New and Changed Information

The following table provides an overview of the significant changes up to this current release. The table does not provide an exhaustive list of all changes or of the new features up to this release.

Cisco APIC Release Version

Feature

Description

6.1(4)

Support for microsegmentation with Nutanix VMM integration

Microsegmentation support for the Nutanix VMM domain. Also, support for:

  • Intra-ESG isolation

  • Intra-EPG isolation enhancement

6.0(3)

Support for Nutanix AHV integration

You can integrate Nutanix AHV with Cisco Application Centric Infrastructure (ACI). Integration enables you to use Cisco Application Policy Infrastructure Controller (APIC) to create and work with Nutanix network constructs.

Cisco APIC and Nutanix AHV integration

Beginning with Cisco Application Policy Infrastructure Controller (APIC) Release 6.0(3), you can integrate Nutanix AHV with Cisco Application Centric Infrastructure (ACI).

The Cisco APIC integrates with Nutanix AHV and enhances the network management capabilities. The integration provides virtual and physical network automation and VM endpoints visibility in Cisco ACI.

This document provides information for integrating Nutanix AHV with Cisco ACI, including prerequisites and installation. You should be familiar with Nutanix AHV and Cisco ACI. For detailed information about Nutanix AHV, see the Nutanix website.

Benefits of the integration

Following are the benefits of the integration:

  • Native integration with Nutanix cluster running AHV.

  • Visibility into the cluster (Nutanix) from APIC. Fetch inventory data like VMs, hosts, switches, subnets, security policies from Nutanix.

  • Collect statistics and provide statistics display from APIC. The collected statistics are:

    • VM Nic Stats (Transmit Packets and Bytes, Received Packets and Bytes)

    • Host Nic Stats (Transmit Packets and Bytes, Received Packets and Bytes)

    • Host Stats (CPU and memory usage )

    • VM stats (CPU and memory usage)

  • Support for EPGs to configure networking on Nutanix.

  • Support for intra-EPG policies (intra-EPG contract is not supported).

Cisco ACI and Nutanix terminology

Some terminology differs between Cisco ACI and Nutanix. The following table lists differences to be aware of.

Cisco ACI

Nutanix AHV

EPG/ port group

Subnet

Data center

Cluster

Cluster controller

Prism element

Cluster

Prism central

ESG, uSeg EPG

Secured entity

Contract

Security policy rules

Guidelines and limitations

Following are the guidelines and limitations for the Cisco ACI-Nutanix AHV integration:

  • One VMM domain can be associated to only one Prism Central and one Prism Element.

  • No two subnets can have the same VLAN on a vSwitch.

  • Nutanix VMM domain supports only the pre-provision resolution immediacy.

  • If a subnet is in use by a VM, the following operations cannot be done on Nutanix even if the configuration is changed on APIC:

    • the subnet VLAN, IP address pool cannot be changed.

    • the subnet cannot be deleted.

  • Bond type configuration for uplink of virtual switch is not supported from Cisco APIC.

  • NetFlow, floating L3Out and layer 4 to layer 7 device running on Nutanix VMM domain are not supported.

  • Multi-site integration is not supported, that is, no support for association of EPG to Nutanix VMM from NDO (Nexus Dashboard Orchestrator).

See the Virtualization Compatibility Matrix for the supported Prism Central and AOS versions.

Workflow for the integration

The following section elaborates the tasks involved for the integration. It is a combination of procedures to be accomplished on the Cisco APIC 6.0(3) GUI and the Nutanix Prism Central GUI. The tasks to be performed on the Cisco APIC GUI and the Nutanix Prism Central GUI are listed below.

  1. (on Cisco APIC) Create a Nutanix VMM domain.

  2. (on Nutanix Prism Central) Assign host links to the virtual switch.

  3. (on Cisco APIC) Associate EPGs for the VMM domain.

  4. (on Nutanix Prism Central) Assign VMs to subnets and categories.

The details of the procedures performed on the Cisco APIC GUI are available in the subsequent pages. The Nutanix-relevant tasks are explained in the context of the integration, for more details about the procedure and GUI, refer the Nutanix website.

Topology

Figure 1. Cisco APIC-Nutanix Prism Integration

The image above shows a sample topology. The Cisco APIC manages the ACI fabric and policies. The VMs connected to the virtual switch are managed by the Nutanix Prism. ACI fabric provides network connectivity for VMs in AHV Hosts with the uplinks (Uplink1 and 2).

EPG association with the Nutanix VMM domain

Each EPG created on the Cisco APIC can be associated with a Nutanix VMM domain. The VMM domain creates a corresponding subnet on the Nutanix Prism. The EPG configuration also creates default categories. They are:

  • AppType : aci-domainname~TenantName~APName

  • AppTier : aci-domainname~TenantName~APName~EPGName

  • AciOwnerTag : aci-domainname~Tenantname~APName~EPGName

The subnet(s) created on Nutanix are:

  • aci-domainname|TenantName|APName|EPGName (default)

  • custom epg name if Custom EPG Name is specified


    Note

    The supported character length limit for subnet name is 55 characters. If the subnet name exceeds that limit, the subnet is not created.

Intra-EPG isolation

Intra-EPG Isolation is a security mechanism that blocks communication between physical or virtual endpoints within the same EPG. By default, endpoints in the same EPG can communicate with each other. However, in some situations, it may be necessary to completely isolate these endpoints from one another within an EPG.

A Cisco ACI Nutanix VMM domain creates a security policy in the Nutanix Prism Central for each EPG that has intra-EPG isolation enabled. Nutanix applies the security policy for the AppType category (see categories mentioned in the section above) and prevents the communication of VMs in the associated AppTier.

From APIC release 6.1(4), FNS next-gen (NG) security policy is used to configure intra-EPG isolation. The category is automatically associated to the EPG member VMs and the security policy blocks communication between the VMs. ACI-EPG tag is created for the EPGs; the VMs that are part of the EPG are automatically assigned to this ACI-EPG tag. No manual intervention is required on the Nutanix Prism Central.


Note

Intra-EPG isolation is not supported for IPv6 traffic because intra-EPG solution is implemented by Nutanix security policy for the Nutanix VMM domain. Nutanix security policy is applicable to IPv4 traffic only. However, IPv6 traffic is allowed by default even if intra EPG isolation is configured from APIC. You can change the security policy setting on the Nutanix UI to deny IPv6 traffic. This will deny all IPv6 traffic to and from the VMs which are associated with the security policy.

Intra-ESG isolation

Intra-ESG isolation is a security mechanism that prevents physical or virtual endpoints that are in the same ESG from communicating with each other. After enabling intra ESG isolation, endpoints in an ESG cannot communicate with each other. A corresponding security policy is created or updated on Prism Central.

To enable intra-ESG isolation, on the APIC GUI, navigate to Tenants > Application Profiles > Endpoint Security Groups. On the ESG screen, under Policy, for the Intra ESG Isolation field, select the Enforced option.

For the detailed procedure about creating an ESG, see the Endpoint Security Groups chapter in the Cisco APIC Security Configuration Guide.

IP address management

When you enable IP Address Management (IPAM) on an EPG, Nutanix creates an internal DHCP server for the subnet corresponding to the EPG. IPv4 addresses for VMs in this subnet are allocated by this internal DHCP server. If the EPG is created without enabling IPAM, you may need to use an external DHCP server for VM IP assignment. See the Associate an EPG to a VMM domain section for details about IPAM configuration.

Create a VMM domain

Use this procedure to create a VMM domain. A VMM domain needs to be created to specify the connectivity details to the Nutanix Controller. The VMM domain will also provide visibility into the Nutanix Cluster.

Before you begin

Confirm that the Nutanix cluster is up; Prism Central and Prism Element are healthy.

Procedure

Step 1

Log in to Cisco APIC.

Step 2

Go to Virtual Networking > Nutanix.

The Domains page appears.

Step 3

At the upper right of the Domains page, click Actions > Create Domain.

Step 4

In the Create Domain page, complete the following steps:

  1. In the General area, in the Name field, enter a name for the domain.

  2. In the Settings area > for the Access Mode field, choose Read Only or Read Write.

    If you select Read Only, the VMM domain enables you to view inventory information for a vSwitch in the Prism Central that Cisco APIC does not manage. If you select Read Write, ensure you have administrator privileges.

  3. Enter the Custom vSwitch Name.

    To use an existing vSwitch (on Nutanix), enter the name. For this task (VMM domain creation), you can use an existing switch or Cisco APIC can create a vSwitch. If you leave the field blank, Cisco APIC creates a virtual switch on Nutanix while creating the VMM domain. The virtual switch cannot be modified after creation.

    Note

     

    You can create a new switch if you are using AOS version 6.6 and Prism Central that supports Nutanix v4 APIs. If you are using AOS version 6.5, use an existing virtual switch. It is recommended to check the relevant Nutanix documentation to confirm that your AOS and Prism Central versions support Nutanix v4 APIs.

  4. For the VLAN Pool field, click Select VLAN Pool. In the Select VLAN Pool dialog box, choose an existing VLAN pool or create a new one.

  5. For the Attachable Access Entity Profile field, click Select Attachable Access Entity Profile. In the Select Attachable Access Entity Profile dialog box, choose an existing attachable access entity profile or create a new one.

  6. For the Security Domains field, click Add Security Domain and select the security domain from the displayed list.

    This is a security feature where you can assign access to the required domains.

  7. In the Controller area, click Add Controller. In the displayed pop-up window, enter the following details:

    1. Name – enter the controller name (Prism Central in Nutanix).

    2. Hostname or IP Address – enter the IP address of the Nutanix Prism Central.

    3. Datacenter – enter the cluster name (as created on Nutanix) that the Cisco APIC needs to manage.

    4. Cluster AOS Version – select the minimum cluster version (Nutanix Acropolis OS (AOS) version). The communication between Cisco APIC and Nutanix is based on the selected AOS version.

    5. Stats Mode – select the Enabled check-box to fetch the information from Network Statistics in Nutanix.

    6. For the Credentials field, click Select Credentials > Create Credentials. In the Create Credentials dialog box, enter a name for the credentials, a description, a username, and a password. Click Save.

      Note

       

      Ensure that the Nutanix username specified here (vmmDomain creation) has admin privileges on Nutanix.

    7. Select Advanced Settings.

      The Port Details field is displayed.

      Port is set to the default value, 0. Use the default setting to connect to Nutanix Prism Central on port 9440. Enter a non-zero value if Nutanix Prism Central is using a custom port other than 9440.

    8. For the Cluster Controller field, click Add Cluster Controller. In the Add Cluster Controller pop-up window, enter the details of the cluster which is part of the controller. Each cluster is referred to as Prism Element in Nutanix. Enter the name, IP address of the Nutanix Prism Element, the cluster name (Nutanix Prism Element Cluster), port, and credentials. Ensure that the cluster name entered here is the same as the Datacenter name in the Add Controller screen.

      (Optional) In Advanced Settings, enter the Port Details as mentioned in Step 7.

    9. Click OK.

  8. Click Save (Create Domain screen).

    After the creation of the VMM domain, the created domain is displayed under Virtual Networking > Nutanix> Domains screen. Click the Domain Name (first column) to get the VMM inventory details about each domain. The inventory details are displayed as tabs. To check for faults, click the Event Analytics tab.

    Note

     

    Only one cluster per VMM domain is supported; that is, one Prism Central can have one Prism Element. If you need more clusters, repeat the above procedure to create more VMM domains.

What to do next

Assign host uplink links (using the Nutanix Prism Central GUI)

  1. Log in to Nutanix Prism Central.

  2. Navigate to Network and Security > Subnets > Network Config.

  3. On the Network Configuration window that is displayed, select the Virtual Switch tab. The list of virtual switches available on Nutanix is displayed. You can use a virtual switch from the available list or create new one (see sub-step (c) in the above procedure).

  4. Configure the interfaces of the virtual switch. Select the interfaces in the hosts that are connected to the ACI fabric.

  5. To set the uplink configuration, select the Bond type. The bond types and the associated APIC configurations are:

    Bond Type

    APIC Configuration

    No Uplink Bond

    Configure Leaf Access Port Policy Group and associate to the Interface

    Active-Active

    Configure PC or VPC Policy Group and associate to the interfaces

    Active-Backup

    Configure Leaf Access Port Policy Group and associate to the Interface

    Active-Active with MAC pinning

    Configure Leaf Access Port Policy Group and associate to the Interface

    For details about port policy configurations, see the Cisco APIC Basic Configuration Guide, Release 6.0(x).

  6. If intra-EPG isolation is configured, microsegmentation needs to be enabled in Prism Central for the clusters managed by VMM domains. Navigate to Prism Central Settings > Flow > Microsegmentation.

Associate an EPG to a VMM domain

Use this procedure for associating an EPG to a VMM domain. You can enable IPAM if you need Nutanix to create an internal DHCP server for the subnet corresponding to the EPG.

Each EPG created on APIC, which is associated with an Nutanix VMM domain, will create a corresponding subnet on Nutanix Prism. The EPG configuration will also create a few default categories corresponding to the EPG.

Following are the guidelines and restrictions, if IPAM is enabled using the procedure given below:

  • IPAM Gateway is mandatory, cannot be modified after creation.

  • DHCP Server Override address is optional, cannot be modified after creation.

  • DHCP pool can be dynamically modified but ensure the VM address usage is valid during DHCP pool changes.

  • After enabling IPAM on an EPG, you cannot disable it. You need to delete the VMM association and re-associate (with IPAM disabled).

  • IPAM configuration can be modified if the subnet is not associated to a VM NIC.


Note

It is recommended to manage IPAM configuration from Cisco APIC. If you must manage IPAM directly on Nutanix, do not configure IPAM on Cisco APIC. Ensure that you are configuring IPAM on either Cisco APIC or on Nutanix.

Before you begin

The required prerequisites are:

  • Create a VMM domain.

  • Create a tenant, application profile and at least one EPG.

  • If you are enabling intra-EPG isolation using the procedure detailed below, ensure to enable microsegmentation on Nutanix Prism Central for the clusters managed by VMM domains.

Procedure

Step 1

Log in to Cisco APIC.

Step 2

Go to Tenants > tenant > Application Profiles > application_profile > Application EPGs > application_epg > Domains (VMs and Bare-Metals).

Step 3

Choose Domains (VMs and Bare-Metals), click the Action icon at the upper right of the central pane and choose Add VMM Domain Association. The action icon is indicated by a crossed hammer and wrench.

Step 4

In the Add VMM Domain Association dialog box, enter the following details:

  1. From the VMM Domain Profile drop-down list, choose the Nutanix domain (that you earlier created, using Create a VMM domain).

  2. Select the required Deploy Immediacy. The options are Immediate and On Demand.

    The only supported Resolution Immediacy is Pre-provision (which is not displayed on the GUI).

  3. For VLAN Mode, choose either Static or Dynamic.

    By default, a VLAN is dynamically assigned from the VLAN pool. If you select Static, enter the Port Encapsulation. Ensure to enter the correct value (from the VLAN pool range).

    Note

     

    Nutanix does not allow VLAN ID change for an existing subnet, and a subnet cannot be deleted if there is a VM using it. If you change the VLAN ID of an EPG on Cisco APIC, then, either of the following is possible:

    • If there is no VM using the subnet, APIC will update the subnet with the new VLAN ID.

    • If there is a VM using the subnet, APIC will change the existing subnet to original_name|inactive, and create a new one with the original_name and a new VLAN ID. VM administrator needs to update the VM VNIC to subnet association.

    The inactive subnet using the earlier VLAN will not be automatically deleted by APIC. Nutanix administrator will need to delete it after all the VMs are migrated to the new subnet.

  4. IPAM Enabled – Check the check-box to enable IP Address Management (IPAM).

  5. IPAM gateway Address – enter the gateway address the VMs can use to connect to the network.

  6. DHCP Server Override – enter the DHCP server IP address used by Nutanix. Set this field to specify the address to be used by the DHCP server (Nutanix). If you do not specifically mention this, Nutanix will auto-derive the IP address, which is the highest in the subnet.

  7. DHCP Address Pool – enter the DHCP address pool. Select the DHCP address pool or create a new one. On the APIC GUI, navigate to Policies > VMM > Address Management Policies to view or manage the IP Address pools.

  8. Custom EPG Name – Enter a name for the EPG.

    When you associate an EPG with a VMM domain, a default name is generated in this format - TenantName|ApplicationProfile|EPGName. When you enter a name here, the Nutanix subnet is created with the custom EPG name (as entered here), instead of the default name.

Step 5

Click Submit.

Step 6

(Optional) To enable intra-EPG isolation, navigate to Tenant > Application Profiles > AP_name > Application EPGs > EPG_name.

  1. On the work pane, go to Policy > General tab.

  2. For the Intra EPG Isolation field, select the Enforced option. (By default, Unenforced is selected.)

What to do next

Attach VMs (using the Nutanix Prism Central GUI)

  1. Log in to Nutanix Prism Central.

  2. Navigate to Compute and Storage > VMs.

  3. From the displayed list of VMs, select the required VM. Click the Actions button > Update.

  4. On the Update VM window, in the Resources tab > Networks area, click Attach to Subnet. Select the subnet.

    When an EPG is created and associated to a domain, a subnet is created on Nutanix (as described in the Associate EPG to a VMM Domain procedure, above).

  5. Click Next.

  6. On the Management tab, select the Category from the drop down list. Associate two categories for each EPG. They are- AppTier:aci, AppType:aci. These two categories are default category types on Prism Central. The values/ tags are created for these categories after EPG association to the VMM domain (as seen below). 

    
AppType : aci-domainname~TenantName~APName
AppTier : aci-domainname~TenantName~APName~EPGName

  7. (Optional) If intra EPG isolation is enabled on the EPG, navigate to Network and Security > Security Policies to confirm if the rule has been created. Security policies (in Enforced status) are created by the Cisco APIC to support intra EPG isolation.

Microsegmentation for the Nutanix VMM domain

Microsegmentation is a network security technique that:

  • divides a network into logical security zones for improved isolation,

  • enables assignment of endpoints to dynamic groups based on network or VM-based attributes, and

  • allows enforcement of granular policies within distributed virtualized environments

For generic microsegmentation-related information, and details about basic microsegmentation constructs, see the Microsegmentation with Cisco ACI chapter in the Cisco ACI Virtualization Guide. We assume that you are familiar with EPGs, ESGs, tenants, contracts, and other key concepts relating to Cisco ACI policies.

Beginning with Cisco APIC 6.1(4), microsegmentation is supported for the Nutanix VMM domain. Unlike the other integrations, the Nutanix virtual switch (vSwitch) does not support private VLAN (PVLAN). For classification and enforcement of contracts for the VM traffic, you need to enable Flow Network Security (FNS) policies on the Nutanix Prism Central.

Microsegmentation for the Nutanix VMM domain can be achieved by creating microsegment endpoint groups (uSeg EPGs) or Endpoint Security Groups (ESGs). An ESG or uSeg EPG is mapped to a secured entity in Nutanix. For each ESG or uSeg EPG, a category and tag are created in Nutanix, and VMs classified into the ESG or uSeg EPG are assigned the corresponding tag. Secured entities in Nutanix are defined based on these tags. ACI contracts are implemented through Nutanix security policies using FNS next-gen.

Flow network security

Flow network security (FNS) is a microsegmentation solution provided by Nutanix. FNS implements microsegmentation with a simplified policy management system. FNS offers

  • policy-based network security tightly integrated into Nutanix AHV and Prism Central.

  • rich visualization, automation, and security for virtual machines (VMs) running on AHV. By using multiple Prism Central categories (logical groups), you can create a powerful distributed firewall that works as an application-centric policy management tool for securing VM traffic.

FNS elements

The key FNS elements for the integration are:

  • Categories: a simple text key-value pair used to define groups of VMs that policies are applied to. Categories allow you to flexibly group VMs based on attributes to define security policies. When you use logical categories, you no longer need to base policy definitions solely on network addresses or manually update policies to handle network changes. Your security policy can automatically apply to a VM independent of its network configuration.

  • Security Policies: rules that determine what is allowed between a source and a destination. Objects which have security policies applied to them are referred to as Secured Entities (SE). A logical grouping of SEs that share common security policies form a Secured Entity Group (SEG). A rule inside an application policy includes all the inbound and outbound traffic for specific secured entities. A single rule can include multiple sources and multiple destinations.

Policy translation

Contracts are created on the APIC GUI. Security policies on Nutanix are created based on the defined contracts for each endpoint. Nutanix blocks all traffic by default, allowing only specified traffic through contracts. Each security policy includes inbound and outbound rules for managing traffic flow. Consider an example where a contract is created on APIC with these rules: 

Filter Rule: Allow TCP traffic on port 8000 
Consumer: ESG_DB 
Provider: ESG_APP

Nutanix security policies are symmetric and based on destination ports. Based on the contract, two security policies are created on Nutanix, one for each ESG.

Policy for ESG_APP (Provider)


Inbound Rule:
From ESG_DB, allow traffic on TCP port 8000
Outbound Rule:
To ESG_DB, allow traffic on TCP ANY (permit)

Policy for ESG_DB (Consumer)


Inbound Rule:
From ESG_APP, allow traffic on TCP ANY (permit)
Outbound Rule:
To ESG_APP, allow traffic on TCP port 8000

Limitations for microsegmentation on the Nutanix VMM domain

Generic limitations

  • vzAny is not supported.

  • Intra-ESG and intra-EPG contracts are not supported.

  • VLAN basic subnet is not supported (only VLAN subnet is supported).

  • In a mixed VMware and Nutanix environment, only contract filters supported in Nutanix FNS are allowed to be configured.

  • Mac / IP-based tags are not supported.

  • Contract related statistics for policy enforced on Nutanix is not pulled into APIC (due to API support limitation on Nutanix).

  • Only one vNIC per VM is supported.

Filtering capability-related limitations

These limitations are applicable as the rules in Nutanix differ for filtering capabilities provided by ACI contracts.

  • Bidirectional TCP/UDP/ICMP filters with “reverse filter ports” as true are supported.

  • Only DST port-based filtering is supported (no support for SRC port-based filtering).

  • Only permit rules are allowed (no support for deny).

  • PBR/copy support is not supported.

  • IPv6 is not supported.

Requirements for configuring microsegmentation on the Nutanix VMM domain

On the APIC GUI

  • Navigate to Virtual Networking > Nutanix and check the following for the prism central installed on the Nutanix cluster:

    • FNS next-generation, version 4.1.0.

      Use the allssh cat /home/nutanix/flow/flow_version.txt command to check the FNS version.

    • Prism Central (PC) version is pc.2024.2.0.x

    • AOS version 6.10

  • Create an EPG (or EPGs) on which the uSeg EPG and ESG will be configured.

On the Nutanix GUI

  • Run the commands, flow_cli flow.enable_cisco_aci_mode and allssh genesis stop flow microseg; cluster start to enable aci mode and restart fns, respectively.

  • Navigate to Prism Central Settings and confirm that the Network Controller Service Status is set to Enabled and check the Set as default check-box to set the VLAN as a network VLAN. Then, click Microsegmentation on the left navigation pane, the Microsegmentation screen is displayed. Check the Enable Microsegmentation check-box. FNS next-gen is displayed.

  • Create a category to classify the VMs (example: ACI_VM_Category).

Configure microsegmentation using microsegment endpoint groups

Use the following procedure to configure microsegmentation with Cisco ACI on the Nutanix VMM domain. Microsegmentation for the Nutanix VMM domain can be achieved by creating uSeg EPGs based on existing application EPGs. Ensure to choose the same bridge domain (BD) for the new uSeg EPG and the application EPG.

For details about EPGs, see the Cisco APIC Layer 2 Networking Configuration Guide.

Before you begin

See the Requirements for configuring microsegmentation on the Nutanix VMM domain section.

Procedure

Step 1

Log into the Cisco APIC.

Step 2

Choose Tenants and then choose the tenant where you want to create a microsegment.

Step 3

In the tenant navigation pane, expand the tenant folder, the Application Profiles folder, and the profile folder.

  1. Expand the Application EPGs folder and the folder for the application EPG.

  2. Right-click on the folder Domains (VMs and Bare-Metals).

  3. Click the Actions icon.

  4. In the Add VMM Domain Association dialog box, after you choose the VMM domain, check the Allow Micro-Segmentation check box.

  5. For the VLAN mode, select Dynamic for automatic VLAN allocation.

  6. Click Submit.

  7. (Optional; verification on the Nutanix GUI) The associated EPG creates a corresponding subnet and category on Prism Central. The created category is indicated as ACI-EPG. The VLAN id is also displayed.

Step 4

In the tenant navigation pane, right-click the uSeg EPGs folder, and then choose Create Useg EPG.

Step 5

In the tenant navigation pane, right-click the uSeg EPGs folder and then choose Create uSeg EPG.

Step 6

In the Create uSeg EPG Step 1 > Identitydialog box, complete the following steps to create a uSeg EPG for a group of VMs:

  1. In the Name field, enter a name.

    Choose a name that indicates that the new uSeg EPG is a microsegment.

  2. In the intra-EPG isolation field, select enforced or unenforced.

    If you select enforced, Cisco ACI prevents all communication between the endpoint devices within this uSeg EPG.

  3. In the Bridge Domain area, choose a bridge domain from the drop-down list.

    Ensure to select the same bridge domain that is used for the application EPG. Otherwise, the Nutanix uSeg will not match VM attributes and will not place the VM into a uSeg EPG.

  4. Click Next.

Step 7

In the Create USeg EPG Step 2 > Domains, complete the following steps to associate the uSeg EPG with a VMM domain.

  1. Click the + (plus) icon at the right of the dialog box.

  2. From the Domain Profile drop-down list, select the Nutanix domain.

  3. Click Finish.

Step 8

In the navigation page for the tenant, open the folder for the uSeg EPG that you just created.

Step 9

Click the uSeg Attributes folder.

The uSeg Attributes work pane is displayed, allowing you to configure attributes to filter which VMs you want to add to the uSeg EPG.

Step 10

From the match drop-down list, choose Match Any or Match All.

The match feature enables you to use multiple attributes to filter VMs for the uSeg EPG. The default is Match Any. The match all feature is supported for VM-based attributes only.

Step 11

Click the + or the +( icon to add a filtering statement.

The + icon allows you to create a simple statement, one that creates a filter for a single attribute. You can add multiple simple statements to filter for multiple attributes. The +( icon allows you to create a block, or nested, statement, which allows you to set attributes in a hierarchy, which filters for the highest-level attribute first and then filters for lower-level attributes.

For Nutanix VMM domain, only the VM– Tag attribute is supported. Select the category, an operator and the tag value. The category and tag value are created on Prism Central. Associate the category to the VM. Based on the example mentioned in the prerequisites section, the category (indicated in the box below) corresponds to the ACI_VM_Category.

Based on the uSeg EPG created on APIC, the ACI-uSeg-EPG category is created in Prism Central. The value is indicated in this format: aci-domain_name|tenant_name|AP_name|uSegEPG_name. A corresponding security policy is also created on Prism Central.

Note

 

Creating a new category is optional. You can use an existing Prism Central category, such as apptier and apptype. For communication between the uSeg EPG and application EPG, define a contract. The security policy on Prism Central is updated based on the rules defined in the contract.

Configure microsegmentation using endpoint security groups

Use this procedure to create an endpoint security group which will classify the VMs on Nutanix. For classifying EPGs using ESGs for the Nutanix VMM domain, the supported parameters are Tag Selector and EPG selector. For details about selectors, see the Cisco APIC Security Configuration Guide.

Before you begin

See the Requirements for configuring microsegmentation on the Nutanix VMM domain section.

Procedure

Step 1

Log into the Cisco APIC.

Step 2

Choose Tenants and then choose the tenant where you want to create a microsegment.

Step 3

In the tenant navigation pane, expand the tenant folder, the Application Profiles folder, and the profile folder.

  1. Expand the Application EPGs folder and the folder for the application EPG.

  2. Right-click on the folder Domains (VMs and Bare-Metals).

  3. Click the Actions icon.

  4. In the Add VMM Domain Association dialog box, after you choose the VMM domain, check the Allow Micro-Segmentation check box.

  5. Click Submit.

  6. (Optional; verification on the Nutanix GUI) The associated EPG creates a corresponding subnet and category on Prism Central. The created category is indicated as ACI-EPG. The VLAN id is also displayed.

Step 4

See the Creating an ESG procedure in the Cisco APIC Security Configuration Guide. Ensure to adhere to the following:

  1. In the Identity pane, ensure that the VRF matches with the VRF that was earlier created for the endpoint group.

  2. In the Selectors pane, add the EPGs that are classified under this ESG.

  3. (Optional) As the ESG is created using the APIC GUI, check on the Nutanix GUI for the corresponding ACI-ESG category. A security policy is created for the ESG.

See the Applying a Contract to an ESG procedure in the Cisco APIC Security Configuration Guide to define a contract between ESGs.

Classification of virtual machines

The classification of the virtual machines in Nutanix is based on the associated ESGs or the uSeg-EPGs. After the creation of uSeg EPGs (or ESGs) on APIC, the VMs are matched to ESGs or uSEg-EPGs by their custom tags or by their EPGs. Security policies are enforced on a VM based on the ACI-defined category assigned to it.

Nutanix Prism Central

Cisco APIC

VM is attached to a subnet

ACI tag for the subnet is calculated and automatically assigned.

VM matches an ESG

ACI-ESG tag is assigned to the VM.

VM matches an uSeg-EPG

ACI-uSeg EPG tag is assigned to the VM.

VM does not match any ESG or uSeg-EPG

ACI-EPG tag remains assigned to the VM.

Tag precedence for the VMs (in descending order):

  • ESG match based on tag selector.

  • ESG match based on uSeg-EPG selector.

  • uSeg-EPG match based on tag.

  • ESG match based on EPG selector.

  • ACI-EPG tag based on the attached subnet.

Sample usecases

Microsegmentation using uSeg EPGs

Outline of the usecase: segmentation for endpoints in the same subnet.

All endpoints are in the same subnet but due to security requirements, they cannot communicate with each other or can only communicate with each other on a particular UDP/TCP port. The endpoints can be in the same Nutanix domain or could reside in different domains (such as VMware). 


Topology:
EPG1, EPG2 are both in Bridge domain 1 (BD1)
VM11, VM12, VM13 are endpoints in the Nutanix VMM domain
E1, E2 are endpoints in the VMware Domain
E1, VM11, VM12, VM13 in EPG1
E2 in EPG2

Solution: Define two uSeg EPGs: uSeg1 and uSeg2 and configure the required uSeg attributes to enforce communication between VM13 and the other endpoints.VM13 can communicate with the other endpoints when a contract is applied between useg1 and useg2.

Microsegmentation using ESGs

Outline of the usecase:

  • Grouping endpoints from different EPGs (EPG1, EPG2, EPG3) in a single ESGA, so those endpoints VM1-1, VM1-2, VM2, VM3 can communicate without any contract. This helps to simplify the security configuration.

  • Allow segmentation between endpoints even when they are in same subnet. For example VM3, VM4 are in same subnet but they cannot communicate with each other. 


Topology:
EPG1, EPG2 are both in Bridge domain 1 (BD1)
EPG3 in BD2
VM1-1, VM1-2 are in EPG1 and ESGA
VM2 is in EPG2 and ESGA
VM3 is in EPG3 and ESGA
VM4 is in EPG3 and ESGB

Solution:

Consider ESGA as Host-1 and ESGB as Host-2. Both the hosts are in the same cluster and the same VMM domain.

  • For intra-host, intra-EPG, and inter-ESG (VM3 and VM4), contract enforcement happens on the Nutanix side.

  • For intra-host, inter-EPG, intra-ESG (VM1-1 and VM2), contract enforcement happens on the Nutanix side.

  • For inter-host, inter-EPG and inter-ESG (VM1-1 and VM4), contract enforcement happens on the Nutanix side and on the ACI fabric too.

  • For inter-domain traffic, contract enforcement always happens on the ACI fabric.