Cisco ACI Microsegmentation

The document provides a guide on configuring MicroSegmentation in ACI, focusing on two use cases: Intra-EPG Isolation and Virtual Machines Based Attributes. It outlines the steps to enforce and revert Intra-EPG Isolation, as well as how to create uSeg policies and attributes to control communication between virtual machines. The conclusion emphasizes the importance of understanding use cases for effective ACI configuration.
ACI MicroSegmentation

During this session, we will be covering how to configure MicroSegmentation in ACI.

We will be focusing on two use cases:

Intra-EPG Isolation
Virtual Machine Based Attributes

Host card: POD03-WEB-SRV-01 (CentOS), 10.0.145.18, Node1, POD03-WEB-SRV-01.ecatsrtpdmz.cisco.com

Step 1 - Intra EPG Isolation

From POD03-WEB-SRV-01, start a continuous ping to POD03-WEB-SRV-02. Don't stop the ping.

https://aci-lab.ciscolive.com/lab/pod3/segmentation/mseg 11/29/24, 08 56

[root@pod03-web-srv-01 ~]# ping 10.0.144.19
PING 10.0.144.19 (10.0.144.19) 56(84) bytes of data.
64 bytes from 10.0.144.19: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.19: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.19: icmp_seq=3 ttl=64 time=0.164 ms

Create the Intra-EPG Isolation policy in aci_p03_epg_web by:

1 Tenant aci_p03_tenant
2 Expand Application Profiles
3 Expand aci_p03_ap
4 Expand Application EPGs
5 Click on aci_p03_epg_web
6 Click on Policy
7 Click on General
8 Click on Intra EPG Isolation: Enforced
9 Click OK on the warning message
10 Click Submit
11 Click Submit Changes

After you click Submit, you will notice the pings are no longer working; ACI now drops traffic between endpoints of the same EPG.

From 10.0.144.19 icmp_seq=1577 Destination Host Unreachable
From 10.0.144.19 icmp_seq=1578 Destination Host Unreachable
From 10.0.144.19 icmp_seq=1579 Destination Host Unreachable

Let's revert the Intra EPG Isolation setting to Unenforced. To do this, we need to do the following steps:

1 Click Unenforced
2 Click Submit
3 Click Submit Changes

The pings are back and working.

[root@pod03-web-srv-01 ~]# ping 10.0.144.19
PING 10.0.144.19 (10.0.144.19) 56(84) bytes of data.
64 bytes from 10.0.144.19: icmp_seq=1000 ttl=64 time=0.174 ms
64 bytes from 10.0.144.19: icmp_seq=1001 ttl=64 time=0.193 ms
64 bytes from 10.0.144.19: icmp_seq=1002 ttl=64 time=0.164 ms

Step 2 - Virtual Machine Attributes

In this particular example, ACI will be leveraging Virtual Machine Attributes in order
to provide the segmentation needed to control the desired Virtual Machine
communication. In some instances, customers may add an identifier to their naming
convention to differentiate the VM role, such as:

DEV
PROD
External
Internal

Then, customers may create rules to allow or disallow traffic. For example, DEV
machines are not allowed to talk with PROD machines. ACI can help achieve this by creating
the necessary rules to block the undesired communication.

Step 3 - Enable MicroSegmentation in the domain

We need to allow uSeg-EPG segmentation in aci_p03_epg_web by:

1 Tenant aci_p03_tenant
2 Expand Application Profiles
3 Expand aci_p03_ap
4 Expand Application EPGs
5 Click on aci_p03_epg_web
6 Click on Domains (VMs and Baremetal): aci_p03_dc3_vds
7 Double-click on your VMware domain and a new popup will be presented
8 Click on: Allow MicroSegmentation
9 Click OK

Step 4 - Create micro-segmentation policy

Once you have allowed MicroSegmentation in aci_p03_epg_web, we need to
create the uSeg EPG policy by:

1 Tenant aci_p03_tenant
2 Expand Application Profiles
3 Expand aci_p03_ap
4 Right-click on uSeg EPGs
5 Click on Create uSeg EPG
6 Name: aci_p03_useg_web
7 Bridge Domain: aci_p03_bd_web
8 Click Next
9 Click on the + symbol to associate the uSeg EPG with the VMM domain aci_p03_dc3_vds
10 Domain Profile: aci_p03_dc3_vds
11 Deployment Immediacy: Immediate
12 Click Update
13 Click Finish

Step 5 - Create uSeg Attributes

We need to define the rule for our uSeg EPG. In this particular case we are going to be
using the VM name as the attribute, so that POD03-WEB-SRV-01 and POD03-WEB-SRV-02
will no longer be able to communicate.

In order to create our uSeg Attributes, we need to do the following:

1 Tenant aci_p03_tenant
2 Expand Application Profiles
3 Expand aci_p03_ap
4 Click on uSeg EPGs
5 Expand aci_p03_useg_web
6 Click uSeg Attributes
7 Click the plus sign (+) button
8 Select a Type...: VM - VM Name
9 Select an operator: Contains
10 Next to Contains: 02
11 Click Submit
12 Click on Submit Changes
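The GUI clicks in Steps 3 to 5 create a handful of APIC managed objects. The following added example (not from the lab guide or from Cisco) builds the equivalent JSON payloads and runs a pre-flight check for the omissions that leave a uSeg EPG idle. The class and attribute names (fvAEPg, fvRsDomAtt with classPref "useg", fvCrtrn, fvVmAttr) reflect my understanding of the APIC object model and should be confirmed against your APIC's API Inspector; apic_host is a placeholder.

```python
import json
from typing import List

TENANT, AP, DOMAIN = "aci_p03_tenant", "aci_p03_ap", "aci_p03_dc3_vds"
VMM_DOMAIN_DN = f"uni/vmmp-VMware/dom-{DOMAIN}"   # assumed DN format for a VMware VMM domain

def allow_useg_on_domain() -> dict:
    """Step 3: the 'Allow Micro-Segmentation' box on the EPG's VMM domain association."""
    return {"fvRsDomAtt": {"attributes": {
        "tDn": VMM_DOMAIN_DN, "classPref": "useg",
        "instrImedcy": "immediate", "resImedcy": "immediate"}}}

def useg_epg(name: str = "aci_p03_useg_web", bd: str = "aci_p03_bd_web",
             contains: str = "02") -> dict:
    """Steps 4-5: a uSeg EPG on the web BD and VMM domain, matching VM Name contains '02'."""
    vm_attr = {"fvVmAttr": {"attributes": {
        "name": f"vm-name-contains-{contains}",      # constructed label, any name works
        "type": "vm-name", "operator": "contains", "value": contains}}}
    return {"fvAEPg": {
        "attributes": {"name": name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
            {"fvRsDomAtt": {"attributes": {"tDn": VMM_DOMAIN_DN,
                                           "instrImedcy": "immediate"}}},
            {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                         "children": [vm_attr]}}]}}

def mo_url(apic_host: str, epg_name: str) -> str:
    """The managed-object URL the payload is POSTed to (apic_host is a placeholder)."""
    return f"https://{apic_host}/api/mo/uni/tn-{TENANT}/ap-{AP}/epg-{epg_name}.json"

def to_json(payload: dict) -> str:
    return json.dumps(payload, indent=2)

def check_useg_payload(payload: dict) -> List[str]:
    """Pre-flight: the mistakes that leave a uSeg EPG silently idle (no BD, no domain,
    no criterion, or a criterion without attributes). Returns a list of problems."""
    problems = []
    epg = payload.get("fvAEPg", {})
    if epg.get("attributes", {}).get("isAttrBasedEPg") != "yes":
        problems.append("isAttrBasedEPg must be 'yes' for a uSeg EPG")
    kids = {k: v for child in epg.get("children", []) for k, v in child.items()}
    for required in ("fvRsBd", "fvRsDomAtt", "fvCrtrn"):
        if required not in kids:
            problems.append(f"missing {required}")
    if "fvCrtrn" in kids and not kids["fvCrtrn"].get("children"):
        problems.append("fvCrtrn has no attributes; no VM will ever be classified")
    return problems
```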

After you click Submit, you will notice the pings are no longer working: POD03-WEB-SRV-02 now matches the uSeg attribute and is moved into aci_p03_useg_web, a different EPG with no contract to aci_p03_epg_web.

From 10.0.144.19 icmp_seq=1577 Destination Host Unreachable
From 10.0.144.19 icmp_seq=1578 Destination Host Unreachable
From 10.0.144.19 icmp_seq=1579 Destination Host Unreachable
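Both outages above (Step 1's Intra-EPG Isolation and Step 5's uSeg attribute) follow from the same rule: traffic is allowed inside an EPG unless isolation is enforced, and between EPGs only when a contract exists. The added example below (mine, not part of the lab guide) is a small model of that decision using the lab's VM and EPG names, so the expected result can be reasoned about before a change is submitted; contracts are simplified to an unordered pair and it does not talk to a fabric.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Epg:
    name: str
    intra_epg_isolation: bool = False         # "Intra EPG Isolation: Enforced" in the GUI
    useg_name_contains: Optional[str] = None  # uSeg attribute "VM Name contains <value>"

@dataclass
class Fabric:
    base_epg: Epg
    useg_epgs: List[Epg] = field(default_factory=list)
    contracts: Set[Tuple[str, str]] = field(default_factory=set)  # (epg_a, epg_b), simplified

    def classify(self, vm_name: str) -> str:
        """A VM whose name matches a uSeg attribute is pulled out of the base EPG."""
        for useg in self.useg_epgs:
            if useg.useg_name_contains and useg.useg_name_contains in vm_name:
                return useg.name
        return self.base_epg.name

    def permitted(self, src_vm: str, dst_vm: str) -> bool:
        src, dst = self.classify(src_vm), self.classify(dst_vm)
        if src == dst:
            # Same EPG: allowed by default, denied once Intra-EPG Isolation is enforced.
            epg = next(e for e in [self.base_epg, *self.useg_epgs] if e.name == src)
            return not epg.intra_epg_isolation
        # Different EPGs: ACI is allow-list only, so a contract must exist between them.
        return (src, dst) in self.contracts or (dst, src) in self.contracts

WEB1, WEB2 = "POD03-WEB-SRV-01", "POD03-WEB-SRV-02"

def step1_enforced() -> bool:
    """Step 1 after 'Enforced': both VMs stay in aci_p03_epg_web but cannot talk."""
    return Fabric(Epg("aci_p03_epg_web", intra_epg_isolation=True)).permitted(WEB1, WEB2)

def step1_reverted() -> bool:
    """Step 1 after reverting to 'Unenforced': the ping recovers."""
    return Fabric(Epg("aci_p03_epg_web")).permitted(WEB1, WEB2)

def step5_useg() -> Tuple[str, str, bool]:
    """Step 5: 'VM Name contains 02' moves SRV-02 into aci_p03_useg_web; no contract, so denied."""
    fab = Fabric(Epg("aci_p03_epg_web"),
                 useg_epgs=[Epg("aci_p03_useg_web", useg_name_contains="02")])
    return fab.classify(WEB1), fab.classify(WEB2), fab.permitted(WEB1, WEB2)

if __name__ == "__main__":
    print(step1_enforced(), step1_reverted(), step5_useg())
```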

Step 6 - MicroSegmentation Conclusion

As you can see in this chapter, ACI can provide different types of MicroSegmentation
for different use cases. It is always important to understand the use case in order to
configure ACI with the right set of properties.
