Endpoint Security Group
Before continuing to the ESG portion of this lab, it is important to remove the contracts that we previously created.

In this section, we will create the Endpoint Security Group (ESG) use case, where endpoints can communicate without a contract between aci_p01_epg_web and aci_p01_epg_app.

Below is the logical representation of POD01 leveraging ESG with the name aci_p01_esg.

Step 1 - Removing Previously Created Contract

In this step, we will remove the contract created in the previous section:

  1. Ensure your Tenant : aci_p01_tenant is expanded
  2. Expand Application Profiles
  3. Expand aci_p01_ap
  4. Expand Application EPG
  5. Expand aci_p01_epg_web
  6. Click on Contracts
  7. Right Click on aci_p01_con
  8. Click Delete
  9. Click Yes - to confirm

Verify that POD01-WEB-SRV-01 cannot ping POD01-APP-SRV. Do not proceed if the ping is successful.

    
    ping 172.16.1.2 -c 3
    
    

    root@pod01-web-srv-01 ~]#ping 172.16.1.2 -c 3
    PING 10.0.144.1 (172.16.1.2) 56(84) bytes of data.

    --- 172.16.1.2 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms
    root@pod01-web-srv-01 ~]#

Step 2 - Create ESG

Create an ESG by:
  1. Ensure your Tenant : aci_p01_tenant is expanded
  2. Expand Application Profiles
  3. Right Click on aci_p01_ap
  4. Click Create Endpoint Security Group

Step 3 - Create ESG

In this step, we will name our ESG, attach it to the VRF, and provide the selectors needed so that devices in different EPGs can communicate.

Configure the ESG by:

  1. Name : aci_p01_esg
  2. VRF: aci_p01_vrf
  3. Click Next
  4. Click the + on the IP Subnet Selectors
  5. Create the first selector with the IP of the aci_p01_bd_web bridge domain with IP: 10.0.144.1/29
  6. Create the second selector with the IP of the aci_p01_bd_app bridge domain with IP: 172.16.1.1/24
  7. Click Next
  8. Click Finish

Verify your work
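
The effect of the two IP subnet selectors from Step 3 can be checked offline. The following is an added example, not part of the original lab or of Cisco's tooling: a simplified Python model in which two addresses matched into the same ESG communicate without a contract. The web server address 10.0.144.2 and the two extra addresses are constructed for illustration; 172.16.1.2 is the app server address used in the ping tests.

```python
import ipaddress

# Selectors exactly as entered in Step 3 (host bits set, as in the lab).
ESG_SELECTORS = {"aci_p01_esg": ["10.0.144.1/29", "172.16.1.1/24"]}

def classify(ip, esgs=ESG_SELECTORS):
    """Return the name of the ESG whose subnet selector contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, selectors in esgs.items():
        for sel in selectors:
            # ip_interface accepts host bits; .network is the covered subnet.
            if addr in ipaddress.ip_interface(sel).network:
                return name
    return None

def permitted_without_contract(src, dst, esgs=ESG_SELECTORS):
    """Simplified model (assumption): same ESG means no contract is needed."""
    src_esg = classify(src, esgs)
    return src_esg is not None and src_esg == classify(dst, esgs)

def selector_scope(esgs=ESG_SELECTORS):
    """Count how many addresses each selector admits into its ESG."""
    return {
        sel: ipaddress.ip_interface(sel).network.num_addresses
        for selectors in esgs.values()
        for sel in selectors
    }

if __name__ == "__main__":
    web_srv = "10.0.144.2"      # constructed: the lab page does not list this IP
    app_srv = "172.16.1.2"      # from the lab's ping test
    other_host = "172.16.1.200" # constructed: any other host in the /24
    outsider = "192.168.50.10"  # constructed: matches no selector

    print("web -> app:", permitted_without_contract(web_srv, app_srv))
    print("other -> app:", permitted_without_contract(other_host, app_srv))
    print("outsider -> app:", permitted_without_contract(outsider, app_srv))
    for sel, size in selector_scope().items():
        print(f"selector {sel} admits {size} addresses")
```

The /24 selector places every address in 172.16.1.0/24 into aci_p01_esg, not only POD01-APP-SRV, so the size of each selector is the set of hosts that gain contract-free reachability.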

Step 4 - Verify Connectivity

If you closed the SSH window, click on the ICON to the left to reconnect to the Linux server and verify the ESG. You will be using the same browser SSH client as before. Username: root and Password: cisco.123

After you have submitted the changes, verify that POD01-WEB-SRV-01 can ping POD01-APP-SRV:


    ping 172.16.1.2 -c 3

    root@pod01-web-srv-01 ~]#ping 172.16.1.2 -c 3
    PING 172.16.1.2 (172.16.1.25) 56(84) bytes of data.
    64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=0.162 ms
    64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=0.156 ms
    64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.158 ms

    --- 172.16.1.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.156/0.158/0.162/0.014 ms

Step 5 - Remove ESG rule

To continue to the next section of the lab, it is important to remove aci_p01_esg:

  1. Ensure your Tenant : aci_p01_tenant is expanded
  2. Expand Application Profiles
  3. Expand aci_p01_ap
  4. Expand Endpoint Security Groups
  5. Expand aci_p01_epg_web
  6. Right Click on aci_p01_esg
  7. Click Delete
  8. Click Yes - to confirm