In Cisco ACI (Application Centric Infrastructure), a taboo contract is a special type of contract used to explicitly deny specific types of traffic between endpoint groups (EPGs), even if other contracts would otherwise allow it.
🔍 What is a Taboo Contract?
- Purpose: Taboo contracts are designed to block traffic that matches certain filters. They override any other contracts that might permit that traffic.
- Application: Unlike standard contracts, which are applied between EPGs (one consuming and one providing), a taboo contract is attached to a single EPG with no consumer/provider role. This means it affects all traffic originating from or destined to that EPG, whichever peer EPG is on the other side.
- Use Case: For example, if you want to ensure that an EPG never uses insecure protocols like HTTP (port 80) or Telnet (port 23), you can apply a taboo contract with filters for those ports.
🛑 Key Characteristics
- Deny Action: Taboo contracts only support the "deny" action. They are used to block traffic, not to permit it.
- Logging: Optionally, a taboo contract can also log the denied traffic (the log directive on the taboo subject's filter) for auditing or troubleshooting purposes.
- Priority: They take precedence over regular contracts. If a packet matches a taboo filter, it is dropped before any permitting contract is consulted, even if a regular contract would otherwise allow it.
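The HTTP/Telnet use case above, as an added example that is not part of the original post: a Python script that builds the APIC REST (JSON) payload for a taboo contract with two deny filters, attaches it to an EPG, and models the precedence rule from the list above (taboo match is dropped first, then the permitting contract is consulted, otherwise the EPG's implicit deny applies). The managed-object class and attribute names (vzFilter, vzEntry, vzTaboo, vzTSubj, vzRsDenyRule, fvRsProtBy) follow the APIC object model; the tenant, application profile, EPG, filter and contract names are assumptions, and the verdict function is a deliberately simplified model of the fabric's policy lookup (TCP destination ports only), not Cisco's code.

```python
"""Build an APIC REST payload for a taboo contract that blocks HTTP and
Telnet on one EPG, and model how a taboo deny overrides a permit.

Added example, not from the original post or from Cisco. Tenant, app
profile, EPG, filter and contract names below are assumptions.
"""
import json

TENANT = "demo-tn"   # assumed tenant name
APP = "demo-ap"      # assumed application profile
EPG = "web-epg"      # assumed EPG the taboo contract is applied to

# Insecure protocols the post wants denied: name -> TCP destination port.
BLOCKED = {"http": 80, "telnet": 23}


def filter_mo(name, port):
    """One vzFilter holding a single TCP entry for destination port `port`."""
    entry = {
        "name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
        "dFromPort": str(port), "dToPort": str(port),
        "sFromPort": "unspecified", "sToPort": "unspecified",
    }
    return {"vzFilter": {
        "attributes": {"dn": f"uni/tn-{TENANT}/flt-{name}", "name": name},
        "children": [{"vzEntry": {"attributes": entry}}],
    }}


def taboo_mo(name, filter_names, log=True):
    """vzTaboo with one subject; each filter is referenced by a vzRsDenyRule.
    A taboo can only deny, so there is no action attribute to choose; the
    optional 'log' directive makes the fabric log every dropped flow."""
    rules = [{"vzRsDenyRule": {"attributes": {
        "tnVzFilterName": f, "directives": "log" if log else ""}}}
        for f in filter_names]
    return {"vzTaboo": {
        "attributes": {"dn": f"uni/tn-{TENANT}/taboo-{name}", "name": name},
        "children": [{"vzTSubj": {"attributes": {"name": "deny-insecure"},
                                  "children": rules}}],
    }}


def epg_protected_by(taboo_name):
    """fvRsProtBy attaches the taboo to the whole EPG: no consumer or
    provider side, so it applies regardless of the peer EPG."""
    return {"fvAp": {"attributes": {"name": APP}, "children": [{"fvAEPg": {
        "attributes": {"name": EPG},
        "children": [{"fvRsProtBy": {"attributes": {"tnVzTabooName": taboo_name}}}],
    }}]}}


def build_payload():
    """Full body to POST to /api/mo/uni/tn-<TENANT>.json."""
    children = [filter_mo(f"deny-{n}", p) for n, p in BLOCKED.items()]
    children.append(taboo_mo("no-insecure", [f"deny-{n}" for n in BLOCKED]))
    children.append(epg_protected_by("no-insecure"))
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": children}}


def taboo_dports(payload):
    """(prot, dFromPort, dToPort) of every filter entry a taboo references."""
    kids = payload["fvTenant"]["children"]
    filters = {c["vzFilter"]["attributes"]["name"]: c["vzFilter"]["children"]
               for c in kids if "vzFilter" in c}
    ranges = []
    for c in kids:
        if "vzTaboo" not in c:
            continue
        for subj in c["vzTaboo"]["children"]:
            for rule in subj["vzTSubj"]["children"]:
                fname = rule["vzRsDenyRule"]["attributes"]["tnVzFilterName"]
                for e in filters[fname]:
                    a = e["vzEntry"]["attributes"]
                    ranges.append((a["prot"], int(a["dFromPort"]), int(a["dToPort"])))
    return ranges


def verdict(proto, dport, payload, permitted):
    """Simplified lookup order for a flow leaving/entering the EPG:
    taboo deny first, then the regular contract's permits, else implicit deny.
    `permitted` is the set of (proto, dport) a regular contract would allow."""
    for p, lo, hi in taboo_dports(payload):
        if p == proto and lo <= dport <= hi:
            return "drop (taboo)"
    if (proto, dport) in permitted:
        return "permit"
    return "drop (implicit deny)"


if __name__ == "__main__":
    payload = build_payload()
    print(json.dumps(payload, indent=2))
    allowed = {("tcp", 80), ("tcp", 443)}   # a regular contract that permits HTTP too
    for port in (80, 443, 22):
        print(port, verdict("tcp", port, payload, allowed))
```

The interesting line is port 80: the regular contract permits it, yet the verdict is a taboo drop, which is exactly the precedence the post describes. Because fvRsProtBy has no consumer/provider side, that drop applies to HTTP towards every peer EPG, which is why a taboo filter should be as narrow as the intent allows.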
⚠️ Best Practices & Cautions
- Cisco's own guidance is to use taboo contracts sparingly. It is usually better to design your standard contracts carefully so they permit only the desired traffic, and in newer ACI releases (3.2 and later) a regular contract subject can carry a deny action with a priority, which covers most of the cases a taboo contract was once needed for.
- Taboo contracts add complexity and can cause unintended traffic drops: because the taboo is attached to the whole EPG rather than to one EPG pair, an overly broad filter blocks that traffic towards every peer EPG, not just the one you had in mind. Enable the log directive when you first apply one so unexpected drops are visible.