Understand Preferred Group Contract


As you have learned so far, in Cisco ACI every EPG needs a contract to communicate with any other EPG because of the allow list model. As the number of EPGs grows, the contract configuration between all EPGs becomes challenging to manage. vzAny can simplify certain configurations, such as the case where all EPGs in a given VRF share the same contract.

What about a configuration like this one? It works fine with the allow list model except for the communication between EPG 1, 2, 3 and 4. The requirement here is that EPG 1 – 4 should be allowed to talk to each other without any security rules, while the rest should follow the allow list model.

To simplify a requirement like this, where contract policies are partially unenforced within a given VRF, ACI introduced Contract Preferred Group in APIC release 2.2(1).

With Preferred Group, ACI defines some EPGs as the “Included” members. All the other EPGs are grouped as “Excluded” members. In the example picture, EPG 1 – 4 are defined as the “Included” members. Among the “Included” members, no contracts are required: they can talk to each other without any security enforcement. The EPGs in the “Excluded” group, on the other hand, still follow the allow list model and require contracts to talk to any other EPG, whether it is an “Excluded” member or an “Included” member.
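
The Included/Excluded rule described above, modeled as an added example (not code from the original page or from Cisco): it classifies every EPG pair in a VRF and lists the pairs that communicate with no contract. EPG5, EPG6, the sample contracts and all function names are constructed for illustration; contract filters and direction are not modeled.

```python
from itertools import combinations

# Constructed inventory for one VRF. EPG1-EPG4 are "Included" as on the page;
# EPG5 and EPG6 are hypothetical "Excluded" members added for illustration.
EPGS = {
    "EPG1": "include", "EPG2": "include", "EPG3": "include", "EPG4": "include",
    "EPG5": "exclude", "EPG6": "exclude",
}

# Constructed contract relationships as unordered EPG pairs. Simplification:
# a contract is treated as permitting the pair; filters and direction are not modeled.
CONTRACTS = {frozenset(("EPG5", "EPG6")), frozenset(("EPG5", "EPG1"))}


def verdict(a, b, epgs=EPGS, contracts=CONTRACTS):
    """Classify traffic between two different EPGs in the same VRF."""
    if a == b:
        raise ValueError("intra-EPG traffic is outside this model")
    if epgs[a] == "include" and epgs[b] == "include":
        return "permit-no-contract"      # both Included: no enforcement
    if frozenset((a, b)) in contracts:
        return "permit-by-contract"      # allow list satisfied explicitly
    return "deny"                        # allow list default


def unenforced_pairs(epgs=EPGS):
    """List every EPG pair that communicates without any contract."""
    included = sorted(name for name, member in epgs.items() if member == "include")
    return list(combinations(included, 2))


def audit(epgs=EPGS, contracts=CONTRACTS):
    """Return {verdict: [pairs]} for all EPG pairs, for review of implicit trust."""
    report = {"permit-no-contract": [], "permit-by-contract": [], "deny": []}
    for a, b in combinations(sorted(epgs), 2):
        report[verdict(a, b, epgs, contracts)].append((a, b))
    return report


if __name__ == "__main__":
    for kind, pairs in audit().items():
        print(f"{kind:20} {len(pairs):2}  {pairs}")
    # Moving one more EPG into the group adds a pair with every existing member.
    grown = dict(EPGS, EPG5="include")
    print("unenforced pairs:", len(unenforced_pairs()), "->", len(unenforced_pairs(grown)))
```

Each EPG moved into the Included group gains unenforced access to every existing member, so the `permit-no-contract` list is the set of pairs to review when group membership changes.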

