
350-601 Exam - Question 86


The VMM domain is integrated between Cisco APICs and vCenter using a distributed vSwitch. The traffic must be blocked between a subset of endpoints in an EPG based on specific VM attributes and the rest of the VMs in that EPG. Which set of actions blocks this traffic?

Correct Answer: D

To block traffic between a subset of endpoints in an EPG based on VM attributes, microsegmentation must be enabled, and intra-EPG isolation needs to be enforced. First, enable microsegmentation by setting 'Allow Microsegmentation' to 'True'. Then, enforce intra-EPG isolation for the primary EPG to ensure traffic directions are controlled. Finally, set intra-EPG isolation for the uSeg EPG to 'Unenforced', which allows controlled communication based on policies while blocking specific traffic based on VM attributes. This configuration balances enforcing isolation at the EPG level while allowing specific policy-driven traffic control within the microsegmented group.

Discussion

9 comments
GuyThatTakesDumps, Option: C
Sep 21, 2022

C is the correct one.

saju777, Option: D
Dec 7, 2022

I think it's D. The Intra EPG Isolation option is left Unenforced here. https://aci-lab.ciscolive.com/lab/pod4/segmentation/mseg

saju777
Dec 7, 2022

I meant uSeg Intra-EPG Isolation left Unenforced. Base EPG Intra-EPG Isolation is Enforced.

Rocky_Truth, Option: C
Mar 5, 2023

C.
1. Set Allow Microsegmentation under the EPG VMM Domain Association to "True"
2. Set Intra-EPG Isolation to "Enforced" for the EPG
3. Set Intra-EPG Isolation to "Enforced" for the uSeg EPG.

Setting "Allow Microsegmentation" to "True" enables the creation of uSeg EPGs. Setting "Intra-EPG Isolation" to "Enforced" for the EPG and uSeg EPG will allow for the enforcement of microsegmentation between the endpoints based on specific VM attributes. This will block the traffic between the subset of endpoints and the rest of the VMs in that EPG.

groblok, Option: D
Sep 18, 2023

Intra-EPG Isolation Enforced = the main EPG can achieve isolation within itself.
uSeg EPG Enforced = complete isolation from each other and groups.
uSeg EPG Unenforced = controlled isolation, can communicate with each other based on policies.
The request is to block traffic between a subset of endpoints in an EPG, not to completely isolate devices in an EPG.

hazemsalah87, Option: A
Sep 25, 2022

There is no requirement to block traffic between EPs in the same EPG or the same uSeg EPG.

zoltaaan, Option: A
Dec 1, 2022

I would go with A too. Intra-EPG isolation is not required; the question is asking for blocking traffic between the uSeg EPG and the EPG.

H_nna, Option: D
Jul 1, 2023

I agree with saju777. Check out his reference, there is a config example: enforcement for intra-EPG isolation to on, no need for additional enforcement 'cause it's a standard EPG, no uSeg EPG.

Ruzjio, Option: A
Jul 2, 2023

The goal here is to block traffic between the VMM attribute-based EPs and the rest of the EPs in the same EPG. We do not have to block traffic within the VMM attribute-based EP group and the normal EP group. So we don't need to set the Intra-EPG isolation to enforce in the base EPG and the uEPG.

mark_87, Option: A
Mar 26, 2024

Agreed, should be A