Why Service Graphs Matter in Cisco ACI — Complete Guide with Configuration Examples

 If you have worked with Cisco ACI for any length of time, you have almost certainly heard the term Service Graph. Many engineers treat it as an advanced topic they will "get to later." In reality, Service Graphs are one of the most powerful and most misunderstood features in ACI — and ignoring them means you are missing the core value of ACI's policy-driven architecture.

This guide explains what Service Graphs are, why they exist, how they work under the hood, and how to configure them step by step. It is written from real production experience, not from a lab that has never seen a firewall.

Table of Contents

1. What is a Service Graph in Cisco ACI?
2. Why Service Graphs Matter
3. How Service Graphs Work
4. Key Components Explained
5. Go-To, Go-Through, and One-Arm Mode
6. Step-by-Step Configuration
7. Real-World Use Cases
8. Common Mistakes to Avoid
9. Interview Questions and Answers
10. Final Summary

1. What is a Service Graph in Cisco ACI?

A Service Graph in Cisco ACI is a policy construct that defines how traffic between two Endpoint Groups (EPGs) should be redirected through one or more network service devices — such as a firewall, load balancer, or intrusion prevention system — before reaching its destination.

Without a Service Graph, traffic between two EPGs is controlled only by ACI Contracts. A Contract can allow or deny traffic, but it has no concept of routing that traffic through a third device. A Service Graph fills exactly that gap.

Simple definition: A Service Graph tells ACI — "before you allow this traffic from EPG A to EPG B, send it through this firewall and this load balancer first."

The Service Graph is attached to a Contract. When a Contract with a Service Graph is applied between two EPGs, ACI automatically stitches the traffic flow through the defined service devices using its internal policy engine — without requiring manual static routing changes on every device in the fabric.

2. Why Service Graphs Matter

In traditional data center networking, inserting a firewall or load balancer into a traffic path requires careful planning of VLANs, routing, and physical cabling. When topologies change, you update routing tables, reconfigure VLANs, and sometimes repatch cables. This is slow, error-prone, and does not scale.

Cisco ACI was designed to solve this problem through policy automation. Service Graphs are the mechanism that makes service insertion dynamic and repeatable. Here is why they matter:

a) Policy-Driven Service Insertion

Instead of manually routing traffic through a firewall, you define a Service Graph that says "all traffic matching this Contract must pass through this firewall." ACI handles the forwarding automatically. When the policy changes, ACI updates the fabric — not the engineer.

b) No Manual VLAN Management

Service Graphs automate the VLAN stitching between the ACI fabric and the service device. ACI allocates encapsulation VLANs dynamically based on the graph configuration. This removes one of the most common sources of human error in service chaining.

c) Reusability Across Tenants

A Service Graph template can be defined once and reused across multiple tenants and applications. You do not rebuild the same firewall insertion logic for every application. This is critical in multi-tenant environments.

d) Consistent Security Policy Enforcement

When security policy says "all traffic between the web tier and the database tier must go through the firewall," a Service Graph enforces this at the fabric level. There is no way for traffic to bypass the service device — the fabric simply will not forward it any other way.

e) Integration with Third-Party Devices

ACI supports Service Graphs for both Cisco and third-party service devices. Cisco provides device packages for vendors like Palo Alto, F5, Citrix, and ASA. These device packages allow ACI to programmatically configure the service device as part of graph deployment.

Bottom line: Service Graphs turn what was once a complex, manual, error-prone process into a repeatable policy that ACI enforces automatically across the fabric.

3. How Service Graphs Work

Understanding how Service Graphs work requires understanding the traffic flow before and after graph insertion.

Without a Service Graph

Traffic from EPG-Web to EPG-DB is governed by a Contract. If the Contract permits port 1521 (Oracle), traffic flows directly across the ACI fabric from leaf to leaf. There is no third device involved.

With a Service Graph

When a Service Graph is attached to the same Contract, ACI intercepts the traffic flow and redirects it through the defined service node — for example, a firewall — before delivering it to EPG-DB. The firewall inspects the traffic, applies its own security policies, and either forwards or drops the connection.

ACI accomplishes this redirection using Policy-Based Redirect (PBR) at the leaf switches. The leaf where EPG-Web is connected sees the traffic, matches it against the Service Graph policy, and forwards it to the firewall's interface instead of directly to the destination leaf. After the firewall processes the traffic, it forwards it back into the fabric, which then delivers it to EPG-DB.

Key insight: The service device does not need to be physically inline between the source and destination. ACI uses PBR at the leaf layer to logically redirect traffic to the service device regardless of physical position.

4. Key Components of a Service Graph

Before configuring a Service Graph, you must understand the objects involved. Each has a specific role.

Component	What It Is	Where It Lives
L4-L7 Device	The actual service device (firewall, load balancer). Defines interfaces, VLANs, and connectivity to the fabric.	Tenant or Common Tenant
Service Graph Template	Defines which service devices are in the chain and their order. Reusable across applications.	Tenant
Device Selection Policy	Binds a specific L4-L7 Device to a Service Graph Template. Maps logical interfaces to physical/virtual device interfaces.	Tenant
Contract with Graph	The Contract that triggers the Service Graph when applied between two EPGs.	Tenant
Function Node	Represents one service device inside a Service Graph Template. A graph can have multiple function nodes (e.g., firewall → load balancer).	Inside the Graph Template
Connector	The interface connection on a function node. Each node has a consumer connector (traffic coming in) and a provider connector (traffic going out).	Inside the Graph Template
Bridge Domain (BD)	Each connector on the service device is placed in a Bridge Domain, providing Layer 2 stitching between the fabric and the device.	Tenant

5. Go-To, Go-Through, and One-Arm Mode

Cisco ACI Service Graphs support three insertion modes. Choosing the wrong mode is one of the most common mistakes in production deployments.

Go-Through Mode (Most Common)

The service device has two logical interfaces — one on the consumer side and one on the provider side. Traffic enters through the consumer interface, is processed by the device, and exits through the provider interface. This is used for firewalls in routed or transparent mode.

Go-To Mode

Traffic is redirected to the service device, which then forwards it directly to the destination without returning through the ACI fabric on a separate interface. This is less common and is used for specific routing scenarios.

One-Arm Mode

The service device has a single interface connected to the fabric. Both inbound and outbound traffic use the same interface. This is the standard mode for load balancers, where the load balancer receives traffic and sends the response back through the same interface.

Mode	Interfaces	Typical Use Case
Go-Through	Two (consumer + provider)	Firewall (routed or transparent)
Go-To	One (provider only)	Specific routing edge cases
One-Arm	One (shared)	Load balancer (F5, Citrix)

6. Step-by-Step Configuration — Firewall Service Graph

The following steps walk through configuring a Service Graph for a firewall in Go-Through mode. The scenario is: all traffic from EPG-Web to EPG-App must pass through an ASA firewall.

Step 1 — Create Bridge Domains for Service Device Interfaces

Create two Bridge Domains: one for the consumer side (facing EPG-Web) and one for the provider side (facing EPG-App). Do not enable Unicast Routing on these BDs unless the firewall is routing traffic.

# APIC GUI Path:
Tenant → Networking → Bridge Domains → Create Bridge Domain

# BD 1: Consumer side
Name:      BD-FW-Consumer
L2 Only:   Yes (no IP gateway needed for transparent mode)

# BD 2: Provider side
Name:      BD-FW-Provider
L2 Only:   Yes

Step 2 — Create the L4-L7 Device

Define the physical or virtual service device and its interfaces.

# APIC GUI Path:
Tenant → L4-L7 Services → L4-L7 Devices → Create L4-L7 Device

Name:            FW-ASA-01
Service Type:   Firewall
Device Type:    Physical
VMM Domain:     (leave blank for physical)

# Add Concrete Interfaces:
Interface 1:    consumer  → maps to leaf port connected to FW inside int
Interface 2:    provider  → maps to leaf port connected to FW outside int

Step 3 — Create the Service Graph Template

Build the graph template and define the function node.

# APIC GUI Path:
Tenant → L4-L7 Services → L4-L7 Service Graph Templates → Create

Name:              SGT-Firewall
Graph Type:       L4-L7 Services

# Drag the device into the graph canvas:
Function Node:    FW-ASA-01
Function Type:    GoThrough
Managed:          No (unless using device package for auto-config)

# Connect Consumer EPG → FW Consumer Interface → FW Provider Interface → Provider EPG

Step 4 — Create the Device Selection Policy

This binds the graph template to the actual device and maps connectors to Bridge Domains.

# APIC GUI Path:
Tenant → L4-L7 Services → L4-L7 Policy-Based Redirect → Device Selection Policies

Name:                    DSP-SGT-Firewall
Service Graph:          SGT-Firewall
Node:                    FW-ASA-01

# Map connectors to Bridge Domains:
Consumer Connector:     BD-FW-Consumer
Provider Connector:     BD-FW-Provider

Step 5 — Apply the Graph to a Contract

Attach the Service Graph Template to the Contract that governs traffic between your EPGs.

# APIC GUI Path:
Tenant → Contracts → [Your Contract] → Service Graph

Service Graph:           SGT-Firewall
Device Selection Policy: DSP-SGT-Firewall

Step 6 — Verify the Service Graph is Deployed

# APIC GUI — Check deployment state:
Tenant → L4-L7 Services → Deployed Graph Instances

# Look for:
State:    deployed    (not "failed" or "incomplete")

# CLI verification on leaf switch:
show zoning-rule scope <vrf-vnid>
show pbr policy

# Confirm PBR redirect entries are programmed:
show endpoint

Deployment confirmed when: The graph shows state "deployed", the leaf has PBR entries for the relevant traffic, and traffic between EPG-Web and EPG-App is visible in the firewall logs.

7. Real-World Use Cases

Use Case 1 — Web to App Tier Firewall

The most common use case. All traffic from the web tier EPG to the application tier EPG passes through an ASA or Palo Alto firewall. The firewall enforces stateful inspection and blocks unauthorized ports. Without a Service Graph, this requires complex routing. With a Service Graph, it is a policy decision.

Use Case 2 — Load Balancer for Application Tier

An F5 BIG-IP or Citrix ADC is deployed in one-arm mode. The Service Graph redirects traffic destined for the virtual IP of the application to the load balancer, which then distributes the load across multiple application servers. ACI handles the VLAN stitching automatically.

Use Case 3 — Chained Services (Firewall + Load Balancer)

A single Service Graph can chain multiple service devices. Traffic flows from the web EPG → through the firewall → then through the load balancer → then to the app EPG. Each device is a separate function node in the same graph template. This is service chaining at its most powerful.

Use Case 4 — Shared Services in Common Tenant

A company runs one shared firewall for all tenants. The L4-L7 Device is defined in the Common Tenant and referenced by Service Graphs in each individual tenant. This avoids duplicating device configuration and allows centralized firewall management.

8. Common Mistakes to Avoid

Mistake	Impact	Correct Approach
Enabling unicast routing on service device BDs when firewall is in transparent mode	Traffic routing bypasses the firewall	Disable unicast routing on BDs for transparent mode firewalls
Wrong function type (Go-To vs Go-Through)	Graph deploys but traffic is not redirected correctly	Match function type to the device's network mode
Not mapping connectors to correct Bridge Domains	Graph deployment fails or traffic loops	Carefully map consumer/provider connectors to separate BDs
Applying graph to wrong Contract direction	Only one-way traffic goes through the service device	Apply graph to the Contract, not just a filter — it applies bidirectionally
Using a managed graph without a device package	Deployment fails with "device package missing" fault	Use unmanaged mode unless you have the correct device package installed
Missing PBR redirect policy on leaf	Graph shows deployed but traffic goes direct	Verify PBR entries with show pbr policy on the leaf

9. Interview Questions and Answers

Q: What is the difference between a Contract and a Service Graph?

A Contract defines whether traffic is allowed or denied. A Service Graph defines the path that traffic must take when it is allowed — through which service devices and in which order. A Service Graph is always attached to a Contract.

Q: Can a Service Graph be reused across multiple Contracts?

Yes. A Service Graph Template is reusable. You can attach the same template to multiple Contracts using separate Device Selection Policies. This is one of the key advantages of the template-based approach.

Q: What is the role of Bridge Domains in a Service Graph?

Bridge Domains provide the Layer 2 stitching between the ACI fabric and the service device interfaces. Each connector on a function node is associated with a Bridge Domain. This allows ACI to extend the fabric logically to the service device without requiring additional physical VLANs to be manually configured on every leaf.

Q: What happens if a Service Graph deployment fails?

The graph enters a "failed" or "incomplete" state. Traffic between the EPGs may be dropped entirely or may bypass the service device depending on the contract configuration. Check faults on the graph instance in APIC and verify connector-to-BD mapping, device package availability, and PBR entries on the leaf.

Q: What is the difference between managed and unmanaged Service Graphs?

In an unmanaged graph, ACI handles only the fabric-side stitching. The service device (firewall, load balancer) must be configured manually. In a managed graph, ACI uses a device package to automatically push configuration to the service device as part of graph deployment. Managed graphs require the correct vendor device package to be installed in APIC.

Q: Can a Service Graph have more than one function node?

Yes. A graph can chain multiple function nodes — for example, a firewall followed by a load balancer. Traffic is redirected through each node in sequence. This is called service chaining.

Q: Where should the L4-L7 Device be defined for a shared firewall used by multiple tenants?

In the Common Tenant. Devices defined in the Common Tenant can be referenced by Service Graphs in any user tenant, enabling a single shared device to serve multiple tenants without duplication.

10. Final Summary

Key Takeaways

• A Service Graph defines the path traffic must take between two EPGs — through firewalls, load balancers, or other service devices
• Service Graphs are attached to Contracts — the Contract permits or denies traffic, the graph defines the path
• ACI uses Policy-Based Redirect (PBR) at the leaf layer to redirect traffic to service devices without requiring inline physical placement
• Choose the correct insertion mode — Go-Through for firewalls, One-Arm for load balancers
• Service Graph Templates are reusable — define once, apply to many applications
• Shared service devices belong in the Common Tenant for multi-tenant environments
• Always verify deployment state in APIC and PBR entries on the leaf after configuring a graph

Service Graphs are one of the features that truly differentiate Cisco ACI from traditional networking. Once you understand them, you realize they eliminate entire categories of operational complexity that have existed in data centers for decades. If you are preparing for a CCIE DC exam or a senior ACI role, mastering Service Graphs is non-negotiable.

Have questions about Service Graphs in your environment? Drop a comment below or reach out at rockingoa@gmail.com — I am available for Cisco ACI and Nexus consulting and freelancing work.

Cisco ACI Service Graph L4-L7 Services Data Center ACI Configuration CCIE DC Network Security Policy-Based Redirect

NL

Networklearner

CCIE Data Center certified engineer with 18+ years of experience in enterprise and data center networking. Specializes in Cisco ACI, Nexus, and data center design. Available for consulting and freelancing.

📧 rockingoa@gmail.com

Related Posts

• Cisco ACI Decommission Only vs Remove vs Secure Remove Explained
• Cisco ACI Leaf Node ID Swap on vPC Pairs — Risks and Steps
• How to Safely Decommission a Leaf Switch in Cisco ACI

Cisco ACI Taboo Contract vs vzAny Contract: Complete Guide with Configuration Examples

If you've been working with Cisco ACI contracts and wondering when to use a Taboo Contract versus a vzAny Contract, you're not alone. These two policy constructs are among the most misunderstood concepts in ACI — and using the wrong one in a production environment can lead to unexpected traffic flows, TCAM exhaustion, or even serious security gaps.

In this guide, I'll break down both contract types from the ground up, explain exactly when to use each one, walk through configuration steps in APIC, and share real-world lessons from 10 years of deploying and troubleshooting Cisco ACI and Nexus environments (CCIE DC #XXXXX).

Table of Contents

1. What are ACI Contracts?
2. What is a Taboo Contract?
3. What is a vzAny Contract?
4. Taboo vs vzAny: Full Comparison Table
5. Configuring a Taboo Contract in APIC
6. Configuring vzAny in APIC
7. TCAM Impact: What You Need to Know
8. Real-World Use Cases
9. Which One Should You Choose?
10. Common Mistakes to Avoid
11. FAQ

1. What are ACI Contracts?

Before diving into Taboo and vzAny, it's worth quickly grounding ourselves in ACI's policy model. In Cisco ACI, contracts are the mechanism that controls traffic between Endpoint Groups (EPGs). By default, ACI operates on an implicit-deny model — no traffic flows between EPGs unless a contract explicitly permits it.

A standard ACI contract consists of:

• Subjects — a grouping of filters applied to a traffic flow
• Filters — define the traffic (protocol, port, direction)
• Provider EPG — the EPG offering the service
• Consumer EPG — the EPG consuming the service

Taboo Contracts and vzAny Contracts are special variations of this model that serve very different purposes — one is designed to deny traffic, and the other to simplify large-scale policy across an entire VRF.

2. What is a Taboo Contract?

A Taboo Contract is a special ACI contract type used to explicitly deny specific traffic for an EPG. Think of it as a blacklist — you use it when you want to block a particular type of traffic that would otherwise be permitted by a broader "permit-all" contract or contract preferred group.

The name "Taboo" reflects its intent: traffic matched by a Taboo Contract is forbidden. It operates at the EPG level and is typically used alongside other contracts that permit broader access.

Key characteristics of Taboo Contracts:

• Applied directly to an EPG (not a VRF)
• Works as a deny override — takes precedence over permit contracts
• Requires manually creating filters for the traffic you want to block (e.g., TCP port 23 for Telnet, TCP port 80 for HTTP)
• Generates TCAM entries per filter — the more granular your filters, the more TCAM it consumes
• Cisco generally discourages Taboo Contracts unless absolutely necessary, because misconfiguration can cause unintended outages

Important: Taboo Contracts were designed for specific use cases — primarily to block cleartext or insecure protocols (Telnet, FTP, HTTP) when a broader permit contract is already in place. They are not a general-purpose security tool and should be used sparingly.

Typical Taboo Contract use case:

Imagine your security policy mandates that no EPG should ever communicate over Telnet (TCP 23) or unencrypted HTTP (TCP 80), even if a broader "permit-all" contract exists. Rather than modifying every single contract across your fabric, you apply a Taboo Contract directly to the EPGs in question, creating a deny entry that overrides any existing permits for those specific ports.

3. What is a vzAny Contract?

vzAny is a special managed object in Cisco ACI that represents all EPGs within a VRF. When you associate a contract with vzAny, that contract automatically applies to every EPG in that VRF — both as a provider and as a consumer simultaneously.

In practical terms, vzAny is ACI's way of saying "apply this policy to everything in this VRF at once." It is the most efficient way to enable intra-VRF communication or to apply a common policy across a large number of EPGs without creating individual contract relationships for every pair.

Key characteristics of vzAny:

• Operates at the VRF level — affects all EPGs inside that VRF
• Acts as both provider and consumer simultaneously, creating a "wildcard" relationship
• Dramatically reduces the number of contract relationships needed in large environments
• Optimises TCAM — instead of n² contract entries for n EPGs, vzAny creates a single group-level entry
• Must be used carefully in multi-tenant environments to avoid unintended traffic leaks between tenants
• Recommended for large-scale deployments where many EPGs need common policy

Pro tip: vzAny is especially powerful when combined with the "prefer" option for intra-EPG isolation. You can allow broad intra-VRF communication via vzAny while still enforcing stricter policies between specific EPGs using targeted contracts.

Typical vzAny use case:

In a large enterprise environment with 50+ EPGs across a VRF, you want all EPGs to communicate freely with a shared set of services (DNS, NTP, monitoring). Without vzAny, you'd need to create individual provider/consumer relationships for every EPG — that's potentially hundreds of contract associations. With vzAny, you create one contract, associate it with vzAny as the consumer, and the shared-service EPG as the provider. Done.

4. Taboo vs vzAny: Full Comparison Table

Aspect	Taboo Contract	vzAny Contract
Primary Purpose	Explicitly deny specific traffic types for an EPG	Apply contracts to all EPGs within a VRF simultaneously
How It Works	Acts as a deny filter — overrides permit contracts for matched traffic	Acts as a wildcard — represents every EPG in the VRF as both provider and consumer
Scope of Application	Individual EPG level	Entire VRF level — all EPGs inside it
Primary Use Case	Block insecure protocols (Telnet, FTP, HTTP) or specific ports	Enable free intra-VRF communication or simplify many-to-one service consumption
Configuration Complexity	Higher — requires manual filter creation per protocol/port to deny	Lower — one contract association covers all EPGs automatically
TCAM Usage	Can be high — each filter creates additional TCAM entries per leaf	Optimised — single group-level entry significantly reduces TCAM consumption
Traffic Direction Impact	Affects only the specific EPG it is applied to	Affects all EPGs in the VRF — bidirectional impact
Multi-tenant Safety	Safe — scoped to specific EPG	Risky if misconfigured — can cause unintended cross-tenant traffic leaks
Best Practice	Use sparingly — only when a specific deny is required and cannot be achieved by restructuring contracts	Recommended for large-scale environments with shared services or open intra-VRF communication needs
Cisco Recommendation	Generally discouraged unless absolutely necessary	Recommended for efficient policy management at scale
Interaction with Other Contracts	Overrides permit contracts — deny takes precedence	Works alongside EPG-specific contracts — EPG contracts take precedence where defined
Limitations	Not suitable for inter-EPG communication control at scale; increases TCAM pressure	Must follow strict guidelines to avoid unintended traffic leaks across EPGs or tenants

5. Configuring a Taboo Contract in APIC

Here's a step-by-step walkthrough of configuring a Taboo Contract to block Telnet (TCP 23) traffic from an EPG:

Step 1 — Create the Filter

1. In APIC, navigate to Tenants → [Your Tenant] → Contracts → Filters
2. Right-click Filters and select Create Filter
3. Name it something descriptive: deny-telnet-filter
4. Add a Filter Entry:
• Name: block-tcp-23
• EtherType: IP
• IP Protocol: TCP
• Destination Port From: 23
• Destination Port To: 23
5. Click Submit

Step 2 — Create the Taboo Contract

1. Navigate to Tenants → [Your Tenant] → Contracts → Taboo Contracts
2. Right-click and select Create Taboo Contract
3. Name it: block-insecure-protocols
4. Under Subjects, add a Subject:
• Name: deny-telnet
• Associate the filter: deny-telnet-filter
5. Click Submit

Step 3 — Apply the Taboo Contract to an EPG

1. Navigate to Tenants → [Your Tenant] → Application Profiles → [Your AP] → [Your EPG]
2. Under the EPG, find Taboo Contracts
3. Right-click and select Add Taboo Contract
4. Select block-insecure-protocols
5. Click Submit

Caution: Always verify the Taboo Contract is working as expected in a lab or lower environment before applying it to production EPGs. Use the APIC Troubleshoot → Traffic Map tool or show zoning-rule on the leaf switches to confirm the deny rules are programmed correctly.

6. Configuring vzAny in APIC

Here's how to configure vzAny to allow all EPGs within a VRF to consume a shared DNS service:

Step 1 — Create the Contract (standard contract, not Taboo)

1. Navigate to Tenants → [Your Tenant] → Contracts
2. Right-click and select Create Contract
3. Name it: shared-dns-contract
4. Add a Subject with a filter permitting UDP port 53
5. Click Submit

Step 2 — Set the DNS EPG as Provider

1. Navigate to your DNS EPG
2. Under Provided Contracts, add shared-dns-contract

Step 3 — Associate vzAny as Consumer

1. Navigate to Tenants → [Your Tenant] → Networking → VRFs → [Your VRF]
2. Click on the VRF and find the EPG Collection for VRF (vzAny) section
3. Under Consumed Contracts, add shared-dns-contract
4. Click Submit

With this configuration, every EPG inside the VRF automatically becomes a consumer of the DNS service — no individual contract relationships needed.

# REST API call to associate contract with vzAny { "vzAny": { "attributes": { "dn": "uni/tn-MyTenant/ctx-MyVRF/any", "prefGrMemb": "disabled" }, "children": [{ "vzRsAnyToCons": { "attributes": { "tnVzBrCPName": "shared-dns-contract" } } }] } }

7. TCAM Impact: What You Need to Know

TCAM (Ternary Content Addressable Memory) is one of the most critical hardware resources in ACI leaf switches. Running out of TCAM space causes contract rules to fail to program, which means traffic silently drops. Understanding how Taboo and vzAny affect TCAM is essential for any production deployment.

Taboo Contract — TCAM behaviour:

• Each filter entry in a Taboo Contract creates a separate TCAM entry per EPG per leaf where that EPG has endpoints
• If you have granular filters (e.g., blocking 10 different ports), you get 10 TCAM entries per EPG per leaf
• In large fabrics with many EPGs and many leaves, Taboo Contracts can consume TCAM rapidly
• Always check leaf TCAM utilisation with: show system internal eltmc info policy brief

vzAny — TCAM behaviour:

• vzAny uses a group-level TCAM entry instead of per-EPG entries
• Instead of creating N entries for N EPGs in the VRF, vzAny creates a single entry representing the entire VRF class
• This makes vzAny dramatically more TCAM-efficient in environments with many EPGs
• The trade-off is less granular control — you cannot easily apply vzAny selectively to only some EPGs

TCAM rule of thumb: If you have more than 20 EPGs in a VRF and need a common policy, vzAny will almost always be more TCAM-efficient than individual contracts or Taboo Contracts applied per EPG.

8. Real-World Use Cases

When Taboo Contract makes sense:

• Compliance-driven blocking: Your security team mandates no Telnet or FTP anywhere, even if ops teams have existing "permit-all" contracts. A Taboo Contract enforces this without restructuring all existing policies.
• Temporary traffic block during maintenance: You need to block a specific port to an EPG temporarily during an upgrade without removing the existing contract.
• Protocol enforcement: Forcing all communication to be encrypted — block HTTP (80) and enforce HTTPS (443) only for specific EPGs.

When vzAny makes sense:

• Shared services access: DNS, NTP, syslog, monitoring — services that every EPG in the VRF should be able to reach.
• Development/test environments: Where you want all EPGs to communicate freely with each other without managing individual contracts.
• Large-scale deployments: 30+ EPGs that all need the same baseline policy — vzAny avoids an explosion of contract relationships.
• Migration from traditional networking: When converting a flat network to ACI and initially needing open intra-VRF communication while policy is refined.

9. Which One Should You Choose?

Your Situation	Recommended Choice
Need to block a specific port or protocol for one or a few EPGs	Taboo Contract
Need all EPGs in a VRF to access a shared service (DNS, NTP, monitoring)	vzAny (consumer) + standard contract
Want open communication between all EPGs in a VRF (dev/test)	vzAny with permit-all contract
Concerned about TCAM exhaustion with many EPGs	vzAny — always more TCAM-efficient at scale
Need to enforce a security deny that overrides existing permits	Taboo Contract
Multi-tenant environment needing strict isolation	Avoid vzAny — use targeted contracts per EPG
Migrating from flat network, need temporary open access	vzAny with a plan to tighten policy over time

My recommendation from the field: In 10 years of ACI deployments, the most common mistake I've seen is over-relying on Taboo Contracts as a security tool. Taboo Contracts should be your last resort — a scalpel, not a hammer. If you find yourself adding many Taboo Contracts across multiple EPGs, that's usually a sign your contract design needs to be re-architected. On the other hand, vzAny is underutilised — most environments with 20+ EPGs sharing common services would benefit enormously from vzAny, yet many engineers avoid it because they don't fully understand it. Used correctly, vzAny is one of the most powerful simplification tools in the entire ACI policy model.

10. Common Mistakes to Avoid

Taboo Contract mistakes:

• Applying Taboo to the wrong EPG direction: Remember Taboo Contracts only affect the EPG they're applied to — not the EPG on the other side of the communication.
• Using Taboo instead of fixing contract design: If you need many Taboo Contracts, your underlying contract architecture probably needs to be redesigned.
• Not testing in a lab first: A misconfigured Taboo Contract can block legitimate traffic and cause outages. Always validate with traffic tests before production rollout.
• Ignoring TCAM utilisation: Adding many granular Taboo filters across many EPGs can silently exhaust TCAM and cause rule programming failures.

vzAny mistakes:

• Using vzAny in multi-tenant environments without careful scoping: If your VRF spans multiple tenants, vzAny can unintentionally allow cross-tenant traffic. Always scope VRFs carefully before applying vzAny.
• Applying vzAny with permit-all in production: Fine for dev/test, but dangerous in production. Always use vzAny with a specific contract that permits only required traffic.
• Forgetting that vzAny affects endpoint discovery too: vzAny contracts can affect how COOP (Council of Oracle Protocol) handles endpoint learning. Test thoroughly after applying vzAny changes.

11. Frequently Asked Questions

Can I use Taboo Contract and vzAny together?

Yes. A common pattern is to use vzAny to allow broad intra-VRF communication, and then apply a Taboo Contract to specific EPGs to block particular protocols within that open policy. The Taboo deny takes precedence over the vzAny permit for the matched traffic.

Does vzAny work with the Contract Preferred Group?

Yes, but with important caveats. When Contract Preferred Group is enabled on a VRF, EPGs within the preferred group communicate freely without contracts. vzAny can still be used alongside preferred groups to apply contracts to EPGs outside the preferred group. See our post on Contract Preferred Groups in ACI for more detail.

What happens to TCAM if I apply both Taboo and vzAny?

The vzAny entry remains efficient (group-level). The Taboo Contract adds per-EPG entries only for the specific EPGs it is applied to. As long as you keep Taboo Contracts minimal and targeted, the TCAM impact remains manageable.

Can vzAny be used as a provider instead of a consumer?

Yes. vzAny can be configured as a provider, consumer, or both. When used as a provider, all EPGs in the VRF provide the contract — useful for making all EPGs accessible to a specific external consumer (like a monitoring system) without configuring each EPG individually.

How do I verify Taboo Contract rules are programmed on the leaf?

SSH to the leaf switch and run:

leaf# show zoning-rule scope [vrf-vnid] # Look for entries with action "deny" — these are your Taboo Contract rules # Also check: show system internal policy-mgr stats

Summary

Key takeaways

• Taboo Contract = EPG-level explicit deny. Use it sparingly to block specific protocols. Increases TCAM consumption per EPG.
• vzAny = VRF-level wildcard. Use it to apply contracts to all EPGs at once. Much more TCAM-efficient at scale.
• They can be used together — vzAny for broad policy, Taboo for specific overrides.
• In multi-tenant environments, use vzAny with caution to avoid cross-tenant traffic leaks.
• If you find yourself creating many Taboo Contracts, it's time to redesign your contract architecture.