Solved: Micro-Segmentation

MedRT · ‎05-16-2019

Hello Experts,

I have a question about Micro-segmentation on ACI.

if we implement a VMM integration between Vmware and ACI, after that we create two µEGPs, one for Dev and another for Prod, we put VMs with Dev TAG in µEPG DEV and VMs with Prod TAG in µEPG Prod, so after that, if we create a contract between them (knowing that this VMs are in the same ESX and sharing the same subnet) , can we control the flow between Dev VMs and Prod VMs in the same ESX with contracts ? or ACI doesn't see the traffic because it is in the same DVS? if ACI doesn't see the traffic, how can we implement the control? maybe we need to implement a proxy ARP on ACI to redirect traffic in the same VLAN to ACI.

Best Regards.

richmond · ‎05-17-2019

Proxy arp is enabled automatically. Without it traffic flow between VMs in the same Port Group will not work. This is because they are in an isolated PVLAN. See here for more detail: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-2301.pdf

View solution in original post

richmond · ‎05-16-2019

Assuming this is VDS and not AVE or AVS then microsegmentation will configure Private VLANs on the Port Group. The VMs won’t be able to communicate directly but will be able to communicate to the ACI leaf switch which performs proxy ARP like you suggested.

MedRT · ‎05-16-2019

Thank you for your answer,
So, in this case it is necessary to activate the proxy ARP? If not enabled,
traffic between VMs belonging to the same VLAN will never go through the
leaves?

richmond · ‎05-17-2019

Proxy arp is enabled automatically. Without it traffic flow between VMs in the same Port Group will not work. This is because they are in an isolated PVLAN. See here for more detail: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-2301.pdf