The vzAny managed entity offers a means to link all Endpoint Groups (EPGs) within a Virtual Routing and Forwarding (VRF) instance to one or multiple contracts (vzBrCP), eliminating the need to establish individual contract relationships for each EPG.
This ensures that whenever a new EPG is introduced to a VRF, vzAny contract rules are applied automatically.
The vzAny entity includes all entities within the same Virtual Routing and Forwarding (VRF), including internal EPGs within application profiles, external EPGs for L2Outs and L3Outs, as well as out-of-band or in-band EPGs (External Management Network Instance Profile in the APIC user interface) in the management tenant.
While vzAny is supported as a consumer for a shared service, it is not supported in the role of a provider for a shared service.
Please note that utilizing vzAny as a consumer for a shared service contract implies that any entity within the consumer VRF can establish communication with the provider application in the provider VRF.
When the contract scope associated with vzAny involves the Application Profile, the leaf switches will not consolidate zoning rules with pcTag 0. Instead, they will program multiple zoning rules with the individual pcTag of each Endpoint Group (EPG).
While this approach simplifies configuration, it does not contribute to saving policy TCAM usage.
Contract Priority
EPG Hierarchy:
More-specific EPGs take precedence over vzAny and preferred groups.
EPG Relationships:
EPG-to-EPG (priority 7 or 9) overrides EPG-to-vzAny (priority 13 or 15) and vzAny-to-EPG (priority 14 or 16), which in turn overrides vzAny-to-vzAny (priority 17 or 20).
Source-Destination Priority:
Specific source prioritized over specific destination (e.g., EPG-to-vzAny over vzAny-to-EPG).
Layer 4 Specificity:
More-specific Layer 4 (IP) rules take precedence (unspecified)
Filter Specificity:
Specific filters override "any" filters (e.g., EPG-to-EPG contract with a specific filter over one with a default filter).
Destination-Source Priority:
Specific destination prioritized over specific source (e.g., sport-any-to-dport-80 over sport-80-to-dport-any).
Deny Actions and Protocol Specificity:
Deny actions and specific protocols take precedence.
Log and Action Priority:
Within the same zoning-rule priority, deny + log prevails over deny, which prevails over redirect or permit action.
Redirect and Permit Specificity:
Between redirect and permit actions, more specific protocol and specific Layer 4 port prevail.
Action Resolution:
Between redirect and permit, if filters are identical, redirect prevails over permit. If filter rules overlap in ports and have the same priority, the resolution is non-deterministic. Conflicting rules of this type should be avoided for deterministic actions.
Priority Order:
Lower priority numbers denote higher precedence; hence, rules with lower values (i.e., higher priority) take precedence over those with higher values (i.e., lower priority).
Comments