This post summarizes my study notes on the topic of ACI End Point Groups (EPG).

EPG Definitions

A Network Engineer can consider an EPG to be a sort of container. And if you’re familiar with Linux Containers, I’ll avoid that term for a while and say a “placeholder”. So an EPG is a placeholder for end hosts to which we can apply a set of network policies.

In other words, an EPG is a place in the network where we can enforce policies on a group of end hosts.

The end hosts can be: physical servers, virtual machines, Linux Containers, clients from the Internet, etc.

But how are end hosts going to be put in the adequate EPGs? Or how does the APIC do that? Don’t we configure a VLAN under a switch port and thus group end hosts on a VLAN ID basis?


The principle of how an end host is assigned an EPG is based on a traffic classifier. And the traffic classifier in ACI (as far as I know) is the encapsulation identifier (Encap ID), whether it is the 802.1Q VLAN ID or the VXLAN ID aka VNID.

So whenever some sort of traffic arrives at the leaf port, the leaf reads the Encap ID, and if it finds a “matching” EPG, it applies the EPG settings and the access policies to the port.

Within an EPG, end hosts communicate together freely, no matter which subnets they are in. However, a Network Engineer can insert some filtering to control which endpoints communicate with one another in the same EPG, and how. This filtering mechanism is implemented with either isolation (intra-EPG isolation) or Contracts (intra-EPG Contracts).

Between EPGs all communication is denied. This is the default behaviour when you configure a VRF. That means ACI acts like a firewall at line rate denying traffic between EPGs.

Also the communication between ACI fabric and external network devices is by default denied unless we define one or more contracts between an internal EPG and the external EPG. We’ll learn about internal and external EPGs later.

A Network Engineer has the option to activate/deactivate Microsegmentation during the configuration menu of the EPG itself.

Whether it is intra-EPG isolation or intra-EPG Contracts, we implement the filtering:

  • between ACI and VMware VDS using PVLAN technology
  • between ACI and Microsoft vSwitch using OpFlex

and in both cases we implement different VLANs between the ACI fabric and the hypervisor.

EPG Deployment Immediacy and Resolution Immediacy

Resolution Immediacy

Selecting pre-provision as the Resolution Immediacy when associating an EPG to a VMM Domain will push the policies linked to the EPG to all leaf switches impacted by the access policies.

(to be continued)

EPG Types

We distinguish:

  • Standard (or internal) EPG
  • uSeg EPG (read further to know about them)
  • external EPG:
    • this is where we define the connection point to an external L2 or L3 network. In the case of connecting an external L3 network, the external EPG is also called L3 EPG.
    • devices that we want to communicate with the external networks should be assigned the external EPG
    • is associated with a bridge domain that is itself associated with the L3 external routed connection.
    • in external EPGs we define the source IP addresses (in prefix format) of the incoming traffic that will be visible from internal EPGs.
      • So for example we can define an external subnet of which means “accept to see all external networks”. We can also define separate external networks under one external EPG.
      • I said “will be visible” and not “reachable”, because there is still no communication allowed with the internal EPGs until contracts are defined.
        • Remember that the default behaviour of a VRF is “enforced”. If it were “unenforced”, we would not need contracts, and therefore communication between external and internal EPGs would be open.
    • communication with the external networks is regulated by means of contracts.
  • vzAny aka “All EPG”:
    • a construct that represents all EPGs in a VRF.
    • is handy when we want to implement an “any-to-any” contract between all EPGs of a VRF, as a way to emulate a blacklist model.
    • reduces policy CAM utilization when all EPGs in a VRF would consume/provide the same services.
    • When a vzAny in a VRF1 consumes contracts provided by an external EPG in a VRF2, then all subnets of VRF1 will be leaked to the external EPG in VRF2.

An EPG can also be categorized in terms of providing or consuming a contract:

  • An EPG providing the “services” is said to be a Provider of the contract, or Provider EPG.
  • The EPG benefiting from the “services” is said to be a Consumer of the contract, thus a Consumer EPG.
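To make the whitelist model concrete (default deny between EPGs, contracts between a Consumer and a Provider, vzAny standing for every EPG in the VRF, and the enforced/unenforced VRF setting), here is a small added simulation that is not part of the original notes. EPG, VRF and contract names in it are constructed.

```python
# Added example, not from the post: a small model of the ACI whitelist
# behaviour between EPGs in a VRF. EPG, VRF and contract names are constructed.
from dataclasses import dataclass, field

VZANY = "vzAny"  # the "All EPG" construct: stands for every EPG in the VRF


@dataclass
class Vrf:
    name: str
    enforced: bool = True                     # ACI default: policy enforced
    epgs: set = field(default_factory=set)
    # contract name -> (provider EPGs, consumer EPGs)
    contracts: dict = field(default_factory=dict)

    def provide(self, contract, epg):
        self.contracts.setdefault(contract, (set(), set()))[0].add(epg)

    def consume(self, contract, epg):
        self.contracts.setdefault(contract, (set(), set()))[1].add(epg)

    def _matches(self, members, epg):
        # vzAny on one side of a contract covers every EPG of this VRF
        return epg in members or (VZANY in members and epg in self.epgs)

    def allowed(self, src, dst):
        """True if the fabric forwards traffic from EPG src to EPG dst."""
        if src not in self.epgs or dst not in self.epgs:
            raise ValueError("unknown EPG")
        if src == dst:
            return True          # intra-EPG traffic is open unless isolated
        if not self.enforced:
            return True          # unenforced VRF: contracts are not needed
        # A consumer/provider contract permits both directions (default subject)
        for providers, consumers in self.contracts.values():
            if self._matches(consumers, src) and self._matches(providers, dst):
                return True
            if self._matches(providers, src) and self._matches(consumers, dst):
                return True
        return False             # default: deny between EPGs


def demo():
    vrf = Vrf("prod", epgs={"web", "app", "db", "ext"})
    vrf.provide("app-svc", "app")      # app is the Provider EPG
    vrf.consume("app-svc", "web")      # web is the Consumer EPG
    vrf.provide("dns", "db")
    vrf.consume("dns", VZANY)          # every EPG in prod may reach db's DNS
    return [vrf.allowed(s, d) for s, d in
            (("web", "app"), ("web", "db"), ("web", "ext"), ("ext", "db"))]
```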

Default OOB EPG

The default Out-of-Band EPG is an application EPG that is created by default in every ACI fabric. It comes under the tenant mgmt and may be used for connecting a virtualization server to a leaf over the Infrastructure VLAN.

EPG and Domains

  • An EPG can be attached to one or more VMM Domains. In this case we say “we extend an EPG x to the VMM Domain y”
  • When an EPG extends to a VMM Domain of type VMware, network segments called “Port Groups” will be automatically created on the vSphere Virtual Switch. The name of the Port Group will include the VMM Domain name and the EPG name. The VMware administrator will then have to manually assign VMs to Port Groups.

EPG and Microsegmentation

Each Microsegmentation EPG has a Precedence value, which is defined on the microsegmentation EPG configuration page.

By default, a microsegmentation EPG has a Precedence value of 0, which instructs the fabric to use the default Precedence order defined in APIC for the particular attached endpoint (virtualized server with vSphere VDS, virtualized server with AVS, etc.).

Configuring EPG

We configure EPGs under the Tenants –> (select your tenant) –> Application Profiles. We can either create the EPG with a standard right-click:


or with drag-n-drop within the Topology tab:

  • While creating an EPG, an ACI bridge domain must be associated with it.
  • An EPG can be part of only one Bridge Domain at a time. It can be any one, even a Bridge Domain in Tenant Common.

After dropping an EPG symbol in the window and configuring it, it will not be created unless you press the Submit button.


Configuring EPG Static Path Binding


As soon as you create an EPG instance, new menus appear under it. We can for example associate the EPG to a bare-metal domain or a VMM domain, we can define Static Path Bindings, we can define contracts…

The EPG Static Ports menu is where we configure what is called Static Path Binding or Static Binding: it aims at defining a set of “traffic selectors” that statically put the traffic arriving on a fabric leaf port into an EPG X. The most common traffic selectors are the leaf port and the VLAN ID (or Encap in ACI language).

Under the EPG menu, right-click on Static Ports and select Deploy Static EPG on PC, VPC, or Interface:


The Static Port EPG configuration window opens. Within this menu we have to decide if we are going to configure a normal port, a port channel or a virtual port channel (vPC). And for each choice we make, a different set of configurable objects will be displayed accordingly.

Here are the configurable objects when we choose to configure a single port:


Here is what we get when we choose Direct Port Channel or Virtual Port Channel: the object Node is no longer an available configurable object:



The value we configure for Port Encap should be chosen from the range (or ranges) within the VLAN Pool that is indirectly associated to the EPG:

Mode has the following values: Trunk, Access (802.1p) and Access (untagged).

  • Trunk: ACI expects an inbound frame with a VLAN ID field that equals whatever value configured under Encap. If so, this traffic gets classified to this EPG.
  • Access (802.1p):
    • APIC expects an inbound untagged frame with the 802.1p priority field, and
    • the inbound frames without a VLAN ID value will get classified to this EPG, and
    • traffic will be internally tagged with the VLAN encapsulation that was defined in the EPG, and
    • the leaf port (specified with the combination of Path and Node) can be later configured as a Trunk port in another EPG with static path binding.
  • Access (untagged):
    • inbound frames without VLAN ID will get associated to this EPG, and
    • frames will be internally tagged with the Encap value specified in the EPG.
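Here is an added simulation (not from the original notes) of how a leaf matches an inbound frame against its Static Path Bindings using the three Mode values above, including one port that carries a Trunk binding for one EPG and an Access (802.1p) binding for another. Leaf IDs, ports, VLAN IDs and EPG names are constructed.

```python
# Added example, not from the post: how a leaf classifies an inbound frame into
# an EPG from its Static Path Bindings. Leaf IDs, ports, VLANs and EPG names
# are constructed.
from dataclasses import dataclass
from typing import Optional

TRUNK, ACCESS_8021P, ACCESS_UNTAGGED = "trunk", "access-802.1p", "access-untagged"


@dataclass(frozen=True)
class StaticBinding:
    epg: str
    node: int      # leaf ID (Node); combined with path it selects the port
    path: str      # leaf interface, e.g. "eth1/1"
    encap: int     # Port Encap: a VLAN ID from the VLAN pool of the EPG's domain
    mode: str


@dataclass(frozen=True)
class Frame:
    node: int
    port: str
    vlan_id: Optional[int]  # None = no 802.1Q tag, 0 = priority-tagged (802.1p only)


def classify(bindings, frame):
    """Return (epg, internal_vlan) for the first matching binding, else None."""
    for b in bindings:
        if (b.node, b.path) != (frame.node, frame.port):
            continue
        if b.mode == TRUNK and frame.vlan_id == b.encap:
            return b.epg, b.encap                 # VLAN ID equals Encap
        if b.mode == ACCESS_8021P and frame.vlan_id in (None, 0):
            return b.epg, b.encap                 # internally tagged with Encap
        if b.mode == ACCESS_UNTAGGED and frame.vlan_id is None:
            return b.epg, b.encap
    return None                                   # no selector matched


def encap_conflicts(bindings):
    """Same leaf port + same Encap bound to two different EPGs is a conflict."""
    seen, conflicts = {}, []
    for b in bindings:
        key = (b.node, b.path, b.encap)
        if key in seen and seen[key] != b.epg:
            conflicts.append((key, seen[key], b.epg))
        seen.setdefault(key, b.epg)
    return conflicts


# One port carrying a Trunk binding for one EPG and an Access (802.1p)
# binding for another, as the notes describe.
BINDINGS = [StaticBinding("web", 101, "eth1/1", 10, TRUNK),
            StaticBinding("mgmt", 101, "eth1/1", 20, ACCESS_8021P),
            StaticBinding("db", 102, "eth1/5", 30, ACCESS_UNTAGGED)]
```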

Displaying EPG settings in CLI

APIC command          Output
show epg              displays all configured EPGs
show epg EPG_NAME     displays settings of EPG_NAME
