02-04-2020 12:58 AM
Hello,
We have two tenants, a layer 3 tenant and a layer 2 tenant which has its gateway on a core switch.
We need to implement contracts to control the traffic between the servers in the same EPG.
I thought of one approach: creating a separate EPG for every server and creating contracts between the EPGs.
The other approach is to use micro-segmentation ("uSeg"), but I have no idea about it!
Does anyone know the best way to achieve this?
02-04-2020 01:50 AM
Hi @Ma'moun Mohammad shanableh ,
I'm not too sure how much direction you need on this, but for a quick answer, your option suggesting:
creating a separate EPG for every server and to create contracts between the EPGs.
is right on target.
In my opinion, micro segmentation was only introduced so Cisco could say "me too" to VMware. Although, there are use cases where it could be useful, such as wanting to put, say, all MS servers into an EPG without actually identifying the servers individually.
So if you have no special use case where it makes good sense to use Micro Segmentation, then don't do it. It makes a simple concept complicated.
I hope this helps.
Don't forget to mark answers as correct if they solve your problem. This helps others find the correct answer if they search for the same problem.
02-04-2020 05:56 AM
Hi @Ma'moun Mohammad shanableh , @RedNectar ,
Won't comment on the "me too" statement :-)
I would say the answer depends on what you really want to control inside your current EPG. If only a couple of services should be allowed between all the servers of the EPG, the most suitable solution is to set the current EPG with Intra EPG Isolation in its policy, then create an Intra-EPG contract in it with your expected services.
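The two designs compared in this thread (one EPG per server with provided/consumed contracts, versus a single EPG with Intra EPG Isolation enforced plus an intra-EPG contract) can both be expressed as APIC REST payloads. The script below is an added example, not code from the thread or from Cisco: it builds both payloads from the same filter and contract helpers so the difference between the designs is visible side by side. The managed-object class names and attributes (fvTenant, fvAp, fvAEPg with pcEnfPref, fvRsIntraEpg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are standard ACI objects; every tenant, application profile, EPG, contract and filter name in it is a constructed placeholder.

```python
"""Build APIC REST (JSON) payloads for the two intra-EPG control designs.

Added example, not from the thread or from Cisco. Class and attribute names
are standard ACI managed objects; all object NAMES are constructed placeholders.
"""
import json


def mo(cls, attributes, children=()):
    """Wrap attributes and children in the nested shape the APIC JSON API expects."""
    body = {"attributes": attributes}
    if children:
        body["children"] = list(children)
    return {cls: body}


def tcp_filter(name, ports):
    """A vzFilter with one TCP entry per destination port (no IP matching:
    contracts in ACI match on protocol/ports, not on endpoint addresses)."""
    entries = [
        mo("vzEntry", {"name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
                       "dFromPort": str(p), "dToPort": str(p)})
        for p in ports
    ]
    return mo("vzFilter", {"name": name}, entries)


def contract(name, filter_name, scope="context"):
    """A vzBrCP (contract) with a single subject referencing the given filter."""
    subject = mo("vzSubj", {"name": "svc"},
                 [mo("vzRsSubjFiltAtt", {"tnVzFilterName": filter_name})])
    return mo("vzBrCP", {"name": name, "scope": scope}, [subject])


def intra_epg_design(tenant, ap, epg, ports):
    """Design B: one EPG with isolation enforced (pcEnfPref=enforced) and an
    intra-EPG contract permitting only the listed services. Needs APIC 3.0(1)+."""
    flt, ct = f"{epg}-svc-flt", f"{epg}-intra"
    epg_mo = mo("fvAEPg", {"name": epg, "pcEnfPref": "enforced"},
                [mo("fvRsIntraEpg", {"tnVzBrCPName": ct})])
    return mo("fvTenant", {"name": tenant},
              [tcp_filter(flt, ports), contract(ct, flt),
               mo("fvAp", {"name": ap}, [epg_mo])])


def per_server_design(tenant, ap, servers, ports):
    """Design A: one EPG per server; each EPG both provides and consumes the
    same contract, so servers reach each other only on the listed services.
    Works on APIC 2.x, which has no intra-EPG contracts."""
    flt, ct = "server-svc-flt", "server-to-server"
    epgs = [
        mo("fvAEPg", {"name": f"epg-{s}", "pcEnfPref": "unenforced"},
           [mo("fvRsProv", {"tnVzBrCPName": ct}),
            mo("fvRsCons", {"tnVzBrCPName": ct})])
        for s in servers
    ]
    return mo("fvTenant", {"name": tenant},
              [tcp_filter(flt, ports), contract(ct, flt),
               mo("fvAp", {"name": ap}, epgs)])


def allowed_tcp_ports(tenant_payload):
    """Walk a tenant payload and return the destination TCP ports its filters permit.
    Useful as a pre-push review check: anything not in this set is dropped."""
    ports = set()
    for child in tenant_payload["fvTenant"].get("children", []):
        if "vzFilter" in child:
            for entry in child["vzFilter"].get("children", []):
                a = entry["vzEntry"]["attributes"]
                if a["prot"] == "tcp":
                    ports.update(range(int(a["dFromPort"]), int(a["dToPort"]) + 1))
    return ports


def epg_count(tenant_payload):
    """Number of EPGs the payload creates (1 for design B, N servers for design A)."""
    return sum(len(c["fvAp"].get("children", []))
               for c in tenant_payload["fvTenant"]["children"] if "fvAp" in c)


if __name__ == "__main__":
    # Constructed names; POST the result to /api/mo/uni.json on the APIC.
    b = intra_epg_design("tn-demo", "ap-demo", "epg-servers", [22, 443])
    a = per_server_design("tn-demo", "ap-demo", ["web1", "web2", "db1"], [3306])
    print(json.dumps(b, indent=2))
    print("design B EPGs:", epg_count(b), "ports:", sorted(allowed_tcp_ports(b)))
    print("design A EPGs:", epg_count(a), "ports:", sorted(allowed_tcp_ports(a)))
```

Both payloads are posted to `/api/mo/uni.json`; the `allowed_tcp_ports` walk is a cheap way to review exactly which services a change opens before it reaches the fabric.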
02-05-2020 02:37 AM
Thank you for the reply,
Now I have a question about intra-EPG contracts:
Can I permit or deny traffic based on IP address and port number?
And when was this feature introduced to ACI? In which version?
Thank you
02-06-2020 01:51 AM
Hi @Ma'moun Mohammad shanableh ,
The contract will control all the inter-endpoint traffic in the EPG. It is not based on IP.
Intra-EPG contracts were introduced in 3.0.1.
02-11-2020 02:04 AM
Thank you for your cooperation,
I have ACI in version 2.x, and I guess that leaves me with creating an EPG for each server.
I have another question: does it require downtime to integrate with vSwitches, or do we only need downtime when moving servers between EPGs?
02-11-2020 03:48 AM - edited 02-11-2020 03:55 AM
For an L3 tenant at medium scale, it's easy to split the endpoints into different EPGs. If you configure the EP (physical server) ports static with Access (802.1P), there will be an interruption while removing and adding the configuration from the old to the new EPG.
If it's a virtual environment, the trunk option will make it easy for you to configure from the ACI end and then change the port-group attachment from the vCenter side (slight interruption as well).
But again, defining the 3-tier model (WEB/APP/DB) will make it easier from a management level later on.