
Page 1: Microsegmentation with Cisco ACI (cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/...)

Microsegmentation with Cisco ACI

This chapter contains the following sections:

• Microsegmentation with Cisco ACI, page 1

Microsegmentation with Cisco ACI

Microsegmentation with the Cisco Application Centric Infrastructure (ACI) provides the ability to automatically assign endpoints to logical security zones called endpoint groups (EPGs) based on various attributes. This chapter contains conceptual information about Microsegmentation with Cisco ACI.

Microsegmentation with Cisco ACI provides support for virtual endpoints attached to Cisco Application Virtual Switch (AVS) and for Microsoft vSwitch using the OpFlex protocol. This feature is not available with VMware DVS.

Microsegmentation with Cisco ACI also provides support for physical endpoints using IP-based EPGs.

Note

Because you can configure Microsegmentation with Cisco ACI for physical and virtual endpoints, be aware of the following:

• You can share the same IP-based EPGs for both physical and virtual endpoints.

• If you want to use MAC-based EPGs and any other attribute (except IP) for virtual endpoints, you must not have any overlapping subnets for physical and virtual endpoints.

Microsegmentation policies used by the Cisco AVS and Microsoft vSwitch are centrally managed by the Cisco Application Policy Infrastructure Controller (APIC) and enforced by the fabric. This section assumes that you are familiar with EPGs, tenants, contracts, and other key concepts regarding ACI policies. For more information, see Cisco Application Centric Infrastructure Fundamentals.

Benefits of Microsegmentation with Cisco ACI

Endpoint groups (EPGs) are used to group virtual machines (VMs) within a tenant and apply filtering and forwarding policies to them. Microsegmentation with Cisco ACI adds the ability to associate EPGs with network or VM-based attributes, enabling you to filter with those attributes and apply more dynamic policies. Microsegmentation with Cisco ACI also allows you to apply policies to any endpoints within the tenant.

Cisco ACI Virtualization Guide, Release 1.2(2x) 1

Example: Microsegmentation with Cisco ACI Within a Single EPG or Multiple EPGs in the Same Tenant

You might assign web servers to an EPG so that you can apply similar policies to them. By default, all endpoints within an EPG can freely communicate with each other. However, if this web EPG contains a mix of production and development web servers, you might not want to allow communication between these different types of web servers. Microsegmentation with Cisco ACI allows you to create a new EPG and autoassign endpoints based on their VM name attribute, such as "Prod-xxxx" or "Dev-xxx".

Example: Microsegmentation for Endpoint Quarantine

You might have separate EPGs for web servers and database servers, and each one contains both Windows and Linux VMs. If a virus affecting only Windows threatens your network, you can isolate Windows VMs across all EPGs by creating a new EPG called, for example, "Windows-Quarantine" and applying the VM-based operating system attribute to filter out all Windows-based endpoints. This quarantined EPG could have more restrictive communication policies, such as limiting allowed protocols or preventing communication to any other EPGs by not having any contract. A microsegment EPG can have a contract or not have a contract.

How Microsegmentation Using Cisco ACI Works

Microsegmentation using Cisco ACI involves the Cisco APIC, vCenter or Microsoft System Center Virtual Machine Manager (SCVMM), and leaf switches. This section describes the workflow for Microsegmentation using Cisco AVS or Microsoft vSwitch.

Cisco APIC

1 The user configures a VMM domain (Cisco AVS or Microsoft vSwitch) in the Cisco APIC.

2 The Cisco APIC connects to vCenter (for Cisco AVS) or SCVMM (for Microsoft vSwitch) and does the following:

a Creates an instance of Cisco AVS or Microsoft vSwitch.

b Syncs VM and hypervisor inventory information from the associated VMware vCenter or Microsoft SCVMM.

3 The user creates a base EPG and associates it with a vCenter/SCVMM domain. In each vCenter/SCVMM domain, a new encapsulation is allocated for this base EPG. The base EPG does not have any attributes.

Note

The vCenter/SCVMM administrator assigns virtual endpoints to this base EPG—not to any attribute-based EPGs. It is the base EPG that appears in vCenter/SCVMM as a port group.

4 The user creates an attribute-based EPG and associates it with the VMM domain.

The attribute-based EPG does not appear in vCenter/SCVMM as a port group; it has a special function: the attribute-based EPG has VM-based attributes to match filter criteria. If a match occurs between the attribute-based EPG VM attributes and VMs, the Cisco APIC dynamically assigns the VMs to the attribute-based EPG.


The endpoints are transferred from the base EPG to the attribute-based EPG. If the attribute-based EPG is deleted, the endpoints are assigned back to the base EPG.

The attribute-based EPG must be assigned to a VMM domain in order for it to take effect on Cisco AVS or Microsoft vSwitch. When you associate an attribute-based EPG to a VMM domain, its criteria will be applied for that VMM domain only.

Leaf Switch and Cisco AVS or Microsoft vSwitch

1 The physical leaf switch pulls the attribute policies from the Cisco APIC.

2 The Cisco AVS or Microsoft vSwitch sends a VM attach message to the physical leaf switch using the OpFlex protocol when a VM attaches to Cisco AVS or Microsoft vSwitch.

3 The physical leaf switch matches the VM against the configured attribute policies for the tenant.

4 If the VM matches the configured VM attributes, the physical leaf switch pushes the attribute-based EPG—along with the corresponding encapsulation—to Cisco AVS or Microsoft vSwitch.

Note that this action does not change the original port-group assignment for the VM in vCenter/SCVMM.

Packet Forwarding

1 When the VM sends the data packets, Cisco AVS or Microsoft vSwitch tags the packets using the encapsulation corresponding to the attribute-based EPG, not the base EPG.

2 The physical leaf hardware sees an attribute-based encapsulated VM packet and matches it with the configured policy.

The VM is dynamically assigned to an attribute-based EPG, and the packet is forwarded based on the policy defined for that particular attribute-based EPG.

Attributes for Microsegmentation with Cisco ACI

Applying attributes to EPGs enables you to apply forwarding and security policies with greater granularity than you can to EPGs without attributes. Attributes are unique within the tenant.

There are two types of attributes that you can apply to EPGs: network-based attributes and VM-based attributes. You apply the attributes in Cisco APIC when you configure the EPG.

Note

The APIC GUI, when you configure an attribute-based EPG, initially uses the term VM attributes to refer to all attributes—network-based and VM-based. However, when you choose the option for creating attributes, the GUI then specifies the type of attribute.

Network-Based Attributes

The network-based attributes are MAC Address Filter and IP Address Filter. You can apply one or more MAC or IP addresses to an EPG.

For IP addresses, you simply specify the address or the subnet; for MAC addresses, you simply specify the address. You do not specify an operator or any other information relating to the attribute.


VM-Based Attributes

You can apply multiple VM-based attributes to an EPG. The VM-based attributes are VMM Domain, Operating System, Hypervisor Identifier, Datacenter, VM Identifier, VM Name, and VNic Dn (vNIC domain name).

Note

The attribute Datacenter corresponds to Cloud for Microsoft vSwitch.

If you have Cisco AVS, the Custom Attribute allows you to define an attribute based on criteria not used in other attributes. For example, you might want to define a Custom Attribute called "Security Zone" in vCenter and then associate this attribute to one or more VMs with such values as "DMZ" or "Edge." The APIC administrator can then create an attribute-based EPG based on that VM custom attribute.

When you create any VM-based attribute, in addition to naming the attribute, you must do the following:

1 Specify the attribute type, such as VM Name or Hypervisor Identifier.

2 Specify the operator, such as Equals, or Starts With.

3 Specify the value, such as a particular vNIC or name of the operating system.

Custom Attribute

Custom Attribute, which appears in the APIC GUI as a VM attribute, is available for Cisco AVS only.

If you want to use Custom Attribute, you also need to add it in VMware vSphere Web Client. We recommend doing so before configuring Microsegmentation with Cisco AVS in Cisco APIC so you can choose the Custom Attribute in the drop-down list while configuring Microsegmentation policy in Cisco APIC. You can add the Custom Attribute in vSphere Web Client after you configure Microsegmentation with Cisco AVS in Cisco APIC; however, you won't see the Custom Attribute in the drop-down list in Cisco APIC, although you can type the name in the text box.

See VMware vSphere ESXi and vCenter Server documentation for instructions for adding a Custom Attribute in vSphere Web Client.

Uniqueness of Attributes Within a Tenant

Attributes must be unique within a tenant. Uniqueness depends on the value of the attribute.

For example, for a network-based attribute, you can use the attribute IP Address Filter multiple times within a tenant provided that the attribute has a different value for the IP address each time it is used. So you cannot use the IP Address Filter attribute with the address 192.168.33.77 more than once; however, you can use the IP Address Filter attribute a second time, provided that the IP address is different, for example 192.168.33.78.

For a VM-based attribute, you can use an attribute more than once within the tenant only if its combination of attribute type, operator, and value is unique. For example, you can use the Operating System attribute with the Operator "Equals" and the value "Microsoft Windows 7 (64-bit)" to specify only 64-bit Windows 7 machines. You can then use the Operating System attribute with the Operator "contains" and the value "Microsoft Windows 7" to specify all Windows 7 machines, 32 or 64 bit.

Precedence of Attributes

When there are multiple attribute-based EPGs within a tenant, filtering rules are applied in a certain order based on the attributes.


How Rules for Attribute Precedence are Applied

When multiple attributes are defined for attribute-based EPGs within a VM, rules are applied in a certain order. Rules are applied first for MAC-address attributes, then IP-address attributes, and then VM-based attributes. In addition, rules are applied to VM-based attributes in a certain order.

The following table lists the attributes that can be associated with EPGs in order of precedence:

Attribute                           Type      Precedence Order   Example
MAC Address Filter                  Network   1                  5c:01:23:ab:cd:ef
IP Address Filter                   Network   2                  192.168.33.77, 10.1.0.0/16
VNic Dn (vNIC domain name)          VM        3                  a1:23:45:67:89:0b
VM Identifier                       VM        4                  VM-598
VM Name                             VM        5                  HR_VDI_VM1
Hypervisor Identifier               VM        6                  host-25
VMM Domain                          VM        7                  AVS-SJC-DC1
Datacenter                          VM        8                  SJC-DC1
Custom Attribute (Cisco AVS only)   VM        9                  SG_DMZ
Operating System                    VM        10                 Windows 2008

For VM-based attributes, when a matching rule is found, the subsequent rule is skipped. For network-based attributes, any attribute is matched.

For network-based and VM-attributes, if no matching attribute is found, the default rule for the base EPG is applied.

Precedence is not relevant for single EPGs containing multiple attributes; any attribute is matched.

Examples of how Rules for Precedence are Applied

You might have four attribute-based EPGs associated with the same VM, each with a different network or VM attribute: Operating System, Hypervisor Identifier, IP Address Filter, and MAC Address Filter. Rules are applied in this order: MAC Address Filter, IP Address Filter, Hypervisor Identifier, and Operating System. The rule is applied to MAC Address Filter, and the subsequent rules are skipped. However, if the attribute-based EPG with the MAC Address Filter attribute is deleted, the rule is applied to IP Address Filter, and the subsequent rules are skipped—and so on with the other attributes.

In another case, you might have attribute-based EPGs associated with the same VM and each has a different VM attribute: VMM Domain, Datacenter, Custom Attribute, and VNic Dn. The rule is applied to VNic Dn, and the subsequent rules are skipped. However, if the attribute-based EPG with the VNic Dn attribute is deleted, the rule is applied to VMM Domain, and the subsequent rules are skipped, and so on with the other attributes.

Precedence of Operators

In addition to applying filtering rules based on attributes of microsegmented EPGs within a tenant, Cisco APIC applies filtering rules within VM-based attributes based on the operator type.

When you configure a microsegment with a VM-based attribute, you select one of four operators: Contains, Ends With, Equals, or Starts With. Each operator specifies the string or value match for the specific attribute.

For example, you might want to create a microsegment with the VM Name attribute and want to filter for VMs with names that start with "HR_VM" or VMs that contain "HR" anywhere in their name. Or you might want to configure a microsegment for a specific VM and filter for the name "HR_VM_01."

How Rules for Operator Precedence are Applied

The operators for a specific VM attribute within a tenant determine the order in which the VM-based attributes for microsegments are applied. They also determine which operator will have precedence among a group of microsegments that share the same attribute and overlapping values. The table below shows the default operator precedence for Cisco AVS and Microsoft vSwitch:

Precedence Order   Operator Type
1                  Equals
2                  Contains
3                  Starts With
4                  Ends With

Examples of how Rules for Precedence are Applied

You have three Human Resources VM machines in a datacenter cluster under the same tenant: VM_01_HR_DEV, VM_01_HR_TEST, and VM_01_HR_PROD. You have created two microsegmented EPGs based on the VM Name attribute:

Criterion        Microsegment HR-VM-01-PROD   Microsegment CONTAIN-HR
Attribute type   VM Name                      VM Name
Operator type    Equals                       Contains
Value            VM_01_HR_PROD                VM_01_HR

Because the operator type Equals has precedence over the operator type Contains, the value VM_01_HR_PROD is matched before the value VM_01_HR. So the VM named VM_01_HR_PROD will be put into microsegment HR-VM-01-PROD because it is an exact criterion match and because the operator Equals has precedence over the operator Contains, even though the VM name matches both microsegments. The other two VMs will be put in the Microsegment CONTAIN-HR.
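To make the two precedence rules concrete, here is an added Python example (not from the Cisco guide) that classifies VMs into microsegments using the attribute-precedence and operator-precedence tables above, replays the chapter's two worked examples (the four-attribute fallback chain and the Equals-versus-Contains case), and checks the tenant-wide uniqueness rule from the previous section. The attribute keys, VM records and EPG names are constructed for the example; the APIC evaluation is simulated, not called.

```python
"""Added example (not Cisco code): simulate how Cisco APIC picks the uSeg EPG for a VM,
using the chapter's attribute and operator precedence tables, "any attribute matches"
within one EPG, fallback to the base EPG, and the tenant-wide uniqueness rule.
All attribute keys, VM records and EPG names below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Precedence order from the chapter's attribute table (1 = applied first).
ATTRIBUTE_PRECEDENCE = {
    "mac": 1, "ip": 2, "vnic_dn": 3, "vm_id": 4, "vm_name": 5,
    "hypervisor_id": 6, "vmm_domain": 7, "datacenter": 8, "custom": 9, "os": 10,
}
NETWORK_ATTRIBUTES = {"mac", "ip"}  # take no operator: plain address or subnet match
# Default operator precedence for VM-based attributes (1 = applied first).
OPERATOR_PRECEDENCE = {"equals": 1, "contains": 2, "starts_with": 3, "ends_with": 4}


@dataclass(frozen=True)
class Criterion:
    attribute: str            # key from ATTRIBUTE_PRECEDENCE
    value: str                # address, CIDR subnet, or string to match
    operator: str = "equals"  # ignored for network-based attributes


@dataclass(frozen=True)
class UsegEpg:
    name: str
    criteria: Tuple[Criterion, ...]  # several criteria in one EPG: any one match suffices


@dataclass
class VirtualMachine:
    name: str
    base_epg: str               # the port group the vCenter/SCVMM admin attached it to
    attributes: Dict[str, str]  # e.g. {"mac": ..., "ip": ..., "os": ...}


def criterion_matches(c: Criterion, vm: VirtualMachine) -> bool:
    actual = vm.attributes.get(c.attribute)
    if actual is None:
        return False
    if c.attribute == "mac":
        return actual.lower() == c.value.lower()
    if c.attribute == "ip":  # single address or subnet; a bare address acts as a /32
        return ipaddress.ip_address(actual) in ipaddress.ip_network(c.value, strict=False)
    ops = {"equals": actual == c.value, "contains": c.value in actual,
           "starts_with": actual.startswith(c.value), "ends_with": actual.endswith(c.value)}
    return ops[c.operator]


def rank(c: Criterion) -> Tuple[int, int]:
    """Lower tuple = higher precedence; the operator only orders VM-based criteria."""
    op = 0 if c.attribute in NETWORK_ATTRIBUTES else OPERATOR_PRECEDENCE[c.operator]
    return (ATTRIBUTE_PRECEDENCE[c.attribute], op)


def assign_epg(vm: VirtualMachine, usegs: List[UsegEpg]) -> str:
    """Highest-precedence matching microsegment (later rules skipped), else the base EPG."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for epg in usegs:
        ranks = [rank(c) for c in epg.criteria if criterion_matches(c, vm)]
        if ranks and (best is None or min(ranks) < best[0]):
            best = (min(ranks), epg.name)
    return vm.base_epg if best is None else best[1]


def duplicate_criteria(usegs: List[UsegEpg]) -> List[str]:
    """A network address, or a (type, operator, value) combination, may appear once per tenant."""
    seen, dupes = set(), []
    for epg in usegs:
        for c in epg.criteria:
            key = ((c.attribute, c.value) if c.attribute in NETWORK_ATTRIBUTES
                   else (c.attribute, c.operator, c.value))
            if key in seen:
                dupes.append(f"{epg.name}: {key} is already used in this tenant")
            seen.add(key)
    return dupes


def walk_precedence(vm: VirtualMachine, usegs: List[UsegEpg]) -> List[str]:
    """Fallback chain from the chapter's example: delete the winning microsegment and
    re-evaluate until the VM reverts to its base EPG."""
    remaining, chain = list(usegs), []
    while True:
        winner = assign_epg(vm, remaining)
        chain.append(winner)
        if winner == vm.base_epg:
            return chain
        remaining = [e for e in remaining if e.name != winner]


# Constructed sample data mirroring the chapter's two worked examples.
HR_USEGS = [  # operator precedence: Equals beats Contains for VM_01_HR_PROD
    UsegEpg("HR-VM-01-PROD", (Criterion("vm_name", "VM_01_HR_PROD", "equals"),)),
    UsegEpg("CONTAIN-HR", (Criterion("vm_name", "VM_01_HR", "contains"),)),
]
HR_VMS = [VirtualMachine(n, "EPG_VDI", {"vm_name": n})
          for n in ("VM_01_HR_DEV", "VM_01_HR_TEST", "VM_01_HR_PROD")]
PRECEDENCE_USEGS = [  # attribute precedence: one VM matching four microsegments
    UsegEpg("EPG_OS_WIN", (Criterion("os", "Windows", "contains"),)),
    UsegEpg("EPG_HOST", (Criterion("hypervisor_id", "host-25", "equals"),)),
    UsegEpg("EPG_SUBNET", (Criterion("ip", "10.1.0.0/16"),)),
    UsegEpg("EPG_MAC", (Criterion("mac", "5c:01:23:ab:cd:ef"),)),
]
WIN_VM = VirtualMachine("Web_VM_2", "EPG_Web", {"mac": "5C:01:23:AB:CD:EF", "ip": "10.1.4.20",
                                                "hypervisor_id": "host-25", "os": "Windows 2008"})
```

Calling assign_epg on HR_VMS places VM_01_HR_PROD in HR-VM-01-PROD and the other two in CONTAIN-HR; walk_precedence(WIN_VM, PRECEDENCE_USEGS) yields EPG_MAC, EPG_SUBNET, EPG_HOST, EPG_OS_WIN and finally the base EPG_Web.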

Scenarios for Using Microsegmentation with Cisco ACI

This section contains examples of circumstances in which you might find Microsegmentation useful in your network.

Using Microsegmentation with Cisco ACI with VMs Within a Single Base EPG

You can use Microsegmentation with Cisco ACI to create a new, attribute-based EPG to contain VMs from a single base EPG. By default, VMs within a base EPG can communicate with each other; however, you might want to prevent communication between some VMs within the EPG.

Example: Putting VMs from the Same Base EPG into a Microsegmented EPG

Your company deploys a virtual desktop infrastructure (VDI) for its Human Resources, Finance, and Operations departments. The VDI virtual desktop VMs are part of a single base EPG called EPG_VDI with identical access requirements to the rest of the base EPGs.

Service contracts are built such that EPG_VDI has access to Internet resources and internal resources. But at the same time, the company must ensure that each of the VM groups—Human Resources, Finance, and Operations—cannot access the others even though they belong to the same base EPG, EPG_VDI.

To meet this requirement, you can create filters in the Cisco APIC that would check the names of the VMs in the base EPG_VDI. If you create a filter with the value "HR_VM," Cisco APIC creates an attribute-based EPG—a microsegment—for all Human Resource VMs. Cisco APIC looks for matching values in all the EPGs in a tenant even though you want to group the matching VMs within one EPG. So when you create VMs, we recommend that you choose names unique within the tenant.

Similarly, you can create filters with the keyword "FIN_VMs" for Finance virtual desktops and "OPS_VMs" for Operations virtual desktops. These attribute-based EPGs, or microsegments, are represented as new EPGs within the Cisco APIC policy model. You can then apply contracts and filters to control access between the VM groups even though they belong to the same base EPG.

Figure 1: Microsegmentation with Cisco ACI with VMs from a Single Base EPG

In the illustration above, all the virtual desktop VMs from the Human Resources, Finance, and Operations groups have been moved from the base EPG, EPG_VDI, to new, attribute-based EPGs: EPG_OPS_MS, EP_FIN_MS, and EPG_HR_MS. Each attribute-based EPG has the attribute type VM Name with a value to match key parts of the VM's name. EPG_OPS_MS has the value OPS_VM, so all VMs in the tenant containing OPS_VM in their names become part of EPG_OPS_MS. The other attribute-based EPGs have corresponding values, resulting in the movement of VMs in the tenant with matching names to the attribute-based EPGs.

Using Microsegmentation with Cisco ACI with VMs in Different Base EPGs

You can configure Microsegmentation with Cisco ACI to put VMs that belong to different base EPGs into a new attribute-based EPG. You might want to do this to apply policy to VMs that share a certain characteristic although they belong to different base EPGs.

Example: Putting VMs in Different Base EPGs into a New Attribute-Based EPG

Your company deploys a three-tier web application. The application is built on VMs that run different operating systems and different versions of the same operating system. For example, the VMs might run Linux, Windows 2008, and Windows 2008 R2. The application is distributed; the company has divided the VMs into three different EPGs: EPG_Web, EPG_App, and EPG_DB.

Because of a recent vulnerability in the Windows 2008 operating system, your company's security team decided to quarantine VMs running Windows 2008 in case those VMs are compromised. The security team also decided to upgrade all Windows 2008 VMs to Windows 2012. It also wants to microsegment all production VMs across all EPGs and restrict external connectivity to those VMs.

To meet this requirement, you can configure an attribute-based EPG in the Cisco APIC. The attribute wouldbe Operating System, and the value of the attribute would be Windows 2008.

You can now quarantine the VMs running Windows 2008 and upgrade them to Windows 2012. Once the upgrade is complete, the VMs will no longer be part of the attribute-based EPG you created for VMs running Windows 2008. This change will be reflected dynamically to Cisco APIC, and those virtual machines revert to their original EPGs.

Figure 2: Microsegmentation with Cisco ACI in Different Base EPGs

In the illustration above, the new attribute-based EPG EPG_Windows has the attribute type Operating System and the value Windows. The VMs App_VM_2, DB_VM_1, DB_VM_2, and Web_VM_2 run Windows as their operating system—and so have been moved to the new attribute-based EPG EPG_Windows. However, the VMs App_VM_1, DB_VM_3, and Web_VM_1 run Linux and so remain in their base EPGs.

Using Microsegmentation with Network-based Attributes

You can use Cisco APIC to configure Microsegmentation with Cisco ACI to create a new, attribute-based EPG using a network-based attribute, a MAC address or one or more IP addresses. You can configure Microsegmentation with Cisco ACI using network-based attributes to isolate VMs within a single base EPG or VMs in different EPGs.

Using an IP-based Attribute

You can use an IP-based filter to isolate a single IP address, a subnet, or multiple noncontiguous IP addresses. Isolating multiple IP addresses in a single microsegment can be more convenient than specifying VMs by name. You might want to isolate VMs based on IP addresses as a quick and simple way to create a security zone, similar to using a firewall.

Using a MAC-based Attribute

You can use a MAC-based filter to isolate a single MAC address or multiple MAC addresses. You might want to do this if you have a server sending bad traffic in the network; by creating a microsegment with a MAC-based filter, you can isolate the server.


Configuring Microsegmentation with Cisco ACI

The following sections contain instructions for configuring Microsegmentation with Cisco AVS or Microsoft vSwitch using the Cisco APIC GUI and NX-OS style CLI. You can adapt the procedures for your network's specific needs.

Note

If VXLAN load balancing is enabled in the VMware vCenter domain profile, Microsegmentation with Cisco ACI is not supported on the domain.

Note

Microsegmentation with Cisco ACI for Cisco AVS is not supported for cross-vCenter and cross-vDS VMotion.

Workflow for Configuring Microsegmentation with Cisco ACI

This section provides a high-level description of the tasks that you need to perform in order to configure Microsegmentation with Cisco ACI.

1 Create the microsegment: Specify a name and bridge domain for the new attribute-based EPG and choose a network-based or VM-based attribute for the EPG.

2 Associate the new microsegment with a VMM domain profile and choose the EPG's resolution immediacy.

3 Verify that the attribute-based EPG was created correctly.

Follow the instructions for these steps in the Configuring Microsegmentation with Cisco ACI, on page 10 section in this guide.

Prerequisites for Configuring Microsegmentation with Cisco ACI

Before you can configure Microsegmentation with Cisco ACI for Cisco AVS or Microsoft vSwitch, you need to fulfil the following prerequisites.

• You must already have VMs with names that can be used with the filters that you will use when creating the attribute-based EPGs.

If you do not have VMs with names that can be used, you can go ahead and create the attribute-based EPGs and then change the VM names that can be used with the filters. Cisco APIC will automatically make the VMs part of the new attribute-based EPGs.

• You must already have a base EPG.

• You must have chosen your own attributes, names, and values. Attributes, names, and values used in the preceding scenarios were provided as examples.

• You must create a contract before creating a microsegment with one or more attributes if you want to associate the EPG with a contract.


• If you have a Cisco AVS and want to use a VM Custom Attribute, you also need to add it in VMware vSphere Web Client. We recommend doing so before configuring Microsegmentation in Cisco APIC so you can choose the Custom Attribute in the drop-down list while configuring the microsegment in the Cisco APIC GUI.

See VMware vSphere ESXi and vCenter Server documentation for instructions for adding a Custom Attribute in vSphere Web Client.

• For Microsoft vSwitch-based Microsegmentation, SCVMM 2012 R2 with Update Rollup 9 is required. Update Rollup 9 includes a feature called "Enable Dynamic VLAN on the vNIC of a virtual machine", which will be automatically enabled by the Cisco SCVMM Agent to allow live migration of Virtual Machines which utilize Microsegmentation with ACI. For more information, see Microsoft's documentation: https://support.microsoft.com/en-us/kb/3129784

Configuring Microsegmentation with Cisco ACI Using the GUI

You can use Cisco APIC to configure Microsegmentation with Cisco ACI to put VMs that belong to different base EPGs or the same EPG into a new attribute-based EPG. The task is essentially the same for Cisco AVS and Microsoft vSwitch; the slight difference is noted in the procedure.

Caution: Cisco recommends that you do not mix configuration modes (Advanced or Basic). When you make a configuration in either mode and change the configuration using the other mode, unintended changes can occur. For example, if you apply an interface policy to two ports using Advanced mode and then change the settings of one port using Basic mode, your changes might be applied to both ports.

Note

The procedure for configuring Microsegmentation for Cisco ACI is the same in Advanced mode and Basic mode.

Procedure

Step 1 Log into the Cisco APIC, choosing Advanced or Basic mode.

Step 2 Choose TENANTS and then choose the tenant within which you want to create a microsegment.

Step 3 In the tenant navigation pane, expand the tenant folder, the Application Profiles folder, the profile folder, and the Application EPGs folder.

Step 4 Take one of the following actions:

• If you want to put VMs from the same base EPG into a new, attribute-based EPG, click the base EPG containing the VMs.

• If you want to put VMs from different base EPGs into a new, attribute-based EPG, click one of the base EPGs containing the VMs.

The properties for the base EPG appear in the work pane.

Step 5 In the work pane, click the OPERATIONAL tab at the top right of the screen.

Step 6 Below the OPERATIONAL tab, ensure that the Client End-Points tab is active.


The work pane displays all the VMs that belong to the base EPG.

Step 7 Note the VLAN or VXLAN encapsulation ID for the VM or VMs that you want to put into a new microsegment.

Step 8 If you want to put VMs from different base EPGs into a new attribute-based EPG, repeat Step 4 through Step 7 for each of the base EPGs.

Step 9 In the tenant navigation pane, right-click the uSeg EPGs folder, and then choose Create Useg EPG.

Step 10 Complete the following series of steps to begin creation of an attribute-based EPG for one of the groups of VMs:

a) In the Create uSeg EPG dialog box, in the Name field, enter a name.

We recommend that you choose a name that indicates that the new attribute-based EPG is a microsegment.

b) In the Bridge Domain area, choose a bridge domain from the drop-down list.

c) In the uSeg Attributes area, choose IP Address Filter, MAC Address Filter or VM Attributes Filter from the + drop-down list on the right side of the dialog box.

Step 11 Complete one of the following series of steps to configure the filter.

If you want to use an IP-based attribute, then:

1 In the Create IP Attribute dialog box, in the Name field, enter a name. We recommend that you choose a name that reflects the filter's function.

2 In the IP Address field, enter an IP address or a subnet with the appropriate subnet mask.

3 Click OK.

4 (Optional) Create a second IP Address filter by repeating Step 10 c through Step 11 c. You might want to do this to include discontinuous IP addresses in the microsegment.

5 In the Create uSeg EPG dialog box, click SUBMIT.

If you want to use a MAC-based attribute, then:

1 In the Create MAC Attribute dialog box, in the Name field, enter a name. We recommend that you choose a name that reflects the filter's function.

2 In the MAC Address field, enter a MAC address.

3 Click OK.

4 In the Create uSeg EPG dialog box, click SUBMIT.

If you want to use a VM-based attribute, then:

1 In the Create VM Attribute dialog box, in the Name field, enter a name. We recommend that you choose a name that reflects the filter's function.

2 In the Type area, choose one of the VM attribute types from the drop-down list. If you have a Cisco AVS, you can choose any VM attribute type; if you have a Microsoft vSwitch, you can choose any VM attribute type except Custom Attribute.

3 In the Operator area, choose the appropriate operator from the drop-down list.

4 Enter or choose the appropriate value.

Note

If you choose Equals as the operator, you type a value into a Value field only if you chose VMM Domain or Datacenter as the VM attribute type. Otherwise, you choose a value appropriate to the VM attribute type from drop-down lists.

5 Click OK.

6 In the Create uSeg EPG dialog box, click SUBMIT.

Step 12 Complete the following steps to associate the Microsegmentation EPG with a VMM domain.

a) In the navigation pane, ensure that the uSeg EPG folder is open and then open the container for the microsegment that you just created.
b) Click the folder Domains (VMs and Bare-Metals).
c) On the right side of the work pane, click ACTIONS and then choose Add VMM Domain Association from the drop-down list.
d) In the Add VMM Domain Association dialog box, choose a profile from the VMM Domain Profile drop-down list.
   If you have a Cisco AVS, choose a VMware domain; if you have a Microsoft vSwitch, choose a Microsoft domain.
e) In the Deploy Immediacy area, accept the default On Demand.
f) In the Resolution Immediacy area, accept the default Immediate.
g) In the Port Encap area, specify a static VLAN, or leave the field empty and Cisco APIC will dynamically allocate a VLAN or VXLAN from the appropriate pool.
   Note: If you specify a static VLAN, you must choose one from a static encapsulation block within the VLAN pool that you set up earlier. Static VLAN is available only for VLAN and not VXLAN.
h) Click SUBMIT.

Step 13 Repeat Step 9 through Step 12 for any other attribute-based EPGs that you want to create.

What to Do Next

Verify that the attribute-based EPG was created correctly.

If you configured a VM-based attribute, complete the following steps:

1 In the Cisco APIC navigation pane, click the new microsegment.
2 In the work pane, click the OPERATIONAL tab and then ensure that the Client End-Points tab is active.
3 In the work pane, verify that the VMs that you wanted to move from the base EPG appear as endpoints for the new attribute-based EPG. Also verify that the VMs have a VLAN or VXLAN ID different from the one that you noted in Step 7.
4 In the navigation pane, click the base EPG of the VMs that you moved to the new microsegment.
5 In the work pane, click the OPERATIONAL tab, click the Client End-Points tab, and then verify that the VMs that you moved to the new, attribute-based EPG no longer appear as endpoints for the base EPG.

If you configured an IP- or MAC-based attribute, make sure that traffic is running on the VMs that you put into the new microsegments. The fabric can classify an endpoint into an IP- or MAC-based microsegment only after it has learned the endpoint's address, so an idle VM stays in the base EPG until it sends traffic.
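The same check, done against the APIC REST API instead of by eye in the GUI, as an added example that is not part of the Cisco guide. Querying an EPG with `?query-target=subtree&target-subtree-class=fvCEp` returns the same client endpoint objects the OPERATIONAL > Client End-Points tab lists; the `dn`, `mac`, `ip` and `encap` attributes used here are attributes of `fvCEp`. The three responses below are constructed sample data (tenant, EPG names, MAC addresses and VLAN IDs are all invented), not output captured from a fabric.

```python
"""Added example, not from the Cisco guide: verify that the VMs matched by a
uSeg EPG left the base EPG and were re-encapsulated, using fvCEp query
responses from the APIC REST API. All sample data below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: GET https://<apic>/api/node/mo/<base EPG dn>.xml
#   ?query-target=subtree&target-subtree-class=fvCEp
# taken before the uSeg EPG exists. Every VM still sits in the base EPG
# on the encapsulation noted in Step 7 (vlan-1201 here).
BASE_BEFORE = """<imdata totalCount="3">
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-Base/cep-00:50:56:A1:00:01" mac="00:50:56:A1:00:01" ip="12.41.1.10" encap="vlan-1201"/>
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-Base/cep-00:50:56:A1:00:02" mac="00:50:56:A1:00:02" ip="12.41.1.11" encap="vlan-1201"/>
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-Base/cep-00:50:56:A1:00:03" mac="00:50:56:A1:00:03" ip="12.42.1.10" encap="vlan-1201"/>
</imdata>"""

# Constructed sample: the base EPG and the uSeg EPG 41-subnet (IP filter
# 12.41.0.0/16) queried after the policy was submitted and traffic was seen.
BASE_AFTER = """<imdata totalCount="1">
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-Base/cep-00:50:56:A1:00:03" mac="00:50:56:A1:00:03" ip="12.42.1.10" encap="vlan-1201"/>
</imdata>"""

USEG_AFTER = """<imdata totalCount="2">
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-41-subnet/cep-00:50:56:A1:00:01" mac="00:50:56:A1:00:01" ip="12.41.1.10" encap="vlan-1305"/>
<fvCEp dn="uni/tn-User-T1/ap-Base-EPG/epg-41-subnet/cep-00:50:56:A1:00:02" mac="00:50:56:A1:00:02" ip="12.41.1.11" encap="vlan-1305"/>
</imdata>"""

USEG_DN = "uni/tn-User-T1/ap-Base-EPG/epg-41-subnet"


def endpoints(imdata_xml):
    """Map MAC -> (EPG dn, encap) for every fvCEp in a query response."""
    result = {}
    for cep in ET.fromstring(imdata_xml).iter("fvCEp"):
        epg_dn = cep.get("dn").rsplit("/cep-", 1)[0]   # strip the cep-<mac> leaf
        result[cep.get("mac").upper()] = (epg_dn, cep.get("encap"))
    return result


def verify_move(base_before, base_after, useg_after, macs, useg_dn):
    """Return a list of findings; an empty list means every listed VM left the
    base EPG, is learned in the uSeg EPG, and carries a different encap than
    it had in the base EPG (the checks in items 3 and 5 above)."""
    before = endpoints(base_before)
    still_in_base = endpoints(base_after)
    in_useg = endpoints(useg_after)
    findings = []
    for mac in (m.upper() for m in macs):
        if mac not in before:
            findings.append(f"{mac}: was not a client endpoint of the base EPG")
            continue
        if mac in still_in_base:
            findings.append(f"{mac}: still learned in the base EPG")
        if mac not in in_useg:
            findings.append(f"{mac}: not learned in the uSeg EPG (no traffic yet?)")
            continue
        epg_dn, encap = in_useg[mac]
        if epg_dn != useg_dn:
            findings.append(f"{mac}: learned under {epg_dn}, expected {useg_dn}")
        if encap == before[mac][1]:
            findings.append(f"{mac}: encap {encap} unchanged from the base EPG")
    return findings


if __name__ == "__main__":
    moved = ["00:50:56:A1:00:01", "00:50:56:A1:00:02"]
    for line in verify_move(BASE_BEFORE, BASE_AFTER, USEG_AFTER, moved, USEG_DN) or ["OK"]:
        print(line)
```

A VM that appears in the uSeg EPG but still shows the base EPG's encapsulation is the case worth catching: the attribute matched, but the fabric has not yet re-learned the endpoint, so its traffic is still being forwarded under the base EPG's policy.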

Configuring Microsegmentation with Cisco ACI Using the NX-OS-style CLI

This section describes how to configure Microsegmentation with Cisco ACI for Cisco AVS or Microsoft vSwitch using VM-based attributes within a base EPG.

Procedure

Step 1 In the CLI, enter configuration mode:

Example:
apic1# configure
apic1(config)#

Step 2 Create the microsegment:

Example: This example uses a filter based on the attribute VM Name.
apic1(config)# tenant cli-ten1
apic1(config-tenant)# application cli-a1
apic1(config-tenant-app)# epg cli-uepg1 type micro-segmented
apic1(config-tenant-app-uepg)# bridge-domain member cli-bd1
apic1(config-tenant-app-uepg)# attribute cli-uepg-att match vm-name contains <cos1>
# Schemes to express the name (GUI operator, CLI keyword):
#   contains     contains
#   endsWith     ends-with
#   equals       equals
#   startsWith   starts-with
apic1(config-tenant-app-uepg)# {vmware-domain | microsoft-domain} member cli-vmm1

Example: This example uses a filter based on an IP address.
apic1(config)# tenant cli-ten1
apic1(config-tenant)# application cli-a1
apic1(config-tenant-app)# epg cli-uepg1 type micro-segmented
apic1(config-tenant-app-uepg)# bridge-domain member cli-bd1
apic1(config-tenant-app-uepg)# attribute cli-upg-att match ip <X.X.X.X>
# Schemes to express the ip:
#   A.B.C.D       IP Address
#   A.B.C.D/LEN   IP Address and mask
apic1(config-tenant-app-uepg)# {vmware-domain | microsoft-domain} member cli-vmm1

Example: This example uses a filter based on a MAC address.
apic1(config)# tenant cli-ten1
apic1(config-tenant)# application cli-a1
apic1(config-tenant-app)# epg cli-uepg1 type micro-segmented
apic1(config-tenant-app-uepg)# bridge-domain member cli-bd1
apic1(config-tenant-app-uepg)# attribute cli-upg-att match mac <FF-FF-FF-FF-FF-FF>
# Schemes to express the mac:
#   E.E.E               MAC address (Option 1)
#   EE-EE-EE-EE-EE-EE   MAC address (Option 2)
#   EE:EE:EE:EE:EE:EE   MAC address (Option 3)
#   EEEE.EEEE.EEEE      MAC address (Option 4)
apic1(config-tenant-app-uepg)# {vmware-domain | microsoft-domain} member cli-vmm1

Step 3 Verify the microsegment creation:

Example: The output reflects the VM Name filter configured in Step 2.
apic1(config-tenant-app-uepg)# show running-config
# Command: show running-config tenant cli-ten1 application cli-a1 epg cli-uepg1 type micro-segmented
# Time: Thu Oct 8 11:54:32 2015
  tenant cli-ten1
    application cli-a1
      epg cli-uepg1 type micro-segmented
        bridge-domain cli-bd1
        attribute cli-uepg-att match vm-name contains cos1
        {vmware-domain | microsoft-domain} member cli-vmm1
        exit
      exit
    exit

Configuring Microsegmentation with Cisco ACI Using the REST API

This section describes how to configure Microsegmentation with Cisco ACI for Cisco AVS or Microsoft vSwitch using the REST API.

Procedure

Step 1 Log in to the Cisco APIC.

Step 2 Post the policy to https://APIC-ip-address/api/node/mo/.xml.

Example: The following example configures a microsegment named 41-subnet using an IP-based attribute.

<polUni>
  <fvTenant dn="uni/tn-User-T1" name="User-T1">
    <fvAp dn="uni/tn-User-T1/ap-Base-EPG" name="Base-EPG">
      <fvAEPg dn="uni/tn-User-T1/ap-Base-EPG/epg-41-subnet" name="41-subnet" isAttrBasedEPg="yes">
        <fvRsBd tnFvBDName="BD1"/>
        <fvCrtrn name="Security1">
          <fvIpAttr name="41-filter" ip="12.41.0.0/16"/>
        </fvCrtrn>
        <!-- Use the association that matches your VMM domain: Microsoft vSwitch ... -->
        <fvRsDomAtt tDn="uni/vmmp-Microsoft/dom-cli-vmm1"/>
        <!-- ... or Cisco AVS: <fvRsDomAtt tDn="uni/vmmp-VMware/dom-cli-vmm1"/> -->
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>

Note: isAttrBasedEPg="yes" is required in Cisco APIC Release 1.2(1).
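The policy above generated from parameters and posted through an authenticated session, as an added example that is not the guide's own code. It validates the IP or MAC attribute before anything reaches the fabric, which matters because a filter typo silently moves the wrong endpoints into or out of the security zone, and it accepts the same four MAC spellings and two IP spellings the NX-OS-style CLI lists in the previous section. The APIC host, credentials, CA bundle path and the tenant, application, bridge domain and VMM domain names are placeholders; `aaaLogin.json` and `/api/node/mo/.xml` are the standard APIC endpoints.

```python
"""Added example, not the guide's own code: build the uSeg EPG policy XML from
parameters, validate the IP or MAC attribute, and POST it to the APIC with an
aaaLogin session. Host, credentials and object names are placeholders."""
import ipaddress
import re
import xml.etree.ElementTree as ET


def normalize_ip(text):
    """Accept A.B.C.D or A.B.C.D/LEN, the forms 'match ip' accepts. A prefix
    with host bits set (e.g. 12.41.1.10/16) is rejected instead of silently
    widened, so a typo cannot pull an unintended /16 into the segment."""
    text = text.strip()
    if "/" in text:
        return str(ipaddress.ip_network(text, strict=True))   # ValueError on host bits
    return str(ipaddress.ip_address(text))


def normalize_mac(text):
    """Accept the four forms 'match mac' lists (E.E.E, EE-EE-EE-EE-EE-EE,
    EE:EE:EE:EE:EE:EE, EEEE.EEEE.EEEE) and return EE:EE:EE:EE:EE:EE upper-case."""
    parts = re.split(r"[.:-]", text.strip())
    if len(parts) == 3 and all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", p) for p in parts):
        digits = "".join(p.zfill(4) for p in parts)          # E.E.E / EEEE.EEEE.EEEE
    elif len(parts) == 6 and all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        digits = "".join(parts)                              # EE-EE-... / EE:EE:...
    elif len(parts) == 1 and re.fullmatch(r"[0-9A-Fa-f]{12}", parts[0]):
        digits = parts[0]
    else:
        raise ValueError(f"not a MAC address: {text!r}")
    if int(digits[:2], 16) & 1:   # I/G bit set: multicast or broadcast, never a vNIC
        raise ValueError(f"{text!r} is a group address, not a vNIC MAC")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def useg_epg_xml(tenant, app, epg, bridge_domain, attr_name, attr_kind, attr_value,
                 vmm_kind, vmm_domain, criterion="Security1"):
    """Build the policy shown above. attr_kind is "ip" or "mac"; vmm_kind is
    "VMware" (Cisco AVS) or "Microsoft" (Microsoft vSwitch)."""
    if vmm_kind not in ("VMware", "Microsoft"):
        raise ValueError("vmm_kind must be 'VMware' or 'Microsoft'")
    if attr_kind == "ip":
        attr_tag, attr_field, value = "fvIpAttr", "ip", normalize_ip(attr_value)
    elif attr_kind == "mac":
        attr_tag, attr_field, value = "fvMacAttr", "mac", normalize_mac(attr_value)
    else:
        raise ValueError("attr_kind must be 'ip' or 'mac'")
    tn_dn = f"uni/tn-{tenant}"
    ap_dn = f"{tn_dn}/ap-{app}"
    root = ET.Element("polUni")
    tn = ET.SubElement(root, "fvTenant", dn=tn_dn, name=tenant)
    ap = ET.SubElement(tn, "fvAp", dn=ap_dn, name=app)
    aepg = ET.SubElement(ap, "fvAEPg", dn=f"{ap_dn}/epg-{epg}", name=epg,
                         isAttrBasedEPg="yes")              # required on APIC 1.2(1)
    ET.SubElement(aepg, "fvRsBd", tnFvBDName=bridge_domain)
    crtrn = ET.SubElement(aepg, "fvCrtrn", name=criterion)
    ET.SubElement(crtrn, attr_tag, name=attr_name, **{attr_field: value})
    ET.SubElement(aepg, "fvRsDomAtt", tDn=f"uni/vmmp-{vmm_kind}/dom-{vmm_domain}")
    return ET.tostring(root, encoding="unicode")


def post_policy(apic_host, user, password, policy_xml, ca_bundle=True):
    """Log in with aaaLogin (the session keeps the APIC-cookie) and POST the
    policy to /api/node/mo/.xml. Needs the 'requests' package and network
    access, so it is only called from main. Keep TLS verification on and pass
    the path of the CA that signed the APIC certificate rather than disabling it."""
    import requests
    session = requests.Session()
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    session.post(f"https://{apic_host}/api/aaaLogin.json", json=login,
                 verify=ca_bundle).raise_for_status()
    resp = session.post(f"https://{apic_host}/api/node/mo/.xml",
                        data=policy_xml.encode(), verify=ca_bundle)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    policy = useg_epg_xml("User-T1", "Base-EPG", "41-subnet", "BD1",
                          "41-filter", "ip", "12.41.0.0/16", "VMware", "cli-vmm1")
    print(policy)
    # Placeholder host and credentials; uncomment to push to a real APIC:
    # print(post_policy("apic.example.net", "admin", "password", policy, "/etc/ssl/apic-ca.pem"))
```

The generated document differs from the hand-written one only in that a single `fvRsDomAtt` is emitted for the VMM type you pass, instead of the Microsoft-or-VMware pair shown above.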
