Solved: Assistance on how to define hosts in Application EPG

bl80 · ‎05-03-2022

I have numerous uSEG EPGs in the Fabric, all from various App Profiles tied to our VMM Domain set with micro-segmentation. This uEPG deployment is pretty straight forward and working great. Have a number of other App EPGs defined from connections to systems, each tagged VLAN ID is then mapped at the AAEP -- one vlan per APP EPG and this also works great.

We have a new fabric connected system that needs to be setup that will house a couple internal application servers. Was hoping to set both of these app servers on the same vlan (tagged at the bond on the connected appliance).

What I am not clear on -- how to a map each APP EPG to these two "servers' that will be on the same vlan?

Hoping this can be accomplished.

Setup is a physical domain, static vlan pool (1 vlan), defined on AAEP setup on VPC leaf interface policy group setup on single interface on vpc pair of leafs.

As noted, I've done the exact setup before using a pool of vlans and each vlan was then mapped at AAEP, one vlan ID mapped to one APP EPG. Just not sure if possible to map same vlan to different App EPGs - both will be under the same Bridge Domain and same subnet. Really just want to set them up in different App EPGs for contract control for their use purposes.

If its important, the appliance that is being connected to the fabric is a Veritas Flex -- https://www.veritas.com/content/support/en_US/doc/130821112-140800124-0/v130821165-140800124

Thank you!

Robert Burns · ‎05-06-2022

Here's the jist of how to set this up.

The BD Should be setup as follows:

The Base EPG and uSeg EPG need to be part of the same BD.
The BD must have a subnet/SVI defined
Unicast Routing must be enabled on the BD

The base (Application) EPG is standard, nothing special other than associating the appropriate Physical Domain and BD

The uSeg EPG should be setup as follows:

Associate the appropriate Physical Domain and BD
Each Leaf where the BD is deployed and uSeg endpoints will exist needs to be added as Static Leafs (Deployment Immediacy should be set to Immediate). **For VPC connected hosts, both Leafs need to be added.
Create a uSeg Attribute matching for "IP" equals [IP]. The matching IP can be an explicit IP, or a subnet.

Here's some screenshots for your reference.

uSeg EPG: Config

uSeg EPG: Phys Domain Binding (linked with VLAN Pool ID 500)

uSeg EPG: Static Leaf assignment

uSeg EPG: Matching Attributes

BD: General Config

BD: L3 Config

uSeg EPG: Client Endpoint Learning/Match

Robert

View solution in original post

Robert Burns · ‎05-05-2022

Have you considered using uSeg on your Veritas baremetal system? You could perform EPG assignment based on Network attributes (IP attribute) and differentiate applications as such. Then you could assign contracts between the respective uSeg App EPGs and other endpoints to allow/restrict access.
Would look something like this:

Robert

bl80 · ‎05-05-2022

Where is the Micro-segmentation allowed for this? I know with our VCenter connection its defined on the VM Domain.

I see there is option under "static ports" section of the App EPG that looks like I can define the VPC in use and do Micro-Segmentation there. Is this where it would be setup? Any specific example configurations of this you could share? Looks like it need at least 2 vlans. One for port encapsulation and one for the micro-segmentation? Appreciate the advice and think this will be the best solution once I get handle on best way to deploy. Thank you!

Robert Burns · ‎05-06-2022

Here's the jist of how to set this up.

The BD Should be setup as follows:

The Base EPG and uSeg EPG need to be part of the same BD.
The BD must have a subnet/SVI defined
Unicast Routing must be enabled on the BD

The base (Application) EPG is standard, nothing special other than associating the appropriate Physical Domain and BD

The uSeg EPG should be setup as follows:

Associate the appropriate Physical Domain and BD
Each Leaf where the BD is deployed and uSeg endpoints will exist needs to be added as Static Leafs (Deployment Immediacy should be set to Immediate). **For VPC connected hosts, both Leafs need to be added.
Create a uSeg Attribute matching for "IP" equals [IP]. The matching IP can be an explicit IP, or a subnet.

Here's some screenshots for your reference.

uSeg EPG: Config

uSeg EPG: Phys Domain Binding (linked with VLAN Pool ID 500)

uSeg EPG: Static Leaf assignment

uSeg EPG: Matching Attributes

BD: General Config

BD: L3 Config

uSeg EPG: Client Endpoint Learning/Match

Robert

bl80 · ‎05-06-2022

Thank you @Robert Burns !! Might ping you if any specific questions but the above makes perfect sense, I've just not deployed EPGs in this exact manner before.