Understand Contract Priorities

The following list summarizes the high-level rules of priority that ACI applies when filtering traffic:

  • More-specific EPGs win over vzAny and preferred groups.

    1. EPG-to-EPG (priority 7 or 9) wins over EPG-to-vzAny (priority 13 or 15) and vzAny-to-EPG (priority 14 or 16), which in turn win over vzAny-to-vzAny (priority 17 or 20).

    2. A specific source wins over a specific destination (for example, EPG-to-vzAny wins over vzAny-to-EPG).

  • More-specific Layer 4 rules win.

    1. Specific filters win over the "any" filter (for example, an EPG-to-EPG contract with a specific filter wins over one with the default filter).

    2. A specific destination port wins over a specific source port (for example, sport-any-to-dport-80 wins over sport-80-to-dport-any).

  • Deny actions win. A specific protocol wins.

    1. Within the same zoning-rule priority, deny + log wins over deny, which wins over a redirect or permit action.

    2. Between redirect and permit actions, a more specific protocol and a specific Layer 4 port win.

    3. Between redirect and permit, if the filters are the same, redirect wins over permit. If the filter rules have overlapping port ranges and the same priority, the result is not deterministic. Do not configure conflicting rules of this type if you need the action to be deterministic.

The lower the priority value, the higher the priority: a rule with a lower value (higher priority) wins over a rule with a higher value (lower priority).

Notice that each rule type has two priorities, depending on whether the filter's EtherType is "unspecified" (the equivalent of the "any" keyword in a traditional access list) or a specific EtherType such as IPv4, IPv6, FCoE, or ARP. A rule type has a higher priority with a specific EtherType than with "unspecified": an EPG-to-EPG rule has priority 7 with EtherType IPv4 and priority 9 with EtherType "unspecified"; similarly, an EPG-to-vzAny rule has priority 13 with EtherType IPv4 and priority 15 with EtherType "unspecified".

The following figure and the CLI output of the show zoning-rule command after the figure show an example of priority comparison between a specific filter and the default filter. If an EPG-to-EPG contract has two subjects, one using an SSH filter with the permit action (priority 7) and the other using the default filter with the redirect action (priority 9), the result is that all traffic between the EPGs except SSH is redirected.

Example of contract priorities (specific filter vs. default filter):

The following figure and the CLI output of the show zoning-rule command after the figure show an example of priority comparison between a specific EPG and vzAny. If a vzAny-to-vzAny contract uses the SSH filter with the permit action (priority 17) and an EPG-to-EPG contract from Web EPG to App EPG uses the SSH filter with the deny action (priority 7), all SSH traffic within the VRF is permitted except SSH traffic from Web EPG to App EPG.

Deny Action in Filter

The Deny action was introduced in Cisco APIC Release 3.2. It is useful when you want a block-list model for security enforcement. For example, you can configure a vzAny-to-vzAny permit contract to allow all EPG-to-EPG communication within a VRF, and then configure a contract with the deny action to block specific EPG-to-EPG communication. Using the deny action can simplify the configuration and reduce TCAM consumption. Keep in mind that deny only beats permit within the same zoning-rule priority: by the rules above, an EPG-to-EPG permit (priority 7) still wins over a vzAny-to-vzAny deny (priority 17), so place the deny at a scope at least as specific as the permit it is meant to override.
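The two worked examples above (specific filter vs. default filter, and vzAny vs. a specific EPG) and the block-list pattern in this section all reduce to the same evaluation: collect every zoning rule that matches a flow, take the one with the lowest priority value, and break ties by action and filter specificity. The following Python model, added here as an illustration and not taken from APIC or from this page, encodes the priority table and tie-break order exactly as the list above states them and replays the page's scenarios. The EPG names, port numbers and the `Rule`/`resolve` helpers are constructed for the example; port ranges are not modelled, so the non-deterministic overlapping-range case cannot be reproduced with it.

```python
from dataclasses import dataclass

ANY = "any"

# Zoning-rule priorities as listed on the page, keyed by (source scope,
# destination scope) and by whether the filter's EtherType is specific
# ("ip" for IPv4/IPv6) or "unspecified" (the default filter).
# Lower number = higher priority.
PRIORITY = {
    ("epg", "epg"):     {"ip": 7,  "unspecified": 9},
    ("epg", "vzany"):   {"ip": 13, "unspecified": 15},
    ("vzany", "epg"):   {"ip": 14, "unspecified": 16},
    ("vzany", "vzany"): {"ip": 17, "unspecified": 20},
}

# Tie-break inside one zoning-rule priority: deny+log > deny > redirect > permit.
ACTION_RANK = {"deny+log": 0, "deny": 1, "redirect": 2, "permit": 3}


@dataclass(frozen=True)
class Rule:
    """One zoning rule (constructed model, not the APIC object)."""
    src: str        # EPG name, or "vzany"
    dst: str        # EPG name, or "vzany"
    ethertype: str  # "ip" or "unspecified"
    proto: str      # "tcp", "udp", ... or ANY
    sport: str      # L4 port as a string, or ANY
    dport: str      # L4 port as a string, or ANY
    action: str     # a key of ACTION_RANK

    def priority(self) -> int:
        scope = ("vzany" if self.src == "vzany" else "epg",
                 "vzany" if self.dst == "vzany" else "epg")
        return PRIORITY[scope][self.ethertype]

    def matches(self, src, dst, proto, sport, dport) -> bool:
        return (self.src in ("vzany", src) and self.dst in ("vzany", dst)
                and self.proto in (ANY, proto)
                and self.sport in (ANY, sport) and self.dport in (ANY, dport))


def sort_key(rule: Rule):
    """Smaller tuple wins: zoning-rule priority first; then deny+log and deny
    beat redirect/permit; then the more specific protocol/port (a specific
    dport counts more than a specific sport); then redirect beats permit."""
    rank = ACTION_RANK[rule.action]
    deny_rank = rank if rank <= 1 else 2
    specificity = ((rule.proto != ANY) + 2 * (rule.dport != ANY)
                   + (rule.sport != ANY))
    return (rule.priority(), deny_rank, -specificity, rank)


def resolve(rules, src, dst, proto, sport, dport) -> str:
    """Action applied to one flow; no matching rule means ACI's implicit deny."""
    hits = [r for r in rules if r.matches(src, dst, proto, sport, dport)]
    if not hits:
        return "implicit-deny"
    return min(hits, key=sort_key).action


def scenario_specific_vs_default():
    """Page example 1: SSH subject with permit (priority 7) plus a
    default-filter subject with redirect (priority 9) between Web and App."""
    rules = [
        Rule("Web", "App", "ip", "tcp", ANY, "22", "permit"),
        Rule("Web", "App", "unspecified", ANY, ANY, ANY, "redirect"),
    ]
    return (resolve(rules, "Web", "App", "tcp", "51000", "22"),
            resolve(rules, "Web", "App", "tcp", "51000", "443"))


def scenario_vzany_vs_epg():
    """Page example 2 / block-list model: vzAny-to-vzAny SSH permit (17)
    plus an EPG-to-EPG SSH deny from Web to App (7)."""
    rules = [
        Rule("vzany", "vzany", "ip", "tcp", ANY, "22", "permit"),
        Rule("Web", "App", "ip", "tcp", ANY, "22", "deny"),
    ]
    return (resolve(rules, "Web", "App", "tcp", "51000", "22"),
            resolve(rules, "App", "Web", "tcp", "51000", "22"),
            resolve(rules, "Web", "App", "tcp", "51000", "443"))


def scenario_port_specificity():
    """Same priority, redirect vs permit: sport-any-to-dport-80 beats
    sport-80-to-dport-any when both match."""
    rules = [
        Rule("Web", "App", "ip", "tcp", ANY, "80", "permit"),
        Rule("Web", "App", "ip", "tcp", "80", ANY, "redirect"),
    ]
    return (resolve(rules, "Web", "App", "tcp", "80", "80"),
            resolve(rules, "Web", "App", "tcp", "80", "8080"))


if __name__ == "__main__":
    print(scenario_specific_vs_default())   # ('permit', 'redirect')
    print(scenario_vzany_vs_epg())          # ('deny', 'permit', 'implicit-deny')
    print(scenario_port_specificity())      # ('permit', 'redirect')
```

The second scenario is the block-list pattern from this section: the vzAny permit opens SSH VRF-wide and the single EPG-to-EPG deny carves out Web-to-App, while anything the permit does not cover (HTTPS here) still falls to the implicit deny. Swapping the deny's scope to vzAny-to-vzAny in that scenario would give it priority 17 and the rank tie-break would then decide against the permit only because both sit at the same priority; a more specific permit would win, which is the caveat stated above.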
