pcTag for ACI Contracts

In Cisco ACI, every EPG has its own ID called the policy control tag (pcTag). The pcTag is sometimes referred to as the class ID, or as sclass/dclass for the source/destination class ID (source/destination pcTag). The pcTag is assigned to an EPG by the APIC when the EPG is created, and it is used when a contract rule is applied to a packet on a leaf switch. The security rules that use pcTags and that are created from contracts on leaf switches are called zoning rules. Each zoning rule has the following parameters:

  • Src EPG (src pcTag)
  • DST EPG (DST pcTag)
  • Filter ID (traffic type such as TCP DST port 3306)
  • Scope (VRF VNID for the src and DST EPGs)
  • Action (permit or deny)

The pcTag types and their ranges are as follows:

  • System reserved pcTag (1-15): These pcTags are used for system internal rules. Some examples of such reserved pcTags are:
    • 15: L3Out subnet 0.0.0.0/0 for "External Subnets for the External EPG."
    • 14: Shared service (VRF route leaking); ensures that a contract is applied on the consumer VRF.
    • 1: Implicitly allows traffic such as traffic destined to the ACI switch CPU.
  • Global pcTag (16-16385): This pcTag is unique across VRFs and is used for shared service (VRF route leaking).
  • Local pcTag (16386-65535): This pcTag is unique only within a VRF and is the default pcTag for internal EPGs and L3Out EPGs.

By default, EPGs in different VRFs may have overlapping local pcTags, which is not a problem because the traffic should always stay within the same VRF. However, when VRF route leaking is configured, traffic crosses VRFs and ACI needs to ensure that the pcTags of leaked EPGs do not overlap. EPGs with a shared service (VRF route leaking) configuration are therefore assigned a new global pcTag that replaces the original local pcTag. Precisely speaking, only the provider EPGs with a shared service configuration are assigned a global pcTag.

The last parameter, Action, defines whether the traffic is allowed or dropped.

The actual zoning rules on a leaf switch can be checked with the show zoning-rule command on the leaf CLI.

This example shows the names of the contracts whose rules are programmed with filters, for example the rules with filter IDs 17 to 20 between pcTags 49154 and 32772 in the FileServices_Ct contract. These rules are defined in scope 2523136, which is the VRF VNID. The contents of each filter can be checked with the show zoning-filter command on the leaf CLI.

To check the pcTag and VRF VNID (scope), you can also use the APIC user interface. This figure shows the pcTag for an EPG in the APIC user interface:

The pcTag for L3Out EPGs can be checked here:

You can check all pcTag occurrences for various objects within a tenant by navigating to Tenants > Tenant name > Operational > Resource IDs.

The VRF VNID (scope for the zoning rules) can be checked in the APIC user interface as well:

Policy TCAM Exhaustion

The physical ternary content-addressable memory (TCAM) in which policy is stored for enforcement is a critical component of switch hardware and an important system resource in a Cisco ACI fabric. When an EPG is associated with a contract, the zoning rules applied on a leaf switch can consume many TCAM entries, which can lead to TCAM exhaustion.

Options to optimize policy CAM usage and simplify the configuration:

  • Policy Control Enforcement in VRF set to Unenforced
  • Contract with vzAny
  • Contract Preferred Group

A VRF provides the option “Policy Control Enforcement” to turn off the allow-list security model that is enforced with EPGs and contracts. By default it is Enforced, and no communication between EPGs is allowed without a contract rule. Once it is set to Unenforced, no contract rules are applied, and any endpoint can talk to any other endpoint as long as there is Layer 2 or Layer 3 reachability.
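The following toy model, added here as an illustration and not taken from Cisco or this page, ties together the zoning-rule parameters described above (scope, src pcTag, dst pcTag, filter ID, action), the pcTag ranges, and the effect of the Unenforced setting. The rule table, the second VRF VNID 2818048 and filter ID 21 are constructed values; only pcTags 49154/32772, filter IDs 17 and 18 and scope 2523136 echo the page's example.

```python
"""Toy model of ACI zoning-rule evaluation (added example, not Cisco code).

Two VRFs deliberately reuse the same local pcTags, so a lookup must match on
the VRF VNID (scope) as well as on src/dst pcTag and filter ID.
"""
from dataclasses import dataclass
from typing import Iterable


def pctag_type(pctag: int) -> str:
    """Classify a pcTag using the ranges listed in the text."""
    if 1 <= pctag <= 15:
        return "system"
    if 16 <= pctag <= 16385:
        return "global"
    if 16386 <= pctag <= 65535:
        return "local"
    raise ValueError(f"pcTag {pctag} is outside the 1-65535 range")


@dataclass(frozen=True)
class ZoningRule:
    scope: int       # VRF VNID
    src: int         # source pcTag (sclass)
    dst: int         # destination pcTag (dclass)
    filter_id: int   # e.g. a filter matching TCP dst port 3306
    action: str      # "permit" or "deny"


# Constructed rule table: local pcTags 49154 and 32772 exist in both VRFs,
# which is allowed because the scope keeps the rules apart.
RULES = [
    ZoningRule(2523136, 49154, 32772, 17, "permit"),
    ZoningRule(2523136, 32772, 49154, 18, "permit"),
    ZoningRule(2818048, 49154, 32772, 21, "deny"),   # constructed VRF/filter
]


def lookup(rules: Iterable[ZoningRule], scope: int, src: int, dst: int,
           filter_id: int, enforced: bool = True) -> str:
    """Return the action for a flow; unmatched traffic in an enforced VRF is denied."""
    if not enforced:              # VRF Policy Control Enforcement = Unenforced
        return "permit"           # contracts are bypassed entirely
    for rule in rules:
        if (rule.scope, rule.src, rule.dst, rule.filter_id) == (scope, src, dst, filter_id):
            return rule.action
    return "deny"                 # no contract rule -> no communication


if __name__ == "__main__":
    print(pctag_type(49154), lookup(RULES, 2523136, 49154, 32772, 17))
```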