ACI in open mode

anazarenko
Level 1

Hi,


Unfortunately I can't easily find any manuals on how to use ACI in open mode without inter-EPG contracts.

Is it a valid mode? Where can I find any manuals about it? 

Accepted Solution

Robert Burns
Cisco Employee

There are a couple of ways to accomplish what you're asking.

1. Unenforced VRF.  This option removes any policy (contracts) for all endpoint communication within the scope of a VRF.  Keep in mind that this also prevents you from leveraging features like Policy Based Redirect (PBR), which depend on policy being enforced.  By default, all communication between endpoints eventually hits an implicit-deny ACL, but this would disable all contracts from being applied, removing the default 'whitelist' security mode.

2. Using vzAny.  This is a special EPG that represents ALL EPGs within a VRF.  This would allow the VRF to remain enforced, but you can allow any:any communication between any EPGs that are within the VRF.

3. Preferred Group Member.  This is another feature that gets more granular than vzAny, but allows select EPGs within a VRF to be part of the "Preferred Group".  EPGs that are part of the PG can freely communicate.  Any EPGs that are not members will not.

These concepts are explained in a great Cisco Live Session here: https://www.ciscolive.com/global/on-demand-library.html?search=ACI%20security&search=ACI+security#/session/1573153555522001JKm0

Robert
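The three options above map onto a handful of attributes in the APIC object model. The following script is an added example, not code from the thread or from Cisco: it generates the tenant XML you would POST to `/api/mo/uni.xml` for each option and, more usefully for a reviewer, audits an existing tenant subtree to report whether the VRF still enforces its allow-list, whether vzAny carries a permit-any contract, and which EPGs sit in the Preferred Group. The class and attribute names (`fvCtx.pcEnfPref`, `fvCtx.prefGrMemb`, `vzAny`, `vzRsAnyToProv`/`vzRsAnyToCons`, `fvAEPg.prefGrMemb`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`) are the APIC MIT names; every tenant, VRF, application profile, EPG and contract name is constructed for the example, bridge domains are omitted, and treating a contract as "permit any" because its subjects only reference the common `default` filter is a heuristic.

```python
"""Generate and audit APIC tenant XML for the three ways of opening up
intra-VRF traffic: unenforced VRF, vzAny with a permit-any contract, and
Preferred Group membership. Names below are constructed for the example."""
import xml.etree.ElementTree as ET

TENANT = "demo-tn"          # constructed
VRF = "demo-vrf"            # constructed
APP_PROFILE = "demo-ap"     # constructed
CONTRACT = "permit-any"     # constructed
# Constructed EPGs with the Preferred Group membership they get in mode 3.
EPGS = {"web": "include", "app": "include", "db": "exclude"}

MODES = ("enforced", "unenforced", "vzany", "preferred-group")


def build_tenant(mode: str) -> ET.Element:
    """Return an fvTenant subtree configuring the VRF for the given mode.
    'enforced' is the default allow-list state. Bridge domains are omitted;
    in a real fabric an EPG reaches its VRF through its BD."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    tn = ET.Element("fvTenant", name=TENANT)
    ctx = ET.SubElement(
        tn, "fvCtx", name=VRF,
        # Mode 1: dropping enforcement removes every contract from the data path.
        pcEnfPref="unenforced" if mode == "unenforced" else "enforced",
        # Mode 3: Preferred Group is switched on per VRF ...
        prefGrMemb="enabled" if mode == "preferred-group" else "disabled",
    )
    if mode == "vzany":
        # Mode 2: a contract whose subject uses the common 'default' filter
        # (permit any), provided and consumed by vzAny for this VRF.
        bcp = ET.SubElement(tn, "vzBrCP", name=CONTRACT, scope="context")
        subj = ET.SubElement(bcp, "vzSubj", name="any")
        ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName="default")
        vz_any = ET.SubElement(ctx, "vzAny")
        ET.SubElement(vz_any, "vzRsAnyToProv", tnVzBrCPName=CONTRACT)
        ET.SubElement(vz_any, "vzRsAnyToCons", tnVzBrCPName=CONTRACT)
    ap = ET.SubElement(tn, "fvAp", name=APP_PROFILE)
    for epg, membership in EPGS.items():
        ET.SubElement(
            ap, "fvAEPg", name=epg,
            # ... and opted into per EPG; 'exclude' is the APIC default.
            prefGrMemb=membership if mode == "preferred-group" else "exclude",
        )
    return tn


def to_xml(mode: str) -> str:
    """Serialise the tenant for a mode as the body of a POST to /api/mo/uni.xml."""
    return ET.tostring(build_tenant(mode), encoding="unicode")


def audit_vrf(tn: ET.Element, vrf: str) -> dict:
    """Classify how open intra-VRF traffic is in a tenant subtree: is the
    allow-list enforced, does vzAny carry a permit-any contract, and which
    EPGs are in the Preferred Group."""
    ctx = tn.find(f"fvCtx[@name='{vrf}']")
    if ctx is None:
        raise KeyError(vrf)
    enforced = ctx.get("pcEnfPref", "enforced") == "enforced"

    # Heuristic: a contract is 'permit any' when every subject filter it
    # references is the common 'default' filter. Custom filters need review.
    permit_any = set()
    for bcp in tn.iterfind("vzBrCP"):
        filters = {r.get("tnVzFilterName") for r in bcp.iter("vzRsSubjFiltAtt")}
        if filters and filters <= {"default"}:
            permit_any.add(bcp.get("name"))
    provided, consumed = set(), set()
    vz_any = ctx.find("vzAny")
    if vz_any is not None:
        provided = {r.get("tnVzBrCPName") for r in vz_any.iterfind("vzRsAnyToProv")}
        consumed = {r.get("tnVzBrCPName") for r in vz_any.iterfind("vzRsAnyToCons")}
    vzany_open = bool(provided & consumed & permit_any)

    pg_enabled = ctx.get("prefGrMemb", "disabled") == "enabled"
    pg_members = sorted(
        epg.get("name") for epg in tn.iter("fvAEPg")
        if pg_enabled and epg.get("prefGrMemb") == "include"
    )

    if not enforced:
        mode = "unenforced"          # widest: no contracts at all
    elif vzany_open:
        mode = "vzany"               # any:any inside the VRF, enforcement kept
    elif pg_members:
        mode = "preferred-group"     # only listed EPGs talk freely
    else:
        mode = "enforced"
    return {"enforced": enforced, "vzany_any_to_any": vzany_open,
            "preferred_group_members": pg_members, "mode": mode}


if __name__ == "__main__":
    for m in MODES:
        print(m, audit_vrf(build_tenant(m), VRF))
```

Running it prints the audit for each generated mode; pointing `audit_vrf` at a tenant pulled from the APIC (`GET /api/mo/uni/tn-<name>.xml?rsp-subtree=full`) gives a quick check of which VRFs have traded the default allow-list for one of these open modes and how far.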

