Lesson 3: Contracts Verification
In this free ACI training video, John Meng demonstrates Contracts Verification. The following additional informational resources are provided in this lesson.
Contract verification in Hardware
- By default, in ACI no traffic is allowed between EPGs unless a contract allows it.
- In the setup, there are 2 EPGs to focus on:
  - EPG-Web – VM1
  - EPG-Client – VM2
- Here a contract is applied allowing ICMP between those 2 EPGs.
- The first step is to find out, for each EPG, a parameter called either:
  - pcTag (in the object model)
  - sclass (in the leaf CLI)
- We also need the scope (VRF VXLAN id) where the EPG sits.
- The pcTag is a unique EPG id in the fabric PER VRF (i.e. 2 EPGs may use the same pcTag if they are in different VRFs).
Finding PcTag and scope in Object model
- fvAEPg is the class in the logical model representing a regular EPG.
- l3extInstP is the class in the logical model representing an L3Out EPG.
- System Reserved pcTag - This pcTag is used for system internal rules (1-15).
- Globally scoped pcTag - This pcTag is used for shared service (16-16385).
- Locally scoped pcTag - This pcTag is locally used per VRF (range from 16386-65535).
- An EPG's pcTag might change if the EPG provides a service to another VRF.
Zoning rule and rules statistics – Leaf101
- Check rule between the two EPGs on Leaf101
- Check the statistics for those rules. Packets are received in EPG-Web (49154) towards EPG-Client (16387).
- Where is the return traffic?
Zoning rule and rules statistics – Leaf102
- On Leaf102 check any rule between our two EPGs
- Check the statistics for those rules. Packets are received in EPG-Client (16387) towards EPG-Web (49154).
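As an added example (not part of the lesson or of any Cisco tooling), the script below ties the object-model lookup above to the zoning-rule checks on Leaf101/Leaf102: it reads a constructed fvAEPg/l3extInstP class-query reply, classifies each pcTag into the three ranges listed in the lesson, derives the directed (scope, sclass, dclass) tuples to look for in the leaf zoning table for EPGs that share a VRF, and flags pcTags reused across VRFs. The two EPG pcTags are the lesson's; the dn, tenant and scope values are made-up placeholders.

```python
import json
# Constructed sample of an APIC class-query reply (/api/class/fvAEPg.json style).
# The two EPG pcTags are the lesson's; dn and scope (VRF VXLAN id) values are made up.
SAMPLE_IMDATA = json.dumps({"imdata": [
    {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EPG-Web",
                               "name": "EPG-Web", "pcTag": "49154", "scope": "2000001"}}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EPG-Client",
                               "name": "EPG-Client", "pcTag": "16387", "scope": "2000001"}}},
    {"l3extInstP": {"attributes": {"dn": "uni/tn-T1/out-L3OUT/instP-Ext",
                                   "name": "Ext", "pcTag": "16387", "scope": "2000002"}}},
]})
EPG_CLASSES = ("fvAEPg", "l3extInstP")  # regular EPG, L3Out external EPG

def classify_pctag(pctag: int) -> str:
    """Return the pcTag range name using the boundaries listed in the lesson."""
    if 1 <= pctag <= 15:
        return "system"
    if 16 <= pctag <= 16385:
        return "global"
    if 16386 <= pctag <= 65535:
        return "local"
    raise ValueError(f"pcTag {pctag} outside known ranges")

def parse_epgs(imdata_json: str) -> list:
    """Extract name, class, pcTag and scope for each EPG object in the reply."""
    out = []
    for item in json.loads(imdata_json)["imdata"]:
        for cls in EPG_CLASSES:
            if cls in item:
                a = item[cls]["attributes"]
                tag = int(a["pcTag"])
                out.append({"name": a["name"], "class": cls, "pcTag": tag,
                            "scope": int(a["scope"]), "kind": classify_pctag(tag)})
    return out

def zoning_rule_keys(epgs: list) -> list:
    """Directed (scope, sclass, dclass) tuples to look for in the leaf zoning table.
    Only EPGs in the same VRF scope are paired: a pcTag is unique per VRF only."""
    return [(s["scope"], s["pcTag"], d["pcTag"]) for s in epgs for d in epgs
            if s is not d and s["scope"] == d["scope"]]

def pctag_collisions(epgs: list) -> dict:
    """pcTags reused in more than one VRF (legal, but pair every tag with its scope)."""
    seen = {}
    for e in epgs:
        scopes = seen.setdefault(e["pcTag"], [])
        if e["scope"] not in scopes:
            scopes.append(e["scope"])
    return {t: s for t, s in seen.items() if len(s) > 1}
```

Both directions (EPG-Web to EPG-Client and the return) come out as separate keys, which is why the lesson asks where the return traffic is when only one rule shows hits on a given leaf.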
Checking Filter on the switch
- What does the filter look like?
- Which filter will be hit first? (priority)
Deny logs (default)
- Usually packet-denied logs can be checked from the CLI:
  - New CLI: show logging ip access-list cache deny
  - show platform internal hal health-stats