Here are my study notes on the topic of VRF in ACI.

ACI VRF: Definitions

  • Also called a private network, or a context in the APIC object model (the VRF object class is fvCtx).
  • Pronounced V-R-F or, fancier, “Vurf”.
  • Is equivalent to the legacy VRF concept: a separate Layer 3 forwarding instance with its own routing table and address space.
  • Is referenced by one or more bridge domains; each bridge domain belongs to exactly one VRF.
  • Subnets need to be unique only within a VRF. This means:
    • you can’t configure the same subnet Subnet_S1 on two bridge domains that belong to the same VRF
    • VRF_A and VRF_D can both have a subnet with the same range of IP addresses. The overlap becomes a problem the day you want to leak that subnet to another VRF or advertise it to the external network, because the routes are ambiguous once they leave their VRF.
  • Whether a subnet stays confined to its VRF, is leaked to other VRFs, or may be redistributed to the outside network through an L3Out is decided per subnet on the bridge domain, not on the VRF: the subnet scope is Private to VRF, Shared between VRFs (leaked through a contract), or Advertised Externally.
  • APIC automatically creates an infrastructure VRF (overlay-1 in the infra tenant) that the fabric uses to communicate with its switches; you never configure it yourself.
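The two subnet rules above (unique within a VRF, allowed to repeat across VRFs, risky once a repeated range leaves its VRF) can be checked before anything is pushed to APIC. The script below is an added example, not code from the post; the tenant layout and names are constructed, and the scope strings follow the fvSubnet scope values (private, public, shared).

```python
import ipaddress

# Constructed sample data (not from the post): (VRF, bridge domain, gateway/prefix, scope).
# Scope uses the bridge-domain subnet scope values of the fvSubnet object:
#   "private" = Private to VRF, "public" = Advertised Externally,
#   "shared"  = Shared between VRFs; combinations are comma-separated ("public,shared").
SAMPLE_SUBNETS = [
    ("VRF_A", "BD_Web", "10.1.1.1/24",   "private"),
    ("VRF_A", "BD_App", "10.1.2.1/24",   "private"),
    ("VRF_A", "BD_Dup", "10.1.1.254/24", "private"),  # same subnet as BD_Web, same VRF: not allowed
    ("VRF_D", "BD_Web", "10.1.1.1/24",   "public"),   # same range as in VRF_A, but another VRF
    ("VRF_D", "BD_DB",  "10.9.0.1/16",   "shared"),
]


def leaves_vrf(scope):
    """True when the subnet is configured to be leaked to another VRF or advertised outside."""
    return bool({"public", "shared"} & set(scope.split(",")))


def check_subnets(entries):
    """Return (errors, warnings).

    errors:   overlapping subnets on two bridge domains of the same VRF
    warnings: overlapping subnets in different VRFs where at least one side is
              allowed to leave its VRF (shared or advertised externally)
    """
    errors, warnings = [], []
    nets = [(vrf, bd, ipaddress.ip_interface(gw).network, scope)
            for vrf, bd, gw, scope in entries]
    for i, (v1, b1, n1, s1) in enumerate(nets):
        for v2, b2, n2, s2 in nets[i + 1:]:
            if not n1.overlaps(n2):
                continue
            if v1 == v2:
                errors.append(f"{v1}: {b1} {n1} overlaps {b2} {n2}")
            elif leaves_vrf(s1) or leaves_vrf(s2):
                warnings.append(f"{v1}/{b1} {n1} overlaps {v2}/{b2} {n2}; "
                                f"scopes {s1!r}/{s2!r} let the range escape its VRF")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_subnets(SAMPLE_SUBNETS)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

On the sample data the check reports one error (BD_Web and BD_Dup in VRF_A) and two warnings (the 10.1.1.0/24 of VRF_D is advertised externally while VRF_A carries the same range). The same range in two VRFs that both stay Private to VRF produces nothing, which matches the rule in the notes.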

Enforced vs Unenforced VRF

  • Enforced mode means that communication between EPGs in the VRF is denied unless a contract explicitly permits it (a whitelist model: the implicit rule is deny).
    • To disable this default security policy on the VRF, in other words to let all EPGs associated with the VRF communicate with each other without contracts, set the “Policy Control Enforcement Preference” to Unenforced at the VRF level.
    • Unenforced applies to the whole VRF: contracts between EPGs in that VRF are no longer applied. Treat it as a migration or troubleshooting setting rather than a steady state, and audit your tenants for VRFs that were left in Unenforced.
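To make the difference between the two modes concrete, here is an added example (not code from the post) that models a VRF, a small contract table and the decision the fabric takes for a flow. The EPG and contract names are hypothetical, and only the consumer-to-provider direction of a contract is modelled.

```python
# Constructed VRF objects (hypothetical names). pcEnfPref is the fvCtx attribute
# behind "Policy Control Enforcement Preference" in the Create VRF dialog.
VRFS = {
    "VRF_A":   {"pcEnfPref": "enforced"},
    "VRF_LAB": {"pcEnfPref": "unenforced"},
}

# Constructed contracts: each consumer EPG may reach the provider EPG on the
# listed (protocol, first port, last port) filter entries.
CONTRACTS = [
    {"name": "web-to-app", "provider": "EPG_App", "consumers": {"EPG_Web"},
     "filters": [("tcp", 8080, 8080)]},
    {"name": "app-to-db", "provider": "EPG_DB", "consumers": {"EPG_App"},
     "filters": [("tcp", 3306, 3306)]},
]


def is_permitted(vrfs, contracts, vrf, src_epg, dst_epg, proto, dport):
    """Decide whether a flow between two EPGs of one VRF is allowed."""
    if src_epg == dst_epg:
        return True          # intra-EPG traffic is allowed by default
    if vrfs[vrf]["pcEnfPref"] == "unenforced":
        return True          # the whole VRF is open: contracts are not applied at all
    for c in contracts:
        if c["provider"] == dst_epg and src_epg in c["consumers"]:
            for f_proto, lo, hi in c["filters"]:
                if f_proto == proto and lo <= dport <= hi:
                    return True
    return False             # implicit deny of an enforced VRF


def unenforced_vrfs(vrfs):
    """Audit helper: names of the VRFs whose allow-list has been switched off."""
    return sorted(name for name, v in vrfs.items() if v["pcEnfPref"] == "unenforced")


if __name__ == "__main__":
    flows = [
        ("VRF_A",   "EPG_Web", "EPG_App", "tcp", 8080),   # permitted by web-to-app
        ("VRF_A",   "EPG_Web", "EPG_App", "tcp", 22),     # no filter for port 22
        ("VRF_A",   "EPG_Web", "EPG_DB",  "tcp", 3306),   # Web is not a consumer of app-to-db
        ("VRF_LAB", "EPG_Web", "EPG_DB",  "tcp", 3306),   # unenforced VRF: anything goes
    ]
    for vrf, s, d, p, port in flows:
        verdict = "permit" if is_permitted(VRFS, CONTRACTS, vrf, s, d, p, port) else "deny"
        print(f"{vrf}: {s} -> {d} {p}/{port}: {verdict}")
    print("VRFs in Unenforced mode:", unenforced_vrfs(VRFS))
```

The last flow is the point of the caveat: in VRF_LAB the same Web-to-DB traffic that VRF_A drops is permitted, and no contract anywhere in the tenant can change that until the VRF is put back to Enforced.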

ACI VRF Configuration

  • Can be created with context menus or graphically with drag and drop
  • You can configure the VRF first or the bridge domain first. The order does not matter because you can attach the bridge domain to the VRF later.

Go to Tenants -> {your tenant} -> Networking -> VRFs and right-click to create a new VRF:


The Create VRF menu appears. Here type the name of your VRF and optionally a description. The field Tags can be left blank.


Notice that it is possible to create a new bridge domain at the same time if you leave the checkbox next to Create A Bridge Domain ticked.


Remember when I wrote that by default communication between EPGs is denied? This is controlled here, at the VRF level, with the Policy Control Enforcement Preference. Notice it is set to Enforced when you first create the VRF.

There are other options in the Create VRF menu. I leave them at their defaults, since I am creating a VRF for the sake of the blog post.

I am going to deactivate the Create A Bridge Domain checkbox because I am going to select a bridge domain later, from a list of available bridge domains on the APIC.


Note that IP Data-plane Learning is left at its default (enabled). With it enabled, a leaf learns endpoint IP addresses from the source IP of the traffic it forwards, in addition to what it learns from ARP, GARP and ND. It is normally disabled only for designs where the same IP is sourced from several MACs (floating IPs, some firewall or load balancer clusters) and data-plane learning would keep moving the endpoint around.

Then click the Submit button.

Our VRF is created and listed under the main working window Networking – VRFs:


To see which bridge domains are associated with a particular VRF, you have two methods:

  • method 1: click on the Networking folder. You see the relationships between the constructs visually.
  • method 2: click on the VRF, go to Policy, then click on Show Usage.
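The same steps (create the VRF with its enforcement and data-plane learning settings, attach a bridge domain to it later, and list which bridge domains use it) can be done through the APIC REST API. The script below is an added example rather than code from the post: it only builds the JSON bodies and URLs, it does not talk to an APIC, and the tenant, VRF, bridge-domain and APIC host names are hypothetical.

```python
import json

# Hypothetical tenant name used for the URLs.
TENANT = "Tenant_Blog"

# Allowed values of the two fvCtx attributes discussed in the post.
PC_ENF_PREF = {"enforced", "unenforced"}   # Policy Control Enforcement Preference
IP_DP_LEARNING = {"enabled", "disabled"}   # IP Data-plane Learning


def valid_vrf_settings(pc_enf_pref, ip_dp_learning):
    """Reject typos before they reach APIC (it would reject them as well)."""
    return pc_enf_pref in PC_ENF_PREF and ip_dp_learning in IP_DP_LEARNING


def build_vrf(name, descr="", pc_enf_pref="enforced", ip_dp_learning="enabled"):
    """fvCtx body for POST to the tenant URL. Defaults mirror the Create VRF
    dialog: Enforced and IP data-plane learning enabled."""
    if not valid_vrf_settings(pc_enf_pref, ip_dp_learning):
        raise ValueError(f"pcEnfPref must be one of {sorted(PC_ENF_PREF)}, "
                         f"ipDataPlaneLearning one of {sorted(IP_DP_LEARNING)}")
    return {"fvCtx": {"attributes": {
        "name": name,
        "descr": descr,
        "pcEnfPref": pc_enf_pref,
        "ipDataPlaneLearning": ip_dp_learning,
    }}}


def build_bd_attach(bd_name, vrf_name):
    """fvBD with the fvRsCtx relation that points the bridge domain at the VRF
    (the 'pick a bridge domain later' step of the post)."""
    return {"fvBD": {
        "attributes": {"name": bd_name},
        "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf_name}}}],
    }}


def tenant_post_url(apic, tenant=TENANT):
    """Posting a child object to the tenant's MO URL creates it under the tenant."""
    return f"https://{apic}/api/mo/uni/tn/{tenant}.json"


def show_usage_url(apic, vrf_name, tenant=TENANT):
    """Equivalent of Policy > Show Usage: the fvRtCtx children of the VRF are the
    reverse relations from every bridge domain whose fvRsCtx points at it."""
    return (f"https://{apic}/api/mo/uni/tn/{tenant}/ctx/{vrf_name}.json"
            "?query-target=children&target-subtree-class=fvRtCtx")


if __name__ == "__main__":
    apic = "apic.example.net"  # hypothetical host
    print("POST", tenant_post_url(apic))
    print(json.dumps(build_vrf("VRF_A", descr="study notes VRF"), indent=2))
    print("POST", tenant_post_url(apic))
    print(json.dumps(build_bd_attach("BD_Web", "VRF_A"), indent=2))
    print("GET ", show_usage_url(apic, "VRF_A"))
```

To actually send these, log in first with a POST to /api/aaaLogin.json and present the returned APIC-cookie on every request, and keep TLS certificate verification on; an unenforced VRF created by a script with a typo in pcEnfPref is exactly what the value check above is there to stop.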


Categories: Cisco DCACI

Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.
