uSEG EPG and Intra-EPG Isolation

Ezequ!el
Level 1

Hi,

 

I have created a uSEG EPG with Intra-EPG Isolation enabled, as I do not want EPs to talk to each other inside this uSEG. This uSEG is also not part of the Preferred Groups, as I want to define any flow communication over a contract.

 

I checked and it is working as expected: no flows are allowed. Then I created an Intra-EPG contract with one subject, allowing ICMP and ARP. Checked again and ping is working as expected. But so is any other service, like SSH, Web, etc. So basically everything is allowed.

 

How can I check where this traffic is flowing and why it is being accepted? If I delete the contract again I can verify that no traffic is allowed.

 

I am using ACI 4.2(6d).

 

Thanks for any help.

18 Replies

Hi @Ezequ!el 

If you want to use a network-based attribute and classify IP addresses in the same subnet, you must use the MAC-based network attribute. IP-based microsegmented EPGs do not support classification for IP addresses in the same subnet. IP-based microsegmented EPGs are supported only when traffic requires Layer 3 routing. If the traffic is bridged, basically when the leaf switch is using MAC information for packet forwarding, the microsegmentation policy cannot be enforced when using IP attributes for EP classification.

Also, one thing which you need to keep in mind, if you have multiple attributes identifying the same endpoint, there is an order of precedence:  https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/virtualization/Cisco-ACI-Virtualization-Guide-42x/Cisco-ACI-Virtualization-Guide-421_chapter_0100.html#concept_n5h_wll_5z

 

Stay safe,

Sergiu
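As an added example (not configuration from the thread or from Cisco), the following Python builds the APIC REST payload for a uSEG EPG of the kind the original post describes (attribute-based EPG, Intra-EPG Isolation enforced, an intra-EPG contract attached) and lints the attribute criteria for the same-subnet limitation Sergiu describes: IP attributes alone cannot classify endpoints that are bridged inside one subnet, so a MAC attribute is needed there. The tenant, application profile, BD, contract and domain names are assumptions; the class and attribute names (fvAEPg, isAttrBasedEPg, pcEnfPref, fvCrtrn, fvIpAttr, fvMacAttr, fvRsIntraEpg, fvRsDomAtt) are the APIC object-model names.

```python
"""Build an APIC REST payload for a uSEG EPG with Intra-EPG Isolation and an
intra-EPG contract, and lint its criteria for the same-subnet IP-attribute
limitation.  Added example, not from the thread.  Names below are assumptions;
the payload would be POSTed to /api/mo/uni/tn-<tenant>/ap-<ap>.json with an
authenticated APIC session (not shown here)."""
import ipaddress
import json

# Assumed (hypothetical) tenant objects.
TENANT = "Tenant1"
AP = "AP1"
BD = "BD1"
INTRA_EPG_CONTRACT = "allow-icmp-arp"
VMM_DOMAIN_DN = "uni/vmmp-VMware/dom-DVS1"
PHYS_DOMAIN_DN = "uni/phys-PhysDom1"


def useg_epg(name, criteria, isolation=True, intra_epg_contract=None, domains=()):
    """Return the fvAEPg subtree for a uSEG EPG.

    criteria: list of ("ip", "10.1.1.10") or ("mac", "00:50:56:aa:bb:cc").
    isolation=True sets pcEnfPref=enforced (Intra-EPG Isolation); the
    fvRsIntraEpg relation then opens only what the contract's subjects allow.
    """
    attrs = []
    for kind, value in criteria:
        if kind == "ip":
            attrs.append({"fvIpAttr": {"attributes": {"name": f"ip-{value}", "ip": value}}})
        elif kind == "mac":
            attrs.append({"fvMacAttr": {"attributes": {"name": f"mac-{value}", "mac": value}}})
        else:
            raise ValueError(f"unknown attribute kind {kind!r}")
    children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
        # match=any: an endpoint matching any one attribute lands in the uSEG.
        {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                     "children": attrs}},
    ]
    if intra_epg_contract:
        children.append({"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": intra_epg_contract}}})
    for dn in domains:
        children.append({"fvRsDomAtt": {"attributes": {"tDn": dn}}})
    return {"fvAEPg": {"attributes": {"name": name,
                                      "isAttrBasedEPg": "yes",
                                      "pcEnfPref": "enforced" if isolation else "unenforced"},
                       "children": children}}


def ip_only_same_subnet(criteria, bd_subnet):
    """Return the IP attributes (host or CIDR) that fall inside the BD subnet
    when the criteria carry no MAC attribute.  Those endpoints bridge to each
    other, so an IP-only uSEG cannot enforce policy between them."""
    net = ipaddress.ip_network(bd_subnet, strict=False)
    if any(kind == "mac" for kind, _ in criteria):
        return []
    return [v for kind, v in criteria
            if kind == "ip" and ipaddress.ip_network(v, strict=False).subnet_of(net)]


def build(criteria, bd_subnet="10.1.1.1/24"):
    """Lint the criteria, then return (warnings, payload)."""
    warnings = ip_only_same_subnet(criteria, bd_subnet)
    payload = useg_epg("uSEG-web", criteria, isolation=True,
                       intra_epg_contract=INTRA_EPG_CONTRACT,
                       domains=[VMM_DOMAIN_DN, PHYS_DOMAIN_DN])
    return warnings, payload


if __name__ == "__main__":
    # Constructed input: two servers in the BD subnet, classified by IP only.
    warnings, payload = build([("ip", "10.1.1.10"), ("ip", "10.1.1.11")])
    if warnings:
        print("IP-only criteria in the BD subnet (add MAC attributes):", warnings)
    print(json.dumps(payload, indent=2))
```

The lint is the check a practitioner would run before pushing the payload: if it returns anything, the endpoints it names share a subnet and are matched only by IP, which is exactly the case where a bridged flow between them escapes the uSEG policy.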

 

Understood.

 

But now I did another test, whose result got me more confused.

 

In the uSEG, I have now one baremetal server with vlan encap 2 and two vmware servers with vlan encap 3.

 

Policies between vmware servers are being enforced as expected, even though I am still using ONLY the IP address attribute. If I try to generate traffic between a vmware server and the baremetal server, it is not working (Intra-EPG policies are not enforced). The only difference here is the vlan encapsulation, as all 3 servers are under the same uSEG, coming from the same base EPG, with the same IP subnet and using only the IP address attribute.

 

Is there any limitation of using different vlan encapsulation on the same uSEG when it comes to Intra-EPG contracts?

 

Thanks in advance for your time and help, very appreciated.

This shouldn't matter.  The whole point of uSeg is that you can apply it to multiple base EPG endpoints, which will undoubtedly have different encaps.  In ACI encap has nothing to do with security policy.  It's simply used as a classifier.  The communication is defined by the contracts applied to the EPGs (referenced by a Source Class ID/sclass).

So is your current issue that your Baremetal can't reach either VM with ICMP? (applied by your intra-EPG contract on your uSeg EPG)

And just to confirm - you're doing VMM integration correct?

Robert

Hi,

 

Yes VMM is integrated.

 

And yes, if I try to communicate from VMM to Baremetal, the Intra-EPG contract is not taken into account and it is just ignored. As seen with ELAM, the VMM endpoint is then classified as being in the Base EPG instead of in the uSEG. I can see ARP not going through.

 

If I do the same VMM to VMM everything works as expected. I can see ARP request and reply and then ICMP working.

 

All three EPs are only pushed into the uSEG based on IP address.
