Tenant isolation problems with VMM and Virtual Switch
I am scratching my head on an issue within my ACI environment; we have a Production Tenant and a DMZ Tenant. The hosts are attached to two leaf switches as a vPC, all are using the same Attached Entity Profile, the use of Bridge Domains varies.
My Server Team has been using a single virtual switch for the VMs, within the ACI that has both Production (Tenant and contained EPGs) and DMZ connections. The problem is that any isolation has disappeared and there is communication between the Production and DMZ. None of the systems affected are "live" and operational.
I have been researching any information available on the web, but seem to have exhausted anything that will tell me if I need separate Attached Entity Profiles (as opposed to one "all-inclusive") or any other design/implementation considerations. Any thoughts or information that might help increase my knowledge so that I can solve this problem, ensure isolation and have a solid design when this goes live? Thank you in advance!
Re: Tenant isolation problems with VMM and Virtual Switch
Of course I do not know your entire setup, but I can comment based on your original question as best I can.
The number of AEPs is irrelevant here. In the most generic sense, isolation happens via policy at the EPG level, that is to say contracts and filters. As a recap (you likely already know, but just in case), any EPs in the same EPG can communicate without any contracts needed. Any EPs across different EPGs must have a contract that allows communication.
There are some other knobs that can play a role here too.
It is my guess that either you have a contract in place that allows DMZ to talk to Production and you just don't know it (such as the use of vzAny contracts under the VRF), or you have put the DMZ and Production EPGs into what is called a Preferred Group (which removes the need for contracts for its members), or you may have simply disabled contract enforcement for the entire VRF altogether (maybe by mistake).
I would check those things first. I'll wager it is one of them, or something along those lines.
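The three checks the reply suggests (VRF contract enforcement, Preferred Group membership, vzAny contracts) can be run mechanically against an APIC tenant export instead of clicking through the GUI. The script below is an added example written for this thread, not code from either poster or from Cisco. It assumes the export has the nested `{"class": {"attributes": {...}, "children": [...]}}` layout of APIC JSON and uses the ACI object model names as I know them (`fvCtx.pcEnfPref`, `vzAny.prefGrMemb`, `vzRsAnyToCons`/`vzRsAnyToProv`, `fvAEPg.prefGrMemb`, `fvRsBd`, `fvRsCtx`); the tenant, VRF, BD and EPG names in the sample are constructed.

```python
"""Audit an APIC-style tenant export for settings that let EPGs talk without
an explicit contract between them:
  1. VRF with contract enforcement disabled (fvCtx pcEnfPref = "unenforced")
  2. Preferred Group enabled on the VRF (vzAny prefGrMemb = "enabled") and
     EPGs included in it (fvAEPg prefGrMemb = "include")
  3. vzAny contracts attached to the VRF (vzRsAnyToCons / vzRsAnyToProv)
Assumption: the export uses the nested {"class": {"attributes", "children"}}
layout of APIC JSON. All names and values below are constructed sample data.
"""
import json

# Constructed sample tenant: "shared-vrf" is unenforced, has Preferred Group on
# and a vzAny consumer contract; "strict-vrf" is clean. prod-web and dmz-web are
# both in the Preferred Group, so they reach each other with no contract.
SAMPLE_EXPORT = json.dumps({"fvTenant": {"attributes": {"name": "Production"}, "children": [
    {"fvCtx": {"attributes": {"name": "shared-vrf", "pcEnfPref": "unenforced"}, "children": [
        {"vzAny": {"attributes": {"prefGrMemb": "enabled"}, "children": [
            {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "permit-any"}}}]}}]}},
    {"fvCtx": {"attributes": {"name": "strict-vrf", "pcEnfPref": "enforced"}, "children": [
        {"vzAny": {"attributes": {"prefGrMemb": "disabled"}, "children": []}}]}},
    {"fvBD": {"attributes": {"name": "prod-bd"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "shared-vrf"}}}]}},
    {"fvBD": {"attributes": {"name": "dmz-bd"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "shared-vrf"}}}]}},
    {"fvAp": {"attributes": {"name": "apps"}, "children": [
        {"fvAEPg": {"attributes": {"name": "prod-web", "prefGrMemb": "include"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "prod-bd"}}}]}},
        {"fvAEPg": {"attributes": {"name": "dmz-web", "prefGrMemb": "include"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "dmz-bd"}}}]}},
        {"fvAEPg": {"attributes": {"name": "db", "prefGrMemb": "exclude"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "prod-bd"}}}]}}]}}]}})


def _children(mo):
    """Yield (class, attributes, body) for each child object of an APIC MO."""
    for child in mo.get("children", []):
        for cls, body in child.items():
            yield cls, body.get("attributes", {}), body


def audit(export_json):
    """Return a list of (kind, object, detail) findings for one tenant export."""
    tenant = json.loads(export_json)["fvTenant"]
    findings = []
    bd_to_vrf = {}  # BD name -> VRF name, to attribute EPG findings to a VRF

    # Pass 1: VRF-level knobs and BD-to-VRF mapping.
    for cls, attrs, body in _children(tenant):
        if cls == "fvCtx":
            vrf = attrs["name"]
            if attrs.get("pcEnfPref") == "unenforced":
                findings.append(("VRF_UNENFORCED", vrf, "contracts are not enforced in this VRF"))
            for c_cls, c_attrs, c_body in _children(body):
                if c_cls != "vzAny":
                    continue
                if c_attrs.get("prefGrMemb") == "enabled":
                    findings.append(("PREFERRED_GROUP_ENABLED", vrf, "members talk without contracts"))
                for r_cls, r_attrs, _ in _children(c_body):
                    if r_cls in ("vzRsAnyToCons", "vzRsAnyToProv"):
                        findings.append(("VZANY_CONTRACT", vrf, f"{r_cls} -> {r_attrs['tnVzBrCPName']}"))
        elif cls == "fvBD":
            for c_cls, c_attrs, _ in _children(body):
                if c_cls == "fvRsCtx":
                    bd_to_vrf[attrs["name"]] = c_attrs["tnFvCtxName"]

    # Pass 2: EPGs included in the Preferred Group (BDs may be listed after APs).
    for cls, attrs, body in _children(tenant):
        if cls != "fvAp":
            continue
        for e_cls, e_attrs, e_body in _children(body):
            if e_cls != "fvAEPg" or e_attrs.get("prefGrMemb") != "include":
                continue
            bd = next((a["tnFvBDName"] for c, a, _ in _children(e_body) if c == "fvRsBd"), None)
            target = f"{attrs['name']}/{e_attrs['name']}"
            findings.append(("EPG_IN_PREFERRED_GROUP", target, f"VRF {bd_to_vrf.get(bd, 'unknown')}"))
    return findings


if __name__ == "__main__":
    for kind, obj, detail in audit(SAMPLE_EXPORT):
        print(f"{kind:24} {obj:20} {detail}")
```

Run it against a real export (for example the JSON saved from the tenant's "Save as" action) and any `VRF_UNENFORCED`, `PREFERRED_GROUP_ENABLED` or `VZANY_CONTRACT` line on the VRF that both the Production and DMZ EPGs sit in explains the cross-talk; the `EPG_IN_PREFERRED_GROUP` lines tell you which EPGs are bypassing contracts through the group.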