Filters & Contracts Configuration

Posted on Jan 24, 2020


A contract is a rule or policy that defines how EPGs communicate with each other. By default, all communication between EPGs is blocked; to allow it, a contract must be defined, unless the VRF instance is configured as "unenforced". Communication within a single EPG does not require a contract.

The diagram below shows the relationship between EPGs and contracts.

In the figure above, the WEB EPG consumes the contract that the APP EPG provides. Similarly, the DB EPG provides a separate contract that the APP EPG consumes.

Contracts serve the following purposes in ACI:

  • Define an ACL, expressed as filters, that allows communication between security zones
  • Provide route leaking between VRFs or tenants

The figure below shows how contracts are configured between EPGs.

Contracts are like security ACLs configured between EPGs. Forwarding of traffic between endpoints is based on routing as defined by the VRF and bridge domain (BD) configuration, whereas communication between endpoints in different EPGs depends on the filtering rules defined by contracts.

The figure below illustrates these statements.

Filters & Subjects:

Filters are rules made up of fields such as source port, destination port, source IP, destination IP, and protocol type; they are attached to contracts, which define communication between EPGs in the fabric. A filter can contain more than one rule. A subject is a construct contained within a contract that typically references one or more filters.

Contract filter rules must have a direction, for example consumer-to-provider or provider-to-consumer.

Contract rules do not include IP addresses, because traffic is filtered based on EPG membership rather than on addresses.

Bidirectional & Reverse Filter Options:

When a contract is configured, there are two options that are selected by default:

  • Apply Both Directions
  • Reverse Filter Ports

The figure below shows the communication between EPGs, where EPG-1 is the consumer, EPG-2 is the provider, and EPG-1 wants to talk to EPG-2 on destination port 80.

If you enable Apply Both Directions, as shown in the figure below, it programs two TCAM entries: one that allows an unspecified source port to talk to destination port 80 in the consumer-to-provider direction, and a second for the provider-to-consumer direction that again allows an unspecified source port to talk to destination port 80.

As configured, however, the second entry is not correct, because the provider (EPG-2) generates its return traffic from port 80, not to port 80.
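To make the two options concrete, here is an added Python model (not Cisco's code and not part of the original post) of how a subject's filter entries become directional zoning rules. It uses simplified object names (FilterEntry, Subject, Contract, ZoningRule) that stand in for the APIC objects, and relies on the standard ACI behaviour that Reverse Filter Ports swaps the source and destination ports of the provider-to-consumer entry; the EPG names, port numbers and flows are constructed sample input.

```python
"""Model of how an ACI contract's subject options turn filter entries into
directional zoning (TCAM) rules, and how a flow is evaluated against them.
Added illustration only, not Cisco's code."""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "unspecified"  # ACI's wildcard value for a port or protocol


@dataclass(frozen=True)
class FilterEntry:
    """One rule inside a filter: protocol plus source/destination ports.
    No IP addresses: EPG membership, not the IP, selects the traffic."""
    prot: str = "tcp"
    sport: str = ANY
    dport: str = ANY


@dataclass
class Subject:
    """A subject references filters and carries the two options."""
    name: str
    filters: List[FilterEntry]
    apply_both_directions: bool = True
    reverse_filter_ports: bool = True


@dataclass
class Contract:
    name: str
    subjects: List[Subject]


@dataclass(frozen=True)
class ZoningRule:
    """A TCAM entry: source EPG, destination EPG, protocol, sport, dport."""
    src_epg: str
    dst_epg: str
    prot: str
    sport: str
    dport: str


def expand_rules(contract: Contract, consumer: str, provider: str) -> List[ZoningRule]:
    """Derive the zoning rules programmed when `consumer` consumes and
    `provider` provides `contract`."""
    rules: List[ZoningRule] = []
    for subj in contract.subjects:
        for e in subj.filters:
            # consumer-to-provider entry, ports exactly as written in the filter
            rules.append(ZoningRule(consumer, provider, e.prot, e.sport, e.dport))
            if not subj.apply_both_directions:
                continue
            if subj.reverse_filter_ports:
                # provider-to-consumer entry with source and destination ports
                # swapped: the provider answers FROM port 80, not TO port 80
                rules.append(ZoningRule(provider, consumer, e.prot, e.dport, e.sport))
            else:
                # the mistaken entry described in the post: EPGs reversed,
                # ports unchanged, so the reply traffic never matches
                rules.append(ZoningRule(provider, consumer, e.prot, e.sport, e.dport))
    return rules


def _port_match(rule_port: str, pkt_port: int) -> bool:
    return rule_port == ANY or int(rule_port) == pkt_port


def is_permitted(rules: List[ZoningRule], src_epg: str, dst_epg: str,
                 prot: str, sport: int, dport: int, vrf_enforced: bool = True) -> bool:
    """Default deny between EPGs; intra-EPG traffic and unenforced VRFs
    need no contract."""
    if not vrf_enforced or src_epg == dst_epg:
        return True
    return any(
        r.src_epg == src_epg and r.dst_epg == dst_epg
        and (r.prot == ANY or r.prot == prot)
        and _port_match(r.sport, sport) and _port_match(r.dport, dport)
        for r in rules
    )


def demo(reverse_filter_ports: bool) -> Tuple[bool, bool]:
    """Return (request permitted, reply permitted) for WEB -> APP on TCP/80
    with Apply Both Directions on and Reverse Filter Ports as given."""
    http = FilterEntry(prot="tcp", sport=ANY, dport="80")
    c = Contract("web-to-app", [Subject("http", [http], True, reverse_filter_ports)])
    rules = expand_rules(c, consumer="WEB", provider="APP")
    request = is_permitted(rules, "WEB", "APP", "tcp", 51234, 80)  # SYN to port 80
    reply = is_permitted(rules, "APP", "WEB", "tcp", 80, 51234)    # answer from port 80
    return request, reply


if __name__ == "__main__":
    print("reverse filter ports on :", demo(True))   # (True, True)
    print("reverse filter ports off:", demo(False))  # (True, False)
```

Running the block shows the difference the option makes: with Reverse Filter Ports on, both the request and the provider's reply match a rule; with it off, the request still passes but the reply from source port 80 hits no entry and is dropped by the default deny.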
