Policy Assurance Operations
Incremental Access List Deployment
On operating systems where ACL changes activate instantly and are applied line by line, pushing a policy change rule by rule would leave the interface without a complete ACL for part of the update. To minimize the impact on existing traffic flows, Apstra automatically performs a multistep process for deploying policy changes. This ensures that the network does not enter an open (free-flowing traffic) state while the rules are being pushed into the Ternary Content-Addressable Memory (TCAM).
Apstra performs the following workflow during policy changes:
Install a temporary Access List (ACL), written to the device as previous-acl-name_TMP
Switch the interface to the _TMP ACL
Remove the original ACL and add it back with the new rendering
Switch the interface back to the original ACL
Remove the _TMP ACL
We recommend not using more than 50% of TCAM, so that the secondary (_TMP) ACL always fits alongside the original (some NOS can perform such a staged update on their own, but they still require free TCAM to "merge" entries into an ACL). We also recommend leaving the default ACL atomic update settings as they are in NX-OS and EOS. With atomic update, if an applied ACL (say, one using X TCAM entries) is modified, the NOS needs 2x that amount of free TCAM space during the ACL modification. Apstra's staged workflow improves on this by keeping a policy enforced even when an atomic update is impossible.
Changing atomic update settings is not controlled by Apstra.
Example Policy Deployment
The following is an example policy deployment object:
ip access-list ACL_VLAN_3_IN_TMP                          <CREATE TMP ACL>
  4 remark Policy: 'www to db ssh copy'
  5 deny TCP 10.0.1.128/25 eq 22 10.0.2.128/25
  9 remark Policy: 'www to db ssh'
  10 permit TCP 10.0.1.128/25 range 1 1024 10.0.2.128/25
  14 remark Trailing default action rule
  15 permit IP 10.0.1.0/24 0.0.0.0/0
exit
!
interface vlan 3
  ip access-group ACL_VLAN_3_IN_TMP in                    <SWITCH TO TMP ACL>
exit
!
no ip access-list ACL_VLAN_3_IN                           <REMOVE ORIGINAL ACL>
!
ip access-list ACL_VLAN_3_IN                              <CREATE UPDATED ORIGINAL ACL>
  4 remark Policy: 'www to db ssh allow'
  5 deny TCP 10.0.1.128/25 range 22 23 10.0.2.128/25
  9 remark Policy: 'www to db ssh'
  10 permit TCP 10.0.1.128/25 range 1 1024 10.0.2.128/25
  14 remark Trailing default action rule
  15 permit IP 10.0.1.0/24 0.0.0.0/0
exit
!
interface vlan 3
  ip access-group ACL_VLAN_3_IN in                        <SWITCH TO UPDATED ACL>
exit
!
no ip access-list ACL_VLAN_3_IN_TMP                       <REMOVE TMP ACL>
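The following is an added example, not Apstra's own code, that renders the staged workflow above for an NX-OS/EOS-style CLI, replays the rendered lines against a small device model to confirm that the interface never has a missing or deleted ACL bound (the open-state window the workflow avoids), and applies the TCAM guidance from the text. It generalizes the VLAN 3 example to any ACL name, interface and rule set. The function names, the Rule type and the sample rules are constructed for illustration and are not Apstra identifiers; the naive delete-and-recreate sequence is included only as the unsafe alternative for comparison.

```python
"""Staged ("_TMP") ACL deployment: render, replay, and TCAM budget check.
Added illustrative example; not Apstra code. All identifiers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    seq: int
    text: str  # body after the sequence number, e.g. "deny tcp ... eq 22 ..."


# Constructed sample: the updated rendering from the example above.
NEW_RULES = [
    Rule(4, "remark Policy: 'www to db ssh allow'"),
    Rule(5, "deny tcp 10.0.1.128/25 range 22 23 10.0.2.128/25"),
    Rule(9, "remark Policy: 'www to db ssh'"),
    Rule(10, "permit tcp 10.0.1.128/25 range 1 1024 10.0.2.128/25"),
    Rule(14, "remark Trailing default action rule"),
    Rule(15, "permit ip 10.0.1.0/24 0.0.0.0/0"),
]


def render_acl(name: str, rules: List[Rule]) -> List[str]:
    lines = [f"ip access-list {name}"]
    lines += [f"  {r.seq} {r.text}" for r in sorted(rules, key=lambda r: r.seq)]
    return lines + ["exit"]


def bind_acl(interface: str, name: str, direction: str = "in") -> List[str]:
    return [f"interface {interface}", f"  ip access-group {name} {direction}", "exit"]


def render_staged_acl_update(name: str, interface: str, new_rules: List[Rule],
                             direction: str = "in") -> List[str]:
    """The five workflow steps: the interface is always bound to an ACL that
    exists on the device, so there is no window with unfiltered traffic."""
    tmp = f"{name}_TMP"
    out: List[str] = []
    out += render_acl(tmp, new_rules)               # 1. install the TMP ACL
    out += bind_acl(interface, tmp, direction)      # 2. switch to the TMP ACL
    out += [f"no ip access-list {name}"]            # 3. remove the original ...
    out += render_acl(name, new_rules)              #    ... and re-add it with the new rendering
    out += bind_acl(interface, name, direction)     # 4. switch back to the original
    out += [f"no ip access-list {tmp}"]             # 5. remove the TMP ACL
    return out


def render_naive_update(name: str, interface: str, new_rules: List[Rule],
                        direction: str = "in") -> List[str]:
    """Unsafe alternative for comparison: delete and recreate the bound ACL."""
    return ([f"no ip access-list {name}"] + render_acl(name, new_rules)
            + bind_acl(interface, name, direction))


def no_open_window(lines: List[str], interface: str, bound: Optional[str],
                   defined: Set[str]) -> bool:
    """Replay `lines` from an initial state (`bound` ACL on `interface`, ACL
    names in `defined`). Return False at the first point where the interface
    has no ACL, or a deleted one, bound: the NOS would then pass traffic open."""
    defined = set(defined)
    current_if: Optional[str] = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("no ip access-list "):
            defined.discard(line.split()[-1])
        elif line.startswith("ip access-list "):
            defined.add(line.split()[-1])
        elif line.startswith("interface "):
            current_if = line[len("interface "):].strip()
        elif line.startswith("ip access-group ") and current_if == interface:
            bound = line.split()[2]
        elif line == "exit":
            current_if = None
        if bound is None or bound not in defined:
            return False
    return True


def tcam_entries(rules: List[Rule]) -> int:
    """Remarks are not programmed into TCAM; count only filtering rules."""
    return sum(1 for r in rules if not r.text.startswith("remark"))


def tcam_budget_ok(capacity: int, in_use: int, new_rules: List[Rule]) -> Dict[str, bool]:
    """The TMP copy coexists with the still-installed original, so the new
    rendering must fit in the free entries; 50% is the guidance in the text."""
    needed = tcam_entries(new_rules)
    return {"fits": in_use + needed <= capacity,
            "within_50pct_guidance": in_use <= capacity // 2}


if __name__ == "__main__":
    seq = render_staged_acl_update("ACL_VLAN_3_IN", "vlan 3", NEW_RULES)
    print("\n".join(seq))
    print("staged safe:", no_open_window(seq, "vlan 3", "ACL_VLAN_3_IN", {"ACL_VLAN_3_IN"}))
    naive = render_naive_update("ACL_VLAN_3_IN", "vlan 3", NEW_RULES)
    print("naive safe:", no_open_window(naive, "vlan 3", "ACL_VLAN_3_IN", {"ACL_VLAN_3_IN"}))
    print(tcam_budget_ok(capacity=1024, in_use=400, new_rules=NEW_RULES))
```

The replay model deliberately tracks only ACL existence and binding; it does not model a NOS applying an in-place edit line by line, which is the other failure mode the staged workflow avoids. The budget check treats only filtering entries as TCAM consumers, which matches common NX-OS and EOS behaviour for remarks but should be confirmed against the platform's own TCAM utilization counters.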
Policy Enable/Disable
Policies can be enabled and disabled easily through the Apstra GUI or API. Switching a policy to disabled queues the change in Uncommitted, and the administrator must Commit the changes to the Blueprint for them to take effect.
Policy Export/Import
You can import and export policies via the API. The same policy objects must exist in the target Blueprint for the import to succeed. This is especially helpful when managing multiple Blueprints with identical policies.