Preventing Inter-Tenant Communication in Cisco ACI: Best Practices and Solutions

How to Prevent Inter-Tenant Communication in Cisco ACI

Question

An engineer created a Cisco ACI environment in which multiple tenants reuse the same contract.

The requirement is to prevent inter-tenant communication.

Which action meets this requirement?

Answers

Explanations


B.

In Cisco ACI, a contract defines a set of rules that determine the types of traffic that are allowed to flow between EPGs (End Point Groups). When multiple tenants need to use the same contract, it is important to ensure that inter-tenant communication is prevented.

To meet this requirement, the engineer should create the contract in the user tenant with the scope set to VRF and exported to other tenants. Here's why:

A. Create the contract in the user tenant with the scope set to VRF and exported to other tenants

  • This option is the best approach because it creates the contract in the user tenant, which means that it is within the scope of that tenant only. By setting the scope to VRF (Virtual Routing and Forwarding), the contract is limited to a specific routing context, preventing inter-tenant communication.
  • By exporting the contract to other tenants, other tenants can use the same contract but only within their own VRF scope. This ensures that traffic is restricted to within the tenant's VRF, preventing inter-tenant communication.

B. Create the contract in the common tenant with the scope set to Tenant

  • This option creates the contract in the common tenant, which means that it is shared across all tenants. Setting the scope to Tenant means that the contract is limited to within the tenant, but it still allows inter-tenant communication. This option does not meet the requirement.

C. Create the contract in the user tenant with the scope set to Global and exported to other tenants

  • This option creates the contract in the user tenant but sets the scope to Global. This means that the contract is not limited to a specific VRF or tenant, and therefore, it can allow inter-tenant communication. This option does not meet the requirement.

D. Create the contract in the common tenant with the scope set to Global.

  • This option creates the contract in the common tenant, which means that it is shared across all tenants. Setting the scope to Global means that the contract is not limited to a specific VRF or tenant, and therefore, it can allow inter-tenant communication. This option does not meet the requirement.

In summary, option A is the correct answer because it creates the contract in the user tenant, limits the scope to VRF, and exports it to other tenants, preventing inter-tenant communication.
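An added example, not part of the original page: a short audit that reads an APIC class-query response for contract objects (`vzBrCP`) and reports each contract's owning tenant and scope, flagging Global-scoped contracts, which the explanations above describe as not limited to a specific VRF or tenant. The sample response, tenant names and contract names are constructed for illustration.

```python
import json
import re

# Constructed sample, shaped like an APIC class-query response for vzBrCP
# (contract objects). Tenant and contract names are made up.
SAMPLE_RESPONSE = json.dumps({"totalCount": "4", "imdata": [
    {"vzBrCP": {"attributes": {"dn": "uni/tn-common/brc-web", "scope": "tenant"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-common/brc-dns", "scope": "global"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-TenantA/brc-db", "scope": "context"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-TenantA/brc-backup", "scope": "global"}}},
]})

# vzBrCP "scope" attribute value -> label used in the APIC GUI.
SCOPE_LABELS = {
    "application-profile": "Application Profile",
    "context": "VRF",
    "tenant": "Tenant",
    "global": "Global",
}

# A contract DN has the form uni/tn-<tenant>/brc-<contract>.
CONTRACT_DN = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/brc-(?P<name>[^/]+)$")


def audit_contracts(raw_json):
    """Return one record per contract: owning tenant, name, scope, review flag."""
    records = []
    for item in json.loads(raw_json).get("imdata", []):
        attrs = item.get("vzBrCP", {}).get("attributes", {})
        match = CONTRACT_DN.match(attrs.get("dn", ""))
        if not match:
            continue  # not a contract object, or DN in an unexpected form
        scope = attrs.get("scope")
        records.append({
            "tenant": match["tenant"],
            "name": match["name"],
            "scope": SCOPE_LABELS.get(scope, "unknown"),
            "in_common": match["tenant"] == "common",
            # Global is the scope not limited to a VRF or tenant; a missing
            # or unrecognised scope is flagged so it gets checked by hand.
            "review": scope == "global" or scope not in SCOPE_LABELS,
        })
    return records


if __name__ == "__main__":
    for r in audit_contracts(SAMPLE_RESPONSE):
        flag = "REVIEW" if r["review"] else "ok"
        print(f'{flag:6} {r["tenant"]}/{r["name"]}: scope={r["scope"]}')
```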