Preferred Group Explained and Configuration

This post consists of some notes from Cisco ACI Contract white paper.

What is a Preferred Group in ACI:

The Preferred Group (PG) feature allows you to specify a set of EPGs that are part of the same VRF to allow full communication between them with no need for contracts to be created.


There are two types of policy enforcements available for EPGs in a VRF with a contract preferred group configured:

  • Included EPGs: Any EPG that is a member of a preferred group can freely communicate with all other EPGs in the group without any contracts, The communication is based on the source-any-destination-any-permit default rule
  • Excluded EPGs: EPGs that are not members of preferred groups continue to require contracts to communicate with each other. Otherwise, the default source-any-destination-any-deny rule applies.

ACI Preferred Group Configuration:

When you configure preferred groups directly in the APIC, you have to explicitly enable the setting on the VRF first before enabling PG membership on individual EPGs. If the PG setting on the VRF is disabled, the EPGs would not be able to communicate without contracts even if they are part of that VRF’s preferred group.

In simple words, the preferred group configuration is done per VRF and requires two steps:

1.     Enable Preferred Group on the VRF.

2.     Enable a preferred group configuration at EPG so that the EPG is in the preferred group


I- Enable Preferred Group on the VRF:

Navigate to Tenant > Networking > VRFs > VRF_name > Policy. The default configuration is “Disabled.”


II- Enable a preferred group on the EPG level:

Under the EPG Policy menu, EPG_name > Policy > General. The default configuration is “Excluded.”

In order to join the preferred group, change select “Include” for the Preferred Group Member option:


Preferred group Example:

Zoning rules for Preferred group:

Pod1-Leaf1# show zoning-rule scope 2850817
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name       |  Action  |          Priority          |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------------+
|   4250  |   0    |   0    | implicit |    uni-dir     | enabled | 2850817 |                   |  permit  | grp_any_any_any_permit(20) |

|   4208  |   0    |   15   | implicit |    uni-dir     | enabled | 2850817 |                   | deny,log | grp_any_dest_any_deny(19)  |

|   4249  | 32775  | 32774  |    67    |     bi-dir     | enabled | 2850817 | tenant1:Contract1 |  permit  |       fully_qual(7)        |

|   4248  | 32774  | 32775  |    68    | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 |  permit  |       fully_qual(7)        |

|   4210  | 49153  |   0    | implicit |    uni-dir     | enabled | 2850817 |                   | deny,log |  grp_src_any_any_deny(18)  |

|   4231  | 32775  |   0    | implicit |    uni-dir     | enabled | 2850817 |                   | deny,log |  grp_src_any_any_deny(18)  |

|   4229  |   0    | 32775  | implicit |    uni-dir     | enabled | 2850817 |                   | deny,log | grp_any_dest_any_deny(19)  |

|   4247  |   0    | 32777  | implicit |    uni-dir     | enabled | 2850817 |                   |  permit  |      any_dest_any(16)      |


  • Step 1: Allow all communication in a VRF: The communication between App EPG and EB EPG or any EPGs that are in the preferred group is achieved with an any-to-any implicit permit rule (Rule ID 4250). This rule allows all communication within the VRF. (priority 20)
  • Step 2: Deny communication between EPGs that are not Preferred Group members (0: any EPG, pctag of non-Preferred Group EPG): Cisco ACI creates deny rules, which have higher priority, to deny communication between non-preferred group members and any other EPGs. In this example, ACI programs rule to deny traffic from Web EPG to any other EPGs, and from any EPGs to the Web EPG (Rule IDs: 4231 and 4229). (priority 18 & 19)

    So, for each EPG non-member of the preferred group, there is always a pair of explicit deny rules:
    EPG non-member of PG (pctag: x) to any EPG (pcTag: 0).
    any EPG (pcTag: 0) to EPG non-member of PG (pctag: x).

  • Step 3: Allow communication between specific EPG (one part of PG): this contract has a higher priority than the implicit deny rules programmed for the preferred group. (priority 7)


In a simple picture:


https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html
https://www.cisco.com/c/en/us/td/docs/dcn/mso/3x/configuration/cisco-aci-multi-site-configuration-guide-301/aci-multi-site-use-case-preferred-group.pdf

Bilel A

Bilel A

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Learn Duty
0
Would love your thoughts, please comment.x
()
x