inter-EPG communication recommendation

Monsinka
Frequent Visitor

In a Cisco ACI deployment operating purely at Layer 2, where servers are connected to the ACI fabric and their default gateway resides on an external firewall connected to ACI, should Preferred Group be enabled to allow free communication between EPGs with traffic control enforced only on the firewall, or is it still recommended to use ACI contracts for inter-EPG communication? For example, if I have two servers in different VLANs, and their gateway is on the firewall, and I need those servers to be able to communicate with each other, even if the ACI is L2, do I need a contract between them? Your recommendations are highly appreciated.

Accepted Solution

RedNectar
VIP

Hi @Monsinka ,

Let's start with the basics: L2 vs L3.

For example, if I have two servers in different VLANs, and their gateway is on the firewall, and I need those servers to be able to communicate with each other

Then the whole story is at L3 - nothing to do with ACI (assuming of course that the two servers on different VLANs are in different subnets - if they are on the same subnet - something quite easy to configure in ACI - then that is a whole different story)

So for your example, enabling or disabling Preferred Groups will have absolutely zero effect.  Inter-EPG communication is ONLY going to occur via the firewall.

Similarly, configuring contracts between the EPGs will be a complete waste of time - IF the default gateway is on the firewall. I repeat: Inter-EPG communication is ONLY going to occur via the firewall.

I think that answers your question.


Now. Just to plant a seed of an idea, in case you'd LIKE to allow those two servers to have inter-EPG communication WITHOUT going through the firewall

You could move the default gateway of the servers to ACI, use a feature called Policy Based Redirect (PBR) to create a contract that allows the two EPGs to communicate freely, but send all other traffic to the firewall.


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
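An added illustration (not part of the thread) of the point above: which EPG pairs the fabric actually evaluates for a flow. The EPG names and addresses are hypothetical; the firewall is assumed to sit in its own EPG.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface

# Constructed model of the scenario in the thread: ACI is pure L2 and the
# default gateway for every server subnet lives on an external firewall.
# EPG names are hypothetical.

@dataclass(frozen=True)
class Endpoint:
    name: str
    epg: str
    addr: IPv4Interface  # e.g. 10.1.10.20/24

FIREWALL_EPG = "FW-Inside-EPG"  # hypothetical EPG holding the firewall's inside interface

def policy_pairs(src: Endpoint, dst: Endpoint, gw_epg: str = FIREWALL_EPG) -> list[tuple[str, str]]:
    """Return the (source EPG, destination EPG) pairs the fabric evaluates for src -> dst.

    Same subnet: the frame is bridged directly, so the two server EPGs are
    the pair being enforced (contract or Preferred Group needed unless the
    VRF is unenforced).
    Different subnet: the server forwards to its gateway MAC, so the fabric
    only ever sees server <-> firewall legs; a contract between the two
    server EPGs is never consulted for this traffic.
    """
    if src.addr.network == dst.addr.network:
        return [(src.epg, dst.epg)]
    return [(src.epg, gw_epg), (gw_epg, dst.epg)]

def contract_between_servers_matters(src: Endpoint, dst: Endpoint) -> bool:
    """True only when a contract between the two server EPGs would be consulted."""
    return (src.epg, dst.epg) in policy_pairs(src, dst)

if __name__ == "__main__":
    a = Endpoint("srv-a", "Web-EPG", IPv4Interface("10.1.10.20/24"))
    b = Endpoint("srv-b", "App-EPG", IPv4Interface("10.1.20.30/24"))
    c = Endpoint("srv-c", "Web2-EPG", IPv4Interface("10.1.10.40/24"))
    print(policy_pairs(a, b))  # different subnets: two firewall legs, server EPGs never paired
    print(policy_pairs(a, c))  # same subnet: bridged, Web-EPG <-> Web2-EPG is enforced
```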


5 Replies

mynetwork
Frequent Visitor

Hi @Monsinka 

Use Preferred Group if your goal is "free communication between EPGs with traffic control enforced only on the firewall."

or

Consider Unenforced VRF instead: if all EPGs in the VRF should communicate freely without any ACI policies (mirroring a flat L2 network), set the VRF to unenforced. This is simpler than Preferred Group but removes all intra-VRF policy capabilities.


Monsinka
Frequent Visitor

So there is no way to not use contracts if we want to make endpoints in different EPGs able to communicate with each other, even if the ACI fabric is acting as L2 and the gateways are on the firewall?


Thank you so much, just one other question please: do I need to enable the 'L2 Unknown Unicast' setting on the BD to flood, since the ACI is acting as L2? I have already disabled the 'Unicast Routing' setting on the BD.

Hi @Monsinka ,

Best practice is to set L2 Unknown Unicast to Flood in a pure L2 environment. The ARP flooding option doesn't matter. If Unicast Routing is disabled, ARPs will flood.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
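An added check (not from the thread or from Cisco) that applies the advice in this reply to bridge-domain settings pulled from the APIC: it reads a constructed fvBD JSON sample in the shape returned by the REST API, and flags BDs that have Unicast Routing disabled but L2 Unknown Unicast not set to flood. Tenant and BD names are hypothetical.

```python
import json

# Constructed sample in the shape of "GET /api/class/fvBD.json"; tenant path and
# BD names are hypothetical. Attribute names are those of the fvBD class.
SAMPLE_FVBD_JSON = json.dumps({"imdata": [
    {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-Web-BD", "name": "Web-BD",
              "unicastRoute": "no", "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
    {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-App-BD", "name": "App-BD",
              "unicastRoute": "no", "unkMacUcastAct": "flood", "arpFlood": "yes"}}},
    {"fvBD": {"attributes": {"dn": "uni/tn-Prod/BD-Mgmt-BD", "name": "Mgmt-BD",
              "unicastRoute": "yes", "unkMacUcastAct": "proxy", "arpFlood": "no"}}},
]})

def audit_l2_bds(fvbd_json: str) -> dict[str, list[str]]:
    """Check every BD with Unicast Routing disabled (the pure-L2 case in the thread)
    against the advice given there.

    - L2 Unknown Unicast should be "flood": with "proxy", unknown unicast for an
      endpoint the spine proxy has not learned is dropped instead of flooded.
    - arpFlood is informational only: with unicastRoute="no" ARP floods anyway.
    Returns {bd_name: [findings]}; BDs with routing enabled are skipped.
    """
    findings: dict[str, list[str]] = {}
    for item in json.loads(fvbd_json)["imdata"]:
        attrs = item["fvBD"]["attributes"]
        if attrs.get("unicastRoute", "yes") != "no":
            continue  # routed BD: not the scenario under discussion
        notes = []
        l2uu = attrs.get("unkMacUcastAct", "proxy")
        if l2uu != "flood":
            notes.append(f"set L2 Unknown Unicast to flood (currently {l2uu})")
        if attrs.get("arpFlood", "no") == "no":
            notes.append("arpFlood=no is harmless here: ARP floods regardless when unicastRoute=no")
        findings[attrs["name"]] = notes
    return findings

if __name__ == "__main__":
    for bd, notes in audit_l2_bds(SAMPLE_FVBD_JSON).items():
        print(bd, "->", notes or ["ok"])
```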
