Intra-EPG Isolation Enforcement and Cisco ACI


This chapter contains the following sections:

- Intra-EPG Isolation for VMware VDS or Microsoft vSwitch, on page 1
- Intra-EPG Isolation Enforcement for Cisco AVS, on page 6
- Intra-EPG Isolation Enforcement for Cisco ACI Virtual Edge, on page 10

Intra-EPG Isolation for VMware VDS or Microsoft vSwitch

Intra-EPG Isolation is an option to prevent physical or virtual endpoint devices that are in the same base EPG or uSeg EPG from communicating with each other. By default, endpoint devices included in the same EPG are allowed to communicate with one another. However, conditions exist in which total isolation of the endpoint devices from one another within an EPG is desirable. For example, you may want to enforce intra-EPG isolation if the endpoint VMs in the same EPG belong to multiple tenants, or to prevent the possible spread of a virus.

A Cisco ACI virtual machine manager (VMM) domain creates an isolated PVLAN port group at the VMware VDS or Microsoft vSwitch for each EPG that has intra-EPG isolation enabled. A fabric administrator specifies the primary encapsulation, or the fabric specifies it dynamically, at the time of EPG-to-VMM domain association. When the fabric administrator selects the VLAN-pri and VLAN-sec values statically, the VMM domain validates that the VLAN-pri and VLAN-sec are part of a static block in the domain pool.

Note: When intra-EPG isolation is not enforced, the VLAN-pri value is ignored even if it is specified in the configuration.

VLAN-pri/VLAN-sec pairs for the VMware VDS or Microsoft vSwitch are selected per VMM domain during the EPG-to-domain association. The port group created for the intra-EPG isolation EPGs uses the VLAN-sec tagged with type set to PVLAN. The VMware VDS or the Microsoft vSwitch and the fabric swap the VLAN-pri/VLAN-sec encapsulation:

- Communication from the Cisco ACI fabric to the VMware VDS or Microsoft vSwitch uses VLAN-pri.
- Communication from the VMware VDS or Microsoft vSwitch to the Cisco ACI fabric uses VLAN-sec.

Figure 1: Intra-EPG Isolation for VMware VDS or Microsoft vSwitch

Note these details regarding this illustration:

1. EPG-DB sends VLAN traffic to the Cisco ACI leaf switch. The Cisco ACI egress leaf switch encapsulates the traffic with a primary VLAN (PVLAN) tag and forwards it to the Web-EPG endpoint.
2. The VMware VDS or Microsoft vSwitch sends traffic to the Cisco ACI leaf switch using VLAN-sec. The Cisco ACI leaf switch drops all intra-EPG traffic because isolation is enforced for all intra-VLAN-sec traffic within the Web-EPG.
3. The VMware VDS or Microsoft vSwitch VLAN-sec uplink to the Cisco ACI leaf is in isolated trunk mode. The Cisco ACI leaf switch uses VLAN-pri for downlink traffic to the VMware VDS or Microsoft vSwitch.
4. The PVLAN map is configured in the VMware VDS or Microsoft vSwitch and in the Cisco ACI leaf switches. VM traffic from the Web-EPG is encapsulated in VLAN-sec. The VMware VDS or Microsoft vSwitch denies local intra-Web-EPG VM traffic according to the PVLAN tag. All intra-ESXi host or Microsoft Hyper-V host VM traffic is sent to the Cisco ACI leaf using VLAN-sec.

Related Topics

For information on configuring intra-EPG isolation in a Cisco AVS environment, see Intra-EPG Isolation Enforcement for Cisco AVS, on page 6.
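The VLAN-pri/VLAN-sec swap and the leaf's drop decision described above, modelled in Python as an added illustration (not Cisco code): the Epg and VlanPool classes, the two functions, and every VLAN number and EPG name are constructed for the demo, with the isolated EPG using the vlan-2001/vlan-2002 pair from the CLI example in this chapter.

```python
"""Model of the VLAN-pri/VLAN-sec swap that Cisco ACI uses for intra-EPG
isolation on a VMware VDS or Microsoft vSwitch (chapter text and Figure 1).

Added illustration, not Cisco code: the Epg/VlanPool classes and the two
functions are hypothetical, and all VLAN numbers and EPG names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Epg:
    name: str
    encap: int                           # VLAN-sec when isolated, the plain encap otherwise
    primary_encap: Optional[int] = None  # VLAN-pri; only meaningful when isolation is enforced
    isolation_enforced: bool = False

    def ingress_vlan(self) -> int:
        """Tag the leaf expects on frames arriving from the vSwitch uplink (VLAN-sec)."""
        return self.encap

    def egress_vlan(self) -> int:
        """Tag the leaf puts on frames it sends down to the vSwitch (VLAN-pri when isolated)."""
        if self.isolation_enforced and self.primary_encap is not None:
            return self.primary_encap
        return self.encap  # VLAN-pri is ignored unless isolation is enforced


@dataclass(frozen=True)
class VlanPool:
    """VMM domain VLAN pool made of (first, last, allocation mode) blocks."""
    blocks: Tuple[Tuple[int, int, str], ...]

    def in_static_block(self, vlan: int) -> bool:
        return any(lo <= vlan <= hi and mode == "static" for lo, hi, mode in self.blocks)


def validate_static_pair(epg: Epg, pool: VlanPool) -> List[str]:
    """Re-create the check the VMM domain performs at EPG-to-domain association:
    statically chosen VLAN-pri and VLAN-sec must both sit in a static block."""
    problems = []
    if not pool.in_static_block(epg.encap):
        problems.append(f"{epg.name}: vlan-{epg.encap} is not in a static block of the pool")
    if epg.primary_encap is not None:
        if not epg.isolation_enforced:
            problems.append(f"{epg.name}: primary vlan-{epg.primary_encap} is ignored (isolation not enforced)")
        elif not pool.in_static_block(epg.primary_encap):
            problems.append(f"{epg.name}: primary vlan-{epg.primary_encap} is not in a static block of the pool")
    return problems


def leaf_decision(frame_vlan: int, dst: Epg, epgs: List[Epg]) -> str:
    """What the ACI leaf does with a frame received on the vSwitch uplink,
    tagged frame_vlan and destined for an endpoint in dst."""
    src = next((e for e in epgs if e.ingress_vlan() == frame_vlan), None)
    if src is None:
        # An isolated EPG is only ever received on VLAN-sec; VLAN-pri is downlink-only.
        return f"drop: no EPG expects vlan-{frame_vlan} from the vSwitch"
    if src == dst:
        if src.isolation_enforced:
            return f"drop: intra-EPG isolation enforced in {src.name}"
        return f"forward to {dst.name}, tagged vlan-{dst.egress_vlan()}"
    # Isolation never affects inter-EPG traffic; that is still governed by contracts.
    return f"forward to {dst.name} subject to contract, tagged vlan-{dst.egress_vlan()}"


# Constructed sample: the Web-EPG/DB-EPG pair from Figure 1, with the VLAN pair
# used for the isolated EPG in the chapter's CLI example.
WEB = Epg("Web-EPG", encap=2001, primary_encap=2002, isolation_enforced=True)
DB = Epg("DB-EPG", encap=100)
EPGS = [WEB, DB]
POOL = VlanPool(blocks=((100, 199, "static"), (2001, 2002, "static"), (1000, 1999, "dynamic")))


def demo() -> Dict[str, str]:
    return {
        "web_to_web": leaf_decision(2001, WEB, EPGS),        # VLAN-sec in, same isolated EPG
        "web_to_db": leaf_decision(2001, DB, EPGS),          # inter-EPG, contract decides
        "db_to_web": leaf_decision(100, WEB, EPGS),          # downlink to Web uses VLAN-pri 2002
        "pri_from_vswitch": leaf_decision(2002, WEB, EPGS),  # VLAN-pri never arrives on ingress
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18} {verdict}")
    print(validate_static_pair(Epg("Bad", 1500, 1501, True), POOL))
```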

Configuring Intra-EPG Isolation for VMware VDS or Microsoft vSwitch Using the GUI

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants > tenant.
Step 3  In the left navigation pane, expand the Application Profiles folder and the appropriate application profile.
Step 4  Right-click the Application EPGs folder and then choose Create Application EPG.
Step 5  In the Create Application EPG dialog box, complete the following steps:
        a) In the Name field, add the EPG name.
        b) In the Intra EPG Isolation area, click Enforced.
        c) In the Bridge Domain field, choose the bridge domain from the drop-down list.
        d) Associate the EPG with a bare metal/physical domain interface or with a VM Domain. For the VM Domain case, check the Associate to VM Domain Profiles check box. For the bare metal case, check the Statically Link with Leaves/Paths check box.
        e) Click Next.
        f) In the Associated VM Domain Profiles area, click the + icon.
        g) From the Domain Profile drop-down list, choose the desired VMM domain. For the static case, in the Port Encap (or Secondary VLAN for Micro-Seg) field, specify the secondary VLAN, and in the Primary VLAN for Micro-Seg field, specify the primary VLAN. If the Encap fields are left blank, values are allocated dynamically.
           Note: For the static case, a static VLAN must be available in the VLAN pool.
Step 6  Click Update and click Finish.

Configuring Intra-EPG Isolation for VMware VDS or Microsoft vSwitch Using the NX-OS Style CLI

In the CLI, create an intra-EPG isolation EPG. The following example is for VMware VDS:

```
apic1(config)# tenant Test_Isolation
apic1(config-tenant)# application PVLAN
apic1(config-tenant-app)# epg EPG1
apic1(config-tenant-app-epg)# show running-config
# Command: show running-config tenant Tenant_VMM application Web epg intraepgdeny
  tenant Tenant_VMM
    application Web
      epg intraepgdeny
        bridge-domain member VMM_BD
        vmware-domain member PVLAN encap vlan-2001 primary-encap vlan-2002 push on-demand
        vmware-domain member mininet
        isolation enforce
apic1(config-tenant-app-epg)#
```

The following example is for Microsoft vSwitch:

```
apic1(config)# tenant Test_Isolation
apic1(config-tenant)# application PVLAN
apic1(config-tenant-app)# epg EPG1
apic1(config-tenant-app-epg)# show running-config
# Command: show running-config tenant Tenant_VMM application Web epg intraepgdeny
  tenant Tenant_VMM
    application Web
      epg intraepgdeny
        bridge-domain member VMM_BD
        microsoft-domain member domain1 encap vlan-2003 primary-encap vlan-2004
        microsoft-domain member domain2
        isolation enforce
apic1(config-tenant-app-epg)#
```

Verify the configuration:

```
show epg StaticEPG detail
Application EPg Data:
Tenant              : Test_Isolation
Application         : PVLAN
AEPg                : StaticEPG
BD                  : VMM_BD
uSeg EPG            : no
Intra EPG Isolation : enforced
Vlan Domains        : VMM
Consumed Contracts  : VMware_vDS-Ext
Provided Contracts  : default,isolate_epg
Denied Contracts    :
Qos Class           : unspecified
Tag List            :
VMM Domains:
Domain               Type      Deployment Immediacy  Resolution Immediacy  State          Encap      Primary
                                                                                                     Encap
-------------------- --------- -------------------- -------------------- -------------- ---------- ----------
DVS1                 VMware    On Demand            immediate            formed         auto       auto

Static Leaves:
Node       Encap            Deployment Immediacy  Mode               Modification Time
---------- ---------------- -------------------- ------------------ ------------------------------

Static Paths:
Node       Interface                      Encap            Modification Time
---------- ------------------------------ ---------------- ------------------------------
1018       eth101/1/1                     vlan-100         2016-02-11T18:39:02.337-08:00
1019       eth1/16                        vlan-101         2016-02-11T18:39:02.337-08:00

Static Endpoints:
Node       Interface                      Encap            End Point MAC     End Point IP Address           Modification Time
---------- ------------------------------ ---------------- ----------------- ------------------------------ ------------------------------

Dynamic Endpoints:
Encap: (P):Primary VLAN, (S):Secondary VLAN
Node       Interface                      Encap            End Point MAC     End Point IP Address           Modification Time
---------- ------------------------------ ---------------- ----------------- ------------------------------ ------------------------------
1017       eth1/3                         vlan-943(P)      00:50:56:B3:64:C4 ---                            2016-02-17T18:35:32.224-08:00
                                          vlan-944(S)
```

Configuring Intra-EPG Isolation for VMware VDS or Microsoft vSwitch Using the REST API

Send this HTTP POST message to deploy the application using the XML API.

POST https://apic-ip-address/api/mo/uni/tn-examplecorp.xml

For a VMware VDS or Microsoft vSwitch deployment, include one of the following XML structures in the body of the POST message. The following example is for VMware VDS:

```
<fvTenant name="tenant_vmm">
  <fvAp name="web">
    <fvAEPg name="intraepgdeny" pcEnfPref="enforced">
      <!-- pcEnfPref="enforced" ENABLES ISOLATION -->
      <fvRsBd tnFvBDName="bd" />
      <!-- STATIC ENCAP ASSOCIATION TO VMM DOMAIN -->
      <fvRsDomAtt encap="vlan-2001" instrImedcy="lazy" primaryEncap="vlan-2002"
                  resImedcy="immediate" tDn="uni/vmmp-VMware/dom-dvs1" />
    </fvAEPg>
  </fvAp>
</fvTenant>
```

The following example is for Microsoft vSwitch:

```
<fvTenant name="tenant_vmm">
  <fvAp name="web">
    <fvAEPg name="intraepgdeny" pcEnfPref="enforced">
      <!-- pcEnfPref="enforced" ENABLES ISOLATION -->
      <fvRsBd tnFvBDName="bd" />
      <!-- STATIC ENCAP ASSOCIATION TO VMM DOMAIN -->
      <fvRsDomAtt tDn="uni/vmmp-Microsoft/dom-domain1" />
      <fvRsDomAtt encap="vlan-2004" instrImedcy="lazy" primaryEncap="vlan-2003"
                  resImedcy="immediate" tDn="uni/vmmp-Microsoft/dom-domain2" />
    </fvAEPg>
  </fvAp>
</fvTenant>
```

Intra-EPG Isolation Enforcement for Cisco AVS

By default, endpoints within an EPG can communicate with each other without any contracts in place. However, you can isolate endpoints within an EPG from each other. In some instances, you might want to enforce endpoint isolation within an EPG to prevent a VM with a virus or other problem from affecting other VMs in the EPG.

You can configure isolation on all or none of the endpoints within an application EPG; you cannot configure isolation on some endpoints but not on others.

Isolating endpoints within an EPG does not affect any contracts that enable the endpoints to communicate with endpoints in another EPG.

Isolating endpoints within an EPG triggers a fault when the EPG is associated with Cisco AVS domains in VLAN mode.

Note: Using intra-EPG isolation on a Cisco AVS microsegment (uSeg) EPG is not currently supported. Communication is possible between two endpoints that reside in separate uSeg EPGs if either has intra-EPG isolation enforced, regardless of any contract that exists between the two EPGs.

Configuring Intra-EPG Isolation for Cisco AVS Using the GUI

Follow this procedure to create an EPG in which the endpoints of the EPG are isolated from each other. The port that the EPG uses must belong to one of the VM Managers (VMMs).

Note: This procedure assumes that you want to isolate endpoints within an EPG when you create the EPG. If you want to isolate endpoints within an existing EPG, select the EPG in Cisco APIC, and in the Properties pane, in the Intra EPG Isolation area, choose Enforced, and then click SUBMIT.

Make sure that Cisco AVS is in VXLAN mode.

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants, expand the folder for the tenant, and then expand the Application Profiles folder.
Step 3  Right-click an application profile, and choose Create Application EPG.
Step 4  In the Create Application EPG dialog box, complete the following actions:
        a) In the Name field, enter the EPG name.
        b) In the Intra EPG Isolation area, click Enforced.
        c) From the Bridge Domain drop-down list, choose the bridge domain.
        d) Check the Associate to VM Domain Profiles check box.
        e) Click Next.
        f) In the Associate VM Domain Profiles area, click the plus icon, and from the Domain Profile drop-down list, choose the desired VMM domain.
        g) Click Update and click FINISH.

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choosing Statistics to View for Isolated Endpoints on Cisco AVS and Viewing Statistics for Isolated Endpoints on Cisco AVS in this guide.

Configuring Intra-EPG Isolation for Cisco AVS Using the NX-OS Style CLI

Make sure that Cisco AVS is in VXLAN mode.

In the CLI, create an intra-EPG isolation EPG:

```
# Command: show running-config tenant TENANT1 application APP1 epg EPG1
  bridge-domain member VMM_BD
  vmware-domain member VMMDOM1
  isolation enforce   <---- This puts the EPG into isolation mode.
```

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choosing Statistics to View for Isolated Endpoints on Cisco AVS and Viewing Statistics for Isolated Endpoints on Cisco AVS in this guide.

Configuring Intra-EPG Isolation for Cisco AVS Using the REST API

Make sure that Cisco AVS is in VXLAN mode.

Send this HTTP POST message to deploy the application using the XML API.

POST https://192.0.20.123/api/mo/uni/tn-examplecorp.xml

For a VMM deployment, include the XML structure in the following example in the body of the POST message.

```
<fvTenant name="tenant_vmm">
  <fvAp name="web">
    <fvAEPg name="intraepgdeny" pcEnfPref="enforced">
      <!-- pcEnfPref="enforced" ENABLES ISOLATION -->
      <fvRsBd tnFvBDName="bd" />
      <fvRsDomAtt encap="vlan-2001" tDn="uni/vmmp-VMware/dom-dvs1" />
    </fvAEPg>
  </fvAp>
</fvTenant>
```

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choosing Statistics to View for Isolated Endpoints on Cisco AVS and Viewing Statistics for Isolated Endpoints on Cisco AVS in this guide.

Choosing Statistics to View for Isolated Endpoints on Cisco AVS

If you configured intra-EPG isolation on a Cisco AVS, you need to choose statistics such as denied connections, received packets, or transmitted multicast packets for the endpoints before you can view them.

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants > tenant.
Step 3  In the tenant navigation pane, choose Application Profiles > profile > Application EPGs, and then choose the EPG that contains the endpoint whose statistics you want to view.
Step 4  In the EPG Properties work pane, click the Operational tab to display the endpoints in the EPG.
Step 5  Double-click the endpoint.
Step 6  In the Properties dialog box for the endpoint, click the Stats tab and then click the check icon.
Step 7  In the Select Stats dialog box, in the Available pane, choose the statistics that you want to view for the endpoint and then use the right-pointing arrow to move them into the Selected pane.
Step 8  Click SUBMIT.

Viewing Statistics for Isolated Endpoints on Cisco AVS

If you configured intra-EPG isolation on a Cisco AVS, once you have chosen statistics for the endpoints, you can view them.

You must have chosen statistics to view for isolated endpoints. See "Choosing Statistics to View for Isolated Endpoints on Cisco AVS" in this guide for instructions.

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants > tenant.
Step 3  In the tenant navigation pane, choose Application Profiles > profile > Application EPGs, and then choose the EPG that contains the endpoint whose statistics you want to view.
Step 4  In the EPG Properties work pane, click the Stats tab to display the statistics for the EPG.

The central pane displays the statistics that you chose earlier. You can change the view by clicking the table view or chart view icon on the upper right side of the work pane.

Intra-EPG Isolation Enforcement for Cisco ACI Virtual Edge

By default, endpoints within an EPG can communicate with each other without any contracts in place. However, you can isolate endpoints within an EPG from each other. For example, you may want to enforce endpoint isolation within an EPG to prevent a VM with a virus or other problem from affecting other VMs in the EPG.

You can configure isolation on all or none of the endpoints within an application EPG; you cannot configure isolation on some endpoints but not on others.

Isolating endpoints within an EPG does not affect any contracts that enable the endpoints to communicate with endpoints in another EPG.

Note: Enforcing intra-EPG isolation is not supported for an EPG that is associated with Cisco ACI Virtual Edge domains in VLAN mode. If you try to enforce intra-EPG isolation with such an EPG, a fault is triggered.

Note: Using intra-EPG isolation on a Cisco ACI Virtual Edge microsegment (uSeg) EPG is not currently supported.

Note: Proxy ARP is not supported for Cisco ACI Virtual Edge EPGs that use VXLAN encapsulation and on which intra-EPG isolation is enforced. Therefore, intra-subnet communication is not possible between intra-EPG isolated EPGs even though contracts are in place between those Cisco ACI Virtual Edge (VXLAN) EPGs.

Configure Intra-EPG Isolation for Cisco ACI Virtual Edge Using the GUI

Follow this procedure to create an EPG in which the endpoints of the EPG are isolated from each other. The port that the EPG uses must belong to one of the VM Managers (VMMs).

Note: This procedure assumes that you want to isolate endpoints within an EPG when you create the EPG. If you want to isolate endpoints within an existing EPG, select the EPG in Cisco APIC, and in the Properties pane, in the Intra EPG Isolation area, choose Enforced, and then click SUBMIT.

Make sure that VXLAN-related configuration is present on the Cisco ACI Virtual Edge VMM domain, particularly a Cisco ACI Virtual Edge fabric-wide multicast address and a pool of multicast addresses (one per EPG).

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants, expand the folder for the tenant, and then expand the Application Profiles folder.
Step 3  Right-click an application profile, and choose Create Application EPG.
Step 4  In the Create Application EPG dialog box, complete the following steps:
        a) In the Name field, enter the EPG name.
        b) In the Intra EPG Isolation area, click Enforced.
        c) From the Bridge Domain drop-down list, choose the bridge domain.
        d) Check the Associate to VM Domain Profiles check box.
        e) Click Next.
        f) In the Associate VM Domain Profiles area, complete the following steps:
           - Click the + (plus) icon, and from the Domain Profile drop-down list, choose the desired Cisco ACI Virtual Edge VMM domain.
           - From the Switching Mode drop-down list, choose AVE.
           - From the Encap Mode drop-down list, choose VXLAN or Auto. If you choose Auto, make sure that the encapsulation mode of the Cisco ACI Virtual Edge VMM domain is VXLAN.
           - (Optional) Choose other configuration options appropriate to your setup.
        g) Click Update and click Finish.

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 13 and View Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 14 in this guide.

Configure Intra-EPG Isolation for Cisco ACI Virtual Edge Using the NX-OS Style CLI

Make sure that VXLAN-related configuration is present on the Cisco ACI Virtual Edge VMM domain, particularly a Cisco ACI Virtual Edge fabric-wide multicast address and a pool of multicast addresses (one per EPG).

In the CLI, create an intra-EPG isolation EPG:

```
# Command: show running-config tenant Tenant2 application AP-1 epg EPG-61
  tenant Tenant2
    application AP-1
      epg EPG-61
        bridge-domain member BD-61
        vmware-domain member D-AVE-SITE-2-3 switching-mode AVE encap-mode vxlan
        isolation enforce   # This puts the EPG into isolation mode.
```

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 13 and View Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 14 in this guide.

Configure Intra-EPG Isolation for Cisco ACI Virtual Edge Using the REST API

Make sure that VXLAN-related configuration is present on the Cisco ACI Virtual Edge VMM domain, particularly a Cisco ACI Virtual Edge fabric-wide multicast address and a pool of multicast addresses (one per EPG).

Send this HTTP POST message to deploy the application using the XML API.

POST https://10.197.139.36/api/mo/uni/tn-tenant2.xml

For a VMM deployment, include the XML structure in the following example in the body of the POST message.

```
<fvTenant name="tenant2">
  <fvAp name="ap-1">
    <fvAEPg name="epg-61" pcEnfPref="enforced">
      <!-- pcEnfPref="enforced" ENABLES ISOLATION -->
      <!-- pcEnfPref="unenforced" DISABLES ISOLATION -->
      <fvRsBd tnFvBDName="bd-61" />
      <fvRsDomAtt switchingMode="AVE" encapMode="vxlan" resImedcy="immediate"
                  tDn="uni/vmmp-VMware/dom-d-ave-site-1-xxiii">
      </fvRsDomAtt>
    </fvAEPg>
  </fvAp>
</fvTenant>
```
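The fvAEPg POST bodies shown for VDS, Microsoft vSwitch, AVS and Virtual Edge share one shape; as an added example (not Cisco code), the following Python builds that body and audits a tenant subtree for the three isolation mistakes this chapter describes: isolation left unenforced, a primaryEncap that is silently ignored because isolation is unenforced, and enforced isolation on an AVE/AVS attach in VLAN mode, which raises a fault. The class and attribute names are the ones used in the chapter's XML; the helper functions, EPG names and the sample tenant are constructed.

```python
"""Build and audit the fvAEPg intra-EPG isolation payloads shown in this chapter.

Added example, not Cisco code. The APIC class and attribute names (fvTenant,
fvAp, fvAEPg, pcEnfPref, fvRsBd, tnFvBDName, fvRsDomAtt, encap, primaryEncap,
switchingMode, encapMode, tDn) are the ones used in the chapter's POST bodies;
the helper functions, EPG names and the sample tenant are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def isolated_epg_payload(tenant: str, ap: str, epg: str, bd: str,
                         dom_atts: List[Dict[str, str]], enforced: bool = True) -> str:
    """Return the XML body for POST /api/mo/uni/tn-<tenant>.xml.

    dom_atts holds one attribute dict per fvRsDomAtt: a static PVLAN pair
    (encap + primaryEncap), a plain attach, or an AVE VXLAN attach."""
    root = ET.Element("fvTenant", name=tenant)
    ap_el = ET.SubElement(root, "fvAp", name=ap)
    epg_el = ET.SubElement(ap_el, "fvAEPg", name=epg,
                           pcEnfPref="enforced" if enforced else "unenforced")
    ET.SubElement(epg_el, "fvRsBd", tnFvBDName=bd)
    for attrs in dom_atts:
        ET.SubElement(epg_el, "fvRsDomAtt", **attrs)
    return ET.tostring(root, encoding="unicode")


def audit_isolation(tenant_xml: str) -> List[str]:
    """Flag EPGs in a tenant subtree whose isolation posture contradicts the chapter:
      * pcEnfPref missing or "unenforced"          -> endpoints in the EPG can talk freely
      * primaryEncap set while unenforced          -> VLAN-pri is ignored, a sign of a half-done change
      * enforced + attach with encapMode="vlan"    -> APIC raises a fault for AVE/AVS VLAN mode"""
    findings = []
    root = ET.fromstring(tenant_xml)
    for ap in root.iter("fvAp"):
        for epg in ap.iter("fvAEPg"):
            path = f"{root.get('name')}/{ap.get('name')}/{epg.get('name')}"
            enforced = epg.get("pcEnfPref") == "enforced"
            if not enforced:
                findings.append(f"{path}: intra-EPG isolation not enforced")
            for att in epg.iter("fvRsDomAtt"):
                dom = att.get("tDn", "?")
                pri = att.get("primaryEncap")
                if pri and not enforced:
                    findings.append(f"{path}: primaryEncap {pri} on {dom} is ignored while unenforced")
                if enforced and att.get("encapMode") == "vlan":
                    findings.append(f"{path}: enforced isolation with VLAN-mode attach {dom} triggers a fault")
    return findings


# Constructed tenant: one correctly isolated VDS EPG and two misconfigured EPGs.
SAMPLE_TENANT = """
<fvTenant name="tenant_vmm">
  <fvAp name="web">
    <fvAEPg name="intraepgdeny" pcEnfPref="enforced">
      <fvRsBd tnFvBDName="bd" />
      <fvRsDomAtt encap="vlan-2001" primaryEncap="vlan-2002" instrImedcy="lazy"
                  resImedcy="immediate" tDn="uni/vmmp-VMware/dom-dvs1" />
    </fvAEPg>
    <fvAEPg name="forgot-enforce" pcEnfPref="unenforced">
      <fvRsBd tnFvBDName="bd" />
      <fvRsDomAtt encap="vlan-2003" primaryEncap="vlan-2004" tDn="uni/vmmp-Microsoft/dom-domain2" />
    </fvAEPg>
    <fvAEPg name="ave-vlan-mode" pcEnfPref="enforced">
      <fvRsBd tnFvBDName="bd" />
      <fvRsDomAtt switchingMode="AVE" encapMode="vlan" tDn="uni/vmmp-VMware/dom-ave1" />
    </fvAEPg>
  </fvAp>
</fvTenant>
""".strip()

# Constructed AVE VXLAN attach, mirroring the chapter's Virtual Edge POST body.
AVE_ATTACH = {"switchingMode": "AVE", "encapMode": "vxlan",
              "resImedcy": "immediate", "tDn": "uni/vmmp-VMware/dom-ave1"}


def demo() -> List[str]:
    return audit_isolation(SAMPLE_TENANT)


if __name__ == "__main__":
    print(isolated_epg_payload("tenant2", "ap-1", "epg-61", "bd-61", [AVE_ATTACH]))
    for finding in demo():
        print("FINDING:", finding)
```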

What to do next

You can select statistics and view them to help diagnose problems involving the endpoint. See the sections Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 13 and View Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 14 in this guide.

Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab

If you configured intra-EPG isolation on a Cisco ACI Virtual Edge, choose statistics such as denied connections, received packets, or transmitted multicast packets for the endpoints. You can then view the statistics.

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants > tenant.
Step 3  In the tenant navigation pane, expand the Application Profiles, profile, and Application EPGs folders, and then choose the EPG that contains the endpoint whose statistics you want to view.
Step 4  In the EPG Properties work pane, click the Operational tab to display the endpoints in the EPG.
Step 5  Double-click the endpoint.
Step 6  In the Properties dialog box for the endpoint, click the Stats tab and then click the check icon.
Step 7  In the Select Stats dialog box, in the Available pane, choose the statistics that you want to view for the endpoint, and then use the right-pointing arrow to move them into the Selected pane.
Step 8  Click Submit.

Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Virtual Networking Tab

If you configured intra-EPG isolation on a Cisco ACI Virtual Edge, choose statistics such as denied connections, received packets, or transmitted multicast packets for the endpoints. You can then view the statistics.

Step 1  Log in to Cisco APIC.
Step 2  Choose Virtual Networking > Inventory > VMM Domains > VMware > VMM domain > Controllers > controller instance name > DVS-VMM name > Portgroups > EPG name > Learned Point MAC address (node).
Step 3  Click the Stats tab.
Step 4  Click the tab with the check mark.
Step 5  In the Select Stats dialog box, click the statistics that you want to view in the Available pane, and then click the arrow pointing right to put them in the Selected pane.
Step 6  (Optional) Choose a sampling interval.
Step 7  Click Submit.

View Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab

If you configured intra-EPG isolation on a Cisco ACI Virtual Edge, once you have chosen statistics for the endpoints, you can view them.

You must have chosen statistics to view for isolated endpoints. See Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 13 in this guide for instructions.

Step 1  Log in to Cisco APIC.
Step 2  Choose Tenants > tenant.
Step 3  In the tenant navigation pane, expand the Application Profiles, profile, and Application EPGs folders, and then choose the EPG that contains the endpoint whose statistics you want to view.
Step 4  In the EPG Properties work pane, click the Operational tab to display the endpoints in the EPG.
Step 5  Double-click the endpoint whose statistics you want to view.
Step 6  In the Properties work pane for the endpoint, click the Stats tab.

The work pane displays the statistics that you chose earlier. You can change the view by clicking the table view or chart view icon on the upper left side of the work pane.

View Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Virtual Networking Tab

If you configured intra-EPG isolation on a Cisco ACI Virtual Edge, once you have chosen statistics for the endpoints, you can view them.

You must have chosen statistics to view for isolated endpoints. See Choose Statistics for Isolated Endpoints on Cisco ACI Virtual Edge Under the Tenants Tab, on page 13 in this guide for instructions.

Step 1  Log in to Cisco APIC.
Step 2  Choose Virtual Networking > Inventory > VMM Domains > VMware > VMM name > Controllers > controller instance name > DVS-VMM name > Portgroups > EPG name > Learned Point MAC address (node).
Step 3  Click the Stats tab.

The central pane displays the statistics that you chose earlier. You can change the view by clicking the table view or chart view icon on the upper left side of the work pane.