Using ESGs (Endpoint Security Group) in ACI fabric to migrate from Network Centric to Application Centric

In Release 5.0 of ACI a new feature, ESGs, was released. This feature effectively lets us decouple the security policy construct from EPGs, which have a relationship to BDs, and move it to ESGs, which have a relationship to VRFs.

I had planned to read up on this feature and rewrite the previous article that I had written, “ACI NetCentric 2 AppCentric using Microsegmentation”, with modifications using the ESG feature of ACI release 5.0. In that article, I had shown how to do the migration to app centric using uSeg and hierarchical EPGs. With the new ESG feature you can skip the uSeg part and use ESGs instead of the hierarchical EPGs in one go. This effectively makes it much simpler and cleaner to configure and manage.

After reading the excellent CCO documentation on ESGs, I realized that there is really no need for me to write this up. This CCO documentation has done a terrific job of explaining ESGs and the use cases! Please read it at your convenience. You may very well find that this feature is a good fit for your needs.

Also, please do not forget to pay close attention to the limitations (as of this writeup).


As of the Cisco APIC release 5.0(1), the following limitations apply:

  • Contracts between ESGs and EPGs are not supported.

  • The ESG feature is not integrated with the Cisco ACI Multi-Site.

  • The supported ESG selector is the IP address. MAC addresses, VM tags, or other criteria are not yet supported.

  • An ESG contract can be applied only for routed traffic with IP as the selector.

  • To prevent Layer 2 traffic (that is, non-routed traffic) from bypassing ESG security when IP is used as the selector, enable an intra EPG contract with a permit-all rule, such as the common default contract, on all of the EPGs that provide VLAN-to-interface binding for the ESG endpoints. If all the endpoints in the EPGs are classified to ESGs, you can alternatively enable intra EPG isolation with proxy ARP on the EPGs instead of the intra EPG contract. If the EPG is used only for VMM DVS integration, you can alternately enable the Allow Micro-Segmentation option instead of the other two options mentioned above. Either feature forces all communication between ESG endpoints to go through Layer 3 routing.

  • Taboo contracts are not supported with ESGs.

  • Inter-VRF service graphs between ESGs are not supported.

  • Only the EX and newer generation of leaf nodes are supported for ESG deployment.


Cisco APIC Security Configuration Guide, Release 5.0(x)
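The Layer 2 bypass limitation above gives three acceptable configurations for the EPGs that carry ESG endpoints. The following audit script is an added example (not from this post or from Cisco) that walks the EPG objects returned by the APIC REST API and reports which EPGs satisfy one of them; the object-model names used (fvAEPg, pcEnfPref, fwdCtrl, fvRsIntraEpg/tnVzBrCPName, fvRsDomAtt/classPref) are my understanding of the APIC model and are assumptions to verify against your release's API reference, and the sample payload is constructed.

```python
"""Audit EPGs for the ESG Layer 2 bypass mitigations (added example, not Cisco code)."""
import json
from typing import Dict, Tuple

# Contracts treated as permit-all. "default" is the common/default contract named in
# the limitation text; add your own permit-all contracts here (assumption).
PERMIT_ALL_CONTRACTS = {"default"}


def epg_mitigates_l2_bypass(epg: dict) -> Tuple[bool, str]:
    """Return (ok, reason) for one fvAEPg object fetched with rsp-subtree=children."""
    attrs = epg["fvAEPg"]["attributes"]
    children = epg["fvAEPg"].get("children", [])
    # Option 1: intra-EPG contract with a permit-all rule (fvRsIntraEpg relation, assumed name)
    for child in children:
        rel = child.get("fvRsIntraEpg")
        if rel and rel["attributes"].get("tnVzBrCPName") in PERMIT_ALL_CONTRACTS:
            return True, "intra-EPG contract %s" % rel["attributes"]["tnVzBrCPName"]
    # Option 2: intra-EPG isolation enforced together with proxy ARP (assumed attribute names)
    if attrs.get("pcEnfPref") == "enforced" and "proxy-arp" in attrs.get("fwdCtrl", ""):
        return True, "intra-EPG isolation with proxy ARP"
    # Option 3: VMM-only EPG with Allow Micro-Segmentation on every domain attachment
    dom_atts = [c["fvRsDomAtt"]["attributes"] for c in children if "fvRsDomAtt" in c]
    if dom_atts and all(d.get("classPref") == "useg" for d in dom_atts):
        return True, "Allow Micro-Segmentation on all VMM domain attachments"
    return False, "non-routed traffic between ESG endpoints can bypass ESG policy"


def audit(payload: str) -> Dict[str, Tuple[bool, str]]:
    """Map EPG name -> (ok, reason) for a GET /api/class/fvAEPg.json response body."""
    data = json.loads(payload)
    return {e["fvAEPg"]["attributes"]["name"]: epg_mitigates_l2_bypass(e) for e in data["imdata"]}


# Constructed sample response: one EPG per option, plus one with no mitigation at all.
SAMPLE = json.dumps({"imdata": [
    {"fvAEPg": {"attributes": {"name": "web-vlan10", "pcEnfPref": "unenforced", "fwdCtrl": ""},
                "children": [{"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": "default"}}}]}},
    {"fvAEPg": {"attributes": {"name": "app-vlan20", "pcEnfPref": "enforced", "fwdCtrl": "proxy-arp"},
                "children": []}},
    {"fvAEPg": {"attributes": {"name": "db-vlan30", "pcEnfPref": "unenforced", "fwdCtrl": ""},
                "children": [{"fvRsDomAtt": {"attributes": {"tDn": "uni/vmmp-VMware/dom-DVS1",
                                                             "classPref": "useg"}}}]}},
    {"fvAEPg": {"attributes": {"name": "legacy-vlan40", "pcEnfPref": "unenforced", "fwdCtrl": ""},
                "children": []}},
]})

if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE).items():
        print("%s %s: %s" % ("OK  " if ok else "RISK", name, why))
```

Only EPGs whose endpoints are actually classified into ESGs need to pass; an EPG flagged RISK that still holds unclassified endpoints is a reminder that option 2 is only valid once all of its endpoints are in ESGs.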
