
First 7 Days ACI | Devops Simplified https://blog.devopssimplified.com/ACI-First-7-Days-Notes

First 7 Days ACI


by Vikas Srivastava

Opinions expressed are solely my own and do not express the views or opinions of my employer.

January ,

Notes on “Your First Seven Days Of ACI”


- BRKACI- Cisco Live! session

Day 1 - Why ACI

ACI Advantages

1 of 55 23-04-2020, 07:40 pm

ACI addresses the challenges shown above by providing a simple leaf/spine topology and ECMP, which removes the dependency on STP, and so on.

ACI Fabric Discovery Basics


All the internal communication between the spines, leafs and the APIC happens on the infra IP addresses, denoted by the red T in the picture above. The reachability provided by this infra network is then used to deploy the required L2/L3 configuration wherever it is needed on the leafs.

IS-IS: provides IP reachability between the TEPs; the APIC assigns the TEP addresses.

IS-IS is established automatically and requires no configuration.

MP-BGP: this is the L3Out configuration. Routes learned from the WAN (the L3Out in the picture above) need to be "reflected" to, or "learnt" by, the other leafs, hence the MP-BGP configuration. Note that no manual configuration is required except the assignment of the route reflectors (RR).

These two components build the underlay network, which is the foundation for the overlay network.

APIC Controller Basics

Basic details about the ports on the APIC and on the leafs/spines


The blue cables connect to the leafs.
The red cables are the CIMC connection (MGMT).
The green ones are the interfaces on which the management interface of the APIC resides.

Irrespective of which APIC IP address you connect to via HTTP, you see the same data.

It is a good idea to ensure that all controllers are in a healthy state while troubleshooting an APIC issue.

Day 2 - Infrastructure and Policies


Management Access to Switches

You can access the leafs and the spines via their console ports or via the APIC (which in turn connects via the VTEP addresses). BUT it is advisable to assign individual management IP addresses to these devices directly (configured after discovery), so that they can be reached directly when needed.

Each device needs reachability from its individual mgmt IP (outlined above) for AAA and NTP.

ACI Backups

There are two ways to do backups:

Full Backup
Snapshots

Snapshots give the capability to compare configurations.


Full Backup

Note in the picture below that when this setting is disabled during the backup, the passwords stored for the VMware integration or any third-party integration are NOT exported. If it is enabled, the passwords are exported in encrypted form. Either way there is a check to make before relying on a backup: an export taken with the setting disabled will need the integration credentials re-entered after import, and an export taken with it enabled contains secrets and has to be stored and handled as such.
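Added example, not code from the original notes or from Cisco: a small checker that walks an APIC configuration export and reports which credential-bearing objects still carry a secret and which have had it dropped, so you can tell which of the two cases above a given backup file is in. Assumptions: the export is APIC's JSON tree of `{"<class>": {"attributes": {...}, "children": [...]}}` objects (optionally wrapped in `imdata`); the VMM controller credential object is taken to be class `vmmUsrAccP` with attributes `usr` and `pwd`; both sample exports, including the ciphertext placeholder, are constructed for the example.

```python
"""Audit an APIC config export for integration credentials (added example)."""
import json

# Attribute names treated as secrets (assumption; extend for your exports).
SECRET_ATTRS = ("pwd", "password", "passwd", "key", "passphrase")


def walk(node, path=()):
    """Yield (path, class, attributes) for every managed object in the tree."""
    for cls, body in node.items():
        attrs = body.get("attributes", {})
        here = path + (f"{cls}:{attrs.get('name', '')}",)
        yield here, cls, attrs
        for child in body.get("children", []):
            yield from walk(child, here)


def credential_objects(export):
    """Objects that hold a login (usr attribute or a *UsrAccP class) and whether a secret is present."""
    found = []
    for path, cls, attrs in walk(export):
        if "usr" in attrs or cls.endswith("UsrAccP"):
            secret_attr = next((a for a in SECRET_ATTRS if attrs.get(a)), None)
            found.append({"path": "/".join(path), "class": cls,
                          "user": attrs.get("usr"), "secret_attr": secret_attr})
    return found


def audit_export(text):
    """Split credential objects into those exported with a secret and those without."""
    export = json.loads(text)
    roots = export.get("imdata", [export]) if isinstance(export, dict) else export
    objs = [o for root in roots for o in credential_objects(root)]
    return {"with_secret": [o["path"] for o in objs if o["secret_attr"]],
            "missing_secret": [o["path"] for o in objs if not o["secret_attr"]]}


def sample_export(include_pwd):
    """Constructed export: a VMware VMM domain with its vCenter account, with or without pwd."""
    acct = {"name": "vcenter-admin", "usr": "administrator@vsphere.local"}
    if include_pwd:
        acct["pwd"] = "AES-CONSTRUCTED-CIPHERTEXT-PLACEHOLDER"  # assumption: encrypted blob
    return json.dumps({"imdata": [{"polUni": {"attributes": {}, "children": [
        {"vmmProvP": {"attributes": {"vendor": "VMware"}, "children": [
            {"vmmDomP": {"attributes": {"name": "Sales-vCenter"}, "children": [
                {"vmmUsrAccP": {"attributes": acct}}]}}]}}]}}]})


if __name__ == "__main__":
    for enabled in (True, False):
        print("encrypted export enabled:", enabled, audit_export(sample_export(enabled)))
```

Run it against a real export by passing the file contents to `audit_export`; a non-empty `missing_secret` list means the backup cannot restore those integrations without someone re-entering the credentials, and a non-empty `with_secret` list means the file itself needs to be protected like a password store.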


What’s under the Fabric tab - this is where you build the UNDERLAY

Under Fabric we have Fabric Policies and Access Policies

Fabric Policies

Fabric policies govern the operation of internal fabric interfaces. Fabric policies
configure interfaces that connect spine and leaf switches. Fabric policies can
enable features such as monitoring (statistics collection and statistics export),
troubleshooting (on-demand diagnostics and SPAN), or NTP.

Access Policies

Access policies govern the operation of interfaces that provide external access to the fabric. Access policies configure external-facing interfaces that do not connect to a spine switch. External-facing interfaces connect to external devices such as virtual machine controllers and hypervisors, hosts, routers, or fabric extenders (FEX).

What’s under the Tenants tab - this is where you build the OVERLAY

Tenant Policies

Tenant policies: this is the configuration related to EPGs, BDs and VRFs. A tenant is a logical container or folder for application policies. This container can represent an actual tenant, an organization, or a domain, or can just be used for the convenience of organizing information.


We have three types of configuration in Tenant Policies

Static Binding


Policy Control Enforcement defines whether contract policies are enforced in the VRF or not. With enforcement off, every EPG in the VRF can talk to every other EPG without a contract, which undoes the whitelist model and is usually only wanted during a migration.

Policy Control Direction defines in which direction the policy is applied.

An example of a static path binding config

With the above binding configured, you can extend your legacy VLAN configuration into ACI and vice versa.


In the picture above, a VLAN from the N K is extended into ACI.

Cisco ACI VMware Integration

1. Define the vCenter domain we are going to talk to.
2. ACI and VMware handshake. The communication between the APIC and vCenter happens on the out-of-band network, NOT on the infra network; the in-band network can be used but is NOT recommended.
3. The APIC, through vCenter, creates a vDS in the VMware environment.
4. The VMware admins associate the ESXi hosts with the vDS created above.
5. LLDP runs between the vDS uplinks and ACI; this tells which VMware blade is on which leaf.
6. Associate the EPGs with the VMM domain.
7. The EPGs are automatically mapped to VMware port groups and created in VMware.
8. Since ACI now knows the server location from the information learned via LLDP, it can push the policy only to the exact switch where it is needed (instead of pushing it everywhere).

This establishes the network path from the VM into ACI.

Day 3 - Forwarding Overview

Endpoint

What is an endpoint?

It is a combination of a MAC address and an IP address.

We can see it on the APIC.

We can find more details about it on the specific leaf.

MAC and/or IP addresses are stored in the endpoint table. The exception is the L3Out: if we used the same mechanism to learn every IP address behind the MAC address of the external Nexus router, we would have thousands of host entries. That IP information is instead kept in the IP (routing) table, just like normal routing. That is the reason why the ARP table is used for the L3Out.

ACI leafs learn endpoints via the following methods:

Source MAC and source IP during ARP

A routed frame triggers source IP and MAC address learning

Pervasive Gateway

Pervasive gateway means a local gateway residing on every switch for each subnet present on that switch.

Proxy Routing

Every endpoint learned by a leaf is reported to every spine (via COOP), so every SPINE knows about every endpoint in the network.

When a leaf does not know the path to a remote endpoint, it can query the spine for it.
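The endpoint learning and spine-proxy behaviour described above, as an added example (my own model, not code from the notes or from Cisco): each leaf keeps an endpoint table with locally learned endpoints plus remote entries cached from earlier conversations, reports every local endpoint to the spines, and falls back to the spine proxy when it has no entry. The VTEP addresses are the ones in the `acidiag fnvread` output further down this page; the endpoint MACs, IPs and ports are constructed, and the 'drop' outcome for an endpoint unknown to the spine is a simplification (a real fabric may still try ARP gleaning).

```python
"""Model of ACI endpoint tables and spine proxy forwarding (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Endpoint:
    mac: str
    ip: str
    vtep: str                # TEP of the leaf that owns the endpoint
    port: str | None = None  # local front-panel port; None for remote entries


class Spine:
    """Fabric-wide endpoint database, filled by leaf reports (COOP in ACI)."""

    def __init__(self) -> None:
        self.db: dict[str, Endpoint] = {}

    def report(self, ep: Endpoint) -> None:
        self.db[ep.ip] = ep

    def proxy_lookup(self, ip: str) -> Endpoint | None:
        return self.db.get(ip)


class Leaf:
    def __init__(self, name: str, vtep: str, spines: list[Spine]) -> None:
        self.name, self.vtep, self.spines = name, vtep, spines
        self.ep_table: dict[str, Endpoint] = {}

    def learn_local(self, mac: str, ip: str, port: str) -> None:
        """Data-plane learning (ARP or a routed frame): local entry, then report to every spine."""
        ep = Endpoint(mac, ip, self.vtep, port)
        self.ep_table[ip] = ep
        for spine in self.spines:
            spine.report(ep)

    def forward(self, dst_ip: str) -> tuple[str, str | None]:
        """How this leaf forwards to dst_ip:
        ('local', port)  - endpoint is directly attached
        ('remote', vtep) - VTEP already in the endpoint table, no spine involved
        ('proxy', vtep)  - unknown here; the spine proxy resolved it and it is now cached
        ('drop', None)   - the spine does not know it either
        """
        ep = self.ep_table.get(dst_ip)
        if ep is not None:
            return ("local", ep.port) if ep.port else ("remote", ep.vtep)
        ep = self.spines[0].proxy_lookup(dst_ip)
        if ep is None:
            return ("drop", None)
        self.ep_table[dst_ip] = Endpoint(ep.mac, ep.ip, ep.vtep)  # cache as a remote entry
        return ("proxy", ep.vtep)


def build_fabric() -> tuple[Leaf, Leaf, Spine]:
    """Two leafs, one spine, one endpoint learned behind each leaf (constructed data)."""
    spine = Spine()
    leaf_a = Leaf("leaf-a", "10.0.128.66", [spine])
    leaf_b = Leaf("leaf-b", "10.0.128.64", [spine])
    leaf_a.learn_local("00:50:56:aa:00:01", "10.0.1.10", "Eth1/3")
    leaf_b.learn_local("00:50:56:bb:00:02", "10.0.2.20", "Eth1/3")
    return leaf_a, leaf_b, spine


if __name__ == "__main__":
    leaf_a, _, _ = build_fabric()
    for dst in ("10.0.1.10", "10.0.2.20", "10.0.2.20", "10.0.9.9"):
        print(leaf_a.name, "->", dst, leaf_a.forward(dst))
```

The second lookup of 10.0.2.20 from leaf-a no longer touches the spine: that is the remote-endpoint caching that makes the endpoint table, not the spine, the first thing to check when a conversation breaks.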


Day 4 - Network Centric Migrations

Day 5 - Multi Location Deployments

Day 6 - Troubleshooting Tools

Day 7 - Additional Resources

Digital Learning Topologies

Topology


Out of Band Management Access

Lab 1. Explore the Cisco ACI Fabric

Inventory
Digital Learning


Fabric: Cisco ACI inventory and configuration point for intra-fabric and access policies

Virtual Networking: Configuration menu for VM manager interoperability, such as vCenter, Hyper-V, or KVM

L4-L7 Services: Package repository for upper-layer service elements, such as firewalls or load balancers, that can be inserted into the fabric

Admin: Menu for controlling the operation, administration, and maintenance (OAM) aspects

Operations: Menu for visibility, troubleshooting, and capacity profiling

Apps: App center used for deploying applications in the Cisco ACI

The Cisco ACI solution uses an overlay, based on VXLAN, to virtualize the physical infrastructure. This overlay, like most overlays, requires the data path at the edge of the network to map from the tenant endpoint address in the packet, also known as its identifier, to the location of the endpoint, also known as its locator. This mapping occurs in a function called a tunnel endpoint (TEP), also known as a VXLAN tunnel endpoint (VTEP). The VTEP addresses are displayed in the INFRASTRUCTURE IP column. The TEP address pool . . . / has been configured on the Cisco APIC using the initial setup dialog. The APIC assigns the TEP addresses to the fabric switches via DHCP, so the infrastructure IP addresses in your fabric will be different from the figure.

Clicking on a node provides information on its neighbors and port connectivity


The Link Layer Discovery Protocol (LLDP) is responsible for discovering directly
adjacent neighbors. When run between the Cisco APIC and a leaf switch, it precedes
three other processes: Tunnel endpoint (TEP) IP address assignment, node software
upgrade (if necessary), and the intra-fabric messaging (IFM) process, which is used
by the Cisco APIC to push policy to the leaves.

This is where you can see the switch level details

Interface Level Details


acidiag is the diagnostic command on the APIC

apic1# acidiag -h
usage: acidiag [-h] [-v]
{avread,fnvread,fnvreadex,rvread,rvreadle,crashsuspecttracker,bootother,bootcurr,journal,logs,
...
positional arguments:
{avread,fnvread,fnvreadex,rvread,rvreadle,crashsuspecttracker,bootother,bootcurr,journal,
sub-command help
avread read appliance vector
fnvread read fabric node vector
fnvreadex read fabric node vector (extended mode)
rvread read replica vector
rvreadle read replica leader summary
crashsuspecttracker
read crash suspect tracker state
bootother on next boot, boot other Linux Partition, and display
updated /etc/grub.conf
bootcurr on next boot, boot current Linux Partition, and
display updated /etc/grub.conf
journal Contents of journal logs
logs show log history
telemetry enable/disable telemetry
hwcheck Quick check of APIC Hardware

apic1# acidiag fnvread


ID Pod ID Name Serial Number IP Address Role State LastUpdMsgId
----------------------------------------------------------------------------------
101 1 leaf-a FDO21351F7L 10.0.128.66/32 leaf active 0
102 1 leaf-b FDO21351F9A 10.0.128.64/32 leaf active 0
201 1 spine FDO214111Q5 10.0.128.65/32 spine active 0

Total 3 nodes

Cisco APIC Version ( . ) allows you to configure the system and view the configuration
through the CLI.

apic1# conf t
apic1(config)# sh run
# Command: show running-config
aaa banner 'Application Policy Infrastructure Controller'
aaa authentication login console
exit
<... output omitted ...>

Static Out-of-Band Management Address

Notice that you assign a subnet, and the IP addresses are chosen from that block.


Result of the above configuration

To assign an address to ONLY ONE device, put the same node ID twice (as both the From and the To node).


leaf-a# show lldp neighbors


Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
3560-x.dc.local Eth1/1 120 BR Gi1/0/3
apic1 Eth1/2 120 eth2-1
spine Eth1/49 120 BR Eth1/1
Total entries displayed: 3

Removing the OOB management address does not affect the ability to SSH from the APIC to the leaf, as this happens over the infra network that ACI has set up.
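Added example, not code from the notes or from Cisco: a parser for the `show lldp neighbors` output shown above, used the way the VMM integration steps under Day 2 use LLDP: work out which leaf ports the ESXi hosts of a VMM domain sit behind, so an EPG bound to that domain is programmed only on those leaf/port pairs instead of on every leaf. The three neighbor tables, the host names and the leaf names are constructed for the example (the APIC additionally correlates this with the neighbor information vCenter reports for each host uplink, which the model leaves out).

```python
"""Parse 'show lldp neighbors' and derive VMM policy deployment targets (added example)."""
from collections import defaultdict

# Constructed tables in the same column layout as the leaf output on this page.
LLDP_LEAF_A = """\
Capability codes:
 (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
 (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID            Local Intf  Hold-time  Capability  Port ID
3560-x.dc.local      Eth1/1      120        BR          Gi1/0/3
apic1                Eth1/2      120                    eth2-1
esx01.dc.local       Eth1/3      120        B           vmnic2
spine                Eth1/49     120        BR          Eth1/1
Total entries displayed: 4
"""
LLDP_LEAF_B = """\
Device ID            Local Intf  Hold-time  Capability  Port ID
esx01.dc.local       Eth1/3      120        B           vmnic3
esx02.dc.local       Eth1/4      120        B           vmnic2
spine                Eth1/49     120        BR          Eth1/2
Total entries displayed: 3
"""
LLDP_LEAF_C = """\
Device ID            Local Intf  Hold-time  Capability  Port ID
bare-metal-db        Eth1/10     120        S           eth0
spine                Eth1/49     120        BR          Eth1/3
Total entries displayed: 2
"""
LEAF_TABLES = {"leaf-a": LLDP_LEAF_A, "leaf-b": LLDP_LEAF_B, "leaf-c": LLDP_LEAF_C}
DOMAIN_HOSTS = {"esx01.dc.local", "esx02.dc.local"}  # hosts attached to the Sales-vCenter vDS


def parse_lldp_neighbors(text):
    """Return one dict per neighbor row; the capability column may be empty (e.g. the APIC)."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if line.startswith("Total entries"):
            break
        if not in_table or not line.strip():
            continue
        tok = line.split()
        if len(tok) == 5:
            dev, intf, hold, cap, port = tok
        elif len(tok) == 4:  # no capability advertised
            (dev, intf, hold, port), cap = tok, ""
        else:
            raise ValueError(f"unexpected neighbor row: {line!r}")
        rows.append({"device": dev, "local_intf": intf, "hold": int(hold),
                     "cap": cap, "port_id": port})
    return rows


def host_locations(lldp_by_leaf, hosts):
    """Map each host name seen via LLDP to the set of (leaf, local interface) it hangs off."""
    loc = defaultdict(set)
    for leaf, text in lldp_by_leaf.items():
        for row in parse_lldp_neighbors(text):
            if row["device"] in hosts:
                loc[row["device"]].add((leaf, row["local_intf"]))
    return dict(loc)


def deployment_targets(lldp_by_leaf, domain_hosts):
    """Leaf/port pairs on which an EPG bound to this VMM domain needs to be programmed."""
    targets = set()
    for ports in host_locations(lldp_by_leaf, domain_hosts).values():
        targets |= ports
    return targets


if __name__ == "__main__":
    for leaf, port in sorted(deployment_targets(LEAF_TABLES, DOMAIN_HOSTS)):
        print(f"deploy EPG encap on {leaf} {port}")
```

leaf-c, which only has a bare-metal host and the spine behind it, never receives the EPG's VLAN: that is the "push only where needed" behaviour the Day 2 notes describe, and it is also why an LLDP mismatch between what the leaf sees and what vCenter reports shows up as port groups that exist but carry no traffic.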


This is where you can validate the OOB Management address of a specific Leaf/Spine

Lab 2. Configuring Port Channel

In this lab we will configure the following scenario


The following components are to be configured (shown in purple)

High Level Steps


Configuring the Port Character

1. Enable CDP in a CDP interface policy named CDP-Enabled.
2. Configure an LLDP interface policy (LLDP-Disabled) with LLDP disabled.
3. Configure a port channel policy named PC-Policy with a static port channel mode. Ensure that you have Static Channel - Mode On.

Notice above that you have separate config item named “Port Channel Policy” in ACI

1. Configure a vPC Interface Policy Group. An interface policy group gathers multiple interface policies into one set. A vPC interface policy group gathers the policies with the purpose of activating them on a vPC interface bundle. In your topology, the hypervisor is connected to the leaves in a redundant fashion that allows a vPC deployment. You will configure a vPC policy group for your hypervisor. Name it IPG-VPC-ESX and add everything you created above to it.

What is happening in the above step is that you are defining the characteristics of what a vPC member port looks like.

1. Create a Leaf Interface Profile named InterProf-ESX
2. Select the interfaces as 1/3
3. Select the interface policy group created above in the Port Character section: IPG-VPC-ESX

Configuring the Switch Character

1. Create a Leaf Profile, LeafProfile-ESX, and add both leaves
2. Associate the interface selector InterProf-ESX. This is the actual step where the interface profile and the switch profile connect.

Finally Configure vPC between Leafs

1. Review/Look at the VPC Default Domain


Fabric > Access Policies > Switch Policies > Policies > VPC Domain.

2. Add both leaf switches to the vPC security policy


Fabric > Access Policies > Switch Policies > Policies > Virtual Port Channel
default.

3. Configure a vPC Protection Group with these settings and click Submit.

Name: ACI
ID: 100
vPC domain policy: default
Switch 1: leaf-a (switch ID 101)
Switch 2: leaf-b (switch ID 102)

Verification

After the above configuration you will see:

show vpc shows the peer-link connectivity and also lists the port channels that are configured on the leafs.

leaf-a# show vpc


Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 100


Peer status : peer adjacency formed ok
vPC keep-alive status : Disabled
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled (timeout = 240 seconds)
Operational Layer3 Peer : Disabled

vPC Peer-link status


---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------

leaf-a# show vpc role

vPC Role status
----------------------------------------------------
vPC role : primary
Dual Active Detection Status : 0
vPC system-mac : 00:23:04:ee:be:64
vPC system-priority : 32667
vPC local system-mac : 70:7d:b9:f3:f1:c5
vPC local role-priority : 101

Notice that in the above configuration the port channel numbers are NOT the same on the two leafs; one and the other refer to the SAME port channel configured towards a single end host.


Note once the vPC config above is complete you can verify your config in the UI

Lab 3. Configure Cisco ACI Logical Constructs


High Level Steps

1. Create a tenant Sales; skip the step to create the VRF.
2. Create a VRF named Presales under the Sales tenant, without creating a bridge domain in the same step. Each tenant can have one or more VRFs, or share one default VRF with other tenants when there is no overlapping IP addressing in use in the ACI fabric.
3. Create a bridge domain named Presales-BD, associated with the Presales VRF inside the Sales tenant.

A bridge domain is a unique Layer 2 forwarding domain that contains one or more subnets. Each bridge domain must be linked to a VRF. By default, unicast routing is enabled. ARP flooding is disabled so that unicast routing will be performed on the target IP address. Endpoint dataplane learning controls whether the remote leaf switch should update the IP-to-VTEP information with the source VTEP of traffic coming from this bridge domain.

Note: First-hop security and other policies are enabled on a per tenant bridge domain basis. As the bridge domain may be deployed on a single or across multiple leaf switches, the first-hop security threat control and mitigation mechanisms cater to single switch and multiple switch scenarios.

1. Configure four subnets for the Presales-BD with these default gateways: 10.0.1.254/24, 10.0.2.254/24, 10.0.3.254/24, and 10.0.4.254/24.
2. Create an application profile Tiered-App and create the EPGs Web, App and DB.
3. Create a filter named HTTP and add an HTTP entry under it.
4. Configure a filter named Basic-Ping-SSH and under it create ICMP and SSH entries.
5. Create a contract Web-Access and include the filters Basic-Ping-SSH and HTTP.


1. Finally do the following
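The whitelist model that the Lab 3 steps above build, together with the Policy Control Enforcement setting mentioned under Tenant Policies, as an added example (my own model, not code from the notes or from Cisco). The tenant, VRF, application profile, EPG, filter and contract names are the lab's; which EPG provides and which consumes Web-Access is not stated on this page and is assumed here (Web provides, App consumes, DB has no contract). `apic_payload` renders the same objects in the JSON shape the APIC REST API accepts, using the standard ACI class names (`vzFilter`, `vzEntry`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`, `fvAp`, `fvAEPg`, `fvRsProv`, `fvRsCons`) with the attribute set trimmed to what the lab needs.

```python
"""ACI contract whitelist: evaluation model plus REST payload (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:
    proto: str           # "tcp", "udp", "icmp"
    dport_from: int = 0  # 0 = port unspecified (matches any)
    dport_to: int = 0


@dataclass
class Vrf:
    name: str
    enforced: bool = True  # Policy Control Enforcement preference


@dataclass
class Epg:
    name: str
    vrf: Vrf
    provides: set = field(default_factory=set)  # contract names
    consumes: set = field(default_factory=set)


# Lab 3 filters and contract.
FILTERS = {
    "HTTP": {Entry("tcp", 80, 80)},
    "Basic-Ping-SSH": {Entry("icmp"), Entry("tcp", 22, 22)},
}
CONTRACTS = {"Web-Access": {"HTTP", "Basic-Ping-SSH"}}  # contract -> filters


def entry_matches(e, proto, dport):
    if e.proto != proto:
        return False
    return e.dport_from == 0 or e.dport_from <= dport <= e.dport_to


def permitted(src, dst, proto, dport=0):
    """Consumer src -> provider dst. Whitelist: without a matching contract, traffic is dropped."""
    if src.vrf is not dst.vrf:
        return False  # inter-VRF traffic needs route leaking; assumed denied here
    if not src.vrf.enforced:
        return True  # VRF unenforced: contracts are ignored and everything is allowed
    if src is dst:
        return True  # intra-EPG traffic is allowed by default
    for contract in src.consumes & dst.provides:
        for fname in CONTRACTS[contract]:
            if any(entry_matches(e, proto, dport) for e in FILTERS[fname]):
                return True
    return False


def lab_tenant():
    """Assumption: Web provides Web-Access, App consumes it, DB has no contract."""
    presales = Vrf("Presales")
    return {"Web": Epg("Web", presales, provides={"Web-Access"}),
            "App": Epg("App", presales, consumes={"Web-Access"}),
            "DB": Epg("DB", presales)}


def apic_payload(epgs, tenant="Sales", ap="Tiered-App"):
    """Same policy as a JSON body for POST /api/mo/uni.json on the APIC."""
    filters = []
    for fname, entries in FILTERS.items():
        children = []
        for e in sorted(entries, key=lambda x: (x.proto, x.dport_from)):
            attrs = {"name": f"{e.proto}-{e.dport_from or 'any'}", "etherT": "ip", "prot": e.proto}
            if e.dport_from:
                attrs.update(dFromPort=str(e.dport_from), dToPort=str(e.dport_to))
            children.append({"vzEntry": {"attributes": attrs}})
        filters.append({"vzFilter": {"attributes": {"name": fname}, "children": children}})
    contracts = [{"vzBrCP": {"attributes": {"name": c}, "children": [{"vzSubj": {
        "attributes": {"name": "subj"},
        "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in sorted(fs)]}}]}}
        for c, fs in CONTRACTS.items()]
    epg_objs = [{"fvAEPg": {"attributes": {"name": e.name}, "children":
        [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in sorted(e.provides)]
        + [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in sorted(e.consumes)]}}
        for e in epgs.values()]
    return {"fvTenant": {"attributes": {"name": tenant}, "children":
            filters + contracts + [{"fvAp": {"attributes": {"name": ap}, "children": epg_objs}}]}}


if __name__ == "__main__":
    t = lab_tenant()
    for flow in (("App", "Web", "tcp", 80), ("App", "Web", "tcp", 443), ("DB", "Web", "icmp", 0)):
        print(flow, "permitted" if permitted(t[flow[0]], t[flow[1]], flow[2], flow[3]) else "dropped")
```

Two things the evaluation makes visible that the GUI does not: direction matters (App can open port 80 to Web, Web cannot open port 80 to App, because only the consumer initiates), and flipping the VRF to unenforced silently turns every "dropped" into "permitted" without touching a single contract, which is why that setting deserves an alert in change monitoring.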


Lab 4. Configure VMM Domain Integration

PICTURE DRAWING HERE

Cisco ACI supports three integration methods with VMware vCenter:

Distributed Virtual Switch (DVS)

Cisco Application Virtual Switch (Cisco AVS)

Cisco ACI Virtual Edge (AVE)

1. Create a vCenter VMM Domain in ACI and also configure the Dynamic VLAN Range .


1. Provide the vCenter credentials and the IP address of vCenter.
2. This step provisions a VMware DVS named Sales-vCenter in the VMware environment.

1. Create an AAEP named vCenter AAEP and join the vCenter VMM domain and the ESX policy group created in Lab 2.
2. Now go to the interface policy group ESX and attach the vCenter AAEP to it as well.
3. Add the ESXi host . . . to the DVS and assign the uplinks.

For this lab:

vmnic2 --- uplink1
vmnic3 --- uplink2


1. Ensure CDP is on on the vCenter side.
2. Verify that the leaf is discovered.
3. Now go to the APIC, look for the uplink vmnics there and see the discovered peers (leafs).


4. Now associate the application profile's domain (VMs and bare metals) with the VMM domain created.

This will create the EPGs under this application profile as port groups in VMware!

These port groups can now be assigned to different VMs, which in ACI maps them to different EPGs.


Lab 5. Deploy Cisco ACI Virtual Edge and Microsegmentation

Lab 6. Integrate Cisco ASAv with Cisco APIC

Cisco Application Centric Infrastructure (ACI) provides the capability to insert Layer 4 through Layer 7 functions using an approach that is called a service graph. It can be considered as a superset of service insertion. Meaningful Layer 4 through Layer 7 services can include firewalls, load balancing, SSL offloading, and application acceleration.

In this activity you will deploy the ASAv as a service in the Cisco ACI. The traffic between the DB and BACKUP EPGs will go through the ASAv. You will implement two types of operation:

managed and
unmanaged mode

and identify the differences between the two.

High Level Steps


Step: LOAD the device package. A device package contains the mappings and abstractions of the object model of the device that is being controlled and the scripts to configure the device.
L4-L7 Services > Packages > Quick Start > Import Device Package (asa-device-pkg- . . . .zip)

Step: REVIEW the details of the package. You should see several web policy profiles, for routed and transparent mode. All of them initially permit web traffic, with different combinations of IP version and NAT.


EXAMINE WebPolicyForRoutedMode, the first profile in the list. This section is the configuration placeholder for a Cisco ASA deployment in routed (Layer 3) mode. Among others, you will see the configuration of an ACL and the external and internal interfaces.

NOTE: If you do not customize these settings, the firewall will be configured with a single ACL (access-list-inbound) that permits HTTP and HTTPS.

Step: Create TENANT networking

Create Backup-BD with the Presales VRF.
Create a new EPG (Backup), associate it with the new bridge domain (Backup-BD), check the option Associate to VM Domain Profiles AND associate it with your VMM domain (Sales-vCenter).

Step: Reuse the TRANSACT VM as a BACKUP VM. Delete the 10.0.4.254/24 subnet from the Presales-BD bridge domain and configure it on the Backup-BD bridge domain. Assign the TRANSACT VM to the Backup port group.

Step: Verify OOB management to the ASAv. All communication between the Cisco APIC and the Cisco ASAv occurs via HTTPS. The Cisco ASAv has been pre-provisioned with the necessary commands to enable HTTPS/SSH management access.

Step: Notice that all the ports of the ASAv in vSphere are assigned to the default VM Network. Once the L4-L7 deployment is complete you will see the ports change.

Step: Log in to the ASAv and verify the basic config AND HTTPS access

interface Management0/0
nameif management
security-level 100
ip address 192.168.10.71 255.255.255.0

route management 0.0.0.0 0.0.0.0 192.168.10.254 1

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL auto-enable

http server enable
http 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 management

username admin password CsI1KX6iq7UBl3KK privilege 15 -- Important

Note that the http 0.0.0.0 0.0.0.0 management and ssh 0.0.0.0 0.0.0.0 management lines accept management connections from any source address on the management interface. That is fine for this lab but not for production; there, scope them to the APIC OOB addresses (the only HTTPS client the service graph needs) and to your admin hosts.

Step: Create an L4-L7 Device for the Cisco ASAv


Step: Create and apply the service graph

Check the Above Config Here


NOTICE That nothing has yet been deployed on the ASAv

Step: Apply the service graph template to the DB-to-Backup traffic


Double-click the network_ip_address field of the network object web_server and enter the IP address of the TRANSACT VM ( . . . / ).

Step: Check the ASA config


ciscoasa# show running-config access-list


access-list access-list-inbound extended permit tcp any object web_server eq www
access-list access-list-inbound extended permit tcp any object web_server eq https

ciscoasa# show running-config access-group


access-group access-list-inbound in interface externalIf

ciscoasa# show running-config object network


object network web_server
subnet 10.0.4.1 255.255.255.255

ciscoasa# show running-config interface GigabitEthernet 0/0


!
interface GigabitEthernet0/0
nameif internalIf
security-level 100
no ip address

ciscoasa# show running-config interface GigabitEthernet 0/1


!
interface GigabitEthernet0/1
nameif externalIf

Step: Verify that the contract is applied


Also look at the subject.

Step: Look at the topology


Step: Examine the L4-L7 service parameters of the provider EPG (Backup).

Step: Examine the deployed graph instance and device.


Step: Go to Services > L4-L7, expand Deployed Devices, and examine the ASA-Presales device. You should see the VLAN encapsulations for the cluster devices.


Step: Notice the VM settings

Step: Notice the rollback options

Step: Customize the Cisco ASAv configuration. You can assign ASAv interface IP addresses right from ACI.


ciscoasa# show interface ip brief


Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.4.253 YES manual up up
GigabitEthernet0/1 10.0.3.253 YES manual up

You can verify the connectivity in the ASA

ciscoasa# show access-list


access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list access-list-inbound; 2 elements; name hash: 0xcb5bd6c7
access-list access-list-inbound line 1 extended permit tcp any object web_server eq
access-list access-list-inbound line 1 extended permit tcp any host 10.0.4.1 eq www
access-list access-list-inbound line 2 extended permit tcp any object web_server eq
access-list access-list-inbound line 2 extended permit tcp any host 10.0.4.1 eq https

Use the L4-L7 Device in Unmanaged Mode


Step . Exami


Step . Exami

Step . Exami

Step . Exami

Step . Exami

Step . Exami

ACI Operations and Troubleshooting (CI-ACIOPS)

Outline: ACI Operations and Troubleshooting (ACIOPS)


Course Introduction

Overview
Course Goal and Objectives
Prerequisites
Course Outline
Module 1: Cisco ACI Component Review

Lesson 1: Cisco ACI Architecture and Network Review


ACI and APIC Review
Tenant, Management Tenant and Context Review
VLAN and VRF Review
Bridge Domain Review
Application Profile Review
End Point Group Review
Lesson 2: Cisco ACI Policy Review
ACI Contract Review
ACI Filter Review
ACI Subject Review
Lesson 3: Cisco ACI Unified Fabric Review
Cisco ACI Server Connectivity Review

Implementing Cisco Application Centric Infrastructure – Advanced


Cisco ACI Routing Review


https://www.cisco.com/c/dam/en_us/training-events/le /le /cln/marketing/exam-topics
/ - -DCACIA.pdf

