
ACI Segmentation and Migrations made simpler with Endpoint Security Groups (ESG)

Let’s open with a question: “How are you handling security and segmentation requirements in your Cisco Application Centric Infrastructure (ACI) fabric?”

I expect most answers will relate to the constructs of Endpoint Groups (EPGs), contracts and filters. These concepts are the foundations of ACI. But when it comes to any infrastructure capabilities, designs and customers’ requirements are constantly evolving, often leading to new segmentation challenges. That is why I would like to introduce a relatively recent, powerful option called Endpoint Security Groups (ESGs). Although ESGs were introduced in Cisco ACI a while back (version 5.0(1), released in May 2020), there is still ample opportunity to spread this functionality to a broader audience.

For those who have not explored the topic yet, ESGs offer an alternate way of handling segmentation, with the added flexibility of decoupling it from the earlier concepts of forwarding and security associated with Endpoint Groups. That is to say, ESGs handle segmentation separately from the forwarding aspects, allowing more flexibility and possibility with each.

EPG and ESG – Highlights and Differences

The easiest way to manage endpoints with common security requirements is to put them into groups and control communication between them. In ACI, these groups have traditionally been represented by EPGs. Contracts attached to EPGs are used for controlling communication and other policies between groups with different postures. Although the EPG has primarily been providing network security, it must be married to a single bridge domain. This is because EPGs define both forwarding policy and security segmentation simultaneously. This direct relationship between a Bridge Domain (BD) and an EPG prevents an EPG from spanning more than one bridge domain. This design requirement can be alleviated by ESGs. With ESGs, networking (i.e., forwarding policy) happens at the EPG/BD level, and security enforcement is moved to the ESG level.

Operationally, the ESG concept is similar to, and more straightforward than, the original EPG approach. Just like EPGs, communication is allowed among any endpoints within the same group, but in the case of ESGs this is independent of the subnet or BD they are associated with. For communication between different ESGs, we need contracts. That sounds familiar, doesn’t it? ESGs use the same contract constructs we have been using in ACI since inception.

So, what are the benefits of ESGs then? In a nutshell, where EPGs are bound to a single BD, ESGs allow you to define a security policy that spans multiple BDs. That is to say, you can group and apply policy to any number of endpoints across any number of BDs under a given VRF. At the same time, ESGs decouple the forwarding policy, which lets you do things like VRF route leaking in a much more straightforward and intuitive way.

ESG: A Simple Use Case Example

To give an example of where ESGs could be useful, consider a brownfield ACI deployment that has been in operation for years. Over time things tend to grow organically. You might find you have created more and more EPG/BD combinations but later realize that many of these EPGs actually share the same security profile. With EPGs, you would be deploying and consuming more contract resources to achieve what you want, plus potentially adding to your management burden with more objects to keep an eye on. With ESGs, you can now simply group all these brownfield EPGs and their endpoints and apply the common security policies only once. What is important is that you can do this without changing anything having to do with the IP addressing or BD settings they are using to communicate.

So how do I assign an endpoint to an ESG? You do this with a series of matching criteria. In the first release of ESGs, you were limited in the kinds of matching criteria. Starting from ACI 5.2(1), we have expanded the matching criteria to provide more flexibility for endpoint classification and simplicity for the user. Among them: Tag Selectors (based on MAC, IP, VM tag, subnet), whole EPG Selectors, and IP Subnet Selectors. All the details about the different selectors can be found here: https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/security-configuration/cisco-apic-security-configuration-guide-60x/endpoint-security-groups-60x.html.

EPG to ESG Migration Simplified

If your infrastructure is diligently segmented with EPGs and contracts that reflect application tiers’ dependencies, ESGs are designed to allow you to migrate your policy with just a little effort.

The first question that most probably comes to your mind is how to achieve that. With the EPG Selector, one of the new methods of classifying endpoints into ESGs, we enable a seamless migration to the new grouping concept by inheriting contracts from the EPG level. This is an easy way to quickly move all your endpoints within one or more EPGs into your new ESGs.

For a better understanding, let’s consider the example below. See Figure 1. We have a simple setup of two EPGs that we will migrate to ESGs. Currently, the communication between them is achieved with contract Ctr-1.

The high-level migration steps are as follows:

  1. Migrate EPG 1 to ESG 1
  2. Migrate EPG 2 to ESG 2
  3. Replace the existing contract with the one applied between the newly created ESGs.

Figure 1 – Two EPGs with the contract in place

The first step is to create a new ESG 1 where EPG 1 is matched using the EPG Selector. It means that all endpoints that belong to this EPG become part of the newly created ESG. These endpoints still communicate with the other EPG(s) thanks to automatic contract inheritance (Note: you cannot configure an explicit contract between an ESG and an EPG).

This state, depicted in Figure 2, is considered an intermediate step of a migration, which the APIC reports with fault F3602 until you migrate the outstanding EPG(s) and contracts. This fault is a way for us to encourage you to continue with the migration process so that all security configurations are maintained by ESGs. This will keep the configuration and design simple and maintainable. However, you do not have to do it. You can progress according to your project schedule.

Figure 2 – Interim migration step

As the next step, with the EPG Selector, you migrate EPG 2 to ESG 2. Keep in mind that nothing stands in the way of placing other EPGs into the same ESG (even if these EPGs refer to different BDs). Communication between ESGs is still allowed with contract inheritance.

To complete the migration, as a final step, configure a new contract, Ctr-1-1, with the same filters as the original one. Assign one ESG as a provider and the second as a consumer, which takes precedence over contract inheritance. Finally, remove the original Ctr-1 contract between EPG 1 and EPG 2. This step is shown in Figure 3.

Figure 3 – Final setup with ESGs and new contract
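
The contract side of this migration can be planned offline before touching the fabric. The following is an added example, not code from the original post or from Cisco: a plain-Python planning model (no APIC API calls) that generalizes the two-EPG case to several EPGs. All EPG, ESG and contract names are constructed, and the "-1" suffix for new contracts only mirrors the Ctr-1 to Ctr-1-1 naming used above.

```python
# Added planning model: plain Python data, no APIC API calls. All names are constructed.

def plan_esg_migration(epg_contracts, epg_to_esg):
    """Plan the contract side of an EPG-to-ESG migration.

    epg_contracts: list of (contract, provider EPG, consumer EPG) relations.
    epg_to_esg:    EPG -> ESG for every EPG already matched by an EPG selector.
    Returns (new_relations, intra_esg, interim).
    """
    new_relations = {}   # (new contract, provider ESG, consumer ESG) -> EPG relations replaced
    intra_esg, interim = [], []
    for contract, prov_epg, cons_epg in epg_contracts:
        relation = (contract, prov_epg, cons_epg)
        prov_esg = epg_to_esg.get(prov_epg)
        cons_esg = epg_to_esg.get(cons_epg)
        if prov_esg is None or cons_esg is None:
            # At least one side is still a plain EPG: traffic depends on contract
            # inheritance, i.e. the interim state described above.
            interim.append(relation)
        elif prov_esg == cons_esg:
            # Both EPGs landed in one ESG: intra-ESG traffic needs no contract.
            intra_esg.append(relation)
        else:
            # Same filters, new name (suffix "-1" as in Ctr-1 -> Ctr-1-1).
            key = (f"{contract}-1", prov_esg, cons_esg)
            new_relations.setdefault(key, []).append(relation)
    return new_relations, intra_esg, interim


# Constructed sample: EPG-1 and EPG-3 sit in different BDs but share a security profile.
EPG_CONTRACTS = [
    ("Ctr-1", "EPG-1", "EPG-2"),
    ("Ctr-1", "EPG-3", "EPG-2"),
    ("Ctr-2", "EPG-1", "EPG-3"),
    ("Ctr-3", "EPG-2", "EPG-4"),   # EPG-4 has no ESG yet
]
EPG_TO_ESG = {"EPG-1": "ESG-1", "EPG-3": "ESG-1", "EPG-2": "ESG-2"}

if __name__ == "__main__":
    new, intra, interim = plan_esg_migration(EPG_CONTRACTS, EPG_TO_ESG)
    for (name, prov, cons), replaced in new.items():
        print(f"create {name}: {prov} provides, {cons} consumes; then remove {replaced}")
    print("no contract needed inside one ESG:", intra)
    print("still relying on inheritance:", interim)
```

In the sample, two EPG-level Ctr-1 relations collapse into a single ESG-level relation, and the relation towards the unmigrated EPG-4 is reported as still depending on inheritance.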

Easy Migration to ACI

The previous example is mainly applicable when segmentation at the EPG level is already applied according to the application dependencies. However, not everyone may realize that ESG also simplifies brownfield migrations from existing environments to Cisco ACI.

A starting point for many new ACI customers is how EPG designs are implemented. Typically, the most common choice is to map one subnet to one BD and one EPG, to reflect old VLAN-based segmentation designs (Figure 4). So far, moving from such a state to a more application-oriented approach, where an application is broken up into tiers based on function, has not been trivial. It has often been associated with the need to transfer some workloads between EPGs, or to re-address servers/services, which typically leads to disruptions.

Figure 4 – EPG = BD segmentation design

Introducing application-level segmentation in such a deployment model is challenging unless you use ESGs. So how do I make this migration from pure EPG to using ESG? With the new selectors available, you can start very broadly and then, when ready, begin to define additional detail and policy. It is a multi-stage process that still allows endpoints to communicate without disruption as we make the transition gracefully. Generally, the steps of this process can be outlined as follows:

  1. Classify all endpoints into one “catch-all” ESG.
  2. Define new segmentation groups and seamlessly take endpoints out of the “catch-all” ESG into the newly created ESGs.
  3. Continue until all endpoints are assigned to new security groups.

In the first step (Figure 5), you can enable free communication between EPGs by classifying all of them using EPG selectors and putting them (temporarily) into one “catch-all” ESG. This is conceptually similar to any “permit-all” solutions you may have used prior to ESGs (e.g. vzAny, Preferred Groups).

Figure 5 – All EPGs are temporarily put into one ESG

In the second step (Figure 6), you can begin to shape and refine your security policy by seamlessly taking endpoints out of the catch-all ESG and putting them into other newly created ESGs that meet your security policy and desired outcome. For that, you can use the other endpoint selector methods available, in this example tag selectors. Keep in mind that there is no need to change any networking constructs related to these endpoints. VLAN binding to interfaces with EPGs stays the same. There is no need for re-addressing or moving between BDs or EPGs.

Figure 6 – Gradual migration from an existing network to Cisco ACI

As you continue to refine your security policies, you will end up in a state where all of your endpoints are now using the ESG model. As your data center fabric grows, you do not have to spend any time worrying about which EPG or which BD subnet is needed, because ESG frees you of that tight coupling. In addition, you will gain detailed visibility into endpoints that are part of an ESG that represents a department (like IT or Sales in the above example) or application suite. This makes management, auditing, and other operational aspects easier.

Intuitive route-leaking

It is well understood that getting Cisco ACI to interconnect two VRFs in the same or different tenants is possible without any external router. However, two additional aspects must be ensured for this type of communication to happen. The first is regular routing reachability and the second is security permission.

In this very blog, I stated that ESG decouples forwarding from security policy. This is also clearly visible when you need to configure inter-VRF connectivity. Refer to Figure 7 for high-level, intuitive configuration steps.

Figure 7 – Simplified route-leaking configuration. Only one direction is shown for better readability.

At the VRF level, configure the subnet to be leaked and its destination VRF to establish routing reachability. A leaked subnet must be equal to, or a subset of, a BD subnet. Next, attach a contract between the ESGs in different VRFs to allow the desired communication to happen. Finally, you can put aside the need to configure subnets under the provider EPG (instead of under the BD only) and to make adjustments to define the correct BD scope. These are not required anymore. The end result is a much easier way to set up route leaking, with none of the sometimes confusing and cumbersome steps that were necessary using the traditional EPG approach.

To explore more details of this concept that the networking industry has dubbed “route leaking”, refer to the Endpoint Security Groups chapter in the Cisco APIC Security Configuration Guide.
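
The two conditions for inter-VRF traffic (routing reachability and security permission) can be checked against a planned configuration before it is applied. The following is an added example, not code from the original post or from Cisco: a plain-Python model with no APIC API calls, using constructed VRF, ESG, contract names and subnets. It assumes reachability is wanted in both directions between the two VRFs of a contract.

```python
# Added pre-check model: plain Python, no APIC API calls. Names and subnets are constructed.
import ipaddress

def check_route_leaks(bd_subnets, leaks, esg_vrf, contracts):
    """bd_subnets: VRF -> list of BD subnets (CIDR strings).
    leaks:      list of (source VRF, leaked subnet, destination VRF).
    esg_vrf:    ESG -> VRF it belongs to.
    contracts:  list of (contract, provider ESG, consumer ESG).
    Returns (invalid_leaks, unrouted_contracts, leaks_without_contract)."""
    routed, invalid = set(), []
    for src, subnet, dst in leaks:
        net = ipaddress.ip_network(subnet)
        bds = [ipaddress.ip_network(s) for s in bd_subnets.get(src, [])]
        # Rule from the text: a leaked subnet must equal, or be a subset of, a BD subnet.
        if any(net.version == bd.version and net.subnet_of(bd) for bd in bds):
            routed.add((src, dst))
        else:
            invalid.append((src, subnet, dst))
    permitted, unrouted = set(), []
    for name, prov, cons in contracts:
        a, b = esg_vrf[prov], esg_vrf[cons]
        if a == b:
            continue                      # intra-VRF contract, no leak involved
        permitted.update({(a, b), (b, a)})
        # Assumption: reachability is needed in both directions, so each VRF
        # must leak a valid subnet to the other.
        for direction in ((a, b), (b, a)):
            if direction not in routed:
                unrouted.append((name, direction))
    # Reachability without security permission: a leak exists, but no inter-VRF contract.
    no_contract = sorted(pair for pair in routed if pair not in permitted)
    return invalid, unrouted, no_contract


# Constructed sample configuration.
BD_SUBNETS = {"VRF-A": ["10.1.0.0/16"], "VRF-B": ["10.2.1.0/24"], "VRF-C": ["10.3.0.0/24"]}
LEAKS = [
    ("VRF-A", "10.1.5.0/24", "VRF-B"),   # subset of a BD subnet: valid
    ("VRF-B", "10.2.0.0/16", "VRF-A"),   # wider than the BD subnet: invalid
    ("VRF-C", "10.3.0.0/24", "VRF-A"),   # equal to a BD subnet: valid, but no contract
]
ESG_VRF = {"ESG-web": "VRF-A", "ESG-db": "VRF-B"}
CONTRACTS = [("Ctr-web-db", "ESG-db", "ESG-web")]

if __name__ == "__main__":
    print(check_route_leaks(BD_SUBNETS, LEAKS, ESG_VRF, CONTRACTS))
```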


Thanks to the concept of ESGs, the security and segmentation capabilities of Cisco ACI became more flexible and powerful. In particular, using ESGs in the migration path from a model where 1 EPG equals 1 BD to a more refined network policy is something that seems to be often overlooked.

Our work is not yet done. We will continue to enable new uses for ESG with new features. The most anticipated feature that will be coming soon is ESG support with Nexus Dashboard Orchestrator (NDO) for customers who have chosen to deploy Multi-Site across data centers and regions. Stay tuned!



