
Tenant isolation problems with VMM and Virtual Switch

I am scratching my head on an issue within my ACI environment; we have a Production Tenant and a DMZ Tenant.  The hosts are attached to two leaf switches as a vPC, all are using the same Attached Entity Profile, the use of Bridge Domains varies.


My Server Team has been using a single virtual switch for the VMs, within the ACI that has both Production (Tenant and contained EPGs) and DMZ connections.  The problem is that any isolation has disappeared and there is communication between the Production and DMZ.  None of the systems affected are "live" and operational.


I have been researching any information available on the web, but seem to have exhausted anything that will tell me if I need separate Attached Entity Profiles (as opposed to one "all-inclusive") or any other design/implementation considerations.  Any thoughts or information anyone might be able to offer to help increase my knowledge so that I can solve this problem, ensure isolation and have a solid design when this goes live?  Thank you in advance!


Cisco Employee

Re: Tenant isolation problems with VMM and Virtual Switch

Of course I do not know your entire setup, but I can comment based on your original question as best I can. 

The number of AEPs is irrelevant here.  In the most generic sense, isolation happens via policy at the EPG level, that is to say contracts and filters.  As a recap (you likely already know, but just in case), any EPs in the same EPG can communicate without any contracts needed.  Any EPs across different EPGs must have a contract that allows communication. 

There are some other knobs that can play a role here too. 

My guess is that either you have a contract in place that allows DMZ to talk to Production and you just don't know it (such as the use of vzAny contracts under the VRF), or you have put the DMZ and Production EPGs into what is called a Preferred Group (which removes the need for contracts among its members), or you may have simply disabled contract enforcement for the entire VRF altogether (maybe by mistake).

I would check those things first.  I'll wager it is one of them, or something along those lines.
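The three checks listed in this reply can be automated against an APIC REST export. The script below is an added example, not code from this thread or from Cisco; it assumes the standard ACI object names (fvCtx/pcEnfPref, vzAny with vzRsAnyToProv/vzRsAnyToCons and prefGrMemb, fvAEPg/prefGrMemb) and runs over a constructed sample reply rather than a live fabric.

```python
import json

# Constructed sample shaped like an APIC REST "imdata" reply for one VRF and its EPGs
# (assumption: these are the standard ACI class/attribute names; the values are made up).
SAMPLE = json.dumps({"imdata": [
    {"fvCtx": {"attributes": {"dn": "uni/tn-Prod/ctx-Shared", "pcEnfPref": "unenforced"},
               "children": [{"vzAny": {"attributes": {"prefGrMemb": "enabled"}, "children": [
                   {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "permit-any"}}},
                   {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "permit-any"}}}]}}]}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-Prod/ap-App/epg-Web", "prefGrMemb": "include"}}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-DMZ/ap-App/epg-Proxy", "prefGrMemb": "include"}}},
    {"fvAEPg": {"attributes": {"dn": "uni/tn-DMZ/ap-App/epg-DB", "prefGrMemb": "exclude"}}},
]})


def audit_isolation(raw_json):
    """Return (check, dn, detail) tuples for every setting that lets EPGs talk
    without an explicit contract: VRF unenforced, vzAny contracts, preferred group."""
    findings = []
    for obj in json.loads(raw_json)["imdata"]:
        cls, body = next(iter(obj.items()))   # each imdata entry is {"<class>": {...}}
        attrs = body["attributes"]
        if cls == "fvCtx":
            if attrs.get("pcEnfPref") == "unenforced":
                findings.append(("vrf_unenforced", attrs["dn"],
                                 "policy enforcement off: every EPG in the VRF can reach every other"))
            for child in body.get("children", []):
                if "vzAny" not in child:
                    continue
                vz = child["vzAny"]
                if vz["attributes"].get("prefGrMemb") == "enabled":
                    findings.append(("preferred_group_enabled", attrs["dn"],
                                     "preferred group on: 'include' EPGs need no contract among themselves"))
                for rel in vz.get("children", []):
                    rcls, rbody = next(iter(rel.items()))
                    if rcls in ("vzRsAnyToProv", "vzRsAnyToCons"):
                        findings.append(("vzany_contract", attrs["dn"],
                                         f"{rcls} -> {rbody['attributes']['tnVzBrCPName']}"))
        elif cls == "fvAEPg" and attrs.get("prefGrMemb") == "include":
            findings.append(("preferred_group_member", attrs["dn"], "EPG is in the preferred group"))
    return findings


if __name__ == "__main__":
    for check, dn, detail in audit_isolation(SAMPLE):
        print(f"{check:24} {dn}: {detail}")
```

On a real fabric, feed it the JSON from a query such as the VRF subtree with `rsp-subtree=full` plus the tenant's EPGs; any finding is a place where Production and DMZ could be talking without a contract you wrote.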