Here is a simple scenario to show the questions on which I would like to get some clarification regarding EPG and ESG.
I currently have 3 EPGs for VLANs 10, 20 and 30. Intra-EPG isolation is not enabled. Each has a number of workloads/endpoints included and a unique BD associated under a single VRF. The BDs have the default gateway addresses for the VLANs. vzAny is used under the VRF.
I plan to create two ESGs and would use IP tags and VM tags to include only:
- Workloads A & B from EPG/VLAN 10 for ESG1
- Workload AA from EPG/VLAN 20 for ESG2
With this ESG setup, I want to create specific contracts/filters to:
- Allow workload A communication with workload AA for SSH
- Deny workload B communication with workload AA for SSH
Now the question is, with the existing vzAny, will workloads under the same EPG still be able to communicate with each other, whether they are included as part of an ESG or not? Will inter-EPG communication still be allowed? Initially I was quite positive, but after reading the ESG design guide, linked below, I am not so sure anymore...
Referencing the following from the ESG design guide:
Q. Can I configure contracts between ESGs and EPGs?
A. No. When using ESGs, all security should be handled in ESGs, and EPGs should be used only for network constructs such as VLAN. When migrating EPGs to ESGs, EPG selectors can be used. EPG selectors enable you to inherit contracts from matched EPGs to the ESG such that communications between the matched EPGs that migrated to the ESG and other EPGs that have yet to migrate to ESGs are allowed during the migration phase.
Will this apply to vzAny or only to specific contracts? Or does it require me to have all the EPGs mapped into ESGs in order to utilize the ESG feature?
https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-aci-esg-design-guide.html