Filters & Contracts Configuration
A contract is a rule or policy that defines how EPGs communicate with each other. By default, all communication between EPGs is blocked; to allow it, a contract must be defined, unless the VRF instance is configured as “unenforced”. Communication within an EPG does not require a contract.
The diagram below shows the relationship between EPGs and contracts.
In the figure above, the WEB EPG consumes a contract that the APP EPG provides. Similarly, the DB EPG provides a separate contract that the APP EPG consumes.
Contracts serve the following purposes in ACI:
- Define an ACL, expressed as filters, that allows communication between security zones
- Provide route leaking between VRFs or tenants
The figure below shows how contracts are configured between EPGs.
Contracts work like security ACLs configured between EPGs. Traffic forwarding between endpoints is based on routing, as defined by the VRF and BD configuration, whereas communication between endpoints in different EPGs depends on the filtering rules defined by contracts.
The figure below illustrates these statements.
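The contract rules described above (deny between EPGs by default, no contract needed inside an EPG, an unenforced VRF bypassing contracts) can be checked with a small policy model. This is an added example, not APIC code or part of the original page: the contract names, ports and the `is_permitted` helper are assumptions, and only consumer-initiated flows matched on destination port are modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    proto: str   # e.g. "tcp"
    dport: int   # destination port on the provider side

@dataclass
class Contract:
    name: str
    filters: frozenset
    providers: set = field(default_factory=set)
    consumers: set = field(default_factory=set)

def is_permitted(src_epg, dst_epg, proto, dport, contracts, vrf_enforced=True):
    """Return (allowed, reason) for a new flow from src_epg to dst_epg."""
    if not vrf_enforced:
        return True, "VRF unenforced"          # contracts are not evaluated
    if src_epg == dst_epg:
        return True, "intra-EPG"               # no contract required
    for c in contracts:
        # The consumer initiates toward the provider; the filter must match.
        if (src_epg in c.consumers and dst_epg in c.providers
                and Filter(proto, dport) in c.filters):
            return True, f"contract {c.name}"
    return False, "implicit deny"              # default between EPGs

# Constructed policy mirroring the WEB / APP / DB relationship in the text.
# Contract names and ports are illustrative assumptions.
CONTRACTS = [
    Contract("web-to-app", frozenset({Filter("tcp", 8080)}),
             providers={"APP"}, consumers={"WEB"}),
    Contract("app-to-db", frozenset({Filter("tcp", 3306)}),
             providers={"DB"}, consumers={"APP"}),
]

if __name__ == "__main__":
    flows = [
        ("WEB", "APP", "tcp", 8080),   # allowed by web-to-app
        ("APP", "DB", "tcp", 3306),    # allowed by app-to-db
        ("WEB", "DB", "tcp", 3306),    # denied: contracts are not transitive
        ("WEB", "APP", "tcp", 22),     # denied: port not in the filter
        ("DB", "DB", "tcp", 22),       # allowed: same EPG
    ]
    for flow in flows:
        print(flow, is_permitted(*flow, CONTRACTS))
```

The WEB to DB case is the one to audit for: both EPGs have a contract with APP, yet no rule permits them to talk directly.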