Group Based Policy Model

Define Application Policy

Go To Project | Policy | Application Policy and define the policies as follows:

A Policy Action is an abstract definition of what a policy does with matching traffic. Cisco ACI is a whitelisting technology, therefore only the ALLOW action is supported: anything not explicitly allowed by a contract is dropped.

Define the Policy Action by going to the Policy Actions section, clicking Create Policy Action, entering the name of the action (e.g. ALLOW), selecting the action ALLOW and clicking Create Policy Action.

Ultimum OpenStack Cisco ACI - Create Policy Action

Define Groups

We will create two groups, group-provider and group-consumer, and show how to create a contract that allows an ssh connection between them.

Go To Project | Policy | Groups. In the Internal tab, click Create Internal Group, enter the group name group-provider and click Next.

Ultimum OpenStack Cisco ACI - Create Group

Now we name the Contract contract1 and click Next.

Ultimum OpenStack Cisco ACI - Create Contract/EPG

A Policy Rule Set contains a group of Policy Rules. We add a new Policy Rule for SSH by clicking +.

Ultimum OpenStack Cisco ACI - Create Policy Rule

Provide name ssh-policy and then click Next.

Ultimum OpenStack Cisco ACI - Create Policy Rule

A Policy Rule consists of one or more Policy Classifiers. A Policy Classifier is an abstract definition of an allowed protocol, which can include a range of ports in a specified direction. Click + to create a new Policy Classifier.

Ultimum OpenStack Cisco ACI - Create Policy Rule

Specify the parameters of the SSH protocol, then click Create Policy Classifier.

Ultimum OpenStack Cisco ACI - Create Policy Classifier

Then confirm that the ssh policy classifier is to be used by clicking Next.

Ultimum OpenStack Cisco ACI - Create Policy Classifier

Then confirm that the ssh-policy rule is to be used by clicking Next.

Ultimum OpenStack Cisco ACI - Create Policy

Then confirm contract1 as the provided Policy Rule Set by clicking Next.

Ultimum OpenStack Cisco ACI - Create Policy Rule Set

After these steps, the newly created group is shown in the Internal groups list:

Ultimum OpenStack Cisco ACI - Group Created

Now, if you go to the APIC interface, you can see the EPG diagram under Tenants | | Application Profiles | openstack_app | Application EPGs:

Ultimum OpenStack Cisco ACI - Group Created

Notice the Shd_group-provider... EPG, which is a shadow EPG used for infrastructure DHCP and other infrastructure services.

We will now repeat a similar process for group-consumer. In the Internal tab, click Create Internal Group, enter the group name group-consumer and click Next.

Ultimum OpenStack Cisco ACI - APIC Create Group

Choose contract1 as the consumed contract and click Next.

Ultimum OpenStack Cisco ACI - APIC Create Group

Here we can choose which Network Policy the Group should be placed in. We choose Default, as we want OpenStack to create a new Bridge Domain for this Contract.

Ultimum OpenStack Cisco ACI - Network Policy

After we click Next, group-consumer is successfully created.

Ultimum OpenStack Cisco ACI - Group Created

In APIC we can see that the corresponding EPGs and Contracts have been created according to our definition.

Launching instances

We will now launch an instance in each of the defined Groups. In the Internal tab, click the group-provider group. You will see an empty list of members. Click the Create Member button.

Ultimum OpenStack Cisco ACI - Create Member

Specify the instance name vm-provider and the image.

Ultimum OpenStack Cisco ACI - Create Member

In the Groups tab, choose group-provider as the group.

Ultimum OpenStack Cisco ACI - Create Member

You should see the new instance in the dashboard. Notice that the IP of vm-provider is 10.0.0.2.

Ultimum OpenStack Cisco ACI - Create Member

Repeat a similar process for group-consumer, so that you also have a vm-consumer instance in group-consumer.

Ultimum OpenStack Cisco ACI - Create Member

Now go to the console of the vm-consumer instance and try to ssh to 10.0.0.2. You will get a "Permission denied" message from ssh. This means the TCP connection itself was established and answered by the ssh server on vm-provider, i.e. the contract allows an ssh connection from vm-consumer to vm-provider; only the authentication was refused.

Ultimum OpenStack Cisco ACI - Create Member

However, if you try to ssh to 10.0.1.2 from vm-provider you will not get any response, because the contract and its allowed Policy Classifier are one-directional: only traffic from the consumer to the provider on the classified port is permitted.

Ultimum OpenStack Cisco ACI - Create Member
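The two tests above (ssh from vm-consumer to vm-provider answered, the reverse direction silently dropped) follow from the whitelist and direction semantics of the contract. The following added example is not part of the Ultimum tutorial or of the GBP/ACI code; it is a small, self-contained model of how a Policy Rule Set is evaluated between a providing and a consuming group. Object names mirror the tutorial (ALLOW, ssh-policy, contract1, group-provider, group-consumer), the evaluation logic is a simplified model of GBP semantics assumed for illustration, and the classifier direction follows the GBP convention that "in" means consumer to provider relative to the providing group.

```python
# Added example (not part of the Ultimum tutorial or the GBP/ACI code base):
# a simplified, assumed model of Group Based Policy contract evaluation that
# reproduces the behaviour observed at the end of the tutorial.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PolicyAction:
    name: str
    action_type: str = "allow"  # ACI is whitelist-only: ALLOW is the only action type


@dataclass(frozen=True)
class PolicyClassifier:
    """Protocol, port range and direction relative to the providing group:
    "in" = consumer -> provider, "out" = provider -> consumer, "bi" = both."""
    name: str
    protocol: str
    port_range: Optional[Tuple[int, int]]  # None means any port
    direction: str

    def matches(self, protocol: str, port: int, direction: str) -> bool:
        if protocol != self.protocol:
            return False
        if self.port_range is not None and not (self.port_range[0] <= port <= self.port_range[1]):
            return False
        return self.direction in ("bi", direction)


@dataclass(frozen=True)
class PolicyRule:
    name: str
    classifier: PolicyClassifier
    actions: Tuple[PolicyAction, ...]


@dataclass(frozen=True)
class PolicyRuleSet:
    """The Policy Rule Set, i.e. the Contract in ACI terms."""
    name: str
    rules: Tuple[PolicyRule, ...]

    def permits(self, protocol: str, port: int, direction: str) -> bool:
        return any(
            r.classifier.matches(protocol, port, direction)
            and any(a.action_type == "allow" for a in r.actions)
            for r in self.rules
        )


@dataclass
class Group:
    """A GBP Group, rendered as an EPG in APIC; keyed by contract name."""
    name: str
    provided: Dict[str, PolicyRuleSet] = field(default_factory=dict)
    consumed: Dict[str, PolicyRuleSet] = field(default_factory=dict)


def connection_allowed(src: Group, dst: Group, protocol: str, port: int) -> bool:
    """Whitelist check for a new connection from a member of src to a member of dst.
    Without a shared contract holding a matching ALLOW rule the answer is False."""
    # src consumes a contract that dst provides: traffic flows "in" to the provider
    for name, prs in dst.provided.items():
        if name in src.consumed and prs.permits(protocol, port, "in"):
            return True
    # src provides a contract that dst consumes: traffic flows "out" of the provider
    for name, prs in src.provided.items():
        if name in dst.consumed and prs.permits(protocol, port, "out"):
            return True
    return False


def build_tutorial_policy(direction: str = "in") -> Tuple[Group, Group]:
    """Constructed objects mirroring the tutorial: ALLOW action, tcp/22 classifier,
    ssh-policy rule and contract1, provided by group-provider (vm-provider, 10.0.0.2)
    and consumed by group-consumer (vm-consumer, 10.0.1.2). The default direction
    "in" is the one-directional setup the tutorial ends with."""
    allow = PolicyAction("ALLOW")
    ssh = PolicyClassifier("ssh", "tcp", (22, 22), direction)
    contract1 = PolicyRuleSet("contract1", (PolicyRule("ssh-policy", ssh, (allow,)),))
    provider = Group("group-provider", provided={"contract1": contract1})
    consumer = Group("group-consumer", consumed={"contract1": contract1})
    return provider, consumer


if __name__ == "__main__":
    provider, consumer = build_tutorial_policy()
    # ssh from vm-consumer to vm-provider reaches the server ("Permission denied")
    print("consumer -> provider tcp/22:", connection_allowed(consumer, provider, "tcp", 22))
    # ssh from vm-provider to vm-consumer is dropped by the fabric (no response)
    print("provider -> consumer tcp/22:", connection_allowed(provider, consumer, "tcp", 22))
    # anything outside the classifier is dropped as well (whitelist default deny)
    print("consumer -> provider tcp/80:", connection_allowed(consumer, provider, "tcp", 80))
```

Changing the classifier direction to "bi" in build_tutorial_policy() is the model's equivalent of making the contract bidirectional, which would be required for the second ssh attempt in the tutorial to get an answer. The model evaluates connection initiation only; reply packets of an allowed connection are handled by the fabric and are not modelled here.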
