05-16-2019 05:01 AM - edited 05-16-2019 05:10 AM
Hello Experts,
I have a question about Micro-segmentation on ACI.
If we implement a VMM integration between VMware and ACI, and after that create two µEPGs, one for Dev and another for Prod, and put VMs with the Dev tag in µEPG Dev and VMs with the Prod tag in µEPG Prod, then if we create a contract between them (knowing that these VMs are on the same ESX host and share the same subnet), can we control the flow between Dev VMs and Prod VMs on the same ESX with contracts? Or does ACI not see the traffic because it is in the same DVS? If ACI doesn't see the traffic, how can we implement the control? Maybe we need to implement proxy ARP on ACI to redirect traffic in the same VLAN to ACI.
Best Regards.
Labels: Cisco ACI
Accepted Solutions
05-17-2019 05:08 PM - edited 05-17-2019 05:23 PM
Proxy ARP is enabled automatically. Without it, traffic flow between VMs in the same Port Group will not work. This is because they are in an isolated PVLAN. See here for more detail: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-2301.pdf
05-16-2019 01:32 PM
Assuming this is VDS and not AVE or AVS then microsegmentation will configure Private VLANs on the Port Group. The VMs won’t be able to communicate directly but will be able to communicate to the ACI leaf switch which performs proxy ARP like you suggested.
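To make the mechanism in the two answers above concrete (isolated PVLAN ports on the port group, the leaf answering ARP by proxy, contracts enforced on the leaf between tag-based µEPGs), here is a small simulation. It is an added example written for this thread, not Cisco code and not an APIC API call; every VM name, MAC, IP and EPG name is constructed, and a contract is modelled as a simple permitted EPG pair in both directions.

```python
"""Constructed model of ACI microsegmentation on a VDS port group:
isolated PVLAN ports, proxy ARP on the leaf, contracts between uSeg EPGs.
All names, MACs, IPs and the contract model are assumptions for the example."""
from dataclasses import dataclass, field

LEAF_MAC = "00:22:bd:f8:19:ff"  # constructed: MAC the leaf answers ARP with


@dataclass
class VM:
    name: str
    mac: str
    ip: str
    tag: str                       # VMware tag that places the VM in a uEPG
    arp_cache: dict = field(default_factory=dict)


class Leaf:
    """ACI leaf: proxy-ARPs for every endpoint it knows and applies contracts."""

    def __init__(self, useg_by_tag, contracts):
        self.useg_by_tag = useg_by_tag            # tag -> uEPG name
        self.contracts = {frozenset(c) for c in contracts}  # permitted EPG pairs
        self.endpoints = {}                        # ip -> VM

    def learn(self, vm):
        self.endpoints[vm.ip] = vm

    def handle(self, src, frame):
        if frame["type"] == "ARP-REQ":
            # Proxy ARP: reply with the leaf's own MAC, so the requester never
            # learns the real MAC of the other VM and must send via the leaf.
            if frame["target_ip"] in self.endpoints:
                return {"type": "ARP-REP", "ip": frame["target_ip"], "mac": LEAF_MAC}
            return None
        dst = self.endpoints.get(frame["dst_ip"])
        if dst is None:
            return "no-route"
        s, d = self.useg_by_tag[src.tag], self.useg_by_tag[dst.tag]
        # Intra-EPG traffic is permitted; inter-EPG traffic needs a contract.
        if s == d or frozenset((s, d)) in self.contracts:
            return f"delivered:{dst.name}"
        return "dropped:no-contract"


class PortGroup:
    """VDS port group. isolated=True models the PVLAN that microsegmentation
    configures: VM ports exchange frames only with the promiscuous uplink."""

    def __init__(self, leaf, isolated=True):
        self.leaf, self.isolated, self.vms = leaf, isolated, {}

    def attach(self, vm):
        self.vms[vm.mac] = vm
        self.leaf.learn(vm)

    def send(self, src, frame):
        if not self.isolated:
            # Ordinary port group: the DVS switches locally, the leaf never
            # sees VM-to-VM traffic and no contract can be enforced.
            if frame["type"] == "ARP-REQ":
                for vm in self.vms.values():
                    if vm.ip == frame["target_ip"]:
                        return {"type": "ARP-REP", "ip": vm.ip, "mac": vm.mac}
            elif frame["dst_mac"] in self.vms:
                return f"switched-locally:{self.vms[frame['dst_mac']].name}"
        # Isolated port (or a frame addressed to the leaf): only the leaf sees it.
        return self.leaf.handle(src, frame)


def ping(pg, src, dst_ip):
    """Resolve dst_ip by ARP, then send one IP frame; return the outcome."""
    if dst_ip not in src.arp_cache:
        rep = pg.send(src, {"type": "ARP-REQ", "dst_mac": "ff:ff:ff:ff:ff:ff",
                            "target_ip": dst_ip})
        if rep is None:
            return "arp-failed"
        src.arp_cache[dst_ip] = rep["mac"]
    return pg.send(src, {"type": "IP", "dst_mac": src.arp_cache[dst_ip],
                         "dst_ip": dst_ip})


def build(isolated, contracts):
    leaf = Leaf({"Dev": "uEPG-Dev", "Prod": "uEPG-Prod"}, contracts)
    pg = PortGroup(leaf, isolated)
    vms = {n: VM(n, m, ip, t) for n, m, ip, t in [
        ("dev1", "00:50:56:00:00:01", "10.1.1.11", "Dev"),      # constructed
        ("dev2", "00:50:56:00:00:02", "10.1.1.12", "Dev"),
        ("prod1", "00:50:56:00:00:03", "10.1.1.21", "Prod"),
    ]}
    for vm in vms.values():
        pg.attach(vm)
    return pg, vms


def scenario():
    out = {}
    pg, vms = build(isolated=True, contracts=[])
    out["dev->dev same uEPG"] = ping(pg, vms["dev1"], "10.1.1.12")
    out["dev->prod no contract"] = ping(pg, vms["dev1"], "10.1.1.21")
    out["dev1 resolved prod1 to"] = vms["dev1"].arp_cache["10.1.1.21"]
    pg, vms = build(isolated=True, contracts=[("uEPG-Dev", "uEPG-Prod")])
    out["dev->prod with contract"] = ping(pg, vms["dev1"], "10.1.1.21")
    pg, vms = build(isolated=False, contracts=[])
    out["plain port group"] = ping(pg, vms["dev1"], "10.1.1.21")
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:28s} {v}")
```

The last scenario is the case the question worries about: without the PVLAN, dev1 learns prod1's real MAC and the frame is switched inside the host, so the leaf never gets a chance to apply the contract. With the isolated PVLAN the ARP reply carries the leaf's MAC, every VM-to-VM frame hairpins through the leaf, and the Dev-to-Prod flow is dropped until a contract exists.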
05-16-2019 11:13 PM
So, in this case it is necessary to activate the proxy ARP? If not enabled, traffic between VMs belonging to the same VLAN will never go through the leaves?