ACL Trace in APIC EM

I wanted to take just a moment to share the output of an APIC-EM ACL Trace (option in Path Trace). For this example, I have built out the topology below.

pathtracetopology

The applicable configuration for CSR1000v-2 is as follows–

ip access-list extended TESTING
 permit ospf any any
 permit icmp any any
 permit tcp any any eq telnet
 deny   tcp any any eq 22
 permit ip any any
!
interface GigabitEthernet2
 description to csr1000v-1
 ip address 10.0.0.6 255.255.255.252
 ip access-group TESTING in
 ip ospf cost 1
 negotiation auto
 cdp enable

For testing it is possible to run a path trace from 10.1.1.1 (LAN interface on CSR1000v-1) to 10.1.2.1 (LAN interface on CSR1000v-2) with TCP Ports. To expose the layer 4 options, it is necessary to choose more options. The check mark in the “ACL Trace” instructs APIC-EM to evaluate ACLs.

pathtraceoptions

The output indicates a successful trace AND an allowed match through the ACL.

successfulacl

Adjusting the path trace to target TCP port 22 demonstrates how a blocked flow is represented in APIC-EM.

failedacltrace

The one caveat I have found is that this is only ‘semi’ real time. APIC-EM downloads the configuration from its devices and stores it into the inventory. In my case, this appears to happen every 25 minutes. So the accuracy of this test is limited to how recent the change is and the tool’s ability to properly interpret the configuration.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may does not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply