Tuesday, 26 August 2025

What is a Contract Preferred Group in ACI?


In Cisco ACI, Endpoint Groups (EPGs) typically require contracts to communicate with each other. This follows the “allow list” model, where communication is explicitly permitted only if a contract exists.

The Preferred Group (PG) feature simplifies this by allowing certain EPGs within the same VRF to communicate freely without contracts.


Key Concepts

  • Included EPGs: EPGs that are part of the preferred group and can communicate with each other without contracts.
  • Excluded EPGs: EPGs outside the preferred group that still require contracts to communicate.
  • VRF PG Setting: Must be enabled for the preferred group to work. Without this, even included EPGs won’t communicate freely.


🛠️ Configuration Steps

  1. Enable Preferred Group on VRF:
    • Go to the VRF settings in APIC or Nexus Dashboard Orchestrator (NDO).
    • Check the Preferred Group box.
  2. Add EPGs to the Preferred Group:
    • In the EPG properties, check Include in Preferred Group.
    • Save the configuration.
  3. Verify Membership:
    • You can view all EPGs in the preferred group under the VRF’s properties.

🌐 Multi-Site Considerations

  • In a stretched VRF across multiple sites, preferred group EPGs are shadowed in other sites to enable inter-site communication.
  • This allows, for example, a web EPG in Site 1 to communicate with an app EPG in Site 2 without contracts.

⚠️ Limitations

  • Preferred Groups are not supported for L3Out external EPGs.
  • If vzAny is already consuming/providing a contract in the VRF, you should not configure preferred groups.
  • All EPGs in a preferred group must be managed consistently (either all via APIC or all via NDO).
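
Because preferred-group members bypass the allow-list model, it is worth auditing membership against the steps and limitations above. The script below is an added example, not from the original post or from Cisco. The class and attribute names (fvCtx, vzAny, fvAEPg, prefGrMemb, fvRsBd, fvRsCtx, vzRsAnyToCons, vzRsAnyToProv) are assumed from the APIC object model, so confirm them against your APIC release. SAMPLE is a constructed tenant.

```python
def mo(cls, attrs=None, *children):
    # Build one managed object in APIC JSON shape: {class: {attributes, children}}
    return {cls: {"attributes": attrs or {}, "children": list(children)}}

def kids(obj, cls):
    # List (attributes, children) for each direct child of the given class
    return [(c[cls].get("attributes", {}), c[cls].get("children", [])) for c in obj if cls in c]

def audit(tenant_children):
    vrfs, bd_vrf, findings = {}, {}, []
    for attrs, ch in kids(tenant_children, "fvCtx"):
        v = vrfs[attrs["name"]] = {"enabled": False, "vzany_contracts": False, "included": []}
        for any_attrs, any_ch in kids(ch, "vzAny"):  # VRF-level preferred group switch
            v["enabled"] = any_attrs.get("prefGrMemb") == "enabled"
            v["vzany_contracts"] = bool(kids(any_ch, "vzRsAnyToCons") or kids(any_ch, "vzRsAnyToProv"))
    for attrs, ch in kids(tenant_children, "fvBD"):  # an EPG reaches its VRF through its BD
        for rs, _ in kids(ch, "fvRsCtx"):
            bd_vrf[attrs["name"]] = rs["tnFvCtxName"]
    for ap, ap_ch in kids(tenant_children, "fvAp"):
        for epg, epg_ch in kids(ap_ch, "fvAEPg"):
            if epg.get("prefGrMemb") == "include":
                vrf = bd_vrf.get(next((rs["tnFvBDName"] for rs, _ in kids(epg_ch, "fvRsBd")), None))
                if vrf in vrfs:
                    vrfs[vrf]["included"].append(f'{ap["name"]}/{epg["name"]}')
    for name, v in sorted(vrfs.items()):
        if v["included"] and not v["enabled"]:
            findings.append(f"{name}: EPGs marked include but VRF preferred group is off")
        if v["enabled"] and v["vzany_contracts"]:
            findings.append(f"{name}: preferred group enabled while vzAny has contracts")
        if v["enabled"] and len(v["included"]) > 1:
            findings.append(f"{name}: contract-free traffic among {sorted(v['included'])}")
    return vrfs, findings

# Constructed sample tenant (names are hypothetical)
SAMPLE = [
    mo("fvCtx", {"name": "prod"}, mo("vzAny", {"prefGrMemb": "enabled"},
       mo("vzRsAnyToCons", {"tnVzBrCPName": "shared-dns"}))),
    mo("fvCtx", {"name": "dev"}, mo("vzAny", {"prefGrMemb": "disabled"})),
    mo("fvBD", {"name": "bd-prod"}, mo("fvRsCtx", {"tnFvCtxName": "prod"})),
    mo("fvBD", {"name": "bd-dev"}, mo("fvRsCtx", {"tnFvCtxName": "dev"})),
    mo("fvAp", {"name": "shop"},
       mo("fvAEPg", {"name": "web", "prefGrMemb": "include"}, mo("fvRsBd", {"tnFvBDName": "bd-prod"})),
       mo("fvAEPg", {"name": "app", "prefGrMemb": "include"}, mo("fvRsBd", {"tnFvBDName": "bd-prod"})),
       mo("fvAEPg", {"name": "db", "prefGrMemb": "exclude"}, mo("fvRsBd", {"tnFvBDName": "bd-prod"})),
       mo("fvAEPg", {"name": "test", "prefGrMemb": "include"}, mo("fvRsBd", {"tnFvBDName": "bd-dev"}))),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

To run it against a real fabric, pass the `children` list of an exported tenant object to `audit()` in place of SAMPLE.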

 
