Cisco ACI VzAny Contract Explained – Any EPG
In the Cisco ACI fabric, EPGs can only communicate with other EPGs according to contract rules. A relationship between an EPG and a contract specifies whether the EPG provides the communications defined by the contract rules, consumes them, or both.
By dynamically applying contract rules to all EPGs in a VRF,
vzAny automates the process of configuring EPG contract relationships. Whenever a new EPG is added to a VRF, vzAny contract rules automatically apply.
What is Any EPG ACI:
The “Any” Endpoint Group, is a collection of all of the EPGs that allows for a shorthand way to refer to all of the EPGs within that VRF. This shorthand referral eases management by allowing for a single point of contract configuration for all EPGs within a VRF, and also optimizes hardware resource consumption by applying the contract to this one group rather than each EPG individually.
In other words, if one has 1000 EPGs that are all part of the same VRF/VRF/private network, you can apply the contract(s) to this one vzAny group under the VRF, rather than on each EPG.
How vzAny Works
The following scenarios illustrate how vzAny works:
vzAnyis the consumer and one EPG is the provider
vzAnyis the provider and one EPG is the consumer
vzAnyis the provider and the consumer
In latest versions, VzAny works with ESG as well.
Configuration in GUI:
To configure vzAny, navigate to Tenants > tenant-name > Networking > VRFs > vrf-name > EPG Collection for VRF.
Here all EPGs under the EPG provide contract A, (because the VRF provides it) but only EPG MGMT consumes it. Let’s assume contract permitted SSH, and the customer wants to initiate SSH from devices in MGMT to any other device in the VRF.
Provide the contract on the VRF using vzAny, and consume it on the one EPG where the SSH will be initiated from. In essence EPG MGMT also provides contract A, but unless some other EPG consumes it, only devices in EPG MGMT can open SSH.
What users should not do when using vzAny collection of EPGs, is configure it for both provider and consumer of the common/default contract. More specific contract filter rules should be used when deploying contracts via the vzAny option.
The previous combination is not supported and could lead to a intermittent connectivity issues.