| Purpose | Used to explicitly deny certain types of traffic for an EPG | Used to apply contracts to all EPGs within a VRF in a simplified manner |
| Functionality | Acts as a deny filter for specific traffic (e.g., block port 80 or 23) | Acts as a wildcard to apply contracts to all EPGs in a VRF |
| Application Scope | Applied to individual EPGs to block traffic | Applied to the entire VRF, affecting all EPGs within it |
| Use Case | Prevent specific traffic types (e.g., cleartext communication) | Enable free intra-VRF communication or many-to-one service consumption |
| Configuration Complexity | Requires manual filter creation and careful application | Simplifies configuration by automating contract relationships |
| TCAM Usage | May consume more TCAM entries depending on filter granularity | Optimizes TCAM usage by reducing entries to a single group-level contract |
| Best Practices | Generally discouraged unless absolutely necessary | Recommended for efficient policy management in large-scale environments |
| Limitations | Not suitable for inter-EPG communication control | Must follow strict guidelines to avoid unintended traffic leaks |