ACI contracts between servers in the same EPG

Hello,

We have two tenants: a layer 3 tenant and a layer 2 tenant which has its gateway on a core switch.

We need to implement contracts to control the traffic between the servers in the same EPG.

I thought of one approach: creating a separate EPG for every server and creating contracts between the EPGs.

The other approach is to use micro-segmentation ("uSeg"), but I have no idea about it!

Does anyone know the best way to achieve this?

2 Accepted Solutions

RedNectar (VIP)

Hi @Ma'moun Mohammad shanableh ,

I'm not too sure how much direction you need on this, but for a quick answer, your option suggesting:

creating a separate EPG for every server and to create contracts between the EPGs.

is right on target.

In my opinion, micro segmentation was only introduced so Cisco could say "me too" to VMware, although there are use cases where it could be useful, such as wanting to put, say, all MS servers into an EPG without actually identifying the servers individually.

So if you have no special use case where it makes good sense to use Micro Segmentation, then don't do it. It makes a simple concept complicated.

I hope this helps.


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem.


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi @Ma'moun Mohammad shanableh , @RedNectar ,

Won't comment about the "me too" statement :-)

I would say the answer depends on what you really want to control inside your current EPG. If only a couple of services should be allowed between all the servers of the EPG, the most suitable solution is to enable Intra EPG Isolation in the current EPG's policy, then add an Intra-EPG contract to it with your expected services.

Remi Astruc

8 Replies

Thank you for the reply.

Now I have a question about intra-EPG contracts:

Can I permit or deny traffic based on IP address and port number?

And when was this feature introduced to ACI? In which version?

Thank you

Hi @Ma'moun Mohammad shanableh ,

The contract will control all the inter-endpoint traffic in the EPG. It is not based on IP.

Intra-EPG contracts were introduced in 3.0.1.

 

Remi Astruc
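As an added illustration (not code from this thread or from Cisco), here is a Python sketch of the design Remi describes, expressed as the JSON the APIC REST API accepts for a tenant: an EPG with Intra EPG Isolation enforced (pcEnfPref) plus an intra-EPG contract (fvRsIntraEpg) that permits only HTTPS between its own servers, next to an EPG left at the open default, with a small audit that reports which EPGs still let their members talk freely. It assumes ACI 3.0.1 or later, as noted above; the class and attribute names are the public APIC object model as I recall it, and the tenant, BD, filter and contract names are constructed.

```python
def tcp_filter(name: str, port: str) -> dict:
    """vzFilter with one TCP entry matching a single destination port."""
    entry = {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp", "dFromPort": port, "dToPort": port}
    return {"vzFilter": {"attributes": {"name": name}, "children": [{"vzEntry": {"attributes": entry}}]}}

def intra_epg_contract(name: str, filters: list) -> dict:
    """vzBrCP with one subject that references the given filter names."""
    refs = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filters]
    subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": refs}}
    return {"vzBrCP": {"attributes": {"name": name}, "children": [subj]}}

def epg(name: str, bd: str, isolate: bool, intra_contract: str = None) -> dict:
    """fvAEPg: pcEnfPref=enforced is the Intra EPG Isolation knob, and
    fvRsIntraEpg attaches the intra-EPG contract that re-opens chosen flows."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    if intra_contract:
        children.append({"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": intra_contract}}})
    pref = "enforced" if isolate else "unenforced"
    return {"fvAEPg": {"attributes": {"name": name, "pcEnfPref": pref}, "children": children}}

def tenant_payload() -> dict:
    """Constructed sample tenant (body for POST /api/mo/uni.json): open, isolated, contract."""
    epgs = [epg("Legacy", "BD-L2", isolate=False),
            epg("Quarantine", "BD-L3", isolate=True),
            epg("Servers", "BD-L3", isolate=True, intra_contract="srv-intra")]
    return {"fvTenant": {"attributes": {"name": "L3-Tenant"}, "children": [
        tcp_filter("https", "443"), intra_epg_contract("srv-intra", ["https"]),
        {"fvAp": {"attributes": {"name": "AP1"}, "children": epgs}}]}}

def _walk(mo_tree: dict):
    """Yield (class_name, mo) for every managed object in an APIC JSON tree."""
    for cls, mo in mo_tree.items():
        yield cls, mo
        for child in mo.get("children", []):
            yield from _walk(child)

def intra_epg_posture(tenant: dict) -> dict:
    """Map each EPG name to 'open' (members talk freely, the default), 'isolated'
    (all intra-EPG traffic dropped) or 'contract' (only permitted flows)."""
    result = {}
    for cls, mo in _walk(tenant):
        if cls != "fvAEPg":
            continue
        attrs, kids = mo["attributes"], mo.get("children", [])
        if attrs.get("pcEnfPref", "unenforced") != "enforced":
            result[attrs["name"]] = "open"
        else:
            sealed = not any("fvRsIntraEpg" in c for c in kids)
            result[attrs["name"]] = "isolated" if sealed else "contract"
    return result
```

Running the audit against a tenant exported from the APIC (rather than the constructed one) shows which EPGs still match the OP's starting state, where every server can reach every other.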

Thank you for your cooperation.

I have ACI version 2.x, and I guess that leaves me with creating an EPG for each server.

I have another question: does it require downtime to integrate with vSwitches? Or do we only need downtime when moving servers between EPGs?

 

salam shanableh,

For the L3 tenant, at medium scale, it's easy to split the endpoints into different EPGs. If you configure the EP (physical servers) port static binding with Access (802.1P), there would be an interruption while removing and adding the configuration from the old to the new EPG.

If it's a virtual environment, the trunk option will make it easy for you to configure from the ACI end, then change the port-group attachment from the vCenter side (slight interruption as well).

But again, defining the 3-tier model (WEB/APP/DB) will make it easier from a management level later on.

Creating a vDS in APIC is not disruptive; however, moving the VMs' NICs from their current port-group to the ACI-managed vDS will obviously cause downtime. Also keep in mind that ACI must be the IP GW for these BDs.