing an L3Out EPG.
    • Note:
      • System reserved pcTag – used for system internal rules (1-15).
      • Globally scoped pcTag – used for shared services (16-16385).
      • Locally scoped pcTag – used locally per VRF (range 16386-65535).
      • An EPG's pcTag might change if the EPG provides a service to another VRF.

     

    Zoning rule and rules statistics – Leaf101

    • Check the rules between the two EPGs on Leaf101.
    • Check the statistics for those rules: packets are received from EPG-Web (49154) towards EPG-Client (16387).
    • Where is the return traffic?

     

    Zoning rule and rules statistics – Leaf102

    • On Leaf102, check any rule between our two EPGs.
    • Check the statistics for those rules: packets are received from EPG-Client (16387) towards EPG-Web (49154).
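    An offline illustration of the two checks above (look up pcTag and scope for each EPG, then read the per-leaf rule statistics in both directions), written as an added example that is not part of the lesson. The fvAEPg response shape, the scope value, the rule tuples and the hit counts are constructed; only the two pcTags come from the slides.

```python
import json

# Constructed sample shaped like an APIC query response for class fvAEPg (assumption: the
# attribute names 'pcTag' and 'scope'; the scope value is made up, the pcTags are the lesson's).
APIC_RESPONSE = json.dumps({"imdata": [
    {"fvAEPg": {"attributes": {"name": "EPG-Web", "pcTag": "49154", "scope": "2621440"}}},
    {"fvAEPg": {"attributes": {"name": "EPG-Client", "pcTag": "16387", "scope": "2621440"}}},
]})
# Constructed per-leaf zoning rules: (scope, src sclass, dst sclass, filter, action, hits),
# loosely modelled on the columns of 'show zoning-rule' plus its rule statistics.
LEAF101_RULES = [(2621440, 49154, 16387, "icmp", "permit", 120),
                 (2621440, 16387, 49154, "icmp", "permit", 0)]
LEAF102_RULES = [(2621440, 49154, 16387, "icmp", "permit", 0),
                 (2621440, 16387, 49154, "icmp", "permit", 120)]

def pctag_class(pctag):
    """Classify a pcTag into the ranges given in the lesson."""
    if 1 <= pctag <= 15: return "system"
    if 16 <= pctag <= 16385: return "global"
    if 16386 <= pctag <= 65535: return "local"
    raise ValueError(f"pcTag {pctag} out of range")

def epg_tags(apic_json):
    """Map EPG name -> (pcTag, scope) from fvAEPg / l3extInstP objects."""
    tags = {}
    for obj in json.loads(apic_json)["imdata"]:
        for cls in ("fvAEPg", "l3extInstP"):
            if cls in obj:
                a = obj[cls]["attributes"]
                tags[a["name"]] = (int(a["pcTag"]), int(a["scope"]))
    return tags

def direction_hits(rules, tags, src_epg, dst_epg):
    """Sum of hits on permit rules src->dst in the EPGs' VRF scope; None if no such rule."""
    (src, scope), (dst, dst_scope) = tags[src_epg], tags[dst_epg]
    if scope != dst_scope:
        raise ValueError("EPGs are in different VRFs; pcTags are only unique per VRF")
    hits = [h for s, sc, dc, _f, act, h in rules
            if s == scope and sc == src and dc == dst and act == "permit"]
    return sum(hits) if hits else None

if __name__ == "__main__":
    tags = epg_tags(APIC_RESPONSE)
    for name, (t, s) in tags.items():
        print(f"{name}: pcTag={t} ({pctag_class(t)}) scope={s}")
    for leaf, rules in (("Leaf101", LEAF101_RULES), ("Leaf102", LEAF102_RULES)):
        print(leaf, "Web->Client:", direction_hits(rules, tags, "EPG-Web", "EPG-Client"),
              "Client->Web:", direction_hits(rules, tags, "EPG-Client", "EPG-Web"))
```

Run against the constructed data, each leaf shows hits in only one direction, which is the pattern the slides ask about; a direction returning None would mean no permit rule exists at all in that scope.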

     

    Checking the filter on the switch

    • What does the filter look like?
    • Which filter will be hit first? (priority)

     

    Deny logs (default)

    • Denied-packet logs can usually be checked from the CLI.
    • New CLI: show logging ip access-list cache deny

     

    TCAM Usage

    • # show platform internal hal health-stats

     

    Lesson 1: Contracts Concept and Deployment in ACI part 1

    Lesson 2: Contracts Concept and Deployment in ACI part 2

    Lesson 3: Contracts Verification

    Lesson 4: Demo and Best Practice