How can VM to VM traffic be controlled by ACI

Raoul07
Level 1

Hi there,

 

I am new to Cisco ACI and wanted to know how I can control VM to VM traffic using Cisco ACI. If we deploy the vDS from Cisco ACI, I believe we will have full visibility of the VM traffic, but what if we are not allowed to manage or deploy the vDS from ACI? Can I still manage the VM traffic? Can you please provide/guide me to the right info/URL which explains the virtual switch, including the types and the differences between them.

 

Appreciate your response.

7 Replies

RedNectar
VIP

Hi Raoul07,

You have a perfectly classic example of exactly what ACI was designed to do with ease. Imagine you have two VMs called VM_A and VM_B

I'll need to make some assumptions:

  1. I assume that they share the same default gateway,
  2. I assume you know the VLAN/VXLAN IDs of the VMs - they will need to be different, so you need to make sure the VM administrator places each VM in a different PortGroup.
    1. Note: If they are on the same Port Group, then traffic will traverse between the VMs even before it leaves the ESXi host - you clearly have no control over that
  3. Traffic from the VMs reaches the ACI leaf switches on the same port/port channel/virtual port channel

Here's what you'd do in ACI:

  1. Create a VRF
  2. Create a Bridge Domain and link it to the VRF
    1. Assign the default gateway IP address to the Bridge Domain
  3. Create an Application Profile
  4. In the Application Profile, create two Application End Point Groups (EPGs), say EPG-A and EPG-B. As you create each EPG,
    1. link it to the Bridge Domain created above
    2. Map the VLAN/VXLAN ID on the incoming port/PC/VPC to the EPG

Now you will have the following:

  • VM_A & VM_B servers will share same subnet and gateway
  • VM_A can talk to the GW
  • VM_B can talk to the GW
  • VM_A and VM_B can't talk to each other, but you can easily create a contract to allow them to talk to each other for a given set of UDP/TCP ports

I hope this helps


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem


RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi Chris,

 

Thanks for the reply. The explanation you gave stands good for traffic hitting the leaf switch. What about traffic which is not seen by the leaf switch? i.e, traffic within the same Esxi cluster, traffic within the same port-group and traffic within the same host.

 

I believe we would need a software switch which has to be installed in the Esxi level which can act as a leaf (in ACI terms) and apply policies configured from APIC. Please correct me if my understanding is wrong.

 

I have heard about AVS, vDS, Virtual edge, etc. But have not been able to understand clearly where and when can these be used. 


I believe we would need a software switch which has to be installed in the Esxi level which can act as a leaf (in ACI terms) and apply policies configured from APIC. Please correct me if my understanding is wrong. 

Correct!

Originally Cisco would have advised the AVS (Application Virtual Switch - aka Nexus 1000V reborn) but with VMware v6.5, the AVS was made incompatible, and so now we have the Cisco AVE (Application Virtual Engine) which is also a Virtual Switch, but is installed as a VM instead of being directly connected to the ESXi kernel, so may actually be easier to implement anyway (especially if you don't have a great relationship with the VMware team)

There is also the option of doing "Microsegmentation" - something the VMware people might feel more familiar with.  This still involves interaction with the VMware VDS (or AVE)

The whole concept/argument comes down to "Where is the policy applied?" Cisco likes to apply policy as traffic enters the leaf switch, but VMware likes to apply policy at the vSwitch or send traffic via a virtual gateway.  To counter this, Cisco also allows the policy enforcement on a vSwitch (AVS/AVE) but as I said before, this will involve some co-operation with the VMware team.  The comment that worries me most in your original post is:

but what if we are not allowed to manage or deploy the vDS from ACI?

So in light of this, I suggest you explore the AVE approach. Read the AVE Migration Guide from the AVE Installation Guide to see if AVE might provide the solution you are after.

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Thanks for that clarification. So that leads me to a conclusion that unless I deploy an AVS or AVE in the hypervisor, VM to VM traffic within the same host cannot be controlled by ACI.

 

Am I right?

Like I said above:

Note: If they are on the same Port Group, then traffic will traverse between the VMs even before it leaves the ESXi host - you clearly have no control over that

so the key is to get the VMs into different EPGs - and that will require some co-operation from the VMWare team, no matter what solution you use.

Now if you can get the VMware team to put hosts on different PortGroups, then traffic can be controlled by ACI.  In your case, it would seem that the simplest way would be to find out which VLAN corresponds to which port group and map each VLAN to an ACI EPG.

Back to your last question:

So that leads me to a conclusion that unless I deploy an AVS or AVE in the hypervisor, VM to VM traffic within the same host cannot be controlled by ACI.

 

Am I right?


You are right if both VMs are in the same Portgroup/VLAN. If you can manage to get hosts put into different Portgroups/VLANs then you can control the traffic with ACI, without using AVS/AVE or even DVS. 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
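As an added illustration (not code from this thread or from Cisco), the VRF/BD/EPG/contract model from the first reply and the same-host/same-port-group caveat from this one, as a small Python model of where ACI can and cannot enforce policy; the host, port-group, VLAN and EPG names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: host, port-group, VLAN and EPG names below are
# assumptions for illustration, not values from a real fabric.
@dataclass(frozen=True)
class VM:
    name: str
    host: str       # ESXi host the VM runs on
    portgroup: str  # vDS port group the vNIC is attached to
    vlan: int       # VLAN the port group tags on the host uplink

@dataclass
class FabricPolicy:
    # encap VLAN on the leaf port/PC/vPC -> EPG (the "map each VLAN to an EPG" step)
    vlan_to_epg: dict
    # (consumer EPG, provider EPG, proto, dst port) permitted by a contract
    contracts: set = field(default_factory=set)
    # EPGs with intra-EPG isolation enforced
    isolated_epgs: set = field(default_factory=set)

    def classify(self, vm: VM):
        return self.vlan_to_epg.get(vm.vlan)  # None: encap not mapped, dropped at the leaf

def leaf_sees_flow(src: VM, dst: VM) -> bool:
    """Same host AND same port group: the vSwitch forwards locally and the
    frame never reaches a leaf, so no ACI policy can be applied to it."""
    return not (src.host == dst.host and src.portgroup == dst.portgroup)

def verdict(policy: FabricPolicy, src: VM, dst: VM, proto: str, dport: int) -> str:
    if not leaf_sees_flow(src, dst):
        return "UNCONTROLLED"  # needs separate port groups or an AVS/AVE in the hypervisor
    s, d = policy.classify(src), policy.classify(dst)
    if s is None or d is None:
        return "DROP"
    if s == d:  # intra-EPG traffic is permitted unless isolation is switched on
        return "DROP" if s in policy.isolated_epgs else "PERMIT"
    # inter-EPG traffic is whitelist-only: simplified to consumer->provider on dport
    return "PERMIT" if (s, d, proto, dport) in policy.contracts else "DROP"

# Constructed sample: VM_A and VM_C share a port group, VM_B is on a different one.
VM_A = VM("VM_A", "esxi-01", "PG-APP", 10)
VM_B = VM("VM_B", "esxi-01", "PG-DB", 20)
VM_C = VM("VM_C", "esxi-01", "PG-APP", 10)
POLICY = FabricPolicy({10: "EPG-A", 20: "EPG-B"},
                      contracts={("EPG-A", "EPG-B", "tcp", 443)})

if __name__ == "__main__":
    for dst, port in ((VM_B, 443), (VM_B, 22), (VM_C, 22)):
        print(f"VM_A -> {dst.name} tcp/{port}: {verdict(POLICY, VM_A, dst, 'tcp', port)}")
```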

Hi Chris,

 

Thanks for sharing. Appreciate it.

Hi

Can we also achieve this by Intra-EPG isolation or micro-segmentation in our ACI solution?