
Security Group

Security Group provides micro-segmentation on NX-OS by classifying endpoints into security groups based on IP address, VLAN, or external subnets. Traffic between groups is controlled by security contracts applied per VRF; a contract references a policy map, and each policy map is a list of class-map-based filtering rules with a permit or deny action. Security Group requires the security-group feature to be enabled (`feature: security_group: true`) and the system routing template to be set to template-security-groups (`system: routing: template-security-groups`), as shown in Example 3 below.

Diagram
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| security_group | Class | [security_group] | No | |

security_group (nxos.devices.configuration)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| mac_segmentation | Choice | enabled, disabled | No | |
| security_groups | List | [security_groups] | No | |
| class_maps | List | [class_maps] | No | |
| policy_maps | List | [policy_maps] | No | |

security_groups (nxos.devices.configuration.security_group)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| id | Integer | min: 1, max: 65535 | Yes | |
| name | String | | No | |
| match_connected_endpoints_ipv4 | List | [match_connected_endpoints_ipv4] | No | |
| match_connected_endpoints_ipv6 | List | [match_connected_endpoints_ipv6] | No | |
| match_vlans | Class | [match_vlans] | No | |

class_maps (nxos.devices.configuration.security_group)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| description | String | | No | |
| filter_entries | List | [filter_entries] | No | |

policy_maps (nxos.devices.configuration.security_group)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| description | String | | No | |
| classes | List | [classes] | No | |

match_connected_endpoints_ipv4 (nxos.devices.configuration.security_group.security_groups)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vrf | String | | Yes | |
| address | IP | | Yes | |

match_connected_endpoints_ipv6 (nxos.devices.configuration.security_group.security_groups)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vrf | String | | Yes | |
| address | IP | | Yes | |

match_vlans (nxos.devices.configuration.security_group.security_groups)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ids | List | Integer[min: 1, max: 4094] | No | |
| ranges | List | [ranges] | No | |

filter_entries (nxos.devices.configuration.security_group.class_maps)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | | Yes | |
| dscp | Integer | min: 0, max: 63 | No | |
| fragments | Boolean | true, false | No | |
| icmpv4_type | Integer | min: 0, max: 255 | No | |
| icmpv6_type | Integer | min: 0, max: 255 | No | |

classes (nxos.devices.configuration.security_group.policy_maps)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| class | String | | Yes | |
| action | Choice | deny, permit | No | |
| count | Boolean | true, false | No | |
| log | Boolean | true, false | No | |
| redirect | String | | No | |

ranges (nxos.devices.configuration.security_group.security_groups.match_vlans)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| from | Integer | min: 1, max: 4094 | Yes | |
| to | Integer | min: 1, max: 4094 | Yes | |

Example 1: Security groups with connected endpoint and VLAN selectors

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        feature:
          security_group: true
        security_group:
          security_groups:
            - id: 2681
              name: web_sg
              match_connected_endpoints_ipv4:
                - vrf: galactic_vrf
                  address: 172.17.101.0/24
            - id: 2682
              name: mail_sg
              match_connected_endpoints_ipv4:
                - vrf: galactic_vrf
                  address: 172.17.102.0/24
            - id: 5000
              name: monitoring-net
              match_vlans:
                ids: [2402]
```

Example 2: Class maps and policy maps for security filtering

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        feature:
          security_group: true
        security_group:
          class_maps:
            - name: icmp
              description: Match ICMP (auto generated)
            - name: tcp_443
              description: Match TCP port 443
              filter_entries:
                - name: tcp_443_entry
            - name: tcp_80
              description: Match TCP port 80
              filter_entries:
                - name: tcp_80_entry
          policy_maps:
            - name: any-to-any_icmp
              description: Any to Any traffic
              classes:
                - class: icmp
                  action: permit
            - name: mail_web_tcp_443
              description: Mail to Web traffic
              classes:
                - class: tcp_443
                  action: permit
                  count: true
                  log: false
```

Example 3: VRF security enforcement

```yaml
nxos:
  devices:
    - name: LEAF1
      configuration:
        system:
          routing: template-security-groups
        feature:
          security_group: true
        vrfs:
          - name: galactic_vrf
            vni: 560000
            security_enforce_tag: 11905
            security_enforce_default: deny
```
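As an added example (not code from the Nexus-as-Code project or this documentation), the Python lint below checks one security_group block against the constraints in the tables above (id and VLAN bounds, mandatory vrf/address, from not greater than to, the action choices) so that a bad value is rejected before the configuration is pushed. The rule that each policy-map class must name a class_map defined in the same block is an assumption of this example, not something the schema states; the sample input is constructed from Example 1 with two deliberate mistakes.

```python
# Added example, not part of the NX-OS data model docs: lint one security_group block (a plain
# dict, as yaml.safe_load returns it) against the constraints in the tables above before a push.
SG_ID, VLAN_ID = (1, 65535), (1, 4094)   # bounds for security_groups.id and VLAN ids
ACTIONS = {"deny", "permit"}             # classes.action choices
def _in_range(v, bounds):
    return isinstance(v, int) and bounds[0] <= v <= bounds[1]
def validate_security_group(cfg):
    """Return a list of problems found in the block; an empty list means it is valid."""
    errors, seen = [], set()
    for sg in cfg.get("security_groups", []):
        sid = sg.get("id")
        if not _in_range(sid, SG_ID):
            errors.append(f"security_groups: id {sid!r} is not an integer in {SG_ID}")
        elif sid in seen:
            errors.append(f"security_groups: duplicate id {sid}")
        seen.add(sid)
        for fam in ("match_connected_endpoints_ipv4", "match_connected_endpoints_ipv6"):
            for ep in sg.get(fam, []):
                for key in ("vrf", "address"):          # both mandatory per the schema
                    if not ep.get(key):
                        errors.append(f"security_groups[{sid}].{fam}: missing {key}")
        vl = sg.get("match_vlans") or {}
        for vid in vl.get("ids", []):
            if not _in_range(vid, VLAN_ID):
                errors.append(f"security_groups[{sid}].match_vlans: VLAN id {vid!r} out of range")
        for r in vl.get("ranges", []):
            lo, hi = r.get("from"), r.get("to")
            if not (_in_range(lo, VLAN_ID) and _in_range(hi, VLAN_ID) and lo <= hi):
                errors.append(f"security_groups[{sid}].match_vlans: bad range {lo!r}-{hi!r}")
    # Assumption (not stated by the schema): a policy-map class must name a class_map in this block.
    classes = {cm.get("name") for cm in cfg.get("class_maps", [])}
    for pm in cfg.get("policy_maps", []):
        for c in pm.get("classes", []):
            if c.get("class") not in classes:
                errors.append(f"policy_maps[{pm.get('name')}]: unknown class {c.get('class')!r}")
            if "action" in c and c["action"] not in ACTIONS:
                errors.append(f"policy_maps[{pm.get('name')}]: bad action {c['action']!r}")
    return errors

# Constructed sample: Example 1's web_sg and monitoring-net plus two deliberate mistakes
# (a VLAN id above 4094 and a policy-map class that no class_map defines).
SAMPLE = {
    "security_groups": [
        {"id": 2681, "name": "web_sg", "match_connected_endpoints_ipv4": [
            {"vrf": "galactic_vrf", "address": "172.17.101.0/24"}]},
        {"id": 5000, "name": "monitoring-net", "match_vlans": {"ids": [2402, 4095]}}],
    "class_maps": [{"name": "tcp_443", "filter_entries": [{"name": "tcp_443_entry"}]}],
    "policy_maps": [{"name": "mail_web_tcp_443", "classes": [
        {"class": "tcp_443", "action": "permit", "count": True}, {"class": "tcp_80"}]}],
}
```

Running `validate_security_group(SAMPLE)` reports the out-of-range VLAN 4095 and the undefined class tcp_80; wire it into the pipeline that renders the YAML so a failing lint blocks the push.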