Troubleshoot Contracts when the Zoning-rule Name Field Is Empty

Available Languages

Download Options

  • PDF     (32.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (83.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (70.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 3, 2025
Document ID:222909

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the guidelines to identify an implicit contract on a leaf, such as an override rule.

    Prerequisites

    Requirements

    • Basic knowledge of ACI
    • Endpoint Groups and contract
    • ELAM configuration

    Components Used

    This document is not restricted to specific software and hardware versions.

    Devices used:

    • Cisco ACI running version 5.3(2)
    • ELAM Assistant / CLI ELAM

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    pcTag is a numeric ID used for internal representation of Endpoint Policy Group (EPG) in ACI. The pcTag assigned to source epg is called SCLASS while the pcTag assigned to destination EPG is called DCLASS.

    Shared services Consumer used the reserved PcTag of 14.

    System - These are internal system tags from range 1-15.

    Global - Range 16-16385 is reserved for global use.

    Drop EPG uses the reserved PcTag of 13.

    Shared services Consumer uses the reserved PcTag of 14.

    l3out with 0.0.0.0/0 uses the reserved PcTag of 15.

    Local - The default scope of pcTag is local to VRF and can be reused across VRF’s. Its value ranges from 16386-65535.

    Steps to Resolve the Contract

    ELAM is used on these scenarios. These commands are for CLI ELAM and can be used as reference:

    vsh_lc
debug platform internal <asic > elam asic <number>
trigger reset
trigger init in-select <in-select_code> out-select 0
set outer ipv4 src_ip <source ip> dst_ip < destination ip address>
start 
status

    Step 1. ELAM TRIGGER

    First, gather several aspects from an ELAM: source class 11060, destination class 14, and Stats Index: 51983.

    For shared services > consumer subnet in provider,  class id 14 is used.

    This is used for EPGs in provider VRF with local sclass that cannot talk to these subnets.

    IP Protocol : ICMP( 0x1 )

L4 Src Port : 2048( 0x800 )

L4 Dst Port : 56951( 0xDE77 )

sclass (src pcTag) : 11060( 0x2B34 ) 

dclass (dst pcTag) : 14( 0xE ) 

------------------------------------------------------------------------------------------------------------------------------------------------------

Contract Result

------------------------------------------------------------------------------------------------------------------------------------------------------

Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 51983
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 51983 )

    Step 2. Zoning-rule Verification Based on a Hardware Rule Match

    Use the hardware index of match contract 51983 to resolve the rule identifier.

    module-1# show sys int aclqos zoning-rules | grep -B 9 "Idx: 51983"
===========================================
Rule ID: 8640 Scope 20 Src EPG: 11060 Dst EPG: 14 Filter 65534
     unit_id: 0
     === Region priority: 2466 (rule prio: 9 entry: 162)===
     sw_index = 13310 | hw_index = 29937 | stats_idx = 51983
   Curr TCAM resource:
   =============================
     === SDK Info ===
     Result/Stats Idx: 51983
    note-icon

    Note: On version 4.X, the rule cannot appear. Use show system internal aclqos zoning-rules implicit command to identify the contract.

    The Rule Identifier can be used on the zoning rule to review the contract. For override rules, the contract name is going to be empty:

    S2-LF101# show zoning-rule rule-id 8640
    Config State
    ============
    | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | Intent |
    |---------|--------|--------|----------|-----|--------|-------|------|--------|---------|--------|
    | 8640    | 11060  | 14     | implicit | uni-dir | enabled | 2424832 |   | permit_override | src_dst_any(9) | install |
    Install State
    ==============
    | Rule ID | SrcEPG | DstEPG | FilterID | Dir | Scope | Name | Action | Priority | 
    |---------|--------|--------|----------|-----|-------|------|--------|---------|
    | 8640    | 11060  | 14     | implicit | uni-dir | 2424832 |   | permit_override | src_dst_any(9) |

    Step 3a. Verify with the Object actrlRule to See if There is a Contract Name

    The actrlRule moquery can be used on the leaf with a filter:

    moquery -c actrlRule -f 'actrl.Rule.rn*"s-<sclass>-d-<dclass>"' | grep ctrctName

    For the example, this is the contract that is creating the override policy:

    moquery -c actrlRule -f 'actrl.Rule.rn*"s-11060-d-14"' | grep ctrctName
ctrctName : common:Common-Global

    It is possible that this field ctrctName can be empty. If that is the case, there is another object that can be used.

    Step 3b. Verify with the Object actrlRule to See if There is a Contract Name

    The vzRuleOwner moquery can be used on the leaf:

    moquery -c vzRuleOwner -f 'vz.RuleOwner.dn*"11060.*14"'

    For the vzRuleOwner example, this is the contract that is creating the override policy:

    MXS2-LF101# moquery -c vzRuleOwner -f 'vz.RuleOwner.dn*"11060.*14"'
Total Objects shown: 1
# vz.RuleOwner
creatorDn : cdef-[uni/tn-common/brc-Common-Global]/epgCont-[uni/tn-common/out-L3OUT-External/instP-External/]-fr-[uni/tn-common/brc-Common-Global/dirass/prov-[uni/tn-common/out-L3OUT-External/instP-External-]-any-no]/to-[uni/tn-common/brc-Common-Global/dirass/cons-[uni/tn-test/ap-ap-test/epg-epg-test]-any-no]
tag : to-epg
action : permit_override
childAction :
ctrctName : 
direction : uni-dir
dn : sys/actrl/scope-2424832/rule-2424832-s-11060-d-14-f-implicit/own-[cdef-[uni/tn-common/brc-Common-contract]/epgCont-[uni/tn-common/out-L3OUT/instP-External]/fr-[uni/tn-common/brc-Common-contract/dirass/prov-[uni/tn-common/out-L3OUT/instP-External]-any-no]/to-[uni/tn-common/brc-Common-contract/dirass/cons-[uni/tn-test/ap-ap-test/epg-epg-test]-any-no]]-tag-to-epg
intent : install
lcOwn : local
markDscp : unspecified
modTs : 2024-08-07T06:16:42.241+00:00
monitorDn : uni/tn-common/monepg-default
name : 
nameAlias : 
prio : src_dst_any
qosGrp : unspecified
rn : own-[cdef-[uni/tn-common/brc-Common-Global]/epgCont-[uni/tn-common/out-L3OUT-External/instP-External-]/fr-[uni/tn-common/brc-Common-Global/dirass/prov-[uni/tn-common/out-L3OUT-External/instP-External-]-any-no]/to-[uni/tn-common/brc-Common-Global/dirass/cons-[uni/tn-test/ap-ap-test/epg-epg-test]-any-no]]-tag-to-epg
status :
type : tenant

    On the DN, after brc, it is going to be the contract name.

    RN/DN: brc-<contract name>

    For example:

    brc-Common-contract

    Reference

    Cisco Bug ID Bug Title Enhancement Add it Version
    Cisco bug ID CSCwk84663 The visibility of the rules has been added. This override rule appears in the zoning rules when the configuration is set correctly, but a name is not be explicitly mentioned in the zoning rules. version 5.X

    Related Information

    Verify ACI Shared Services - Shared Service Consumer PcTag 14

    Revision History

    Revision Publish Date Comments
    2.0
    03-Apr-2025
    Updated to Add Reference Link, Additional Information, and Formatting.
    1.0
    27-Mar-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jessica Rueda
      Customer Delivery Engineering Technical Leader

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products