How Do Bridge Domains and EPGs Work Together in Cisco ACI? [CCNP Enterprise]

Today we’re going deep into a topic that often seems overwhelming at first but becomes incredibly exciting once you get the hang of it — Cisco ACI (Application Centric Infrastructure). When I first started exploring Cisco ACI in customer data center deployments, I found myself fascinated by how it breaks the norms of traditional networking with policy-driven architecture.

If you’re preparing for CCNP/CCIE Data Center or working in enterprise network design, this guide will help you understand the building blocks of ACI — Bridge Domains and EPGs (Endpoint Groups) — in a simple, real-world manner with CLI, use cases, and labs. Let’s dive right in.


Theory in Brief

What is Cisco ACI? Cisco ACI is Cisco’s SDN (Software Defined Networking) solution for modern data centers. Unlike traditional switch-by-switch configurations, ACI is built around a centralized controller called the APIC (Application Policy Infrastructure Controller) that manages the entire fabric using policies.

ACI Logical Model Overview:

  • Tenants: Top-level container for policies, typically per customer or department.
  • VRFs (Private Networks): Layer 3 segmentation within a tenant.
  • Bridge Domains (BD): Layer 2 forwarding construct, similar to a VLAN.
  • EPGs (Endpoint Groups): Logical grouping of endpoints that share common policies.

Bridge Domains and EPGs in Action:

  • A Bridge Domain defines the subnet and gateway for your endpoints.
  • EPGs group devices like VMs, bare-metal servers, or containers. These EPGs connect to Bridge Domains and control communication through contracts (ACL-like policies).

Why It Matters: This decoupling of policy from topology allows you to enforce consistent security, QoS, and forwarding decisions across your data center — no matter where your workloads live.


Bridge Domains and EPGs Summary

Feature            | Bridge Domain                              | EPG (Endpoint Group)
-------------------|--------------------------------------------|--------------------------------------------
Layer              | Layer 2                                    | Logical grouping (above L2/L3)
Purpose            | Forwarding domain (like a VLAN)            | Group endpoints by application/policy
IP/Subnet Defined? | Yes                                        | No
Connected To       | EPGs, Subnets                              | BDs, Interfaces (Static Path, VMM, L2 Out)
Policy Role        | Routing/gateway config, flooding behavior  | Policy enforcement, contracts

Pros and Cons

Pros (Bridge Domain / EPG)                   | Cons
---------------------------------------------|-------------------------------------------
Centralized management (APIC)                | Steep learning curve
Decouples policy from physical topology      | Requires Cisco Nexus 9000 and APIC
Excellent for micro-segmentation             | Policy dependency issues if misconfigured
Flexible path mapping (Static/Dynamic)       | Slight complexity in troubleshooting

Essential CLI Commands (APIC & Leaf)

Task                         | Command Example                                          | Description
-----------------------------|----------------------------------------------------------|------------------------------------------------------------
Check EPGs in a Tenant       | moquery -c fvAEPg -f 'fv.AEPg.dn*"tn-Tenant1/"'           | Lists EPGs whose DN falls under the tenant (the `*` operator is a wildcard match; an exact `==` on the tenant DN would match no EPG)
Check BD Configuration       | moquery -c fvBD -f 'fv.BD.dn*"tn-Tenant1/"'               | Shows the BDs of the tenant; query fvSubnet the same way for their subnets
Verify Contract Attachments  | show contract usage                                      | Displays contracts used by EPGs
Interface Path Binding       | show interface eth 1/1 epg                               | Shows which EPG is mapped to the interface
Ping from Leaf Switch        | ping <destination IP>                                    | Useful for verifying endpoint reachability

Real-World Use Cases

Use Case                  | Description                                          | Benefit
--------------------------|------------------------------------------------------|--------------------------------------------
Multi-Tenant DC           | Isolate tenants using separate VRFs and EPGs         | Policy isolation, tenant-level control
App-Tier Segmentation     | Web, App, DB servers in different EPGs with contracts| Better security and access control
Hybrid Workload Policies  | Physical + virtual workloads in the same EPG         | Uniform policies regardless of location
Service Insertion         | Redirect traffic through a FW using contracts & BDs  | Integrated security without re-architecture

EVE-NG Lab: Mini ACI Simulation (Using vAPIC & vLeaf)

Lab Topology Diagram

  • Use Cisco Nexus 9000v switches with ACI simulation in EVE-NG
  • Simulate APIC using vAPIC image (limited functionality for practice)

Sample Configuration Flow:

# On APIC GUI or via REST/CLI
Create Tenant: Finance
Create VRF: Finance-VRF
Create Bridge Domain: BD-Finance
 Assign subnet: 10.10.10.1/24
Create Application Profile: App1
Create EPGs: Web-EPG, App-EPG
Associate both to BD-Finance
Bind EPG to interface: Leaf1 eth1/1 → Web-EPG
                      Leaf2 eth1/2 → App-EPG
Create Contracts: Web-to-App-Allow (TCP 8080)
Provide/Consume between EPGs
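The configuration flow above expressed as one APIC REST payload (an added example, not the article's or Cisco's own code): every object is the ACI class the APIC stores it as, so the tree can be POSTed to /api/mo/uni.json in a single call. The pod number, the leaf node IDs (101 for Leaf1, 102 for Leaf2) and the VLAN encap are assumptions; the article gives only the interface names.

```python
import json, urllib.request

def mo(cls, attrs, children=()):
    """Wrap an ACI managed object in the {class: {attributes, children}} REST shape."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}

def epg(name, node, port, rel):
    """EPG bound to BD-Finance plus a static path and one contract relation
    (rel is fvRsCons or fvRsProv). pod-1, node IDs and vlan-100 are assumed values."""
    return mo("fvAEPg", {"name": name}, [
        mo("fvRsBd", {"tnFvBDName": "BD-Finance"}),
        mo("fvRsPathAtt", {"tDn": f"topology/pod-1/paths-{node}/pathep-[eth{port}]",
                           "encap": "vlan-100"}),
        mo(rel, {"tnVzBrCPName": "Web-to-App-Allow"})])

def build_finance_tenant():
    """Tenant -> VRF, BD with subnet, AP with two EPGs, TCP/8080 filter and contract."""
    bd = mo("fvBD", {"name": "BD-Finance"}, [
        mo("fvRsCtx", {"tnFvCtxName": "Finance-VRF"}),  # a BD lives in exactly one VRF
        mo("fvSubnet", {"ip": "10.10.10.1/24"})])        # the gateway is a BD property
    flt = mo("vzFilter", {"name": "tcp-8080"}, [mo("vzEntry", {"name": "e1",
        "etherT": "ip", "prot": "tcp", "dFromPort": "8080", "dToPort": "8080"})])
    contract = mo("vzBrCP", {"name": "Web-to-App-Allow"}, [mo("vzSubj", {"name": "s1"},
        [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "tcp-8080"})])])
    ap = mo("fvAp", {"name": "App1"}, [
        epg("Web-EPG", 101, "1/1", "fvRsCons"),   # Web consumes ...
        epg("App-EPG", 102, "1/2", "fvRsProv")])  # ... the contract App provides
    return mo("fvTenant", {"name": "Finance"},
              [mo("fvCtx", {"name": "Finance-VRF"}), bd, flt, contract, ap])

def contract_roles(tenant):
    """Walk the tree and report {epg_name: {fvRsCons|fvRsProv: contract_name}}."""
    roles = {}
    for child in tenant["fvTenant"]["children"]:
        for apc in child.get("fvAp", {}).get("children", []):
            body = apc["fvAEPg"]
            roles[body["attributes"]["name"]] = {
                cls: c[cls]["attributes"]["tnVzBrCPName"]
                for c in body["children"] for cls in c if cls in ("fvRsCons", "fvRsProv")}
    return roles

def post_to_apic(apic_url, token, payload):
    """POST the tree with the aaaLogin cookie; TLS is verified (trust the lab APIC CA)."""
    hdrs = {"Cookie": f"APIC-cookie={token}", "Content-Type": "application/json"}
    req = urllib.request.Request(f"{apic_url}/api/mo/uni.json", method="POST",
                                 data=json.dumps(payload).encode(), headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run contract_roles() on the tree before posting: if an EPG is missing from the result, no contract relation was attached to it and, with the VRF in enforced mode, its traffic will be dropped.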

Troubleshooting Tips

Problem                          | Command/Tool                    | Resolution
---------------------------------|---------------------------------|--------------------------------------------------------------
Endpoint not learned             | show endpoint (on the leaf)     | Check the EPG mapping and the BD subnet config
Contract not enforced            | show zoning-rule                | Validate the correct provider/consumer setup
Ping fails between EPGs          | ping from the leaf or endpoint  | Ensure a contract permits the traffic and the BD subnet/gateway is configured
Wrong interface to EPG mapping   | show interface epg              | Rebind or verify the static path binding
APIC config not syncing          | Check APIC logs or moquery      | Verify fabric health and sync status

Frequently Asked Questions (FAQs)

1. What is a Bridge Domain in Cisco ACI?

Answer:
A Bridge Domain (BD) in Cisco ACI is a Layer 2 forwarding construct within a Tenant. It represents a broadcast domain, similar to a VLAN in traditional networking. All endpoints associated with the same BD can communicate at Layer 2. It is directly associated with a Subnet and can be connected to multiple EPGs.


2. What is an Endpoint Group (EPG)?

Answer:
An Endpoint Group (EPG) is a logical grouping of endpoints (servers, VMs, etc.) that share the same policy. EPGs determine how traffic is classified and treated in Cisco ACI. Policies like contracts (which define allowed traffic) are applied between EPGs rather than between VLANs or subnets.


3. How do Bridge Domains and EPGs relate to each other?

Answer:
EPGs are bound to a Bridge Domain. This means that all endpoints in an EPG reside in the same Layer 2 network (BD). The BD provides the networking context, while the EPG defines policy boundaries. You can have multiple EPGs mapped to the same BD, allowing policy-based segmentation within the same subnet.


4. Can multiple EPGs share the same Bridge Domain?

Answer:
Yes. This is a common design practice in ACI. Multiple EPGs can be associated with a single Bridge Domain. This allows for Layer 2 connectivity among endpoints, but policies (contracts) between EPGs control which endpoints can talk to each other, providing segmentation within a shared subnet.


5. Is subnet configuration done in the Bridge Domain or EPG?

Answer:
Subnets are configured within the Bridge Domain, not the EPG. The BD defines the IP gateway for the endpoints connected to it. You can also define multiple subnets in a BD if needed, and decide whether they are advertised externally or used internally.


6. Do EPGs provide any Layer 3 routing function?

Answer:
No. EPGs do not provide Layer 3 routing themselves. Routing between subnets (inter-BD routing) is handled by Contract and VRF logic within the ACI fabric. EPGs are simply groupings of endpoints for applying policy, not routing constructs.


7. How do Contracts work between EPGs?

Answer:
Contracts in Cisco ACI define what kind of traffic is allowed between two EPGs. Whether EPG A and EPG B are in the same or in different Bridge Domains, they cannot talk to each other unless a contract is applied. Contracts contain filters that define the protocols/ports allowed.


8. Can a Bridge Domain span multiple VRFs?

Answer:
No. A Bridge Domain is always associated with a single VRF. VRFs provide Layer 3 segmentation, and a BD cannot exist in more than one VRF. However, multiple BDs can exist within the same VRF.


9. What happens if I associate two EPGs to different BDs but forget to configure a contract?

Answer:
If no contract is applied and the VRF is in ‘Enforced’ mode (which it is by default), there will be no communication between the EPGs, even if the Bridge Domains are in the same VRF. A contract must be configured to explicitly allow communication between those EPGs.


10. Can I use Bridge Domains without EPGs or vice versa?

Answer:
No. In Cisco ACI, both Bridge Domains and EPGs are mandatory components of the forwarding and policy model. A BD provides Layer 2 context, and EPGs group endpoints for policy enforcement. One cannot function as intended without the other in an operational ACI fabric.


YouTube Link

Watch the Complete CCNP Enterprise: How Do Bridge Domains and EPGs Work Together in Cisco ACI? Lab Demo & Explanation on our channel:

Class 1 CCNP Enterprise Course and Lab Introduction | FULL COURSE 120+ HRS | Trained by Sagar Dhawan
Class 2 CCNP Enterprise: Packet Flow in Switch vs Router, Discussion on Control, Data and Management
Class 3 Discussion on Various Network Device Components
Class 4 Traditional Network Topology vs SD Access Simplified

Final Note

Understanding how Bridge Domains and EPGs work together in Cisco ACI, and how to implement them, is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.

If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:

CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!

Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.

Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

Upskill now and future-proof your networking career!


Sagar Dhawan

Hi all,
Good to see you here.
I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up!
Stay tuned for latest updates!
Keep me posted over Whatsapp/Email about your experience learning from us.
Thanks for being part of - "Network Journey - A journey towards packet-life!!!"