07-05-2023 11:24 PM
Hello,
a customer has the following requirement:
EPs within an EPG shouldn't communicate with each other by default. But there is one exception.
A system within this EPG should be accessible from all other EPs within this EPG.
Is this possible with Intra-EPG Isolation and defining a contract to allow communication from specified EPs to only ONE EP?
Thanks
Udo
07-06-2023 05:24 AM
No. That's the purpose of an EPG - to provide a consistent security policy for all EPs. For that particular EP, if you need a different set of access policies, then it should be placed into its own EPG. Sounds like you want Intra-EPG Isolation enabled on the main EPG (to prevent all endpoints from communicating with each other), and then use a uSeg (microsegment EPG) for the single endpoint you need to restrict access to. To re-assign the EP to a uSeg EPG, you can match on the single EP's IP/MAC/VM Attribute etc. - then you can apply a contract between the Intra-Isolated EPG and the uSeg EPG to accomplish what you wish.
Robert
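As an added illustration of the design Robert describes (not code from the thread or from Cisco), the following Python builds the APIC policy objects for that three-part setup: the base EPG with Intra-EPG Isolation enforced, a uSeg EPG whose IP criterion captures the single shared system, and a contract consumed by the base EPG and provided by the uSeg EPG. All tenant, profile, bridge-domain, filter and IP values are assumptions chosen for the example; the object class and attribute names (fvAEPg, pcEnfPref, isAttrBasedEPg, fvCrtrn, fvIpAttr, fvRsCons, fvRsProv, vzBrCP) are the standard ACI managed-object names.

```python
"""Build and sanity-check the APIC policy for: isolated base EPG + uSeg EPG
for one shared endpoint + contract between them.  Example code, not from
the thread; every name and address below is an assumed/constructed value."""
import xml.etree.ElementTree as ET

# Assumed names (not from the thread): adjust to the customer's fabric.
TENANT = "Cust-Tenant"
AP = "App-Prof"
BD = "BD-Servers"
BASE_EPG = "EPG-Servers"          # all ordinary endpoints live here
USEG_EPG = "uSeg-SharedServer"    # the single system everyone may reach
CONTRACT = "SharedServer-Ct"
FILTER = "tcp-443"                # assumed: only HTTPS to the shared system
SHARED_IP = "10.10.10.50"         # constructed sample address of that system


def build_policy(shared_ip: str = SHARED_IP) -> str:
    """Return the fvTenant XML that would be POSTed to /api/mo/uni.xml."""
    tn = ET.Element("fvTenant", name=TENANT)

    # Contract + filter: the only traffic the isolated EPs may send to the
    # shared system.  revFltPorts lets the reply traffic back.
    flt = ET.SubElement(tn, "vzFilter", name=FILTER)
    ET.SubElement(flt, "vzEntry", name="https", etherT="ip", prot="tcp",
                  dFromPort="443", dToPort="443")
    ct = ET.SubElement(tn, "vzBrCP", name=CONTRACT, scope="context")
    subj = ET.SubElement(ct, "vzSubj", name="allow", revFltPorts="yes")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=FILTER)

    ap = ET.SubElement(tn, "fvAp", name=AP)

    # Base EPG: pcEnfPref="enforced" is the Intra-EPG Isolation switch, so
    # endpoints inside it cannot talk to each other.  It consumes the contract.
    base = ET.SubElement(ap, "fvAEPg", name=BASE_EPG, pcEnfPref="enforced")
    ET.SubElement(base, "fvRsBd", tnFvBDName=BD)
    ET.SubElement(base, "fvRsCons", tnVzBrCPName=CONTRACT)

    # uSeg EPG: isAttrBasedEPg="yes" plus an IP criterion that matches only
    # the shared system (/32), which is thereby pulled out of the base EPG.
    # It provides the contract, so every isolated EP may reach it on 443.
    useg = ET.SubElement(ap, "fvAEPg", name=USEG_EPG, isAttrBasedEPg="yes")
    ET.SubElement(useg, "fvRsBd", tnFvBDName=BD)
    crtrn = ET.SubElement(useg, "fvCrtrn", name="default", match="any")
    ET.SubElement(crtrn, "fvIpAttr", name="shared-ip", ip=f"{shared_ip}/32")
    ET.SubElement(useg, "fvRsProv", tnVzBrCPName=CONTRACT)

    return ET.tostring(tn, encoding="unicode")


def verify_policy(xml_text: str) -> dict:
    """Pre-push intent check: base EPG isolated, uSeg EPG attribute-based and
    matching exactly one host, contract wired consumer->provider correctly.
    A False in the result means the policy would not do what the thread asks."""
    root = ET.fromstring(xml_text)
    epgs = {e.get("name"): e for e in root.iter("fvAEPg")}
    base, useg = epgs[BASE_EPG], epgs[USEG_EPG]
    ip_attrs = [a.get("ip") for a in useg.iter("fvIpAttr")]
    return {
        "base_isolated": base.get("pcEnfPref") == "enforced",
        "useg_attr_based": useg.get("isAttrBasedEPg") == "yes",
        "useg_single_host": len(ip_attrs) == 1 and ip_attrs[0].endswith("/32"),
        "base_consumes": any(r.get("tnVzBrCPName") == CONTRACT
                             for r in base.iter("fvRsCons")),
        "useg_provides": any(r.get("tnVzBrCPName") == CONTRACT
                             for r in useg.iter("fvRsProv")),
    }


if __name__ == "__main__":
    policy = build_policy()
    print(policy)
    print(verify_policy(policy))
```

To apply it, authenticate against the APIC (aaaLogin) and POST the returned XML to `https://<apic>/api/mo/uni.xml`; the uSeg EPG additionally needs a domain association (fvRsDomAtt) on a domain that permits microsegmentation, which is omitted here because it depends on the customer's VMM or physical domain setup. The verify step is worth keeping in any automation: if `base_isolated` ever comes back False, the base EPG silently reverts to full intra-EPG reachability, which is exactly the exposure the customer wants to avoid.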