Introduction
This document describes the concept of the Policy Class Tag (pcTag), also called Class, in Cisco Application Centric Infrastructure (ACI). The information in this document is based on software version 4.2(3n).
Prerequisites
To best understand the design presented in this document, the reader must have a basic working knowledge of Cisco ACI.
What is pcTag?
In simple words, a pcTag is a numeric ID used for the internal representation of an Endpoint Group (EPG) in ACI; it is also referred to as Source Class (sclass) or Destination Class (dclass). It is used for the classification of traffic and for policy enforcement (contract enforcement). When traffic ingresses an ACI Leaf, the Leaf uses the configured direction of policy enforcement (default: ingress) and the locally available endpoint and prefix information to classify the source and destination of the traffic into EPGs by assigning a pcTag value to each. The pcTag assigned to the source EPG is called SCLASS, while the pcTag assigned to the destination EPG is called DCLASS.
A pcTag value ranges between 1 and 65535. The range is subdivided into three categories.
System - Internal system tags in the range 1-15. For example, 13 is the drop EPG and 15 is used for an L3Out with the 0.0.0.0/0 subnet in the external EPG.
Global - By default the scope of a pcTag is local to the VRF (Virtual Routing and Forwarding instance). However, for inter-VRF contracts the pcTag must have global scope and be unique across the ACI fabric. The range 16-16385 is reserved for global use.
Local - The default scope of a pcTag is local to the VRF, so the value may be reused across VRFs. Its value ranges from 16386-65535.
How to get the pcTag value of an EPG?
- Using the Application Policy Infrastructure Controller (APIC) Graphical User Interface (GUI)
On the APIC GUI, select the EPG for which you want the pcTag; the pcTag is shown under Policy -> General:
Tenants --> Application Profiles (AP) (select the AP) --> Application EPGs (select the EPG) --> Policy --> General
Similarly, for a Layer 3 Out (L3Out) external EPG, select the L3Out EPG and the pcTag is found under the Policy -> General tab:
Tenants --> Networking --> L3Outs (select the L3Out) --> External EPGs (select the EPG) --> Policy --> General
- Using the APIC Command Line Interface (CLI)
Using the APIC CLI, the pcTag of an EPG can be obtained either with the show command given here or with a Managed Object Query (moquery).
apic# show epg EPG1 detail
Application EPg Data:
Tenant : Prod
Application : AP01
AEPg : EPG1
BD : BD1
uSeg EPG : no
Intra EPG Isolation : unenforced
Proxy ARP : none
Policy Tag : 49155
Vlan Domains : prod-phy-dom
Consumed Contracts : default
Provided Contracts :
Denied Contracts :
Qos Class : unspecified
Tag List :
apic# moquery -c fvAEPg -f 'fv.AEPg.name=="EPG1"' | egrep "^name|^dn|^pcTag|^scope"
name : EPG1
dn : uni/tn-Prod/ap-AP01/epg-EPG1
nameAlias :
pcTag : 49155
scope : 2326533
Moquery to obtain the pcTag value of an L3Out EPG:
apic# moquery -c l3extInstP -f 'l3ext.InstP.name=="ext_EPG"' | egrep "^name|^dn|^pcTag"
name : ext_EPG
dn : uni/tn-Prod/out-L3out_BGP/instP-ext_EPG
nameAlias :
pcTag : 16386
- Using Leaf CLI
When the endpoint has been learned in a regular EPG, you can get the pcTag/SCLASS from the EndPoint Manager (EPM):
bgl-aci05-leaf5# show system internal epm endpoint ip 192.168.10.10
MAC : 002c.c80a.7ca9 ::: Num IPs : 1
IP# 0 : 192.168.10.10 ::: IP# 0 flags : ::: l3-sw-hit: No
Vlan id : 74 ::: Vlan vnid : 13894 ::: VRF name : Prod:vrfA
BD vnid : 15826927 ::: VRF vnid : 2326533
Phy If : 0x1a011000 ::: Tunnel If : 0
Interface : Ethernet1/18
Flags : 0x80000c04 ::: sclass : 49155 ::: Ref count : 5 <<<<<<<<sclass
EP Create Timestamp : 12/30/2020 15:45:21.722804
EP Update Timestamp : 12/30/2020 15:45:21.722804
EP Flags : local|IP|MAC|sclass|
::::
To get the pcTag value of an L3Out EPG, the Policy Manager (policy-mgr) prefix table is used. In the output, 16386 is the pcTag for subnet 10.20.20.0/24.
bgl-aci05-leaf5# vsh -c 'show system internal policy-mgr prefix' | egrep "Vrf-Vni|==|2326533"
Vrf-Vni VRF-Id Table-Id Table-State VRF-Name Addr Class Shared Remote Complete
======= ====== =========== ======= ============================ ================================= ====== ====== ====== ========
2326533 5 0x5 Up Prod:vrfA 0.0.0.0/0 15 True True False
2326533 5 0x80000005 Up Prod:vrfA ::/0 15 True True False
2326533 5 0x5 Up Prod:vrfA 10.20.20.0/24 16386 True True False
How to get the EPG name when you know the pcTag value?
The simplest way to retrieve the EPG name from the APIC CLI when you know the pcTag is to use the following MO Query.
For a regular EPG:
apic# moquery -c fvAEPg -f 'fv.AEPg.pcTag=="16387"' | egrep "name|^dn"
name : EPG1
dn : uni/tn-mgmt/ap-AP/epg-EPG1
nameAlias :
scope : 2621440
For an L3out EPG:
apic# moquery -c l3extInstP -f 'l3ext.InstP.pcTag=="16386"'| egrep "name|^dn|scope"
name : ext_EPG
dn : uni/tn-Prod/out-L3out_BGP/instP-ext_EPG
nameAlias :
scope : 2326533
Note: You can get multiple EPGs for one pcTag value, because a local pcTag has a scope that is local to the VRF. An additional filter on the VRF segment ID (the scope attribute) gives the exact match.
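The same lookups can be done against the APIC REST API, which is what moquery wraps. The Python below is an added example (not code from the original document): it builds the class query URL with the same name/pcTag/scope filters, and resolves a pcTag from a constructed reply, showing how the scope filter separates two VRFs that reuse one local pcTag. The APIC address, the second tenant and EPG7 are placeholders; an authenticated session (aaaLogin cookie) is assumed and not shown.

```python
import json
from urllib.parse import quote

APIC_URL = "https://apic.example.com"   # placeholder; substitute your APIC

def class_query_url(mo_class, **attrs):
    """Build an APIC REST class query equivalent to 'moquery -c <class> -f ...'.
    Several attributes are combined with and(); values are quoted as the API expects."""
    terms = [f'eq({mo_class}.{k},"{v}")' for k, v in attrs.items()]
    flt = terms[0] if len(terms) == 1 else "and(" + ",".join(terms) + ")"
    return f"{APIC_URL}/api/class/{mo_class}.json?query-target-filter={quote(flt)}"

def parse_imdata(body):
    """Flatten an APIC JSON reply into a list of (dn, pcTag, scope) tuples."""
    rows = []
    for item in json.loads(body)["imdata"]:
        (mo_class, mo), = item.items()      # each entry is {"fvAEPg": {"attributes": {...}}}
        a = mo["attributes"]
        rows.append((a["dn"], int(a["pcTag"]), int(a["scope"])))
    return rows

def epgs_for_pctag(body, pctag, scope=None):
    """Reverse lookup over a reply: every EPG carrying pctag, optionally only in VRF segment 'scope'."""
    return [dn for dn, tag, vrf in parse_imdata(body)
            if tag == pctag and (scope is None or vrf == scope)]

# Constructed reply: a VRF-local pcTag (49155, in the 16386-65535 range) reused by two VRFs.
# The Prod entry mirrors the page; the Dev tenant and EPG7 are hypothetical.
SAMPLE_REPLY = json.dumps({"totalCount": "2", "imdata": [
    {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-AP01/epg-EPG1", "name": "EPG1",
                               "pcTag": "49155", "scope": "2326533"}}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-Dev/ap-AP02/epg-EPG7", "name": "EPG7",
                               "pcTag": "49155", "scope": "2621440"}}},
]})

if __name__ == "__main__":
    print(class_query_url("fvAEPg", name="EPG1"))           # forward lookup by name
    print(class_query_url("fvAEPg", pcTag=49155, scope=2326533))
    print(epgs_for_pctag(SAMPLE_REPLY, 49155))              # two matches, one per VRF
    print(epgs_for_pctag(SAMPLE_REPLY, 49155, 2326533))     # exact match with scope
```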
Rules to derive the source pcTag and destination pcTag (SCLASS/DCLASS) of a flow
These rules can be used to determine the sclass and dclass of an intra-VRF flow and then do a zoning-rule lookup.
Sclass:
- SCLASS = source EPG pcTag, if the ingress EPG is a regular EPG.
- SCLASS = VRF pcTag, if the traffic ingresses through an L3Out under the 0.0.0.0/0 subnet of the L3Out EPG.
- SCLASS = external EPG pcTag, if the traffic hits any other, non-default subnet in the L3Out external EPG.
Dclass:
- DCLASS = destination EPG pcTag, if the destination endpoint has been learned on the ingress leaf.
- DCLASS = 1, if the destination endpoint is not learned and the packet is sent to the fabric (hardware proxy or flood). Policy enforcement then happens on the destination leaf.
- DCLASS = 15, if the hit is on the 0.0.0.0/0 subnet under the L3Out external EPG.
- DCLASS = external EPG pcTag, when the hit is on a more specific, non-default subnet.
Note: The subnet mentioned above is the subnet you configure under the External EPG, not a subnet in the routing table.
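The rules above, worked through in code as an added example (not from the original document): a small model of one leaf holding an EPM table and a policy-mgr style prefix table, with a longest-prefix match deciding between the 0.0.0.0/0 entry and a more specific External EPG subnet. The endpoint 49155 and the 16386 entry for 10.20.20.0/24 reuse this page's values; the VRF pcTag, the BD subnet and the test addresses are constructed, and modelling BD subnets as class 1 entries is an assumption of this model.

```python
import ipaddress

# System classes named on this page (the 1-15 range)
DCLASS_NOT_LEARNED = 1    # destination unknown on the ingress leaf: policy applied on the egress leaf
CLASS_DEFAULT_L3OUT = 15  # 0.0.0.0/0 (or ::/0) subnet configured under an L3Out external EPG

class IngressLeaf:
    """What one leaf knows for one VRF; every value passed in is constructed for the example."""
    def __init__(self, vrf_pctag, ext_subnets, bd_subnets, endpoints):
        self.vrf_pctag = vrf_pctag                    # pcTag of the VRF itself (hypothetical value)
        # Prefix table in the style of 'show system internal policy-mgr prefix': (network, class).
        # External EPG subnets carry their EPG pcTag (15 for 0.0.0.0/0). BD subnets of regular EPGs
        # are modelled as class 1 (assumption) so an unlearned host in a BD yields DCLASS 1.
        self.prefixes = [(ipaddress.ip_network(p), c) for p, c in ext_subnets.items()]
        self.prefixes += [(ipaddress.ip_network(p), DCLASS_NOT_LEARNED) for p in bd_subnets]
        self.endpoints = endpoints                    # EPM table: {ip: sclass of the learned endpoint}

    def lpm(self, ip):
        """Longest-prefix match in the prefix table; returns (network, class) or None."""
        addr = ipaddress.ip_address(ip)
        hits = [(n, c) for n, c in self.prefixes if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None

    def sclass(self, src_ip):
        if src_ip in self.endpoints:                  # regular EPG: pcTag comes from EPM
            return self.endpoints[src_ip]
        hit = self.lpm(src_ip)
        if hit is None or hit[1] == DCLASS_NOT_LEARNED:
            return None                               # not an L3Out source; nothing to classify
        net, cls = hit
        # Ingress through the 0.0.0.0/0 subnet tags the source with the VRF pcTag, not with 15
        return self.vrf_pctag if net.prefixlen == 0 else cls

    def dclass(self, dst_ip):
        if dst_ip in self.endpoints:                  # destination learned on this leaf
            return self.endpoints[dst_ip]
        hit = self.lpm(dst_ip)
        if hit is None:                               # not learned: fabric (proxy/flood) decides
            return DCLASS_NOT_LEARNED
        return hit[1]                                 # 15 for 0.0.0.0/0, else the external EPG pcTag

    def classify(self, src_ip, dst_ip):
        """(SCLASS, DCLASS) pair the ingress leaf would use for its zoning-rule lookup."""
        return self.sclass(src_ip), self.dclass(dst_ip)

# Constructed leaf reusing the page's values: EPG1 endpoint 49155, ext_EPG 16386 on 10.20.20.0/24
LEAF = IngressLeaf(
    vrf_pctag=16390,                                  # hypothetical VRF pcTag
    ext_subnets={"0.0.0.0/0": CLASS_DEFAULT_L3OUT, "10.20.20.0/24": 16386},
    bd_subnets=["192.168.10.0/24"],
    endpoints={"192.168.10.10": 49155},
)
```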
Getting SCLASS/DCLASS using Embedded Logic Analysis Module (ELAM)
ELAM is one of the preferred tools to get the source and destination pcTag values of a flow. In the ELAM report, under "pkt rw vector", the SCLASS and DCLASS of a flow are found in the fields given here. The values are in hexadecimal and need to be converted to decimal to obtain the EPG pcTag.
sug_lurw_vec.info.nsh_special.dclass: <val>
sug_lurw_vec.info.nsh_special.sclass: <val>
Example:
sug_lurw_vec.info.nsh_special.dclass: 0x8004 << dst EPG pcTag is 32772
sug_lurw_vec.info.nsh_special.sclass: 0x8002 << src EPG pcTag is 32769
With the source and destination pcTag values, we can verify the Zoning Rules on ingress and egress Leaf Switches.
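As an added example (not from the original document), the Python below pulls the two fields out of an ELAM report and converts them with int(value, 16) rather than by hand; on the constructed excerpt 0x8004 decodes to 32772 and 0x8002 to 32770. The field names are the ones quoted above, and the range annotations follow the pcTag categories at the top of this page.

```python
import re

# System pcTags named on this page, used to annotate a decoded class
SYSTEM_CLASSES = {1: "destination not learned on ingress leaf; policy applied on egress leaf",
                  13: "drop EPG",
                  15: "0.0.0.0/0 subnet under an L3Out external EPG"}

# The two 'pkt rw vector' fields quoted above; the ELAM report prints their values in hex
CLASS_FIELD = re.compile(r"sug_lurw_vec\.info\.nsh_special\.(sclass|dclass):\s*(0x[0-9a-fA-F]+)")

def decode_elam_classes(report):
    """Return {'sclass': int, 'dclass': int} in decimal from the text of an ELAM report."""
    found = {m.group(1): int(m.group(2), 16) for m in CLASS_FIELD.finditer(report)}
    missing = {"sclass", "dclass"} - found.keys()
    if missing:
        raise ValueError(f"ELAM report lacks field(s): {sorted(missing)}")
    return found

def describe_pctag(pctag):
    """Place a decimal pcTag in the ranges defined earlier on this page."""
    if pctag in SYSTEM_CLASSES:
        return f"{pctag}: system ({SYSTEM_CLASSES[pctag]})"
    if 16 <= pctag <= 16385:
        return f"{pctag}: global-scope EPG pcTag (unique fabric-wide)"
    if 16386 <= pctag <= 65535:
        return f"{pctag}: VRF-local EPG pcTag (filter the EPG lookup by VRF scope)"
    return f"{pctag}: outside the 1-65535 pcTag range"

# Constructed excerpt carrying the two hex values shown above (other ELAM lines omitted)
SAMPLE_REPORT = """\
sug_lurw_vec.info.nsh_special.dclass: 0x8004
sug_lurw_vec.info.nsh_special.sclass: 0x8002
"""

if __name__ == "__main__":
    for name, tag in decode_elam_classes(SAMPLE_REPORT).items():
        print(name, describe_pctag(tag))
```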
For more information on Zoning-Rules, click here.