01-24-2016 05:35 AM - edited 03-01-2019 04:55 AM
Hi,
I have a question: one of our customers is asking to have control within the same EPG. For example, there is an EPG_FE with multiple VMs in it. How can we block access between these VMs under the same VLAN or EPG in the ACI fabric?
The customer only has DVS in the vCenter env.
01-25-2016 06:06 AM
In ACI version 1.2(1i) or later, there is a feature called "Microsegmentation".
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_1_2_1x_chapter_01000.html
Microsegmentation with Cisco ACI provides support for virtual endpoints attached to Cisco Application Virtual Switch (AVS) and for Microsoft vSwitch using the OpFlex protocol. This feature is not available with VMware DVS.
So unfortunately for your customer, this feature will not work. A way you can still do this is to create multiple EPGs within the same BD and use contracts to enforce policy.
Cheers!
T.
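The workaround in the reply above (several EPGs on one BD, with contracts between them), sketched as an added example that is not part of the original reply or Cisco's own code. It builds an APIC REST JSON payload and lists which EPG pairs a contract permits; the tenant, application profile, BD, EPG, contract and filter names are assumptions, the filter is assumed to already exist, and the VMM domain binding is omitted.

```python
import json

def mo(cls, attrs, children=()):
    """Build one APIC managed object in the REST API's JSON shape."""
    return {cls: {"attributes": attrs, "children": list(children)}}

def split_epg_payload(tenant, app, bd, epgs, contracts):
    """epgs: names of the new EPGs, all bound to the same bridge domain.
    contracts: {name: (provider_epg, consumer_epg, filter_name)}."""
    epg_children = {e: [mo("fvRsBd", {"tnFvBDName": bd})] for e in epgs}
    contract_mos = []
    for name, (prov, cons, flt) in contracts.items():
        epg_children[prov].append(mo("fvRsProv", {"tnVzBrCPName": name}))
        epg_children[cons].append(mo("fvRsCons", {"tnVzBrCPName": name}))
        subj = mo("vzSubj", {"name": name + "-subj"},
                  [mo("vzRsSubjFiltAtt", {"tnVzFilterName": flt})])
        contract_mos.append(mo("vzBrCP", {"name": name}, [subj]))
    ap = mo("fvAp", {"name": app},
            [mo("fvAEPg", {"name": e}, epg_children[e]) for e in epgs])
    return mo("fvTenant", {"name": tenant}, contract_mos + [ap])

def allowed_pairs(payload):
    """Return (consumer, provider) EPG pairs that share a contract.
    Under ACI's whitelist model every other inter-EPG pair is dropped."""
    prov, cons = {}, {}
    for child in payload["fvTenant"]["children"]:
        for epg in child.get("fvAp", {}).get("children", []):
            name = epg["fvAEPg"]["attributes"]["name"]
            for rel in epg["fvAEPg"]["children"]:
                for cls, table in (("fvRsProv", prov), ("fvRsCons", cons)):
                    if cls in rel:
                        key = rel[cls]["attributes"]["tnVzBrCPName"]
                        table.setdefault(key, set()).add(name)
    return {(c, p) for k in prov for p in prov[k] for c in cons.get(k, ())}

if __name__ == "__main__":
    # Constructed sample: EPG_FE split in three, only A may reach B.
    payload = split_epg_payload(
        "T1", "AP1", "BD_FE", ["EPG_FE_A", "EPG_FE_B", "EPG_FE_C"],
        {"A_to_B": ("EPG_FE_B", "EPG_FE_A", "allow-https")})
    print(json.dumps(payload, indent=2))   # body for POST /api/mo/uni.json
    print(sorted(allowed_pairs(payload)))
```

EPG_FE_C appears in no pair, so it is isolated from the other two even though all three share the bridge domain.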
01-25-2016 06:18 AM
In addition to what Tomas mentioned, there is an Intra-EPG isolation feature on the roadmap which is targeting the next major release. No ETA at this point, but it's coming.
Robert
01-25-2016 09:57 PM
Thank you Tomas and Robert for the clarification. So AVS is the way to go unless a new release comes up with micro-segmentation for DVS.
Thanks.
Regards
Imran
02-02-2016 09:53 AM
Hi Robert,
Just to see if I understood you correctly... If I have two bare metal servers in the same EPG, Intra-EPG isolation is not available in the current latest release... yet (by the way, I'm running 1.2(1i))... correct?
Regards,
Bruno Fernandes