In modern data centers, workloads are becoming more agile and now span bare-metal servers, virtual machines (VMs) across multiple hypervisors, and container endpoints. Securing these workloads is a primary concern, particularly how endpoints within one application tier of a multi-tiered application can be segmented from each other. Microsegmentation is a technique that uses "attributes" to classify endpoints into an End Point Group (EPG). These attributes can be virtual machine attributes or network attributes. For example, a data center administrator can dynamically enforce security policies and quarantine compromised or rogue endpoints based on VM attributes (e.g. VM name, VM id, Operating System (OS) type) and/or network attributes (IP address, MAC address). The data center administrator can also apply microsegmentation to multi-tiered applications hosted across multiple hypervisors and bare-metal server environments, with security enforced at the granularity of individual endpoints.
Traditionally, microsegmentation within an Application Centric Infrastructure (ACI) has been implemented by assigning a unique virtual local area network (VLAN) to each endpoint so that the endpoints are segmented from one another. This model does not stop endpoints from learning the real MAC addresses of other microsegmented endpoints in the same bridge domain, leaving the VMs under constant threat of MAC spoofing attacks. If one endpoint is compromised, it can send traffic disguised as another endpoint, creating a major security hole within the data center. In addition, the number of VLANs consumed grows linearly with the number of endpoints that require this feature.
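To make the two ideas above concrete (attribute-based classification into EPGs, and the MAC-learning gap of the VLAN-per-endpoint model), here is an added illustrative model; it is not Cisco ACI code, and the inventory, rule names, port names, match-all rule semantics and first-match precedence are all constructed assumptions. `classify` places an endpoint into a microsegment EPG from its VM and network attributes, and `check_frame` shows the kind of binding check a fabric needs so that a frame carrying a neighbour's MAC address is flagged rather than forwarded.

```python
"""Added example (not Cisco ACI code): attribute-based microsegmentation plus a
source-MAC binding check. Endpoints carry VM attributes (name, OS) and network
attributes (IP, MAC); uSeg rules classify them into EPGs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Endpoint:
    name: str   # VM name attribute
    os: str     # OS type attribute
    ip: str     # network attributes
    mac: str
    port: str   # attachment point on which the fabric learned the endpoint
@dataclass(frozen=True)
class USegRule:
    """Every clause that is set must match (match-all semantics, an assumption)."""
    epg: str
    name_prefix: Optional[str] = None
    os_type: Optional[str] = None
    subnet: Optional[str] = None
    mac: Optional[str] = None

    def matches(self, ep: Endpoint) -> bool:
        return all([
            self.name_prefix is None or ep.name.startswith(self.name_prefix),
            self.os_type is None or ep.os == self.os_type,
            self.subnet is None or ip_address(ep.ip) in ip_network(self.subnet),
            self.mac is None or ep.mac.lower() == self.mac.lower(),
        ])
def classify(ep: Endpoint, rules: list, base_epg: str = "base") -> str:
    """First matching uSeg rule wins; unmatched endpoints stay in the base EPG."""
    return next((r.epg for r in rules if r.matches(ep)), base_epg)
def check_frame(inventory: list, port: str, src_mac: str) -> str:
    """'ok' if the MAC was learned on this port, 'mac-spoof' if another port owns it."""
    src_mac = src_mac.lower()
    for ep in inventory:
        if ep.mac.lower() == src_mac:
            return "ok" if ep.port == port else "mac-spoof"
    return "unknown"
# Constructed sample inventory: one bridge domain, three application tiers.
INVENTORY = [
    Endpoint("web-01", "linux", "10.0.1.10", "00:50:56:aa:00:01", "eth1/1"),
    Endpoint("web-02", "linux", "10.0.1.11", "00:50:56:aa:00:02", "eth1/2"),
    Endpoint("app-01", "linux", "10.0.1.20", "00:50:56:aa:00:03", "eth1/3"),
    Endpoint("db-01", "windows", "10.0.1.30", "00:50:56:aa:00:04", "eth1/4"),
]
RULES = [  # rule order matters: the quarantine rule is listed first so it wins
    USegRule("quarantine", mac="00:50:56:aa:00:02"),
    USegRule("web-tier", name_prefix="web-", os_type="linux"),
    USegRule("db-tier", os_type="windows", subnet="10.0.1.0/24"),
]
```

With this inventory, web-02 lands in the quarantine EPG even though it also satisfies the web-tier rule, and a frame arriving on eth1/3 with web-01's MAC is reported as a spoof instead of being learned.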