Intra-EPG isolation in a Layer2 (bridged) design - community port

Hi Community,

Is it possible to use Intra-EPG isolation in ACI L2 BD/EPG where the default gateway is on an external Firewall and not on ACI?

  • EPG/BD is basically a Layer 2 (bridged) replacement for the VLAN
  • Segmentation is done on a physical External firewall, this is where the default gateway for the EPG/BD (VLAN) resides
  • Endpoints should not talk to each other
  • But of course, endpoints must communicate to the Firewall representing another L2 endpoint in the EPG

In a legacy network, we could use Private VLAN and a community port for the firewall, but in ACI, I can't find such a concept. Of course, if a default gateway is provided by ACI, this can be achieved and is covered by documentation.

Thanks!


8 Replies

M02@rt37 (VIP)

Hello @Alexander Pickar,

By configuring contracts to control communication and enabling intra-EPG isolation, you can ensure that endpoints within the same EPG are isolated from each other while still being able to communicate with the external firewall and other EPGs.

Contracts define the communication policies between EPGs (VLANs) within ACI. For your scenario, you can create a contract that allows communication between the EPG and the external firewall. This contract will allow traffic from the EPG to reach the firewall.

To achieve isolation between endpoints within the same EPG, you can enable "intra-EPG isolation" within the Bridge Domain settings. This will prevent communication between endpoints within the same EPG while still allowing them to communicate with endpoints in other EPGs as per the contract rules.

Since the default gateway is on the external firewall and not on ACI, you would configure the default gateway for endpoints in your EPG to point to the IP address of the firewall. This can be done in the contract configuration for the EPG.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I see two possible scenarios:

  • One Layer 2 Bridge Domain (BD) with two EPGs: isolated EPG-1, which is used for regular endpoint connectivity, and EPG-2, which is used only for the firewall, with a contract between EPG-1 and EPG-2
  • Two Layer 2 BDs: one L2 BD-1/EPG-1 with Intra-EPG isolation for endpoints, and a second L2 BD-2/EPG-2 for the firewall, with a contract between EPG-1 and EPG-2.

Is either of these scenarios supported, and will it work? (Or, even better, will both of them work?)

@Alexander Pickar,

Both scenarios can work, and the choice between them depends on your specific requirements and the existing network design. Generally, using separate Layer 2 BDs (scenario 2) might offer stronger isolation between the EPGs, but it also introduces more segmentation. Using a single BD with isolated EPGs (scenario 1) simplifies the configuration and reduces the number of BDs, but it might have less isolation between EPGs compared to separate BDs.

What level of isolation do you need? What about your overall network architecture and scalability? Do you have any specific requirements for communication between endpoints and the firewall?


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37,

Your answers seem to be very high level, but the scenario is a bit more complicated.

  • Since the BD/EPG is a Layer 2 type, the external firewall, which provides the default gateway and controls traffic in/out of the BD/EPG, needs to be a part of the BD/EPG. If there is another option, I'd be more than glad to know about it.
  • But by using Intra-EPG isolation, all endpoints are isolated from each other, even from the external firewall.
  • In a legacy Private VLAN scenario, I would assign the firewall interface port as a community port, which allows this port to communicate with the isolated ports.

So, can I for example put the firewall interface to another Layer 2 BD/EPG and use a contract between the Intra-EPG isolated L2 BD/EPG and the "firewall" EPG? Is this supported?

Or is this a non-supported scenario and ACI has to act in a L3 mode with unicast routing enabled on the BD, which is well covered in the ACI documentation?

Thanks for that clarification @Alexander Pickar.

In ACI, the concept of Intra-EPG isolation is designed to prevent communication between endpoints within the same EPG, and it does not naturally accommodate scenarios where you want to isolate endpoints from each other within the EPG while still allowing them to communicate through an external device like a firewall.

ACI's primary design revolves around using contracts to control communication between different EPGs, and by default, endpoints within the same EPG can communicate freely. The scenario you've described, where you want to isolate endpoints within the same EPG from each other while allowing communication through an external firewall, doesn't align well with the Intra-EPG isolation feature.

You mention putting the firewall interface into another Layer 2 BD/EPG and using contracts to control communication. This approach could work and is more aligned with ACI's "design philosophy". By setting up contracts between the isolated EPG and the "firewall" EPG, you can define the specific communication paths you want to allow while maintaining isolation within the EPG.

Since ACI doesn't provide a direct feature to isolate endpoints within the same EPG and allow communication through an external device, using separate EPGs and contracts to achieve the desired communication control is a more supported and natural approach within the ACI framework.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

No specific requirements have been specified. The design is for virtual desktops, essentially virtual machines, all within one subnet, which just need to reach their default gateway, which resides on the firewall. All security rules are handled by the firewall.

I'll try at least the easier scenario with a single L2 BD and two EPGs in the lab just to verify that there are no hidden challenges.


Thanks for your answers!


You're welcome. Thanks for sharing that, @Alexander Pickar.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi Alexander,

You can go ahead with 2 EPGs and a single BD; it is a tested, working solution.

First EPG with Intra-EPG isolation enabled, containing all hosts which should not communicate with each other. Second EPG with the firewall interface configured as the gateway. Now you can add a contract between the second EPG and the first EPG to allow the EPG with all hosts to communicate with the EPG attached to the firewall.

I hope this helps you in your implementation.
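To make the single-BD, two-EPG design from the reply above concrete, here is an added example that is not part of the thread and not Cisco's code: a small Python script that builds the APIC managed-object tree for that design (an L2-only BD, an isolated host EPG consuming a contract that an unisolated firewall EPG provides) and models, from that tree alone, which EPG pairs the fabric policy will forward. It also builds the naive variant the question started from (firewall interface inside the same isolated EPG, no contract) and lints it, which shows in code why that variant has no equivalent of a PVLAN community port. All tenant, BD, EPG and contract names are constructed for this example; the contract references the permit-any `default` filter from tenant common, which exists on any APIC. The reachability model is deliberately simplified: it ignores vzAny, preferred groups, intra-EPG contracts and taboo contracts, and only covers what this thread discusses.

```python
import json

# All names below are constructed for this example; they are not taken from the
# thread or from any real fabric.
TENANT, BD, AP = "VDI-Tenant", "VDI-L2-BD", "VDI-AP"
HOSTS_EPG, FW_EPG, CONTRACT = "VDI-Hosts", "FW-Gateway", "Hosts-to-FW"


def _epg(name, bd, isolated, consumes=(), provides=()):
    """One fvAEPg managed object. pcEnfPref='enforced' is intra-EPG isolation."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": p}}} for p in provides]
    return {"fvAEPg": {
        "attributes": {"name": name, "pcEnfPref": "enforced" if isolated else "unenforced"},
        "children": children,
    }}


def _l2_bd(name):
    """Layer 2 only BD: no unicast routing, so the default gateway lives outside ACI."""
    return {"fvBD": {"attributes": {
        "name": name, "unicastRoute": "no", "arpFlood": "yes", "unkMacUcastAct": "flood",
    }}}


def _permit_any_contract(name):
    """Contract with one subject that references the permit-any 'default'
    filter from tenant common (present on every APIC)."""
    return {"vzBrCP": {"attributes": {"name": name}, "children": [{"vzSubj": {
        "attributes": {"name": "any"},
        "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}}],
    }}]}}


def build_two_epg_config():
    """Design from the thread's last reply: one L2 BD, an isolated host EPG
    consuming a contract that the (unisolated) firewall EPG provides."""
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        _l2_bd(BD),
        _permit_any_contract(CONTRACT),
        {"fvAp": {"attributes": {"name": AP}, "children": [
            _epg(HOSTS_EPG, BD, isolated=True, consumes=[CONTRACT]),
            _epg(FW_EPG, BD, isolated=False, provides=[CONTRACT]),
        ]}},
    ]}}


def build_naive_config():
    """The design the question started from: firewall interface placed in the
    same isolated EPG as the hosts, with no contract at all."""
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": [
        _l2_bd(BD),
        {"fvAp": {"attributes": {"name": AP}, "children": [
            _epg(HOSTS_EPG, BD, isolated=True),
        ]}},
    ]}}


def _epgs(config):
    for child in config["fvTenant"]["children"]:
        for c in child.get("fvAp", {}).get("children", []):
            if "fvAEPg" in c:
                yield c["fvAEPg"]


def _contracts(epg, rel):
    return {c[rel]["attributes"]["tnVzBrCPName"] for c in epg["children"] if rel in c}


def reachability(config):
    """Map (src_epg, dst_epg) -> whether policy lets the traffic through.
    Intra-EPG: dropped when pcEnfPref is 'enforced'. Inter-EPG: needs a
    contract consumed by one side and provided by the other (subjects apply
    in both directions by default). Simplified model, see lead-in."""
    epgs = {e["attributes"]["name"]: e for e in _epgs(config)}
    table = {}
    for s_name, s in epgs.items():
        for d_name, d in epgs.items():
            if s_name == d_name:
                table[(s_name, d_name)] = s["attributes"]["pcEnfPref"] == "unenforced"
            else:
                shared = (_contracts(s, "fvRsCons") & _contracts(d, "fvRsProv")) \
                    | (_contracts(s, "fvRsProv") & _contracts(d, "fvRsCons"))
                table[(s_name, d_name)] = bool(shared)
    return table


def isolated_epgs_without_contract(config):
    """Lint: an isolated EPG with no contract relation isolates everything in
    it, including a firewall/gateway interface that was placed there."""
    return [e["attributes"]["name"] for e in _epgs(config)
            if e["attributes"]["pcEnfPref"] == "enforced"
            and not (_contracts(e, "fvRsCons") | _contracts(e, "fvRsProv"))]


if __name__ == "__main__":
    cfg = build_two_epg_config()
    print(json.dumps(cfg, indent=2))        # body for a POST to /api/mo/uni.json
    for pair, ok in sorted(reachability(cfg).items()):
        print(pair, "permitted" if ok else "dropped")
    print("lint:", isolated_epgs_without_contract(build_naive_config()))
```

Run as-is, the script prints the JSON you would POST to the APIC `uni` node and then the four EPG pairs: host-to-host is dropped, host-to-firewall and firewall-to-host are permitted, and the lint flags the naive single-EPG variant as isolating its own gateway. The firewall EPG is left unenforced on purpose: it holds a single interface, and enforcing it there would gain nothing while making a second firewall interface (an HA pair, for instance) unreachable from the first.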
