An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?
- A
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
Why wrong: vzAny represents every EPG in the VRF. Consuming and providing the contract through vzAny would permit TCP 8080 between all EPGs in the VRF, not just from web_EPG to app_EPG.
- B
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
Why wrong: in ACI the consumer EPG initiates connections toward the provider EPG, so with app_EPG as consumer and web_EPG as provider the filter permits app to web on TCP 8080, not web to app. The web-to-app request would only match if the subject were also applied in the reverse direction.
- C
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
Correct (as keyed): the tcp_8080 filter restricts the match to TCP port 8080, and applying the subject in both directions means the web to app request is matched even though the provider and consumer roles are reversed. Caveat for practice: the EPG that initiates the connection is the consumer and the EPG that offers the service is the provider, so the conventional configuration is app_EPG as provider and web_EPG as consumer; with that assignment the subject's default settings (Apply Both Directions with Reverse Filter Ports) permit the request and its TCP reply while the fabric's implicit deny blocks everything else, including app to web on 8080.
- D
Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.
Why wrong: the 'ip' filter matches every IP protocol and port, so all IP traffic between the two EPGs would be permitted, not just TCP 8080.
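To make the reasoning behind the options checkable, here is a toy model of ACI contract enforcement, added as an example and not taken from the page or from Cisco. It does not talk to an APIC; it evaluates each option's contract against a few constructed flows. The semantics it assumes are simplified: a filter is enforced from consumer to provider; Apply Both Directions also enforces it from provider to consumer; Reverse Filter Ports makes that second rule match with source and destination ports swapped (the reply); vzAny stands for every EPG in the VRF; anything unmatched is dropped. The EPG name db_EPG, the ephemeral port 51000 and the reading of option C's 'direction both' as Apply Both Directions without Reverse Filter Ports are assumptions.

```python
"""Toy model of Cisco ACI contract enforcement (illustration only, not Cisco code).
Evaluates the contract from each answer option against constructed flows."""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for protocol or port


@dataclass(frozen=True)
class Filter:
    name: str
    prot: Optional[str] = ANY   # "tcp", "udp", ... or ANY (the 'ip' filter)
    dport: Optional[int] = ANY  # destination port, or ANY

    def matches(self, prot: str, sport: int, dport: int) -> bool:
        return self.prot in (ANY, prot) and self.dport in (ANY, dport)


@dataclass(frozen=True)
class Contract:
    subject: str
    flt: Filter
    provider: str               # EPG name or "vzAny"
    consumer: str
    apply_both_directions: bool = False
    reverse_filter_ports: bool = False


def _role_matches(role: str, epg: str) -> bool:
    return role == "vzAny" or role == epg


def permits(c: Contract, src: str, dst: str, prot: str, sport: int, dport: int) -> bool:
    """Would the fabric forward this packet under contract c? (assumed semantics)"""
    cons_to_prov = _role_matches(c.consumer, src) and _role_matches(c.provider, dst)
    prov_to_cons = _role_matches(c.provider, src) and _role_matches(c.consumer, dst)
    # Rule 1: the filter as written, consumer -> provider.
    if cons_to_prov and c.flt.matches(prot, sport, dport):
        return True
    # Rule 2 (only with Apply Both Directions): provider -> consumer, with the
    # filter ports swapped when Reverse Filter Ports is set (i.e. reply traffic).
    if c.apply_both_directions and prov_to_cons:
        if c.reverse_filter_ports:
            return c.flt.matches(prot, dport, sport)
        return c.flt.matches(prot, sport, dport)
    return False  # implicit deny


# Constructed probe flows: the requirement, its TCP reply, and flows that must stay denied.
PROBES = {
    "web->app tcp/8080": ("web_EPG", "app_EPG", "tcp", 51000, 8080),
    "app->web reply":    ("app_EPG", "web_EPG", "tcp", 8080, 51000),
    "app->web tcp/8080": ("app_EPG", "web_EPG", "tcp", 51000, 8080),
    "web->app tcp/22":   ("web_EPG", "app_EPG", "tcp", 51000, 22),
    "db->app tcp/8080":  ("db_EPG", "app_EPG", "tcp", 51000, 8080),  # db_EPG is assumed
}
REQUIRED = {"web->app tcp/8080"}   # what the question literally asks for


def evaluate(c: Contract) -> dict:
    return {name: permits(c, *flow) for name, flow in PROBES.items()}


def verdict(c: Contract) -> tuple:
    """(meets the requirement, permits a flow that is not the requirement or its reply)"""
    res = evaluate(c)
    meets = all(res[n] for n in REQUIRED)
    over = any(v for n, v in res.items() if n not in REQUIRED | {"app->web reply"})
    return meets, over


TCP_8080 = Filter("tcp_8080", prot="tcp", dport=8080)
IP_ANY = Filter("ip")

OPTIONS = {
    # A: vzAny on both sides, APIC default subject settings assumed.
    "A": Contract("web_to_app", TCP_8080, "vzAny", "vzAny", True, True),
    # B: roles reversed, subject in one direction only (read literally).
    "B": Contract("web_to_app", TCP_8080, "web_EPG", "app_EPG"),
    # C: roles reversed, 'direction both' read as Apply Both Directions, no reverse ports.
    "C": Contract("web_to_app", TCP_8080, "web_EPG", "app_EPG", True, False),
    # D: 'ip' filter; direction not stated, APIC defaults assumed to isolate the filter's effect.
    "D": Contract("web_to_app", IP_ANY, "web_EPG", "app_EPG", True, True),
    # Conventional ACI roles: initiator (web) consumes, service (app) provides, APIC defaults.
    "conventional": Contract("web_to_app", TCP_8080, "app_EPG", "web_EPG", True, True),
}

if __name__ == "__main__":
    for label, c in OPTIONS.items():
        print(label, verdict(c), evaluate(c))
```

Running it shows A permitting db->app and app->web on 8080, B permitting only app->web, C permitting the request but also app->web on 8080 and not the reply, D permitting web->app tcp/22, and only the conventional assignment permitting exactly the request and its reply. The model is deliberately stateless, which is how ACI zoning rules behave, so the reply has to be matched by a rule of its own.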