Keng How Lim
Beginner

Cisco ACI - Pings between different EPGs allowed without Contracts?

Hi,

 

I have an ACI setup where several EPGs are in the same subnet and same bridge domain. There are no contracts between them; however, when one host in EPG A does a ping sweep using nmap, it is able to see the IP addresses of other hosts in the other EPGs. Is this normal?

 

Appreciate the help.

1 ACCEPTED SOLUTION

Sergiu.Daniluk
VIP Advocate

Hi @Keng How Lim 

It might be possible that nmap "sees" other endpoints based on ARP replies and not necessarily based on ICMP replies.

If you do individual pings to the observed endpoints, does it work? If not, then it is just ARP: if ARP flooding is enabled, the ACI fabric will flood the ARP request within the BD. Workaround: disable ARP flooding.

If you do see ICMP replies, check if EPGs are in a preferred group or if the VRF is unenforced.

Stay safe,

Sergiu
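
The three checks from the accepted answer (ARP flooding on the BD, preferred group membership, VRF enforcement), run over exported APIC objects as an added example that is not part of the original thread. The class and attribute names (`fvBD.arpFlood`, `fvCtx.pcEnfPref`, `fvAEPg.prefGrMemb`, `fvRsBd`, `fvRsCtx`) are from the APIC object model; the VRF, BD and EPG names and the sample data are constructed, and a single tenant is assumed.

```python
import json

# Constructed sample (hypothetical VRF/BD/EPG names, one tenant), shaped like
# the "imdata" list the APIC REST API returns for fvCtx, fvBD and fvAEPg
# class queries made with rsp-subtree=children.
SAMPLE = json.loads("""
[
 {"fvCtx": {"attributes": {"name": "vrf1", "pcEnfPref": "enforced"}}},
 {"fvBD": {"attributes": {"name": "bd1", "arpFlood": "yes"},
           "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf1"}}}]}},
 {"fvAEPg": {"attributes": {"name": "epgA", "prefGrMemb": "exclude"},
             "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "bd1"}}}]}},
 {"fvAEPg": {"attributes": {"name": "epgB", "prefGrMemb": "include"},
             "children": [{"fvRsBd": {"attributes": {"tnFvBDName": "bd1"}}}]}}
]
""")

def child_attr(body, cls, attr):
    """Value of `attr` on the first child of class `cls`, or None."""
    for child in body.get("children", []):
        if cls in child:
            return child[cls]["attributes"].get(attr)
    return None

def audit(imdata):
    """Map each EPG name to the reasons it is reachable without a contract."""
    vrfs, bds, report = {}, {}, {}
    for obj in imdata:                      # first pass: index VRFs and BDs
        for cls, body in obj.items():
            a = body["attributes"]
            if cls == "fvCtx":
                vrfs[a["name"]] = a.get("pcEnfPref")
            elif cls == "fvBD":
                bds[a["name"]] = (a.get("arpFlood"), child_attr(body, "fvRsCtx", "tnFvCtxName"))
    for obj in imdata:                      # second pass: resolve EPG -> BD -> VRF
        body = obj.get("fvAEPg")
        if body is None:
            continue
        a, reasons = body["attributes"], []
        arp_flood, vrf = bds.get(child_attr(body, "fvRsBd", "tnFvBDName"), (None, None))
        if arp_flood == "yes":
            reasons.append("BD floods ARP: hosts answer ARP discovery across EPGs")
        if vrfs.get(vrf) == "unenforced":
            reasons.append("VRF unenforced: contracts are not applied")
        if a.get("prefGrMemb") == "include":
            reasons.append("preferred group member: no contract needed between members")
        report[a["name"]] = reasons
    return report
```

An empty list for an EPG means none of the three conditions applies to it in the exported data.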
