Part of the beauty of Cisco Application Centric Infrastructure (ACI) is the idea of contracts. In ACI we talk a lot about the policy-driven network, and those policies are what we call contracts. Contracts aren't totally unlike ACLs, but there are some big differences. First, ACLs usually go between IP addresses or subnets, while contracts are between End Point Groups (EPGs) and are not concerned with specific IP addressing. Second, ACI is a whitelist model, so contracts usually allow traffic, while ACLs on a traditional network spend a lot of time denying traffic. Finally, contracts can easily be made bidirectional, meaning they can apply the same policy from your web EPG, for example, to your app EPG, and vice versa. You make a contract bidirectional by simply clicking a checkbox, instead of writing several more ACLs to make it work.
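A simplified model of the three differences described above, added here as an illustration and not Cisco's code or the APIC object model. The EPG names, addresses, ports and the `permitted` function are constructed assumptions, and only traffic between different EPGs is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    consumer: str                # EPG that initiates the traffic
    provider: str                # EPG that offers the service
    proto: str
    port: int
    bidirectional: bool = False  # stands in for the checkbox described above

# Constructed sample data: policy is keyed on EPG membership, not on the IP.
EPG_OF = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}

CONTRACTS = [
    Contract("web", "app", "tcp", 8080, bidirectional=True),
    Contract("app", "db", "tcp", 5432),
]

def permitted(src_ip, dst_ip, proto, port, epg_of=EPG_OF, contracts=CONTRACTS):
    """Whitelist check: a flow between two EPGs passes only if a contract names that pair."""
    src, dst = epg_of.get(src_ip), epg_of.get(dst_ip)
    if src is None or dst is None:
        return False             # endpoint belongs to no EPG, so no contract can match
    for c in contracts:
        if (c.proto, c.port) != (proto, port):
            continue
        if (src, dst) == (c.consumer, c.provider):
            return True
        if c.bidirectional and (src, dst) == (c.provider, c.consumer):
            return True          # same policy applied in the reverse direction
    return False                 # nothing allowed it: implicit deny

if __name__ == "__main__":
    flows = [
        ("10.0.1.10", "10.0.2.20", "tcp", 8080),  # web -> app, contract exists
        ("10.0.2.20", "10.0.1.11", "tcp", 8080),  # app -> web, bidirectional contract
        ("10.0.3.30", "10.0.2.20", "tcp", 5432),  # db -> app, contract is one-way
        ("10.0.1.10", "10.0.3.30", "tcp", 5432),  # web -> db, no contract at all
    ]
    for flow in flows:
        print(flow, "permit" if permitted(*flow) else "deny")
```

Re-addressing an endpoint only changes the `EPG_OF` mapping; the contract list stays untouched, which is the contrast with IP-based ACLs.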