Here are my study notes on the topic of Cisco ACI VRF. We start by defining some terms then see how VRF is configured.

ACI VRF: Definitions

A VRF, aka private network, is pronounced V-R-F or “Vurf”. It is the equivalent to the legacy VRF concept, in the sense that it scopes an IP namespace, or subnets.

So “IP addresses” in an ACI VRF_A are different from those in an ACI VRF_B, even if they were numerically identical. A network engineer can design his IP scheme in that way. But this situation will present challenges if he one day wanted to expose the subnets of both VRFs to the external network.

In fact, any given subnet in an ACI tenant addressing space must be unique only VRF-wide. So you can have the same subnet ID on two bridge domains. But they have to belong to two separate VRFs.

A Cisco ACI VRF is attachable to one or more bridge domains.

APIC can be instructed to confine the subnets within a given VRF, to propagate them to other VRFs, or to allow redistributing them to the outside network (the non-ACI network) through a L3Out connection.

APIC automatically creates an Infrastructure VRF to communicate with fabric switches

overlay-1 is the name of the VRF in the underlying transport network – aka the “Underlay”- which holds all VTEP addresses.

Enforced vs Unenforced network

  • The Enforced mode means that communication between EPGs is prohibited unless contracts are specified.
    • To disable this default security policiy on the VRF (in other words enable all EPGs associated with the VRF to communicate together without needing contracts) set the “Policy Control Enforcement Preference” to Unenforced at the VRF level.

Cisco ACI VRF Configuration

  • Can be created with context menus or graphically with drag and drop
  • You can configure the VRF first or the bridge domain first. The order does not matter because you can attach the bridge domain to the VRF later.

Go to Tenants -> {your tenant} -> Networking -> VRFs and right click to create a new VRF:


The Create VRF menu appears. Here type the name of your VRF and optionally a description. The field Tags can be left blank.


Notice that it is possible to create a new bridge domain if you leave the checkmark next to Create a Bridge Domain on.


Remember when I wrote that by default communication between EPGs is denied? Well this is controlled here at the VRF level, specifically with the Policy Control Enforcement Preference. Notice it is set to Enforced when you first create the VRF.

There are different options in the Create VRF menu. I would leave them to default since I am creating a VRF for the sake of the blog post.

I am going to deactivate the Create A Bridge Domain checkbox because I am going to select a bridge domain later, from a list of available bridge domains on the APIC.


Note that IP Data-plane Learning is left to default. This allows IP addresses (source and destination fields) in packets that traverse the data plane to be learned.

Then click the Submit button.

Our VRF is created and listed under the main working window Networking – VRFs:


To see which Bridge Domains are associated with a particular VRF, you have two methods:

  • method1: click on the Networking folder. You see the relationships between the constructs visually:
          • method2: click on the VRF, go to Policy then click on Show Usage

          Click here to read the rest of my Cisco ACI study notes.

          Be First to Comment

          Leave a Reply

          Your email address will not be published. Required fields are marked *