Cisco ACI Intra-EPG Contract Explained with Examples
Reference: ACI White Paper
I- Intra-EPG Isolation
By default, communication between endpoints in an EPG is open unless you enable intra-EPG isolation in the EPG policy configuration.
To enable it, set Intra EPG Isolation to Enforced.
Intra EPG Isolation Example:
Let’s check the zoning rules for the example below (from the ACI white paper), where intra-EPG isolation is enforced for the App EPG:
Endpoints in App EPG can’t communicate with each other, but they can still communicate with an endpoint in Web EPG because of Contract1.
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4231 | 32774 | 32774 | implicit | uni-dir | enabled | 2850817 | | deny,log | class-eq-deny(2) |
| 4244 | 32774 | 32775 | 68 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
| 4222 | 32775 | 32774 | 67 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | fully_qual(7) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
Intra EPG Isolation design considerations:
The following list includes some key design considerations for the use of intra-EPG isolation:
- In the case of a VMware vDS VMM domain or an SCVMM domain, once intra-EPG isolation is enabled, Cisco ACI programs PVLAN (Private VLAN) on the port-group for the EPG. If there is an intermediate switch, such as a Cisco UCS® fabric interconnect, between the ACI leaf and the vDS, you must configure PVLAN on the intermediate switch as well.
- If you require communication between EPGs that are in the same bridge domain subnet and configured with intra-EPG isolation, you also need to enable proxy-ARP manually.
- With proxy-ARP enabled, a VM (or, in general, an endpoint) that sends an ARP request for another endpoint receives an answer from the BD SVI, that is, the BD subnet IP owned by the ACI leaf nodes; traffic between the endpoints is therefore routed.
Below is an illustration of how intra-EPG isolation is enforced using PVLAN on the port-group, forcing communication between endpoints of the same EPG to go through the leaf, where contracts can be applied (the traffic is denied if intra-EPG isolation is enforced without an additional intra-EPG contract):
II- Intra-EPG Contract
Since ACI 3.0, it is possible to assign contracts to restrict traffic internal to an EPG.
- It is supported on both EPGs and uEPGs.
- It is supported with physical domains (PhysDoms) and VMware VMM domains.
- Intra-EPG contracts require proxy-ARP.
Whereas intra-EPG isolation denies all of the traffic within an EPG, an intra-EPG contract can specify which traffic is allowed within an EPG based on protocol, L4 ports…
The configuration for the intra-EPG contract is at Tenant > Application Profiles > Application_Profile_name > Application EPGs > EPG_name > Contracts.
Note – Intra EPG contract PBR support
Since endpoints in the EPG may be in the same subnet, when they want to communicate with each other they send an ARP request for the other endpoint’s IP. With intra-EPG isolation enforced, an endpoint can only communicate with the promiscuous port (the BD SVI), so the SVI proxies the ARP and responds to the ARP requests.
Intra EPG Contract Example:
Because of the intra-EPG contract on the App EPG, endpoints in the App EPG cannot communicate with each other except for the traffic permitted in the Contract1 subject.
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
| 4231 | 32774 | 32774 | implicit | uni-dir | enabled | 2850817 | | deny,log | class-eq-deny(2) |
| 4222 | 32774 | 32774 | 68 | bi-dir | enabled | 2850817 | tenant1:Contract1 | permit | class-eq-filter(1) |
| 4244 | 32774 | 32774 | 67 | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit | class-eq-filter(1) |
+---------+--------+--------+----------+----------------+---------+---------+-------------------+----------+----------------------+
Note
Intra-EPG contracts are only supported on EX/FX switches or newer (because of the proxy-ARP requirement).
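To make the two zoning-rule tables in this post concrete, here is an added example (not code from the white paper or from this post) that parses their rows and resolves a flow the way the leaf does: among the rules matching the source class, destination class and filter, the lowest priority number wins, which is why the class-eq-filter(1) permits override the class-eq-deny(2) rule in the intra-EPG contract case while plain isolation leaves only the deny. The contents of filters 67 and 68 are not shown in the post, so the example assumes filter 68 is TCP to port 80 and filter 67 is its reversed-port return entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    src_epg: int
    dst_epg: int
    filter_id: str   # "implicit" or the numeric filter ID as printed
    action: str      # "permit" or "deny,log"
    priority: int    # number in parentheses; the lowest number wins

# Data rows copied from the two 'show zoning-rule' tables in this post.
ISOLATION_RULES = """
| 4231 | 32774 | 32774 | implicit | uni-dir        | enabled | 2850817 |                   | deny,log | class-eq-deny(2)   |
| 4244 | 32774 | 32775 | 68       | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit   | fully_qual(7)      |
| 4222 | 32775 | 32774 | 67       | bi-dir         | enabled | 2850817 | tenant1:Contract1 | permit   | fully_qual(7)      |
"""
INTRA_CONTRACT_RULES = """
| 4231 | 32774 | 32774 | implicit | uni-dir        | enabled | 2850817 |                   | deny,log | class-eq-deny(2)   |
| 4222 | 32774 | 32774 | 68       | bi-dir         | enabled | 2850817 | tenant1:Contract1 | permit   | class-eq-filter(1) |
| 4244 | 32774 | 32774 | 67       | uni-dir-ignore | enabled | 2850817 | tenant1:Contract1 | permit   | class-eq-filter(1) |
"""

def parse_zoning_rules(table: str) -> list[ZoningRule]:
    """Parse the data rows of a zoning-rule table (Dir/operSt/Scope/Name are not modelled)."""
    rules = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 10 or not cells[0].isdigit():
            continue  # header or border line
        rule_id, src, dst, filt, _dir, _st, _scope, _name, action, prio = cells
        rules.append(ZoningRule(int(rule_id), int(src), int(dst), filt, action,
                                int(prio[prio.rindex("(") + 1:-1])))
    return rules

# Assumed filter contents (not shown in the post): 68 = TCP to port 80, 67 = the
# reversed-port entry (TCP from port 80) that ACI installs for the return flow.
FILTER_MATCH = {
    "implicit": lambda proto, sport, dport: True,
    "68": lambda proto, sport, dport: proto == "tcp" and dport == 80,
    "67": lambda proto, sport, dport: proto == "tcp" and sport == 80,
}

def lookup(rules: list[ZoningRule], src_epg: int, dst_epg: int,
           proto: str, sport: int, dport: int) -> str:
    """Action for one flow: of all matching rules the lowest priority number wins; no match = implicit deny."""
    hits = [r for r in rules if r.src_epg == src_epg and r.dst_epg == dst_epg
            and FILTER_MATCH[r.filter_id](proto, sport, dport)]
    return min(hits, key=lambda r: r.priority).action if hits else "deny"
```

With the isolation table, `lookup(iso, 32774, 32774, "tcp", 40000, 80)` returns `deny,log`; with the intra-EPG contract table the same flow returns `permit` and a flow to port 22 still returns `deny,log`.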