To apply contracts to all endpoint groups within a VRF, you can apply the contract directly to the VRF. This concept is also referred to as the vzAny endpoint group. It simplifies contract management by allowing one contract configuration to cover all endpoint groups within a VRF, and it also reduces hardware resource consumption.
For example, if a Cisco ACI administrator has 100 endpoint groups that are all part of the same VRF, the administrator can apply the contracts to this one vzAny group under the VRF rather than to each endpoint group.
Traditionally, VRF-wide contracts allow established traffic, allowing endpoint group contracts to define traffic in only one direction—from consumer to provider—without the need to have reverse port forwarding enabled for TCP traffic. Because all endpoint groups within the VRF allow established traffic, reverse port forwarding is unnecessary in the contract applied to the endpoint group directly.
A quick trick to see if contracts, or the lack thereof, are blocking traffic within the VRF in an ACI fabric is to unenforce the VRF. This technique allows communication between all endpoint groups within the VRF without the need for contracts. This is equivalent to applying the common tenant contract vzAny to the VRF endpoint group.
Note
If a very large number of contracts exists within the VRF, reimplementing the contracts in the leaf switches can take up to an hour or more when the VRF is moved back to enforced.
To apply a contract to a VRF (vzAny) using the GUI, follow these steps:
Step 1. On the menu bar, choose Tenants > ALL TENANTS. In the Work pane, choose Tenant_Name.
Step 2. In the Navigation pane, choose Tenant_Name > Networking > Private Networks > Private_Network_Name > EPG Collection for Context.
Step 3. In the Work pane, click + next to either Add Provided Contract or Add Consumed Contract.
Note
Make a selection depending on how the contract is to be deployed.
Then do the following:
Enter a Contract_Name.
Choose a QOS Type.
Choose Match Criteria.
Step 4. Click Update.
To verify a contract using the ACI API or shell command, you can use these commands:
REST API: /api/node/class/vzBrCP.xml
Shell command: admin@apic1:~> moquery -c vzBrCP
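The GUI procedure above has a REST equivalent. The following added example (not code from the book or from Cisco) builds the XML body that binds provided and consumed contracts to a VRF's vzAny object, optionally sets the VRF to unenforced for the troubleshooting trick described earlier, and parses a class query response to report which VRFs carry which vzAny contracts and which VRFs are still unenforced. The class and attribute names (fvCtx, vzAny, vzRsAnyToProv, vzRsAnyToCons, tnVzBrCPName, pcEnfPref) are taken from the ACI object model; the VRF names, contract name shared-services and the query response are constructed sample data.

```python
"""Build a vzAny contract binding for a VRF and audit vzAny state from a query.

Added example; the classes/attributes are ACI object-model names, the sample
data is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what GET /api/node/class/fvCtx.xml?rsp-subtree=full
# might return for two VRFs: VRF-1 is enforced with a vzAny contract, VRF-2 was
# left unenforced after troubleshooting.
SAMPLE_VRF_QUERY = """<imdata totalCount="2">
  <fvCtx dn="uni/tn-Cisco-1/ctx-VRF-1" name="VRF-1" pcEnfPref="enforced">
    <vzAny>
      <vzRsAnyToProv tnVzBrCPName="shared-services"/>
      <vzRsAnyToCons tnVzBrCPName="shared-services"/>
    </vzAny>
  </fvCtx>
  <fvCtx dn="uni/tn-Cisco-1/ctx-VRF-2" name="VRF-2" pcEnfPref="unenforced">
    <vzAny/>
  </fvCtx>
</imdata>"""


def build_vzany_payload(vrf, provided=(), consumed=(), enforce=None):
    """Return the XML body for POST /api/mo/uni/tn-<tenant>/ctx-<vrf>.xml.

    provided/consumed are contract (vzBrCP) names to bind to the VRF's vzAny.
    enforce=False sets pcEnfPref=unenforced (the "unenforce the VRF" trick);
    enforce=True sets it back to enforced; None leaves the attribute untouched.
    """
    attrs = {"name": vrf}
    if enforce is not None:
        attrs["pcEnfPref"] = "enforced" if enforce else "unenforced"
    ctx = ET.Element("fvCtx", attrs)
    vz_any = ET.SubElement(ctx, "vzAny")
    for name in provided:
        ET.SubElement(vz_any, "vzRsAnyToProv", tnVzBrCPName=name)
    for name in consumed:
        ET.SubElement(vz_any, "vzRsAnyToCons", tnVzBrCPName=name)
    return ET.tostring(ctx, encoding="unicode")


def audit_vrfs(xml_text):
    """Parse fvCtx objects (query response or a payload) into a dict:
    {vrf_name: {"enforced": True/False/None, "provided": [...], "consumed": [...]}}
    "enforced" is None when the element carries no pcEnfPref attribute."""
    result = {}
    for ctx in ET.fromstring(xml_text).iter("fvCtx"):
        pref = ctx.get("pcEnfPref")
        result[ctx.get("name")] = {
            "enforced": None if pref is None else pref == "enforced",
            "provided": [r.get("tnVzBrCPName") for r in ctx.iter("vzRsAnyToProv")],
            "consumed": [r.get("tnVzBrCPName") for r in ctx.iter("vzRsAnyToCons")],
        }
    return result


def unenforced_vrfs(audit):
    """VRFs explicitly reported as unenforced: every EPG in them talks freely,
    so these should be empty outside a troubleshooting window."""
    return sorted(name for name, v in audit.items() if v["enforced"] is False)


if __name__ == "__main__":
    print(build_vzany_payload("VRF-1", provided=["shared-services"],
                              consumed=["shared-services"]))
    audit = audit_vrfs(SAMPLE_VRF_QUERY)
    for vrf, state in audit.items():
        print(vrf, state)
    print("unenforced VRFs:", unenforced_vrfs(audit))
```

The payload is posted to the APIC with the usual authenticated session; the audit function is run on the output of a class query so that a VRF left unenforced after the troubleshooting trick is noticed rather than forgotten.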
Inter-Tenant Contracts
Some services, such as DNS for name resolution and Active Directory for user management, are common or shared across tenants. Because these services are shared, you need to allow their traffic across the whole fabric. Communication between EPGs that belong to different tenants is allowed only when they share the same contract. To use the same contract, you need to export it from the source tenant to the appropriate destination tenant. That contract then appears under the Imported Contract section in the Security Policies of the destination tenant.
A consumed contract interface is used to associate an EPG from the destination tenant with the imported contract.
Note
A consumed contract interface represents one or more subjects defined under the contract. By associating to an interface, an endpoint group starts consuming all the subjects represented by the interface.
In the following example, EPG-1 in tenant Cisco-1 requires communication with EPG-2 in tenant Cisco-2. This is accomplished by using contract interfaces. As illustrated in Figure 18-10, the tenant Cisco-1 user exports the intended contract interfaces and selects a provider to provide the contract to EPG-2. The user then confirms the imported contract in tenant Cisco-2 and selects the contract as consumed. To advertise the routes from the source VRF to the intended VRF, the user must create the subnet within the EPG.
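The export and consume steps of the Cisco-1 to Cisco-2 example can also be expressed as REST objects. The following added example (not the book's or Cisco's code) builds the contract interface that imports a source tenant's contract into the destination tenant, builds the EPG binding that consumes it together with the EPG subnet that leaks the route to the other VRF, and parses a query response so an administrator can list which foreign contracts a tenant has imported. The tenant and EPG names come from the text above; the contract name EPG1-to-EPG2, the interface name Cisco-1-to-2, the application profile AP-1 and the subnet are constructed. The class names (vzCPIf, vzRsIf, fvRsConsIf, fvSubnet, tnVzCPIfName) and the "shared" subnet scope are ACI object-model names as the author of this example knows them.

```python
"""Inter-tenant contract export via contract interfaces (added example).

Object class names are from the ACI object model; tenant/EPG names are from
the surrounding text; contract, interface, AP and subnet values are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of GET /api/node/class/vzCPIf.xml?rsp-subtree=children
# run against tenant Cisco-2 after the export.
SAMPLE_CIF_QUERY = """<imdata totalCount="1">
  <vzCPIf dn="uni/tn-Cisco-2/cif-Cisco-1-to-2" name="Cisco-1-to-2">
    <vzRsIf tDn="uni/tn-Cisco-1/brc-EPG1-to-EPG2"/>
  </vzCPIf>
</imdata>"""

CONTRACT_DN = re.compile(r"^uni/tn-([^/]+)/brc-([^/]+)$")


def contract_dn(tenant, contract):
    """Distinguished name of a contract (vzBrCP) in a tenant."""
    return f"uni/tn-{tenant}/brc-{contract}"


def build_export_payload(src_tenant, contract, dst_tenant, cif_name):
    """XML for POST /api/mo/uni/tn-<dst_tenant>.xml: a contract interface (vzCPIf)
    in the destination tenant whose vzRsIf points at the source tenant's contract.
    This is what the GUI export creates under Imported Contracts."""
    tn = ET.Element("fvTenant", name=dst_tenant)
    cif = ET.SubElement(tn, "vzCPIf", name=cif_name)
    ET.SubElement(cif, "vzRsIf", tDn=contract_dn(src_tenant, contract))
    return ET.tostring(tn, encoding="unicode")


def build_consume_payload(ap, epg, cif_name, subnet=None):
    """XML for POST /api/mo/uni/tn-<dst_tenant>/ap-<ap>/epg-<epg>.xml:
    fvRsConsIf makes the EPG a consumer of the imported interface, and the
    optional fvSubnet with scope=shared is the EPG subnet the text says must be
    created so the route is advertised into the other VRF."""
    e = ET.Element("fvAEPg", name=epg)
    ET.SubElement(e, "fvRsConsIf", tnVzCPIfName=cif_name)
    if subnet:
        ET.SubElement(e, "fvSubnet", ip=subnet, scope="shared")
    return ET.tostring(e, encoding="unicode")


def imported_contracts(xml_text):
    """{interface_name: (source_tenant, contract_name)} for every vzCPIf found.
    Lets a tenant owner see exactly which other tenants' contracts are imported."""
    found = {}
    for cif in ET.fromstring(xml_text).iter("vzCPIf"):
        rs = cif.find("vzRsIf")
        m = CONTRACT_DN.match(rs.get("tDn", "")) if rs is not None else None
        if m:
            found[cif.get("name")] = (m.group(1), m.group(2))
    return found


def consumed_interfaces(xml_text):
    """[(epg_name, interface_name)] for every fvRsConsIf under an fvAEPg."""
    pairs = []
    for epg in ET.fromstring(xml_text).iter("fvAEPg"):
        for rs in epg.iter("fvRsConsIf"):
            pairs.append((epg.get("name"), rs.get("tnVzCPIfName")))
    return pairs


if __name__ == "__main__":
    print(build_export_payload("Cisco-1", "EPG1-to-EPG2", "Cisco-2", "Cisco-1-to-2"))
    print(build_consume_payload("AP-1", "EPG-2", "Cisco-1-to-2", "10.2.0.1/24"))
    print("imported in Cisco-2:", imported_contracts(SAMPLE_CIF_QUERY))
```

The export payload is posted against the destination tenant and the consume payload against the consuming EPG; running imported_contracts on a periodic vzCPIf query gives a simple inventory of cross-tenant contract exposure.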