Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 About
  About This Demonstration
  Requirements
  About This Solution
  Topology
  Before Presenting
  Get Started
CHAPTER 2 Scenarios
  Application Profiles
  Create Application Profile EPG – 192.168.20.0_24
  vSphere Review
  What are the Endpoint Security Groups (ESGs) of ACI? (A New Feature of ACI 5)
CHAPTER 3 Appendix
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required: Laptop
Optional: Cisco AnyConnect
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can
see the IP address and user account credentials to use to access a component by clicking the component icon
in the Topology menu of your active session and in the scenario steps that require their use.
The figure below shows the virtual demonstration topology, which consists of the following virtual machines:
• APIC Simulator version 5.1 – includes Spine 1 and Spine 2, Leaf 1 and Leaf 2, APIC1, APIC2 and APIC3
• VMware Virtual Center Server 7.0 Appliance
• VMware ESXi 7.0
• EMC vVNXe Storage Appliance
• Cisco Unified Computing System Platform Emulator 4.1
• Linux Tools Repository (CentOS 7)
• Active Directory 2019 (Domain Controller)
• Windows 10 Workstation
Before Presenting
Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
Get Started
Follow these steps to schedule a session of the content and configure your presentation environment:
Step 3 Double-click the APIC Login icon and then, log in with these credentials: admin/C1sco12345.
Step 4 Review the Welcome to APIC pop-up then, select Begin First time setup and then, click Close in the next page.
Step 5 Select Fabric from the top menu then, select Inventory from the top sub-menu.
Step 6 In the left menu, click Fabric Membership and then, check that four devices are populated (IP addresses may vary).
Step 7 If only TEP-1-101 is present, see Fix My Demo to discover the Fabric.
Note The fabric discovery can take up to 15 minutes to complete. If you log in before 15 minutes have passed, not all devices may have been discovered yet.
Step 1 On the demo workstation, open Application Policy Infrastructure Controller (if it is not already open) by clicking the APIC Login icon.
Step 3 In the menu, click System to display the System Health Dashboard.
• Explain that you logged in with global administrative rights and your view includes all system components.
• Show the single-pane view, which provides a centralized, application-level visibility with real-time application
health monitoring across the physical and virtual environments.
• Show the health scores and explain how a health score is displayed for components that are being monitored by APIC, such as:
  • Fabric health
  • Connections to virtual and physical environments
a) Show that the left pane contains health scores for the overall system as well as specific components.
b) Show that the right pane contains fault counts based on areas that have errors.
Step 4 In the dashboard, double-click the SYSTEM WIDE line with all the faults.
a) Double-click some of the faults, for example, the environmental fault with the PSU error.
c) In Fault Properties, in the General tab, check out the Fault Code and Affected Object information.
On the Troubleshooting tab you will find audit logs and events related to this fault. If desired, view the information
in the History tab.
Step 6 In the Leaf1 window, click the gear icon in the upper-left corner and then, uncheck the box to show all the components being monitored.
APIC monitors a very large amount of data and, by default, reports only the faulty components.
a) Scroll down until the Equipment Policy Entity element with a health score of 90 displays.
Step 7 Click the fault to expand the Equipment Policy to view the Power Supply that is showing a fault.
Step 8 Right-click one of the faults and then, click Show Faults in the resulting menu.
Step 9 Examine the resulting table, which shows the details of the fault.
Step 12 In the Inventory menu, expand Pod1 and then, select Spine1 to show the health details for Spine1.
Step 13 In the menu, click Leaf2 to see the Summary information for that Leaf.
Step 14 Click Tenants in the ACI menu and show that four tenants are configured.
• EPG Association: endpoint groups regulate connectivity and visibility among the endpoints within the scope of the VMM domain policy. VMM domain EPGs behave as follows:
  • The APIC pushes these EPGs as port groups into vCenter to a VMware Distributed Switch.
  • An EPG can span multiple VMM domains, and a VMM domain can contain multiple EPGs.
• Attachable Entity Profile Association: associates a VMM domain with the physical network infrastructure. An attachable entity profile (AEP) is a network interface template that enables deploying VM controller policies on a large set of leaf switch ports. An AEP specifies which switches and ports are available, and how they are configured.
• VLAN Pool Association: a VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation that the VMM domain consumes.
Step 1 Click Virtual Networking then, right-click VMware and then, select Create vCenter Domain.
Step 2 Enter My-vCenter for Virtual Switch Name and then, select the following options.
• VMware vSphere Distributed Switch
• VLAN Pool > dCloud_VLAN_Pool(dynamic)
c) Click OK.
Note The UCS Service Profiles are configured so that the interfaces connected to the ACI fabric carry the VLAN ranges defined in the dCloud_VLAN_Pool. As ACI pushes VMware port profiles, VLANs are allocated from this pool.
Step 6 In Google Chrome, open the vCenter(html) tab then, check the Use Windows session authentication box and then, click Login.
Note This is the last infrastructure configuration the network engineer does with ACI. The remaining steps are done by the server administrator.
Step 7 Click the Networking tab then, expand vc1.dcloud.cisco.com then, expand dCloud-DC and then, look under dCloud-DC to see that a VMware Distributed Switch named My-vCenter has been added.
Step 9 In the Select Task window, select Add Hosts and then, click Next.
Step 10 In the Select Hosts window, select New hosts then, select all hosts then, click OK and then, click Next.
Step 11 In Manage physical adapters, highlight vmnic2 and then, click Assign Uplink.
Step 12 Click Auto Assign then, check Apply this uplink assignment to the rest of the hosts then, click OK and then, click Next.
Step 13 Leave the defaults for Manage VMkernel adapters and then, click Next.
Step 14 Leave the defaults for Migrate VM networking and then, click Next.
Step 15 Review the information in Ready to Complete and then, click Finish.
Step 16 Select My-vCenter VDS then, click the Hosts tab and then, confirm that the hosts are connected to the VMware
Step 17 Return to the APIC window and then, expand VMware > My-vCenter > Controllers > dCloud-DC > Hypervisors.
Note If the ESXi hosts are not listed, then there was an issue in the creation of the VMM Domain Profile, and APIC is not connected to vCenter. Verify the credentials in VMware > My-vCenter > vCenter Credentials.
Step 18 Expand one of the ESXi hosts to see the virtual machines and vmnics listed.
Step 19 Collapse Hypervisors then, expand DVS-My-vCenter > Portgroups and then, click My-vCenter-DVUplinks-XXX to view the details about the Portgroup.
Note If you have followed the manual process, please skip this section and go to Create a Tenant and an Application Profile.
Step 3 In the vSphere tab, notice that the ACI domain and Distributed Switch are created automatically.
Step 4 In the APIC tab, notice that the ACI domain and switches are created automatically.
A tenant in the ACI object model represents the highest-level object. Inside, you can differentiate between
the objects that define the tenant networking, such as private networks (VRFs), bridge domains and subnets;
and the objects that define the tenant policies such as application profiles and endpoint groups.
The system provides the following four kinds of tenants:
• User tenants are defined by the administrator according to the needs of users. They contain policies that
govern the operation of resources such as applications, databases, web servers, network-attached storage,
virtual machines, and so on.
• The common tenant is provided by the system but can be configured by the administrator. It contains
policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers,
Layer 4 to Layer 7 services, intrusion detection appliances, and so on.
• The infrastructure tenant is provided by the system but can be configured by the administrator. It contains
policies that govern the operation of infrastructure resources such as the VXLAN overlay and MP-BGP
configuration. It also enables the administrator to selectively deploy resources to one or more user tenants
through policies.
• The management tenant is provided by the system but can be configured by the administrator. It contains policies that govern the operation of the ACI node management functions used for in-band and out-of-band configuration.
There are four methodologies for setting up your ACI policies, as shown in the following illustration:
Options B and C are the recommended methodologies. In option B, subnets can be used by any tenant; in option C, subnets cannot be shared between tenants.
This lab uses option D, where everything is created in a single tenant, because security is not a consideration in this demonstration.
Add a Tenant
Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.20.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.20.1/24 and then, click OK.
Step 6 Click OK.
Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.21.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.21.1/24 and then, click OK.
Step 6 Click OK.
Step 1 Drag the Bridge Domain icon onto vrf-01 on the canvas.
Step 2 In the Name field, enter 192.168.22.0_24.
Step 3 Click the L3 Configurations tab.
Step 4 In the Subnets table, click + to add a row.
Step 5 In the Gateway IP field, enter 192.168.22.1/24 and then, click OK.
Step 6 Click OK.
Application Profiles
Application Profiles enable you to model and visualize application layers that the APIC then automatically renders in the network. Application profiles let administrators approach the network resource pool in terms of applications rather than infrastructure building blocks; a network-centric design is also an option where a more traditional networking approach is preferred. An application profile is a container that holds EPGs that are logically related to one another. EPGs can communicate with other EPGs in the same application profile and with EPGs in other application profiles.
To deploy an application or network policy, you must create the required application profiles, filters, and
contracts.
In this example, the application is implemented by using three servers (a web server, an application server,
and a database server).
Step 6 Drag the orange VMware icon onto the 20-Web EPG until you see a link between them.
Step 6 Drag the orange VMware icon onto the 21-App EPG until you see a link between them.
The VMM Domains window appears.
Step 7 Click the Toolbox icon at the top right and then, select Add VMM Association.
Step 8 In the vCenter Domain field, select My-vCenter then, leave everything else at its default and then, click Submit.
Step 9 Close the VMM domains Window.
Step 6 Drag the orange VMware icon onto the 22-DB EPG until you see a link between them.
The VMM Domains window appears.
Step 7 Click the Toolbox icon at the top right and then, select Add VMM Association.
Step 8 In the vCenter Domain field, select My-vCenter then, leave everything else at its default and then, click Submit.
Step 9 Close the VMM domains Window.
vSphere Review
Step 2 Notice that the EPGs have been pushed into the VMware VDS.
Note The port group in the preceding figure is automatically associated with the EPG that created that port group
and inherits all networking and application policies defined for that EPG. The policies will be removed if the
VM is detached from the port group. The system automatically and dynamically creates and removes policies
in the ACI stateless firewall.
Configure ESGs
Step 2 Expand dCloud then, expand Application Profiles then, expand MyApp then, right-click Endpoint Security Groups and then, select Create Endpoint Security Group.
Step 3 Enter ESG_Front for the Name and then, select vrf-01 for VRF.
Step 4 Click + to add an IP Subnet then, in Create a Selector, in the IP Subnet: field, enter IP equals 192.168.20.20 and then, click OK.
Step 5 Leave Intra ESG Isolation and Preferred Group Member at their defaults and then, click Submit.
The Endpoint Security Group ESG_Front has been created. You can repeat the same steps to create another, if you like.
Best Practice: Create filters in the common tenant, so that they are created once and then consumed within all user tenants.
In this scenario, we will create contracts with filters to allow communication between EPGs.
Step 1 Click Tenants then, expand dCloud then, expand Application Profiles then, click MyApp and then, click Topology.
Step 2 Drag the contract icon over 22-DB and notice that it automatically drops a gray arrow pointing to it from 22-DB.
Step 3 Mouse-over 21-App and release.
A gray arrow points from the contract icon to 21-App.
Step 4 In the Consumer EPG / External Network drop-down list, ensure that dCloud/MyApp/epg-21-App is selected.
Step 5 In the Provider EPG / Internal Network drop-down list, ensure that dCloud/MyApp/epg-22-DB is selected.
Step 6 In the Contract Name field, enter App2DB.
The Application Profile – MyApp Topology shows the contract between 21-App and 22-DB.
Step 1 Click Tenants then, expand dCloud then, expand Application Profiles then, click MyApp and then, click Topology.
Step 2 Drag the contract icon over 21-App.
The contract icon is dropped automatically with a gray arrow pointing from 21-App to the contract icon.
Step 3 Move your mouse-pointer over 20-Web and then release.
A gray arrow points from the contract icon to 20-Web.
The Application Profile – MyApp Topology shows the contract between 21-App and 20-Web.
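The tenant built across the preceding sections (vrf-01, the three bridge domains with their gateways, the MyApp EPGs, and the contracts just drawn on the canvas) can also be expressed as a single APIC REST payload, and the contract graph makes ACI's allow-list model explicit: an EPG pair with no contract between it gets no connectivity. The following Python is an added example, not code from the dCloud guide; it assumes the public APIC object-model class names (fvTenant, fvBD, fvAEPg, vzBrCP, fvRsCons, fvRsProv and so on), a subject named "subj" using the "default" filter from tenant common, the DN format of the My-vCenter VMM domain, and the name "Web2App" for the second contract, which the guide does not name.

```python
"""Tenant policy from this guide as an APIC REST payload, plus the allow-list check.

Added example, not part of the dCloud guide. The constants are the values the
guide enters in the GUI. Assumptions: APIC class names follow the public object
model (verify with the API Inspector before posting), the subject name "subj",
the filter "default" from tenant common, the VMM domain DN format, and the name
"Web2App" for the Web/App contract, which the guide leaves unnamed.
"""
import json

TENANT, VRF, APP = "dCloud", "vrf-01", "MyApp"
BRIDGE_DOMAINS = {  # bridge domain name -> gateway, as entered in the guide
    "192.168.20.0_24": "192.168.20.1/24",
    "192.168.21.0_24": "192.168.21.1/24",
    "192.168.22.0_24": "192.168.22.1/24",
}
EPGS = {"20-Web": "192.168.20.0_24", "21-App": "192.168.21.0_24",
        "22-DB": "192.168.22.0_24"}  # EPG -> bridge domain it attaches to
# (contract, consumer EPG, provider EPG): the arrow direction on the Topology canvas.
CONTRACTS = [("App2DB", "21-App", "22-DB"), ("Web2App", "20-Web", "21-App")]
VMM_DOMAIN = "uni/vmmp-VMware/dom-My-vCenter"  # DN of the My-vCenter domain (assumed)


def build_tenant_payload(contracts=CONTRACTS):
    """Return the body for POST /api/mo/uni.json that creates the whole tenant."""
    children = [{"fvCtx": {"attributes": {"name": VRF}}}]
    for bd, gateway in BRIDGE_DOMAINS.items():  # each BD bound to vrf-01, one subnet
        children.append({"fvBD": {"attributes": {"name": bd}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": VRF}}},
            {"fvSubnet": {"attributes": {"ip": gateway}}}]}})
    for name, _, _ in contracts:  # one subject per contract, common's default filter
        children.append({"vzBrCP": {"attributes": {"name": name}, "children": [
            {"vzSubj": {"attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}}]}}]}})
    epgs = []
    for epg, bd in EPGS.items():  # EPG -> its BD, the VMM domain, and contract roles
        rels = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvRsDomAtt": {"attributes": {"tDn": VMM_DOMAIN}}}]
        for name, consumer, provider in contracts:
            if epg == consumer:
                rels.append({"fvRsCons": {"attributes": {"tnVzBrCPName": name}}})
            if epg == provider:
                rels.append({"fvRsProv": {"attributes": {"tnVzBrCPName": name}}})
        epgs.append({"fvAEPg": {"attributes": {"name": epg}, "children": rels}})
    children.append({"fvAp": {"attributes": {"name": APP}, "children": epgs}})
    return {"fvTenant": {"attributes": {"name": TENANT}, "children": children}}


def allowed(src, dst, contracts=CONTRACTS):
    """ACI's allow-list model: traffic between two EPGs is permitted only when one
    consumes and the other provides the same contract (both directions, as with the
    default subject settings); traffic inside one EPG is permitted; all else is dropped."""
    return src == dst or any({src, dst} == {c, p} for _, c, p in contracts)


if __name__ == "__main__":
    print(json.dumps(build_tenant_payload(), indent=1))
    for pair in [("20-Web", "21-App"), ("21-App", "22-DB"), ("20-Web", "22-DB")]:
        print(pair, "permitted" if allowed(*pair) else "dropped: no contract")
```

Running the block shows that Web to App and App to DB are permitted while Web to DB is dropped, which is the fabric behaviour the two contracts on the canvas produce.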
Cisco ACI uses access policies to configure external-facing interfaces that connect to devices such as virtual
machine controllers and hypervisors, hosts, network-attached storage, routers, or Fabric Extender (FEX)
interfaces. Access policies enable the configuration of:
• Port channels and virtual port channels
• Protocols such as Link Layer Discovery Protocol (LLDP), Cisco Discovery Protocol (CDP), or Link
Aggregation Control Protocol (LACP)
• Features such as statistics gathering, monitoring, and diagnostics
• VLAN/VSAN Pool – Defines which VLANs or VSANs this connection will use.
• AEP – Groups the Domains you need to allow through a specific port and their corresponding
VLANs/VSANs.
• Interface Profile – On which Interface do you need this connection?
• Interface Policy Group – A set of policies applied to an interface.
• Interface Policies – Actual policies (e.g. cdp, lldp, link speed, AEP, etc.) to implement.
• Switch Profile – On which Switch/Node?
These policies are accessible via the Fabric > Access Policies folder.
Step 1 Click Fabric then, click Access Policies then, expand Quick Start.
Step 2 Select Interfaces And Policies then, in the right pane, select topology/pod-1/node-101 then, expand Pod1 and then, select Leaf1(Node-101).
Step 3 Scroll down the page; a few interfaces have already been configured.
Step 4 Right-click Interfaces And Policies then, select Configure Interface and then, in the Leafs drop-down, select 101.
Step 5 In the Interfaces field, enter 1/51, 1/53.
Notice that the Leaf Profile Name and Interface Profile Name fields are automatically populated.
Step 6 In Interface Type, click Individual and then, in the Leaf Access Policy Group drop-down, select Create Leaf Access Port Policy Group.
Step 1 In the Leaf Access Port Policy Group name field, enter Access_Port.
Step 2 In the Link Level drop-down list, select 10Gbps then, in the CDP drop-down list, select CDP-ON and then, in the STP drop-down list, select BPDUguard-On.
Step 3 In the Attached Entity Profile drop-down list, select dCloud_AEP and then, in the bottom of the panel, click Submit.
Step 4 Click Next then, click Finish and then, click OK.
Step 1 Click Fabric then, click Inventory and then, expand Pod 1.
Step 2 Select Leaf 1 (Node-101) then, select the Interface tab from the right pane and then, in the drop-down list, change the mode to Configuration.
Step 8 In L2 configuration, check BPDU Guard for STP Interface control, Disable MCP State, etc.
a) Take a look at the other settings, which are available under this menu and change, if desired.
Step 9 (Optional) If desired, apply the VLAN configuration in VLANs tab, otherwise click Submit.
Step 1 In Cisco dCloud, click My Hub > Sessions and then, click View for the running demo.
Step 2 Select Servers in the menu bar and then, select Enable Status Polling.
Step 3 Expand the menu for acism5.1-1h and then, select Reset.
This performs a hard reboot of the simulator. As it does not retain its configuration after a reboot, a clean reboot is unnecessary.
Note It will take up to 10 minutes before you can log in and rebuild the Fabric using one of the Fabric Discovery methods described in Fix My Demo.
Note The full ACI fabric discovery can take up to 15 minutes. The apic3 controller will be discovered after all the other devices are discovered. You can monitor the progress by selecting Topology from the Inventory pane in the APIC GUI. The Fix My Demo script applies the initial Fabric configuration and Access Policy configuration from APIC System Overview and Operations and from Create VMM Domain Profile for vCenter.
After all the configuration has been applied, the Fix My Demo window closes.
Step 4 After 10 minutes, click and then, choose option 4 to automatically create the VMM Domain.
What to do next
After the VMM Domain has been successfully created, you can continue with the Create a Tenant and an
Application Profile, as all the configurations required have been done.