The Cisco Application Centric Infrastructure (ACI) architecture was designed with multitenancy in mind. ACI has built-in segmentation (by way of endpoint groups and contracts) and security as part of the architecture, but customers want the ability to secure and segment their data centers and their physical and virtual workloads for greater control and manageability. For more granular and dynamic segmentation, and to enhance security inside the data center, ACI Release 1.1(1) added support for microsegmentation.
Interface and VLAN/VXLAN IDs are used for endpoint group classification. In addition, you can use more granular endpoint group derivation based on MAC, IP, or VM information. Even if endpoints are connected to the fabric with the same VLAN/VXLAN ID on the same port, you can apply a different security policy to each one. This section describes these microsegmentation capabilities (intra-endpoint group isolation, IP-based endpoint group, and uSeg endpoint group) and how to configure them.
Guidelines and Limitations for Microsegmentation
Application Policy Infrastructure Controller (APIC) supports IP-based endpoint group, uSeg endpoint group, and intra-endpoint group isolation. APIC supports multi-hypervisor virtual endpoints and bare metal endpoints.
Table 1. Endpoint Group Isolation Support

Feature | Supported APIC Releases | Notes
uSeg endpoint groups (IP, MAC, VM attribute) for an AVS domain | 1.1(1x) or later |
uSeg endpoint groups (IP, MAC, VM attribute) for an SCVMM domain | 1.2(1x) or later |
uSeg endpoint groups (IP, MAC, VM attribute) for a VMware vDS domain | 1.3(1x) or later | Requires a Cisco Nexus 9300-EX leaf switch.
IP-based endpoint groups for a physical domain | 1.2(1x) or later | Requires a Cisco Nexus 9300-EX or Cisco Nexus 9500-EX line card. IP-based endpoint group classification is applied only to routed traffic.
Intra-endpoint group isolation for VMware vDS and physical domain | 1.2(2x) or later | Legacy mode bridge domain is not supported.
Intra-endpoint group isolation for AVS domain | 1.3(1x) or later |
Intra-Endpoint Group Isolation
By default, all endpoints in the same endpoint group can talk to each other without requiring a contract. Intra-endpoint group
(intra-EPG) isolation prevents all endpoints in the endpoint group from talking to each other. This is a private VLAN-equivalent
feature in a traditional network. Intra-EPG isolation reduces the number of endpoint group encapsulations that you must have
when many clients access a common service, but the clients are not allowed to communicate with each other.
Only use this feature when the VRF is in enforced mode, because the feature relies on the correct isolation based on the deployment
For example, assume that you have three endpoints: two are in the Client endpoint group, while the third is in the Web endpoint group. If there is a contract between the endpoint groups, they can talk to each other, as shown in the following figure:
If you enable intra-EPG isolation on the Client endpoint group, the endpoints in that endpoint group cannot talk to each other, but inter-EPG communication is still permitted if there is a contract, as shown in the following figure:
Table 2. Callouts for Intra-EPG Isolation with a Contract
1. Endpoints in the same endpoint group cannot communicate with one another.
2. Inter-EPG communication is still permitted if there is a contract.
The backend uses PVLAN (private VLAN). After you enable intra-EPG isolation on the endpoint group, the APIC changes the vDS and port group configuration and pushes the policy to the physical leaf, which prevents communication between endpoints in the same endpoint group. The following screenshots show this configuration:
By default, you do not need to specify a VLAN encapsulation ID for port groups. The APIC chooses a VLAN from the dynamic VLAN pool that is associated with the VMM domain.
When you use PVLAN, if you have intermediate switches, such as Cisco UCS fabric interconnects, between the server and the ACI leaf switch, you must configure the PVLAN on the intermediate switches as well. That means you must know which VLAN ID will be used. If you add a static VLAN pool to the VMM domain, you can specify the VLAN ID from the static VLAN pool.
uSeg Endpoint Group for a Physical Domain
If you have two endpoints that are in the same VLAN on the same interface and use a VLAN ID and interface for endpoint group
classification, the endpoints will be in the same endpoint group. This implies that the endpoints have the same security policy.
In the figure, both Server-A and Server-B can connect to both Storage-A and Storage-B.
With an IP-based endpoint group, you can use an IP address for endpoint group classification. For example, 192.168.1.1 is
in endpoint group Storage-A and 192.168.1.2 is in endpoint group Storage-B even if they are in the same VLAN and interface.
The different endpoint groups enable you to apply different security policies to each endpoint.
In the figure, Server-A can only connect to Storage-A, while Server-B can only connect to Storage-B.
To create this configuration, you must create a base endpoint group "Storage" and associate it with a physical domain with
static bindings (path or leaf switches). Thus, both 192.168.1.1 and 192.168.1.2 are in the base endpoint group.
Next, create the uSeg endpoint groups "Storage-A" and "Storage-B", which are also associated with a physical domain with static bindings (leaf switches). You can set multiple uSeg attributes in the uSeg endpoint groups. This example uses 192.168.1.1/32 for "Storage-A" and 192.168.1.2/32 for "Storage-B", but you can specify a larger subnet, such as 172.16.1.0/24.
You must follow these configuration guidelines for the bridge domain and endpoint group settings:
1. The base endpoint group and the uSeg endpoint group must be in the same bridge domain.
2. The bridge domain subnet is required and unicast routing must be enabled, because IP-based endpoint group classification applies only to routed traffic.
3. Deployment immediacy must be Immediate on the uSeg endpoint group.
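As an added example (not Cisco's code or configuration), the following Python builds the Storage / Storage-A / Storage-B design from this section as APIC-style XML and checks it against the three guidelines above. The object class and attribute names follow the APIC object model; the tenant, physical domain, leaf node ID and VLAN values are placeholders, and the exact static-binding attributes on a uSeg endpoint group are an assumption to confirm against the APIC model reference.

```python
import xml.etree.ElementTree as ET

# Constructed example, not Cisco's code: build the Storage / Storage-A / Storage-B
# design as APIC XML and check it against the three configuration guidelines.
# Class and attribute names follow the APIC object model; PHYS_DOM, LEAF, the VLAN
# and the uSeg static-binding attributes are placeholders / assumptions.
PHYS_DOM, LEAF = "uni/phys-PhysDom-Storage", "topology/pod-1/node-101"

def bridge_domain(name, subnet=None, routed=True):
    bd = ET.Element("fvBD", name=name, unicastRoute="yes" if routed else "no")
    if subnet:
        ET.SubElement(bd, "fvSubnet", ip=subnet)
    return bd

def epg(name, bd, ip_attr=None, immediacy="immediate", encap="vlan-20"):
    """Base EPG when ip_attr is None, otherwise a uSeg EPG with one IP criterion."""
    e = ET.Element("fvAEPg", name=name, isAttrBasedEPg="yes" if ip_attr else "no")
    ET.SubElement(e, "fvRsBd", tnFvBDName=bd)
    ET.SubElement(e, "fvRsDomAtt", tDn=PHYS_DOM, instrImedcy=immediacy)
    leaf = ET.SubElement(e, "fvRsNodeAtt", tDn=LEAF, instrImedcy=immediacy)
    if ip_attr:
        crit = ET.SubElement(e, "fvCrtrn", name="default")
        ET.SubElement(crit, "fvIpAttr", name="ip-" + ip_attr.split("/")[0], ip=ip_attr)
    else:
        leaf.set("encap", encap)  # the base EPG carries the VLAN the endpoints use
    return e

def check_guidelines(bd, base, useg):
    """Return the guideline violations; an empty list means the design is consistent."""
    problems = []
    if base.find("fvRsBd").get("tnFvBDName") != useg.find("fvRsBd").get("tnFvBDName"):
        problems.append("base and uSeg EPG must be in the same bridge domain")
    if bd.get("unicastRoute") != "yes" or bd.find("fvSubnet") is None:
        problems.append("bridge domain needs a subnet with unicast routing (routed-only classification)")
    if any(r.get("instrImedcy") != "immediate" for r in useg if r.tag in ("fvRsDomAtt", "fvRsNodeAtt")):
        problems.append("uSeg EPG deployment immediacy must be immediate")
    return problems

def storage_tenant(tenant="Tn-Storage"):
    """Assemble the whole design, validate it, and return the XML body to POST."""
    bd, base = bridge_domain("BD-Storage", subnet="192.168.1.254/24"), epg("Storage", "BD-Storage")
    usegs = [epg("Storage-A", "BD-Storage", ip_attr="192.168.1.1/32"),
             epg("Storage-B", "BD-Storage", ip_attr="192.168.1.2/32")]
    problems = [p for u in usegs for p in check_guidelines(bd, base, u)]
    if problems:
        raise ValueError(problems)
    root = ET.Element("fvTenant", name=tenant)
    root.append(bd)
    ET.SubElement(root, "fvAp", name="AP-Storage").extend([base, *usegs])
    return ET.tostring(root, encoding="unicode")
```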
uSeg Endpoint Group for a VMM Domain
A uSeg endpoint group for a VMM domain provides the ability to assign virtual endpoints automatically to an endpoint group
based on various attributes (MAC address, IP address, and virtual machine information).
If you have a 3-tier application with several virtual machines in different endpoint groups and you detect a vulnerability in a particular virtual machine, you can isolate that virtual machine or apply a different security policy to it. Without a uSeg endpoint group, endpoint group classification is based on the port group (VLAN encapsulation ID), so you must change the virtual machine vNIC to a different port group.
Using a uSeg endpoint group with a virtual machine attribute, you can move the endpoint to a different endpoint group without changing the virtual machine's vNIC configuration. For example, if the virtual machine name is "Web03," the virtual machine is classified into a uSeg endpoint group, and if the uSeg endpoint group has no contract with other endpoint groups, the virtual machine is isolated. After you determine the cause of the problem, you can delete the attribute configuration on the uSeg endpoint group so that the virtual machine is automatically sent back to the base endpoint group "Web".
The following figure illustrates this scenario:
In the figure, the virtual machine "Web03" is classified in a uSeg EPG, and so the virtual machine "Web03" cannot communicate
with other virtual machines.
A uSeg endpoint group can also have a contract with the base endpoint group, so another use case is migrating an endpoint between environments. Assume that you are setting up a new application on a server for a test environment and the virtual machine "Test-Webxxx" is in the "Test-Web" endpoint group. Once the virtual machine is ready, you change the virtual machine name to "Prod-Webxxx," which moves the virtual machine to the Prod-Web endpoint group.
The following figure illustrates this scenario:
In the figure, the test network and production network are isolated. After changing the virtual machine name, the virtual
machine is moved to the production network.
To create this configuration, you must create a base endpoint group and uSeg endpoint group, which are associated with the
VMM domain. For example, we have virtual machine "Win7-1" in Base endpoint group "Client" and "Win2012-Web1" in Base endpoint
Next, create the uSeg endpoint group "Win2012," which is also associated with the same VMM domain and is specified by a virtual machine attribute. In this example, if the virtual machine name contains "2012," the virtual machine is placed in the uSeg endpoint group. Once Win2012-Web1 is moved to the uSeg endpoint group, it no longer appears in the base endpoint group "Web." If you remove the uSeg attribute, the virtual machine moves back to the base endpoint group "Web."
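The following Python is an added model, not Cisco's code, of the classification and policy behavior described in this section and in the intra-EPG isolation and physical-domain sections above: interface plus VLAN selects the base endpoint group, a matching uSeg attribute (an IP prefix, or a VM-name "contains" match) overrides it, and traffic is then permitted within an endpoint group unless intra-EPG isolation is on, and between endpoint groups only when a contract exists. The interface names, VLAN IDs, IP addresses and the "Web-Quarantine" uSeg name are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed model, not Cisco's code: classify endpoints into EPGs the way the
# text describes, then decide whether two classified endpoints may communicate.
# intf/vlan: interface (or port group) and VLAN encapsulation the endpoint uses.
Endpoint = namedtuple("Endpoint", "name intf vlan ip vm_name", defaults=("",))
# ip_prefix: IP attribute such as "192.168.1.1/32"; vm_contains: VM-name attribute
# with the "contains" operator. Either may be empty.
UsegEpg = namedtuple("UsegEpg", "name base ip_prefix vm_contains", defaults=("", ""))

def classify(ep, base_by_encap, useg_epgs, routed=True):
    """Interface+VLAN selects the base EPG; the first matching uSeg attribute
    overrides it. IP attributes count only for routed traffic."""
    base = base_by_encap[(ep.intf, ep.vlan)]
    for u in useg_epgs:
        if u.base != base:
            continue
        if u.ip_prefix and routed and \
                ipaddress.ip_address(ep.ip) in ipaddress.ip_network(u.ip_prefix):
            return u.name
        if u.vm_contains and u.vm_contains in ep.vm_name:
            return u.name
    return base

def allowed(epg_a, epg_b, contracts, isolated=frozenset()):
    """Same EPG: open unless intra-EPG isolation is on. Different EPGs: contract."""
    if epg_a == epg_b:
        return epg_a not in isolated
    return (epg_a, epg_b) in contracts or (epg_b, epg_a) in contracts

def storage_scenario():
    """Storage-A and Storage-B share VLAN 20 on eth1/3; IP attributes split them."""
    base = {("eth1/1", 10): "Server-A", ("eth1/2", 10): "Server-B", ("eth1/3", 20): "Storage"}
    useg = [UsegEpg("Storage-A", "Storage", ip_prefix="192.168.1.1/32"),
            UsegEpg("Storage-B", "Storage", ip_prefix="192.168.1.2/32")]
    contracts = {("Server-A", "Storage-A"), ("Server-B", "Storage-B")}
    eps = [Endpoint("Server-A", "eth1/1", 10, "10.0.0.1"), Endpoint("Server-B", "eth1/2", 10, "10.0.0.2"),
           Endpoint("Storage-A", "eth1/3", 20, "192.168.1.1"), Endpoint("Storage-B", "eth1/3", 20, "192.168.1.2")]
    epg = {e.name: classify(e, base, useg) for e in eps}
    return {(s, t): allowed(epg[s], epg[t], contracts)
            for s in ("Server-A", "Server-B") for t in ("Storage-A", "Storage-B")}

def web03_scenario(quarantine=True):
    """Web01..Web03 share one port group; a VM-name attribute pulls Web03 out."""
    useg = [UsegEpg("Web-Quarantine", "Web", vm_contains="Web03")] if quarantine else []
    eps = [Endpoint(n, "pg-web", 100, f"10.1.1.{i}", n) for i, n in enumerate(("Web01", "Web02", "Web03"), 1)]
    epg = {e.name: classify(e, {("pg-web", 100): "Web"}, useg) for e in eps}
    return epg, {n: allowed(epg["Web01"], epg[n], contracts=set()) for n in ("Web02", "Web03")}
```

Calling web03_scenario(quarantine=False) models deleting the attribute: Web03 returns to "Web" and is reachable again.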
You can define multiple types of attributes in the uSeg endpoint group with the following precedences:
Table 3. uSeg Attribute Precedences
Data center (VMware)
Fabric Cloud (Hyper-V)
When you define a string attribute, you can choose one of the following operator types:
Additional References for Microsegmentation
For more information on microsegmentation, see the Cisco Application Centric Infrastructure Microsegmentation Solution White Paper document: