Intra-EPG Isolation Enforcement and Cisco ACI

Similar documents
Intra-EPG Isolation Enforcement and Cisco ACI

Intra-EPG Isolation Enforcement and Cisco ACI

Q-in-Q Encapsulation Mapping for EPGs

Using Cisco APIC to Deploy an EPG on a Specific Port

Microsegmentation with Cisco ACI

Microsegmentation with Cisco ACI

Cisco ACI Virtual Machine Networking

Cisco ACI with Red Hat Virtualization 2

Cisco ACI Virtual Machine Networking

Tenants. ACI Tenancy Models. ACI Tenancy Models, on page 1 Application Profile, on page 3

IGMP Snooping. About Cisco APIC and IGMP Snooping. How IGMP Snooping is Implemented in the ACI Fabric. This chapter contains the following sections:

Basic User Tenant Configuration

Configuring FC Connectivity Using the REST API, on page 12

Cisco ACI Virtual Machine Networking

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

Virtual Machine Manager Domains

Using a Service Graph Template

Routed Connectivity to External Networks

Networking Domains. Physical domain profiles (physdomp) are typically used for bare metal server attachment and management access.

Configuring Copy Services

Cisco APIC and Static Management Access

Cisco ACI Terminology ACI Terminology 2

Cisco ACI Virtual Machine Networking

Quick Start Guide (SDN)

Cisco ACI vcenter Plugin

Configuring Layer 4 to Layer 7 Resource Pools

Cisco ACI with Cisco AVS

Cisco ACI Virtual Machine Networking

802.1Q Tunnels. About ACI 802.1Q Tunnels

Use Case: Three-Tier Application with Transit Topology

Configuring Policy-Based Redirect

Switch Virtual Interface

Virtualization Design

Configuring Policy-Based Redirect

Cisco ACI and Cisco AVS

Layer 4 to Layer 7 Design

Schema Management. Schema Management

Practical Applications of Cisco ACI Micro Segmentation

Quick Start Guide (SDN)

Cisco HyperFlex Systems

Provisioning Layer 2 Networks

Page 2

Multi-Site Use Cases. Cisco ACI Multi-Site Service Integration. Supported Use Cases. East-West Intra-VRF/Non-Shared Service

Configuring Policy-Based Redirect

Remote Leaf Switches

Cisco ACI Virtualization Guide, Release 2.1(1)

Cisco ACI Virtualization Guide, Release 2.2(1)

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

Integration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit

Cisco ACI Virtualization Guide, Release 2.2(2)

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

Configuring Direct Server Return

Working with Contracts

Layer 4 to Layer 7 Service Insertion, page 1

5 days lecture course and hands-on lab $3,295 USD 33 Digital Version

Management. Management Workflows. ACI Management Access Workflows. This chapter contains the following sections:

DevNet Technical Breakout: Introduction to ACI Programming and APIs.

Cisco UCS Director Tech Module Cisco Application Centric Infrastructure (ACI)

Configuring APIC Accounts

Provisioning Core ACI Fabric Services

Design Guide for Cisco ACI with Avi Vantage

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco ACI Multi-Site Fundamentals Guide

Configure. Background. Register the FTD Appliance

This chapter contains the following sections: Shared Layer 3 Out, on page 1 Layer 3 Out to Layer 3 Out Inter-VRF Leaking, on page 4

ACI 3.0 update. Brian Kvisgaard, System Engineer - Datacenter Switching

Cisco ACI Multi-Site, Release 1.1(1), Release Notes

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018

Access Policies configured and interfaces up and in service EPG, Bridge Domain (BD) and Virtual Routing and Forwarding (VRF) already configured

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Modeling an Application with Cisco ACI Multi-Site Policy Manager

Cisco ACI Simulator Release Notes, Release 1.1(1j)

Cisco Application Centric Infrastructure (ACI) Simulator

Cisco ACI and Route Maps Using Explicit Prefix List

Cisco ACI and Pivotal Cloud Foundry Integration 2

SharkFest 16. Cisco ACI and Wireshark. Karsten Hecker Senior Technical Instructor Fast Lane Germany. Getting Back Our Data

Static VLAN Pools that will be used for the encapsulation VLAN between the external devices

Configuring Fabric and Interfaces

Building NFV Solutions with OpenStack and Cisco ACI

Service Insertion with ACI using F5 iworkflow

Service Graph Design with Cisco Application Centric Infrastructure

Cisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction

New and Changed Information

Cisco UCS Director and ACI Advanced Deployment Lab

Cisco IT Compute at Scale on Cisco ACI

Cisco ACI Virtualization Guide, Release 1.1(1j)

Integrating Cisco UCS with Cisco ACI

Configuring a Device Cluster (Logical Device)

Integration of Hypervisors and L4-7 Services into an ACI Fabric

Question No: 3 Which configuration is needed to extend the EPG out of the Cisco ACI fabric?

Configuring a Service Graph

Toggling Between Basic and Advanced GUI Modes

Routing Design. Transit Routing. About Transit Routing

Understanding PVLANs in UCS

Cisco APIC in a Cisco ACI Multi-Site Topology New and Changed Information 2

2018 Cisco and/or its affiliates. All rights reserved.

F5 BIG-IP Local Traffic Manager Service Insertion with Cisco Application Centric Infrastructure

Tenant Onboarding. Tenant Onboarding Overview. Tenant Onboarding with Virtual Data Centers

ACI Fabric Endpoint Learning

Transcription:

This chapter contains the following sections: Intra-EPG Isolation for VMware vds, page 1 Configuring Intra-EPG Isolation for VMware vds using the GUI, page 3 Configuring Intra-EPG Isolation for VMware vds using the NX-OS Style CLI, page 3 Configuring Intra-EPG Isolation for VMware vds using the REST API, page 5 Intra-EPG Isolation for VMware vds Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are contained in the same base EPG or useg EPG from communicating with each other. By default endpoint devices included in the same EPG are allowed to communicate with one another; however, conditions exist in which total isolation of the endpoint devices from on another within an EPG is desirable. For example, if the endpoint VMs in the same EPG belong to multiple tenants, or if you want to prevent the possible spread of a virus that might infect one VM from spreading to all VMs in an EPG, intra-epg isolation might be desirable to enforce. An ACI virtual machine manager (VMM) domain creates an isolated PVLAN port group at the VMware vds switch for each EPG that has intra-epg isolation enabled. A fabric administrator specifies primary encapsulation or the fabric dynamically specifies primary encapsulation at the time of EPG-to-VMM domain association. When the fabric administrator selects the VLAN-pri and VLAN-sec values statically, the VMM domain validates that the VLAN-pri and VLAN-sec are part of a static block in the domain pool. Note When intra-epg isolation is not enforced, the VLAN-pri value is ignored even if it is specified in the configuration. VLAN-pri/VLAN-sec pairs for the vds switch are selected per VMM domain during the EPG-to-domain association. The port group created for the intra-epg isolation EPGs uses the VLAN-sec tagged with type set to PVLAN. The vds and fabric swap the VLAN-pri/VLAN-sec encapsulation: Communication from the ACI fabric to the vds switch uses VLAN-pri. 1

Intra-EPG Isolation for VMware vds Communication from the vds switch to the ACI fabric uses VLAN-sec. Figure 1: Intra-EPG Isolation for VMware vds Note these details regarding this illustration: 1 EPG-DB sends VLAN traffic to the ACI leaf switch. The ACI egress leaf switch encapsulates traffic with a primary VLAN (PVLAN) tag and forwards it to the Web-EPG endpoint. 2 The vds switch sends traffic to the ACI leaf switch using VLAN-sec. The ACI leaf switch drops all intra-epg traffic because isolation is enforced for all intra VLAN-sec traffic within the Web-EPG. 3 The vds VLAN-sec uplink to the ACI Leaf is in isolated trunk mode. The ACI leaf switch uses VLAN-pri for downlink traffic to the vds switch. 4 The PVLAN map is configured in the vds and ACI leaf switches. VM traffic from WEB-EPG is encapsulated in VLAN-sec. The vds switch denies local intra-web EPG VM traffic according to the PVLAN tag. All intra-esxi host VM traffic is sent to the ACI leaf using VLAN-sec Related Topics For information on configuring intra-epg isolation in a Cisco AVS environment, see Intra-EPG Isolation Enforcement for Cisco AVS. 2

Configuring Intra-EPG Isolation for VMware vds using the GUI Configuring Intra-EPG Isolation for VMware vds using the GUI Procedure Step 1 Step 2 In a tenant, right click on an Application Profile, and open the Create Application EPG dialog box to perform the following actions: a) In the Name field, add the EPG name (intra_epg-deny). b) For Intra EPG Isolation, click Enforced. c) In the Bridge Domain field, choose the bridge domain from the drop-down list (bd1). d) Associate the EPG with a bare metal/physical domain interface or with a VM Domain. For the VM Domain case, check the Associate to VM Domain Profiles check box. For the bare metal case, check the Statically Link with Leaves/Paths check box. e) Click Next. f) In the Step 2 for Specify the VM Domains area, expand Associate VM Domain Profiles and from the drop-down list, choose the desired VMM domain. Click Update and click OK. In the Domains dialog box, perform the following actions: a) In the Domain Profile field, choose a domain profile from the drop-down list (VMwarePVLAN). For the static case, in the Port Encap (or Secondary VLAN for Micro-Seg) field, specify the secondary VLAN (vlan-2005), and in the Primary VLAN for Micro-Seg field, specify the primary VLAN (vlan-2006). If the Encap fields are left blank, values will be allocated dynamically. Note For the static case, a static VLAN must be available in the VLAN pool. b) Choose a domain profile from the drop-down list (VMwareDVS). c) Click Update. d) Click Finish. Configuring Intra-EPG Isolation for VMware vds using the NX-OS Style CLI Procedure Step 1 In the CLI, create an intra-epg isolation EPG: The VMM case is below. apic1(config)# tenant Test_Isolation apic1(config-tenant)# application PVLAN apic1(config-tenant-app)# epg EPG1 apic1(config-tenant-app-epg)# show running-config # Command: show running-config 3

Configuring Intra-EPG Isolation for VMware vds using the NX-OS Style CLI Step 2 tenant Test_Isolation application PVLAN epg EPG1 tenant Test_Isolation application PVLAN epg EPG1 bridge-domain member VMM_BD contract consumer VMware_vDS-Ext contract consumer default contract provider Isolate_EPG vmware-domain member PVLAN encap vlan-2002 primary-encap vlan-2001 push on-demand <--- Assigns static primary & secondary encap to EPG. vmware-domain member mininet <--- If no static vlan assigned APIC assigns primary & secondary encap for isolated EPG. isolation enforce exit exit exit Verify the configuration: <---- This enables EPG isolation mode. show epg StaticEPG detail Application EPg Data: Tenant : Test_Isolation Application : PVLAN AEPg : StaticEPG BD : VMM_BD useg EPG : no Intra EPG Isolation : enforced Vlan Domains : VMM Consumed Contracts : VMware_vDS-Ext Provided Contracts : default,isolate_epg Denied Contracts : Qos Class : unspecified Tag List : VMM Domains: Domain Type Deployment Immediacy Resolution Immediacy State Encap Primary Encap -------------------- --------- -------------------- -------------------- -------------- ---------- ---------- DVS1 VMware On Demand immediate formed auto auto Static Leaves: Node Encap Deployment Immediacy Mode Modification Time ---------- ---------------- -------------------- ------------------ ------------------------------ Static Paths: Node Interface Encap Modification Time ---------- ------------------------------ ---------------- ------------------------------ 1018 eth101/1/1 vlan-100 2016-02-11T18:39:02.337-08:00 1019 eth1/16 vlan-101 2016-02-11T18:39:02.337-08:00 Static Endpoints: Node Interface Encap End Point MAC End Point IP Address Modification Time ---------- ------------------------------ ---------------- ----------------- ------------------------------ ------------------------------ Dynamic Endpoints: Encap: (P):Primary VLAN, (S):Secondary VLAN Node Interface Encap End Point MAC End Point IP Address Modification Time ---------- ------------------------------ ---------------- ----------------- 4

Configuring Intra-EPG Isolation for VMware vds using the REST API ------------------------------ ------------------------------ 1017 eth1/3 vlan-943(p) 00:50:56:B3:64:C4 --- 2016-02-17T18:35:32.224-08:00 vlan-944(s) Configuring Intra-EPG Isolation for VMware vds using the REST API Before You Begin Procedure Step 1 Send this HTTP POST message to deploy the application using the XML API. Step 2 POST https://apic-ip-address/api/mo/uni/tn-examplecorp.xml For a VMware vds VMM deployment, include this XML structure in the body of the POST message. <fvtenant name="tenant_vmm" > <fvap name="web"> <fvaepg name="intraepgdeny" pcenfpref="enforced"> <!-- pcenfpref="enforced" ENABLES ISOLATION--> <fvrsbd tnfvbdname="bd" /> <fvrspathatt tdn="topology/pod-1/paths-1017/pathep-[eth1/2]" encap="vlan-51" primaryencap="vlan-100" instrimedcy='immediate'/> <!-- STATIC ENCAP ASSOCIATION TO VMM DOMAIN--> <fvrsdomatt encap="vlan-2001" instrimedcy="lazy" primaryencap="vlan-2002" resimedcy="immediate" tdn="uni/vmmp-vmware/dom-dvs1 > </fvaepg> </fvap> </fvtenant> 5

Configuring Intra-EPG Isolation for VMware vds using the REST API 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback