Network security 1.0 modules 13-14: layer 2 and endpoint security group exam
The Application endpoint group (fvAEPg) object that represents an EPG has a direct relationship with the bridge domain object (fvBD) that represents the Layer 2 broadcast domain. This is illustrated in the above figure in the first three columns. Show An ESG is a logical entity that contains a collection of physical or virtual network endpoints. In addition, an ESG is associated to a single VRF (Virtual Routing and Forwarding) instance instead of a bridge domain. This allows the definition of a security zone that is independent of the bridge domains (the fourth column of Figure 1, illustrates this point). Just as the EPGs divide a bridge domain into security zones, the ESGs divide the VRF instance into security zones. The EPG policy embeds both forwarding and security logic. For example, an EPG provides not only a security zone based on VLAN, but also a VLAN binding on leaf node interfaces. Also, a contract on the EPG is used to enforce the security and determine which leaf nodes the bridge domain subnet should be deployed on, and which subnets to be leaked to which VRF instance in the case of VRF route leaking (i.e. shared service). On the contrary, an ESG is used only to enforce security using the contracts while the forwarding logics are handled by other components. With an ESG, the routing logic such as bridge domain subnets deployment and VRF route leaking are moved to VRF level. The VLAN binding on leaf node interfaces are still handled at EPG level. An ESG is a security construct that has certain match criteria to define which endpoint belongs to the ESG, and uses contracts or policies to define the security stance. The match criteria are called the ESG selectors that are based on attributes such as an IPv4 or IPv6 address spanning across bridge domains in the associated VRF instance, or a tag associated to endpoint MAC address. For details about these and other supported selector types, see . The contract usage in the ESGs is the same as the EPGs. Endpoints that belong to the same ESG can communicate without the need for a contract. To enable communication between endpoints that belong to different ESGs, you need to configure contracts between the ESGs. For the communication with devices outside of the Cisco ACI fabric, you need to configure a contract between the L3Out external EPG ( In the figure below, there are four bridge domains associated with one EPG each. The administrator uses the EPG configuration to ensure that traffic from virtual machines or from physical servers is associated with the appropriate bridge domain connected to the appropriate VLAN. For instance EPG1-1 defines the mapping of the traffic from VLAN 10 with BD1, the EPG2-1 maps VLAN 20 to BD2, and so on. Figure 2. ESGs can be used to aggregate endpoints of different subnets
Note The contracts that are used by the EPGs cannot be re-used by the ESGs, and vice versa. This section summarizes how the Cisco Application Policy Infrastructure Controller (APIC) programs leaf nodes, when an administrator configures the endpoint security groups (ESGs).
Note Cisco APIC generates a unique number to identify each ESG, just as it does for EPGs. This number is called a pcTag or Class ID. In some contexts, it is referred to as sclass, S-Class, or source class. Global pcTags are numbers that are unique in the entire fabric regardless of which VRF instance the ESG (or EPG) belongs to. ESGs are always assigned a global pcTag. Global pcTag numbers range from 16 to 16385. Local pcTags are numbers that are unique within a VRF scope, which means that Cisco APIC can generate the same number to identify another EPG in a different VRF instance. Local pcTag numbers range from 16386 to 65535. pcTag numbers from 1 to 15 are reserved for system internal use. Selectors are configured under each ESG with a variety of matching criteria to classify endpoints to the ESG. Unlike EPGs, which use VLANs to classify endpoints, ESGs can classify endpoints using much more flexible criteria. This concept is similar to micro segmentation EPG (or useg EPG); however, useg EPGs are still tied to one bridge domain while ESGs can contain endpoints across bridge domains. The supported ESG selectors are:
A tag selector uses policy tags to classify endpoints to a given ESG. A policy tag consists of a key and a value, such as “key: owner, value: john.” Policy tags can be assigned to a variety of user configurable objects, and ACI features can act upon those tags. Security classification using policy tags provides an easy and intuitive operation to add multiple endpoints to the security group (ESG). With policy tags and ESG tag selectors, you can classify your choice of multiple endpoints to an ESG without having to specify each endpoint individually. ESG tag selectors match only policy tags in the same tenant as the ESG. This isolation ensures that each tenant manages its own resources, and it prevents any unintended policy tag match across tenants. Note, though, that if a user tenant is using a bridge domain or a VRF from the tenant 'common,' the user tenant may not have visibility of some configurations. Although similar in configuration, policy tags (such as the user-definable tagTag) differ in purpose and usage from annotations (tagAnnotation). For details regarding the differences, see the "Alias, Annotations, and Tags" chapter of the Cisco APIC System Management Configuration Guide, 5.2(x). ESG tag selectors can match policy tags assigned to the following objects. Name Description Object BD Subnet Subnet under a bridge domain fvSubnet IP Endpoint Tags Metadata for a host IP address of an endpoint fvEpIpTag MAC Endpoint Tags Metadata for a MAC address of an endpoint fvEpMacTag VMM MAC Endpoint Tags Metadata derived via VMM integration fvEpVmmMacTagDef Static Endpoint Static endpoint fvStCEp The following sections describe the use of policy tags for each type of supported object. Policy Tags for BD SubnetsBy matching a policy tag assigned to a bridge domain subnet, a tag selector can classify all IP endpoints within the subnet to a given ESG. Although similar to an IP subnet selector, a policy tag and tag selector allow you to group multiple IP subnets, in addition to different types of parameters, such as specific MAC addresses. You can also match a subset of a BD subnet by creating a smaller BD subnet with the No Default SVI Gateway option and assigning the policy tag to the smaller subnet. This option allows you to configure a subnet under a BD without deploying the corresponding SVI. When configuring a tag selector matching a policy tag for BD subnets, consider the following guidelines:
Policy Tags for IP Endpoint TagsBecause the objects representing endpoints (fvCEp, fvIp) are dynamically created and deleted based on the endpoint learning status on ACI switches, it is not practical to assign policy tags directly to such objects. For that reason, a new user-configurable object, an IP endpoint tag, is introduced with Cisco APIC Release 5.2(1) to represent an IP address of an endpoint. The IP endpoint tag object can be created and maintained even before the IP address is learned as an endpoint. Using this object, you can assign policy tags to an IP address of an endpoint at any given time. An IP endpoint tag has a scope of VRF and represents the host IP address you configured in the given VRF. The tag is simply a metadata or descriptor of an IP address. Configuring an IP endpoint tag does not deploy an endpoint or the specified IP address. If you need to statically deploy an endpoint and its IP address before the endpoint is learned, configure a static endpoint. When configuring a tag selector matching a policy tag for an IP endpoint tag, consider the following guidelines:
Policy Tags for MAC Endpoint TagsBecause the objects representing endpoints (fvCEp, fvIp) are dynamically created and deleted based on the endpoint learning status on ACI switches, it is not practical to assign policy tags directly to such objects. For that reason, a new user-configurable object, a MAC endpoint tag, is introduced with Cisco APIC Release 5.2(1) to represent a MAC address of an endpoint. The MAC endpoint tag object can be created and maintained even before the MAC address is learned as an endpoint. Using this object, you can assign policy tags to a MAC address of an endpoint at any given time. A MAC endpoint tag has a scope of BD and represents the MAC address you configured in the given BD. If the MAC address is unique across BDs, you can specify the scope of BD as "any" (“*”) and instead provide a VRF as its scope. The tag is simply a metadata or descriptor of a MAC address. Configuring a MAC endpoint tag does not deploy an endpoint or the specified MAC address. If you need to statically deploy an endpoint and its MAC address before the endpoint is learned, configure a static endpoint. Policy Tags for VMM MAC Endpoint TagsAPIC automatically populates a read-only VMM MAC endpoint policy tag (fvEpVmmMacTagDef) based on information learned through VMM integration. APIC retrieves information about endpoints through VMM integration and then maps that information to policy tags for each endpoint. Similar to a MAC endpoint tag object that you manually create, a VMM MAC endpoint tag object is simply a metadata or descriptor of a MAC address to maintain policy tags even when the corresponding endpoint is not learned in the data-plane yet. ESG tag selectors can use these policy tags to classify the endpoints to ESGs. The following VMM information is supported by ESG tag selectors. Integration Type Source Information Translated Policy Tag Format VMware vSphere Distributed Switch (vDS) VM name Key: Value: VM name VMware vSphere Distributed Switch (vDS) vSphere Tag “Category: Tag Name” Key: Category Value: Tag Name VMM MAC endpoint tags and the policy tags translated from the VM's name are automatically populated on APIC under Tenant > Polices > Endpoint Tags > Endpoint MAC. To enable this, you must enable Allow Micro-Segmentation when associating a VMM domain to EPGs. These tags are displayed with a suffix "(VMM)" to distinguish them from manually configured MAC endpoint tags. Translated policy tags other than a VM's name, such as a VMware tag, are not generated on VMM MAC endpoint tags until matched by an ESG tag selector. You must also enable Tag Collection under corresponding VMM domains. Each translated policy tag is assigned to the MAC address of an endpoint. If a MAC endpoint tag is configured with the same MAC address in the same BD as the VMM MAC endpoint tag, only the policy tags from the MAC endpoint tag are used. In this case, the translated policy tags from the VMM MAC endpoint tags are ignored. Policy Tags for Static EndpointBy matching a policy tag assigned to a static endpoint that is configured under an EPG, a tag selector can classify the MAC address of the static endpoint to a given ESG. Policy tag support for static endpoints avoids the need for configuring a MAC endpoint tag for the same MAC address as the static endpoint. In fact, these two configurations are incompatible with each other. In other words:
The static endpoint tag is supported only for static endpoints of type silent-host. An EPG selector matches an entire EPG to an ESG. Multiple EPGs can be matched to an ESG using EPG selectors, but only if the EPGs are in the same tenant and the same VRF as the ESG. The EPG selector is ideal for grouping multiple VLANs across bridge domains as a single security group (ESG) to simplify the configuration of contracts. When an EPG is matched to an ESG by an EPG selector, all endpoints in the EPG belong to the ESG and all security configurations are now handled by the ESG. EPG selectors have the following characteristics:
When an EPG is matched to an ESG via an EPG selector, intra-EPG/ESG isolation and Preferred Group Membership configuration under the EPG and ESG must be the same. After the match, the ESG settings overwrite the EPG settings. The contract inheritance from EPG to ESG enables a seamless migration from the existing EPG security design to the new ESG security design. To simplify the configuration and to fully take advantage of ESG, we recommend that you complete the migration and do not retain EPG inherited contracts for EPG to ESG communication as a permanent configuration. When an ESG has contracts inherited by EPG selectors, APIC raises a fault as a warning and a reminder that the EPG to ESG migration has yet to be completed. See the "ESG Migration Strategy" section for details on migration using EPG selectors. When an EPG is matched to an ESG by an EPG selector, the EPG's policy control tag (pcTag) is replaced by the ESG's pcTag. The pcTag replacement operation may cause a small transient traffic disruption for endpoints in the EPG. This is the same impact as other pcTag update events that occur with other features such as when configuring shared services (route leaking) with EPGs. Note that the pcTag is not specific to ESGs and is not related to policy tags (tagTag) used by tag selectors. The pcTag is an EPG/ESG identifier for applying contracts in the data-plane. Prior to release 5.2(4), you cannot create a contract with a service EPG created through a service graph. There are certain challenges that come with this limitation, such as:
Beginning with release 5.2(4), the service EPG selector for endpoint security groups (ESGs) is now available. This feature allows you to map a service EPG to an ESG and create a contract with that ESG. Using this feature, even if you have a vzAny-to-vzAny permit contract that is configured, you can add a deny contract between the service ESG and other ESGs to allow specific ESGs to communicate with the service ESG. The following sections provide more information on example configurations with and without using service EPG selectors, and additional information on using service EPG selectors: Example Configurations Without Using Service EPG SelectorsIn order to enable the necessary configurations without using the service EPG selector option introduced in release 5.2(4), you could use the Direct Connect option. The following figure shows an example configuration where the Direct Connect option is in the default (disabled) setting. The following figure shows an example where the Direct Connect option is enabled. A permit rule is added for the traffic from the service EPG to a consumer or provider EPG. However, even with the Direct Connect option enabled, an EPG that is not a consumer or provider EPG doesn't have the permit rule with the service EPG, and you cannot add a contract manually. One possible workaround to this restriction would be to configure a vzAny contract, where the service EPGs are part of the vzAny configuration, as shown in the following graphic. However, one consideration with this workaround is that the EPG (class ID 300 in the previous example) can also communicate with other EPGs in the VRF. A second possible workaround is to configure a preferred group, as shown in the following graphic. However, one consideration with this second workaround is that other EPGs in the preferred group can communicate with each other without a contract. It could also consume more TCAM resources. If neither of those workarounds provide a workable solution for your situation, you can use the service EPG selector option available beginning in release 5.2(4), as described in the following section. Example Configurations Using Service EPG SelectorsUsing the service EPG selector, available beginning with release 5.2(4), a service device connector representing the service EPG ( The following figure shows an example configuration using the service EPG selector. Another way that you might use the service EPG selector feature would be to exclude the service device interface in a vzAny-to-vzAny permit contract. In this scenario, vzAny-to-vzAny is used to permit all traffic within a VRF, but you also want to prevent communication with the service device interface, as shown in the following figure. Supported and Unsupported Locations for ESGs and Service EPGsThis section provides information on the supported and unsupported location for ESGs and service EPGs. This section is relevant only for designs where the admin needs to allow or deny traffic directed to the Layer 4 to Layer 7 device from the ESGs. Traffic redirected to the Layer 4 to Layer 7 device does not belong to this category, and it is not subject to the restrictions described in this section. This is because, the destination IP address of the redirected traffic is an endpoint, and not the Layer 4 to Layer 7 device IP address. Note A service EPG is internally created in the tenant where the Layer 4 to Layer 7 device is defined.
Guidelines and Limitations for Service EPG SelectorsFollowing are the guidelines and limitations for the service EPG selector feature that is introduced in release 5.2(4):
With various classification methods in ESG, it is important to understand the difference in classification of IP addresses and MAC addresses. This difference is essentially the same as microsegment (uSeg) EPG criteria. When a packet is routed by a switch, the forwarding lookup is based on the IP address. When a packet is switched by a switch, the forwarding lookup is based on the MAC address even when the packet has an IP header. Similarly, when a packet is routed by a switch, the contract lookup is based on the IP address. When a packet is switched by a switch, the contract lookup is based on the MAC address even when the packet has an IP header. This behavior affects the contract application based on ESG as follows. IP-based selectors (such as IP subnet selectors, tag selectors matching policy tags for BD subnets or IP endpoint tag objects) classify only the IP addresses. Such classifications do not take effect for switching traffic. On the other hand, other selectors classify MAC addresses, and such classifications take effect for both switching and routing traffic. This means that a MAC-based selector applies also to an IP address associated to the MAC address, unless a separate IP-based selector overrides it. This behavior is demonstrated in the following three scenarios. In these scenarios, endpoint EP_A is a member of EPG_A and does not initially belong to any ESG. EP_A's MAC address is MAC_A and its IP address is IP_A.
This behavior may cause switching traffic (layer 2 traffic) to bypass ESG contracts when IP-based selectors are used, even if the source and destination IP addresses of the traffic belong to different ESGs. To prevent this issue with IP-based selectors, you must use the proxy ARP feature in ACI so that all traffic is handled as routed traffic on ACI switches, even if the source and destination IP addresses are in the same subnet. There are three options for using proxy ARP for this purpose:
In the case of layer 2 traffic when endpoints in the same subnet (or VLAN) are classified to different ESGs, you may need private VLAN configuration regardless of the layer 2 traffic limitation with IP-based selectors. Private VLAN configuration may be needed when non-ACI switches exist between the endpoints and ACI switches. This is because non-ACI switches may switch the traffic before ACI switches can enforce contracts based on ESGs. When choosing selector types, consider whether the traffic will be switched or routed. The tables below show the order of precedence of selectors for each type of traffic. Table 1. Precedence Order for Switching TrafficPrecedence Order Selector 1 Tag Selector (Endpoint MAC Tag) Tag Selector (Static Endpoint) 2 Tag Selector (Endpoint VMM MAC Tag) 3 EPG Selector Table 2. Precedence Order for Routing TrafficPrecedence Order Selector 1 Tag Selector (Endpoint IP Tag) IP Subnet Selector (host IP) 2 Tag Selector (BD Subnet) IP Subnet Selector (subnet) 3 Tag Selector (Endpoint MAC Tag) Tag Selector (Static Endpoint) 4 Tag Selector (Endpoint VMM MAC Tag) 5 EPG Selector If an object is matched by multiple tag selectors via the same or different policy tags, the object is associated to the tag selector that matched first. Subsequent tag selectors are then ignored. If an object is matched by multiple tag selectors when no tag selector had matched the object previously, no tag selectors take effect until the conflict match is resolved. A fault is raised under the ESG and under the object that is matched by multiple tag selectors. Contracts are the Cisco ACI equivalent of access control lists (ACLs). ESGs can only communicate with other ESGs according to the contract rules. The administrator uses a contract to select the types of traffic that can pass between ESGs, including the protocols and ports allowed. An ESG can be a provider, consumer, or both provider and consumer of a contract, and can consume multiple contracts simultaneously. ESGs can also be part of a preferred group so that multiple ESGs can talk freely with other ESGs that are part of the preferred group. Supported Contracts relationship:
Contracts between the ESGs and the EPGs (or uSeg EPGs) are not supported. When an endpoint in an ESG needs to communicate with other endpoints in the EPG, the other endpoints need to be migrated to the ESGs first. vzAny or preferred group can be used as an alternative during the migration. Other contract-related features that are supported in a uSeg EPG, such as contract inheritance, an intra ESG contract, or intra ESG isolation, are also supported in an ESG. The exception is the Taboo Contract, which is not supported in an ESG. In alternative to using specific contracts between ESGs, you can also allow traffic between ESGs using a construct called vzAny. vzAny represents all of the ESGs and EPGs in the given VRF instance. This also includes the L3Out external EPG ( Figure 4 provides an example. If the administrator configures a contract between vzAny and EPG 4-1, in the topology from Figure 2, endpoints 192.168.1.11, 192.168.2.11 (ESG1) and 192.168.3.11 (EPG3-1) can communicate with 192.168.4.11 (EPG4-1). This does not mean that ESG1 and EPG3-1 belong to the same security zone and 192.168.11 (or 192.168.2.11) can communicate with 192.168.3.11 without a contract. If the desired configuration is to allow any-to-any communication within the VRF instance regardless of an ESG, an EPG, L3Out EPG etc., the user can configure vzAny to provide and consume a contract to allow all traffic instead of disabling Policy Enforcement (Unenforced) in the VRF instance. In summary, the vzAny construct can be used for providing and (or) consuming a contract in order to enable an ESG to communicate with anybody in the VRF instance using the contract just as it does for an EPG. Even though the contracts between ESGs and the EPGs are not allowed, vzAny contracts can be used to allow traffic between the ESGs and EPGs. A preferred group is an alternative to using explicit contracts between ESGs or using vzAny contracts. The user can also configure the preferred group to enable the communication between ESGs in a VRF instance. Any endpoints in the preferred group can communicate with each other freely. The user can also use preferred groups to enable ESGs to EPGs communication which can be useful in a migration between an EPG-based security configuration to an ESG-based security configuration. Figure 5. Example with ESG1 and EPG3-1 part of the same preferred group.In the example of the figure above, ESG1 and EPG3-1 are configured to be part of the preferred group of VRF A and the following communications are allowed:
Refer to the Cisco APIC Basic Configuration Guide for information on configuring preferred groups. When an endpoint needs a service that is shared by another VRF, there are two things required for the communication to happen. The first thing is the routing reachability. The second thing is security permission. In an EPG, these two are coupled closely in one set of configurations, such as the EPG subnet and contracts. In ESG, these two are decoupled in two different configurations:
With these two configurations completely decoupled, you do not need to configure a subnet or a subset of the subnet under the ESG as you must do for an EPG. The following sections explain how to configure route leaking for the bridge domain subnets and external prefixes learned from external routers. After you finish configuring route leaking, you can configure a contract between two ESGs, or an ESG and L3Out EPG, to allow the communication. You must use a contract with a scope larger than VRF, such as global. Note The route leaking configuration at the VRF level is supported only for ESGs. This section explains how to configure route leaking between VRF instances for a bridge domain subnet to which the ESG endpoints belong to. This is performed simply by specifying a subnet to leak and the target VRF instance in the source VRF instance at the VRF level (instead of at the EPG level like it is done if you do not use ESGs). The subnet that you enter in the route leaking configuration needs to match the bridge domain subnet or be a subset of a configured bridge domain subnet. The route leaked by this configuration is only the subnet with the specified subnet mask. You cannot specify a range of subnets to leak multiple bridge domain subnets in one configuration. Note The subnet that you configure under the VRF route leaking configuration can also match subnets used under the EPGs. This can be useful for migration purposes. The figure above provides an example of VRF leaking between two VRF instances: VRF A and VRF B, where the administrator has configured two ESGs: ESG1 and ESG2. In addition to having a contract between ESG1 and ESG2 (to allow the traffic), the administrator needs to configure route leaking in the VRF instance as described in the section, . The configuration of the bridge domain subnet scopes, Advertised Externally and Shared between VRFs, is not required with VRF level route leaking for an ESG. When a leaked bridge domain subnet needs to be advertised by L3Outs in the target VRF instance, you can set Allow L3Out Advertisement to True in the VRF level route leaking configuration. Note that the subnet scopes under a bridge domain are ignored when leaking the subnet to the target VRF instance specified in the VRF level route leaking, and the configuration in the VRF level route leaking takes precedence. Those scopes under a bridge domain are still honored at the same time for other configurations like advertising the subnet from an L3Out in the same VRF instance, route leaking to another VRF instance through a traditional configuration that is through EPG contracts, or both. The configuration of route leaking for the purpose of allowing traffic from a L3Out of a VRF to ESGs of another VRF is referred to as ESG shared L3Out to differentiate from the shared L3Out for EPGs. In order to leak routes that are learned from a L3Out for an ESG communication, the administrator must configure the route leaking for external prefixes in VRF level. This is done by using IP prefix-list style configuration. The user can configure a specific prefix or can specify a range of prefixes by using the “le” (less than or equal to) or “ge” (greater than or equal to) as you can with an IP prefix-list in a normal router. Unlike bridge domain subnets, there is no restriction that the leaked prefix must be equal to or smaller than an actual route, because external routes are dynamically learned and are not often predictable. Because of the lack of the restriction, a leaked external prefix can specify a range to leak multiple prefixes with one configuration. In the configuration, you must also specify the target VRF. Please refer to for the configuration details. For an ESG shared L3Out configuration, along with configuring route leaking in the VRF and applying a contract with L3Out EPG, you need to define which prefix belongs to which L3Out EPG. To specify which prefix belongs to which L3Out EPG, you must configure an L3Out subnet with the External Subnets for the External EPG and Shared Security Import Subnet scopes. The Endpoint Tracker tab allows you to enter a fabric-attached endpoint IP or MAC address and quickly see the location of this endpoint, the endpoint group to which the endpoint belongs, the VLAN encapsulation used, and if any transitions (flaps) have occurred for this endpoint.
The Endpoint Tracker tool displays the date and time of each state transition along with the IP address, MAC address, owning endpoint group, action (attached or detached), physical node, interface, and VLAN encapsulation during the event. The Endpoint Tracker tool uses an object called the fvCEp to find the endpoints that are learned in the fabric, for an ESG and as well as an EPG. An endpoint that belongs to an ESG is represented by two fvCEp objects, one for the EPG that provides VLAN binding, another for the ESG that provides security.Therefore, the Endpoint Tracker tool shows two entries (one for an EPG, another for an ESG) when used for the ESG endpoints. The following guidelines and limitations apply when using endpoint security groups (ESGs):
Beginning with the 5.2(3) release, the following features or configurations are supported:
Beginning with Cisco Application Policy Infrastructure Controller (APIC) release 5.2(1), EPG selectors allow endpoint security groups (ESGs) to inherit contracts from EPG, simplifying EPG-to-ESG migration. The contract inheritance with EPG selectors enables a seamless and flexible migration by allowing endpoints to keep communicating with other endpoints using inherited contracts even though the other endpoints are not yet migrated to ESGs. In the following example, we will focus on the EPG to ESG migration of EPG A1 in the following figure. The current communication from EPG A1 is done through contract C1 with EPGs B1, B2, and B3. Figure 7. Prepare to begin EPG-to-ESG migrationThe first step is to create an ESG (ESG A1 in the following figure) and match EPG A1 to it using the EPG selector. Figure 8. Create an ESG, migrate first EPGAfter EPG A1 has been matched to ESG A1, endpoints that belonged to EPG A1 now belong to ESG A1 and contract C1 provided by EPG A1 is inherited by ESG A1. All of the migrated endpoints can still communicate with EPGs B1, B2, and B3 even though these EPGs are not migrated to ESG yet. Remember that without the contract inheritance with EPG selectors, Cisco Application Centric Infrastructure (ACI) does not allow contracts between ESG and EPG. Note that when an ESG inherits contracts via EPG selectors, the original pcTags of the EPGs are replaced by the pcTag of the ESG. This operation may result in a small transient disruption of traffic for endpoints in the EPGs. At this point, depending on your project schedule, instead of completing the migration of EPG A1, you could configure new contracts between ESG A1 and other ESGs or L3Out external EPGs. However, no more new contracts can be added to EPG A1 because all security configurations should be managed by the ESG. To keep the configuration simple and maintainable, we recommend that you complete the EPG to ESG migration at your earliest convenience. Until EPG A1 stops providing (or consuming) contracts, a fault F3602 is raised as a warning to make you aware of an incomplete migration. To continue the migration, create ESGs for the EPGs on the other side of contract C1. In this example, EPG A1 is providing contract C1, so those EPGs (EPGs B1, B2, and B3) are consuming contract C1. Migrate these EPGs to new ESGs (ESGs B1, B2, and B3) using EPG selectors. In this example in the following figure, each EPG is mapped to an ESG. Figure 9. Create additional ESGs, migrate EPGsAlternatively, you could combine multiple EPGs into one ESG. For example, you could create one ESG and then configure an EPG selector for both EPG B1 and B2 on the same ESG. Next, create a new contract (C1’ in the following figure) with the same filters as contract C1. Configure the new ESGs as provider and consumer. This is in preparation to stop providing contract C1 from EPG A1, which is the last step of EPG to ESG migration for EPG A1. Figure 10. Create a new contractBecause contract C1 with the same filters was already inherited by all four ESGs (A1, B1, B2, and B3), the new contract configuration does not deploy any new rules in hardware, so no additional policy TCAM is consumed by creating the new contract. ESG A1 now has contract C1’ that allows the same communication as C1 with ESG B1, B2, and B3. At this point, we can stop providing contract C1 on EPG A1, allowing the ESG A1 to handle all security, as shown in the following figure. Figure 11. Remove EPG as provider for the old contractKeep in mind that EPGs B1, B2, and B3 cannot stop consuming contract C1 yet because contract C1 is also provided by EPGs A2 and A3, which are not yet migrated to ESGs. After EPGs A2 and A3 are migrated to ESGs and are providing contract C1’, all EPGs (A2, A3, B1, B2, and B3) can stop using contract C1 without traffic disruption. To complete the migration of EPG to ESG, follow the same procedure for contract C2 and any other contracts on an EPG level. In Cisco APIC Release 5.2(1) and later releases, ESG selectors can be policy tags, EPGs, and IP subnets. In earlier releases, only IP subnets are supported. ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, choose tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups Step 3Right click Endpoint Security Groups and select Create Endpoint Security Group. Step 4In the STEP 1 > Identity page of the Create Endpoint Security Group dialog box, enter the following information:
In the STEP 2 > Selectors page, click the + sign in the Tag Selectors bar if you want to use policy tags as an endpoint selector. The Create a Tag Selector dialog box opens. Follow the procedure in . In the STEP 2 > Selectors page, click the + sign in the EPG Selectors bar if you want to specify an EPG as an endpoint selector. The Create an EPG Selector dialog box opens. Follow the procedure in . In the STEP 2 > Selectors page, click the + sign in the IP Subnet Selectors bar if you want to specify an IP subnet as an endpoint selector. The Create an IP Subnet Selector dialog box opens. Follow the procedure in . Click Next. The STEP 3 > Advanced (Optional) page of the Create Endpoint Security Group dialog box opens. In the STEP 3 > Advanced (Optional) page, you can configure the following options:
Click Finish. Use this procedure to create a tag selector for an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups > esg_name > Selectors. Step 3Right click Tag Selectors and select Create a Tag Selector. Step 4In the Create a Tag Selector dialog box, enter the following information:
Use this procedure to create an EPG selector for an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups > esg_name > Selectors. Step 3Right click EPG Selectors and select Create an EPG Selector. Step 4In the Create an EPG Selector dialog box, enter the following information:
Use this procedure to create an IP subnet selector for an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups > esg_name > Selectors. Step 3Right click IP Subnet Selectors and select Create an IP Subnet Selector. Step 4In the Create an IP Subnet Selector dialog box, enter the following information:
Use this procedure to create a service EPG selector for an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups > esg_name > Selectors. Step 3Right click Service EPG Selectors and select Create a Service EPG Selector. Step 4In the Create a Service EPG Selector dialog box, enter the following information:
Use this procedure to add a policy tag to an endpoint MAC address. The tag can then be used by a tag selector to associate the endpoint MAC address to an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Application EPGs > epg_name. Step 3In the Work pane, choose the Operational > Client Endpoints tab. The Client Endpoints table displays the MAC address of each available endpoint along with the IP address associated with it. If an address is already assigned policy tags, those policy tags are displayed in the Policy Tags column for the MAC or IP address. Right-click the row with the desired MAC address and select Configure an Endpoint MAC Tag. If the MAC address does not appear in the table, it is not yet learned or visible through VMM integration. In this case, expand tenant_name > Policies > Endpoint Tags, right-click Endpoint MAC and select Create an Endpoint MAC Tag. In the Create an Endpoint MAC Tag dialog box, enter the following information:
Use this procedure to add a policy tag to an endpoint IP address. The tag can then be used by a tag selector to associate the endpoint IP address to an endpoint security group (ESG). ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, expand tenant_name > Application Profiles > application_profile_name > Application EPGs > epg_name. Step 3In the Work pane, choose the Operational > Client Endpoints tab. The Client Endpoints table displays the MAC address of each available endpoint along with the IP address associated with it. If an address has already been assigned policy tags, those policy tags are displayed in the Policy Tags column for the MAC or IP address. Right-click the row with the desired IP address and select Configure an Endpoint IP Tag. If the IP address does not appear in the table, it is not yet learned or visible through VMM integration. In this case, expand tenant_name > Policies > Endpoint Tags, right-click Endpoint IP and select Create an Endpoint IP Tag. In the Create an Endpoint IP Tag dialog box, enter the following information:
ProcedureStep 1 On the menu bar, choose Tenants and select the applicable Tenant. Step 2In the Navigation pane, choose tenant_name > Application Profiles > application_profile_name > Endpoint Security Groups > esg_name. Step 3Right click on Contracts and choose the action depending on how the contract is to be deployed. The options are:
A contract that is consumed or provided by an application EPG cannot be used here for an ESG. In the Add Contract dialog box, perform the following actions:
Click Submit. Creating an EPG SelectorThe EPG selector object (fvEPgSelector ) matches the DN of a specific EPG.
The EPG selector can only match an EPG that belongs to the same tenant and VRF as the ESG. Creating Tags and a Tag SelectorThe tag selector object (fvTagSelector ) matches tag objects (tagTag ) discovered under the following objects:
Note The tag selector object also matches tag objects under fvEpVmmMacTagDef . However, policy tags under this object are populated through VMM integration, and are not configurable. This example shows the location of a tagTag object and the fvTagSelector object that will find and match the tag.
As an alternative to matching a tag exactly, a tag can be partially matched or matched using a regular expression using the valueOperator property of the fvTagSelector :
This example shows various matching conditions:
Special Tag Selector for VMM EndpointsUsing a special key, the tag selector object (fvTagSelector ) matches VMM endpoints by name. The special matchKey is "__vmm::vmname" and the matchValue is the name of the VM. This example shows a tag selector that matches the VM named "vmName-Dev" using an exact match:
Use this procedure to configure route leaking of internal bridge domain subnets. Before you beginYou must have created the tenant, VRF, bridge domain, and the subnet to be leaked. ProcedureStep 1 In the Navigation pane, navigate to the Tenant name > Networking > VRFs > Inter- VRF Leaked Routes for ESG > EPG/BD Subnets. Step 2Right click on the EPG/BD Subnets and select Configure EPG/BD Subnet to leak. Step 3In the Configure EPG/BD Subnet to leak dialog box, perform the following functions:
In the Tenant and VRF destinations field, navigate to the far right and click on the + sign. Step 5In the Create Tenant and VRF destination dialog box, perform the following functions:
Click Submit. Use this procedure to configure route leaking of external prefixes. Before you beginYou must have configured an L3Out in the source VRF and the external prefixes are learned. ProcedureStep 1 In the Navigation pane, navigate to the Tenant name > Networking > VRFs > Inter- VRF Leaked Routes for ESG > External Prefixes. Step 2Right click on the External Prefixes and select Create Leaked External Prefix. Step 3In the Create Leaked External Prefix dialog box, perform the following functions:
In the Tenant and VRF destinations field, navigate to the far right and click on the + sign. Step 5In the Create Tenant and VRF destination dialog box, perform the following functions:
Click Submit. All the configurations provided for the deployment of a service graph with EPGs equally apply to the ESGs, the only change required is that instead of associating the contract to EPGs the contract is associated to ESGs. Use this procedure to apply a service graph template for a Layer 4 to Layer 7 service device in unmanaged mode to a contract used by endpoint security groups: Before you beginYou must have created the following things:
ProcedureStep 1 On the menu bar, choose Tenants > All Tenants. Step 2In the Work pane, double click the tenant's name. Step 3In the Navigation pane, expand Tenant > Services > L4-L7 > Service Graph Templates. Step 4In the Navigation pane, right-click on the Service Graph Template Name that you want to apply to the ESGs and choose Apply L4-L7 Service Graph Template. The Apply L4-L7 Service Graph Template To EPGs dialog box appears. You will be associating a Layer 4 to Layer 7 service graph template to a contract between the endpoint security groups. Configure a contract in the Apply L4-L7 Service Graph Template To EPGs STEP 1> Contract dialog box by entering the appropriate values:
|