
There is a Global ACI option (SYSTEM > SYSTEM SETTINGS >> Fabric Wide Setting | Enforce Domain Validation) that forces ACI to check that an EPG is linked to a Domain. The Cisco Application Centric Infrastructure Design Guide White Paper recommends that this option be turned on, but it is a once-only option.  Once it is turned on, you can't turn it off.

And that includes turning it off by restoring a snapshot that was taken before the option was turned on.

So the point of this post is to warn anyone who turns this option on (and I recommend that you do) that you should do so as the very first configuration action you take with a new Fabric, BEFORE you take any snapshots.

If you try to restore a snapshot taken before the option was enabled, you will receive the following error:

Failed to apply tree: Asking for domain validation is a one time operation. No further changes allowed


aka Chris Welsh


Level 3

Hi Red, 


Thanks for the advice.

Could you expand on what exactly this functionality is actually doing? I have it enabled in a lab setup but was unable to determine the difference.

Without this checkbox enabled, I get an "invalid path error" if the domain is not attached to the EPG. What is different with the function enabled?




Hi @pille1234 ,

You have pretty much answered your own question:

What is different with the function enabled?

with your comment:

Without this checkbox enabled, I get an "invalid path error" if the domain is not attached to the EPG.

And this error is telling you that your Access Policy Chain has a gap or mis-configuration.  Since I LIKE to be told when there is a problem, I always check the "Enforce Validation" global configuration checkbox.

Now, if you don't check it, you may still have a problem, and the EPG may not work, but you won't see the error.

As the Cisco Application Centric Infrastructure Design Guide White Paper puts it:

Cisco ACI has a feature that verifies whether the VLAN used in an EPG matches the AEP configured, that there are no overlaps, and so on.



I have one query regarding the system setting "Enforcing Domain Validation". In my ACI fabric that system setting is not on. If I want to turn that parameter on, is there any service impact on running EPGs? Any MAC flapping on those EPGs where a physical domain is not added to the EPG?


Biswanath Biswas






Cisco Employee

Please check this documentation detailing the Enforce Domain Validation setting and its benefits.
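
For the pre-check raised in the last question, here is an added example (not written by any poster in this thread and not Cisco's code) that lists EPGs with static path bindings but no domain attached, the condition the thread says triggers the "invalid path" fault. It assumes the JSON was saved from the APIC class query shown in the comment; all object names in the sample are constructed, and it does not check VLAN pools or AEPs.

```python
import json

# Constructed sample shaped like the JSON returned by the APIC query
#   GET /api/class/fvAEPg.json?rsp-subtree=children&rsp-subtree-class=fvRsDomAtt,fvRsPathAtt
# Tenant, EPG, domain and port names are invented for this example.
SAMPLE = json.loads("""
{"imdata": [
  {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-WEB"}, "children": [
    {"fvRsDomAtt": {"attributes": {"tDn": "uni/phys-PHYS1"}}},
    {"fvRsPathAtt": {"attributes": {
      "tDn": "topology/pod-1/paths-101/pathep-[eth1/10]", "encap": "vlan-100"}}}]}},
  {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-APP"}, "children": [
    {"fvRsPathAtt": {"attributes": {
      "tDn": "topology/pod-1/paths-102/pathep-[eth1/11]", "encap": "vlan-200"}}}]}},
  {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-DB"}, "children": [
    {"fvRsDomAtt": {"attributes": {"tDn": "uni/phys-PHYS1"}}}]}},
  {"fvAEPg": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EMPTY"}}}
]}
""")


def epgs_missing_domain(response):
    """Return EPGs that have static path bindings but no domain association."""
    findings = []
    for item in response.get("imdata", []):
        epg = item.get("fvAEPg")
        if epg is None:
            continue  # ignore any other object class in the response
        children = epg.get("children", [])  # key is absent when an EPG has no children
        domains = [c["fvRsDomAtt"]["attributes"]["tDn"]
                   for c in children if "fvRsDomAtt" in c]
        paths = [(c["fvRsPathAtt"]["attributes"]["tDn"],
                  c["fvRsPathAtt"]["attributes"]["encap"])
                 for c in children if "fvRsPathAtt" in c]
        if paths and not domains:
            findings.append({"epg": epg["attributes"]["dn"], "paths": paths})
    return findings


if __name__ == "__main__":
    for f in epgs_missing_domain(SAMPLE):
        for port, encap in f["paths"]:
            print(f"{f['epg']}: {port} ({encap}) has no domain attached")
```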

