Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2265
Views
5
Helpful
7
Replies

ACI EPG and Contracts

rohandec1980
Level 1
Level 1

‎07-18-2020 03:57 PM

Hi

 

I have 2 EPGs,

 

EPG A has a single host(virtual appliance) with IP of 10.1.1.1, BD Subnet 10.1.1.0/24.

 

EPG B has 50 hosts in the IP range 10.2.2.0/24 configured on BD subnet.

 

How can i use contracts to limit communication from EPG A to only 4 hosts in EPG B [10.2.2.5, 10.2.2.6,10.2.2.7,10.2.2.8].

 

Is that possible?

 

Regards

Rohan 

Labels:
0 Helpful
7 Replies 7

Francesco Molino
VIP Alumni
VIP Alumni

‎07-18-2020 08:09 PM

Hi

Yes you can create a contract between EPGs and then filter the traffic you to allow.
Here a link showing you how that works:
https://www.cisco.com/c/m/en_us/products/data-center/software-demos/aci/creating-a-contract-between-epgs.html

Hope I understood your question correctly and answered it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

rohandec1980
Level 1
Level 1
In response to Francesco Molino

‎07-19-2020 12:52 AM

Hi Francesco

 

My query is how can i use contracts to limit communication from EPG A to only 4 hosts in EPG B [10.2.2.5, 10.2.2.6,10.2.2.7,10.2.2.8] and not the whole EPG B.

 

Is that possible, or would i have to break up EPG B into smaller EPGs to do that?

 

Regards

Rohan

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to rohandec1980

‎07-19-2020 06:29 PM

Ok now i got it right.
You can do this different ways, for example use a pbr if you have firewall to filter traffic but the most simple way is to redefine your EPGs in a more granular way do you'll be able to apply a contract between them. So your EPG should be split in 2 EPGs (1 for the whole subnet and 1 for the few endpoints you want to filter).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to rohandec1980

‎07-19-2020 10:07 PM - edited ‎07-19-2020 10:12 PM

Hi @rohandec1980 

You can create a uEPG containing 10.2.2.5, 10.2.2.6,10.2.2.7,10.2.2.8, and you can apply the contract between the uEPG and EPG-A.

For everything else regarding policy enforcement on uEPG, you can inherit the contracts from EPG-B.

 

For more details about micro-segmentation, have a look on the config guide and ciscolive presos:

  • Config guide:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/virtualization/Cisco-ACI-Virtualization-Guide-42x/Cisco-ACI-Virtualization-Guide-421_chapter_0100.html 

  • Ciscolive lab:

https://aci-lab.ciscolive.com/lab/pod21/segmentation/mseg 

Stay safe,

Sergiu

rohandec1980
Level 1
Level 1
In response to Sergiu.Daniluk

‎07-26-2020 05:43 AM

Hi Sergiu

 

In case of micro segmentation the 4 hosts in epg b which are part of the uEPG will not be able to communicate with rest of EPGB members. Is that right?

 

My requirement is to make sure EPGA can only talk to some members of EPG B. The only possible solution seems splitting up EPGB into smaller epgs.

 

Regards

Rohan 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to rohandec1980

‎07-28-2020 06:29 PM

I will personally go with smaller epg as i said before. Easier in that specific case.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to rohandec1980

‎07-30-2020 01:36 AM

Hi,

That is correct. You will need contracts if you need communication between uEPG and base EPG.

 

Stay safe,

Sergiu

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card