Here are my study notes on the topic of Cisco ACI VRF. We start by defining some terms then see how VRF is configured.

ACI VRF: Definitions

  • aka private network.
  • can be pronounced V-R-F or a bit fancier like “Vurf”
  • is equivalent to the legacy VRF concept.
  • is pointed to by one or more bridge domains
  • Subnets only need to be unique within a VRF. This means:
    • you can’t have a subnet Subnet_S1 on two bridge domains belonging to the same VRF
    • VRF_A and VRF_D can both have a subnet with the same range of IP addresses. But this situation will present challenges if you later want to expose the subnet to the external network.
  • APIC can be instructed to confine the subnets within a given VRF, or to propagate them to other VRFs, or to allow redistributing them to the outside network through a L3out connection.
  • APIC automatically creates an Infrastructure VRF to communicate with fabric switches
  • overlay-1 is the name of the VRF underlay, which holds all VTEPs.

Enforced vs Unenforced network

  • Enforced mode means that communication between EPGs is prohibited unless contracts are specified.
    • To disable this default security policy on the VRF (in other words, to let all EPGs associated with the VRF communicate with each other without contracts), set the “Policy Control Enforcement Preference” to Unenforced at the VRF level.

Cisco ACI VRF Configuration

  • Can be created with context menus or graphically with drag and drop
  • You can configure the VRF first or the bridge domain first. The order does not matter because you can attach the bridge domain to the VRF later.

Go to Tenants -> {your tenant} -> Networking -> VRFs and right click to create a new VRF:


The Create VRF menu appears. Here type the name of your VRF and optionally a description. The field Tags can be left blank.


Notice that it is possible to create a new bridge domain if you leave the checkmark next to Create a Bridge Domain on.


Remember when I wrote that by default communication between EPGs is denied? Well this is controlled here at the VRF level, specifically with the Policy Control Enforcement Preference. Notice it is set to Enforced when you first create the VRF.

There are other options in the Create VRF menu. I would leave them at their defaults since I am creating a VRF for the sake of the blog post.

I am going to deactivate the Create A Bridge Domain checkbox because I am going to select a bridge domain later, from a list of available bridge domains on the APIC.


Note that IP Data-plane Learning is left at its default. This allows IP addresses (source and destination fields) in packets that traverse the data plane to be learned.

Then click the Submit button.

Our VRF is created and listed under the main working window Networking – VRFs:


To see which Bridge Domains are associated with a particular VRF, you have two methods:

  • Method 1: click on the Networking folder. You see the relationships between the constructs visually.
  • Method 2: click on the VRF, go to Policy then click on Show Usage
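
The same three points from these notes (which VRF a bridge domain points to, whether a VRF is Unenforced, and whether subnets are unique within a VRF) can be checked on a tenant definition without the GUI. The following is an added example, not part of the original notes and not Cisco code: it assumes the tenant is available as JSON in the APIC object-model shape, where fvCtx/pcEnfPref, fvBD, fvRsCtx/tnFvCtxName and fvSubnet/ip are the object-model names for the VRF, its enforcement preference, the bridge domain, its VRF relation and its subnet. The tenant, names and addresses are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample tenant in APIC object-model JSON shape (all names made up).
TENANT = {"fvTenant": {"attributes": {"name": "Tenant_X"}, "children": [
    {"fvCtx": {"attributes": {"name": "VRF_A", "pcEnfPref": "enforced"}}},
    {"fvCtx": {"attributes": {"name": "VRF_D", "pcEnfPref": "unenforced"}}},
    {"fvBD": {"attributes": {"name": "BD_1"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF_A"}}},
        {"fvSubnet": {"attributes": {"ip": "10.1.1.1/24"}}}]}},
    {"fvBD": {"attributes": {"name": "BD_2"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF_A"}}},
        {"fvSubnet": {"attributes": {"ip": "10.1.1.129/25"}}}]}},
    {"fvBD": {"attributes": {"name": "BD_3"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF_D"}}},
        {"fvSubnet": {"attributes": {"ip": "10.1.1.1/24"}}}]}},
]}}

def children(mo, cls):
    """Yield each direct child object of class `cls` under managed object `mo`."""
    for child in mo.get("children", []):
        if cls in child:
            yield child[cls]

def audit_tenant(doc):
    """Return (VRFs with contracts disabled, subnet overlaps inside one VRF)."""
    tenant = doc["fvTenant"]
    unenforced = sorted(c["attributes"]["name"] for c in children(tenant, "fvCtx")
                        if c["attributes"].get("pcEnfPref") == "unenforced")
    by_vrf = defaultdict(list)  # VRF name -> [(bridge domain name, network)]
    for bd in children(tenant, "fvBD"):
        # A bridge domain points to exactly one VRF through its fvRsCtx child.
        vrf = next((r["attributes"]["tnFvCtxName"]
                    for r in children(bd, "fvRsCtx")), None)
        for s in children(bd, "fvSubnet"):
            # fvSubnet "ip" is the gateway address plus mask, e.g. 10.1.1.1/24.
            net = ipaddress.ip_interface(s["attributes"]["ip"]).network
            by_vrf[vrf].append((bd["attributes"]["name"], net))
    overlaps = []
    for vrf, entries in by_vrf.items():
        for i, (bd1, n1) in enumerate(entries):
            for bd2, n2 in entries[i + 1:]:
                if bd1 != bd2 and n1.overlaps(n2):
                    overlaps.append((vrf, bd1, str(n1), bd2, str(n2)))
    return unenforced, overlaps

if __name__ == "__main__":
    print(audit_tenant(TENANT))
```

In the sample, VRF_D reuses the 10.1.1.0/24 range of VRF_A without being reported, because uniqueness is only checked per VRF; the BD_1/BD_2 pair inside VRF_A is reported.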
