Slide 1: Intra EPG Isolation Support For AVS
Slide 2: Agenda
- Intra EPG Deny Overview
- Deployment & Implementation Scenarios
  - Use cases: Shared Management/Backup
  - Example Topology
- Feature Specifications & Implementation in OS
  - Isolation of known Unicast
  - Isolation of UUC/Mcast/Bcast
  - VMware Integration
- Configuration & Troubleshooting
  - Enabling Feature
  - Switch commands
  - Troubleshooting
- Additional Information
Slide 3: Intra EPG Isolation Overview
- EPG to EPG communication is driven by contracts. Intra EPG communication is open.
- The Intra EPG Deny feature allows putting an EPG in a mode such that communication between its members is blocked.
- It allows optimizing resources for scenarios where EPs have common access requirements but are independent of each other. For instance: independent clients accessing a common backup service.
- This feature avoids having to define numerous EPGs and different encapsulations for these cases.
Slide 4: Intra EPG Deny Overview – AVS Support
- Only supported in VXLAN mode.
- The ACI fabric implements isolation for directly connected EPs, but the isolation rules need to be extended to AVS VLEAFs.
- AVS implements isolation for local switching.
- Isolation of inter-host traffic is achieved on the leaves.
- An EPG is isolated for all domains or none.
Slide 5: Hardware / Software Support
- The feature is supported on AVS VMM domains in VXLAN mode.
- Hardware support: all hardware platforms (1st gen and next gen) supported by this release.
Slide 6: Why & Where Do We Need This Feature (Network Deployment Examples)
Slide 7: Use Cases: Shared Management / Backup
Diagram legend: Mgmt EPG1, Ctx:Ctx2; Mgmt EPG2, Ctx:Ctx2; EPG1, Ctx:Ctx1; EPG2, Ctx:Ctx2.
- Each VM may belong to a different tenant with its own context.
- All VMs have one mgmt interface in the Mgmt Ctx, Ctx2.
- VMs from different tenants should not be able to reach each other via the Mgmt EPG.
Slide 8: Example Topology
Diagram labels: Blade switch, AVS, EPG2, EPG1 (Isolated).
- Inter-host traffic is dropped for isolated EPGs.
- Isolated EPGs can talk to other EPGs with a contract.
- Intra-host traffic is dropped at AVS (VXLAN-LS).
Slide 9: Feature Specifications & Implementation
Slide 10: Isolation Of Known Unicast: VXLAN
Deny-Contracts (common to NS and Sugarbowl):
- To prevent L2/L3 known unicast communication
- Install implicit contract: sclass=Vxlan-sclass, dclass=Vxlan-sclass => Drop
- 1 entry per VXLAN, installed at the top
- Note: sclass is the same as pcTag
Please refer to slide 26 for more information on checking deny-contracts on the switch.
Slide 11: Isolation Of UUC / Mcast / Bcast For VXLAN
Broadcom and Sugarbowl:
- All isolated VXLANs will have VNIDs within a reserved range “0x to 0x90FFFF”.
- Ingress and egress ACLs are installed to drop these packets.
- Ingress ACL: any packet ingressing via an isolated EPG will hit the rule below.
  InPorts: Front Panel + VNID = isolated => Mark IntPri = 7 (just an unused number)
- Egress ACL: if a packet ingressed from an isolated EPG and is also egressing via another isolated EPG, then the packet gets dropped.
  InPorts = Internal + VNID = isolated + IntPri = 7 => Drop
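As an added illustration (not Cisco's code) of the two leaf-side mechanisms on slides 10 and 11, the following Python model applies the implicit deny contract to known unicast and the ingress/egress ACL pair to UUC/Mcast/Bcast for an inter-host packet. The VNIDs, pcTags and the lower bound of the reserved VNID range are constructed placeholders, since the slide gives only the range end.

```python
from dataclasses import dataclass

# Constructed: the slide gives only the range end (0x90FFFF); the lower bound is assumed.
ISOLATED_VNID_RANGE = (0x900000, 0x90FFFF)
INTPRI_ISOLATED = 7  # "just an unused number" per the slide


def is_isolated_vnid(vnid: int) -> bool:
    lo, hi = ISOLATED_VNID_RANGE
    return lo <= vnid <= hi


@dataclass
class Packet:
    sclass: int          # source pcTag (same as the VXLAN sclass)
    dclass: int          # destination pcTag
    in_vnid: int         # VNID of the EPG the packet was received on
    out_vnid: int        # VNID of the EPG the packet would egress on
    known_unicast: bool  # False for UUC / Mcast / Bcast
    in_port: str = "front_panel"  # "front_panel" (from the AVS host) or "internal" (fabric)
    intpri: int = 0      # internal priority marking carried across the fabric


def known_unicast_decision(pkt: Packet, isolated_sclasses: set) -> str:
    """Implicit deny contract: one sclass==dclass entry per isolated VXLAN, at the top."""
    if pkt.sclass == pkt.dclass and pkt.sclass in isolated_sclasses:
        return "drop:deny-contract"
    return "permit:normal-contract-lookup"


def ingress_acl(pkt: Packet) -> Packet:
    """Ingress ACL: InPorts = Front Panel + VNID = isolated => Mark IntPri = 7."""
    if pkt.in_port == "front_panel" and is_isolated_vnid(pkt.in_vnid):
        pkt.intpri = INTPRI_ISOLATED
    return pkt


def egress_acl(pkt: Packet) -> str:
    """Egress ACL: InPorts = Internal + VNID = isolated + IntPri = 7 => Drop."""
    if (pkt.in_port == "internal" and is_isolated_vnid(pkt.out_vnid)
            and pkt.intpri == INTPRI_ISOLATED):
        return "drop:egress-acl"
    return "forward"


def inter_host_decision(pkt: Packet, isolated_sclasses: set) -> str:
    """Packet enters an ingress leaf from the host, crosses the fabric, exits an egress leaf."""
    if pkt.known_unicast:
        return known_unicast_decision(pkt, isolated_sclasses)
    pkt = ingress_acl(pkt)
    pkt.in_port = "internal"  # on the egress leaf the packet arrives from the fabric
    return egress_acl(pkt)
```

Traffic from an isolated EPG to a different EPG keeps sclass != dclass and an out_vnid outside the reserved range, so it falls through to the normal contract lookup or is forwarded, matching slide 8.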
Slide 12: Switch Limitations
- This feature rides on top of the intra-EPG isolation support developed for Brazos.
- The feature is recommended and expected to work only in VRF enforced mode because it relies on the correct isolation based on deployment of contracts.
Slide 13: VMM Integration – AVS Mode
- Only VXLAN mode supported.
- All EPs in the EPG are isolated.
- Inter-host traffic is blocked on the leaves.
- Intra-host traffic is blocked locally on AVS.
Diagram labels: AVS, Isolated EPG.
Slide 14: Configuration & Troubleshooting
Slide 15: Enabling Feature – GUI
Slide 16: Enabling Feature – CLI
Command syntax (executed in CLI config mode):
  (config-tenant-app-epg) [no] isolation enforced
Default value is “not enforced” (same switching behavior as today).
Slide 17: Enabling Feature – XML
XML syntax:
  <polUni>
    <fvTenant name='t0' status='created,modified'>
      <fvAp name='a0' status='created,modified'>
        <fvAEPg name='EPG5' pcEnfPref="enforced" status='created,modified'/>
      </fvAp>
    </fvTenant>
  </polUni>
Default pcEnfPref value is “unenforced”.
Slide 18: Switch Commands
First do “show vlan” on a leaf to check the VLAN and EPG association. Let's say the EPG is “E2”. We can see that EPG “E2” has been assigned VLAN “16”.
  Leaf4# show vlan | grep E2
  VLAN Name        Status  Ports
       AVST1:A1:E  active  Eth1/31, Eth1/32, Eth1/41
  Leaf4#
Slide 19: Switch Commands (cont.)
Open vsh_lc and see if the encapsulation type is FD_VXLAN and the corresponding VNID is programmed correctly. VLAN 16 has VNID = and its type is FD_VXLAN.
  module-1# show system internal eltmc info vlan brief
  VLAN-Info
  VlanId HW_VlanId Type Access_enc Type Access_enc Fabric_enc Type Fabric_enc BDVlan
  ===================================================================================
  FD_VXLAN VXLAN Unknown
Slide 20: Switch Commands (cont.)
Give a detailed dump of the VLAN of interest and confirm that VLAN 16 is isolated.
  Leaf4# vsh_lc
  module-1# show system internal eltmc info vlan 16 | grep isolated
  isolated: ::: primary_encap:
Slide 21: Troubleshooting
Slide 22: Troubleshooting – VMM
- Only supported in VXLAN mode.
- If an isolated EPG is associated with AVS VLAN domains, the EPG will be un-deployed from those domains and a fault will be raised on the EPG.
Slide 23: Troubleshooting – VMM (cont.)
Verify the isolation config on VMM related objects:
Slide 24: Troubleshooting – VMM (cont.)
Verify the isolation config on the leaf:
Slide 25: Troubleshooting – Switch
If end points within the same isolated EPG are able to talk with each other, then try the following:
- Using switch commands, check if “isolation” is set up for the respective VXLAN. If it's not set up, then isolation within the EPG won't work.
  Leaf4# vsh_lc
  module-1# show system internal eltmc info vlan 16 | grep isolated
  isolated: ::: primary_encap:
Slide 26: Troubleshooting – Switch (cont.)
- Check if the deny zoning rule for the policy is installed correctly within the switch. For this, retrieve the pcTag of the EPG (refer to the configuration guide) and use it in the command below. The following example checks if a deny rule is configured for an isolated EPG with pcTag = . If you don't find the above rule, then isolation for the EPG won't work.
- Check which packets are actually hitting the rule. Using the above command, retrieve the rule identifier, in this case “4102”. Then use the command below to check if traffic is hitting this rule. If it doesn't hit, then isolation won't work.
Slide 27: Troubleshooting – AVS
Check if isolation is enabled for the EPG by using the following command on AVS.
  ~ # vemcmd dpa dump profile_cfg
  =>dpa command is: dump profile_cfg
  Profile:
  alias: dvportgroup-90
  eppdn: uni/epp/fv-[uni/tn-T1/ap-AP1/epg-EPG-3]   <- EPG Name
  .
  EPP seg arp flood 1
  EPP seg intra-epg policy 1   <- This indicates isolation is enabled
  EPP IP/MAC profile FALSE
  Microsegment table id
  Ports (using): 2 51 52
  Ports (holding): 2
Slide 28: Troubleshooting – AVS (cont.)
Execute the following command to check the drop stats for unicast and broadcast/multicast traffic within AVS due to the isolation policy.
  ~ # vemcmd show intra-epg-policy-stats
  LTL ucast-packets bumcast-packets VM-Name
  Ubuntu-2.eth0
  Ubuntu-3.eth0
The following log can be enabled to debug any isolation-related traffic issues.
  vemlog debug sflayer2 all
  vemlog show all
The logging for this module can be disabled using the following command.
  vemlog debug sflayer2 default
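To make the AVS checks on slides 27 and 28 repeatable across many hosts, here is an added Python helper (not Cisco code) that parses the output of vemcmd dpa dump profile_cfg and vemcmd show intra-epg-policy-stats and reports which EPGs lack the intra-epg policy. The sample text is constructed from the field names on the slides; real output may differ in spacing and contain more fields.

```python
import re

# Constructed sample, modelled on the profile_cfg dump shown on slide 27.
PROFILE_CFG_SAMPLE = """\
Profile:
 alias: dvportgroup-90
 eppdn: uni/epp/fv-[uni/tn-T1/ap-AP1/epg-EPG-3]
 EPP seg arp flood 1
 EPP seg intra-epg policy 1
 EPP IP/MAC profile FALSE
Profile:
 alias: dvportgroup-91
 eppdn: uni/epp/fv-[uni/tn-T1/ap-AP1/epg-EPG-4]
 EPP seg arp flood 1
 EPP seg intra-epg policy 0
"""

# Constructed sample, modelled on the intra-epg-policy-stats columns on slide 28.
STATS_SAMPLE = """\
LTL  ucast-packets  bumcast-packets  VM-Name
51   12             3                Ubuntu-2.eth0
52   0              0                Ubuntu-3.eth0
"""

EPG_RE = re.compile(r"epg-([^\]/]+)\]")  # EPG name at the end of the eppdn


def parse_profile_cfg(text: str) -> dict:
    """Map EPG name -> True if its profile block shows 'EPP seg intra-epg policy 1'."""
    result, epg = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("eppdn:"):
            m = EPG_RE.search(line)
            epg = m.group(1) if m else None
        elif line.startswith("EPP seg intra-epg policy") and epg:
            result[epg] = line.split()[-1] == "1"
    return result


def parse_intra_epg_stats(text: str) -> dict:
    """Map VM interface -> (ucast drops, bumcast drops); the first line is the header."""
    stats = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            stats[parts[3]] = (int(parts[1]), int(parts[2]))
    return stats


def epgs_missing_isolation(profile_text: str, expected: set) -> set:
    """EPGs that should be isolated but whose AVS profile does not show the policy."""
    enabled = parse_profile_cfg(profile_text)
    return {e for e in expected if not enabled.get(e, False)}
```

An EPG reported by epgs_missing_isolation while the APIC shows pcEnfPref="enforced" points at the VMM-side deployment (slides 22 to 24) rather than at the leaf rules.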