Micro-Segmentation

MedRT
Level 1

Hello Experts,

 

I have a question about Micro-segmentation on ACI.

 

If we implement a VMM integration between VMware and ACI, then create two µEPGs, one for Dev and another for Prod, and put VMs with the Dev tag in µEPG DEV and VMs with the Prod tag in µEPG Prod, and after that create a contract between them (knowing that these VMs are on the same ESX and share the same subnet), can we control the flow between Dev VMs and Prod VMs on the same ESX with contracts? Or does ACI not see the traffic because it is in the same DVS? If ACI doesn't see the traffic, how can we implement the control? Maybe we need to implement a proxy ARP on ACI to redirect traffic in the same VLAN to ACI.

 

Best Regards.


3 Replies 3

richmond
Level 1

Assuming this is VDS and not AVE or AVS, then microsegmentation will configure Private VLANs on the Port Group. The VMs won’t be able to communicate directly but will be able to communicate with the ACI leaf switch, which performs proxy ARP like you suggested.

Thank you for your answer.

So, in this case, is it necessary to activate the proxy ARP? If not enabled, traffic between VMs belonging to the same VLAN will never go through the leaves?

Proxy ARP is enabled automatically. Without it, traffic flow between VMs in the same Port Group will not work. This is because they are in an isolated PVLAN. See here for more detail: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-2301.pdf
