
Is it possible to have an EPG in multiple ESGs

For me, one of the problems in the security enforcement in ACI is that a device can only belong to one EPG.
So far I understood that ESGs are the way to separate routing (subnets) from security enforcement.

Does anyone know if the problem is fixed with the ESGs? Can one EPG belong to more than one ESG?
The use case for that is that we have a lot of rules that are OS dependent, like Domain Controller access and installation servers for the Windows platform. I would like to create one contract to allow all of the basic needs for the platform, but Windows servers are of course in many different EPGs.

5 Replies

Robert Burns
Cisco Employee

An EPG can only belong to one ESG at a time. Both EPGs and ESGs are methods to decouple policy from endpoint identity. The advantage ESGs have over EPGs is that they can include members across different Bridge Domains. (Remember that a single Bridge Domain can still have multiple different subnets assigned to it.)

From your use case you may want to look at Contract Inheritance. This would allow you to define a base set of filters for contracts, and then you can get more granular with additional filters. There's still the limitation that contracts are only allowed between EPGs <> EPGs or ESGs <> ESGs, but not EPGs <> ESGs (with the exception of L3Out EPGs).

Robert

Hi @Robert Burns 

Doesn't this limitation you are talking about, where an EPG can belong to only one ESG at a time, only apply if the "EPG selector" is used?

I have used both IP/mac and vmmtags to classify EPs from the same EPG in different ESGs and the policy enforcement worked without any issues.

Can you double-check please if this limitation applies to any selector type? Because if it does, then the configuration guide fails to highlight this and must be updated. 


Thanks,

Sergiu

Accepted Solution

Yes, to clarify, this is the EPG Selector/Matching I'm referring to above. You can use more granular (higher precedence) selectors which can apply to endpoints in the same EPG, and any endpoint should only be subject to a single match.
@Sergiu.Daniluk, are you saying you've had the same endpoint belong to multiple ESGs at the same time?
From our docs:
If an object is matched by multiple tag selectors via the same or different policy tags, the object is associated to the tag selector that matched first. Subsequent tag selectors are then ignored. If an object is matched by multiple tag selectors when no tag selector had matched the object previously, no tag selectors take effect until the conflict match is resolved. A fault is raised under the ESG and under the object that is matched by multiple tag selectors.

Robert
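The two rules Robert states in this thread (an EPG can be claimed by the EPG selector of only one ESG; an endpoint matched by the tag selectors of several ESGs gets whichever matched first, or none plus a fault) are easy to violate silently when ESGs are built up over time, and contract inheritance adds a second place to look when working out what an ESG actually allows. The script below is an added example, not part of this thread and not Cisco code: it audits a tenant export in APIC JSON shape for both conflicts and lists each ESG's effective contracts including those inherited via fvRsSecInherited. The class and attribute names (fvESg, fvEPgSelector.matchEpgDn, fvTagSelector.matchKey/matchValue/valueOperator, fvRsSecInherited.tDn, fvRsCons/fvRsProv.tnVzBrCPName, fvEpIpTag with tagTag children) follow the APIC object model as I know it and should be checked against your APIC version; the embedded tenant export, with its tenant, ESG, EPG, endpoint and contract names, is constructed for this example.

```python
import json
from collections import defaultdict

# Constructed tenant export in APIC JSON shape. Class/attribute names (fvESg, fvEPgSelector.matchEpgDn,
# fvTagSelector.matchKey/matchValue/valueOperator, fvRsSecInherited.tDn, fvRsCons/fvRsProv.tnVzBrCPName,
# fvEpIpTag with tagTag children) follow the APIC object model as I know it (assumption); all tenant,
# ESG, EPG, endpoint and contract names are invented for this example.
TENANT_JSON = r'''
{"fvTenant": {"attributes": {"name": "Prod"}, "children": [
 {"fvAp": {"attributes": {"name": "App1"}, "children": [
  {"fvESg": {"attributes": {"name": "Win-Base"}, "children": [
   {"fvRsCons": {"attributes": {"tnVzBrCPName": "Win-Infra"}}}]}},
  {"fvESg": {"attributes": {"name": "Web"}, "children": [
   {"fvRsSecInherited": {"attributes": {"tDn": "uni/tn-Prod/ap-App1/esg-Win-Base"}}},
   {"fvRsProv": {"attributes": {"tnVzBrCPName": "Web-Srv"}}},
   {"fvEPgSelector": {"attributes": {"matchEpgDn": "uni/tn-Prod/ap-App1/epg-Web"}}},
   {"fvTagSelector": {"attributes": {"matchKey": "role", "matchValue": "web", "valueOperator": "equals"}}}]}},
  {"fvESg": {"attributes": {"name": "Legacy"}, "children": [
   {"fvEPgSelector": {"attributes": {"matchEpgDn": "uni/tn-Prod/ap-App1/epg-Web"}}},
   {"fvTagSelector": {"attributes": {"matchKey": "os", "matchValue": "win", "valueOperator": "contains"}}}]}}]}},
 {"fvEpIpTag": {"attributes": {"ip": "10.1.1.10", "ctxName": "VRF1"}, "children": [
  {"tagTag": {"attributes": {"key": "role", "value": "web"}}},
  {"tagTag": {"attributes": {"key": "os", "value": "windows"}}}]}},
 {"fvEpIpTag": {"attributes": {"ip": "10.1.2.20", "ctxName": "VRF1"}, "children": [
  {"tagTag": {"attributes": {"key": "os", "value": "windows"}}}]}}]}}
'''

def _children(mo, cls):
    """Yield the objects of class `cls` directly under managed object `mo`."""
    for child in mo.get("children", []):
        if cls in child:
            yield child[cls]

def load_esgs(tenant):
    """Map ESG DN -> ESG object for every fvESg under every application profile."""
    t = tenant["fvTenant"]
    esgs = {}
    for ap in _children(t, "fvAp"):
        for esg in _children(ap, "fvESg"):
            dn = f"uni/tn-{t['attributes']['name']}/ap-{ap['attributes']['name']}/esg-{esg['attributes']['name']}"
            esgs[dn] = esg
    return esgs

def epg_selector_conflicts(esgs):
    """EPG DNs claimed by an fvEPgSelector in more than one ESG (an EPG may belong to only one)."""
    owners = defaultdict(list)
    for dn, esg in esgs.items():
        for sel in _children(esg, "fvEPgSelector"):
            owners[sel["attributes"]["matchEpgDn"]].append(dn)
    return {epg: sorted(dns) for epg, dns in owners.items() if len(dns) > 1}

def _tag_matches(sel, tags):
    """Evaluate one fvTagSelector's attributes against an endpoint's {key: value} policy tags."""
    have = tags.get(sel["matchKey"])
    if have is None:
        return False
    want, op = sel["matchValue"], sel.get("valueOperator", "equals")
    if op == "equals":
        return have == want
    if op == "contains":
        return want in have
    raise ValueError(f"valueOperator {op!r} not handled in this example")

def tag_selector_matches(tenant, esgs):
    """Endpoint IP -> sorted DNs of every ESG whose tag selectors match that endpoint's tags."""
    matches = {}
    for ep in _children(tenant["fvTenant"], "fvEpIpTag"):
        tags = {t["attributes"]["key"]: t["attributes"]["value"] for t in _children(ep, "tagTag")}
        hits = [dn for dn, esg in esgs.items()
                if any(_tag_matches(s["attributes"], tags) for s in _children(esg, "fvTagSelector"))]
        matches[ep["attributes"]["ip"]] = sorted(hits)
    return matches

def effective_contracts(esgs, dn):
    """Contracts an ESG consumes/provides, plus those of its fvRsSecInherited masters
    (resolved one level deep; this example does not chain inheritance)."""
    masters = [r["attributes"]["tDn"] for r in _children(esgs[dn], "fvRsSecInherited")]
    cons, prov = set(), set()
    for d in [dn] + [m for m in masters if m in esgs]:
        cons |= {r["attributes"]["tnVzBrCPName"] for r in _children(esgs[d], "fvRsCons")}
        prov |= {r["attributes"]["tnVzBrCPName"] for r in _children(esgs[d], "fvRsProv")}
    return {"consumed": sorted(cons), "provided": sorted(prov)}

def audit(tenant_json):
    """Run every check over one tenant export and return the findings."""
    tenant = json.loads(tenant_json)
    esgs = load_esgs(tenant)
    matches = tag_selector_matches(tenant, esgs)
    return {
        "epg_selector_conflicts": epg_selector_conflicts(esgs),
        "tag_selector_matches": matches,
        # Endpoint hit by tag selectors of two ESGs: APIC keeps the first match, or none plus a fault.
        "tag_selector_conflicts": {ip: dns for ip, dns in matches.items() if len(dns) > 1},
        "effective_contracts": {dn: effective_contracts(esgs, dn) for dn in esgs},
    }

if __name__ == "__main__":
    print(json.dumps(audit(TENANT_JSON), indent=1))
```

On the constructed export the audit reports epg-Web claimed by both esg-Web and esg-Legacy, endpoint 10.1.1.10 matched by the tag selectors of both ESGs (role=web and os contains "win"), and esg-Web consuming Win-Infra only through its inherited master. An offline check cannot know which selector "matched first" in APIC's sense, since that is a runtime order, so treat any double match as something to resolve and the fault under the ESG as the authoritative signal. To run it against a live fabric, replace TENANT_JSON with the output of GET /api/mo/uni/tn-<name>.json?rsp-subtree=full and confirm the class names match your APIC release.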

Hi @Robert Burns 

What confused me was what you mentioned: "An EPG can only belong to one ESG at a time"

From your statement, I understood that all endpoints from an EPG can belong to only one ESG.

But I think what you wanted to say is "An endpoint can only belong to one ESG at a time" or, "when using EPG selector, an EPG can only belong to one ESG at a time".

In other words, if you use IP/mac/tag selector for ESG, endpoints from a single EPG can belong to different ESGs, but an EP can belong to only one ESG at a time (based on the selector).


Is my understanding correct?


Thanks,

Sergiu

Hi @Robert Burns,

When we first discussed security enforcement in ACI, I really liked the idea of contract inheritance.
The problem is that for most of the security measures we now only use the EPGs to create an object on the FMC.

The goal would have been to automatically group all Windows workloads into a group on the FMC to create the necessary basic rules.

I am not aware of any other functionality (e.g. tagging) in ACI to achieve this.

Christoph
