EPG ACCESS

namish.sharma1 · ‎04-23-2016

Hi Folks ,

I am new to ACI however , i have worked on NSX. Just want to understand that we are creating contracts within EPG to allow access .

My questions are :-

1.) Can I make policies like this , vm of this xx name from EPG1 can talk to VM of EPG2 with yy name with certain security tags .

2.) Can i deny communication within single EPG.

3.) I have following design white paper of cisco

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-731960.html

is their any other source where I could get more information about aci designs and solution in multisite architechture, how we can use it DR.

Hope this is not lot which I am asking for :-)

Regards ,

Namish

dpita · ‎04-23-2016

Hello, Thanks for using Support Forums. I will attempt to answer your questions

1.) Can I make policies like this , vm of this xx name from EPG1 can talk to VM of EPG2 with yy name with certain security tags .

--dpita: Yes this is possible. at this point in time you need to use the AVS switch instead of the DVS built in to vCenter. This feature is called micro segmentation. Please see this article for more information

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_1_2_1x_chapter_01000.html

2.) Can i deny communication within single EPG.

--dpita: Yes this is possible. This feature works with the DVS right now. its called Intra-EPG isolation. Please see this article for more information.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html#id_13260

Regarding your third question on DR and multi-site, i did a quick google search and found a white paper from WWT. I recommend you speak with your account manager to get in touch with Cisco AS for help with that design.

Hope that helps. Have a nice day