Working with Contracts
- Lynne Cook
Contents: Contracts, Filters, Taboo Contracts, Inter-Tenant Contracts

Contracts

Contracts provide a way for the Cisco Application Centric Infrastructure (ACI) administrator to control traffic flow within the ACI fabric between endpoint groups. Contracts are built using a provider-consumer model: one endpoint group provides the services it wants to offer and another endpoint group consumes them. Contracts are assigned a scope of Global, Tenant, VRF, or Application Profile, which limits the accessibility of the contract.

In brief, a contract consists of one or more subjects. Each subject contains one or more filters. Each filter contains one or more entries. Each entry is equivalent to a line in an Access Control List (ACL) that is applied on the leaf switch to which the endpoint within the endpoint group is attached.

In detail, contracts are comprised of the following items:

Subjects - A group of filters for a specific application or service.

Filters - Used to classify traffic based upon Layer 2 to Layer 4 attributes (such as Ethernet type, protocol type, TCP flags, and ports).

Actions - The action to be taken on the filtered traffic. The following actions are supported:
- Permit the traffic (regular contracts only)
- Mark the traffic (DSCP/CoS) (regular contracts only)
- Redirect the traffic (regular contracts only, through a service graph)
- Copy the traffic (regular contracts only, through a service graph or SPAN)
- Block the traffic (taboo contracts only)
- Log the traffic (taboo contracts only)

Labels (Optional) - Used to group objects such as subjects and endpoint groups for the purpose of increasing granularity in policy enforcement.

While different endpoint groups can only communicate with other endpoint groups based upon the contract rules defined, no contract is required for intra-endpoint group communication. Communication from endpoint to endpoint within the same endpoint group is allowed by default.

If a filter allows traffic from any consumer port to a provider port (for example, 8888), and reverse port filtering is enabled and the contract is applied in both directions (say, for TCP traffic), either the consumer or the provider can initiate communication. The provider could open a TCP socket to the consumer using port 8888, regardless of whether the provider or the consumer sent traffic first.

If you do not configure a contract, traffic is permitted only for the following types of packets, as well as the types that are permitted by default for multicast traffic and class-equal traffic:
- DHCP v4 (prot 0x11, sport 0x44, dport 0x43)
- DHCP v4 (prot 0x11, sport 0x43, dport 0x44)
- DHCP v6 (prot 0x11, sport 0x222, dport 0x223)
- OSPF (prot 0x59)
- EIGRP (prot 0x58)
- PIM (prot 0x67)
- IGMP (prot 0x2)
- ND-Sol ICMPv6 (prot 0x3a, dport 0x0087)
- ND-Advt ICMPv6 (prot 0x3a, dport 0x0088)

The following example shows how different contracts would control traffic flow between endpoint groups in a 3-tiered application containing a group of web servers in one endpoint group, a group of application servers in a second endpoint group, and a group of database servers in a third endpoint group.

The Web endpoint group (provider) provides a contract (contract1) which is consumed by the L3Out endpoint group (traffic external to the ACI fabric). This allows web traffic to reach the web servers from outside the ACI fabric. The Application endpoint group (provider) provides a contract (contract2) which the Web endpoint group (consumer) consumes. This allows the web servers to call applications on the application servers. Finally, the Application endpoint group (consumer) consumes a contract (contract3) which the Database endpoint group (provider) provides. This allows the application servers to access the database for the applications.

For un-acked UDP traffic, reverse port filtering is not necessary. For TCP traffic, however, the responder cannot set up a TCP session without reverse port filtering enabled or a different contract that allows any established traffic from the responder.

Figure 1: Contract Policies Between End Point Groups

The following types of contracts can be applied in ACI:
- Regular contracts
- Taboo contracts
- Out-Of-Band (OOB) contracts

Contracts govern the following types of endpoint group communications:
- Between application endpoint groups
- Between application endpoint groups and external networks
- Between application endpoint groups and the in-band management endpoint group, for example if in-band management is configured for the ACI fabric and certain endpoint groups are to be allowed to access it

Out-of-band contracts apply only to out-of-band traffic from the management tenant.

Taboo contracts are used to deny and log traffic related to regular contracts and are configured into the hardware before the regular contract. For example, if the objective was to allow traffic with source ports 50 through 500 with the exception of port 305, the regular contract would allow all ports in the range of 50 through 500 while the taboo contract would have a single entry denying port 305. The taboo contract denying port 305 would be programmed into the hardware before the regular contract allowing ports 50 through 500.

Contract Configuration Parameters

When configuring contracts you can define the following options:

Contract Scope - The scope of a service contract between two or more participating peer entities or endpoint groups. The contract will not be applied to any consumer endpoint group outside the scope of the provider endpoint group. The states are:
- Application-profile - This contract can be applied to any endpoint groups in the same application profile.
- Private Network - This contract can be applied to any endpoint groups within the same VRF.
- Tenant - This contract can be applied to any endpoint groups within the same tenant.
- Global - This contract can be applied to any endpoint groups throughout the fabric.
The default state is Private Network.

QoS Class - The priority level of the service contract. The priority level can be:
- Unspecified
- Level1 - Class 1 Differentiated Services Code Point (DSCP) value.
- Level2 - Class 2 DSCP value.
- Level3 - Class 3 DSCP value.
The default is Unspecified.

Tags (labels) (Optional) - The search keyword or term that is assigned to the application profile. A tag allows you to group multiple objects by a descriptive name. You can assign the same tag name to multiple objects, and you can assign one or more tag names to an object. When contracts are assigned to an endpoint group as either a consumer or provider, by default all subjects within a contract apply to the endpoint group. With tags, only endpoint groups in application profiles with matching criteria will implement the subject of the contract.

Match - The subject match criteria across consumer endpoint groups. Labels can be applied to a variety of provider and consumer managed objects, including endpoint groups, contracts, bridge domains, DHCP relay policies, and DNS policies. When checking for a match of provider labels and consumer labels, the match setting is determined by the provider endpoint group. The different options are:
- AtleastOne - At least one label matches on the provider and consumer endpoint groups. Blank labels are considered a match.
- AtmostOne - Matches only when all labels on the endpoint groups are exactly the same. Blank labels are considered a match.
- None - None of the subject labels match.
- All - Only matches when both endpoint groups have all labels, excluding blank labels.
The default is AtleastOne.
Create/Modify/Remove Regular Contracts

Create Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts.
4  In the Work pane, choose Actions > Create Contract.
5  In the Create Contract dialog box, perform the following actions:
   a  Enter a Contract Name.
   b  Choose a Contract Scope (optional).
   c  Choose a QoS Class (optional).
   d  Click + next to the Subject field to add a Contract Subject. In the Create Contract Subject dialog box, perform the following actions:
      a  Enter a Contract Subject Name.
      b  Click + in the Filter Chain field. For information regarding filter creation, see the "Filters" section.
6  Click Update.
7  Click OK.
8  Click Submit.

Modify Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts > Contract_Name.
4  In the Work pane, choose the Policy tab.
   a  Choose a Contract Scope (optional).
   b  Choose a QoS Class (optional).
   c  Click + next to the Subject field to add a Contract Subject. In the Create Contract Subject dialog box, perform the following actions:
      a  Enter a Contract Subject Name.
      b  Click + next to Filter Chain. Note: For information regarding filter creation, see the "Filters" section.
5  Click Update.
6  Click OK.
7  Click Submit.

Remove Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts > Contract_Name.
4  In the Work pane, choose Actions > Delete.

Verify Contracts
REST :: /api/node/class/vzbrcp.xml
CLI  :: moquery -c vzbrcp

Apply/Remove EPG Contracts

Apply a Contract to an EPG
3  In the Navigation pane, choose Tenant_Name > Application Profiles > Application_Profile_Name > Application EPGs > EPG_Name > Contracts.
4  In the Work pane, choose Actions > Add Provided Contract or Actions > Add Consumed Contract. Note: Choose the action depending on how the contract is to be deployed.
5  In the Add Contract dialog box, perform the following actions:
   a  Enter a Contract_Name.
   b  Choose a QoS policy (optional).
   c  Choose a Label (optional).
6  Click Submit.

Remove a Contract from an EPG
3  In the Navigation pane, choose Tenant_Name > Application Profiles > Application_Profile_Name > Application EPGs > EPG_Name > Contracts > Contract_Name.
4  In the Work pane, choose Actions > Delete.

Verify Contracts on an EPG
Provider:
REST :: /api/node/class/fvrsprov.xml
CLI  :: moquery -c fvrsprov
Consumer:
REST :: /api/node/class/fvrscons.xml
CLI  :: moquery -c fvrscons

Apply/Remove External Network Contracts

Apply a Contract to an External Network
3  In the Navigation pane, choose Tenant_Name > Networking > External Routed Networks > Routed_Outside_Name > Networks > External_Network_Instance_Profile.
4  In the Work pane, click + next to either Add Provided Contract or Add Consumed Contract. Note: Make a selection depending on how the contract is to be deployed.
   a  Choose a Contract_Name.
   b  Choose a QoS Type.
   c  Choose a Match Criteria.
5  Click Update.

Remove a Contract from an External Network
3  In the Navigation pane, choose Tenant_Name > Networking > External Routed Networks > Routed_Outside_Name > Networks > External_Network_Instance_Profile.
4  In the Work pane, choose the Contract_Name and click x.

Verify External Network Contracts
Provider:
REST :: /api/node/class/fvrsprov.xml
CLI  :: moquery -c fvrsprov
Consumer:
REST :: /api/node/class/fvrscons.xml
CLI  :: moquery -c fvrscons

Applying or Removing VRF Contracts

To apply contracts to all endpoint groups within a VRF, contracts can be applied directly to the VRF. This concept is also referred to as the "vzany" endpoint group. It eases contract management by allowing the contract configuration for all endpoint groups within a VRF from a single location, as well as optimizing hardware resource consumption. For example, if a Cisco Application Centric Infrastructure (ACI) administrator has 100 endpoint groups that are all part of the same VRF, they can apply the contracts to this one vzany group under the VRF rather than to each endpoint group.

VRF-wide contracts are traditionally contracts that allow established traffic, which lets endpoint group contracts define traffic in only one direction, from consumer to provider, without the need to have reverse port forwarding enabled for TCP traffic. Since all endpoint groups within the VRF allow established traffic, reverse port forwarding is unnecessary in the contract applied to the endpoint group directly.

A quick trick to see whether contracts, or the lack thereof, are blocking traffic within the VRF in an ACI fabric is to unenforce the VRF. This allows communication between all endpoint groups within the VRF without the need for contracts. This is equivalent to applying the common tenant contract vzany to the VRF endpoint group.

Note: If there is a very large number of contracts within the VRF, it can take up to an hour or more to re-implement the contracts in the leaf switches when the VRF is moved back to enforced.

Applying a Contract to a VRF (vzany) Using the GUI
3  In the Navigation pane, choose Tenant_Name > Networking > Private Networks > Private_Network_Name > EPG Collection for Context.
4  In the Work pane, click + next to either Add Provided Contract or Add Consumed Contract. Note: Make a selection depending on how the contract is to be deployed.
   a  Enter a Contract_Name.
   b  Choose a QoS Type.
   c  Choose a Match Criteria.
5  Click Update.

Removing a Contract from a VRF (vzany) Using the GUI
3  In the Navigation pane, choose Tenant_Name > Networking > Private Networks > Private_Network_Name > EPG Collection for Context.
4  In the Work pane, choose the Contract_Name and click x.

Verifying VRF Contracts
The following API verifies a VRF's contracts:
/api/node/class/vzbrcp.xml
The following ishell command verifies a VRF's contracts:
admin@apic1:~> moquery -c vzbrcp
Filters

A filter is a group of filter entries that are aimed at filtering traffic. Each filter entry is a rule that allows or denies traffic that is classified based on TCP/IP header fields, such as Layer 3 protocol type or Layer 4 ports. The filter is defined on the contract that is associated with an endpoint group. This can be either incoming toward an endpoint group, outgoing away from an endpoint group, or both. A subject is an entity that connects the filter to the contract, thereby affecting the traffic between the endpoint groups that provide and consume this contract.

Filter Entry Configuration Parameters

When configuring a filter, the following options can be defined:

Name - The name of a filter entry.

EtherType - The EtherType of the filter entry. The EtherTypes are: ARP, FCOE, IP, MAC Security, MPLS Unicast, Trill, Unspecified.

ARP Flag - The Address Resolution Protocol flag for a filter entry. The filter entry is a combination of network traffic classification properties.

IP Protocol - The IP protocol for a filter entry. The filter entry is a combination of network traffic classification properties.

Match Only Fragments - Match only packet fragments. When enabled, the rule applies to any IP fragment with an offset that is greater than 0 (all IP fragments except the first). When disabled, the rule will not apply to IP fragments with an offset greater than 0, because TCP/UDP port information can only be checked in initial fragments.

Port Ranges (Source, Destination) - The port fields for the source and destination. You can define a single port by specifying the same value in the From and To fields, or you can define a range of ports from 0 to by specifying different values in the From and To fields. Instead of specifying a number, you can choose one of the following server types to use the pre-defined port of that type: HTTPS, SMTP, HTTP, FTP-Data, Unspecified, DNS, POP3, RTSP. The default is Unspecified.

TCP Session Rules - The TCP session rules for a filter entry. The filter entry is a combination of network traffic classification properties.

Creating Filters Using the GUI

The following procedure creates a filter using the GUI:

Procedure
Step 1  On the menu bar, choose Tenants > All Tenants.
Step 2  In the Work pane, double click the tenant's name.
Step 3  In the Navigation pane, choose Tenant tenant_name > Security Policies > Filters.
Step 4  In the Work pane, choose Actions > Create Filter.
Step 5  In the Create Filter dialog box, fill in the fields as required, except as specified below:
        a) In the Name field, enter a name for the filter.
        b) On the Entries table, click +.
Step 6  In the Entries table, fill in the fields as specified below:
        a) In the Name field, enter a name for the filter entry.
        b) In the Ethertype drop-down list, choose an ethertype.
        c) (Optional) In the ARP Flag drop-down list, choose an ARP flag.
        d) (Optional) In the IP Protocol drop-down list, choose an IP protocol.
        e) (Optional) If required, put a check in the Match Only Fragments check box.
        f) (Optional) In the Source Port From drop-down list, choose a source port.
        g) (Optional) In the Source Port To drop-down list, choose a source port.
        h) (Optional) In the Destination Port From drop-down list, choose a destination port.
        i) (Optional) In the Destination Port To drop-down list, choose a destination port.
        j) (Optional) In the TCP Session Rules drop-down list, choose a TCP session rule.
        k) Click Update.
Step 7  Click Submit.

Modifying Filters Using the GUI

The following procedure modifies a filter using the GUI:

Procedure
Step 1  On the menu bar, choose Tenants > All Tenants.
Step 2  In the Work pane, double click the tenant's name.
Step 3  In the Navigation pane, choose Tenant tenant_name > Security Policies > Filters > filter_name.
Step 4  In the Navigation pane, in the Entries table, double click the filter entry that you want to modify.
Step 5  Modify the values.
Step 6  Click Update.

Removing Filters Using the GUI
3  In the Navigation pane, choose Tenant_Name > Security Policies > Filters > Filter_Name.
4  In the Work pane, choose Actions > Delete.

Configuring Filters Using the NX-OS-Style CLI

Filters can be created and accessed in the NX-OS-style CLI through the tenant shell.

Procedure
Step 1  SSH to an APIC in the fabric.
        # ssh admin@node_name
Step 2  Enter the configure mode:
        apic1# configure
Step 3  Go to the desired tenant:
        apic1(config)# tenant tenant1
Step 4  Create a filter called "FilterHTTPS" with the entries "match tcp dest 80" and "match ip":
        apic1(config-tenant)# access-list FilterHTTPS
        apic1(config-tenant-acl)# match tcp dest 80
        apic1(config-tenant-acl)# match ip
        apic1(config-tenant-acl)# exit
Step 5  Access the contract to which you want to apply the "FilterHTTPS" filter:
        apic1(config-tenant)# contract WebHTTPS
Step 6  Create a subject "SubjectHTTPS", which will connect the filter to the contract. This way the same filter can be imposed on several contracts without having to create multiple filters with identical entries.
        apic1(config-tenant-contract)# subject SubjectHTTPS
Step 7  Tie the filter to the contract. You can use the filter to match traffic that is incoming to the endpoint group that is tied to the contract "WebHTTPS", to match traffic that is outgoing from the endpoint group that is tied to the contract, or both. The direction keyword of the access-group command is one of:
        both - match traffic in both directions
        in   - match traffic from provider to consumer
        out  - match traffic from consumer to provider
        apic1(config-tenant-contract-subj)# access-group FilterHTTPS both

Removing and Deleting Filters Using the NX-OS-Style CLI

Procedure
Step 1  The following command removes the filter association:
        apic1(config-tenant-contract-subj)# no access-group FilterHTTPS both
Step 2  The following command deletes the entire filter:
        apic1(config-tenant)# no access-list FilterHTTPS

Verifying Filters

You can use any of the following methods to verify the filters:
- In the GUI, navigate to the following location: Tenant_Name > Security Policies > Filters > Filter_Name
- Use the following API: /api/node/class/vzfilter.xml
- Enter the following NX-OS-style CLI command: apic1# show run
- Enter the following object model CLI command: admin@apic1:~> moquery -c vzfilter

Taboo Contracts

There may be times when the ACI administrator needs to deny traffic that is allowed by another contract. Taboos are a special type of contract that an ACI administrator can use to deny specific traffic that would otherwise be allowed by another contract. Taboos can be used to drop traffic matching a pattern (any EPG, a specific EPG, matching a filter, and so forth). Taboo rules are applied in the hardware before the rules of regular contracts are applied.
To imitate traditional networking concepts, an "allow-all-traffic" contract can be applied, with taboo contracts configured to restrict certain types of traffic.

Taboo Contract Configuration Parameters

When configuring taboo contracts you can define the following options:

Name - The name of the contract or contract object.
Subjects - The network domain name label. Labels enable classification of the objects which can and cannot communicate with one another (optional).
Directive - The filter directives assigned to the taboo contract.

Create/Modify/Delete Taboo Contracts

Create Taboo Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Taboo Contracts.
4  In the Work pane, choose Actions > Create Taboo Contract.
5  In the Create Taboo Contract dialog box, perform the following actions:
   a  Enter a Taboo Contract Name.
   b  Click + next to the Subject field to add a Taboo Subject.
      a  Enter a Filter Name.
      b  Choose Directives.
6  Click Update.
7  Click OK.
8  Click Submit.

Modify Taboo Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Taboo Contracts > Taboo_Contract_Name.
4  In the Work pane, choose the Policy tab.
   a  Click + next to the Subject field.
   b  In the Create Taboo Contract Subject dialog box, perform the following actions:
      a  Enter a Taboo Contract Subject Name.
      b  Click + in the Filter Chain field.
         a  Enter a Filter Name.
         b  Choose Directives.
5  Click Submit.

Delete Taboo Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Taboo Contracts > Taboo_Contract_Name.
4  In the Work pane, choose Actions > Delete.

Verify Taboo Contracts
REST :: /api/node/class/vztaboo.xml
CLI  :: moquery -c vztaboo

Apply/Remove Taboo Contracts

Apply a Taboo Contract to an EPG
3  In the Navigation pane, choose Tenant_Name > Application Profiles > Application_Profile_Name > Application EPGs > EPG_Name > Contracts.
4  In the Work pane, choose Actions > Add Taboo Contract.
5  In the Add Taboo Contract dialog box:
   a  Choose the Taboo Contract.
6  Click Submit.

Remove a Taboo Contract from an EPG
3  In the Navigation pane, choose Tenant_Name > Application Profiles > Application_Profile_Name > Application EPGs > EPG_Name > Contracts.
4  In the Work pane, choose the Taboo_Contract_Name > Actions > Delete.

Verify Taboo Contracts Applied to an EPG
Provider:
REST :: /api/node/class/fvrsprov.xml
CLI  :: moquery -c fvrsprov
Consumer:
REST :: /api/node/class/fvrscons.xml
CLI  :: moquery -c fvrscons

Inter-Tenant Contracts

Configuration Parameters

There may be times when the ACI administrator needs to allow traffic between two tenants. Interface contracts are a special type of contract that an ACI administrator can use to allow specific traffic through the use of a contract export. The contract in essence is exported from the source tenant and imported into the target tenant. Similar to traditional contracts, the source EPG will be of type provider. However, in the target tenant the contract is imported as type contract interface. Some use case examples show the complete process in the next chapter.

When importing a contract, the following options can be defined:

Name - The name of the contract interface.
Global Contract - Name of a service contract to be shared between two or more participating peer entities.
Tenant - The tenant name of the targeted export contract.

Create/Modify/Remove Export Contracts

Export Contract
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts.
4  In the Work pane, choose Actions > Export Contract.
5  In the Export Contract dialog box, perform the following actions:
   a  Enter an Export Contract Name.
   b  Choose the Global Contract.
   c  Enter the Tenant Name.
6  Click Finish.

Modify Exported Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts > Contract_Name.
4  In the Work pane, choose the Policy tab.
   a  Enter an Export Contract Name.
   b  Choose the Global Contract.
   c  Enter the Tenant Name.
5  Click Finish.

Remove Exported Contracts
3  In the Navigation pane, choose Tenant_Name > Security Policies > Contracts > Imported Contracts > Contract_Name.
4  In the Work pane, choose Actions > Delete.

Verify Exported Contracts
REST :: /api/node/class/vzcpif.xml
CLI  :: moquery -c vzcpif

Ingress-Based ACLs

The main purpose of the ingress-based ACL feature is to save resources on the border leaf. In this policy enforcement model, the policy is applied only on non-border leafs, thereby reducing zone-rule consumption on border leafs. This enforcement direction policy is applied at the VRF level and allows for backward compatibility with the previous policy enforcement model. The policy enforcement direction for this new model is as follows:
1  Host to WAN - The policy is applied on the non-border leaf.
2  WAN to Host - The policy is applied on the non-border leaf regardless of whether or not the endpoint group is learned on the border leaf.
3  WAN to WAN - The policy is applied on the ingress border leaf.

This feature is not compatible with the transit routing, vzany, and taboo contract use cases. Transit routing rules are already applied at ingress.
Configuring Ingress-Based ACLs Using the GUI

Policy control enforcement direction is applied on the VRF.

Procedure
Step 1  On the menu bar, choose Tenant > All TENANTS.
Step 2  In the Work pane, double click the tenant's name.
Step 3  In the Navigation pane, choose Networking > VRFs > VRF_Name.
Step 4  In the Work pane, set Policy Control Enforcement Direction to Ingress.
Step 5  Click Submit.
Step 6  Verify the policy usage, then click Submit Changes.

Verifying Ingress-Based ACLs

The following ishell command verifies the ingress-based ACLs:
admin@apic1:~> moquery -c fvCtx -f 'fv.Ctx.name=="vrf-name"'

The following hardware CLI commands verify the ingress-based ACLs:
# vsh_lc
module-1# show system internal eltmc info vrf name

Contracts Use Cases

These use cases all assume the objective is for a host in EPG-1 to talk to a host in EPG-2, achieving bidirectional traffic. How these scenarios are implemented will depend on the operational model chosen, and whether the system is more focused on object re-use or tenant autonomy. Review the Contracts section on Contract Scoping for a more detailed discussion. These are some common scenarios:
1  Inter-Tenant Contracts
2  Inter-Private Network Contracts
3  Single Contract Bidirectional forwarding with reverse filter
4  Single Contract Unidirectional with multiple Filters
5  Multiple Contracts Unidirectional with single Filter

Inter-Tenant Contracts

ACME Inc., as with most companies, makes use of shared services such as DNS for name resolution and Active Directory for user management. These services will be used across most of their tenants, and so ACME Inc. must allow this traffic across the whole fabric. Communication between EPGs that belong to different tenants is only allowed when they share the same contract. To use the same contract, it will need to be exported from the source tenant to the appropriate destination tenant. That contract will appear under the Imported Contracts section in the Security Policies of the destination tenant. A Consumed Contract Interface will be used to associate an EPG from the destination tenant with the imported contract.

Note: A contract consumption interface represents one or more subjects defined under the contract. By associating to an interface, an endpoint group starts consuming all the subjects represented by the interface.

In the use case below, EPG-1 in tenant Cisco-1 requires communication with EPG-2 in tenant Cisco-2. This is accomplished by utilizing contract interfaces. In tenant Cisco-1 the user will export the intended contract and select provider to provide the contract to EPG-2. The user will then confirm the imported contract in tenant Cisco-2 and select the contract as consumed. To advertise the routes from the source VRF to the intended VRF, the user must create the subnet within the EPG.

Figure 2: Exporting Contracts Between Tenants

Tenant Cisco-1/EPG-1
1  Create an Export Contract under Security Policies.
2  Create the host subnet (default gateway IP) under EPG1 - subnet scope shared.
3  Add the Contract under EPG1 - contract type provider.
4  Create the host subnet under the bridge domain - subnet scope private/public.

Tenant Cisco-2/EPG-2
1  Confirm the exported contract is listed under Imported Contracts.
2  Create the host subnet (default gateway IP) under EPG2 - subnet scope shared.
3  Add the Interface Contract under EPG2 - contract type consumed.
4  Create the host subnet (default gateway IP) under the bridge domain - subnet scope private/public.
Contracts Use Cases

Inter-Private Network Contracts Communication

In the use case below, EPG-1 in VRF Cisco-1 requires communication with EPG-2 in VRF Cisco-2. This is accomplished by using the subnet field within the EPG. By creating the subnet under the EPG and selecting shared, the route is leaked to the VRF noted within the Tenant-scoped contract.

Figure 3: Exporting Contracts Between Private Networks

1. Create the contract under Security Policies - contract scope Tenant.
2. (Tenant Cisco-1/EPG-1) Create the host subnet (default Gateway IP) under EPG1 - subnet scope shared.
3. Add the Contract under EPG1 - contract type provider.
4. (Tenant Cisco-1/EPG-2) Create the host subnet (default Gateway IP) under EPG2 - subnet scope shared.
5. Add the Contract under EPG2 - contract type provider.

Single Contract Bidirectional Reverse Filter

This use case is useful when implementing a contract with the option to apply the contract subject in both directions and with the option to apply the reverse filter. This is the most common of the use cases and allows a single subject/filter to be implemented with a single Provider/Consumer relationship.

In the use case below, EPG-1 is providing a contract with a subject of www and EPG-2 is consuming the contract. This allows the Web Client in EPG-2 to access the Web Server in EPG-1; that is, EPG-1 is providing a service to EPG-2.

Figure 4: Default Bi-directional Contract with Reverse Filter

Result: A single contract with (1) Subject and (1) Filter with a single provider and a single consumer. In this example, www.

Single Contract Unidirectional with Multiple Filters

This use case involves implementing a contract without the option to apply the contract subject in both directions. When that option is deselected, the reverse filter option is no longer available.

In the use case below, EPG-1 is providing a contract with a subject of icmp and EPG-2 is consuming the contract. This allows the Host in EPG-1 to access the Host in EPG-2 via icmp. When using a single subject without "Apply Both Directions," two filters must be configured, one in each direction.

Figure 5: Single Contract, Single Unidirectional Subject, Multiple Filters

Result: A single contract with (1) Subject and (2) Filters and a single provider and a single consumer. In this example, icmp.

Multiple Contracts Uni-Directional Single Filter

This use case is useful when implementing a contract with the option to apply the contract subject in both directions, and without the option to apply the reverse filter. This gives the end user the most granularity when deploying contracts, but is also the most comprehensive to configure.

In the use case below, EPG-1 is providing a contract with a subject of www and EPG-2 is consuming the contract. This allows the Web Client in EPG-2 to access the Web Server in EPG-1. That is, EPG-1 is providing a service to EPG-2.

Figure 6: Multiple Contracts, Unidirectional Subjects, Single Filters

Result: Two contracts with (1) Subject and (1) Filter each. Each contract has a single provider and a single consumer referencing the same contract. The difference here is that the contract is explicitly applied in BOTH directions.
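The following Python is an added example, not code from the Cisco document: it models how the subject options "Apply Both Directions" and "Reverse Filter Ports" turn one filter entry into the per-direction permit rules the leaf enforces, and checks which flows each of the use cases above (www bidirectional with reverse filter, icmp unidirectional with two filters, and www with reverse filter switched off) permits between EPG-1 and EPG-2. The Entry, Rule, Subject, expand and permits names are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not Cisco's code. Class and function names are my own;
# EPG-1 (provider), EPG-2 (consumer), www and icmp come from the text.


@dataclass(frozen=True)
class Entry:
    """One filter entry: L4 protocol plus an optional destination port."""
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None = any port (or not applicable for icmp)


@dataclass(frozen=True)
class Rule:
    """One effective permit rule, like one ACL line on the leaf. A None port
    matches any port."""
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]

    def matches(self, src, dst, proto, sport, dport) -> bool:
        return (self.src == src and self.dst == dst and self.proto == proto
                and self.sport in (None, sport) and self.dport in (None, dport))


@dataclass
class Subject:
    name: str
    apply_both_directions: bool = True
    reverse_filter_ports: bool = True
    # used when apply_both_directions is True
    filters: List[Entry] = field(default_factory=list)
    # used when apply_both_directions is False: one filter list per direction
    consumer_to_provider: List[Entry] = field(default_factory=list)
    provider_to_consumer: List[Entry] = field(default_factory=list)


def expand(subject: Subject, consumer: str, provider: str) -> List[Rule]:
    """Expand a subject into the rules programmed between consumer and provider."""
    rules: List[Rule] = []
    if subject.apply_both_directions:
        for e in subject.filters:
            # consumer -> provider: the entry is applied as written
            rules.append(Rule(consumer, provider, e.proto, None, e.dport))
            if subject.reverse_filter_ports:
                # provider -> consumer with ports swapped: only replies match
                rules.append(Rule(provider, consumer, e.proto, e.dport, None))
            else:
                # provider -> consumer with the same ports: the provider may
                # open connections to that port on the consumer, and replies
                # from the provider's port do not match
                rules.append(Rule(provider, consumer, e.proto, None, e.dport))
    else:
        for e in subject.consumer_to_provider:
            rules.append(Rule(consumer, provider, e.proto, None, e.dport))
        for e in subject.provider_to_consumer:
            rules.append(Rule(provider, consumer, e.proto, None, e.dport))
    return rules


def permits(rules: List[Rule], src, dst, proto, sport=None, dport=None) -> bool:
    """True if any rule permits the given flow (None = port not specified)."""
    return any(r.matches(src, dst, proto, sport, dport) for r in rules)


# Use case: single contract, apply both directions, reverse filter (defaults)
WWW_BIDIR = Subject("www", filters=[Entry("tcp", 80)])
# Use case: single unidirectional subject, one icmp filter per direction
ICMP_UNIDIR = Subject("icmp", apply_both_directions=False,
                      consumer_to_provider=[Entry("icmp")],
                      provider_to_consumer=[Entry("icmp")])
# Variant: both directions but reverse filter ports switched off
WWW_NO_REVERSE = Subject("www", reverse_filter_ports=False,
                         filters=[Entry("tcp", 80)])

if __name__ == "__main__":
    for subj in (WWW_BIDIR, ICMP_UNIDIR, WWW_NO_REVERSE):
        print(f"{subj.name}: both={subj.apply_both_directions} "
              f"reverse={subj.reverse_filter_ports}")
        rules = expand(subj, consumer="EPG-2", provider="EPG-1")
        for r in rules:
            print("  ", r)
        # client in EPG-2 (ephemeral port 51000) talking to the web server
        print("   client->server:", permits(rules, "EPG-2", "EPG-1", "tcp", 51000, 80))
        print("   server reply  :", permits(rules, "EPG-1", "EPG-2", "tcp", 80, 51000))
        print("   server-initiated to client:80:",
              permits(rules, "EPG-1", "EPG-2", "tcp", 51000, 80))
```

Switching reverse filter ports off widens the provider-to-consumer rule to any provider-initiated connection on port 80 while no longer matching the server's replies, which is why the default combination is the one the document recommends for the www case.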