Solved: Re: uSeg EPG contracts deny

dijix1990 · ‎11-30-2023

I have some questions

I tried to implement uSeg and didn't understand behaviour

I have EPG APP with enforced behaviuor.

I made two uSeg epg and without contracts they couldn't speak each other - it's good. After it I permited RDP session between them through contract, RDP worked, but I noticed that PC's inside uSeg EPG could communicate with each other through any protocols.

I thought that deny is implicit rule in the contract

dijix1990 · ‎12-08-2023

so, it was because of vzAny rule, after was removing it started work as expected

View solution in original post

Robert Burns · ‎11-30-2023

Whether an endpoint belongs to a base EPG, or uSeg EPG doesn't impact how contracts work. If you want endpoints between EPGs (Regular or uSeg) to communicate in a VRF in enforced mode - requires a contract. The contract is what dicates the ports/protocols based on the associated filters of that contract.

What does the filter in your applied contract look like?

Robert

dijix1990 · ‎12-05-2023

My parent EPG (BKP_Servers_Test) - intra EPG isolation is Enforced

Now my endpoints can't communicate without contracts because of intra EPG isolation is Enforced, it's general behaviour

10.177.200.10 and 10.177.20.5

Now I want to move my 10.177.200.10 and 10.177.20.5 to different uSeg EPG

I made new uSeg-1 with match attribute ip=10.177.200.10 (placed inside uSeg-1), and after it 10.177.200.10 (placed inside paret EPG BKP_Servers_Test) could communicate with 10.177.200.5 without any contracts, why?

Is it default behavour? uSeg EPG and parent EPG can communicate without contracts? I thought that ACI has white list behaviour with feature intra EPG isolation is Enforced and we need contracts everywhere (for commication between different uSeg EPG, for communicate between uSeg EPG and Parent EPG for communicate between uSeg EPG and another EPG)

dijix1990 · ‎12-08-2023

so, it was because of vzAny rule, after was removing it started work as expected