Opinions expressed are solely my own and do not express the views or opinions of my employer.
January ,
ACI Advantages
1 of 55 23-04-2020, 07:40 pm
First 7 Days ACI | Devops Simplified https://blog.devopssimplified.com/ACI-First-7-Days-Notes
ACI addresses the above challenges by providing a simple leaf/spine topology, ECMP
(which removes the dependency on STP), and so on.
All the internal communication between the spines, leafs and the APIC happens on the
infra IP address, denoted by the red T in the picture above. The reachability provided by this
infra network is then used to deploy the required L2/L3 config wherever it is needed on the
leafs.
ISIS : This provides IP reachability between the TEPs; the APIC assigns the TEP addresses.
MP-BGP : This is the L3Out configuration. The routes learned via the WAN (L3Out in the
above picture) need to be "reflected" / "learnt" by the other leafs, hence the MP-BGP config.
Note that no manual config is required except for the assignment of the RR (Route
Reflector).
Using the above two components we build the underlay network, which serves as the
foundation for the overlay network.
Basic details about the ports on the APIC and the leafs/spines
Irrespective of which APIC IP address you connect to via HTTP, you see the same data.
It is a good idea to ensure all the controllers are in a healthy status while troubleshooting
an APIC issue.
You can access the leafs and the spines using their console ports or via the APIC
(which in turn connects via the VTEP addresses). BUT it is advisable to have individual
management IP addresses assigned to these devices directly (config done after discovery),
so that we can still reach them in case we need to.
Each device needs reachability from its individual mgmt IP (outlined above) for AAA and
NTP.
ACI Backups
Full Backup
Snapshots
Full Backup
Note in the picture below that when this setting is disabled during the backup, the
passwords stored for the VMware integration or any third-party integration are NOT exported. If
it is enabled, the passwords are exported in encrypted form.
What's under the Fabric tab - This is where you build the UNDERLAY
Under Fabric we have Fabric Policies and Access Policies
Fabric Policies
Fabric policies govern the operation of internal fabric interfaces. Fabric policies
configure interfaces that connect spine and leaf switches. Fabric policies can
enable features such as monitoring (statistics collection and statistics export),
troubleshooting (on-demand diagnostics and SPAN), or NTP.
Access Policies
Access policies govern the operation of interfaces that provide external access to the
fabric. Access policies configure external-facing interfaces that do not connect to
a spine switch. External-facing interfaces connect to external devices such as virtual
Tenant Policies
logical container or a folder for application policies. This container can represent an
actual tenant, an organization, or a domain or can just be used for the convenience of
organizing information.
Static Binding
Policy Control Enforcement defines whether the contract policies in a VRF are enforced or not.
With the above binding configured, you can extend your legacy VLAN configuration into
ACI and vice versa.
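The two checks above, "make sure all controllers are healthy before troubleshooting" and "know whether a VRF actually enforces its contracts", are the sort of thing worth scripting against the APIC rather than eyeballing in the GUI. The following is an added example, not code from these notes or from Cisco. It assumes the APIC REST API class-query response shape `{"imdata": [{"<class>": {"attributes": {...}}}]}` and the `infraWiNode` (controller `health`/`operSt`), `fabricNode` (switch `fabricSt`) and `fvCtx` (VRF `pcEnfPref`) classes; the JSON payloads are constructed samples, not output captured from a real fabric.

```python
"""Audit controller health, switch fabric state and VRF policy enforcement
from APIC class-query JSON (added example; all sample data is constructed)."""
import json

# Constructed sample of GET /api/node/class/infraWiNode.json. A real query returns one
# object per (viewing APIC, viewed APIC) pair; the audit keys by id to collapse that.
CONTROLLERS_JSON = json.dumps({"imdata": [
    {"infraWiNode": {"attributes": {"id": "1", "nodeName": "apic1",
                                    "health": "fully-fit", "operSt": "available"}}},
    {"infraWiNode": {"attributes": {"id": "2", "nodeName": "apic2",
                                    "health": "fully-fit", "operSt": "available"}}},
    {"infraWiNode": {"attributes": {"id": "3", "nodeName": "apic3",
                                    "health": "data-layer-partially-diverged",
                                    "operSt": "available"}}},
]})

# Constructed sample of GET /api/node/class/fabricNode.json (leafs and spines)
SWITCHES_JSON = json.dumps({"imdata": [
    {"fabricNode": {"attributes": {"id": "101", "name": "leaf-a", "role": "leaf", "fabricSt": "active"}}},
    {"fabricNode": {"attributes": {"id": "102", "name": "leaf-b", "role": "leaf", "fabricSt": "active"}}},
    {"fabricNode": {"attributes": {"id": "201", "name": "spine-a", "role": "spine", "fabricSt": "inactive"}}},
]})

# Constructed sample of GET /api/node/class/fvCtx.json (VRFs)
VRFS_JSON = json.dumps({"imdata": [
    {"fvCtx": {"attributes": {"dn": "uni/tn-Sales/ctx-Presales", "name": "Presales", "pcEnfPref": "enforced"}}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-Sales/ctx-Legacy", "name": "Legacy", "pcEnfPref": "unenforced"}}},
]})


def objects(payload, cls):
    """Attribute dicts of every object of class `cls` in a class-query response."""
    return [item[cls]["attributes"] for item in json.loads(payload)["imdata"] if cls in item]


def unhealthy_controllers(payload):
    """Controllers that are not fully-fit or not available, as (id, (name, health, operSt))."""
    bad = {}
    for c in objects(payload, "infraWiNode"):
        if c["health"] != "fully-fit" or c["operSt"] != "available":
            bad[c["id"]] = (c["nodeName"], c["health"], c["operSt"])
    return sorted(bad.items())


def inactive_switches(payload):
    """Leafs/spines whose fabric state is anything other than active."""
    return sorted((n["id"], n["name"], n["fabricSt"])
                  for n in objects(payload, "fabricNode") if n["fabricSt"] != "active")


def unenforced_vrfs(payload):
    """VRFs whose Policy Control Enforcement is off: contracts are not applied there,
    so every EPG in the VRF can reach every other EPG regardless of contracts."""
    return sorted(v["dn"] for v in objects(payload, "fvCtx") if v.get("pcEnfPref") != "enforced")


def audit(controllers=CONTROLLERS_JSON, switches=SWITCHES_JSON, vrfs=VRFS_JSON):
    """Run all three checks; an empty list under a key means that check passed."""
    return {"controllers": unhealthy_controllers(controllers),
            "switches": inactive_switches(switches),
            "vrfs": unenforced_vrfs(vrfs)}


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {findings or 'OK'}")
```

Against a live fabric the three payloads would come from authenticated GETs of the class URLs named in the comments; treating an unenforced VRF as a finding is a deliberate choice, since it silently disables the contract model for every EPG inside it.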
Endpoint
What is an endpoint ?
We can find more details about the same on the specific leaf.
MAC and/or IP addresses are stored in the endpoint table. The exception is L3Out: if we used
the same mechanism of learning all the IP addresses on the MAC address on a Nexus router,
we would have thousands of / . Other IP information is used in the IP table just as in
normal routing. That is the reason why we use the ARP table for L3Out.
Pervasive Gateway
Pervasive gateway means a local gateway residing on every switch for each subnet on that
switch.
Proxy Routing
Every endpoint learned by a leaf is announced to every spine using multicast. This way every
spine knows about every endpoint in the network.
When a leaf does not know a path to a remote endpoint, it can query the spine for
it.
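The lookup order the notes describe (local endpoint table, then cached remote entry, then ask a spine that holds the fabric-wide identifier-to-locator mapping) is easy to see in a small model. This is an added example, not code from the notes or from Cisco; the `Leaf`/`Spine` classes, the VTEP addresses and the endpoints are all constructed, and the spine update is modelled as a plain method call rather than the multicast the notes mention.

```python
"""Model of leaf endpoint learning and spine proxy lookup in an ACI-style fabric
(added example; every name and address here is constructed)."""
from dataclasses import dataclass, field


@dataclass
class Spine:
    """Fabric-wide mapping database: (vrf, ip) -> VTEP of the leaf that owns the endpoint."""
    name: str
    mapping: dict = field(default_factory=dict)

    def learn(self, vrf, ip, vtep):
        self.mapping[(vrf, ip)] = vtep

    def lookup(self, vrf, ip):
        return self.mapping.get((vrf, ip))


@dataclass
class Leaf:
    name: str
    vtep: str
    spines: list
    local: dict = field(default_factory=dict)   # (vrf, ip) -> front-panel port
    remote: dict = field(default_factory=dict)  # (vrf, ip) -> remote VTEP, learned via proxy

    def learn_local(self, vrf, ip, port):
        """An endpoint appeared on a local port: install it and report it to every spine."""
        self.local[(vrf, ip)] = port
        for spine in self.spines:
            spine.learn(vrf, ip, self.vtep)

    def forward(self, vrf, dst_ip):
        """Decide how this leaf forwards to dst_ip: (decision, port-or-VTEP)."""
        key = (vrf, dst_ip)
        if key in self.local:
            return ("local", self.local[key])
        if key in self.remote:
            return ("remote-cached", self.remote[key])
        vtep = self.spines[0].lookup(vrf, dst_ip)
        if vtep is None:
            return ("unknown", None)        # no spine has seen this endpoint
        self.remote[key] = vtep             # cache so later packets skip the proxy step
        return ("spine-proxy", vtep)


def build_fabric():
    """Two leafs and two spines with one endpoint behind each leaf (constructed)."""
    spines = [Spine("spine-a"), Spine("spine-b")]
    leaf_a = Leaf("leaf-a", "10.0.200.64", spines)
    leaf_b = Leaf("leaf-b", "10.0.200.65", spines)
    leaf_a.learn_local("Presales", "10.0.1.10", "eth1/1")
    leaf_b.learn_local("Presales", "10.0.2.20", "eth1/5")
    return leaf_a, leaf_b, spines


def demo():
    """Walk through the four outcomes: proxy, cache hit, local, unknown."""
    leaf_a, leaf_b, spines = build_fabric()
    first = leaf_a.forward("Presales", "10.0.2.20")    # leaf-a must ask a spine
    second = leaf_a.forward("Presales", "10.0.2.20")   # now served from its own cache
    local = leaf_b.forward("Presales", "10.0.2.20")    # leaf-b owns the endpoint
    unknown = leaf_a.forward("Presales", "10.0.3.99")  # nobody has learned this IP
    return first, second, local, unknown


if __name__ == "__main__":
    for label, result in zip(("first", "second", "local", "unknown"), demo()):
        print(label, result)
```

The "unknown" branch is the case worth watching operationally: a destination that no spine knows about is exactly the situation in which a leaf has to fall back to other mechanisms, so endpoints that never show up in the spine mapping are a signal to look at the endpoint table on the leaf that should own them.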
Topology
Fabric : Cisco ACI inventory and configuration point for intra-fabric and access policies
Hyper-V, or KVM
L4-L7 Services : Package repository for upper-layer service elements, such as firewalls or
Admin : Menu for controlling the operation, administration, and maintenance (OAM) aspects
Apps : App center used for deploying applications in the Cisco ACI
The Cisco ACI solution uses an overlay, based on VXLAN, to virtualize the physical
infrastructure. This overlay, like most overlays, requires the data path at the edge of the
network to map from the tenant end-point address in the packet, also known as its identifier,
to the location of the endpoint, also known as its locator. This mapping occurs in a function
called a tunnel endpoint (TEP), also known as VXLAN tunnel end point (VTEP). The VTEP
addresses are displayed in the INFRASTRUCTURE IP column. The TEP address pool
. . . / has been configured on the Cisco APIC using the initial setup dialog. The APIC
assigns the TEP addresses to the fabric switches via DHCP, so the infrastructure IP
addresses in your fabric will be different from the figure.
Clicking on the node provides information on the neighbor and port connectivity.
The Link Layer Discovery Protocol (LLDP) is responsible for discovering directly
adjacent neighbors. When run between the Cisco APIC and a leaf switch, it precedes
three other processes: Tunnel endpoint (TEP) IP address assignment, node software
upgrade (if necessary), and the intra-fabric messaging (IFM) process, which is used
by the Cisco APIC to push policy to the leaves.
apic1# acidiag -h
usage: acidiag [-h] [-v]
{avread,fnvread,fnvreadex,rvread,rvreadle,crashsuspecttracker,bootother,bootcurr,journal,logs,
...
positional arguments:
{avread,fnvread,fnvreadex,rvread,rvreadle,crashsuspecttracker,bootother,bootcurr,journal,
sub-command help
avread read appliance vector
fnvread read fabric node vector
fnvreadex read fabric node vector (extended mode)
rvread read replica vector
rvreadle read replica leader summary
crashsuspecttracker
read crash suspect tracker state
bootother on next boot, boot other Linux Partition, and display
updated /etc/grub.conf
bootcurr on next boot, boot current Linux Partition, and
Total 3 nodes
Cisco APIC Version ( . ) allows you to configure the system and view the configuration
through the CLI.
apic1# conf t
apic1(config)# sh run
# Command: show running-config
aaa banner 'Application Policy Infrastructure Controller'
aaa authentication login console
exit
<... output omitted ...>
Notice that you assign a subnet, and the IP addresses are chosen from that block.
To assign to ONLY ONE device, put the same number twice.
Removing the OOB management address does not affect the capability to SSH from the APIC
to a leaf, as this happens over the infra network which ACI has set up.
This is where you can validate the OOB Management address of a specific Leaf/Spine
Notice above that you have separate config item named “Port Channel Policy” in ACI
What's happening in the above step is that you are defining the characteristics of what a
3. Configure a VPC Protection Group table with these settings and click Submit.
Name: ACI
ID: 100
vPC domain policy: default
Switch 1: leaf-a (switch ID 101)
Verification
show vpc status shows the peer link connectivity and also lists the port channels that
are configured on the leafs.
Notice that in the above configuration the port channel number is NOT the same on
the one leaf and the other, even though both are for the SAME port channel configured towards a single end
host.
Note that once the vPC config above is complete you can verify your config in the UI.
one default VRF with other tenants when there is no overlapping IP addressing
being used in the ACI fabric.
3. Create a bridge domain, named Presales-BD , associated with the Presales VRF inside
the Sales tenant.
A bridge domain is a unique Layer 2 forwarding domain that contains one or more
subnets. Each bridge domain must be linked to a VRF. By default, unicast routing is
enabled. ARP flooding is disabled so that unicast routing will be performed on the
target IP address. Endpoint dataplane learning controls whether the remote leaf
switch should update the IP-to-VTEP information with the source VTEP of traffic
coming from this bridge domain.
Note: First-hop security and other policies are enabled on a per tenant bridge
domain basis. As the bridge domain may be deployed on a single or across multiple
leaf switches, the first-hop security threat control and mitigation mechanisms cater
1. Configure four subnets for the Presales-BD with these default gateways:
10.0.1.254/24 , 10.0.2.254/24 , 10.0.3.254/24, and 10.0.4.254/24 .
5. Create a Contract Web-Access and include the filter Basic-Ping-SSH and HTTP
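Step 5 above (the Web-Access contract made of the Basic-Ping-SSH and HTTP filters) is a good place to see what the contract actually permits before it is pushed. The following is an added example, not code from these notes or from Cisco. It assumes the APIC object classes `vzFilter`, `vzEntry`, `vzBrCP`, `vzSubj` and `vzRsSubjFiltAtt` with their usual attribute names, and that the payload would be POSTed to `/api/mo/uni.json` (a hypothetical call that this code does not perform); the tenant, contract and filter names come from the lab steps, while the individual filter entries (ICMP, TCP/22, TCP/80) and the subject name are constructed.

```python
"""Build the tenant JSON for a contract plus its filters, and flatten what it
permits for review (added example; entry details are constructed)."""
import json


def filter_obj(name, entries):
    """vzFilter with one vzEntry per (entry_name, protocol, port); port None means any port."""
    children = []
    for entry_name, prot, port in entries:
        attrs = {"name": entry_name, "etherT": "ip", "prot": prot}
        if port is not None:
            attrs.update({"dFromPort": str(port), "dToPort": str(port)})
        children.append({"vzEntry": {"attributes": attrs}})
    return {"vzFilter": {"attributes": {"name": name}, "children": children}}


def contract_obj(name, subject, filter_names, scope="context"):
    """vzBrCP with a single subject referencing the named filters by tnVzFilterName."""
    relations = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [{"vzSubj": {"attributes": {"name": subject},
                                                "children": relations}}]}}


def tenant_payload(tenant, filters, contract):
    """Tenant subtree carrying the filters and the contract (the body of a hypothetical
    POST /api/mo/uni.json; nothing is sent here)."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [*filters, contract]}}


def permitted(payload):
    """Flatten what the contract permits as sorted (filter, protocol, port) tuples.
    A subject that references a filter missing from the tenant contributes nothing,
    which is itself worth checking (see dangling_filters)."""
    tenant = payload["fvTenant"]
    filters = {c["vzFilter"]["attributes"]["name"]: c["vzFilter"]["children"]
               for c in tenant["children"] if "vzFilter" in c}
    out = []
    for c in tenant["children"]:
        if "vzBrCP" not in c:
            continue
        for subj in c["vzBrCP"]["children"]:
            for rel in subj["vzSubj"]["children"]:
                fname = rel["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for entry in filters.get(fname, []):
                    a = entry["vzEntry"]["attributes"]
                    out.append((fname, a["prot"], a.get("dFromPort", "any")))
    return sorted(out)


def dangling_filters(payload):
    """Filter names a subject references that are not defined in the tenant payload."""
    tenant = payload["fvTenant"]
    defined = {c["vzFilter"]["attributes"]["name"] for c in tenant["children"] if "vzFilter" in c}
    referenced = {rel["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                  for c in tenant["children"] if "vzBrCP" in c
                  for subj in c["vzBrCP"]["children"]
                  for rel in subj["vzSubj"]["children"]}
    return sorted(referenced - defined)


def web_access_payload():
    """The lab's Web-Access contract in tenant Sales (entry details constructed)."""
    filters = [filter_obj("Basic-Ping-SSH", [("icmp", "icmp", None), ("ssh", "tcp", 22)]),
               filter_obj("HTTP", [("http", "tcp", 80)])]
    contract = contract_obj("Web-Access", "Web-Subject", ["Basic-Ping-SSH", "HTTP"])
    return tenant_payload("Sales", filters, contract)


if __name__ == "__main__":
    payload = web_access_payload()
    print(json.dumps(payload, indent=2))
    print("permits:", permitted(payload))
    print("dangling filters:", dangling_filters(payload))
```

Flattening the permitted tuples is the review step: it makes the allowed set (ICMP, TCP/22, TCP/80 here) explicit, and `dangling_filters` catches the easy mistake of a subject pointing at a filter name that was never created, which would leave the contract permitting less than intended without any error at build time.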
1. Create a vCenter VMM Domain in ACI and also configure the Dynamic VLAN Range.
1. Create an AAEP named vCenter AAEP and join the vCenter VMM Domain and the ESX
Policy Group created in Lab 2.
2. Now go to the Interface Policy Group ESX and attach the vCenter AAEP to it as well.
3. Add ESXi Host . . . to the DVS switches and assign the uplinks.
3. Now go to the APIC, look for the uplink vmnics there and see the discovered peers
(leafs).
4. Now associate the Application Profile's domain (VMs and BareMetals) to the VMM
Domain created.
This will create the EPGs under this Application Profile as port groups in VMware!
Now these port groups can be assigned to different VMs, which in ACI map to
different EPGs.
In this activity you will deploy ASAv as a service in the Cisco ACI. The traffic between the
DB and BACKUP EPGs will go through the ASAv. You will implement two types of
operation: managed and unmanaged mode.
Step . LOAD the device package. A device package contains the mappings and
abstractions of the object model of the device that is being controlled and the scripts to
configure the device.
L4–L7 Services > Packages > Quick Start > Import Device Package (asa-device-
pkg- . . . .zip)
Step . REVIEW the details of the package. You should see several web policy
profiles, for routed and transparent mode. All of them initially permit web traffic, with
different combinations of IP version and NAT.
EXAMINE WebPolicyForRoutedMode, the first profile in the list. This section is the
configuration placeholder for a Cisco ASA deployment in Layer 3 (routed) mode. Among other things,
you will see the configuration of an ACL and the external and internal interfaces.
NOTE: If you do not customize these settings, the firewall will be configured with a single
ACL (access-list-inbound) to permit HTTP and HTTPS.
Step . Verify OOB Management to ASAv All communication between the Cisco
APIC and the Cisco ASAv occurs via HTTPS. The Cisco ASAv has been pre-
provisioned with the necessary commands to enable HTTPS/SSH management
access.
Step . Notice that all the ports of the ASAv in vSphere are assigned to the default
VM Network. Once the L4-L7 deployment is complete you will see the ports change.
Step . Log in to the ASAv and verify the basic configs AND HTTPS access:
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.71 255.255.255.0
Step . Go to Services > L4–L7, expand Deployed Devices, and examine the ASA-
Presales device. You should see the VLAN encapsulations for the cluster
devices.
Step . Customize the Cisco ASAv Configuration You can assign ASAv interface IP
Step . Exami
Overview
Course Goal and Objectives
Prerequisites
Course Outline
Module 1: Cisco ACI Component Review
Techsupport Files