06-25-2020 05:51 PM
Hi,
I have an ACI setup where several EPGs are in the same subnet and the same bridge domain. There are no contracts between them; however, when one host in EPG A does a ping sweep using nmap, it is able to see the IP addresses of hosts in the other EPGs. Is this normal?
Appreciate the help.
06-25-2020 10:38 PM
It might be possible that nmap "sees" the other endpoints based on ARP replies and not necessarily based on ICMP replies.
If you do individual pings to the observed endpoints, do they work? If not, then it is just ARP, which, in case ARP flooding is enabled, the ACI fabric will flood within the BD. Workaround -> disable ARP flooding.
If you do see ICMP replies, check if EPGs are in a preferred group or if the VRF is unenforced.
Stay safe,
Sergiu
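One quick way to check the hypothesis above from the scanning host's own output: `nmap -sn --reason` prints why each host was marked up ("arp-response" when only ARP answered, "echo-reply" when ICMP actually got through). The parser below, an added example that is not part of this thread, splits the discovered hosts into ARP-only and ICMP/L3-reachable; the sample output is constructed, and the exact "Host is up, received ..." wording is assumed from nmap's normal output format.

```python
import re

# Constructed sample of `nmap -sn --reason 10.1.1.0/24` normal output.
# Not a real scan: addresses and MACs are made up for illustration.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.1.1.11
Host is up, received arp-response (0.00042s latency).
MAC Address: 00:50:56:AA:BB:01 (VMware)
Nmap scan report for epg-b-host (10.1.1.12)
Host is up, received arp-response (0.00051s latency).
MAC Address: 00:50:56:AA:BB:02 (VMware)
Nmap scan report for 10.1.1.20
Host is up, received echo-reply ttl 64 (0.0012s latency).
Nmap scan report for 10.1.1.30
Host is up, received arp-response (0.00039s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds
"""

# "Nmap scan report for 10.1.1.11" or "Nmap scan report for name (10.1.1.12)"
REPORT_RE = re.compile(r"^Nmap scan report for .*?(\d{1,3}(?:\.\d{1,3}){3})")
# "Host is up, received <reason> ..." (reason is the token after "received")
REASON_RE = re.compile(r"^Host is up, received (\S+)")


def parse_reasons(text):
    """Map each host IP in nmap --reason output to the reason it was marked up."""
    reasons = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = REASON_RE.match(line)
        if m and current:
            reasons[current] = m.group(1)
            current = None  # one reason line per report block
    return reasons


def classify(reasons):
    """Split hosts into ARP-only (L2 flooding in the BD) and L3-reachable.

    An ARP-only host answered ARP but nothing else, which is consistent with
    ARP flooding inside the bridge domain rather than a missing contract.
    A host seen via echo-reply (or a TCP/UDP reason) actually passed policy,
    so the VRF enforcement / preferred group settings deserve a look."""
    arp_only = sorted(ip for ip, r in reasons.items() if r == "arp-response")
    l3_reachable = sorted(ip for ip, r in reasons.items() if r != "arp-response")
    return arp_only, l3_reachable


if __name__ == "__main__":
    arp_only, l3 = classify(parse_reasons(SAMPLE_OUTPUT))
    print("ARP-only (expected with ARP flooding):", arp_only)
    print("L3-reachable (check contracts/VRF):   ", l3)
```

Run it against a saved `nmap -sn --reason` output instead of the constructed sample to see which "visible" endpoints actually exchanged IP traffic with the scanner.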