I'd like to start a thread concerning the "contracts configuration" and how to reduce their use to save HW resources inside ACI. My considerations rise up from a real case (i'm in the phase of ACI modeling what in the Brownfield is already deployed and need to be migrated to ACI).
I'm beginning with some questions about what would be possible and what wouldn't in ACI (at the end of this thread i'm quoting the scheme as reference of my thoughts):
1) May I introduce "vzAny" and define more contracts between it and different L3Out external EPGs that belong to the same Tenant but in different VRFs?
1.a) If yes, is it representing a shortcut among the different L3Out external EPGs?
2) If i want to introduce the "Preferred group"to avoid to use contracts among EPGs that belong to it (in the brownfield implementation, the subnets they represent, do inter-VLAN routing via static routes already), but at the same time i need a contract (at the beginning that let pass "all IP") between all them and a few L3Out external EPGs, may i think to use the "vzAny"to introduce ONLY one contract between each L3Out external EPGand vzAny?
2.a) ...as consequence, that means i have to introduce other VRFs which L3Out external EPGs belong, because otherwise the "vzAny" would include also the L3Out EPGs themselves, right?
3) If i introduce the "Preferred Group", i need however to configure the "associations between each BD (that in my case is 1to1 with internal EPG based on Network Centric Paradigm) and each L3Out external EPG, right?
Just to clarify the scenario...
I've 3 VDC from Brownfield that have to be migrated to ACI (i'm thinking to introduce 3 Tenants each one with one VRF that contain stretched VLANs domain 1 Internal EPG = 1 BD = 1 VLAN; plus other VRFs just to allow to introduce the contract between vzAny and L3Out EPGs and save contracts in the end).
All the internal EPGs have to talk each other as they already do in Brownfield but have to exit to external world (Internet, another remote DC, branch office that use services hosted inside Data Center and finally a external FWINTRA that in Brownfield environment is implementing a inter-VDC shortcut).
I've to allow traffic from other two Tenants (in brownfield VDCs) to be flowing via FWINTRA to VRF Prod (in tenant Prod), for east-west path, and use the VRF Prod to access to external world, by requirements, for North-south path.
I'd not like to get crazy with contracts, so the choices are two in my opinion (or three :)):
1) apply the un-enforced --> and then if i had to change the policy later one?
2) use a kind of default contract shared among all the EPGs, internal and L3Out external --> but i don't want that all the L3Out talk each other, just a couple for transit routing
3) vzAny + preferred group considering the drawback of 0/0 from external EPG (work around 1/0 and 128/0)
I would be really interested to understand your opinion, because i'm quite new to ACI and the first guess, could be the worse one because of my poor experience!
The attachment is quoting the main Tenant, the more complex, as reference...
thanks fro oyr reply!
May you show to me where is asserting that vzAny and "Preffered group" cannot be used at the same time intenrally at a VRF?
Because that is something i didn't read till now around...
I was originally thking to go for this the implementation of this model at the end...
where just a few contracts would have been used...
...but at this point, basing on what you sayd, it wouldn't work! :(