ACI deny rule for Specific endpoints

Venky_21
Level 1

Hi folks,

I have /32 IPs configured in the ACL of a traditional switch, within the same subnet and across different subnets as well.

If I have to propose an ACI solution and I need to restrict communication between specific endpoints, which ACI solution should I use? Can we use a deny rule for specific EPs within or between EPGs?

Thank you


Accepted Solution

micgarc2
Cisco Employee

No, we cannot deny a specific IP learned in the fabric. Since ACI groups EPs into EPGs, it is just based on contracts and/or preferred groups if you get more advanced. Contracts are based on protocols/ports. If you have any scenarios where you need EPs within an EPG to be restricted, you can use intra-EPG isolation. If this isn't your need, the closest thing you can do is strategically configure your EPGs/contracts to segregate your workloads.

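As an added illustration (not part of the original thread or of any Cisco code), the segmentation the accepted answer describes can be expressed as the APIC REST payload it would become: two EPGs, a contract whose filter matches only a protocol/port, and intra-EPG isolation (`pcEnfPref="enforced"`) on the EPG whose members must not talk to each other. The managed-object classes and attributes (`fvTenant`, `fvAp`, `fvAEPg`, `vzFilter`, `vzEntry`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`, `fvRsProv`, `fvRsCons`, `fvRsBd`) are APIC's documented ones; the tenant, bridge domain, application profile, EPG, filter and contract names (`Demo`, `BD1`, `App1`, `Web`, `DB`, `mysql`, `web-to-db`) are made up for the example. The `permitted_flows` helper walks the tree to show what the fabric actually keys on: EPG membership plus L4 match, with no endpoint IP anywhere in the policy.

```python
import json

# APIC managed-object classes used here (documented in the ACI object model):
#   fvTenant > fvAp > fvAEPg      pcEnfPref="enforced" turns on intra-EPG isolation
#   vzFilter > vzEntry            protocol/port match; no IP addresses appear
#   vzBrCP > vzSubj > vzRsSubjFiltAtt   contract subject referencing a filter
#   fvRsProv / fvRsCons           attach a contract to an EPG as provider / consumer
# Tenant, BD, application profile, EPG, filter and contract names are made up.


def make_filter(name, prot, port):
    """vzFilter with one vzEntry matching a single IP protocol and L4 dest port."""
    entry = {"name": f"{prot}-{port}", "etherT": "ip", "prot": prot,
             "dFromPort": str(port), "dToPort": str(port), "stateful": "yes"}
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def make_contract(name, filter_names, scope="context"):
    """vzBrCP with one subject that references the given filters (scope = VRF)."""
    refs = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
            for f in filter_names]
    subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": refs}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [subj]}}


def make_epg(name, bd, provides=(), consumes=(), isolate=False):
    """fvAEPg bound to bridge domain `bd`; isolate=True enforces intra-EPG isolation."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    attrs = {"name": name, "pcEnfPref": "enforced" if isolate else "unenforced"}
    return {"fvAEPg": {"attributes": attrs, "children": children}}


def build_tenant(tenant="Demo", bd="BD1"):
    """Web may reach DB on TCP/3306 only; DB endpoints cannot talk to each other."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        make_filter("mysql", "tcp", 3306),
        make_contract("web-to-db", ["mysql"]),
        {"fvAp": {"attributes": {"name": "App1"}, "children": [
            make_epg("Web", bd, consumes=["web-to-db"]),
            make_epg("DB", bd, provides=["web-to-db"], isolate=True),
        ]}},
    ]}}


def _epgs(tenant_mo):
    for mo in tenant_mo["fvTenant"]["children"]:
        if "fvAp" in mo:
            for child in mo["fvAp"]["children"]:
                yield child["fvAEPg"]


def isolated_epgs(tenant_mo):
    """Names of EPGs whose members are isolated from one another."""
    return {e["attributes"]["name"] for e in _epgs(tenant_mo)
            if e["attributes"]["pcEnfPref"] == "enforced"}


def permitted_flows(tenant_mo):
    """(consumer EPG, provider EPG, prot, port) tuples the policy permits.
    The derivation never touches an endpoint IP: EPG membership + L4 match only."""
    top = tenant_mo["fvTenant"]["children"]
    filters = {m["vzFilter"]["attributes"]["name"]:
               [(e["vzEntry"]["attributes"]["prot"], e["vzEntry"]["attributes"]["dFromPort"])
                for e in m["vzFilter"]["children"]]
               for m in top if "vzFilter" in m}
    contracts = {m["vzBrCP"]["attributes"]["name"]:
                 [ent for s in m["vzBrCP"]["children"]
                  for r in s["vzSubj"]["children"]
                  for ent in filters[r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]]]
                 for m in top if "vzBrCP" in m}
    prov, cons = {}, {}
    for epg in _epgs(tenant_mo):
        for ch in epg["children"]:
            for rel, table in (("fvRsProv", prov), ("fvRsCons", cons)):
                if rel in ch:
                    table.setdefault(ch[rel]["attributes"]["tnVzBrCPName"],
                                     []).append(epg["attributes"]["name"])
    return {(c, p, prot, port) for name, ents in contracts.items()
            for c in cons.get(name, []) for p in prov.get(name, [])
            for prot, port in ents}


if __name__ == "__main__":
    policy = build_tenant()
    print(json.dumps(policy, indent=1))
    print("isolated:", isolated_epgs(policy))
    print("permitted:", permitted_flows(policy))
```

The tree printed by `build_tenant()` is the body you would POST to `https://<apic>/api/mo/uni.json` after an `aaaLogin` (APIC-cookie token); nothing in it names a /32, which is the point of the answer above: to pin down the two endpoints from the question you would have to place them in EPGs of their own, or isolate them within their EPG, and then grant only the ports that must stay open.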
