Traffic Filtering in Cisco ACI
ACI classifies endpoints into EPGs (endpoint groups) and filters traffic based on which EPG is allowed to talk to which other EPG.
The VXLAN header carries the following EPG information:
- Source class (S_Class): the EPG of the source endpoint
- Destination class (D_Class): the EPG of the destination endpoint
- Class identifier (Class_ID): the number that identifies an EPG
An ACI leaf has two options for where the policy filter is applied when it forwards a packet from a locally connected endpoint:
- If the destination is a remote endpoint whose EPG information is already cached locally, the policy is applied on the ingress leaf.
- If the leaf has not yet cached the destination endpoint's information, the policy is applied on the egress leaf. In this case the policy_applied bit in the VXLAN header is turned off, which indicates that the policy must be applied on the egress leaf only.
- When a packet arrives with the policy not yet applied, the receiving leaf looks up the destination IP/MAC of the packet in its LST (Local Station Table), derives the destination EPG from it, and applies the filtering policy using that destination EPG together with the source EPG carried in the VXLAN header.
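The following is an added model of the decision logic described above, written for this page and not Cisco's code. It simulates two leaves: the ingress leaf enforces the contract locally when the destination EPG is cached and otherwise clears the policy_applied bit, and the egress leaf derives the destination class from its LST only when that bit is off. The class IDs, addresses, contract rules and the "apply in both directions" behaviour are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """The VXLAN fields discussed above: source class, destination class, policy-applied bit."""
    src: str
    dst: str
    s_class: int = 0
    d_class: int = 0
    policy_applied: bool = False

@dataclass
class Leaf:
    name: str
    lst: dict        # Local Station Table: locally attached endpoint -> EPG class ID
    cache: dict      # remote endpoints learned from conversations -> EPG class ID
    contracts: set   # constructed filter rules: permitted (class, class) pairs

    def permitted(self, a, b):
        # assumption: a contract is modelled as permitting traffic in both directions
        return (a, b) in self.contracts or (b, a) in self.contracts

    def ingress(self, pkt):
        """A locally attached endpoint sends a packet; returns this leaf's decision."""
        pkt.s_class = self.lst[pkt.src]
        d_class = self.lst.get(pkt.dst, self.cache.get(pkt.dst))
        if d_class is None:
            # destination EPG not cached: clear policy_applied so the egress leaf enforces
            pkt.d_class, pkt.policy_applied = 0, False
            return "forward"
        pkt.d_class, pkt.policy_applied = d_class, True   # enforce here, mark as done
        return "permit" if self.permitted(pkt.s_class, d_class) else "deny"

    def egress(self, pkt):
        """A packet arrives from the fabric for a locally attached endpoint."""
        self.cache[pkt.src] = pkt.s_class   # learn the remote endpoint from this conversation
        if pkt.policy_applied:
            return "permit"                 # contract already enforced at the ingress leaf
        pkt.d_class = self.lst[pkt.dst]     # derive the destination EPG from the LST
        return "permit" if self.permitted(pkt.s_class, pkt.d_class) else "deny"

def demo():
    """Constructed walk-through: one permitted flow, its return traffic, one flow without a contract."""
    rules = {(100, 200)}   # constructed: EPG 100 may talk to EPG 200
    leaf1 = Leaf("leaf1", {"10.0.1.10": 100, "10.0.1.30": 300}, {}, rules)
    leaf2 = Leaf("leaf2", {"10.0.2.20": 200}, {}, rules)
    fwd = Packet("10.0.1.10", "10.0.2.20")
    a1 = leaf1.ingress(fwd)   # "forward": EPG of 10.0.2.20 is not cached on leaf1
    a2 = leaf2.egress(fwd)    # "permit": leaf2 derives d_class 200 from its LST
    rev = Packet("10.0.2.20", "10.0.1.10")
    a3 = leaf2.ingress(rev)   # "permit": leaf2 cached 10.0.1.10 and enforces locally
    a4 = leaf1.egress(rev)    # "permit": policy_applied bit set, no further lookup
    bad = Packet("10.0.1.30", "10.0.2.20")
    a5 = leaf1.ingress(bad)   # "deny": leaf1 now has 10.0.2.20 cached and drops locally
    return [a1, a2, a3, a4, a5]
```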
For endpoints outside the fabric, the ACI leaf's forwarding option depends on whether egress or ingress policy control is in use:
- Egress policy control: endpoint-to-outside traffic is always filtered on the border leaf once the EPG has been learned. The border leaf learns the endpoint information in its GST from active conversations.
- Ingress policy control: outside-to-endpoint and endpoint-to-outside traffic is always filtered at the leaf to which the host is locally attached. In this case the GST on the border leaf does not learn endpoint addresses.
Contracts define the filtering rules, which are programmed into the policy content-addressable memory (CAM) on the leaf nodes within the ACI fabric. A contract contains filters, and the filters contain the exact filtering rules that are applied between EPGs.