Mukesh Chanderia

pcTag (zoning-rule) & Policy TCAM

Updated: Sep 29


Understanding pcTag in Cisco ACI


1. What is pcTag?

  • pcTag (Policy Control Tag):

    • A numeric identifier (shown as "class ID" in leaf output) assigned to each Endpoint Group (EPG) in Cisco ACI. The leaf enforces policy by matching the pcTags of the source and destination, not their IP addresses.


2. Assignment and Purpose

  • Assignment:

    • Assigned to an EPG when it is created.

  • Purpose:

    • Used in contract rules on leaf switches to control and secure network traffic.

    • These security rules are known as zoning rules.


3. Components of a Zoning Rule

Each zoning rule includes the following parameters:

  1. Source EPG (src pcTag):

    • The pcTag of the EPG where the traffic originates.

  2. Destination EPG (dst pcTag):

    • The pcTag of the EPG where the traffic is intended to go.

  3. Filter ID:

    • Defines the type of traffic, such as TCP traffic on destination port 3306.

  4. Scope:

    • The VRF the rule belongs to, identified by the VRF's VNID (the number passed to `show zoning-rule scope`). The source and destination pcTags are interpreted within that VRF.

  5. Action:

    • Determines what happens to matching traffic: permit, deny, deny with logging (shown as `deny,log`), or redirect to a service graph.


4. Core Parameters of a Zoning Rule

  • Source pcTag, Destination pcTag, and Filter ID:

    • These are the main elements that define what kind of traffic is allowed between which EPGs.


5. Scope Parameter

  • Definition:

    • The VRF (VNID) in which the zoning rule applies.

  • Importance:

    • Local pcTags are only unique within one VRF. The scope is what keeps a rule for EPGs in one VRF from matching traffic of EPGs in another VRF that happen to carry the same pcTag values.


6. Types of pcTags and Their Ranges

  1. System Reserved pcTag (1-15):

    • Used for internal system rules.

  2. Global pcTag (16-16385):

    • Unique across all VRFs.

    • Used for shared services like VRF route leaking.

  3. Local pcTag (16386-65535):

    • Unique only within a single VRF.

    • Default for internal EPGs and L3Out EPGs.


7. Default Behavior

  • EPGs in Different VRFs:

    • May have overlapping local pcTags.

    • This is acceptable because every zoning rule carries a scope, so a local pcTag only needs to be unique within its own VRF.


8. pcTag Assignment with VRF Route Leaking

  • When VRF Route Leaking is Enabled:

    • EPGs that provide shared services are assigned a new global pcTag instead of their original local pcTag, so that the consumer VRF can classify the provider's traffic unambiguously.

  • Provider EPGs:

    • Only EPGs configured for shared services receive a global pcTag; the consuming EPGs keep their local pcTags.


9. Summary of pcTag Types and Usage

  • System Reserved (1-15):

    • Internal use.

  • Global (16-16385):

    • Across VRFs for shared services.

  • Local (16386-65535):

    • Within a single VRF for regular EPGs.


Key Takeaways


  • pcTag: A unique ID for each EPG, essential for defining and enforcing security rules.

  • Zoning Rules: Utilize pcTags to control traffic between EPGs based on defined parameters.

  • Scope: Ties each rule to one VRF, which is what allows local pcTags to be reused across VRFs without rules colliding, and keeps traffic segregated per VRF.

  • pcTag Types:

    • System Reserved: For internal operations.

    • Global: For shared services across VRFs.

    • Local: For standard EPGs within a single VRF.

  • VRF Route Leaking: Assigns global pcTags to provider EPGs to facilitate shared services and cross-VRF communication.



Verifying on the leaf (scope is the VRF VNID, src-epg and dst-epg are pcTags, and the number given to show zoning-filter is the Filter ID column of a rule):

leaf-a# show zoning-rule scope 2490369

leaf-a# show zoning-rule scope 2424832 src-epg 16386 dst-epg 10931

leaf-a# show zoning-rule scope 123456

leaf-a# show zoning-filter

leaf-a# show zoning-filter filter 5
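To make the zoning-rule fields and the pcTag ranges above concrete, here is an added example (not code from the original post or from Cisco) that parses a constructed `show zoning-rule` excerpt, classifies every pcTag as any/system-reserved/global/local, picks out the rules that involve a global (shared-service) pcTag, and finds the "one source, same filter, many destinations" fan-out that a single vzAny rule would replace. The table layout mimics the leaf CLI; the rule IDs, pcTags, filter IDs and scope in it are made up.

```python
"""Classify the pcTags in a `show zoning-rule` table from a Cisco ACI leaf.

Added example for this post (not Cisco's code). SAMPLE_ZONING_RULE is a
constructed excerpt that mimics the leaf CLI layout; the rule IDs, pcTags,
filter IDs and scope in it are made up for illustration.
"""
from collections import defaultdict

# pcTag ranges as documented for ACI. pcTag 0 is the wildcard that vzAny
# and the implicit rules use; it is not an EPG.
PCTAG_RANGES = (
    (0, 0, "any"),
    (1, 15, "system-reserved"),
    (16, 16385, "global"),
    (16386, 65535, "local"),
)

SAMPLE_ZONING_RULE = """\
+---------+--------+--------+----------+----------------+---------+---------+------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |    Name    |  Action  |       Priority       |
+---------+--------+--------+----------+----------------+---------+---------+------------+----------+----------------------+
|   4121  |   0    |   0    | implicit |    uni-dir     | enabled | 2490369 |            | deny,log |   any_any_any(21)    |
|   4122  |   0    |   0    | implarp  |    uni-dir     | enabled | 2490369 |            |  permit  |  any_any_filter(17)  |
|   4123  |   0    |   15   | implicit |    uni-dir     | enabled | 2490369 |            | deny,log | any_vrf_any_deny(22) |
|   4130  | 16386  | 16387  |    5     |     bi-dir     | enabled | 2490369 | tn:ftp-ctr |  permit  |    fully_qual(7)     |
|   4131  | 16386  | 16388  |    5     |     bi-dir     | enabled | 2490369 | tn:ftp-ctr |  permit  |    fully_qual(7)     |
|   4132  | 16386  | 16389  |    5     |     bi-dir     | enabled | 2490369 | tn:ftp-ctr |  permit  |    fully_qual(7)     |
|   4140  | 16386  | 10931  |    9     |    uni-dir     | enabled | 2490369 | tn:shared  |  permit  |    fully_qual(7)     |
+---------+--------+--------+----------+----------------+---------+---------+------------+----------+----------------------+
"""


def classify_pctag(tag: int) -> str:
    """Return the pcTag class name for a tag, per the ranges above."""
    for lo, hi, name in PCTAG_RANGES:
        if lo <= tag <= hi:
            return name
    raise ValueError(f"pcTag {tag} is outside 0-65535")


def parse_zoning_rules(text: str) -> list:
    """Turn the ASCII table into a list of dicts; borders and header are skipped."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 10 or not cells[0].isdigit():
            continue
        rules.append({
            "rule_id": int(cells[0]),
            "src": int(cells[1]),
            "dst": int(cells[2]),
            "filter": cells[3],
            "dir": cells[4],
            "scope": int(cells[6]),
            "name": cells[7],
            "action": cells[8],
            "priority": cells[9],
        })
    return rules


def shared_service_rules(rules: list) -> list:
    """Rules that reference a global pcTag, i.e. a provider EPG that was
    re-tagged for VRF route leaking (the consumer keeps its local pcTag)."""
    return [r for r in rules
            if "global" in (classify_pctag(r["src"]), classify_pctag(r["dst"]))]


def vzany_candidates(rules: list, min_dsts: int = 3) -> list:
    """(scope, src pcTag, filter) keys where one source is permitted the same
    filter to many destinations: the fan-out that a single vzAny rule
    (destination pcTag 0) would replace."""
    fanout = defaultdict(set)
    for r in rules:
        if r["action"] == "permit" and r["src"] and r["dst"]:
            fanout[(r["scope"], r["src"], r["filter"])].add(r["dst"])
    return sorted((key, len(dsts)) for key, dsts in fanout.items()
                  if len(dsts) >= min_dsts)


def count_by_class(rules: list) -> dict:
    """Policy CAM entries per (scope, src class, dst class)."""
    counts = defaultdict(int)
    for r in rules:
        counts[(r["scope"], classify_pctag(r["src"]), classify_pctag(r["dst"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_zoning_rules(SAMPLE_ZONING_RULE)
    for r in parsed:
        print(f"rule {r['rule_id']}: {classify_pctag(r['src'])} -> "
              f"{classify_pctag(r['dst'])} filter={r['filter']} {r['action']}")
    print("shared-service rules:", [r["rule_id"] for r in shared_service_rules(parsed)])
    print("vzAny candidates:", vzany_candidates(parsed))
```

Paste the real output of `show zoning-rule scope <vnid>` into SAMPLE_ZONING_RULE to run it against a production leaf; the parser only relies on the column order, not on the exact widths.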



Policy TCAM Exhaustion in Cisco ACI


1. What is Policy TCAM Exhaustion?

  • TCAM (Ternary Content-Addressable Memory):

    • A type of memory in switch hardware where policies are stored for enforcement.

  • Issue:

    • Every contract between two EPGs is expanded into zoning rules on each leaf where both EPGs are deployed: roughly one entry per filter entry, per direction, per EPG pair. The count therefore grows with the number of EPG pairs multiplied by the number of filter entries.

    • Result: This can lead to TCAM exhaustion, where there are no more entries available for new policies. The affected leaf raises a fault and cannot program further rules, even though the APIC accepts the configuration.


2. Optimizing Policy CAM Usage


Option 1: Set Policy Control Enforcement to Unenforced in VRF
  • Default Behavior:

    • Policy Control Enforcement is enabled by default.

    • Effect: EPGs cannot communicate unless there is a specific contract rule.

  • Unenforced Mode:

    • Action: Turn off Policy Control Enforcement.

    • Result:

      • No contract rules are applied.

      • Any endpoints can communicate freely as long as they are connected via Layer 2 or Layer 3.

  • Caveat:

    • This removes contract-based segmentation for every EPG in the VRF, L3Out EPGs included. It trades policy CAM for security and only fits a VRF that is meant to be one open zone; it is not a fix for TCAM pressure in a VRF that carries workloads with different trust levels.


Option 2: Use Contracts with vzAny

  • What is vzAny?

    • A managed object that links all EPGs within a VRF to one or more contracts.

    • Benefit: Avoids creating separate contract rules for each EPG.

  • How It Works:

    • Automatically applies contract rules to all EPGs in a VRF.

    • When a new EPG is added, vzAny automatically includes it in the contract rules.

  • Advantages:

    • Simplifies Configuration: Reduces the number of individual contract rules.

    • Saves TCAM Space: Combines multiple rules into one, lowering TCAM usage.

  • Example:

    • Without vzAny:

      • Rule 1: EPG 16401 → EPG 16402 (FTP)

      • Rule 2: EPG 16401 → EPG 16403 (FTP)

      • Rule 3: EPG 16401 → EPG 16404 (FTP)

    • With vzAny:

      • Rule: EPG 16401 → vzAny (pcTag 0, every EPG in the VRF) (FTP)



Guidelines and Limitations:


  • Represents Everyone in the Same VRF:

    • Includes internal EPGs, external EPGs for L2Outs and L3Outs, and management networks.

  • Usage Restrictions:

    • Supported as Consumer: Can consume shared (inter-VRF) services.

    • Not Supported as Provider: Cannot provide shared (inter-VRF) services. Within a single VRF, vzAny can be used on either side of a contract.

  • Communication Impact:

    • Using vzAny as a consumer allows any EPG in the consumer VRF to communicate with the provider VRF.

  • Scope Considerations:

    • If the contract scope is set to Application Profile, vzAny won’t save TCAM space as it will still create individual zoning rules.




Option 3: Use Contract Preferred Group
  • Purpose:

    • Simplifies configurations where multiple EPGs share the same contract.

  • Example Scenario:

    • Requirement: Allow EPGs 1 to 4 to communicate with each other without security restrictions.

    • Action: Create a preferred group contract that permits EPGs 1-4 to talk to each other freely.

    • Effect: Other EPGs will still follow the allow list model, maintaining security for the rest of the network.


To simplify such a configuration requirement to partially unenforced contract policies in the given VRF, ACI introduced Contract Preferred Group in the APIC release 2.2(1).



Preferred Group in Cisco ACI


  • Included and Excluded Members:

    • Included Members:

      • Specific Endpoint Groups (EPGs) are marked as "Included".

      • Example: EPG 1 to EPG 4 are designated as Included members.

    • Excluded Members:

      • All other EPGs that are not Included are grouped as "Excluded" members.

  • Communication Rules:

    • No Contracts Needed for Included Members:

      • EPGs within the Included group do not require any contract rules to communicate.

    • Free Communication:

      • Included EPGs can freely talk to each other without any security enforcement or restrictions.


To configure Contract Preferred Group, follow these steps:

  1. Enable the Preferred Group under the VRF.

  2. Add EPGs to the "Included" members. By default, all EPGs are defined as "Excluded" members.



Note: When adding an L3Out EPG to the "Included" members, 0.0.0.0/0 with the "External Subnets for the External EPG" scope is not supported. Use 0.0.0.0/1 and 128.0.0.0/1 instead. Keep in mind that Included members form one open zone: an L3Out EPG placed there makes every Included EPG reachable from whatever that external EPG classifies.
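All three options above (unenforced VRF, vzAny contracts, preferred group) save policy CAM by widening what can talk to what, so they are exactly what a reviewer should look for in a tenant configuration. The following added example (not the post's or Cisco's tooling) walks a tenant tree in the JSON form the APIC exports and reports unenforced VRFs, contracts attached to vzAny, which EPGs are active preferred-group members in each VRF, and EPGs marked "include" in a VRF whose preferred group is still disabled (harmless today, open the moment someone enables the group). The attribute names are those of the APIC object model (fvCtx pcEnfPref, vzAny prefGrMemb, fvAEPg prefGrMemb, vzRsAnyToCons/vzRsAnyToProv, fvRsCtx, fvRsBd); the tenant JSON itself is constructed and trimmed to those objects.

```python
"""Audit an APIC tenant export for the three policy-CAM savers that also
weaken segmentation: unenforced VRFs, vzAny contracts, and preferred groups.

Added example for this post (not Cisco's tooling). SAMPLE_TENANT_JSON is a
constructed, trimmed tenant tree; the attribute names follow the APIC object
model (fvCtx pcEnfPref, vzAny prefGrMemb, fvAEPg prefGrMemb).
"""
import json

SAMPLE_TENANT_JSON = r"""
{"fvTenant": {"attributes": {"name": "prod"}, "children": [
  {"fvCtx": {"attributes": {"name": "vrf-app", "pcEnfPref": "enforced"}, "children": [
    {"vzAny": {"attributes": {"prefGrMemb": "enabled"}, "children": [
      {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "shared-dns"}}}
    ]}}
  ]}},
  {"fvCtx": {"attributes": {"name": "vrf-lab", "pcEnfPref": "unenforced"}, "children": [
    {"vzAny": {"attributes": {"prefGrMemb": "disabled"}}}
  ]}},
  {"fvBD": {"attributes": {"name": "bd-app"}, "children": [
    {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf-app"}}}
  ]}},
  {"fvBD": {"attributes": {"name": "bd-lab"}, "children": [
    {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf-lab"}}}
  ]}},
  {"fvAp": {"attributes": {"name": "app1"}, "children": [
    {"fvAEPg": {"attributes": {"name": "web", "prefGrMemb": "include"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "bd-app"}}}]}},
    {"fvAEPg": {"attributes": {"name": "app", "prefGrMemb": "include"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "bd-app"}}}]}},
    {"fvAEPg": {"attributes": {"name": "db", "prefGrMemb": "exclude"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "bd-app"}}}]}},
    {"fvAEPg": {"attributes": {"name": "test", "prefGrMemb": "include"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "bd-lab"}}}]}}
  ]}}
]}}
"""


def walk(node: dict, path: tuple = ()):
    """Yield (class, attributes, path) for every managed object in the tree.
    path is the chain of 'name' attributes (class name where there is none)."""
    for cls, body in node.items():
        attrs = body.get("attributes", {})
        here = path + (attrs.get("name", cls),)
        yield cls, attrs, here
        for child in body.get("children", []):
            yield from walk(child, here)


def audit_tenant(tenant_json: str) -> dict:
    """Collect the enforcement-weakening settings in one tenant."""
    findings = {"unenforced_vrfs": [], "vzany_contracts": [],
                "preferred_group": {}, "inactive_includes": []}
    pg_enabled, bd_to_vrf, epg_to_bd, included = set(), {}, {}, []
    for cls, attrs, path in walk(json.loads(tenant_json)):
        if cls == "fvCtx" and attrs.get("pcEnfPref") == "unenforced":
            findings["unenforced_vrfs"].append(path[-1])
        elif cls == "vzAny" and attrs.get("prefGrMemb") == "enabled":
            pg_enabled.add(path[-2])  # parent fvCtx name
        elif cls in ("vzRsAnyToCons", "vzRsAnyToProv"):
            role = "consumer" if cls == "vzRsAnyToCons" else "provider"
            findings["vzany_contracts"].append((path[-3], role, attrs["tnVzBrCPName"]))
        elif cls == "fvRsCtx":
            bd_to_vrf[path[-2]] = attrs["tnFvCtxName"]      # BD -> VRF
        elif cls == "fvRsBd":
            epg_to_bd[f"{path[-3]}/{path[-2]}"] = attrs["tnFvBDName"]  # AP/EPG -> BD
        elif cls == "fvAEPg" and attrs.get("prefGrMemb") == "include":
            included.append(f"{path[-2]}/{path[-1]}")
    # An "include" only takes effect in a VRF whose preferred group is enabled.
    for epg in included:
        vrf = bd_to_vrf.get(epg_to_bd.get(epg))
        if vrf in pg_enabled:
            findings["preferred_group"].setdefault(vrf, []).append(epg)
        else:
            findings["inactive_includes"].append(epg)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_tenant(SAMPLE_TENANT_JSON), indent=2))
```

To run it against a real fabric, replace SAMPLE_TENANT_JSON with the body of a `GET /api/mo/uni/tn-<tenant>.json?rsp-subtree=full` response from the APIC; the walker does not depend on the order of children.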
