Preferred Group for ACI Fabrics

Expand all sections

New and changed information
EPG preferred groups overview and limitations
Configure EPGs for preferred group

Updated August 14, 2025

Is this helpful? Feedback

New and changed information

The following table provides an overview of the significant changes up to this current release. The table does not provide an exhaustive list of all changes or of the new features up to this release.

Release Version	Feature	Description
Nexus Dashboard 4.1.1	Improved navigation and workflow when configuring preferred groups	Beginning with Nexus Dashboard 4.1.1, the navigation and workflow when configuring preferred groups in Nexus Dashboard have been enhanced.

Release Version

Feature

Description

Nexus Dashboard 4.1.1

Improved navigation and workflow when configuring preferred groups

Beginning with Nexus Dashboard 4.1.1, the navigation and workflow when configuring preferred groups in Nexus Dashboard have been enhanced.

EPG preferred groups overview and limitations

By default, Multi-Fabric architecture allows communication between EPGs only if a contract is configured between them. If there is no contract between the EPGs, any inter-EPG communication is explicitly disabled. The Preferred Group (PG) feature allows you to specify a set of EPGs that are part of the same VRF to allow full communication between them with no need for contracts to be created.

Preferred group vs contracts

There are two types of policy enforcements available for EPGs in a VRF which is stretched to multiple fabrics with a preferred group configured:

Included EPGs — Any EPG that is a member of a preferred group can freely communicate with all other EPGs in the group without any contracts. The communication is based on the source-any-destination-any-permit default rule and appropriate Multi-Fabric translations.
Excluded EPGs — EPGs that are not members of preferred groups continue to require contracts to communicate with each other. Otherwise, the default source-any-destination-any-deny rule applies.

The preferred group feature allows for greater control and ease of configuring communication between EPGs across fabrics in a stretched VRF context. If two or more EPGs in the stretched VRF require open communication while others must have only limited communication, you can configure a combination of a preferred group and contracts with filters to control the inter-EPG communication. EPGs that are excluded from the preferred group can only communicate with other EPGs if there is a contract in place to override the source-any-destination-any-deny default rule.

Stretched vs shadowed

If EPGs from multiple fabrics are configured to be part of the same preferred group, the Nexus Dashboard creates shadows of each fabric’s EPGs in the other fabrics in order to correctly translate and program the inter-fabric connectivity from the EPGs. Contract preferred group policy construct is then applied in each fabric between a real and shadow EPG for inter-EPG communication.

For example, consider a web-service EPG1 in Fabric1 and an app-service EPG2 in Fabric2 added to the preferred group. Then if EPG1 wants to access EPG2, it will first be translated to a shadow EPG1 in Fabric2 and then be able to communicate with EPG2 using the preferred group. Appropriate BDs are also stretched or shadowed if the EPG under it is part of a preferred group.

VRF preferred group setting

When you configure preferred groups directly in the APIC, you have to explicitly enable the setting on the VRF first before enabling PG membership on individual EPGs. If the PG setting on the VRF is disabled, the EPGs would not be able to communicate without contracts even if they are part of that VRF’s preferred group.

PG configuration in Nexus Dashboard follows the same approach as it does in APIC. In other words, the PG setting on the VRF must be explicitly enabled for the EPGs that are part of that VRF to use the PG configuration.

Nexus Dashboard releases prior to Release 4.0(1) did not allow you to manage the PG setting on VRFs in the GUI, but instead adjusts the setting dynamically as follows:

If you create and manage the VRF from Nexus Dashboard, Nexus Dashboard does not automatically enable or disable the VRF PG value.
Instead, if an EPG that belongs to the VRF is part of the preferred group, Nexus Dashboard will display a validation error and prompt you to manually enable the PG setting on the VRF. Similarly, if you remove the last EPG from the preferred group, you need to manually disable the VRF flag.
If you want to permanently enable the PG option on a VRF, you can enable PG on the VRF directly in the APIC first, then import that VRF into Nexus Dashboard.
Nexus Dashboard will preserve the setting and not disable it automatically even if you remove every EPG from the VRF’s preferred group.
If you import the VRF from APIC without first changing the PG setting, Nexus Dashboard will manage the object as if it was created from Nexus Dashboard and overwrite the PG setting dynamically based on EPG membership.

Limitations

The following guidelines and limitations apply when using EPG Preferred Groups:

Preferred Groups are not supported for inter-fabric L3Out external EPGs.
EPGs and External EPGs objects in a given VRF must not be configured as part of the Preferred Group if vzAny for that VRF is already consuming or providing a contract.

Configure EPGs for preferred group

Before you begin:

You must have one or more EPGs added to a schema template.

This section describes how to enable the Preferred Group (PG) configuration on the VRF and the EPGs.

Navigate to the Orchestration page.

Manage > Orchestration
Choose Tenant Templates > Applications.
Enable PG on the VRF.
1. Open the schema that contains the VRF used by the EPGs you want to include in the preferred group.
2. From the View Overview drop-down, select the template that contains the VRF.
3. Select the VRF.
4. In the properties sidebar on the right, check the Preferred Group check box.
  
  This enabled the PG configuration on that VRF. You will need to enable the PG setting on 2 or more EPGs which you want to be part of the preferred group as described in the next step.
5. Click Save to save the template changes.
Configure one or more EPGs to be part of the preferred group.
- You must not have a preferred group where some EPGs are managed by Nexus Dashboard and some are managed locally by the APIC.
- If you have an existing preferred group in any of the APICs and are planning to import the EPGs from that preferred group into Nexus Dashboard, you must import all EPGs in the group.
1. If the EPGs you want to include in the preferred group are in a different schema or template, navigate to that template.
2. Select an EPG.
3. In the right properties bar, check the Include in Preferred Group checkbox.
4. Click Save to save the template changes.
(Optional) Verify that all EPGs have been added to the preferred group.

You can view the full list of EPGs that are configured to be part of the preferred group by selecting a VRF and checking the Preferred Group EPGs list in the properties sidebar on the right.

First Published: 2025-01-31
Last Modified: 2025-01-31

Need help?

Open a Support Case
(Requires a Cisco Service Contract)