As I was sitting in an ACI techtorial here at Cisco Live this morning, a point was really driven home for me. In ACI we have the idea of Contracts and Filters. This is a fancy way of saying we can have policies between end points (or end point groups specifically). A filter contains three things: a subject, an action, and a label. Most of us our familiar with the first two, especially if we relate it to the idea of an Access Control List (or ACL). The subject specified the "what," for example it could be http, https, icmp, etc. etc. The action is going to be either "permit" or "deny." But what about these labels?
Well, the labels are actually optional in ACI. But essentially it's a way of tagging the filter. We can then search these labels quickly to find the policies we are looking for. Maybe we have a label called "SQL" and we search on it. This will bring up all the policies with the label "SQL." Where as, if we just looked at all policies attached to the database servers we would have to look through the POSTGreSql policies as well. This will allow us to search through dozens, hundreds, maybe even thousands of policies more easily than we ever have before!