I'm just curious where other people are putting their contracts, in the specific tenant or in the common tenant? I've been working in our lab environment and I can see some advantages to putting them all in the common tenant with the proper scope. I understand the value of re-use by putting them there, but it actually feels more cumbersome as I build a contract between EPGs within the same tenant. Today I'm a single tenant and that could change and then there would be re-use for shared services stuff. Which makes me wonder if a hybrid approach would be better...if it's shared services, put them in the common, but if it's a specific contract between EPGs within the same tenant, keep it in that tenant. Especially given there are some contracts (L4-L7 stuff) that have to be in the tenant (I think anyway).
I know there are many right ways to do the same thing. Just looking for some examples of what you're doing and what is working well (or what you regret doing).
I'd also be curious how you build your contracts...are you building specific EPG to EPG contracts with all of the filters you need within the same contract? Or are you building more "generic" contracts and applying multiple contracts to the EPGs?
For example, let's say you have ssh, https, telnet, and icmp required between EPG1 (provide) and EPG2 (consume).
Do you do this:
epg1_to_epg2 contract - contains filter ssh, https, telnet, icmp
or
telnet_contract -> filter telnet
ssh_contract -> filter ssh
icmp_contract -> filter icmp
https_contract -> filter https
and then the EPGs provide and consume multiple contracts? Because it's highly likely you'll need to use those well-known services between other EPGs too? I suppose there may be a resource thing that makes #1 more efficient, but #2 almost seems like it'd be easier to look at.
Thanks all for any opinions.