ACI Intra EPG Isolation in L2 Bridge Domain

Hello,

I have an EPG configured in an L2 BD (ACI is not the DG of this subnet), and I have activated Intra-EPG isolation with an Intra-EPG contract to control the permitted traffic, but it doesn't work. Is it a supported configuration? Is there any documentation for it?

Regards.

Accepted Solution

Robert Burns
Cisco Employee

No, it's not supported. For proxy ARP to work, the BD needs to be L3 (SVI + unicast routing).

Robert

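The accepted answer gives the rule: intra-EPG isolation combined with an intra-EPG contract relies on proxy ARP, which only works when the bridge domain is L3 (unicast routing enabled and a subnet, i.e. an SVI, configured). The following script is an added example, not code from the thread or from Cisco, that applies that rule to an APIC tenant export and flags every isolated EPG that binds an intra-EPG contract while sitting on a BD that is not routed. It assumes the standard APIC managed-object names (fvBD with unicastRoute, fvSubnet, fvAEPg with pcEnfPref, fvRsBd, fvRsIntraEpg); the tenant JSON, the BD, EPG and contract names in it are constructed for the demonstration.

```python
"""Flag isolated EPGs with an intra-EPG contract on a non-routed (L2) bridge domain.

Added example for the thread above; it is not Cisco code. The managed-object class
and attribute names follow the APIC object model; the tenant below is constructed.
"""
import json

# Constructed sample tenant (not a real export): one L2 BD, one L3 BD, and three EPGs.
SAMPLE_TENANT_JSON = json.dumps({
    "fvTenant": {
        "attributes": {"name": "Prod"},
        "children": [
            # L2 BD: no unicast routing, no subnet -> no SVI, no proxy ARP.
            {"fvBD": {"attributes": {"name": "BD_L2", "unicastRoute": "no", "arpFlood": "yes"},
                      "children": []}},
            # L3 BD: unicast routing plus a gateway subnet -> SVI exists.
            {"fvBD": {"attributes": {"name": "BD_L3", "unicastRoute": "yes", "arpFlood": "no"},
                      "children": [{"fvSubnet": {"attributes": {"ip": "10.10.10.1/24",
                                                                "scope": "private"}}}]}},
            {"fvAp": {"attributes": {"name": "App"}, "children": [
                # Isolation enforced + intra-EPG contract on the L2 BD: the unsupported case.
                {"fvAEPg": {"attributes": {"name": "EPG_L2", "pcEnfPref": "enforced"},
                            "children": [
                                {"fvRsBd": {"attributes": {"tnFvBDName": "BD_L2"}}},
                                {"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": "ICMP_ONLY"}}}]}},
                # Same policy on the L3 BD: supported.
                {"fvAEPg": {"attributes": {"name": "EPG_L3", "pcEnfPref": "enforced"},
                            "children": [
                                {"fvRsBd": {"attributes": {"tnFvBDName": "BD_L3"}}},
                                {"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": "ICMP_ONLY"}}}]}},
                # No isolation at all: intra-EPG traffic is permitted, nothing to check.
                {"fvAEPg": {"attributes": {"name": "EPG_OPEN", "pcEnfPref": "unenforced"},
                            "children": [
                                {"fvRsBd": {"attributes": {"tnFvBDName": "BD_L2"}}}]}},
            ]}},
        ],
    }
})


def walk(mo, cls):
    """Yield the body of every managed object of class `cls` under `mo`, depth-first."""
    for key, body in mo.items():
        if key == cls:
            yield body
        for child in body.get("children", []):
            yield from walk(child, cls)


def bd_is_routed(bd):
    """True when the BD is L3: unicast routing on and at least one subnet (the SVI)."""
    routed = bd["attributes"].get("unicastRoute") == "yes"
    has_subnet = any(True for _ in walk({"fvBD": bd}, "fvSubnet"))
    return routed and has_subnet


def find_unsupported(tenant_json):
    """Return (epg, bd, contract) tuples for EPGs with isolation enforced and an
    intra-EPG contract whose BD is not L3.  A BD that cannot be resolved in this
    export (e.g. one living in tenant common) is reported too, since it cannot be
    verified from the file alone."""
    tenant = json.loads(tenant_json)
    bds = {bd["attributes"]["name"]: bd for bd in walk(tenant, "fvBD")}
    findings = []
    for epg in walk(tenant, "fvAEPg"):
        attrs = epg["attributes"]
        if attrs.get("pcEnfPref") != "enforced":
            continue  # isolation off: nothing depends on proxy ARP
        contracts = [c["attributes"]["tnVzBrCPName"]
                     for c in walk({"fvAEPg": epg}, "fvRsIntraEpg")]
        if not contracts:
            continue  # isolation alone is a plain deny-all and needs no proxy ARP
        for rel in walk({"fvAEPg": epg}, "fvRsBd"):
            bd_name = rel["attributes"]["tnFvBDName"]
            bd = bds.get(bd_name)
            if bd is None or not bd_is_routed(bd):
                findings.append((attrs["name"], bd_name, contracts[0]))
    return findings


if __name__ == "__main__":
    for epg, bd, contract in find_unsupported(SAMPLE_TENANT_JSON):
        print(f"EPG {epg}: intra-EPG contract {contract} on non-L3 BD {bd} "
              f"(enable unicast routing and add a subnet, or drop the contract)")
```

Run against a real export by replacing SAMPLE_TENANT_JSON with the tenant's JSON; the check only reads the policy model, so it works offline and does not need APIC access.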

10 Replies

a12288
Level 3

You can attach some screenshots of your config here.

Hi,

Attached are screenshots of the BD and EPG.

Screenshot: L2 BD Configuration

Screenshot: L2 BD Configuration of L3

Screenshot: EPG Configuration

Screenshot: Intra-EPG contract

Regards.

What about your associated domain part of config?

Hello,

Attached is the domain configuration. The tests are with two VMware VMs, and with VMware integrated with ACI.

Regards.

Robert Burns
Cisco Employee

Which version and Leaf models are you using?

Robert

Hi,

Version 5.1.3 and FX leaves (93180YC and 93108TC).

Regards.

What exactly are you trying to accomplish? Are you trying to restrict Intra-EPG communication to just ICMP (Intra-EPG Contract), or are you trying to prevent any communication within an EPG (Intra-EPG Isolation)? If you just want to filter the Intra-EPG traffic, then all you need is the contract, not the isolation flag.

Robert

Hi,

I need to permit specific traffic in the EPG and deny the rest, so I need Intra-EPG isolation to deny L2 traffic and an Intra-EPG contract to permit the specific traffic. This configuration works fine when the ACI Bridge Domain has Unicast Routing enabled and an IP configured in the BD, but for me it doesn't work when the BD is L2.

The question is whether this is supported.

Regards.


ACI is a zero-trust environment when it's Enforced.

When you create the EPG, where it says (Intra-EPG Isolation) select "Enforced" and use contracts to allow traffic between EPGs.

