Understanding Cisco ACI VRF Enforced Mode (Simple & Secure Explanation)
In Cisco ACI, VRF Enforced Mode is the default and most secure policy model. It follows a strict white‑list approach, meaning EPGs cannot communicate with each other unless a contract explicitly allows that traffic. Even if two EPGs exist in the same VRF, they still need a contract for inter‑EPG communication.
Why VRF Enforced Mode Matters
- Secure by default: All inter‑EPG traffic is denied until permitted by a contract.
- Controlled micro-segmentation: Only required communication paths are opened.
- Intra‑EPG traffic allowed: Endpoints inside the same EPG can talk freely unless isolation is configured.
Other Policy Modes
- Unenforced Mode:
All traffic inside the VRF is allowed without contracts. Used rarely—mainly for testing or troubleshooting. - Preferred Group:
A flexible option where selected EPGs can communicate freely, while others still require contracts. Useful during migrations or gradual policy tightening.
How to Configure VRF Enforced Mode
Navigate to:
Tenants → [Tenant Name] → Networking → VRFs
Under Policy Control Enforcement Preference, choose:
🔒 Enforced
Once enabled, contracts become mandatory for any EPG-to-EPG communication.
Switching from Unenforced to Enforced
If you’re tightening security from an unenforced setup, you can enable Preferred Groups to avoid breaking existing traffic flows during the transition. This allows a smooth shift while still moving toward full policy enforcement.
No comments:
Post a Comment