Cisco ACI VzAny Contract Explained – Any EPG

Cisco ACI VzAny Contract Explained – Any EPG


In the Cisco ACI fabric, EPGs can only communicate with other EPGs according to contract rules. A relationship between an EPG and a contract specifies whether the EPG provides the communications defined by the contract rules, consumes them, or both.

By dynamically applying contract rules to all EPGs in a VRF, vzAny automates the process of configuring EPG contract relationships. Whenever a new EPG is added to a VRF, vzAny contract rules automatically apply.

What is Any EPG ACI:

The “Any” Endpoint Group, is a collection of all of the EPGs that allows for a shorthand way to refer to all of the EPGs within that VRF. This shorthand referral eases management by allowing for a single point of contract configuration for all EPGs within a VRF, and also optimizes hardware resource consumption by applying the contract to this one group rather than each EPG individually.

In other words, if one has 1000 EPGs that are all part of the same VRF/VRF/private network, you can apply the contract(s) to this one vzAny group under the VRF, rather than on each EPG.

How vzAny Works

The following scenarios illustrate how vzAny works:

  • vzAny is the consumer and one EPG is the provider
  • vzAny is the provider and one EPG is the consumer
  • vzAny is the provider and the consumer

In latest versions, VzAny works with ESG as well.

Configuration in GUI:

To configure vzAny, navigate to Tenants > tenant-name Networking > VRFs > vrf-name > EPG Collection for VRF.

Usage example:

Here all EPGs under the EPG provide contract A, (because the VRF provides it) but only EPG MGMT consumes it. Let’s assume contract permitted SSH, and the customer wants to initiate SSH from devices in MGMT to any other device in the VRF. 

Provide the contract on the VRF using vzAny, and consume it on the one EPG where the SSH will be initiated from.  In essence EPG MGMT also provides contract A, but unless some other EPG consumes it, only devices in EPG MGMT can open SSH.


What users should not do when using vzAny collection of EPGs, is configure it for both provider and consumer of the common/default contract.  More specific contract filter rules should be used when deploying contracts via the vzAny option.

The previous combination is not supported and could lead to a intermittent connectivity issues.


0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x