Monday, December 4, 2017

Best practice (in production) for Cisco ACI contracts

I don't feel like I have a good handle on contracts in ACI. It seems like I am heading down a path where I will need to apply a contract in 20+ places every time I add a new EPG. Reading the official documentation isn't all that helpful; configuration is not the problem, it is how to design the layout of contracts to avoid a spider web.

For those who use ACI in production, and who don't just punt traffic control to an external firewall, how do you plan contracts? Do you create a larger number of VRFs (than you would otherwise want) so you can mark EPGs as unenforced? Do you use the contract/subject labels, and has that helped reduce the number of different contracts? Do you avoid contracts as much as possible, or only use them to pass L4-7 traffic to a firewall to do the actual filtering?
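To make the "spider web" concrete, here is an added example (not from the post or from Cisco) that models ACI's provider/consumer contract semantics in Python and compares two layouts for shared services such as DNS and NTP: one contract per (consumer EPG, service) pair versus one contract per service that is provided once and consumed by vzAny for the whole VRF. The model only tracks EPG-to-contract bindings and destination ports; the EPG names, service ports and the two design functions are constructed for the illustration. It shows how many bindings each layout needs, how many are added when a new EPG appears, and which flows each layout permits (including the widening that vzAny introduces).

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Contract:
    """An ACI contract reduced to a name and the destination ports its filters allow."""
    name: str
    ports: frozenset


@dataclass
class Vrf:
    """Simplified model of one ACI VRF (enforced mode).

    EPGs bind a contract as provider or consumer; vzAny stands for 'every EPG in
    this VRF' acting as consumer. Traffic src -> dst:port is permitted only when dst
    provides a contract whose filter covers port and src consumes that contract,
    either directly or through vzAny. Contracts are directional, as in ACI.
    """
    epgs: set = field(default_factory=set)
    providers: dict = field(default_factory=dict)      # Contract -> {EPG}
    consumers: dict = field(default_factory=dict)      # Contract -> {EPG}
    vzany_consumes: set = field(default_factory=set)   # contracts consumed by vzAny

    def provide(self, epg, contract):
        self.epgs.add(epg)
        self.providers.setdefault(contract, set()).add(epg)

    def consume(self, epg, contract):
        self.epgs.add(epg)
        self.consumers.setdefault(contract, set()).add(epg)

    def vzany_consume(self, contract):
        self.vzany_consumes.add(contract)

    def allowed(self, src, dst, port):
        """True if some provided contract on dst covers port and src consumes it."""
        for contract, provs in self.providers.items():
            if dst not in provs or port not in contract.ports:
                continue
            if src in self.consumers.get(contract, set()):
                return True
            # vzAny widens the consumer set to every EPG in the VRF, provider included.
            if contract in self.vzany_consumes and src in self.epgs:
                return True
        return False

    def binding_count(self):
        """Number of EPG<->contract relations (plus vzAny relations) an admin maintains."""
        return (sum(len(s) for s in self.providers.values())
                + sum(len(s) for s in self.consumers.values())
                + len(self.vzany_consumes))


def pairwise_design(apps, services):
    """One contract per (consumer app, shared service) pair: grows as apps x services."""
    vrf = Vrf()
    for app, (svc, port) in product(apps, services):
        contract = Contract(f"{app}-to-{svc}", frozenset({port}))
        vrf.provide(svc, contract)
        vrf.consume(app, contract)
    return vrf


def vzany_design(apps, services):
    """One contract per shared service, provided once and consumed by vzAny."""
    vrf = Vrf()
    for svc, port in services:
        contract = Contract(f"{svc}-svc", frozenset({port}))
        vrf.provide(svc, contract)
        vrf.vzany_consume(contract)
    for app in apps:            # app EPGs exist in the VRF but bind nothing themselves
        vrf.epgs.add(app)
    return vrf


# Constructed sample: five application EPGs and two shared-service EPGs.
APPS = ["web", "app", "db", "batch", "monitoring"]
SERVICES = [("dns", 53), ("ntp", 123)]


def bindings_added_by_new_epg(design, apps, services, new_epg="new-epg"):
    """How many bindings adding one more app EPG costs under a given design."""
    before = design(apps, services).binding_count()
    after = design(apps + [new_epg], services).binding_count()
    return after - before


if __name__ == "__main__":
    for name, design in (("pairwise", pairwise_design), ("vzAny", vzany_design)):
        vrf = design(APPS, SERVICES)
        print(f"{name}: {vrf.binding_count()} bindings, "
              f"+{bindings_added_by_new_epg(design, APPS, SERVICES)} per new EPG, "
              f"dns->ntp:123 allowed = {vrf.allowed('dns', 'ntp', 123)}")
```

The vzAny layout collapses the binding count and makes adding an EPG free, but the last printed column is the caveat: every EPG in the VRF, including the other service EPGs, can now reach each shared service, so it is only appropriate for services that genuinely should be reachable VRF-wide. Anything that must stay pairwise keeps the per-consumer contract cost.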
