
Can the contract name be different between two relevant EPGs?

Herman2018
Level 3

Hi, we have two EPGs and now need to create a contract for the communication between them. I just want to use two different contracts only. Can I create two contracts like below:

contract A -- allow EPG A to access EPG B, then apply this contract as consumer contract on EPG A

contract B -- allow EPG A to access EPG B, then apply this contract as provider contract on EPG B

can someone pls advise? thanks in advance. 

3 Replies

RedNectar
VIP Alumni

Hi @Herman2018 ,

You almost nailed it! But you only need one contract (strictly speaking you COULD build it like your scenario, but it's complicated and involves multiple filters. Don't do it!)

Here is a full explanation

If you want EPG A to access EPG B, then this implies that EPG B is providing some service on some TCP or UDP port number - to keep it simple, let's say TCP port 22.

Now, to allow EPG A access to TCP port 22 on EPG B servers, you'll need to:

  1. Create a Filter with a single entry of dst port range 22 to 22 (src port should be left blank)
    • TIP: Create the filter in the common tenant with a descriptive name like TCP22_Fltr
  2. Create a contract that uses this filter. Since contracts define services, give it a name like TCP22.Service_Ct or since port 22 is ssh, maybe SSH.Svc_Ct - including the word "Service" or "Svc" in the contract name helps remind you that the contract is defining a service, which helps when determining Provider and Consumer.
    • IMPORTANT: When applying the contract, make sure both the
      [x] Apply in both directions and the
      [x] Reverse Filter Ports options are set
    • See this answer for some nice pictures
  3. Apply the Contract as a Provided Contract for the provider EPG - in this case, EPG B
  4. Apply the Contract as a Consumer Contract for the consumer EPG - in this case, EPG A

Now, if you want to allow EPG A access to EVERYTHING on EPG B, repeat the above with a different filter and contract name - and consider, do you want EVERYTHING - or just IP traffic? Or just TCP traffic?

  • For EVERYTHING - you can use the default filter in the common tenant, and create a contract say AllTraffic_Ct that uses this contract. Not recommended - a filter that allows just IP makes much more sense unless you are running weird protocols
  • For IP only, create a filter say IP.Only_Fltr and a contract say IP.Only_Ct
  • For TCP only, create a filter say TCP.Only_Fltr and a contract say TCP.Only_Ct
  • In all these cases, the rules for provider and consumer still apply = EPG B is the provider and EPG A is the consumer

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
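
Steps 1 to 4 of the answer above, expressed as an APIC REST object tree (an added example, not part of the original thread), with a small checker that lists which EPGs provide and consume each contract name. The tenant, application profile, EPG, filter-entry and subject names are assumptions; TCP22_Fltr and SSH.Svc_Ct are the names suggested in the answer.

```python
import json

def ssh_contract_tree(tenant, app, provider_epg, consumer_epg):
    """Build one APIC object tree (body for POST /api/mo/uni.json), steps 1-4."""
    def mo(cls, attrs, *children):
        return {cls: {"attributes": attrs, "children": list(children)}}
    # Step 1: filter in the common tenant; source ports are left unspecified
    flt = mo("vzFilter", {"name": "TCP22_Fltr"},
             mo("vzEntry", {"name": "tcp22", "etherT": "ip", "prot": "tcp",
                            "dFromPort": "22", "dToPort": "22"}))
    # Step 2: the subject binds the filter directly (applies in both directions)
    # and revFltPorts="yes" is the Reverse Filter Ports option
    ct = mo("vzBrCP", {"name": "SSH.Svc_Ct"},
            mo("vzSubj", {"name": "ssh", "revFltPorts": "yes"},
               mo("vzRsSubjFiltAtt", {"tnVzFilterName": "TCP22_Fltr"})))
    # Steps 3 and 4: the same contract name is attached to both EPGs
    prov = mo("fvAEPg", {"name": provider_epg},
              mo("fvRsProv", {"tnVzBrCPName": "SSH.Svc_Ct"}))
    cons = mo("fvAEPg", {"name": consumer_epg},
              mo("fvRsCons", {"tnVzBrCPName": "SSH.Svc_Ct"}))
    return mo("polUni", {},
              mo("fvTenant", {"name": "common"}, flt),
              mo("fvTenant", {"name": tenant}, ct,
                 mo("fvAp", {"name": app}, prov, cons)))

def contract_sides(tree):
    """Return {contract name: {"prov": [EPGs], "cons": [EPGs]}} found in a tree."""
    sides = {}
    def walk(node, epg=None):
        for cls, body in node.items():
            attrs = body.get("attributes", {})
            if cls == "fvAEPg":
                epg = attrs["name"]
            if cls in ("fvRsProv", "fvRsCons"):
                side = "prov" if cls == "fvRsProv" else "cons"
                name = attrs["tnVzBrCPName"]
                sides.setdefault(name, {"prov": [], "cons": []})[side].append(epg)
            for child in body.get("children", []):
                walk(child, epg)
    walk(tree)
    return sides

def one_sided(tree):
    """Contract names that have a provider but no consumer, or the reverse."""
    return sorted(n for n, s in contract_sides(tree).items()
                  if not s["prov"] or not s["cons"])

if __name__ == "__main__":
    tree = ssh_contract_tree("Tenant1", "App1", "EPG_B", "EPG_A")  # constructed names
    print(json.dumps(tree, indent=2), one_sided(tree))
```

Running `one_sided` over an exported tenant configuration is a quick way to spot contracts that are attached on only one side.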

Hi @RedNectar, thank you so much for your kind advice! We have a general contract something like "allow any any", so I think we can apply this contract as provider contract on EPG B, just need to create a new contract and apply it as consumer contract on EPG A. This is one of the scenarios which use different contracts on each EPG respectively.

Sounds good. Let us know if it is successful and put this thread to bed.

RedNectar aka Chris Welsh.
