Define Application Policy
Go to Project | Policy | Application Policy and define the policies as follows:
A Policy Action is an abstract definition of what a policy does. Cisco ACI is a whitelisting technology, therefore only the ALLOW action is supported.
Define a Policy Action by going to the Policy Actions section, clicking Create Policy Action, entering the name of the action, e.g. ALLOW, selecting the action ALLOW and clicking Create Policy Action.
We will create two groups, group-provider and group-consumer, and show how to create a contract for an SSH connection between the two groups.
Go to Project | Policy | Groups. In the Internal tab, click Create Internal Group, enter the name of the group, group-provider, and click Next.
Now we will name the Contract contract1 and click Next.
A Policy Rule Set contains a group of Policy Rules. We will add a new Policy Rule for SSH by clicking +, naming it ssh-policy and then clicking Next.
A Policy Rule consists of one or more Policy Classifiers. A Policy Classifier is an abstract definition of an allowed protocol, which can be a range of ports in a specified direction. Click + to create a new Policy Classifier.
Specify the parameters of the SSH protocol, then click Create Policy Classifier.
Then confirm that the ssh policy classifier is to be used by clicking Next.
Then confirm that the ssh-policy policy rule is to be used by clicking Next.
Then confirm contract1 as the provided Policy Rule Set by clicking Next.
After these steps, the newly created group is shown in the Internal groups list:
Now if you go to the APIC interface and look at the EPG diagram in Tenants | | Application Profiles | openstack_app | Application EPGs, you will also see Shd_group-provider..., which is an EPG for infrastructure DHCP and other infrastructure services.
We will now repeat a similar process for group-consumer. In the Internal tab, click Create Internal Group, enter the name of the group, group-consumer, and click Next.
Choose contract1 as the consumed contract and click Next.
Here we can choose which Network Policy the Group should be placed in. We choose Default, as we want OpenStack to create a new Bridge Domain for this Contract.
After we click Next, group-consumer is successfully created.
We see in APIC that the corresponding EPG and Contracts have been created according to our definition.
We will now launch an instance in each of the defined Groups. In the Internal tab, click the group-provider group. You will see an empty list of members. Click the Create Member button.
Specify the name of the instance, vm-provider, and the image.
In the Groups tab, choose group-provider as the group.
You should see a new instance in the dashboard. Notice the IP of
Repeat a similar process for group-consumer so that you also have a vm-consumer instance in
Now go to the console of the vm-consumer instance and try ssh 10.0.0.2. You will get the message from ssh that permission is denied, which means we can create an ssh connection from
However, if you try ssh 10.0.1.2 from vm-provider, you will not get any response, since the contract's Policy Classifier allows the protocol in one direction only.
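The same objects built above through the dashboard can be created from the command line. The script below is an added example, not part of this tutorial, and uses the OpenStack GBP client (`gbp`) together with the `openstack` CLI; it assumes both are installed with OS_* credentials exported, that the client accepts the neutron-style `-f value -c port_id` output flags, and that IMAGE and FLAVOR are placeholders you replace. With DRY_RUN=1 (the default) it only prints the commands so the sequence can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: reproduce the tutorial's policy chain with the GBP CLI.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

# Commands that build the policy objects, in dependency order: the rule set
# references the rule, the rule references the classifier and the action,
# and the two groups reference the rule set (provided vs. consumed).
policy_commands() {
    # Cisco ACI is whitelist-only, so 'allow' is the only action type used.
    echo "gbp policy-action-create ALLOW --action-type allow"
    # SSH is TCP/22. '--direction in' permits connections *into* the provider
    # only, which is why vm-provider cannot ssh back to vm-consumer.
    # Use '--direction bi' if both sides must be able to initiate.
    echo "gbp policy-classifier-create ssh --protocol tcp --port-range 22 --direction in"
    echo "gbp policy-rule-create ssh-policy --classifier ssh --actions ALLOW"
    echo "gbp policy-rule-set-create contract1 --policy-rules ssh-policy"
    # group-provider offers contract1, group-consumer is allowed to use it.
    echo "gbp group-create group-provider --provided-policy-rule-sets contract1=true"
    echo "gbp group-create group-consumer --consumed-policy-rule-sets contract1=true"
}

# A group member is a policy target; the VM boots on the port it owns.
# IMAGE and FLAVOR are placeholders for your own image and flavor names.
member_commands() {
    for side in provider consumer; do
        echo "gbp policy-target-create vm-$side --policy-target-group group-$side"
        echo "openstack server create vm-$side --image IMAGE --flavor FLAVOR --nic port-id=\$(gbp policy-target-show vm-$side -f value -c port_id)"
    done
}

apply_policy() {
    if [ "$DRY_RUN" = "1" ]; then
        policy_commands; member_commands
    else
        # Stop at the first failing command so later objects are not created
        # against missing dependencies.
        { policy_commands; member_commands; } | sh -e
    fi
}

apply_policy
```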
Last modified: Nov. 7, 2017