12-03-2020 06:51 AM
Hi,
Unfortunately I can't easily find any manuals on how to use ACI in open mode without inter-EPG contracts.
Is it a valid mode? Where can I find any manuals about it?
12-03-2020 07:31 AM
There are a couple of ways to accomplish what you're asking.
1) Unenforced VRF. This option removes any policy (contracts) for all endpoint communication within the scope of a VRF. Keep in mind, this also prevents you from leveraging features like Policy Based Redirect (PBR), which are dependent on policy being enforced. By default, all communication between endpoints eventually hits an implicit-deny ACL, but this would disable all contracts from being applied, removing the default 'whitelist' security mode.
2) Using vzAny. This is a special EPG that represents ALL EPGs within a VRF. This would allow the VRF to remain enforced, but you can allow any:any communication between any EPGs that are within the VRF.
3) Preferred Group Member. This is another feature that gets more granular than vzAny, but allows select EPGs within a VRF to be part of the "Preferred Group". EPGs that are part of the PG can freely communicate. Any EPGs that are not members will not.
These concepts are explained in a great Cisco Live Session here: https://www.ciscolive.com/global/on-demand-library.html?search=ACI%20security&search=ACI+security#/session/1573153555522001JKm0
Robert
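The three options in the answer above, as an added example that is not code from this thread or from Cisco: it builds the APIC JSON objects for an unenforced VRF, a vzAny any:any contract, and a preferred group, and pairs them with a small evaluator that shows which EPG pairs each option permits when no other contract exists. Class and attribute names (fvCtx, vzAny, vzBrCP, vzSubj, fvAEPg, pcEnfPref, prefGrMemb, tnVzBrCPName) are from the ACI object model; the tenant, VRF, contract and EPG names are made up, and the script never contacts an APIC.

```python
"""
Added example, not from the thread or from Cisco: APIC JSON for the three
"open mode" options (unenforced VRF, vzAny contract, preferred group) and
an evaluator showing which EPG pairs each one permits.  Class/attribute
names are from the ACI object model; tenant, VRF, contract and EPG names
are made up.  The payloads are what you would POST under the tenant's
MO path (assumed: /api/mo/uni/tn-<tenant>.json); nothing here talks to a
real APIC.
"""
import json

TENANT = "demo"          # made-up tenant name
VRF = "prod"             # made-up VRF name
CONTRACT = "permit-any"  # made-up contract name


def unenforced_vrf(vrf=VRF):
    """Option 1: VRF with policy enforcement off.  Every EPG pair in the VRF
    can talk; contracts, and features that ride on them such as PBR, are
    not applied."""
    return {"fvCtx": {"attributes": {"name": vrf, "pcEnfPref": "unenforced"}}}


def any_any_contract(name=CONTRACT):
    """Contract with one subject that references the 'default' filter from
    tenant common, which matches all traffic."""
    return {"vzBrCP": {
        "attributes": {"name": name, "scope": "context"},
        "children": [{"vzSubj": {
            "attributes": {"name": "any"},
            "children": [{"vzRsSubjFiltAtt": {
                "attributes": {"tnVzFilterName": "default"}}}]}}]}}


def vzany_open(vrf=VRF, contract=CONTRACT):
    """Option 2: VRF stays enforced, but vzAny both provides and consumes the
    any:any contract, so every EPG in the VRF reaches every other one."""
    return {"fvCtx": {
        "attributes": {"name": vrf, "pcEnfPref": "enforced"},
        "children": [{"vzAny": {
            "attributes": {},
            "children": [
                {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": contract}}},
                {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": contract}}},
            ]}}]}}


def preferred_group(members, vrf=VRF):
    """Option 3: enable the preferred group on the VRF (vzAny.prefGrMemb) and
    mark the chosen EPGs as included.  Returns (VRF object, list of fvAEPg
    objects); the fvAEPg objects belong under their application profile."""
    ctx = {"fvCtx": {
        "attributes": {"name": vrf, "pcEnfPref": "enforced"},
        "children": [{"vzAny": {"attributes": {"prefGrMemb": "enabled"}}}]}}
    epgs = [{"fvAEPg": {"attributes": {"name": e, "prefGrMemb": "include"}}}
            for e in members]
    return ctx, epgs


def permitted(mode, src, dst, members=frozenset()):
    """Is src->dst traffic between two EPGs of one VRF permitted when no other
    contract exists?  'enforced' is the default whitelist (implicit deny)."""
    if src == dst:                       # intra-EPG traffic is open by default
        return True
    if mode in ("unenforced", "vzany"):
        return True
    if mode == "preferred_group":
        return src in members and dst in members
    if mode == "enforced":
        return False
    raise ValueError(f"unknown mode {mode!r}")


def pbr_available(mode):
    """Policy Based Redirect needs contracts to be applied, so it is lost
    only with the unenforced VRF."""
    return mode != "unenforced"


if __name__ == "__main__":
    print(json.dumps(vzany_open(), indent=2))
    pg = frozenset({"web", "app"})
    modes = ("enforced", "unenforced", "vzany", "preferred_group")
    for a, b in [("web", "app"), ("web", "db")]:
        print(f"{a}->{b}:", {m: permitted(m, a, b, pg) for m in modes})
```

The evaluator makes the trade-off concrete: `unenforced` and `vzany` permit every pair, but only `vzany` keeps contracts (and therefore PBR) in play, and `preferred_group` permits a pair only when both EPGs are included, so an EPG left out of the group still needs an explicit contract to reach the members.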