How can I set up a quarantine EPG to "bypass" a vzAny contract

a12288
Level 3

We have a few vzAny contracts in place. Can I set up a quarantine EPG that bypasses those vzAny contracts, to get a purely isolated EPG? Thanks.

Leo

1 Accepted Solution

Accepted Solutions

Robert Burns
Cisco Employee

Hey Leo, 

While you can't bypass vzAny contracts, you can supersede them. If you have a specific EPG you don't want to have access to other EPGs in the VRF, what you can do is apply a discrete contract between the EPG (Consumer) and vzAny (Provider) using a filter with DENY action. Deny actions will always override Permit when applied at the same level.
Beyond this you could still grant access from that isolated EPG to other specific EPGs (if you wanted) by applying a contract between the two EPGs (using a regular permit filter). EPG contracts will have a higher precedence over vzAny level contracts.

Take this example:

Goal: I want to exclude my Web_EPG from talking to any other EPG via vzAny, but I do still want Web_EPG to be able to talk to my App_EPG. All other EPGs should be able to freely communicate within the VRF.

blocking vzAny.png

Here's how ACI would process the contracts/filters:

deny contract precedence.png

From this result you can see the difference in filter priorities.  Lowest priorities get processed first on a match.  Per above my filters would process in this order:

1st: Web-to-App discrete contract, assigned between these two EPGs (7)

2nd: deny_vzAny, which is a deny filter between Web_EPG and vzAny (15 & 16 for both directions)

3rd: vzAny, which allows anything else not matched within the same VRF to communicate (21)

4th (Last): Implicit Deny for everything else not matched (22)

(Note there are a couple of additional default filters to allow for internal activities such as Implicit ARP that I didn't include in my explanation)

As soon as the first match is hit, that action is applied and the lookup stops.

Robert

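A small model of the lookup order Robert describes, added here as an example that is not part of the thread or of any Cisco tooling. The rule set, the vzAny marker and the reverse App-to-Web rule at priority 7 are assumptions; the priorities are the ones listed in the post.

```python
from dataclasses import dataclass

ANY = "vzAny"  # constructed marker: the rule field covers the whole VRF


@dataclass(frozen=True)
class ZoningRule:
    priority: int  # lower value is evaluated first
    src: str       # consumer EPG name, or ANY
    dst: str       # provider EPG name, or ANY
    action: str    # "permit" or "deny"
    name: str


# Constructed rule set mirroring the example above; the numbers are the
# priorities Robert lists (7, 15/16, 21, 22). The App->Web rule at 7 is an
# assumption: a contract applied in both directions yields one rule per direction.
RULES = [
    ZoningRule(7, "Web_EPG", "App_EPG", "permit", "Web-to-App contract"),
    ZoningRule(7, "App_EPG", "Web_EPG", "permit", "Web-to-App contract"),
    ZoningRule(15, "Web_EPG", ANY, "deny", "deny_vzAny"),
    ZoningRule(16, ANY, "Web_EPG", "deny", "deny_vzAny"),
    ZoningRule(21, ANY, ANY, "permit", "vzAny"),
    ZoningRule(22, ANY, ANY, "deny", "implicit deny"),
]


def _scope_matches(rule_field, epg):
    return rule_field == ANY or rule_field == epg


def lookup(src, dst, rules=RULES):
    """Return (action, rule name) of the first match, lowest priority first; lookup then stops."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _scope_matches(rule.src, src) and _scope_matches(rule.dst, dst):
            return rule.action, rule.name
    raise LookupError("no rule matched; a real VRF always ends in the implicit deny")


def reachability(epg, peers, rules=RULES):
    """Map each peer to whether traffic from `epg` to it is permitted."""
    return {peer: lookup(epg, peer, rules)[0] == "permit" for peer in peers}


def without(rules, name):
    """Drop one contract's rules, e.g. to see the fully quarantined variant Leo asked about."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    peers = ["App_EPG", "DB_EPG"]
    print("Web_EPG with Web-to-App contract:", reachability("Web_EPG", peers))
    print("Web_EPG fully quarantined:", reachability("Web_EPG", peers, without(RULES, "Web-to-App contract")))
    print("App_EPG (not quarantined):", reachability("App_EPG", ["DB_EPG", "Web_EPG"]))
```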

3 Replies

Sergiu.Daniluk
VIP Alumni

Hi @a12288 

As far as I see, you have two config options, which basically are doing the same thing: provide the EPG with a taboo contract or a standard contract with deny IP filter. I would recommend the standard contract.


Take care,

Sergiu


Much appreciated, Robert!

We added the contracts as you suggested and it worked as expected.

Leo
