I wanted to take just a moment to share the output of an APIC-EM ACL Trace (option in Path Trace). For this example, I have built out the topology below.
The applicable configuration for CSR1000v-2 is as follows:

    ip access-list extended TESTING
     permit ospf any any
     permit icmp any any
     permit tcp any any eq telnet
     deny tcp any any eq 22
     permit ip any any
    !
    interface GigabitEthernet2
     description to csr1000v-1
     ip address 10.0.0.6 255.255.255.252
     ip access-group TESTING in
     ip ospf cost 1
     negotiation auto
     cdp enable
For testing, it is possible to run a path trace from 10.1.1.1 (LAN interface on CSR1000v-1) to 10.1.2.1 (LAN interface on CSR1000v-2) with TCP ports specified. To expose the layer 4 options, it is necessary to choose more options. Ticking the “ACL Trace” check box instructs APIC-EM to evaluate ACLs along the path.
The output indicates a successful trace AND an allowed match through the ACL.
Adjusting the path trace to target TCP port 22 demonstrates how a blocked flow is represented in APIC-EM.
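To make the two results above concrete, the following is an added example (not code from the post or from APIC-EM) that models the first-match evaluation a router applies to the TESTING ACL. It parses the ACL exactly as configured on CSR1000v-2 and evaluates the same two flows the path trace used, 10.1.1.1 to 10.1.2.1 on TCP/23 and TCP/22. The parser is a deliberately small model: it understands `any`, `host`, wildcard-mask addresses, `eq` port matches and the implicit deny at the end of every Cisco ACL, and the `PORT_NAMES` table is an assumed subset of IOS port keywords, not the full list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed subset of the IOS port keywords; "telnet" is the one the ACL uses.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}

# The ACL applied inbound on GigabitEthernet2 of CSR1000v-2 (from the post).
ACL_TEXT = """\
ip access-list extended TESTING
 permit ospf any any
 permit icmp any any
 permit tcp any any eq telnet
 deny tcp any any eq 22
 permit ip any any
"""

# spec is None for "any", otherwise (network, wildcard) as integers
AddrSpec = Optional[Tuple[int, int]]

@dataclass
class Ace:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int]
    dport: Optional[int]
    text: str

def _parse_addr(tokens, i):
    """Consume an address spec starting at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))  # wildcard mask: set bits are "don't care"
    return (net, wild), i + 2

def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def _addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_acl(text: str):
    """Turn extended ACL lines into an ordered list of Ace entries."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list' header and blank lines
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        aces.append(Ace(action, proto, src, dst, sport, dport, line.strip()))
    return aces

def evaluate(aces, proto: str, src: str, dst: str, sport=None, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not _addr_match(ace.src, src) or not _addr_match(ace.dst, dst):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for port in (23, 22):
        action, hit = evaluate(acl, "tcp", "10.1.1.1", "10.1.2.1", dport=port)
        print(f"10.1.1.1 -> 10.1.2.1 tcp/{port}: {action} ({hit})")
```

Running the block reproduces the two path traces: TCP/23 is permitted by `permit tcp any any eq telnet`, and TCP/22 is denied by `deny tcp any any eq 22` even though `permit ip any any` follows it, because evaluation stops at the first match. That ordering is exactly what an ACL trace has to get right, and it is why the stale-configuration caveat below matters: a reordered entry changes the verdict.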
The one caveat I have found is that this is only ‘semi’ real time. APIC-EM downloads the configuration from its devices and stores it into the inventory. In my case, this appears to happen every 25 minutes. So the accuracy of this test is limited to how recent the change is and the tool’s ability to properly interpret the configuration.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.