Showing posts with label Taboo Contract. Show all posts
Showing posts with label Taboo Contract. Show all posts

Monday, 18 August 2025

Taboo vs vzAny Contract

 

AspectTaboo ContractvzAny Contract
PurposeUsed to explicitly deny certain types of traffic for an EPGUsed to apply contracts to all EPGs within a VRF in a simplified manner
FunctionalityActs as a deny filter for specific traffic (e.g., block port 80 or 23)Acts as a wildcard to apply contracts to all EPGs in a VRF
Application ScopeApplied to individual EPGs to block trafficApplied to entire VRF, affecting all EPGs within it
Use CasePrevent specific traffic types (e.g., cleartext communication)Enable free intra-VRF communication or many-to-one service consumption
Configuration ComplexityRequires manual filter creation and careful applicationSimplifies configuration by automating contract relationships
TCAM UsageMay consume more TCAM entries depending on filter granularityOptimizes TCAM usage by reducing entries to a single group-level contract
Best PracticesGenerally discouraged unless absolutely necessary
Recommended for efficient policy management in large-scale environments
LimitationsNot suitable for inter-EPG communication controlMust follow strict guidelines to avoid unintended traffic leaks
Posted by at No comments:
Labels: , , , ,

Sunday, 17 August 2025

What is a Taboo Contract?

 In Cisco ACI (Application Centric Infrastructure), a taboo contract is a special type of contract used to explicitly deny specific types of traffic between endpoint groups (EPGs), even if other contracts would otherwise allow it.

🔍 What is a Taboo Contract?

  • Purpose: Taboo contracts are designed to block traffic that matches certain filters. They override any other contracts that might permit that traffic.
  • Application: Unlike standard contracts which are applied between EPGs (one consuming and one providing), taboo contracts are applied to an entire EPG. This means they affect all traffic originating from or destined to that EPG 
  • Use Case: For example, if you want to ensure that an EPG never uses insecure protocols like HTTP (port 80) or Telnet (port 23), you can apply a taboo contract with filters for those ports 

🛑 Key Characteristics

  • Deny Action: Taboo contracts only support the "deny" action. They are used to block traffic, not to permit it.
  • Logging: Optionally, taboo contracts can also log the denied traffic for auditing or troubleshooting purposes 
  • Priority: They take precedence over regular contracts. If a packet matches a taboo filter, it is dropped—even if a regular contract would otherwise allow it 

⚠️ Best Practices & Cautions

  • Many experts recommend avoiding taboo contracts unless absolutely necessary. Instead, it's often better to design your standard contracts carefully to only permit the desired traffic 
  • Taboo contracts can add complexity and may lead to unintended traffic drops if not managed properly

 

Posted by at No comments:
Labels: , ,
Subscribe to: Comments (Atom)