🔷 What is a Contract Preferred Group in ACI?
In Cisco ACI, Endpoint
Groups (EPGs) typically require contracts to
communicate with each other. This follows the “allow list” model,
where communication is explicitly permitted only if a contract exists.
The Preferred
Group (PG) feature simplifies this by allowing certain EPGs
within the same VRF to communicate freely without contracts.
✅ Key Concepts
|
Term |
Description |
|
Included EPGs |
EPGs that are part
of the preferred group and can communicate with each other without contracts. |
|
Excluded EPGs |
EPGs outside the
preferred group that still require contracts to communicate. |
|
VRF PG Setting |
Must be enabled for
the preferred group to work. Without this, even included EPGs won’t
communicate freely. |
🛠️ Configuration Steps
- Enable Preferred Group on VRF:
- Go to the VRF settings in APIC or Nexus
Dashboard Orchestrator (NDO).
- Check the Preferred Group box.
- Add EPGs to the Preferred Group:
- In the EPG properties, check Include
in Preferred Group.
- Save the configuration.
- Verify Membership:
- You can view all EPGs in the preferred
group under the VRF’s properties.
🌐 Multi-Site Considerations
- In a stretched VRF across
multiple sites, preferred group EPGs are shadowed in
other sites to enable inter-site communication.
- This allows, for example, a web
EPG in Site 1 to communicate with an app EPG in Site 2 without
contracts.
⚠️ Limitations
- Preferred Groups are not supported for L3Out
external EPGs.
- If vzAny is already
consuming/providing a contract in the VRF, you should not configure
preferred groups.
- All EPGs in a preferred group must be
managed consistently (either all via APIC or all via
NDO).
