Cisco ACI 5.1 with VMware Lab v1


First Published: 2020-09-22

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 About 1
About This Demonstration 1
Requirements 1
About This Solution 2
Topology 2
Before Presenting 3
Get Started 3

CHAPTER 2 Scenarios 7

APIC System Overview and Operations 7


System Health Dashboard 7
Create VMM Domain Profile for vCenter 15
Create VMM Domain Profile for vCenter Automatically 23
Create a Tenant and an Application Profile 23
Add a Tenant 25
Create VRF in dCloud 25
Create Bridge Domains 26
Bridge Domain - 192.168.20.0_24 26

Bridge Domain - 192.168.21.0_24 26

Bridge Domain - 192.168.22.0_24 26

Application Profiles 27
Create Application Profile EPG – 192.168.20.0_24 27

Create Application Profile EPG – 192.168.21.0_24 28

Create Application Profile EPG – 192.168.22.0_24 29

vSphere Review 29
What are the Endpoint Security Groups (ESGs) of ACI? (A New Feature of ACI 5) 30


How Can ESGs Help? 30


What About the Contracts ? 30
Configure ESGs 31
Working with Contracts 33
Create and Apply a Contract 34
Contract – 22-DB to 21-App 34
Contract – 21-App to 20-Web 35
Connecting a Host to the ACI Fabric 37
Configure the Interface 38
Create Leaf Access Port Policy Group 39
Verify Physical Interfaces 40

CHAPTER 3 Appendix 43

Appendix A. Reset APIC Simulator 43


Appendix B. Fix My Demo 44

CHAPTER 4 What's Next? 47

CHAPTER 1
About
• About This Demonstration, on page 1
• Requirements, on page 1
• About This Solution, on page 2
• Topology, on page 2
• Before Presenting, on page 3
• Get Started, on page 3

About This Demonstration


This lab provides an introduction to Cisco ACI when deployed with VMware.

ACI Simulator Limitations


Certain features of Cisco ACI are outside the scope of this demonstration, because the demonstration uses a
simulated environment rather than a physical one:
• The simulator must be rebooted if left running for more than a few days.
• The simulator returns to its initial state following a reboot.
• No traffic passes between devices connected to the simulated fabric (ESXi, VMs, etc.).
• Screen refresh may take slightly longer than expected.

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Required: Laptop
Optional: Cisco AnyConnect


About This Solution


The Cisco Application Policy Infrastructure Controller (Cisco APIC) is the unifying point of automation and
management for the Cisco Application Centric Infrastructure (Cisco ACI) fabric. The Cisco APIC provides
centralized access to all fabric information, optimizes the application lifecycle for scale and performance,
and supports flexible application provisioning across physical and virtual resources.
Cisco ACI virtual machine networking provides hypervisors from multiple vendors programmable and
automated access to high-performance, scalable, virtualized data center infrastructure. Programmability and
automation are critical features of scalable data center virtualization infrastructure. The ACI open REST API
enables virtual machine (VM) integration with and orchestration of the policy-model-based ACI fabric. ACI
VM networking enables consistent enforcement of policies across both virtual and physical workloads managed
by hypervisors from multiple vendors.
For additional information, visit www.cisco.com/go/apic.

Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can
see the IP address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.
The figure below shows the virtual demonstration topology, which consists of the following virtual machines:
• APIC Simulator version 5.1 – includes Spine 1 and Spine 2, Leaf 1 and Leaf 2, APIC1, APIC2 and
APIC3
• VMware Virtual Center Server 7.0 Appliance
• VMware ESXi 7.0
• EMC vVNXe Storage Appliance
• Cisco Unified Computing System Platform Emulator 4.1
• Linux Tools Repository (CentOS 7)
• Active Directory 2019 (Domain Controller)
• Windows 10 Workstation


Before Presenting
Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Get Started
Follow these steps to schedule a session of the content and configure your presentation environment:

Step 1 Initiate your dCloud session. [Show Me How]


Note It may take up to 10 minutes for your session to become active.

Step 2 Connect to the demo workstation.


• Using Cisco AnyConnect (for best performance) already installed on your workstation.
a. Click Details.
b. In the Session Details window, scroll to the AnyConnect Credentials section [Show Me How for further details
and example]
c. After you are connected, use the local RDP client on your laptop [Show Me How for further details] using this
information.
Workstation 1: 198.18.133.36, Username: dcloud\demouser, Password: C1sco12345

• Use WebRDP, an HTML RDP Client.


a. In the demo topology, click the wkst1 icon and then, click Remote Desktop.


Step 3 Double-click the APIC Login icon and then, log in with these credentials: admin/C1sco12345.
Step 4 Review the Welcome to APIC pop-up then, select Begin First time setup and then, click Close in the next page.
Example:


Step 5 Select Fabric from the top menu then, select Inventory from the top sub-menu.
Step 6 In the left menu, click Fabric Membership and then, check that four devices are populated (IP addresses may vary).
Example:


Step 7 If only TEP-1-101 is present, see Fix My Demo to discover the Fabric.
Note The fabric discovery can take up to 15 minutes to complete. If you log in before 15 minutes have passed, all
devices may not be discovered.

CHAPTER 2
Scenarios
• APIC System Overview and Operations, on page 7
• Create VMM Domain Profile for vCenter, on page 15
• Create a Tenant and an Application Profile, on page 23
• What are the Endpoint Security Groups (ESGs) of ACI? (A New Feature of ACI 5), on page 30
• Working with Contracts, on page 33
• Connecting a Host to the ACI Fabric, on page 37

APIC System Overview and Operations


This scenario provides an overview of the APIC System Health dashboard, and provides information on how
to drill down into a health score to identify a root issue.

System Health Dashboard

Step 1 On the demo workstation, open Application Policy Infrastructure Controller (if it is not already open) by clicking the
APIC Login icon

and then, log in with credentials admin/C1sco12345.


Step 2 In the Welcome pop-up, check Do not show on login then, click Begin First time setup and then, in the next page,
click Review and Configure to see what has been pre-configured; otherwise click Close to quit the welcome page.
See the following example.
Example:


Step 3 In the menu, click System to display the System Health Dashboard.
• Explain that you logged in with global administrative rights and your view includes all system components.
• Show the single-pane view, which provides a centralized, application-level visibility with real-time application
health monitoring across the physical and virtual environments.
• Show the health scores and explain how a health score is displayed for components that are being monitored by
APIC, such as:
• Fabric health
• Connections to virtual and physical environments

a) Show that the left pane contains health scores for the overall system as well as specific components.
b) Show that the right pane contains fault counts based on areas that have errors.


Step 4 In the dashboard, double-click the SYSTEM WIDE line with all the faults.
Example:

a) Double-click some of the faults, for example, the environmental fault with the PSU error.
Example:


b) Double-click one of the PSU faults to see more detailed information.


Example:

c) In Fault Properties, in the General tab, check out the Fault Code and Affected Object information.
On the Troubleshooting tab you will find audit logs and events related to this fault. If desired, view the information
in the History tab.
Example:


Step 5 Go back to the System Dashboard and double-click Leaf1.


Example:

Step 6 In the Leaf1 window, click the gear icon in the upper-left corner and then, uncheck the box to show all the components
being monitored.
APIC monitors a large amount of data and, by default, reports only the faulty components.
a) Scroll down until the Equipment Policy Entity element with a health score of 90 displays.
Example:


Step 7 Click the fault to expand the Equipment Policy to view the Power Supply that is showing a fault.
Example:

Step 8 Right-click one of the faults and then, click Show Faults in the resulting menu.
Example:

Step 9 Examine the resulting table, which shows the details of the fault.
Example:


Step 10 Close the Show Faults window.


Step 11 In the APIC window, click Fabric then, in the menu, click Topology and then, click Topology to show the graphical
representation of the APIC fabric.
Example:

Step 12 In the Inventory menu, expand Pod1 and then, select Spine1 to show the health details for Spine1
Example:


Step 13 In the menu, click Leaf2 to see the Summary information for that Leaf.
Example:

Step 14 Click Tenants in the ACI menu and show that four tenants are configured.
Example:


Create VMM Domain Profile for vCenter


Cisco APIC integrates with third-party VM managers (VMMs) (for example, VMware vCenter) to extend
the benefits of Cisco ACI to the virtualized infrastructure. Cisco APIC enables Cisco ACI policies inside the
VMM system to be used by its administrator.
ACI fabric virtual machine manager (VMM) domains enable an administrator to configure connectivity
policies for VM controllers. The essential components of an ACI VMM domain policy include the following:
• VMM Domain Profile: groups VM controllers with similar networking policy requirements. For example,
VM controllers can share VLAN pools and application endpoint groups (EPGs). The APIC communicates
with the controller to publish network configurations such as port groups that are then applied to the
virtual workloads. The VMM domain profile includes the following essential components:
• Credential: associates a valid VM controller user credential with an APIC VMM domain.
• Controller: specifies how to connect to a VM controller that is part of a policy enforcement domain.
For example, the controller specifies the connection to a VMware vCenter that is part of a VMM
domain.

• EPG Association: endpoint groups regulate connectivity and visibility among the endpoints within the
scope of the VMM domain policy. VMM domain EPGs behave as follows:
• The APIC pushes these EPGs as port groups into vCenter to a VMware Distributed Switch.
• An EPG can span multiple VMM domains, and a VMM domain can contain multiple EPGs.

• Attachable Entity Profile Association: associates a VMM domain with the physical network infrastructure.
An attachable entity profile (AEP) is a network interface template that enables deploying VM controller
policies on a large set of leaf switch ports. An AEP specifies which switches and ports are available, and
how they are configured.
• VLAN Pool Association: a VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation
that the VMM domain consumes.

Step 1 Click Virtual Networking then, right-click VMware and then, select Create vCenter Domain.


Example:

Step 2 Enter My-vCenter for Virtual Switch Name and then, select the following options.
• VMware vSphere Distributed Switch
• VLAN Pool > dCloud_VLAN_Pool(dynamic)

Step 3 In the vCenter Credentials section, click the plus sign.


a) Enter defaultAccP for the name.
b) Enter username and password and then, confirm the password.
• User name: administrator@vsphere.local
• Password: C1sco12345!

c) Click OK.
Example:

Step 4 Provide the details of the vCenter to be connected to ACI.


a) Click the plus sign for vCenter.
b) Enter dCloud-DC for the name.
c) Enter 198.18.133.30 for the Host Name.
d) Enter dCloud-DC for the Datacenter.
e) Select defaultAccP for the Associated Credentials.
Example:


Step 5 Click Submit.


Example:

Note The UCS Service Profiles are configured so that the interfaces that are connected to the ACI fabric have been
configured with the VLAN ranges defined in the dCloud_VLAN_Pool. As VMware Port Profiles are pushed
in from ACI, these VLANs from this pool are allocated.

Step 6 In Google Chrome, open the vCenter(html) tab then, check the Use Windows session authentication box and then,
click Login.


Note This is the last infrastructure configuration the network engineer does with ACI. The remaining steps are
done by the server administrator.

Step 7 Click the Networking tab then, expand vc1.dcloud.cisco.com then, expand dCloud-DC and then, look under dCloud-DC
to see that a VMware Distributed Switch has been added named My-vCenter.
Example:

Step 8 Right-click and then, select Add or Manage Hosts.


Example:

Step 9 In the Select Task window, select Add Hosts and then, click Next.
Example:


Step 10 In the Select Hosts window, select New hosts then, select all hosts then, click OK and then, click Next.
Example:

Step 11 In Manage physical adapters, highlight vmnic2 and then, click Assign Uplink.
Example:


Step 12 Click Auto Assign then, check Apply this uplink assignment to the rest of the hosts then, click OK and then, click
Next.
Example:

Step 13 Leave the defaults for Manage VMkernel adapters and then, click Next.
Example:


Step 14 Leave the defaults for Migrate VM networking and then, click Next.
Example:

Step 15 Review the information in Ready to Complete and then, click Finish.
Example:

Step 16 Select My-vCenter VDS then, click the Hosts tab and then, confirm that the hosts are connected to the VMware
Example:


Step 17 Return to the APIC window and then, expand VMware > My-vCenter > Controllers > dCloud-DC > Hypervisors.
Note If the ESXi hosts are not listed, then there was an issue in the creation of the VMM Domain Profile, and
APIC is not connected to vCenter. Verify the credentials in VMware > My-vCenter > vCenter Credentials.

Step 18 Expand one of the ESXi hosts to see the virtual machines and vmnics listed.
Example:

Step 19 Collapse Hypervisors then, expand DVS- My-vCenter > Portgroups and then, click My-vCenter-DVUplinks-XXX
to view the details about the Portgroup.
Example:


Create VMM Domain Profile for vCenter Automatically

Note If you have followed the manual process, please skip this section, and go to Create a Tenant and an Application
Profile.

Step 1 On the desktop, click


Step 2 Select option 4 and then, press Enter.
Example:

Step 3 In the vSphere tab, notice that the ACI domain and Distributed switch are created automatically.
Step 4 In the APIC tab, notice that the ACI domain and switches are created automatically.

Create a Tenant and an Application Profile


A tenant is a logical container for application policies that enables an administrator to exercise domain-based
access control. A tenant represents a unit of isolation from a policy perspective, but it does not represent a
private network. Tenants can represent a customer in a service provider setting, an organization or domain in
an enterprise setting, or just a convenient grouping of policies.
Tenants can be isolated from one another or can share resources. The primary elements that the tenant contains
are:
• Virtual Routing and Forwarding (VRF) instances


• Application Profiles that contain endpoint groups (EPGs)


• Contracts and filters
• Bridge Domains
• Outside Networks

A tenant in the ACI object model represents the highest-level object. Inside, you can differentiate between
the objects that define the tenant networking, such as private networks (VRFs), bridge domains and subnets;
and the objects that define the tenant policies such as application profiles and endpoint groups.
The system provides the following four kinds of tenants:
• User tenants are defined by the administrator according to the needs of users. They contain policies that
govern the operation of resources such as applications, databases, web servers, network-attached storage,
virtual machines, and so on.
• The common tenant is provided by the system but can be configured by the administrator. It contains
policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers,
Layer 4 to Layer 7 services, intrusion detection appliances, and so on.
• The infrastructure tenant is provided by the system but can be configured by the administrator. It contains
policies that govern the operation of infrastructure resources such as the VXLAN overlay and MP-BGP
configuration. It also enables the administrator to selectively deploy resources to one or more user tenants
through policies.
• The management tenant is provided by the system but can be configured by the administrator. It contains
policies that govern the operation of the ACI nodes management functions used for in-band and out-of-band
configuration.

There are four methodologies for setting up your ACI policies, as shown in the following illustration:

Options B and C are recommended methodologies. In option B, subnets can be used by any tenant; in option
C, subnets cannot be shared between tenants.
This lab uses option D, where everything is created in a single tenant, because security is not a consideration in this
demonstration.


Add a Tenant

Step 1 Click Tenants.


Step 2 Click Add Tenant.
Step 3 In the Name field, enter dCloud.
Step 4 Click Submit.

Example

Create VRF in dCloud


A Virtual Routing and Forwarding (VRF) instance is a layer 3 context (or private network) that provides IP address
space isolation for tenants. Each tenant can have one or more VRFs, or share one default VRF with other
tenants when there is no overlapping IP addressing between them. In this lab, one default VRF is to be
configured in the common tenant.

Step 1 Drag the VRF icon onto the canvas below.


Example:

Step 2 In the Name field, enter vrf-01.


Step 3 Click Submit.


Create Bridge Domains


A Bridge Domain is a unique layer 2 forwarding domain that contains one or more subnets. Each Bridge
Domain must be linked to a context (VRF). Here two Bridge Domains are created; these are named in alignment
with the subnet addresses that they contain. A Bridge Domain can contain multiple subnets; aligning its
name with a subnet that it contains makes it simple to understand.

Bridge Domain - 192.168.20.0_24

Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.20.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.20.1/24 and then, click OK.
Step 6 Click OK.

Bridge Domain - 192.168.21.0_24

Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.21.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.21.1/24 and then, click OK.
Step 6 Click OK.

Bridge Domain - 192.168.22.0_24

Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.22.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.22.1/24 and then, click OK.
Step 6 Click OK.
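The tenant, VRF and bridge domain objects created by hand in the preceding sections can also be expressed as a single APIC REST document. The following is an added example, not code from the dCloud guide: it builds the fvTenant / fvCtx / fvBD / fvSubnet tree for the lab's values and checks the guide's naming convention (a bridge domain named after the subnet whose gateway it carries) before the payload is emitted. The endpoint /api/mo/uni.json and the session cookie are assumptions about how it would be posted; the script itself needs no network access.

```python
"""Build and validate the APIC REST payload for the lab's tenant objects.

Added example (not part of the dCloud guide). fvTenant, fvCtx, fvBD, fvRsCtx
and fvSubnet are the ACI managed-object class names accepted under
/api/mo/uni.json (assumed endpoint); the tenant, VRF and subnet values are the
ones the lab steps enter in the GUI.
"""
import ipaddress
import json


def gateway_matches_bd_name(bd_name: str, gateway: str) -> bool:
    """Check the lab's convention: BD '192.168.20.0_24' holds gateway 192.168.20.1/24.

    The BD name encodes the subnet with '/' replaced by '_'. The gateway must be a
    host address inside exactly that subnet (not the network address itself).
    """
    network = ipaddress.ip_network(bd_name.replace("_", "/"), strict=True)
    iface = ipaddress.ip_interface(gateway)
    return iface.network == network and iface.ip != network.network_address


def build_bridge_domain(bd_name: str, gateway: str, vrf_name: str) -> dict:
    """One fvBD linked to its VRF (fvRsCtx) with its gateway subnet (fvSubnet)."""
    if not gateway_matches_bd_name(bd_name, gateway):
        raise ValueError(f"gateway {gateway} does not belong to bridge domain {bd_name}")
    return {
        "fvBD": {
            "attributes": {"name": bd_name},
            "children": [
                {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf_name}}},
                # scope=private keeps the subnet inside the VRF, the GUI default.
                {"fvSubnet": {"attributes": {"ip": gateway, "scope": "private"}}},
            ],
        }
    }


def build_tenant_payload(tenant: str, vrf: str, bridge_domains: dict) -> dict:
    """fvTenant containing one fvCtx (VRF) and one fvBD per {name: gateway} entry."""
    children = [{"fvCtx": {"attributes": {"name": vrf}}}]
    for bd_name, gateway in bridge_domains.items():
        children.append(build_bridge_domain(bd_name, gateway, vrf))
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}


# Values from the lab steps: tenant dCloud, VRF vrf-01, three bridge domains.
LAB_BRIDGE_DOMAINS = {
    "192.168.20.0_24": "192.168.20.1/24",
    "192.168.21.0_24": "192.168.21.1/24",
    "192.168.22.0_24": "192.168.22.1/24",
}


def lab_payload() -> dict:
    """The complete document for the objects this lab creates through the GUI."""
    return build_tenant_payload("dCloud", "vrf-01", LAB_BRIDGE_DOMAINS)


if __name__ == "__main__":
    # POST this document to https://<apic>/api/mo/uni.json with an authenticated
    # APIC session to create the same objects the GUI steps create.
    print(json.dumps(lab_payload(), indent=2))
```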


Application Profiles
Application Profiles enable you to model and visualize application layers that the APIC then automatically
renders in the network. The application profiles enable administrators to approach the network resource pool
in terms of applications rather than infrastructure building blocks; however, a network-centric design is also
an option where a more traditional networking approach is preferred. The application profile is a container
that holds EPGs that are logically related to one another. EPGs can communicate with other EPGs in the same
application profile and with EPGs in other application profiles.
To deploy an application or network policy, you must create the required application profiles, filters, and
contracts.
In this example, the application is implemented by using three servers (a web server, an application server,
and a database server).

Step 1 Click Tenants and then, expand dCloud.


Step 2 Right-click Application Profiles and then, select Create Application Profile.
Step 3 In the Name field, enter MyApp and then, click Submit.

Create Application Profile EPG – 192.168.20.0_24

Step 1 Expand Application Profiles.


Step 2 Click MyApp and then, click Topology on the right side of the main panel.
Step 3 Drag the blue EPG icon from the top bar to the app profile canvas.
Step 4 In the Name field, enter 20-Web.
Step 5 In the Bridge Domain drop-down list, select 192.168.20.0_24 then, click OK and then, click Submit.
Note Make sure to click Submit before adding the VMware icon in the next step.

Step 6 Drag the orange VMware icon onto the 20-Web EPG until you see a link between them.
Example:


The VMM Domains window appears.


Step 7 Click the Toolbox icon at the top right and then, select Add VMM Association.
Step 8 In the VCenter Domain Field, select My-vCenter then, leave everything else as default and then, click Submit.
Step 9 Close the VMM domains Window.

Create Application Profile EPG – 192.168.21.0_24

Step 1 Expand Application Profiles.


Step 2 Click MyApp and then, click Topology on the right side of the main panel.
Step 3 Drag the blue EPG icon from the top bar to the app profile canvas.
Step 4 In the Name field, enter 21-App.
Step 5 In the Bridge Domain drop-down list, select 192.168.21.0_24 then, click OK and then, click Submit.
Note Make sure to click Submit before adding the VMware icon in the next step.


Step 6 Drag the orange VMware icon onto the 21-App EPG until you see a link between them.
The VMM Domains window appears.
Step 7 Click the Toolbox icon at the top right and then, select Add VMM Association.
Step 8 In the VCenter Domain Field, select My-vCenter then, leave everything else as default and then, click Submit
Step 9 Close the VMM domains Window.

Create Application Profile EPG – 192.168.22.0_24

Step 1 Expand Application Profiles.


Step 2 Click MyApp and then, click Topology on the right side of the main panel.
Step 3 Drag the blue EPG icon from the top bar to the app profile canvas.
Step 4 In the Name field, enter 22-DB.
Step 5 In the Bridge Domain drop-down list, select 192.168.22.0_24 then, click OK and then, click Submit.
Note Make sure to click Submit before adding the VMware icon in the next step.

Step 6 Drag the orange VMware icon onto the 22-DB EPG until you see a link between them.
The VMM Domains window appears.
Step 7 Click the Toolbox icon at the top right and then, select Add VMM Association.
Step 8 In the VCenter Domain Field, select My-vCenter then, leave everything else as default and then, click Submit
Step 9 Close the VMM domains Window.

vSphere Review

Step 1 In Google Chrome, return to vSphere (html).

Step 2 Notice that the EPGs have been pushed into the VMware VDS.
Note The port group in the preceding figure is automatically associated with the EPG that created that port group
and inherits all networking and application policies defined for that EPG. The policies will be removed if the
VM is detached from the port group. The system automatically and dynamically creates and removes policies
in the ACI stateless firewall.


What are the Endpoint Security Groups (ESGs) of ACI? (A New Feature of ACI 5)
Endpoint Security Groups (ESGs) are a new security component in ACI. They do not replace endpoint
groups (EPGs), which already group a set of endpoints, but add a new layer of segmentation.
EPGs are associated to a single bridge domain (BD) and used to define security zones within a BD. EPGs
define both forwarding and security segmentation at the same time. The direct relationship between the BD
and an EPG prevents an EPG from spanning more than one BD. This limitation of EPGs is resolved
by the new ESG construct, because an ESG can group endpoints from multiple BDs and EPGs (but is limited
to a single VRF).
The following diagram represents two ESGs (Front and Back) with all the other Tenant Objects. They
group endpoints from different EPGs and different BDs, but inside a single VRF.

How Can ESGs Help?


From a customer standpoint, I can see the interest, as most companies begin their migration from legacy
networks to ACI by moving their networks into a network-centric model, because it is easier than migrating
application by application. (It is almost impossible to find the detailed flows that must be opened between all
application tiers.) With this network-centric model, after the migration to ACI, EPGs are bound to their
respective Bridge Domains (BDs), which can limit the benefits of application profiles, micro-segmentation,
L4-L7 service insertion between EPGs, and so on.
In these cases, the addition of an Endpoint Security Group (ESG) can help companies move towards
an application-centric model instead of spending too much time preparing a proper migration from a
network-centric to an application-centric model.

What About the Contracts?


Contract usage in the ESGs is the same as with EPGs.
• Endpoints belonging to the same ESG can communicate without the need for a contract.
• To enable communication between endpoints that belong to different ESGs, you need to configure
contracts between the ESGs.


Configure ESGs

Step 1 Click Tenants and then, dCloud.


Example:

Step 2 Expand dCloud then, expand Application Profiles then, expand MyApp then, right-click Endpoint Security Groups
and then, select Create Endpoint Security Group.
Example:

Step 3 Enter ESG_Front for the Name and then, select vrf-01 for VRF.
Example:


Step 4 Click + to add an IP Subnet then, in Create a Selector, in the IP Subnet field, select IP equals, enter 192.168.20.20
and then, click OK.
Example:

You can also configure:


• Intra-ESG isolation: Enforced or Unenforced, depending on the behavior you want between your endpoints.
Do they need to communicate with or without contracts inside an ESG?
• Preferred group: allows two enforced ESGs to communicate without a contract. This is the same behavior as for
EPGs, provided you also enable the option inside the VRF.

Step 5 Leave Intra ESG Isolation and Preferred Group Member as defaulted and then, click Submit.
Example:


The Endpoint Security Group ESG_Front has been created. You can repeat the same steps to create another, if
you like.
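The ESG behaviour described in this section (an ESG groups endpoints by selector across BDs and EPGs, but never across a VRF, and intra-ESG traffic needs no contract) can be checked with the following added example, which is not code from the dCloud guide. ESG_Front, its selector IP equals 192.168.20.20 and VRF vrf-01 are the lab's values; the second ESG, the subnet selector, the endpoints and their EPG/BD membership are constructed for illustration.

```python
"""Classify endpoints into Endpoint Security Groups (ESGs) by IP selector.

Added example (not part of the dCloud guide). Endpoints and ESG_Back are
constructed; ESG_Front with selector 192.168.20.20 in vrf-01 is the lab's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    epg: str
    bd: str
    vrf: str


@dataclass(frozen=True)
class ESG:
    name: str
    vrf: str
    selectors: tuple  # host addresses ("IP equals") and/or CIDR subnets


def selector_matches(selector: str, ip: str) -> bool:
    """Both 'IP equals 192.168.20.20' and a subnet selector are networks to match against."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


def classify(endpoints: List[Endpoint], esgs: List[ESG]) -> Dict[str, Optional[str]]:
    """Map each endpoint IP to the ESG it lands in, or None if no selector matches.

    An ESG may span BDs and EPGs but not VRFs, so a selector is only applied to
    endpoints in the ESG's own VRF. An endpoint belongs to at most one ESG, so
    overlapping selectors are treated as a configuration error here.
    """
    membership: Dict[str, Optional[str]] = {}
    for ep in endpoints:
        hits = [e.name for e in esgs
                if e.vrf == ep.vrf and any(selector_matches(s, ep.ip) for s in e.selectors)]
        if len(hits) > 1:
            raise ValueError(f"{ep.ip} matches more than one ESG: {hits}")
        membership[ep.ip] = hits[0] if hits else None
    return membership


def contract_needed(membership: Dict[str, Optional[str]], ip_a: str, ip_b: str) -> Optional[bool]:
    """False for two members of the same ESG, True for members of different ESGs.

    Returns None when either endpoint is in no ESG: the ESG policy does not decide
    that pair and the ordinary EPG rules apply.
    """
    a, b = membership.get(ip_a), membership.get(ip_b)
    if a is None or b is None:
        return None
    return a != b


# Constructed sample: ESG_Front gathers a Web host and the whole App subnet
# (two different BDs and EPGs); ESG_Back gathers the DB subnet. All in vrf-01.
LAB_ESGS = [
    ESG("ESG_Front", "vrf-01", ("192.168.20.20", "192.168.21.0/24")),
    ESG("ESG_Back", "vrf-01", ("192.168.22.0/24",)),
]
SAMPLE_ENDPOINTS = [
    Endpoint("192.168.20.20", "20-Web", "192.168.20.0_24", "vrf-01"),
    Endpoint("192.168.21.10", "21-App", "192.168.21.0_24", "vrf-01"),
    Endpoint("192.168.22.10", "22-DB", "192.168.22.0_24", "vrf-01"),
    Endpoint("192.168.20.30", "20-Web", "192.168.20.0_24", "vrf-01"),   # no selector
    Endpoint("192.168.21.50", "other-App", "other-BD", "vrf-other"),    # other VRF
]


def lab_membership() -> Dict[str, Optional[str]]:
    return classify(SAMPLE_ENDPOINTS, LAB_ESGS)


if __name__ == "__main__":
    for ip, esg in lab_membership().items():
        print(f"{ip:16} -> {esg}")
```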

Working with Contracts


Value Proposition: Contracts provide a way for the Cisco Application Centric Infrastructure (ACI) administrator
to control traffic flow within the ACI fabric between endpoint groups (EPGs). These contracts are built using
a provider-consumer model where one endpoint group provides the services it wants to offer and another
endpoint group consumes them. Contracts are assigned a scope of Global, Tenant, VRF, or Application Profile,
which limits the accessibility of the contract. Contracts are not needed for communication between endpoints
in the same EPG.
In brief, contracts consist of one or more subjects. Each subject contains one or more filters. Each filter contains
one or more entries. Each entry is equivalent to a line in an Access Control List (ACL) that is applied on the
Leaf switch to which the endpoint within the endpoint group is attached.
These items comprise contracts.
• Contract — A logical container for the subjects that contain the filters that govern the rules for
communication between endpoint groups (EPGs).
• Subjects — A group of filters for a specific application or service.
• Filters — Used to classify traffic based upon layer 2 to layer 4 attributes (such as Ethernet type, protocol
type, TCP flags and ports).
• Actions — Action to be taken on the filtered traffic.

Best Practice: Create filters in the common tenant, allowing them to be created and then consumed within all
user tenants.
In this scenario, we will create contracts with filters to allow communication between EPGs.


Create and Apply a Contract


The purpose of this section is to create two contracts:
• The first contract, App2DB, allows the App tier to receive information from the DB tier. For this contract,
the App tier is the Consumer and the DB tier is the Provider.
• The second contract, Web2App, allows the Web tier to receive information from the App tier. For this
contract, the Web tier is the Consumer and the App tier is the Provider.

Contract – 22-DB to 21-App

Step 1 Click Tenants then, expand dCloud then, expand Application Profiles then, click MyApp and then, click Topology.
Example:

Step 2 Drag the contract icon over 22-DB and notice that a gray arrow pointing from 22-DB to the contract icon is added automatically.
Step 3 Mouse-over 21-App and release.
Example:
A gray arrow points from the contract icon to 21-App.

Step 4 In the Consumer EPG / External Network drop-down list, ensure that dCloud/MyApp/epg-21-App is selected.
Step 5 In the Provider EPG / Internal Network drop-down list, ensure that dCloud/MyApp/epg-22-DB is selected.
Step 6 In the Contract Name field, enter App2DB.

Step 7 Uncheck No Filter (Allow All Traffic).


Step 8 In the Filter Entries table, click + (add row).
Step 9 In the Name field, enter mysql.
Step 10 In the EtherType drop-down list, select IP.
Step 11 In the IP Protocol drop-down list, select tcp.
Step 12 In the Destination Port / Range (From) drop-down list, enter 3306.
Step 13 In the Destination Port / Range (To) drop-down list, enter 3306 then, click Update then, click OK and then, click
Submit.

The Application Profile – MyApp Topology shows the contract between 21-App and 22-DB.

Contract – 21-App to 20-Web

Step 1 Click Tenants then, expand dCloud then, expand Application Profiles then, click MyApp and then, click Topology.
Step 2 Drag the contract icon over 21-App.
The contract icon is dropped automatically with a gray arrow pointing from 21-App to the contract icon.
Step 3 Move your mouse-pointer over 20-Web and then release.
A gray arrow points from the contract icon to 20-Web.

Step 4 In the Consumer EPG / External Network drop-down, select dCloud/MyApp/epg-20-Web.


Step 5 In the Provider EPG / Internal Network drop-down, select dCloud/MyApp/epg-21-App.
Step 6 In the Contract Name field, enter Web2App.
Step 7 Uncheck No Filter (Allow All Traffic).
Step 8 In the Filter Entries table, click + to add a row.
Step 9 In the Name field, enter https.
Step 10 In the EtherType drop-down list, select IP.
Step 11 In the IP Protocol drop-down list, select tcp.
Step 12 Leave the Source Port / Range (From) and (To) fields at unspecified. A client's source port is ephemeral,
so matching the source port on https (443) here would permit only flows that originate from port 443, and the
Web tier's connections to the App tier would not match the filter.
Step 13 In the Destination Port / Range (From) drop-down list, enter 443.
Step 14 In the Destination Port / Range (To) drop-down list, enter 443 then, click Update then, click OK and then, click
Submit.

The Application Profile – MyApp Topology shows the contract between 21-App and 20-Web.
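The two contracts built above, expressed as the APIC REST (JSON) payload the GUI posts on your behalf, together with a small evaluator that flattens them into the per-leaf ACL lines the introduction describes. This is an added example and not part of the lab or of Cisco's code: the tenant, application profile, EPG, contract and filter names are the lab's, the class and attribute names (fvTenant, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsCons, fvRsProv) follow the APIC object model, and the evaluator is a simplification that models only EPG, protocol and port matching (no TCP flags, no taboo or deny rules). The optional https_source_port argument reproduces a filter that also pins the client's source port, so its effect on a normal client flow can be checked.

```python
"""Tenant dCloud's two contracts as an APIC JSON payload, plus an evaluator
that expands them into the ACL lines each leaf programs. Added example;
names follow the lab and the APIC object model, the evaluator is simplified."""
import json

UNSPEC = "unspecified"      # APIC default for a port field: match any port
ANY = (0, 65535)


def vz_entry(name, prot="tcp", dport=None, sport=None):
    """One filter line (vzEntry). Ports not given stay unspecified."""
    a = {"name": name, "etherT": "ip", "prot": prot,
         "sFromPort": UNSPEC, "sToPort": UNSPEC,
         "dFromPort": UNSPEC, "dToPort": UNSPEC}
    if dport is not None:
        a["dFromPort"] = a["dToPort"] = str(dport)
    if sport is not None:
        a["sFromPort"] = a["sToPort"] = str(sport)
    return {"vzEntry": {"attributes": a}}


def vz_filter(name, *entries):
    return {"vzFilter": {"attributes": {"name": name}, "children": list(entries)}}


def vz_contract(name, filter_name, scope="context"):
    """Contract (vzBrCP) with one subject. revFltPorts='yes' is the GUI default
    (Apply Both Directions + Reverse Filter Ports); scope 'context' means VRF."""
    subj = {"vzSubj": {"attributes": {"name": filter_name, "revFltPorts": "yes"},
                       "children": [{"vzRsSubjFiltAtt":
                                     {"attributes": {"tnVzFilterName": filter_name}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope}, "children": [subj]}}


def fv_epg(name, consumes=(), provides=()):
    kids = [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    kids += [{"fvRsProv": {"attributes": {"tnVzBrCPName": p}}} for p in provides]
    return {"fvAEPg": {"attributes": {"name": name}, "children": kids}}


def dcloud_tenant(https_source_port=None):
    """Tenant dCloud as this scenario builds it. https_source_port=443 reproduces
    a filter that also pins the client's source port."""
    return {"fvTenant": {"attributes": {"name": "dCloud"}, "children": [
        vz_filter("mysql", vz_entry("mysql", dport=3306)),
        vz_filter("https", vz_entry("https", dport=443, sport=https_source_port)),
        vz_contract("App2DB", "mysql"),
        vz_contract("Web2App", "https"),
        {"fvAp": {"attributes": {"name": "MyApp"}, "children": [
            fv_epg("20-Web", consumes=["Web2App"]),
            fv_epg("21-App", consumes=["App2DB"], provides=["Web2App"]),
            fv_epg("22-DB", provides=["App2DB"]),
        ]}},
    ]}}


def _rng(lo, hi):
    return ANY if lo == UNSPEC else (int(lo), int(hi))


def expand_rules(tenant):
    """Flatten the model into ACL lines: (src_epg, dst_epg, prot, sport_range, dport_range)."""
    filters, contracts, cons, prov = {}, {}, {}, {}
    for k in tenant["fvTenant"]["children"]:
        if "vzFilter" in k:
            f = k["vzFilter"]
            filters[f["attributes"]["name"]] = [e["vzEntry"]["attributes"] for e in f["children"]]
        elif "vzBrCP" in k:
            c = k["vzBrCP"]
            subj = c["children"][0]["vzSubj"]
            contracts[c["attributes"]["name"]] = (
                subj["children"][0]["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"],
                subj["attributes"]["revFltPorts"] == "yes")
        elif "fvAp" in k:
            for e in k["fvAp"]["children"]:
                epg = e["fvAEPg"]["attributes"]["name"]
                for rel in e["fvAEPg"]["children"]:
                    if "fvRsCons" in rel:
                        cons.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], []).append(epg)
                    else:
                        prov.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], []).append(epg)
    rules = []
    for name, (fname, rev) in contracts.items():
        for c in cons.get(name, []):
            for p in prov.get(name, []):
                for ent in filters[fname]:
                    s, d = _rng(ent["sFromPort"], ent["sToPort"]), _rng(ent["dFromPort"], ent["dToPort"])
                    rules.append((c, p, ent["prot"], s, d))    # consumer -> provider
                    if rev:                                     # reply flow: ports swapped
                        rules.append((p, c, ent["prot"], d, s))
    return rules


def permitted(rules, src_epg, dst_epg, prot, sport, dport):
    """Same EPG needs no contract; otherwise deny unless an ACL line matches."""
    if src_epg == dst_epg:
        return True
    return any(s == src_epg and d == dst_epg and p == prot
               and sr[0] <= sport <= sr[1] and dr[0] <= dport <= dr[1]
               for s, d, p, sr, dr in rules)


if __name__ == "__main__":
    print(json.dumps(dcloud_tenant(), indent=1))   # body for POST /api/mo/uni.json
    for rule in expand_rules(dcloud_tenant()):
        print(rule)
```

Running the block prints the payload and four ACL lines: App to DB on destination port 3306 with its reversed reply line, and Web to App on 443 with its reply. Evaluating flows against those lines shows why the filters are written on the destination port only: the App tier reaching the DB tier from an ephemeral source port is permitted, the Web tier reaching the DB tier directly is denied because no contract joins those two EPGs, and a filter that also pins the source port to 443 denies an ordinary HTTPS client flow.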

Connecting a Host to the ACI Fabric


When an external device is connected, there are some questions that need to be answered:
• What type of device is this?
• What are the allowed VLAN/VLAN ranges for that connection?
• To which switch will this device be connected?
• To which interface will this device be connected?
• What Link Control Policies and port speed should be applied on that interface?

Cisco ACI uses access policies to configure external-facing interfaces that connect to devices such as virtual
machine controllers and hypervisors, hosts, network-attached storage, routers, or Fabric Extender (FEX)
interfaces. Access policies enable the configuration of:
• Port channels and virtual port channels
• Protocols such as Link Layer Discovery Protocol (LLDP), Cisco Discovery Protocol (CDP), or Link
Aggregation Control Protocol (LACP)
• Features such as statistics gathering, monitoring, and diagnostics

To implement a physical connection in ACI, first define the following:


• Domain – Defines what you want to connect (bare-metal server or switch, router, virtual environment,
etc.).

• VLAN/VSAN Pool – Defines which VLANs or VSANs this connection will use.
• AEP – Groups the Domains you need to allow through a specific port and their corresponding
VLANs/VSANs.
• Interface Profile – On which Interface do you need this connection?
• Interface Policy Group – The set of interface policies, plus the AEP, applied to an interface.
• Interface Policies – The actual policies (e.g. CDP, LLDP, link level, STP interface policy) the policy group references.
• Switch Profile – On which Switch/Node?

These policies are accessible via the Fabric > Access Policies folder.

Configure the Interface


Now, we will use a wizard to create the required configuration for the selected interface.

Step 1 Click Fabric then, click Access Policies then, expand Quick Start.
Example:

Step 2 Select Interfaces And Policies then, in the right pane, select topology/pod-1/node-101 then, expand Pod1 and then,
select Leaf1(Node-101).
Example:

Step 3 Scroll down the page. A few interfaces have been configured already.
Example:

Let’s configure a new interface using the wizard.

Step 4 Right-click Interfaces And Policies then, select Configure Interface and then, in the Leafs drop-down, select 101.
Step 5 In the Interfaces field, enter 1/51, 1/53.
Notice that the Leaf Profile Name and Interface Profile Name fields are automatically populated.

Step 6 In Interface Type, click Individual and then, in the Leaf Access Policy Group drop-down, select Create Leaf Access
Port Policy Group.
Example:

Create Leaf Access Port Policy Group

Step 1 In the Leaf Access Port Policy Group name field, enter Access_Port.

Step 2 In the Link Level drop-down list, select 10Gbps then, in the CDP drop-down list, select CDP-ON and then, in STP
drop-down list, select BPDUguard-On.
Step 3 In the Attached Entity Profile drop-down list, select dCloud_AEP and then, in the bottom of the panel, click Submit.

Step 4 Click Next then, click Finish and then, click OK.
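The wizard hides the chain of objects listed under Connecting a Host to the ACI Fabric (switch profile, interface profile, interface policy group, AEP, domain, VLAN pool), and most deployment faults on a new port come from a break somewhere in that chain. The following added example, which is not part of the lab or of the APIC, models the chain as plain Python objects rather than APIC classes and walks it the way the fabric does: from a leaf and port to the policy group, then through the AEP to the VLANs that port may carry, so that an EPG binding can be checked before it is pushed. The names Access_Port, dCloud_AEP, node 101 and ports 1/51 and 1/53 are the lab's; the VLAN pool, domain and profile names and the VLAN range are assumptions, since this section does not state them.

```python
"""Simplified model of the ACI access-policy chain (not the APIC classes).
Added example; pool, domain and profile names below are assumptions."""
from dataclasses import dataclass


@dataclass
class VlanPool:
    name: str
    vlans: set


@dataclass
class Domain:          # physical / VMM domain: what is being connected
    name: str
    pool: VlanPool


@dataclass
class AEP:             # attachable entity profile: domains allowed through a port
    name: str
    domains: list


@dataclass
class PolicyGroup:     # interface policy group: per-port policies plus the AEP
    name: str
    aep: AEP
    link_speed: str
    cdp: bool = True
    bpdu_guard: bool = True


@dataclass
class InterfaceProfile:
    name: str
    ports: dict        # "1/51" -> PolicyGroup


@dataclass
class SwitchProfile:
    name: str
    leaves: set        # node IDs this profile selects
    interface_profiles: list


def resolve_port(profiles, leaf, port):
    """Walk switch profile -> interface profile -> policy group for one leaf port.
    Returns the PolicyGroup, or None when no profile selects that port."""
    for sp in profiles:
        if leaf not in sp.leaves:
            continue
        for ifp in sp.interface_profiles:
            if port in ifp.ports:
                return ifp.ports[port]
    return None


def allowed_vlans(pg):
    """VLANs a port may carry: the union of the pools behind every domain in its AEP."""
    return set().union(*(d.pool.vlans for d in pg.aep.domains))


def check_static_path(profiles, leaf, port, encap_vlan):
    """Findings for binding an EPG to leaf/port with a VLAN encap; an empty list
    means the binding resolves. Mirrors the checks behind the usual APIC faults."""
    pg = resolve_port(profiles, leaf, port)
    if pg is None:
        return [f"no interface profile selects node-{leaf} eth{port}"]
    findings = []
    if encap_vlan not in allowed_vlans(pg):
        findings.append(f"vlan-{encap_vlan} is not in any VLAN pool reachable through AEP {pg.aep.name}")
    if not pg.bpdu_guard:
        findings.append(f"policy group {pg.name} has BPDU guard off on a host-facing port")
    return findings


def lab_access_policies():
    """The chain the wizard creates in this scenario. Pool, domain and profile
    names and the VLAN range are assumed; the rest are the lab's values."""
    pool = VlanPool("dCloud_VLAN_Pool", set(range(1000, 1100)))      # assumed
    aep = AEP("dCloud_AEP", [Domain("dCloud_PhysDom", pool)])         # domain assumed
    access_port = PolicyGroup("Access_Port", aep, "10Gbps", cdp=True, bpdu_guard=True)
    ifp = InterfaceProfile("Leaf101_ifp", {"1/51": access_port, "1/53": access_port})
    return [SwitchProfile("Leaf101_swp", {101}, [ifp])]


if __name__ == "__main__":
    profiles = lab_access_policies()
    for leaf, port, vlan in [(101, "1/51", 1005), (101, "1/52", 1005), (101, "1/53", 2000)]:
        print(leaf, port, vlan, check_static_path(profiles, leaf, port, vlan) or "ok")
```

Running the block reports that 1/51 with a VLAN inside the assumed pool resolves, that 1/52 has no interface profile (the wizard was only run for 1/51 and 1/53), and that a VLAN outside the pool cannot be carried even on a configured port. The same walk is what to do by hand when an EPG binding raises a fault after the wizard completes.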

Verify Physical Interfaces

Step 1 Click Fabric then, click Inventory and then, expand Pod 1.
Example:

Step 2 Select Leaf 1 (Node-101) then, select the Interface tab from right pane and then, in the drop-down list, change the mode
to configuration.

Step 3 Click 51, which we have configured in the earlier steps.


Step 4 Verify that the configuration of eth1/51 has been applied already and then, click Cancel.
Step 5 You can also click any free interface port to apply an L2 configuration.
Step 6 Click port 55 and select L2 in top menu.
Step 7 For Physical Interface configuration, change auto negotiation to off then, change the speed to 10Gbps and then, click
the L2 tab.
Example:

Step 8 In the L2 configuration, check BPDU Guard under STP Interface Control. The same panel lets you disable MCP; leave it enabled on a host-facing port unless you have a specific reason not to, because MCP (MisCabling Protocol) is how the fabric detects loops through an external switch.
a) Take a look at the other settings, which are available under this menu and change, if desired.
Example:

Step 9 (Optional) If desired, apply the VLAN configuration in VLANs tab, otherwise click Submit.

CHAPTER 3
Appendix
• Appendix A. Reset APIC Simulator, on page 43
• Appendix B. Fix My Demo, on page 44

Appendix A. Reset APIC Simulator


If you experience issues with the ACI 5.1 with VMware Lab, you can reboot the ACI Simulator. For example,
the VMM domain may fail to be created or cannot be expanded.
To reboot the ACI Simulator (acism5.1-1h) via Guest OS Control:

Step 1 In Cisco dCloud, click My Hub > Sessions and then, click View for the running demo.
Example:

Step 2 Select Servers in the menu bar and then, select Enable Status Polling.
Step 3 Expand the menu for acism5.1-1h and then, select Reset.
This performs a hard reboot of the simulator. Because the simulator does not retain its configuration across a reboot, a
graceful shutdown is unnecessary.

Note It will take up to 10 minutes before you can log in and rebuild the Fabric using one of the Fabric Discovery
methods described in Fix My Demo.

Appendix B. Fix My Demo


Occasionally, things go wrong in your session. The Fix My Demo script resolves common issues.
Use the Fix My Demo process to perform the following tasks manually:
• Apply the configuration to UCS Manager.
• Discover the ACI Fabric and apply the demo configuration to the ACI Simulator.
• Update the licenses applied to VMware vCenter and ESXi hosts.
• Reboot the UCS Director.

Note The full ACI fabric discovery can take up to 15 minutes. The apic3 controller is discovered after all the
devices are discovered. You can monitor the progress by selecting Topology from the Inventory pane in the
APIC GUI. The Fix My Demo script applies the Initial Fabric configuration and Access Policy configuration
from APIC System Overview and Operations and Create VMM Domain Profile for vCenter.

Step 1 On the demonstration workstation, click the Fix My Demo icon.


Step 2 Select option 1 and then, press Enter to discover the ACI Fabric and apply the demo configuration to the ACI Simulator.
Example:

Step 3 When prompted, press any key to continue.

After all the configuration has been applied, the Fix My Demo window closes.

Step 4 After 10 minutes, click the Fix My Demo icon again and then, choose option 4 to create the VMM Domain automatically.

What to do next
After the VMM Domain has been successfully created, you can continue with the Create a Tenant and an
Application Profile, as all the configurations required have been done.

CHAPTER 4
What's Next?

For more information about ACI, try these demonstrations.


• Cisco Network Assurance Engine 4.1 v1.1
• Cisco Network Insights for ACI on Application Services Engine v1
