I feel like I'm missing something that should be obvious. I'm at a loss for identifying where to define a host or a subnet as a source or destination within the contract policy hierarchy.
If I have a contract, I can specify allowed/denied TCP and UDP port ranges between two EPGs. But I can't define subnets and IPs?
If I'm doing a brownfield migration, and I'm starting with endpoints within a VLAN/subnet that need different policies to replicate their existing ACL (there's no firewall in the particular set of cases I'm considering), do they need to be in different EPGs with different contracts? That will NOT scale at all for what I need - I'll end up with hundreds or possibly thousands of EPGs, with something approaching a full mesh of several thousands of contracts, for just a handful of ACI subnets, compared to IOS's max of #ACL's = 2x #VLANs.
weylin