Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5515
Views
0
Helpful
10
Replies

ACI Intra EPG Isolation in L2 Bridge Domain

Go to solution
Ernesto Fernandez gomez-pinto
Level 1
Level 1

‎05-24-2021 07:50 AM

Hello,

 

I have a EPG configured in L2 BD (ACI is not the DG of this subnet), and i have activated Intra-EPG isolation with a Intra-EPG contract to control the permited traffic, but it don't work. Is it a supported configuration?, are there any documentation for it?.

 

Regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Robert Burns
Cisco Employee
Cisco Employee

‎05-25-2021 07:19 AM - edited ‎05-25-2021 07:19 AM

No its not supported.  for Proxy arp to work, the BD needs to be L3.  (SVI + Unicast Routing).

Robert

View solution in original post

0 Helpful
10 Replies 10

Go to solution
a12288
Level 3
Level 3

‎05-24-2021 08:35 AM

You can attach some screenshots of your config here.

0 Helpful

Go to solution
Ernesto Fernandez gomez-pinto
Level 1
Level 1
In response to a12288

‎05-24-2021 09:15 AM

Hi,

 

Attached screenshots of BD and EPG.

 

L2 BD Configuration

 

L2 BD Configuration of L3

 

EPG Configuration

 

Intra-EPG contract

 

Regards.

Preview file
47 KB
Preview file
46 KB
Preview file
44 KB
Preview file
89 KB
Preview file
75 KB
0 Helpful

Go to solution
a12288
Level 3
Level 3
In response to Ernesto Fernandez gomez-pinto

‎05-24-2021 10:19 AM

What about your associated domain part of config?

0 Helpful

Go to solution
Ernesto Fernandez gomez-pinto
Level 1
Level 1

‎05-24-2021 12:16 PM

Hello,

 

Attached the domain configuration. The test are with two vmaware VM, and with vmware integrate with ACI.

 

Regards.

Preview file
59 KB
Preview file
75 KB
0 Helpful

Go to solution
Robert Burns
Cisco Employee
Cisco Employee

‎05-24-2021 04:10 PM

Which version and Leaf models are you using?

Robert

0 Helpful

Go to solution
Ernesto Fernandez gomez-pinto
Level 1
Level 1

‎05-24-2021 10:55 PM

Hi,

 

Version 5.1.3 and leaf FX (93180YC and 93108TC).

 

Regards.

0 Helpful

Go to solution
Robert Burns
Cisco Employee
Cisco Employee
In response to Ernesto Fernandez gomez-pinto

‎05-25-2021 05:24 AM

What exactly are you trying to accomplish?  Are you trying to restrict Intra-EPG communication to just ICMP? (Intra EPG Contract), or are you trying to prevent any communication within an EPG (Intra EPG Isolation)?  If you just want to filter the Intra-EPG traffic, then all you need is the contract, not the isolation flag.

Robert

0 Helpful

Go to solution
Ernesto Fernandez gomez-pinto
Level 1
Level 1

‎05-25-2021 05:35 AM

Hi,

I need permit specifict traffic in the EPG and deny rest, so I need Intra-EPG isolation for deny L2 traffic and Intra-EPG contract to permit specific traffic. This configuration works fine when ACI Bridge Domain has Unicast Routing enabled and IP configured in the BD, but for me don't work when the BD is L2.

 

The question is if this is supported.

 

Regards.

0 Helpful

Go to solution
Imran.M
Level 1
Level 1
In response to Ernesto Fernandez gomez-pinto

‎05-25-2021 07:05 AM

 

ACI is a zero trust environment when its Enforced.

 

when you create EPG where it says (intra EPG isolation) select "Enforced" and use contracts to allow traffic between EPG's 

 

 

0 Helpful

Go to solution
Robert Burns
Cisco Employee
Cisco Employee

‎05-25-2021 07:19 AM - edited ‎05-25-2021 07:19 AM

No its not supported.  for Proxy arp to work, the BD needs to be L3.  (SVI + Unicast Routing).

Robert

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License