
Contract Preferred Group

  • Writer: Mukesh Chanderia
  • Dec 17, 2023

Updated: Feb 24, 2024

The requirement here is that EPGs 1–4 should be allowed to talk to each other without any security rules, while the remaining EPGs 5–7 should follow the allow-list model.



Contract Preferred Group simplifies such a configuration requirement by leaving contract policies partially unenforced in the given VRF.





Through the concept of Preferred Group, ACI designates certain Endpoint Groups (EPGs) as "Included" members, while grouping all other EPGs as "Excluded" members.


In the provided illustration, EPGs 1–4 are identified as "Included" members. Within this category, no mandatory contracts exist; these EPGs can communicate with each other without any security enforcement.


Conversely, EPGs that are "Excluded" members require contracts to communicate with other "Excluded" members or with EPGs that are "Included" members.


A common use case for preferred group arises during migration scenarios.


In an initial phase, when migrating resources to the ACI fabric, one might opt for a network construct without enforcing security.


Subsequently, security measures can be gradually implemented using Endpoint Groups (EPGs) and contracts within the ACI fabric.


In this context, marking all EPGs associated with migrated resources as "Included" initially allows for a seamless transition, and later, when security rules need to be applied within the fabric, these EPGs can be switched to "Excluded."


Contract Preferred Group Configuration


  1. Enable the Preferred Group under the VRF.



Note: If Policy Control Enforcement Preference is set to "Unenforced", then all EPGs can communicate with each other without any restriction.


  2. Add EPGs in the “Included” member. By default, all EPGs are defined as the “Excluded” member.
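To check the outcome of the two steps above, the following added example (not part of the original post) audits an APIC-style JSON tenant tree and reports where contract enforcement is bypassed. It assumes the APIC object-model names `fvCtx`/`pcEnfPref`, `vzAny`/`prefGrMemb` and `fvAEPg`/`prefGrMemb`; the tenant, VRF, BD and EPG names and the sample tree are constructed.

```python
# Added example: audit preferred-group state. All object names below are constructed.
def build_sample(pc_enf="enforced", pref_gr="enabled"):
    """Constructed tenant: EPG1-4 'include', EPG5-7 'exclude', one VRF, one BD."""
    epgs = [{"fvAEPg": {"attributes": {"name": f"EPG{i}",
                                       "prefGrMemb": "include" if i <= 4 else "exclude"},
                        "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "BD1"}}}]}}
            for i in range(1, 8)]
    return {"fvTenant": {"attributes": {"name": "T1"}, "children": [
        {"fvCtx": {"attributes": {"name": "VRF1", "pcEnfPref": pc_enf}, "children": [
            {"vzAny": {"attributes": {"prefGrMemb": pref_gr}}}]}},
        {"fvBD": {"attributes": {"name": "BD1"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "VRF1"}}}]}},
        {"fvAp": {"attributes": {"name": "AP1"}, "children": epgs}}]}}

def kids(body, cls):
    return [c[cls] for c in body.get("children", []) if cls in c]

def audit(tenant):
    """Map each VRF to its enforcement mode and its included/excluded EPGs."""
    t, vrfs = tenant["fvTenant"], {}
    for ctx in kids(t, "fvCtx"):
        vrfs[ctx["attributes"]["name"]] = {
            "enforced": ctx["attributes"].get("pcEnfPref", "enforced") == "enforced",
            "pg_enabled": any(a["attributes"].get("prefGrMemb") == "enabled"
                              for a in kids(ctx, "vzAny")),
            "included": [], "excluded": []}
    # An EPG reaches its VRF through its bridge domain (fvRsBd -> fvBD -> fvRsCtx).
    bd_vrf = {bd["attributes"]["name"]: rs["attributes"]["tnFvCtxName"]
              for bd in kids(t, "fvBD") for rs in kids(bd, "fvRsCtx")}
    for ap in kids(t, "fvAp"):
        for epg in kids(ap, "fvAEPg"):
            for rs in kids(epg, "fvRsBd"):
                vrf = vrfs.get(bd_vrf.get(rs["attributes"]["tnFvBDName"]))
                if vrf is not None:  # EPGs default to "exclude"
                    inc = epg["attributes"].get("prefGrMemb") == "include"
                    vrf["included" if inc else "excluded"].append(epg["attributes"]["name"])
    return vrfs

def findings(vrfs):
    """Where contract enforcement is currently bypassed, one line per VRF."""
    out = []
    for name, v in sorted(vrfs.items()):
        if not v["enforced"]:
            out.append(f"{name}: unenforced, every EPG talks without contracts")
        elif v["pg_enabled"] and v["included"]:
            out.append(f"{name}: no contracts among {', '.join(v['included'])}")
        elif v["included"]:
            out.append(f"{name}: EPGs marked include, preferred group not enabled on VRF")
    return out
```

During a migration, rerunning `findings(audit(...))` on each exported tenant shows which EPGs are still "Included" and have yet to be moved under contracts.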


