Exam 350-601 topic 1 question 86 discussion

C. 1. Set Allow Microsegmentation under the EPG VMM Domain Association to "True" 2. Set Intra-EPG Isolation to "Enforced" for the EPG 3. Set Intra-EPG Isolation to "Enforced" for the uSeg EPG. Setting "Allow Microsegmentation" to "True" enables the creation of uSeg EPGs. Setting "Intra-EPG Isolation" to "Enforced" for the EPG and uSeg EPG will allow for the enforcement of microsegmentation between the endpoints based on specific VM attributes. This will block the traffic between the subset of endpoints and the rest of the VMs in that EPG.

Cant be A, traffic must denied between vm intra-epg

Agreed, should be A

Intra-EPG Isolation Enforced = the main EPG can achieve isolation within itself. uSeg EPG Enforced = complete isolation each other and groups uSeg EPG Unenforced = controlled isolation can communicate with each other based on policies The request is to block traffic between a subset of endpoints in an EPG, not to completely isolate devices in an EPG

The goal here is to block traffic between VMM attribute based EP and the rest EP in same EPG. We do not have to block traffic within the VMM based attribute EP group and the normal EP group. So we don't need to set the Intra-EPG isolation to enforce in the base EPG and the uEPG.

I agree with saju777. Check out his reference, there is a config example: enforcement for intra-epg isolation to on, no need for additional enforcement cause its a standard EPG no useg EPG

I think its D. The Intra EPG Isolation option is left Unenforced here. https://aci-lab.ciscolive.com/lab/pod4/segmentation/mseg

I would go with A too, intra-EPG isolation is not required, the question is asking for blocking traffic between uSeg EPG and the EPG.

there is no requirement to block traffic between EPs in same EPG or same useg EPG

c is the correct one