You can use microsegmentation with Cisco ACI to create new uSeg EPGs that contain VMs drawn from a single application EPG. By default, VMs within an application EPG can communicate with each other. Once VMs are placed in separate uSeg EPGs, communication between those groups is blocked as long as the VRF is in enforced mode and no contract exists between the uSeg EPGs, which is exactly what you want when groups of VMs must be isolated from one another.
For this example, let’s assume that you need to deploy a virtual desktop infrastructure (VDI) for the Human Resources, Finance, and Operations departments. The VDI virtual desktop VMs are part of a single application EPG called EPG_VDI with identical access requirements to the rest of the application EPGs.
Service contracts are built in such a way that EPG_VDI has access to Internet resources and internal resources. At the same time, the company must ensure that each of the VM groups—Human Resources, Finance, and Operations—cannot access the others, even though they all belong to the same application EPG, EPG_VDI.
To meet this requirement, you can create filters in the Cisco APIC that match on the names of the VMs in the application EPG EPG_VDI. If you create a filter with the value “HR_VM,” the Cisco APIC creates a uSeg EPG—a microsegment—for all Human Resources VMs whose names match. Note that the Cisco APIC evaluates the match against VMs in all EPGs in the tenant, not only in the EPG whose VMs you intend to group. So, when you create VMs, it is recommended that you choose names that are unique within the tenant.
Similarly, you can create filters with the keyword “FIN_VMs” for Finance virtual desktops and “OPS_VMs” for Operations virtual desktops. These uSeg EPGs are represented as new EPGs within the Cisco APIC policy model. You can then apply contracts and filters to control access between the VM groups even though they belong to the same application EPG.
As shown in Figure 18-15, all the virtual desktop VMs from the Human Resources, Finance, and Operations groups have been moved from the application EPG, EPG_VDI, to new uSeg EPGs: EPG_OPS_MS, EPG_FIN_MS, and EPG_HR_MS. Each uSeg EPG has the attribute type VM Name with a value to match key parts of the VM’s name. EPG_OPS_MS has the value OPS_VM, so all VMs in the tenant containing OPS_VM in their names become part of EPG_OPS_MS. The other uSeg EPGs have corresponding values, resulting in the movement of VMs in the tenant with matching names to the uSeg EPGs.
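The configuration described above, as an added example that is not part of the original text or Cisco's own documentation: it builds the APIC JSON object for one VM-name based uSeg EPG and pre-checks a constructed VM inventory for names that would match no uSeg EPG or more than one (the tenant-wide matching caveat). The tenant, bridge domain and VMM domain names are placeholders; the class and attribute names follow the APIC object model.

```python
import json

# Placeholder names (assumed); only the uSeg EPG names and VM-name values come from the text.
TENANT = "Tenant_VDI"
APP_PROFILE = "AP_VDI"
BRIDGE_DOMAIN = "BD_VDI"
VMM_DOMAIN_DN = "uni/vmmp-VMware/dom-VDI_vDS"

# uSeg EPG name -> substring that the VM Name attribute must contain
USEG_EPGS = {"EPG_HR_MS": "HR_VM", "EPG_FIN_MS": "FIN_VM", "EPG_OPS_MS": "OPS_VM"}


def useg_epg_payload(epg_name, vm_name_value, precedence):
    """Build the fvAEPg JSON object for one VM-name based uSeg EPG.

    fvAEPg/fvCrtrn/fvVmAttr are APIC model classes; 'prec' (match precedence,
    assumed here as the tie-breaker) decides which uSeg EPG wins if a VM name
    matches several criteria.
    """
    criterion = {"fvCrtrn": {
        "attributes": {"name": "crit_" + epg_name, "match": "any", "prec": str(precedence)},
        "children": [{"fvVmAttr": {"attributes": {
            "name": "vmname", "type": "vm-name", "operator": "contains", "value": vm_name_value}}}]}}
    return {"fvAEPg": {
        "attributes": {"name": epg_name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": BRIDGE_DOMAIN}}},
            {"fvRsDomAtt": {"attributes": {"tDn": VMM_DOMAIN_DN,
                                           "instrImedcy": "immediate", "resImedcy": "immediate"}}},
            criterion]}}


def classify_vm(vm_name):
    """Return every uSeg EPG whose VM Name criterion matches this VM (tenant-wide match)."""
    return [epg for epg, needle in USEG_EPGS.items() if needle in vm_name]


def audit_vm_names(vm_names):
    """Flag VMs that match no uSeg EPG (they stay in their application EPG) or more than one."""
    unmatched = [vm for vm in vm_names if not classify_vm(vm)]
    ambiguous = {vm: classify_vm(vm) for vm in vm_names if len(classify_vm(vm)) > 1}
    return unmatched, ambiguous


if __name__ == "__main__":
    # Constructed inventory; the last entry is a non-VDI VM in the same tenant whose
    # name happens to contain two of the match values.
    inventory = ["VDI-HR_VM-01", "VDI-FIN_VM-02", "VDI-OPS_VM-03", "WEB-APP-01", "BKP-HR_VM-FIN_VM"]
    print(json.dumps(useg_epg_payload("EPG_HR_MS", USEG_EPGS["EPG_HR_MS"], 1), indent=2))
    print(audit_vm_names(inventory))
```

Run the audit against the tenant's VM list before posting the uSeg EPGs so that unintended matches surface as a report rather than as VMs silently moved into the wrong microsegment.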