Cisco ACI Contracts and Filters - Explanation and Configuration

In the realm of modern networking, Cisco's Application Centric Infrastructure (ACI) stands out for its ability to streamline and secure application deployment. A critical component of ACI is the use of contracts and filters, which govern how different application endpoints communicate with one another.

Understanding these elements is essential for network architects and administrators who aim to optimize application performance while maintaining robust security measures. This is also covered in our IT infrastructure training courses.

This article discusses the Cisco ACI contracts and filters, providing a comprehensive overview of their functionalities and significance within the ACI framework. It will also guide you through the configuration process, ensuring you have the knowledge needed to implement these features effectively.

What are ACI Contracts?

Contracts in Cisco ACI serve as a set of rules that define how different endpoint groups (EPGs) communicate with one another. They establish policies that dictate which types of traffic are permitted or denied between EPGs, thereby controlling access and enhancing security.

By utilizing contracts, network administrators can ensure that only authorized traffic flows between applications, minimizing potential vulnerabilities.

Online Cisco ACI Training ClassJoin the live class and learn concepts of Cisco ACI.Explore course

What are ACI Filters?

Filters in Cisco ACI are used to specify the criteria for traffic that can be allowed or denied within a contract. These filters define parameters such as source and destination IP addresses, ports, and protocols.

By applying filters, organizations can fine-tune their network policies, ensuring that only relevant traffic is processed, which optimizes performance and enhances security across the network fabric.

Network Lab Topology

We will use the Cisco ACI virtual lab, which consists of the following virtual machines:

● vCenter Server (also used as the RDP jump box)

● ACI Simulator – release version 0.1e

● APIC-1

● Leafl and Leaf2

● Spine-1

● ESXi-1

● ESXi-2

● Linux

How to Create and Configure Filters and Contracts

In this section, we will do two tasks:

● Creating Filters

● Creating Contracts

Explanation

To build the foundation of the application profile, it is necessary to create filters within our tenant that will be utilized by the contracts. Those contracts will then be associated with EPGs that will make up our 3-tier application profile. The following are tasks that will be completed in this section of the lab.

Creating Filters:

Note: PLEASE MAKE SURE THAT YOU ARE ON THE “Uninets” TENANT BEFORE CREATING FILTERS AND CONTRACTS

Create Web Filter

In this portion of the lab, we will first create a Web Server Filter

1) In the Uninets tenant, expand the “Security Policies” window on the left-‐hand panel

2) Select the “Filters” section

3) on the right-‐hand panel, click on the “ACTIONS” button

4) Select “Create Filter”

Configure Web Filter:

1) In the “Name” window, type in Web_Filter

2) On the “Entries:” window, click on the “+” and a new entry window will Please provide the following information under each window:

● Name: web_filter

● EtherType: IP

● ARP Flag: Nothing

● IP Protocol: tcp

● Source Port/Range (From): Unspecified

● Source Port/Range (To): Unspecified

● Destination Port/Range (From): http

● Destination Port/Range (To): http

● TCP Session Rules: Unspecified

3) Click on “UPDATE”

4) Once the “UPDATE” button is clicked, the “SUBMIT” button will be active. Please click on “SUBMIT” to create the web

Create App Filter

1) Click on the “ACTIONS” button

2) Select “Create Filter”

Configure App Filter

1) In the “Name” window, type in App_Filter

2) On the “Entries:” window, click on the “+” and a new entry window will appear. Please provide the following information under each window:

● Name: app_filter

● EtherType: IP

● ARP Flag:

● IP Protocol: tcp

● Source Port/Range (From): Unspecified

● Source Port/Range (To): Unspecified

● Destination Port/Range (From): 1433

● Destination Port/Range (To): 1433

● TCP Session Rules: Unspecified

Note:

When entering in “1433” into the window for “Destination Port/Range (From)” and “Destination Port/Range (To)”, make sure that you do not hit the tab key after entering in 1433.

If you do so, the window may choose “https” or another entry in the options. So make sure that after you enter 1433, that the window shows 1433.

3) Click on “UPDATE”

Create DB Filter

We will now create a Database Server filter

1) Click on the “ACTIONS” button

2) Select “Create Filter”

Configure DB Filter

1) In the “Name” window, type in DB_Filter

2) On the “Entries:” window, click on the “+” and a new entry window will appear. Please provide the following information under each window:

● Name: db_filter

● EtherType: IP

● ARP Flag:

● IP Protocol: tcp

● Source Port/Range (From): Unspecified

● Source Port/Range (To): Unspecified

● Destination Port/Range (From): 1521

● Destination Port/Range (To): 1521

● TCP Session Rules: Unspecified

Click on “UPDATE”

Screen Shots for All Filter Created.

Creating Contracts

With the filters created, we will now create the contracts that will use those filters. Please follow the procedures below to create the various contracts and associate the filters to those contracts.

Create Web Contract

We will first create a Web Server Contract

1) In the Uninets tenant, expand the “Security Policies” window on the left-‐hand panel

2) Select the “Contracts” section

3) On the right-‐hand panel, click on the “ACTIONS” button

4) Select “Create Contract”

Configure Web Contract

Let's Create Contracts as mentioned:

1) In the “Name” window, type in Web_Con

2) Leave the other boxes default and click on the “+” next to “Subjects:”

Adding Subjects to the Contract

1) In the “Name” window, type in web_subj

2) Make sure both “Reverse Filter Ports” and “Apply Both Directions” check box is checked

3) Under the “Filter Chain” window, click on the “+” sign to add a filter

4) From the drop-‐down arrow, click on that arrowto show the listof filters and select “Web_Filter” under the “Uninets” tenant

5) Once selected, click on “Update”

Finalizing the Filter Chain Selection

1) Click on “OK” to complete the filter chain selection

2) Please click on the “SUBMIT” button to create the web server

3) We will now create an Application Server Contract and DB Contracts. In same

Screen Shots for App Contracts and its association with App_Filter

Screen Shots for DB Contracts and its association with DB_Filter 

The figure will show you