ACI
MicroSegmentation

During this session, we will be covering how to configure MicroSegmentation in ACI. We will be focusing in two use cases:

  • Intra-EPG Isolation
  • Virtual Machines Based Attributes.

Step 1 - Intra EPG Isolation

From POD29-WEB-SRV-01 start a continuos to POD29-WEB-SRV-02 Don't stop the ping.


ping 10.0.144.227


root@pod29-web-srv-01 ~]#ping 10.0.144.227 
PING 10.0.144.227 ((10.0.144.227) 56(84) bytes of data.
64 bytes from 10.0.144.227: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.227: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.227: icmp_seq=3 ttl=64 time=0.164 ms

Create the Intra-EPG Policy in the aci_p29_epg_web by:

  1. Tenant aci_p29_tenant
  2. Expand Application Profiles
  3. Expand aci_p29_ap
  4. Expand Application EPG's
  5. Click on aci_p29_epg_web
  6. Click on Policy
  7. Click on General
  8. Click On Intra EPG Isolation : Enforced
  9. Click OK on the warning message
  10. Click Submit
  11. Submit Changes

After you click submit, you will notice the Pings are not longer working.

From 10.0.144.227 icmp_seq=1577 Destination Host Unreachable
From 10.0.144.227 icmp_seq=1578 Destination Host Unreachable
From 10.0.144.227 icmp_seq=1579 Destination Host Unreachable

Let's revert back the Intra EPG isolation setting to Unenforced. In order to do this we need to do the following steps:

  1. Click Unenforced
  2. Click Submit
  3. Click Submit Changes

The Pings are back and working


root@pod29-web-srv-01 ~]#ping 10.0.144.227
PING 10.0.144.227 ((10.0.144.227) 56(84) bytes of data.
64 bytes from 10.0.144.227: icmp_seq=1000 ttl=64 time=0.174 ms
64 bytes from 10.0.144.227: icmp_seq=1001 ttl=64 time=0.193 ms
64 bytes from 10.0.144.227: icmp_seq=1002 ttl=64 time=0.164 ms

Step 2 - Virtual Machines Attributes

In this particular example, ACI will be leveraging Virtual Machines Attributes in order to provide the segmentation needed to control the desired Virtual Machines communication. In some instances, customers may add an identifier in their naming convention to differetiate the VM role such as:

  • DEV
  • PROD
  • External
  • Internal
Then, customers may create rules to allow or dissallow traffic. For example DEV machines are not allow to talk with PROD machines. ACI can help achieve by creating the necessary rules to block the desired communication.


Step 3 - Enable MicroSegmentation in the domain

We need to allow uSeg-EPG Segmentation in the aci_p29_epg_web by:

  1. Tenant aci_p29_tenant
  2. Expand Application Profiles
  3. Expand aci_p29_ap
  4. Expand Application EPG's
  5. Click on aci_p29_epg_web
  6. Click on Domains (VM's and Baremetal) aci_p29_dc3_vds
  7. Double Click on your VMware domain and a new popup will be presented
  8. Click on: Allow MicroSegmentation
  9. Click Ok

Step 4 - Create micro segmentaion policy

Once you have allowed MicroSegmentation in the aci_p29_epg_web. We need to create the uSeg EPGs policy by:

  1. Tenant aci_p29_tenant
  2. Expand Application Profiles
  3. Expand aci_p29_ap
  4. Right Click on uSeg EPGs
  5. Click on Create uSeg EPG
  6. Name: aci_p29_useg_web
  7. Bridge Domain: aci_p29_bd_web
  8. Click Next
  9. Click on the + symbol to associate the uSeg with the VMM domain aci_p29_dc3_vds
  10. Domain Profile: aci_p29_dc3_vds
  11. Deployment Immediacy: Immediate
  12. Click Update
  13. Click Finish

Step 5 - Create uSeg Attributes.

We need to define the rule for our USeg, in this particular case we are going to be using name as the VM attribute. Where POD29-WEB-SRV-01 and POD29-WEB-SRV-02 will not be able to communicate

In order to create our uSeg Attributes, we need to do the following:

  1. Tenant aci_p29_tenant
  2. Expand Application Profiles
  3. Expand aci_p29_ap
  4. Click on uSeg EPGs
  5. Expand aci_p29_useg_web
  6. Click uSeg Attributes
  7. Click the plus sign (+) button
  8. Select a Type... : VM - VM Name
  9. Select an operator: Contains
  10. Next to Contains: 02
  11. Click Submit
  12. Click on Submit Changes

After you click submit, you will notice the Pings are not longer working.

From 10.0.144.227 icmp_seq=1577 Destination Host Unreachable
From 10.0.144.227 icmp_seq=1578 Destination Host Unreachable
From 10.0.144.227 icmp_seq=1579 Destination Host Unreachable

Step 6 - MicroSegmentation Conclusion

As you can see in this chapter, ACI can provide different type of MicroSegmentation for different use cases. It is always import to understand the use case in order to configure ACI with the right set of properties.