Tuesday, March 7, 2023
HomeCloud ComputingACI Segmentation and Migrations made simpler with Endpoint Safety Teams (ESG)

ACI Segmentation and Migrations made simpler with Endpoint Safety Teams (ESG)

Let’s open with a query: “How are you dealing with safety and segmentation necessities in your Cisco Utility Centric Infrastructure (ACI) cloth?”

I count on most solutions will relate to constructs of Endpoint Teams (EPGs), contracts and filters.  These ideas are the foundations of ACI. However with regards to any infrastructure capabilities, designs and prospects’ necessities are consistently evolving, typically resulting in new segmentation challenges. That’s the reason I wish to introduce a comparatively latest, highly effective choice known as Endpoint Safety Teams (ESGs). Though ESGs had been launched in Cisco ACI some time again (model 5.0(1) launched in Might 2020), there may be nonetheless ample alternative to unfold this performance to a broader viewers.

For individuals who haven’t explored the subject but, ESGs supply an alternate manner of dealing with segmentation with the added flexibility of decoupling this from the sooner ideas of forwarding and safety related to Endpoint Teams. That is to say that ESGs deal with segmentation individually from the forwarding points, permitting extra flexibility and chance with every.

EPG and ESG – Highlights and Variations

The simplest approach to handle endpoints with widespread safety necessities is to place them into teams and management communication between them. In ACI, these teams have been historically represented by EPGs. Contracts which might be connected to EPGs are used for controlling communication and different insurance policies between teams with totally different postures. Though EPG has been primarily offering community safety, it should be married to a single bridge area. It’s because EPGs outline each forwarding coverage and safety segmentation concurrently. This direct relationship between Bridge Area (BD) and an EPG prevents the potential for an EPG to span a couple of bridge area. This design requirement may be alleviated by ESGs. With ESGs, networking (i.e., forwarding coverage) occurs on the EPG/BD degree, and safety enforcement is moved to the ESG degree.

Operationally, the ESG idea is just like, and extra simple than the unique EPG method. Identical to EPGs, communication is allowed amongst any endpoints inside the identical group, however within the case of ESGs, that is unbiased of the subnet or BD they’re related to. For communication between totally different ESGs, we want contracts. That sounds acquainted, doesn’t it? ESGs use the identical contract constructs we now have been utilizing in ACI since inception.

So, what are the advantages of ESGs then? In a nutshell, the place EPGs are certain to a single BD, ESGs let you outline a safety coverage that spans throughout a number of BDs. That is to say you possibly can group and apply coverage to any variety of endpoints throughout any variety of BDs below a given VRF.  On the identical time, ESGs decouple the forwarding coverage, which lets you do issues like VRF route leaking in a way more easy and extra intuitive method.

ESG. A Easy Use Case Instance

To offer an instance of the place ESGs might be helpful, think about a brownfield ACI deployment that has been in operation for years. Over time issues are likely to develop organically. You would possibly discover you might have created increasingly more EPG/BD combos however later understand that many of those EPGs truly share the identical safety profile. With EPGs, you’ll be deploying and consuming extra contract sources to attain what you need, plus doubtlessly including to your administration burden with extra objects to keep watch over. With ESGs, now you can merely group all these brownfield EPGs and their endpoints and apply the widespread safety insurance policies solely as soon as. What’s essential is you are able to do this with out altering something having to do with IP addressing or BD settings they’re utilizing to speak.

So how do I assign an endpoint to an ESG? You do that with a collection of matching standards. Within the first launch of ESGs, you had been restricted within the sorts of matching standards. Ranging from ACI 5.2(1), we now have expanded matching standards to supply extra flexibility for endpoint classification and ease for the person. Amongst them: Tag Selectors (based mostly on MAC, IP, VM tag, subnet), complete EPG Selectors, and IP Subnet Selectors. All the main points about totally different selectors may be discovered right here: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/security-configuration/cisco-apic-security-configuration-guide-60x/endpoint-security-groups-60x.html.

EPG to ESG Migration Simplified

In case the place your infrastructure is diligently segmented with EPGs and contracts that mirror utility tiers’ dependencies, ESGs are designed to let you migrate your coverage with just a bit effort.

The primary query that almost all most likely involves your thoughts is the right way to obtain that? With the EPG Selector, one of many new strategies of classifying endpoints into ESGs, we allow a seamless migration to the brand new grouping idea by inheriting contracts from the EPG degree. That is a simple approach to rapidly transfer all of your endpoints inside a number of EPGs into your new ESGs.

For a greater understanding, let’s consider the under instance. See Determine 1. We’ve a easy two EPGs setup that we are going to migrate to ESGs. At present, the communication between them is achieved with contract Ctr-1.

Excessive-level migration steps are as follows:

  1. Migrate EPG 1 to ESG 1
  2. Migrate EPG 2 to ESG 2
  3. Change the prevailing contract with the one utilized between newly created ESGs.
Two EPGs with contract in place
Determine-1- Two EPGs with the contract in place

Step one is to create a brand new ESG 1 the place EPG 1 is matched utilizing the EPG Selector. It implies that all endpoints that belong to this EPG grow to be a part of a newly created ESG . These endpoints nonetheless talk with the opposite EPG(s) due to an automated contract inheritance (Be aware: You can’t configure an express contract between ESG and EPG).

This state, depicted in Determine 2, is taken into account as an intermediate step of a migration, which the APIC experiences with F3602 fault till you migrate excellent EPG(s) and contracts. This fault is a manner for us to encourage you to proceed with a migration course of so that every one safety configurations are maintained by ESGs. This may preserve the configuration and design easy and maintainable. Nevertheless, you wouldn’t have to do it . You possibly can progress based on your undertaking schedule.

Interim migration step
Determine 2 – Interim migration step

As a subsequent step, with EPG Selector, you migrate EPG 2 to ESG 2, respectively. Remember the fact that nothing stands in the best way of inserting different EPGs into the identical ESG (even when these EPGs consult with totally different BDs). Communication between ESGs continues to be allowed with contract inheritance.

To finish the migration, as a remaining step, configure a brand new contract with the identical filters as the unique one – Ctr-1-1. Assign one ESG as a supplier and the second as a client, which takes priority over contract inheritance. Lastly, take away the unique Ctr-1 contract between EPG 1 and EPG 2. This step is proven in Determine 3.

Final setup with ESGs and new contract
Determine 3 – Closing setup with ESGs and new contract

Simple Migration to ACI

The earlier instance is principally relevant when segmentation on the EPG degree is already utilized based on the applying dependencies. Nevertheless, not everybody could understand that ESG additionally simplifies brownfield migrations from current environments to Cisco ACI.

A place to begin for a lot of new ACI prospects is how EPG designs are carried out.  Sometimes, the commonest alternative is to implement such that one subnet is mapped to at least one BD and one EPG to mirror previous VLAN-based segmentation designs (Determine 4). To this point, shifting from such a state to a extra application-oriented method the place an utility is damaged up into tiers based mostly on perform has not been trivial. It has typically been related to the necessity to switch some workloads between EPGs, or re-addressing servers/companies, which generally results in disruptions.

EPG = BD segmentation design
Determine 4 – EPG = BD segmentation design

Introducing application-level segmentation in such a deployment mannequin is difficult until you utilize ESGs. So how do I make this migration from pure EPG to utilizing ESG? With the brand new selectors out there, you can begin very broadly after which, when prepared, start to outline extra element and coverage. It’s a multi-stage course of that also permits endpoints to speak with out disruption as we make the transition gracefully. Generally, the steps of this course of may be outlined as follows:

  1. Classify all endpoints into one “catch-all” ESG
  2. Outline new segmentation teams and seamlessly take out endpoints from “catch-all” ESG to newly created ESGs.
  3. Proceed till all endpoints are assigned to new safety teams.

In step one (Determine 5), you possibly can allow free communication between EPGs, by classifying all of them utilizing EPG selectors and placing them (quickly) into one “catch-all” ESG. That is conceptually just like any “permit-all” options you’ll have used previous to ESGs (e.g. vzAny, Most popular Teams).

All EPGs are temporarily put into one ESG
Determine 5 – All EPGs are quickly put into one ESG

Within the second step (Determine 6), you possibly can start to form and refine your safety coverage by seamlessly taking out endpoints from the catch-all ESG and placing them into different newly created ESGs that meet your safety coverage and desired end result. For that, you need to use different endpoint selector strategies out there – on this instance – tag selectors. Remember the fact that there isn’t any want to alter any networking constructs associated to those endpoints. VLAN binding to interfaces with EPGs stays the identical. No want for re-addressing or shifting between BDs or EPGs.

Gradual migration from an existing network to Cisco ACI
Determine 6 – Gradual migration from an current community to Cisco ACI

As you proceed to refine your safety insurance policies, you’ll find yourself in a state the place all your endpoints are actually utilizing the ESG mannequin. As your information heart cloth grows, you wouldn’t have to spend any time worrying about which EPG or which BD subnet is required as a result of ESG frees you of that tight coupling. As well as, you’ll acquire detailed visibility into endpoints which might be a part of an ESG that symbolize a division (like IT or Gross sales within the above instance) or utility suite. This makes administration, auditing, and different operational points simpler.

Intuitive route-leaking

It’s properly understood that getting Cisco ACI to interconnect two VRFs in the identical or totally different tenants is feasible with none exterior router. Nevertheless, two extra points should be ensured for the sort of communication to occur. First is common routing reachability and the second is safety permission.

On this very weblog, I said that ESG decouples forwarding from safety coverage. That is additionally clearly seen when that you must configure inter-VRF connectivity. Seek advice from Determine 7 for high-level, intuitive configuration steps.

Simplified route-leaking configuration
Determine 7. Simplified route-leaking configuration. Just one route is proven for higher readability

On the VRF degree, configure the subnet to be leaked and its destined VRF to ascertain routing reachability. A leaked subnet should be equal to or be a subset of a BD subnet. Subsequent connect a contract between the ESGs in several VRFs to permit desired communication to occur. Lastly, you possibly can put apart the necessity to configure subnets below the supplier EPG (as an alternative of below the BD solely), and make changes to outline the proper BD scope. These are usually not required anymore. The tip result’s a a lot simpler approach to arrange route leaking with not one of the generally complicated and cumbersome steps that had been obligatory utilizing the standard EPG method.

To discover extra particulars of this idea that the networking business has dubbed “route leaking”, consult with the Endpoint Safety Teams chapter within the Cisco APIC Safety Configuration Information.


Due to the idea of ESGs, the safety and segmentation capabilities of Cisco ACI turned extra versatile and highly effective. Significantly utilizing ESGs within the migration path from a mannequin the place 1 EPG equals 1 BD, to a extra refined community coverage is one thing that appears to be typically missed.

Our work is just not but carried out. We’ll proceed to allow new makes use of for ESG with new options. Essentially the most anticipated characteristic that shall be coming quickly is ESG help with Nexus Dashboard Orchestrator (NDO) for purchasers who’ve chosen to deploy Multi-Website throughout information facilities and places. Keep tuned!





Please enter your comment!
Please enter your name here

Most Popular

Recent Comments