Match groups

Match groups allow you to specify a profile for specific types of packets, which can then be used to indicate their inclusion in or exclusion from workload traffic.

In the Fabric Services System UI, you can:

  • Create a match group.
  • Edit a match group.
  • Delete a match group.

Creating a match group

  1. Click to open the main menu and select Profiles.
  2. From the Profiles drop-down list, select Match Groups.
  3. Use the Region Selector at the top of the page to select the region in which to create the match group.
  4. Create an IPv4 or IPv6 match group.
    • To create an IPv4 match group, go to step 5.
    • To create an IPv6 match group, go to step 9.
  5. Click + CREATE IPV4 MATCH GROUP.
  6. Enter general information about the match group:
    1. Enter a Name for the match group.
    2. Optional: Enter a Description.
  7. Enter IPv4 match entry information for the match group:
    1. In the IPv4 Match Entry panel, click +ADD.
    2. Enter an IP address in the resulting form.
      The IP address must be specified as a prefix; that is, the host section must be all zeros.
    3. Click ADD.
    4. Repeat steps 7.1 through 7.3 until the IPv4 Address list is complete.
      Note that the ACL Reference List is empty. This list shows all of the ACL policies that are currently using this IPv4 match group; but because this is a new match group, no profiles are using it.
    5. At the lower right of the Match Group overlay, click CREATE.
      The system closes the Match Group Creation overlay and returns you to the Profiles page with the Match Groups view selected. The match group you just created is now included in the list of available IPv4 match groups.
    Repeat this step until the IPv4 match entry list is complete.
  8. Do one of the following:
    • To create an IPv6 match group, go to step 9.
    • If you are finished creating match groups, go to step 12.
  9. Click + CREATE IPV6 MATCH GROUP. The Match Group Creation overlay displays.
  10. Enter general information about the match group:
    1. Enter a Name for the match group.
    2. Optional: Enter a Description.
  11. Enter IPv6 match entry information for the match group:
    1. In the IPv6 Match Entry panel, click +ADD.
    2. Enter an IP address in the resulting form.
      The IP address must be specified as a prefix; that is, the host section must be all zeros.
    3. Click ADD.
    4. Repeat steps 11.1 through 11.3 until the IPv6 address list is complete.
      Note: The ACL Reference List field is empty. This list shows all of the ACL policies that are currently using this IPv6 match group; but because this is a new match group, no profiles are using it.
    5. At the lower right of the Match Group overlay, click CREATE.
      The system closes the Match Group Creation overlay and returns you to the Profiles page with the Match Group view selected. The match group you just created is now included in the list of available match groups.
  12. You have completed this procedure.
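
The prefix rule in steps 7 and 11 (the host section must be all zeros) can be checked before entries are typed into the form, which matters because a mistyped prefix changes which traffic the ACLs using the match group include or exclude. The following Python check is an added example, not part of the Fabric Services System or its documentation; the function name, the sample entries, and the rejection of entries without a prefix length are assumptions.

```python
import ipaddress

# Constructed sample entries for an IPv4 match group (not from the product).
SAMPLE_IPV4_ENTRIES = [
    "10.1.2.0/24",      # valid prefix
    "10.1.2.7/24",      # host bits set
    "192.0.2.0/24 ",    # valid, trailing space
    "2001:db8::/32",    # wrong address family for this group
    "10.1.2.0/24",      # duplicate
    "banana/8",         # not an address
    "198.51.100.1",     # no prefix length
]

def check_match_entries(entries, family):
    """Check candidate entries for one match group (family is 4 or 6).

    Returns (accepted, rejected): accepted holds normalized prefix strings,
    rejected holds (original_entry, reason) tuples.
    """
    accepted, rejected, seen = [], [], set()
    for raw in entries:
        text = raw.strip()
        if "/" not in text:
            # Assumption: a bare address is treated as an error, not as a host prefix.
            rejected.append((raw, "no prefix length given"))
            continue
        try:
            # ip_interface keeps the address as typed, so host bits can be reported.
            iface = ipaddress.ip_interface(text)
        except ValueError as exc:
            rejected.append((raw, f"not an IP prefix: {exc}"))
            continue
        if iface.version != family:
            rejected.append((raw, f"IPv{iface.version} entry in an IPv{family} match group"))
        elif iface.ip != iface.network.network_address:
            rejected.append((raw, f"host bits set; use {iface.network}"))
        elif iface.network in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
        else:
            seen.add(iface.network)
            accepted.append(str(iface.network))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_match_entries(SAMPLE_IPV4_ENTRIES, 4)
    print("accepted:", ok)
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
```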

Editing a match group

You can edit a match group at any time.

After you edit a match group, you must update the ACLs that rely on that match group. To help you identify the affected ACLs, each one displays a True flag in its Need update status. Open and save each affected ACL.

If the updated ACL profile is being used by a workload VPN intent, and that workload VPN intent has already been generated or deployed, then you must regenerate that workload VPN intent:

  • If the workload VPN intent has been generated but is not yet deployed, you can re-save and regenerate the workload VPN intent without creating a new version. Regenerating the workload VPN intent incorporates the new ACL settings into its configuration.
  • If the workload VPN intent has already been deployed, you need to create a new candidate version of the workload VPN intent before you can regenerate and redeploy it with the new ACL settings.

To edit a match group:

  1. Click to open the main menu and select Profiles.
  2. From the Profiles drop-down list, select Match Groups.
  3. Use the Region Selector at the top of the page to select the region containing the match group.
  4. Select a match group from the list, click the More actions icon at the right edge of the row, and select Open from the drop-down list.
  5. Update parameters for the match group.
  6. At the lower right of the Match Groups overlay, click SAVE.

Deleting a match group

You can only delete a match group that is not being used by any ACL profile. For any match group, the ACL profiles that are using it are listed in the ACL Reference List when you view the match group's details.

To delete a match group:

  1. Click to open the main menu and select Profiles.
  2. In the Profiles drop-down list, click Match Groups.
  3. Use the Region Selector at the top of the page to select the region containing the match group.
  4. Select a match group from the list by clicking on the More actions icon at the right edge of the row, and select Delete from the drop-down list.
  5. In the confirmation form, click OK.
    The system deletes the selected match group and closes the confirmation form, returning you to the Profiles page with the Match Groups view selected. The match group you just deleted no longer appears in the list.