Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics, Release 4.1(x) - EPG Preferred Group [Cisco Nexus Dashboard Orchestrator] (2024)

EPG Preferred Groups Overview and Limitations

By default, Multi-Site architecture allows communication between EPGs only if a contract is configured between them. If there is no contract between the EPGs, any inter-EPG communication is explicitly disabled. The Preferred Group (PG) feature allows you to specify a set of EPGs that are part of the same VRF to allow full communication between them with no need for contracts to be created.

Preferred Group vs Contracts

There are two types of policy enforcements available for EPGs in a VRF which is stretched to multiple sites with a contract preferred group configured:

Included EPGs – Any EPG that is a member of a preferred group can freely communicate with all other EPGs in the group without any contracts. The communication is based on the source-any-destination-any-permit default rule and appropriate Multi-Site translations.
See Also
Cisco ACI EPG vs BD (Bridge Domain) | Zuguo Tan posted on the topic | LinkedIn Cisco Application Centric Infrastructure - ACI Fabric L3Out White Paper
Excluded EPGs – EPGs that are not members of preferred groups continue to require contracts to communicate with each other. Otherwise, the default source-any-destination-any-deny rule applies.

The contract preferred group feature allows for greater control and ease of configuring communication between EPGs across sites in a stretched VRF context. If two or more EPGs in the stretched VRF require open communication while others must have only limited communication, you can configure a combination of a contract preferred group and contracts with filters to control the inter-EPG communication. EPGs that are excluded from the preferred group can only communicate with other EPGs if there is a contract in place to override the source-any-destination-any-deny default rule.

Stretched vs Shadowed

If EPGs from multiple sites are configured to be part of the same contract preferred group, the Nexus Dashboard Orchestrator creates shadows of each site's EPGs in the other sites in order to correctly translate and program the inter-site connectivity from the EPGs. Contract preferred group policy construct is then applied in each site between a real and shadow EPG for inter-EPG communication.

For example, consider a web-service EPG1 in Site1 and an app-service EPG2 in Site2 added to the contract preferred group. Then if EPG1 wants to access EPG2, it will first be translated to a shadow EPG1 in Site2 and then be able to communicate with EPG2 using the contract preferred group. Appropriate BDs are also stretched or shadowed if the EPG under it is part of a contract preferred group.

VRF Preferred Group Setting

When you configure preferred groups directly in the APIC, you have to explicitly enable the setting on the VRF first before enabling PG membership on individual EPGs. If the PG setting on the VRF is disabled, the EPGs would not be able to communicate without contracts even if they are part of that VRF's preferred group.

Cisco Nexus Dashboard Orchestrator Configuration Guide for ACI Fabrics, Release 4.1(x) - EPG Preferred Group [Cisco Nexus Dashboard Orchestrator] (1)

Note

Beginning with Release 4.0(1), PG configuration in NDO follows the same approach as it does in APIC. In other words, the PG setting on the VRF must be explicitly enabled for the EPGs that are part of that VRF to use the PG configuration.

Nexus Dashboard Orchestrator releases prior to Release 4.0(1) did not allow you to manage the PG setting on VRFs in the GUI, but instead adjusts the setting dynamically as follows:

If you create and manage the VRF from NDO, NDO will dynamically enable or disable VRF PG value based on whether any EPGs that belong to that VRF are part of the preferred group.

In other words, when you add one or more EPGs to the preferred group, NDO automatically enables the PG setting on the VRF. When you remove the last EPG from the preferred group, NDO disables the VRF flag.
If you want to permanently enable the PG option on a VRF, you can enable PG on the VRF directly in the APIC first, then import that VRF into NDO.

NDO will preserve the setting and not disable it automatically even if you remove every EPG from the VRF's preferred group.
If you import the VRF from APIC without first changing the PG setting, NDO will manage the object as if it was created from NDO and overwrite the PG setting dynamically based on EPG membership.

Limitations

The following guidelines and limitations apply when using EPG Preferred Groups:

Preferred Groups are not supported for intersite L3Out external EPGs.
EPGs and External EPGs objects in a given VRF must not be configured as part of the Preferred Group if vzAny for that VRF is already consuming or providing a contract.

Configuring EPGs for Preferred Group

This section describes how to enable the Preferred Group (PG) configuration on the VRF and the EPGs.

Before you begin

You must have one or more EPGs added to a schema template.

Procedure

Step1

Step2

From the left navigation pane, choose Application Management > Schemas.

Step3

Enable PG on the VRF.

Open the Schema that contains the VRF used by the EPGs you want to include in the preferred group.
From the View Overview dropdown, select the template that contains the VRF.
Select the VRF.
In the properties sidebar on the right, check the Preferred Group checkbox.

This enabled the PG configuration on that VRF. You will need to enable the PG setting on 2 or more EPGs which you want to be part of the preferred group as described in the next step.
Click Save to save the template changes.

Step4

Configure one or more EPGs to be part of the preferred group.

Note

You must not have a preferred group where some EPGs are managed by Nexus Dashboard Orchestrator and some are managed locally by the APIC.

If you have an existing preferred group in any of the APICs and are planning to import the EPGs from that preferred group into Nexus Dashboard Orchestrator, you must import all EPGs in the group.

If the EPGs you want to include in the preferred group are in a different schema or template, navigate to that template.
Select an EPG.
In the right properties bar, check the Include in Preferred Group checkbox.
Click Save to save the template changes.

Step5

(Optional) Verify that all EPGs have been added to the preferred group.

You can view the full list of EPGs that are configured to be part of the preferred group by selecting a VRF and checking the Preferred Group EPGs list in the properties sidebar on the right.