Showing results for 
Search instead for 
Did you mean: 

EPG labels, complements and consumed contract interfaces

First, what does the complement flag do for EPG labels? I have not been able to find any documentation on this.


Second, should EPG labels work the same for consumed contract interfaces as they do for contracts within a tenant? Or do I need to do something additional to get them to work.


The scenario is that in ACI 4.1(1i) I have a tenant with an EPG with a contract which is providing access to all IP traffic and a server endpoint with a /32 EPG subnet in addition to the /24 bridge domain subnet. The following EPGs consume that contract and endpoints are able to access network services (SSH, HTTP and ICMP) on the server endpoint when there are no labels configured:

  • Client EPG in same tenant
  • Client EPG in Tenant 2 via consumed contract interface
  • Client EPG in Tenant 3 via consumed contract interface (exported after I added the label to the server EPG)

If I add an EPG label at either the EPG level or the contract level, the EPG in the same tenant still works when I add the label at either the EPG level or the contract level in the client EPG in the same tenant.


However, the EPGs in Tenant 2 and 3 can't access the server endpoint in the server EPG, regardless of whether I configure the label on the EPG or on the consumed contract interface. Even changing the label matching option to None on both sides doesn't help--only deleting the label from the server EPG does.


What am I missing here?