Hi @crispin.robinson ,
First a tip:
When posting on the forum, add your pictures inline (click the Camera icon and simply click in, then paste your picture in the grey area of the dialogue that appears, or select the files.) This means you pictures are actually SEEN (a) in the email that gets sent to subscribers and (b) anyone who looks at this post in the future. Adding pictures as attachments... puts your submission into the TL;DR category.
And now let's look at your statement
NB: They are coming off the same Interface, does that make a difference? Same EPG/BD/VRF.
Yep. It sure does! What that means is that the two hosts are connected to each other via a L2 switch or (more likely in your case since they are VMs) a vSwitch
So therefore, the traffic BETWEEN these two hosts will NEVER reach an ACI leaf where the policy is enforced.
The FIX
I guess you could fix this by deploying Cisco's AVE vSwitch on your ESXi hosts, but that decision is best made at the initial deployment stage.
An easier way at this stage is to isolate one of the hosts into a different VLAN but leave it in the same EPG and there are a couple of approaches.
- Use microsegmentation - isolating one of the VMs via name (for example)
- Use a static mapping for ONE of the VMs
The Microsegmentation approach doesn't really keep them in the same EPG though
So the static approach would go like this
- In vMware, create a new portgroup mapped to a new VLAN
- Statically map ONE of your VMs to that portgroup
- Statically map that VLAN to the SAME EPG
- And now you should be able to do the isolation
RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
