08-20-2018 01:27 PM - edited 03-01-2019 05:37 AM
Hi there,
I am new to Cisco ACI and wanted to know how I can control VM-to-VM traffic using Cisco ACI. If we deploy the vDS from Cisco ACI, I believe we will have full visibility of the VM traffic, but what if we are not allowed to manage or deploy the vDS from ACI? Can I still manage the VM traffic? Can you please provide/guide me to the right info/URL which explains the virtual switches, including the types and the differences between them?
Appreciate your response.
08-20-2018 02:05 PM
Hi Raoul07,
You have a perfectly classic example of exactly what ACI was designed to do with ease. Imagine you have two VMs called VM_A and VM_B.
I'll need to make some assumptions:
Here's what you'd do in ACI:
Now you will have the following:
I hope this helps.
Don't forget to mark answers as correct if they solve your problem. This helps others find the correct answer if they search for the same problem.
08-21-2018 12:42 AM
Hi Chris,
Thanks for the reply. The explanation you gave holds good for traffic hitting the leaf switch. What about traffic which is not seen by the leaf switch? i.e., traffic within the same ESXi cluster, traffic within the same port group and traffic within the same host.
I believe we would need a software switch, installed at the ESXi level, which can act as a leaf (in ACI terms) and apply policies configured from APIC. Please correct me if my understanding is wrong.
I have heard about AVS, vDS, Virtual Edge, etc., but have not been able to understand clearly where and when these can be used.
08-21-2018 02:48 AM
I believe we would need a software switch, installed at the ESXi level, which can act as a leaf (in ACI terms) and apply policies configured from APIC. Please correct me if my understanding is wrong.
Correct!
Originally Cisco would have advised the AVS (Application Virtual Switch, aka Nexus 1000V reborn), but with VMware v6.5 the AVS was made incompatible, and so now we have the Cisco AVE (Application Virtual Engine), which is also a virtual switch but is installed as a VM instead of being directly connected to the ESXi kernel, so it may actually be easier to implement anyway (especially if you don't have a great relationship with the VMware team).
There is also the option of doing "Microsegmentation", something the VMware people might feel more familiar with. This still involves interaction with the VMware VDS (or AVE).
The whole concept/argument comes down to "Where is the policy applied?" Cisco likes to apply policy as traffic enters the leaf switch, but VMware likes to apply policy at the vSwitch or send traffic via a virtual gateway. To counter this, Cisco also allows policy enforcement on a vSwitch (AVS/AVE), but as I said before, this will involve some co-operation with the VMware team. The comment that worries me most in your original post is:
but what if we are not allowed to manage or deploy the vDS from ACI?
So in light of this, I suggest you explore the AVE approach. Read the AVE Migration Guide from the AVE Installation Guide to see if AVE might provide the solution you are after.
08-21-2018 06:11 AM
Thanks for that clarification. So that leads me to the conclusion that unless I deploy an AVS or AVE in the hypervisor, VM-to-VM traffic within the same host cannot be controlled by ACI.
Am I right?
08-21-2018 02:10 PM
Like I said above:
Note: If they are on the same Port Group, then traffic will traverse between the VMs even before it leaves the ESXi host - you clearly have no control over that.
So the key is to get the VMs into different EPGs - and that will require some co-operation from the VMware team, no matter what solution you use.
Now if you can get the VMware team to put hosts on different Port Groups, then traffic can be controlled by ACI. In your case, it would seem that the simplest way would be to find out which VLAN corresponds to which port group and map each VLAN to an ACI EPG.
Back to your last question:
So that leads me to the conclusion that unless I deploy an AVS or AVE in the hypervisor, VM-to-VM traffic within the same host cannot be controlled by ACI.
Am I right?
You are right if both VMs are in the same Port Group/VLAN. If you can manage to get hosts put into different Port Groups/VLANs, then you can control the traffic with ACI, without using AVS/AVE or even DVS.
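As an added worked example (it is not part of the thread, and not Cisco or VMware code), the script below applies the rule in the answer above to a constructed inventory: it takes the VMware port-group-to-VLAN layout and the ACI VLAN-to-EPG mapping, and for every VM pair reports whether the leaf can enforce policy at all. The assumptions are mine and are not stated on the page: plain VLAN-backed vDS port groups with no ACI-managed virtual switch (no AVS/AVE), one EPG per VLAN through static bindings on the leaf ports facing the ESXi hosts, and ACI's defaults of permitting intra-EPG traffic and dropping inter-EPG traffic that has no contract. All VM, host, port group, EPG and contract names are constructed sample data.

```python
"""Added example, not code from the thread or from Cisco: a small model of
which VM-to-VM flows ACI can actually enforce, given the VMware port-group
to VLAN layout and the ACI VLAN-to-EPG mapping described in the answer.

Assumptions (mine, not stated on the page): plain VLAN-backed vDS port groups
with no ACI-managed virtual switch (no AVS/AVE), one EPG per VLAN via static
bindings on the leaf ports facing the ESXi hosts, ACI's default of permitting
intra-EPG traffic and dropping inter-EPG traffic that has no contract.
All names, VLAN IDs and contracts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str        # ESXi host the VM currently runs on
    port_group: str  # vDS port group its vNIC is attached to


# Constructed VMware inventory: port group -> VLAN ID (two port groups share VLAN 10).
PORT_GROUP_VLAN: Dict[str, int] = {
    "PG-Web": 10, "PG-Legacy": 10, "PG-App": 30, "PG-DB": 20, "PG-Stray": 40,
}
# Constructed ACI side: VLAN encap -> EPG (VLAN 40 has no binding at all).
VLAN_EPG: Dict[int, str] = {10: "EPG-Web", 20: "EPG-DB", 30: "EPG-App"}
# Constructed contracts as unordered EPG pairs; EPG-App has none.
CONTRACTS: Set[FrozenSet[str]] = {frozenset({"EPG-Web", "EPG-DB"})}


def epg_for(vm: VM) -> Optional[str]:
    """EPG the leaf would classify this VM's frames into, or None if unbound."""
    vlan = PORT_GROUP_VLAN.get(vm.port_group)
    return None if vlan is None else VLAN_EPG.get(vlan)


def classify(a: VM, b: VM) -> Tuple[str, str]:
    """Return (verdict, reason) for traffic between two VMs.

    bypass    - switched inside the vDS on the host, the leaf never sees it
    unmapped  - a VLAN has no EPG binding, so ACI cannot classify the frames
    intra-epg - reaches the fabric, but one EPG: permitted by default, no contract applies
    enforced  - two EPGs: the contract (or its absence) decides
    """
    vlan_a, vlan_b = PORT_GROUP_VLAN.get(a.port_group), PORT_GROUP_VLAN.get(b.port_group)
    if a.host == b.host and vlan_a is not None and vlan_a == vlan_b:
        return "bypass", "same host and same VLAN: forwarded locally by the vDS"
    epg_a, epg_b = epg_for(a), epg_for(b)
    if epg_a is None or epg_b is None:
        return "unmapped", "a port group's VLAN has no EPG static binding"
    if epg_a == epg_b:
        return "intra-epg", f"both in {epg_a}: intra-EPG traffic is permitted by default"
    allowed = frozenset({epg_a, epg_b}) in CONTRACTS
    outcome = "permitted by contract" if allowed else "dropped, no contract"
    return "enforced", f"{epg_a} <-> {epg_b}: {outcome}"


def binding_plan() -> List[Tuple[str, int, Optional[str]]]:
    """The port group / VLAN / EPG table to agree with the VMware team."""
    return sorted((pg, vlan, VLAN_EPG.get(vlan)) for pg, vlan in PORT_GROUP_VLAN.items())


def report(vms: List[VM]) -> List[str]:
    """One line per VM pair, suitable for a change request or an audit note."""
    lines = []
    for i, a in enumerate(vms):
        for b in vms[i + 1:]:
            verdict, reason = classify(a, b)
            lines.append(f"{a.name:8} -> {b.name:8} {verdict:9} {reason}")
    return lines


if __name__ == "__main__":
    sample = [VM("web1", "esx1", "PG-Web"), VM("web2", "esx1", "PG-Legacy"),
              VM("app1", "esx1", "PG-App"), VM("db1", "esx1", "PG-DB"),
              VM("db2", "esx2", "PG-DB"), VM("stray", "esx2", "PG-Stray")]
    for pg, vlan, epg in binding_plan():
        print(f"{pg:10} vlan-{vlan:<4} {epg or 'UNBOUND'}")
    print("\n".join(report(sample)))
```

The ordering of the checks is the point: the same-host/same-VLAN test comes first because that traffic never reaches a leaf, so no EPG or contract in the fabric can affect it; only once a flow is known to hairpin through the leaf does the EPG mapping decide whether a contract applies. The "bypass" and "intra-epg" rows are the ones to take to the VMware team, since they can only be fixed by moving VMs to port groups on different VLANs (or by an ACI-managed vSwitch, as the rest of the thread discusses).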
08-22-2018 01:50 AM
Hi Chris,
Thanks for sharing. Appreciate it.