Cisco ACI Endpoint Security Group (ESG) Explained and Configuration

Note: This post is heavily based on the cisco ACI ESG white paper.

Why ESG is needed

According to Cisco Documentation, Endpoint Security Groups (ESGs) are the new network security construct in Cisco ACI. Although the endpoint groups (EPGs) have been providing network security, EPGs have to be associated with a single bridge domain (BD) and used to define security zones within a BD.

This is because the EPGs serve both forwarding and security segmentation at the same time. The direct relationship between the BD and an EPG limits the possibility of an EPG spanning more than one BD. This limitation of EPGs is resolved by using the new ESG constructs.

ESP vs EPG, In simple words:

  • EPG <-> BD, EPG defines forwarding scope and security segmentation.
  • ESG <-> VRF, ESG can span multiple BD, ESG defines only security segmentation.

What is an ESG

An ESG is a logical entity that contains a collection of physical or virtual network endpoints. In addition, an ESG is associated with a single VRF (Virtual Routing and Forwarding) instead of BD. This allows the definition of a security zone that is independent of the BDs.

An ESG is a security construct that has certain match criteria to define which endpoint belongs to the ESG, and uses contracts or policies to define the security stance. The match criteria are called the ESG selectors that are based on attributes, such as an IPv4 or IPv6 address spanning across BDs in the associated VRF. For Cisco APIC, release 5.0(1), the available matching criteria is the IP address or the subnet of an endpoint.

ESGs and Contracts

ESGs can only communicate with other ESGs according to the contract rules. The administrator uses a contract to select the types of traffic that can pass between ESGs, including the protocols and ports allowed.

Supported Contracts relationship:

  1. ESG ⇔ ESG
  2. ESG ⇔ L3Out EPG
  3. ESG ⇔ inband-EPG
  4. ESG ⇔ vzAny


At the actual moment (5.0 version), Contracts between the ESGs and the EPGs (or uSeg EPGs) are not supported. When an endpoint in an ESG needs to communicate with other endpoints in the EPG, the other endpoints need to be migrated to the ESG first.

Also, ESGs are not supported as a source or destination of the following features:

* On-Demand Atomic Counter

* On-Demand Latency Measurement


ESG Migration within VRF

ESG Configuration Example in Cisco ACI

First of all, create a new ESG:

  • Navigate to: Tenant > Application Profiles > Endpoint Security Group and right-click on it.

  • Enter the Name and VRF associated with the ESG and click Next:

  • Define the selectors, in our example, we will choose a subnet selector, but also, EPG or tag as selectors:

  • Click OK, then Next and Finish (unless you want to enforce Intra ESG isolation in the advanced tab):

  • We can verify the ESG configuration:

  • The Application of Contracts is similar to the EPG:

Under the ESG menu, right-click on contracts:

and select the contract to Provide or consume:


0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x