Mukesh Chanderia

ACI ESG

Overview of EPG and ESG:


  • EPG (Endpoint Group): Groups endpoints (e.g., servers or VMs) logically for defining application-based connectivity and security policies.

  • ESG (Endpoint Security Group): Groups endpoints for security purposes, offering flexibility for micro-segmentation and granular security.


EPG (Endpoint Group)


  • Groups endpoints (like servers or VMs) based on application requirements.

  • Tied to traditional network identifiers (VLAN, subnet, VXLAN).

  • Manages both forwarding (which VLAN/subnet to use) and security (through contracts).


  • Limited to a single bridge domain; each EPG is tied to one bridge domain.


ESG (Endpoint Security Group)


  • Groups endpoints for security purposes, regardless of their EPG or network settings.

  • Focuses on micro-segmentation and advanced security (contracts only).

  • Can span multiple bridge domains because it’s tied to a VRF (not a single bridge domain).

  • Allows more flexible classification methods (IP addresses, MAC addresses, security tags, etc.).

  • Provides finer control over security policies, but EPGs are still needed for VLAN binding and basic forwarding.



About Endpoint Security Groups (ESGs)


  • ESG Purpose

    • Improves security segmentation by grouping endpoints based on security needs across different bridge domains.

    • Lets you create security “zones” within a VRF rather than just a single bridge domain.

  • Key Differences from EPG

    • Forwarding: EPGs handle both forwarding and security; ESGs handle only security.

    • Scope: EPGs link to a single bridge domain; ESGs link to a single VRF but can include endpoints from multiple bridge domains in that VRF.

    • Classification Methods: ESGs use selectors (IP, MAC, tags, etc.) to dynamically group endpoints, while EPGs mainly use VLANs/subnets.

  • Contracts

    • Same ESG: Endpoints in the same ESG communicate freely (no contract needed).

    • Different ESGs: Must have a contract to communicate.

    • Outside Fabric: A contract is needed between an ESG and an external EPG (l3extInstP).

    • ESG vs. EPG: A contract directly between an ESG and an EPG is not supported.



Key Features of ESG:


  1. Selectors:

    • Define which endpoints belong to the ESG using flexible criteria:

      • Tag Selector: Classifies endpoints based on tags like MAC, IP, or VM attributes.

      • EPG Selector: Inherits contracts from existing EPGs for seamless migration.

      • IP Subnet Selector: Groups endpoints by IP or subnet.

      • Service EPG Selector: Manages traffic to Layer 4-7 devices.

  2. Contracts:

    • Act like ACLs, specifying the traffic allowed between ESGs.

    • Used to enforce security rules for communication within or between ESGs.

  3. Granularity:

    • Enables micro-segmentation by isolating endpoints within the same EPG or across multiple bridge domains.


ESG Traffic Filtering Examples


ESG-to-ESG Filtering



  • Example:

    • There are four bridge domains, each mapped to an EPG.

    • Two IP addresses from different BDs can belong to the same ESG, so they communicate freely.

    • IP addresses in another ESG will be blocked unless a contract is set up between ESGs.



Outside-to-ESG Filtering



  • To allow traffic from outside to an ESG, you create a contract between the external EPG (l3extInstP) and the ESG.

  • From the L3Out’s perspective, contracts with ESGs behave the same as with EPGs.


How ESGs Are Implemented


  • Association with VRF

    • Each ESG is tied to a single VRF.

    • The VRF can use ingress or egress policy enforcement modes.

  • Deployment on Leaf Nodes

    • ACI deploys the ESG configuration to all leaf nodes that host the VRF instance.

    • Contract rules are applied only after an endpoint matching the ESG selectors has been learned.

  • Class ID (pcTag/sclass)

    • Every ESG has a global pcTag, unique across the entire fabric.

    • Contracts between ESGs only create security rules (no forwarding decisions).

  • Continued Need for EPG

    • EPGs are still required to set up VLAN bindings on leaf interfaces (where endpoints connect).


ESG Selectors and Classification


  • Selector Types

    1. Tag Selector: Matches endpoints based on policy tags (MAC/IP tags, VM tags, etc.).

    2. EPG Selector: Matches all endpoints in a specific EPG (so you can migrate from EPG security to ESG security).

    3. IP Subnet Selector: Matches endpoints based on IP or subnet.

    4. Service EPG Selector: Matches service EPGs (devices from a service graph).


  • Layer 2 Traffic Limitation

    • IP-based selectors only classify traffic at Layer 3 (routed traffic).

    • MAC-based selectors classify both switched (Layer 2) and routed (Layer 3) traffic.

    • If you use IP-based selectors and need to enforce security at Layer 2, you generally enable proxy ARP or use other advanced configurations to force traffic to be routed.


Contracts in ESG


  • Similar to EPGs

    • Control which protocols and ports can pass between ESGs.

    • An ESG can be provider, consumer, or both.

    • Preferred groups let multiple ESGs talk freely if they are in the same group.


  • Supported Relationships

    • ESG ⇔ ESG

    • ESG ⇔ L3Out EPG

    • ESG ⇔ inband-EPG

    • ESG ⇔ vzAny

    • Not Supported: ESG ⇔ EPG directly.
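
To make the classification and contract rules above concrete, here is a small model of them as an added example (not code from the original post or from Cisco): endpoints, ESGs with the four selector kinds, the Layer 2 limitation of IP-based selectors, and the supported/unsupported contract relationships. All names, addresses and tags are constructed for the example; the first-match ordering between ESGs and the use of Python regex for the "regex" operator are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Endpoint:
    mac: str
    ip: str | None = None                         # None: endpoint learned by MAC only
    epg: str = ""                                 # EPG providing the VLAN binding
    mac_tags: dict = field(default_factory=dict)  # policy tags attached to the MAC
    ip_tags: dict = field(default_factory=dict)   # policy tags attached to the IP

@dataclass
class ESG:
    name: str
    vrf: str                                                 # an ESG is tied to one VRF
    epg_selectors: list = field(default_factory=list)        # EPG names
    ip_subnet_selectors: list = field(default_factory=list)  # host IPs or subnets
    tag_selectors: list = field(default_factory=list)        # (key, operator, value)

def tag_matches(tags: dict, key: str, op: str, value: str) -> bool:
    """Tag Selector semantics: value operator is equals, contains or regex."""
    if key not in tags:
        return False
    actual = tags[key]
    return {"equals": actual == value,
            "contains": value in actual,
            "regex": re.search(value, actual) is not None}[op]

def classify(ep: Endpoint, esgs: list, routed: bool) -> str | None:
    """Return the ESG an endpoint falls into, or None (EPG policy then applies).
    EPG selectors and MAC-based tags classify switched and routed traffic; IP
    subnet selectors and IP-based tags apply to routed traffic only."""
    for esg in esgs:                      # first match in list order (assumption)
        if ep.epg in esg.epg_selectors:
            return esg.name
        if any(tag_matches(ep.mac_tags, *sel) for sel in esg.tag_selectors):
            return esg.name
        if routed and ep.ip is not None:
            if any(tag_matches(ep.ip_tags, *sel) for sel in esg.tag_selectors):
                return esg.name
            if any(ip_address(ep.ip) in ip_network(net, strict=False)
                   for net in esg.ip_subnet_selectors):
                return esg.name
    return None

def permitted(src: tuple, dst: tuple, contracts: set) -> bool:
    """Groups are ("esg"|"epg"|"l3out", name); contracts is a set of frozensets."""
    if src == dst:
        return True                       # same ESG talks freely, no contract needed
    if {src[0], dst[0]} == {"esg", "epg"}:
        return False                      # a direct ESG <-> EPG contract is not supported
    return frozenset((src, dst)) in contracts
```

Running `classify` with `routed=False` on an endpoint matched only by an IP Subnet Selector returns `None`, which is the Layer 2 gap the page describes; the same endpoint tagged on its MAC is classified for both switched and routed traffic.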


Common GUI Tasks with ESGs


Creating a Tag Selector

  1. Go to Tenants → select tenant → Application Profiles → Endpoint Security Groups → pick an ESG → Selectors → Tag Selectors.

  2. Right-click Tag Selectors → Create a Tag Selector.

  3. Specify Tag Key, choose Value Operator (contains, equals, regex), and Tag Value.

  4. Click Submit.


Creating an EPG Selector

  1. Go to Tenants → select tenant → Application Profiles → Endpoint Security Groups → pick an ESG → Selectors → EPG Selectors.

  2. Right-click EPG Selectors → Create an EPG Selector.

  3. Check the EPGs you want to include.

  4. Click Submit.


Creating an IP Subnet Selector


  1. Go to Tenants → select tenant → Application Profiles → Endpoint Security Groups → pick an ESG → Selectors → IP Subnet Selectors.

  2. Right-click IP Subnet Selectors → Create an IP Subnet Selector.

  3. Enter the exact IP or subnet.

  4. Click Submit.


Creating a Service EPG Selector


  1. Go to Tenants → select tenant → Application Profiles → Endpoint Security Groups → pick an ESG → Selectors → Service EPG Selectors.

  2. Right-click Service EPG Selectors → Create a Service EPG Selector.

  3. Pick the service EPG from the drop-down list (from a device selection policy).

  4. Click Submit.


Creating an Endpoint MAC Tag


  1. Go to Tenants → choose tenant → Application Profiles → pick an application profile → Application EPGs → pick an EPG → Operational tab → Client Endpoints.

  2. Right-click on a row → Configure an Endpoint MAC Tag.

  3. Specify the MAC address, Bridge Domain, VRF (if needed), and add policy tags.

  4. Click Submit.


Creating an Endpoint IP Tag


  1. Go to Tenants → choose tenant → Application Profiles → pick an application profile → Application EPGs → pick an EPG → Operational tab → Client Endpoints.

  2. Right-click on a row → Configure an Endpoint IP Tag.

  3. Specify the IP address, VRF, and add policy tags.

  4. Click Submit.


Applying a Contract to an ESG


  1. Go to Tenants → pick tenant → Application Profiles → Endpoint Security Groups → select your ESG.

  2. Right-click Contracts → choose Add Provided/Consumed Contract or Intra-ESG Contract.

  3. Pick or create a contract, optionally add QoS or labels.

  4. Click Submit.



Route Leaking with ESG


  • Internal Subnets

    • You can “leak” a bridge domain subnet from one VRF to another.

    • Go to Tenants → Networking → VRFs → Inter-VRF Leaked Routes for ESG → EPG/BD Subnets → configure.

    • Enter the subnet, choose whether it’s advertised to other VRFs, and select the target VRFs.

  • External Prefixes

    • Learned from an L3Out in the source VRF; you can leak them to another VRF.

    • Similar process: Tenants → Networking → VRFs → Inter-VRF Leaked Routes for ESG → External Prefixes → create.

    • Specify IP range and target VRFs.



Layer 4 to Layer 7 (L4-L7) Integration with ESG


  • Service Graphs

    • Same configuration steps as with EPG-based service graphs.

    • Instead of associating the contract with an EPG, associate it with ESGs.

    • Choose “Endpoint Security Group” as the type when applying a service graph to a contract.

    • You can also apply a service graph to vzAny if needed.



Step-by-step guide to configuring an Endpoint Security Group (ESG) in Cisco ACI


1. Preparations: Verify or Create Required ACI Objects


  1. Create a Tenant (or pick an existing tenant).

    • In the APIC GUI, go to Tenants → Add Tenant and provide the necessary details.

  2. Create or Verify a VRF within the Tenant.

    • Go to Tenant → Networking → VRFs → Create VRF.

    • ESGs attach to a single VRF (unlike EPGs, which attach to a Bridge Domain).

  3. Create or Verify the required Bridge Domains (BDs).

    • Go to Tenant → Networking → Bridge Domains → Create Bridge Domain.

    • Ensure each BD is associated with the correct VRF.

    • EPGs are still needed for VLAN-to-interface bindings on the leaf switches.

  4. Create or Verify EPGs (optional, but generally needed for physical or virtual interface bindings).

    • Go to Tenant → Application Profiles → Add Application Profile.

    • Under the Application Profile, create EPGs that map to your VLANs/subnets.

    • Although ESGs handle security, EPGs are still used for forwarding (VLAN and subnet binding).


2. Create an Endpoint Security Group (ESG)


  1. In the APIC GUI, go to:

    • Tenants → your_tenant_name → Application Profiles → application_profile_name.

    • Expand Endpoint Security Groups.

  2. Right-click Endpoint Security Groups → Create Endpoint Security Group (name it, e.g., “Web-ESG”).

  3. In the Create Endpoint Security Group dialog:

    • Name: Provide a descriptive name for the ESG.

    • VRF: Select the VRF in which the ESG will operate.

    • (Optional) Description: Provide a brief description.

  4. Click Submit.

Note: The ESG now appears under Application_profile → Endpoint Security Groups → ESG_name.

3. Define Which Endpoints Belong to the ESG (Selectors)


ESGs classify endpoints based on different “selectors,” such as IP subnets, MAC addresses, tags, or existing EPGs. You can configure multiple selector types to match the endpoints you want in the ESG.

3.1 Tag Selector

  1. In the APIC GUI, navigate to:

    • Tenant → Application Profiles → Endpoint Security Groups → your_ESG_name → Selectors → Tag Selectors.

  2. Right-click Tag Selectors → Create a Tag Selector.

  3. In the Create a Tag Selector dialog:

    • Tag Key / Tag Value: Provide or select existing policy tag info (e.g., “environment=dev”).

    • Operator (Contains, Equals, Regex): Choose the matching condition.

    • Description: Optional note.

  4. Click Submit.

Note: Tag Selectors require endpoints to have a matching policy tag assigned (either to their MAC or IP).

3.2 EPG Selector

  1. In the same Selectors section, expand EPG Selectors.

  2. Right-click EPG Selectors → Create an EPG Selector.

  3. In the Create an EPG Selector dialog:

    • EPGs in ESG VRF: Check the boxes for any EPG(s) in the same VRF that should be included in this ESG.

    • Description: Optional.

  4. Click Submit.

Note: All endpoints in the specified EPG(s) will inherit the security contracts from the ESG.

3.3 IP Subnet Selector

  1. Go to IP Subnet Selectors under the same ESG → Selectors area.

  2. Right-click IP Subnet Selectors → Create an IP Subnet Selector.

  3. In the Create an IP Subnet Selector dialog:

    • IP Subnet (value): Enter an exact IP address (e.g., 192.168.10.11) or a subnet (e.g., 192.168.10.0/24).

    • Description: Optional.

  4. Click Submit.

3.4 Service EPG Selector (for L4-L7 device EPGs)

  1. Go to Service EPG Selectors → Create a Service EPG Selector.

  2. In the Create a Service EPG Selector dialog:

    • Service EPG: Select from the list of automatically generated EPGs for service devices (from L4-L7 device selection policies).

    • Description: Optional.

  3. Click Submit.


4. (Optional) Creating/Assigning Policy Tags to Endpoints


If you plan to classify endpoints by policy tags (Tag Selectors in ESG), you must assign policy tags to either the endpoint’s MAC or IP address:

4.1 Assign a Policy Tag to an Endpoint MAC

  1. Navigate to:

    • Tenants → your_tenant → Application Profiles → app_profile → Application EPGs → epg_name → Operational → Client Endpoints.

  2. Right-click the endpoint row → Configure an Endpoint MAC Tag.

  3. In the dialog:

    • Confirm the MAC Address, and if needed, specify a BD (* for “any BD in VRF”).

    • Under Policy Tags, add a Tag Key and Value (e.g., key: “environment”, value: “dev”).

  4. Click Submit.

4.2 Assign a Policy Tag to an Endpoint IP

  1. Similar to the above steps, but select Configure an Endpoint IP Tag.

  2. Provide the IP address and VRF, then add the desired Policy Tags.


5. Configure Contracts for the ESG


5.1 Understanding ESG Contracts

  • Endpoints within the same ESG communicate without a contract.

  • For ESG-to-ESG communication, you need a contract.

  • For Outside-to-ESG traffic, create a contract between l3extInstP (External EPG) and the ESG.

  • An ESG cannot directly have a contract with a normal EPG (only with other ESGs, L3Out EPGs, inband EPGs, or vzAny).

5.2 Adding a Contract to ESG

  1. Go to:

    • Tenants → tenant_name → Application Profiles → app_profile_name → Endpoint Security Groups → your_ESG_name.

  2. Right-click Contracts → choose one of:

    • Add Provided Contract

    • Add Consumed Contract

    • Add Intra-ESG Contract (applies security rules to traffic between endpoints of the same ESG, for isolation inside the ESG)

  3. In the Add Contract dialog:

    • Enter or select an existing Contract Name (or create a new one).

    • (Optional) Choose a QoS policy or Label.

  4. Click Submit.

Tip: If you need to set up granular rules, edit the Filters in your contract (e.g., TCP/UDP port numbers, protocols, etc.).

6. (Optional) Route Leaking with ESG


If you need to leak routes between VRFs or allow external prefixes, you can configure “Inter-VRF Leaked Routes” for ESG. This is similar to normal route leaking but done under the ESG’s VRF.

  1. Leaking Internal Subnets (BD Subnets):

    • Tenants → tenant → Networking → VRFs → Inter-VRF Leaked Routes for ESG → EPG/BD Subnets.

    • Right-click → Configure EPG/BD Subnet to leak → fill in the subnet & choose target VRF destinations.

  2. Leaking External Prefixes (From L3Out):

    • Tenants → tenant → Networking → VRFs → Inter-VRF Leaked Routes for ESG → External Prefixes.

    • Right-click → Create Leaked External Prefix → specify IP prefix & choose target VRFs.


7. (Optional) Layer 4 to Layer 7 Service Integration


If you want to insert a firewall or load balancer using a service graph, you can apply it in almost the same way as for EPGs. The main difference is you select ESG as the “endpoint group type”:

  1. Go to Tenants → tenant → Services → L4-L7 → Service Graph Templates.

  2. Right-click your Service Graph Template → Apply L4-L7 Service Graph Template.

  3. In STEP 1 > Contract:

    • Select Endpoint Security Group as the type.

    • Choose consumer/provider ESGs (or do an Intra-ESG contract).

    • Pick an existing contract or create a new one.

  4. Click Next, fill in the device details, and Finish.


8. Verify and Troubleshoot


  1. Check Endpoint Classification:

    • In the APIC GUI, open the ESG → Operational tab (if available), or check EPG → Operational → Client Endpoints to see whether the endpoints match the ESG selectors.

  2. Check Contracts:

    • Confirm that the correct filters/policies are in place for ESG-to-ESG or L3Out-to-ESG communication.

  3. Check Leaf Nodes (optional CLI):

    • Log into leaf switches to verify if the policy-cam rules (TCAM entries) are programmed correctly after endpoints match the ESG selectors.

  4. Layer 2 vs. Layer 3 Traffic:

    • If you use IP-based selectors, remember that Layer 2 “switched” traffic bypasses IP-based classification. Enable proxy ARP or micro-segmentation features if you need strict Layer 2 security enforcement.


Summary of Key Points


  1. Create an ESG under a Tenant and VRF.

  2. Define Selectors (Tag, EPG, IP Subnet, or Service EPG) to classify endpoints into the ESG.

  3. Apply Contracts between ESGs (or ESG and L3Out EPG) to control inter-group communication.

  4. Route Leaking and Service Graphs work similarly to normal ACI setups, but you reference ESG instead of EPG.

  5. Remember EPG is still required for VLAN bindings and bridging logic, but the ESG focuses on security.



Common Use Cases:


  1. Traffic Filtering:

    • Example: Two endpoints in different VLANs but the same ESG can communicate without a contract, whereas endpoints in different ESGs need explicit contracts.

  2. External Communication:

    • Contracts between ESGs and external devices (via L3Out) are required for outside access.

  3. Layer 4-7 Integration:

    • Use service graphs with ESGs to manage advanced traffic inspection or load balancing.

  4. Route Leaking:

    • Facilitates sharing subnets or prefixes across VRFs using ESG-defined rules.


Key Takeaways


  1. EPGs are for basic network and security grouping, directly tied to a single bridge domain.

  2. ESGs provide advanced security and micro-segmentation at the VRF level, offering more flexibility and spanning multiple bridge domains.

  3. Contracts are necessary for communication between different groups (EPGs or ESGs) to define which protocols and ports are allowed.

  4. Selectors in ESGs let you classify endpoints by IP, MAC, tags, or by referencing an entire EPG or service EPG.

  5. Proxy ARP is important if you rely on IP-based ESG selectors and need to ensure Layer 2 traffic also gets security enforcement.

  6. Route leaking and service graphs with ESGs follow similar steps to those used with EPGs, but the main difference is that contracts and forwarding are separated.


