Microsegmentation and BD Subnet

neroshake
Level 1

Hi Colleagues,

I have read that in order to be able to implement microsegmentation with uSegs it is mandatory that Unicast Routing be enabled and Subnet is defined for BD for Base EPG. My question is - is it also required that the configured Subnet Address for BD should act as a default gateway for endpoints in Base and uSeg EPGs, or they (endpoints) can have different IP configured as a default GW (not the one configured as BD Subnet)?

 

Thank you!

Nero

1 Accepted Solution

Accepted Solutions

Robert Burns
Cisco Employee

Yes, unicast routing is required and the GW should be hosted on the BD.

Robert


8 Replies

neroshake
Level 1

Any feedback?

Robert Burns
Cisco Employee

Yes, unicast routing is required and the GW should be hosted on the BD.

Robert

RedNectar
VIP

Hi @neroshake ,

I don't see your problem.  Unless it's revealed in the wording of your question:

is it also required that the configured Subnet Address for BD should act as a default gateway for endpoints in Base and uSeg EPGs, or they (endpoints) can have different IP configured as a default GW (not the one configured as BD Subnet)?

You seem to be thinking that the BD can have only one default gateway address.  It is indeed quite possible to have endpoints with different default gateway addresses - you just have to keep adding as many IP addresses to the BD as you need to cater for all the µSeg EPGs.

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

I assume he was asking about the scenario where the GW resided outside of ACI and still applying uSeg policies.  Even though an SVI is configured on a BD doesn't necessarily mean the Endpoints are using it as their default GW.

Robert
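The prerequisite stated in the accepted answer (unicast routing on, a subnet defined on the BD behind the uSeg EPG's base EPG) is something you can audit from an APIC tenant export rather than by clicking through the GUI. The script below is an added example written for this thread, not code from the thread's participants or from Cisco. The sample export is constructed, and the attribute names it relies on (`fvBD.unicastRoute`, `fvSubnet.ip`, `fvAEPg.isAttrBasedEPg`, `fvRsBd.tnFvBDName`) follow the APIC object model as I understand it; treat them as assumptions and verify against your own export.

```python
"""Audit an APIC tenant export for the uSeg EPG prerequisites discussed in this
thread: the bridge domain behind a uSeg EPG must have unicast routing enabled
and at least one subnet (the gateway address) configured on it."""
import json

# Constructed sample export, NOT from a real fabric. Shaped like APIC REST JSON:
# every managed object is {"class": {"attributes": {...}, "children": [...]}}.
# Attribute names are assumptions about the APIC object model.
SAMPLE_TENANT = json.dumps({
    "fvTenant": {
        "attributes": {"name": "DMZ-Tenant"},
        "children": [
            {"fvBD": {
                "attributes": {"name": "BD-DMZ", "unicastRoute": "yes"},
                "children": [{"fvSubnet": {"attributes": {"ip": "10.10.10.1/24"}}}],
            }},
            {"fvBD": {
                # Gateway lives on an external firewall: L2-only BD, no subnet.
                "attributes": {"name": "BD-Legacy", "unicastRoute": "no"},
                "children": [],
            }},
            {"fvAp": {
                "attributes": {"name": "DMZ-App"},
                "children": [
                    {"fvAEPg": {"attributes": {"name": "Base-DMZ", "isAttrBasedEPg": "no"},
                                "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "BD-DMZ"}}}]}},
                    {"fvAEPg": {"attributes": {"name": "uSeg-GroupA", "isAttrBasedEPg": "yes"},
                                "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "BD-DMZ"}}}]}},
                    {"fvAEPg": {"attributes": {"name": "Base-Legacy", "isAttrBasedEPg": "no"},
                                "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "BD-Legacy"}}}]}},
                    {"fvAEPg": {"attributes": {"name": "uSeg-GroupB", "isAttrBasedEPg": "yes"},
                                "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "BD-Legacy"}}}]}},
                ],
            }},
        ],
    }
})


def _children(mo_body):
    """Yield (class_name, body) for each child managed object."""
    for child in mo_body.get("children", []):
        for cls, body in child.items():
            yield cls, body


def index_bridge_domains(tenant_body):
    """Map BD name -> unicast routing flag and the list of configured subnet gateways."""
    bds = {}
    for cls, body in _children(tenant_body):
        if cls != "fvBD":
            continue
        attrs = body["attributes"]
        subnets = [b["attributes"]["ip"] for c, b in _children(body) if c == "fvSubnet"]
        bds[attrs["name"]] = {
            "unicast_routing": attrs.get("unicastRoute", "no") == "yes",
            "subnets": subnets,
        }
    return bds


def check_useg_prerequisites(tenant_json):
    """Return one finding per uSeg (attribute-based) EPG: its BD and what is missing."""
    tenant_body = json.loads(tenant_json)["fvTenant"]
    bds = index_bridge_domains(tenant_body)
    findings = []
    for cls, ap in _children(tenant_body):
        if cls != "fvAp":
            continue
        for ecls, epg in _children(ap):
            if ecls != "fvAEPg" or epg["attributes"].get("isAttrBasedEPg") != "yes":
                continue
            bd_name = next((b["attributes"]["tnFvBDName"]
                            for c, b in _children(epg) if c == "fvRsBd"), None)
            bd = bds.get(bd_name)
            issues = []
            if bd is None:
                issues.append(f"BD {bd_name!r} not found in tenant")
            else:
                if not bd["unicast_routing"]:
                    issues.append("unicast routing disabled on BD")
                if not bd["subnets"]:
                    issues.append("no subnet (gateway) defined on BD")
            findings.append({"epg": epg["attributes"]["name"], "bd": bd_name,
                             "subnets": bd["subnets"] if bd else [],
                             "ok": not issues, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in check_useg_prerequisites(SAMPLE_TENANT):
        status = "OK  " if f["ok"] else "FAIL"
        print(f"{status} {f['epg']:<12} BD={f['bd']:<10} gateways={f['subnets']} {'; '.join(f['issues'])}")
```

Run it against a real tenant export by replacing `SAMPLE_TENANT` with the JSON returned for the tenant object with its children. Note the limit Robert points out above: a subnet configured on the BD only proves the fabric hosts that SVI, not that the endpoints actually use it as their default gateway. That part has to be verified on the endpoints (or in the fabric's learned endpoint and routing tables), not in the tenant configuration.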

Hi @RedNectar 

As @Robert Burns noted indeed my case is where GW resides outside of ACI and I still want to do microsegmentation. As I understand - no way?

 

Beroshake

Hi @neroshake ,

I've never tried configuring microsegmentation with the default gateway IPs outside ACI - so I'll agree with @Robert Burns' answer.  In fact, I've never had an instance where I've had to use microsegmentation, although I do see it does have its uses.  But in general, I find microsegmentation as a bit convoluted.

So perhaps I should be asking - what are you hoping to achieve by using microsegmentation?

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

@RedNectar 

In the current form, uSeg (or as I prefer to call them - 'Attribute-based EPGs') is targeted best at App Centric deployments where the BD subnets are few and large in size.  This comes with the restriction of base & uSeg EPGs needing to belong to the same BD.  In a network Centric deployment this presents a natural challenge with the VLAN/BD/EPG sets.

With the addition of ESGs, you'll see a better implementation of segmentation, where you're no longer restricted to Endpoints within the same BD, but rather the ability to apply security policies VRF-wide regardless of EPG/BD association.

Robert

neroshake
Level 1

@RedNectar

@Robert Burns 

I have a Network Centric migration where the DMZ gateway resides on an external firewall. What I want to achieve is to separate a few groups of DMZ systems from communicating with each other. Like machines A1, A2 and A3 should be able to communicate together but should not be able to communicate with machines B1, B2 and B3, which are in a group B. Etc.
