EPG Preferred Groups Overview and Limitations
By default, Multi-Site architecture allows communication between EPGs only if a contract is configured between them. If there is no contract between the EPGs, any inter-EPG communication is explicitly disabled. The Preferred Group (PG) feature allows you to specify a set of EPGs that are part of the same VRF to allow full communication between them with no need for contracts to be created.
Preferred Group vs Contracts
There are two types of policy enforcements available for EPGs in a VRF which is stretched to multiple sites with a contract preferred group configured:
-
Included EPGs – Any EPG that is a member of a preferred group can freely communicate with all other EPGs in the group without any contracts. The communication is based on the
source-any-destination-any-permit
default rule and appropriate Multi-Site translations. -
Excluded EPGs – EPGs that are not members of preferred groups continue to require contracts to communicate with each other. Otherwise, the default
source-any-destination-any-deny
rule applies.
The contract preferred group feature allows for greater control and ease of configuring communication between EPGs across
sites in a stretched VRF context. If two or more EPGs in the stretched VRF require open communication while others must have
only limited communication, you can configure a combination of a contract preferred group and contracts with filters to control
the inter-EPG communication. EPGs that are excluded from the preferred group can only communicate with other EPGs if there
is a contract in place to override the source-any-destination-any-deny
default rule.
Stretched vs Shadowed
If EPGs from multiple sites are configured to be part of the same contract preferred group, the Nexus Dashboard Orchestrator creates shadows of each site's EPGs in the other sites in order to correctly translate and program the inter-site connectivity from the EPGs. Contract preferred group policy construct is then applied in each site between a real and shadow EPG for inter-EPG communication.
For example, consider a web-service EPG1 in Site1 and an app-service EPG2 in Site2 added to the contract preferred group. Then if EPG1 wants to access EPG2, it will first be translated to a shadow EPG1 in Site2 and then be able to communicate with EPG2 using the contract preferred group. Appropriate BDs are also stretched or shadowed if the EPG under it is part of a contract preferred group.
VRF Preferred Group Setting
When you configure preferred groups directly in the APIC, you have to explicitly enable the setting on the VRF first before enabling PG membership on individual EPGs. If the PG setting on the VRF is disabled, the EPGs would not be able to communicate without contracts even if they are part of that VRF's preferred group.
Note |
Beginning with Release 4.0(1), PG configuration in NDO follows the same approach as it does in APIC. In other words, the PG setting on the VRF must be explicitly enabled for the EPGs that are part of that VRF to use the PG configuration. Nexus Dashboard Orchestrator releases prior to Release 4.0(1) did not allow you to manage the PG setting on VRFs in the GUI, but instead adjusts the setting dynamically as follows:
|
Limitations
The following guidelines and limitations apply when using EPG Preferred Groups:
-
Preferred Groups are not supported for intersite L3Out external EPGs.
-
EPGs and External EPGs objects in a given VRF must not be configured as part of the Preferred Group if vzAny for that VRF is already consuming or providing a contract.