Hi,
While east-west traffic using contracts is widely explained throughout the documentation, I didn't find clear guidelines to manage north-south traffic control in ACI. All the examples refer to the typical "allow all" contract for L3out in order to let all the outgoing traffic get out of the ACI fabric. However, consuming that kind of contract also allows any incoming traffic to the consuming EPG.
For incoming traffic, I would expect the external EPG under the L3out to consume only those contracts provided by the internal EPGs inside the fabric, so the rest of the traffic is blocked, and, for outgoing traffic, a contract provided by the external EPG that allows ONLY all the outgoing traffic.
What are the best practices in this sense?
Thanks.