
Nexus 9000 ACI Boot Camp Lab Guide

Table of Contents

Lab Overview ........................................................................................................................... 4


Virtual Lab Physical Topology ................................................................................................... 4
Virtual Lab Logical Topology ..................................................................................................... 5
Virtual Lab Access .................................................................................................................... 5
Lab 1: Fabric Discovery ............................................................................................................. 6
Overview: ......................................................................................................................................... 6
Procedures: ...................................................................................................................................... 6
System Login: .............................................................................................................................................6
Register Nexus 9000 Switches to APIC: .................................................................................................. 10
Register Leaf1 Switch to APIC: ................................................................................................................ 11
Register Spine1 and Spine2 Switches to APIC: ....................................................................................... 12
Register Leaf2 Switch to APIC: ................................................................................................................ 13
Fabric View of Discovered Nexus 9000 Switches: .................................................................................. 13
Familiarizing Yourself with Fabric Switches: ......................................................................................... 14
Familiarizing Yourself with Fabric Controllers: ..................................................................................... 18
Summary: ....................................................................................................................................... 18
Lab 2: Building Out of Band Access to Spine and Leaf Switches ................................................ 19
Overview: ....................................................................................................................................... 19
Procedures: .................................................................................................................................... 19
Access the “mgmt” tenant: .................................................................................................................... 19
Creating Node Management Addresses................................................................................................. 20
Confirm Addresses have been assigned: ................................................................................................ 22
Summary ........................................................................................................................................ 23
Lab 3: Building VPCs to Connect to ESX-1 and ESX-2 ................................................................ 24
Overview: ....................................................................................................................................... 24
Procedures: .................................................................................................................................... 24
Create Interface Policies ......................................................................................................................... 24
Creating Interface Policy Groups ............................................................................................................ 29
Create Interface Profiles ......................................................................................................................... 31
Create Leaf Switch Profile....................................................................................................................... 33
Creating VPC Explicit Protection Group.................................................................................................. 35
Summary ........................................................................................................................................ 37
Lab 4: Building Basic Network Constructs................................................................................ 38
Overview: ....................................................................................................................................... 38
Procedures: .................................................................................................................................... 39
Building a Tenant: ................................................................................................................................... 39
Building a Private Layer 3 Network: ....................................................................................................... 40
Building a Bridge Domain ....................................................................................................................... 40
Building a Second Bridge Domain........................................................................................................... 43
Building a Third Bridge Domain .............................................................................................................. 44

Summary ........................................................................................................................................ 45
Lab 5: Building Policy Filters and Contracts ............................................................................. 46
Overview: ....................................................................................................................................... 46
Procedures: .................................................................................................................................... 46
Creating Filters:....................................................................................................................................... 46
Creating Contracts .................................................................................................................................. 53
Summary ........................................................................................................................................ 61
Lab 6: Deploying a 3-Tier Application Network Profile ............................................................. 62
Overview: ....................................................................................................................................... 62
Procedures: .................................................................................................................................... 62
Creating Application Profile:................................................................................................................... 62
Summary ........................................................................................................................................ 70
Lab 7: Integrating with VMware ............................................................................................. 71
Lab 7-A: Registering VMM Domain................................................................................................ 71
Overview: ....................................................................................................................................... 71
VMware vCenter Server Topology: .................................................................................................. 71
Procedures: .................................................................................................................................... 72
Register APIC to VMware vCenter (Create VMM Domain): ................................................................... 72
Create vCenter Credentials: ................................................................................................................... 76
Create vCenter Server Object: ................................................................................................................ 76
Verifying APIC Connection to vCenter Server: ....................................................................................... 78
Summary: ....................................................................................................................................... 81
Lab 7-B: Adding ESXi Hosts to APIC DVS......................................................................................... 82
Overview: ....................................................................................................................................... 82
Procedures: .................................................................................................................................... 82
Add ESXi Hosts to APIC DVS: ................................................................................................................... 82
Summary ........................................................................................................................................ 85
Lab 7-C: Associating EPGs to the vCenter Domain ...................................................................... 86
Overview: ....................................................................................................................................... 86
Procedures: .................................................................................................................................... 86
Associating vCenter Domain to Application Server EPG: ....................................................................... 86
Associating vCenter Domain to Database Server EPG: .......................................................................... 88
Associating vCenter Domain to Web Server EPG: .................................................................................. 89
Summary: ....................................................................................................................................... 91
Lab 7-D: Associating VM to EPG Port-Groups ................................................................................. 92
Overview: ....................................................................................................................................... 92
Procedures: .................................................................................................................................... 92
Map VMs to EPG Port-Groups: ........................................................................................................... 92
Edit Web-Server Settings: ..................................................................................................................... 93
Edit App-Server Settings: ...................................................................................................................... 95
Edit DB-Server Settings: ........................................................................................................................ 97
Summary: ....................................................................................................................................... 99
Lab 8: The Attachable Access Entity Profile (AAEP) ................................................................ 100
Overview: ..................................................................................................................................... 100
Procedures: .................................................................................................................................. 100
Creating Attachable Access Entity Profile ............................................................................................ 100
Confirming Creation of AAEP ................................................................................................................ 102
Summary ...................................................................................................................................... 103
Lab 9: Layer 3 External ......................................................................................................... 104
Overview ...................................................................................................................................... 104
Procedures: .................................................................................................................................. 105
Configure Fabric Pod Policy .................................................................................................................. 105
Configure Fabric Group Policies ........................................................................................................... 107
Configure Routed L3 External Network ................................................................................................ 109
Create External Routed Network ......................................................................................................... 109
Create External Node Profile ................................................................................................................ 111
Create OSPF Interface Profile ............................................................................................................... 112
Configure Consumer for L3-Out-EPG ...................................................................................................... 119
Confirm Contracts are in place ............................................................................................................. 120
Set Default OSPF Settings for Private Network .................................................................................... 121
Associate the L3 Outside Network to a Bridge Domain ....................................................................... 122
Summary ...................................................................................................................................... 123
Lab 10: Exploring Monitoring and Troubleshooting ............................................................... 124
Procedures: .................................................................................................................................. 124
Viewing Faults Using the GUI ............................................................................................................... 124
Events ................................................................................................................................................... 124
Viewing Events Using the GUI .............................................................................................................. 125
Log Retention Policies .......................................................................................................................... 125
Configuring Log Retention Policies in the GUI...................................................................................... 126
Using the API Inspector ........................................................................................................................ 126
Capturing an API Interchange for Inspection ....................................................................................... 126
Using the Managed Object Browser..................................................................................................... 128
Accessing Visore .................................................................................................................................. 128
Running a Query in Visore .................................................................................................................... 128
Supplemental Lab 1: Deploying a Service Graph into the Application Network Profile ........... 130
Overview ...................................................................................................................................... 130
Procedures ................................................................................................................................... 130
vCenter ACI Removal ............................................................................................................................ 130
Automation Through Python Scripting ................................................................................................. 134
Removing ACI Objects Created from Labs 2 - 5: ................................................................................ 136
Deploying Service Graph through Northbound API: ............................................................................ 136
View Service Graph: .............................................................................................................................. 137
Verify on ASA ASDM GUI: ..................................................................................................................... 140
Verifying on vCenter: ............................................................................................................................ 142
Summary ...................................................................................................................................... 144

Lab Overview
The Cisco Nexus 9000 platform has two modes of operation. In the first mode, known as “Standalone”, the
Nexus 9000 runs an enhanced version of the NX-OS operating system to provide a traditional switching model
with advanced automation and programmability capabilities.

In the second mode, ACI mode, the Nexus 9000 provides an application-centric representation of the
network as a whole, using advanced features and profile-based deployment to abstract the complexity of
the underlying network while improving application visibility and business agility through DevOps
methodologies. These labs focus on ACI mode.

Virtual Lab Physical Topology


The virtual pod topology consists of the following virtual machines:

• vCenter Server (also used as the RDP jump box)
• ACI Simulator – release version 2.0.1m
o APIC1, APIC2 and APIC3
o Leaf1 and Leaf2
o Spine1 and Spine2
• ESXi-1
• ESXi-2
• Linux

This lab will also be configured “as if” it were connected to a pair of UCS Fabric Interconnects. The assumption
is that a UCS domain is on the same out-of-band network as the ACI APICs, the OOB management interfaces of
the spines and leafs, vCenter, and ESXi-1 and ESXi-2.

Figure 1: Virtual Lab Topology

Virtual Lab Logical Topology
For consistency, we will refer to the logical setup of the ACI pod and the associated servers. This more
closely reflects what would happen in a live ACI environment. As we progress, we will update the diagram
below as needed.

Figure 2: Virtual Lab Logical Topology

Virtual Lab Access


The virtual lab provides the user with a Windows 2008 Server “jumpbox” to access their virtual pod. This
server is also used as the VMware Virtual Center Server, as shown in the virtual lab topology above. All
of the lab exercises are completed within this jumpbox and do not require any other resources.

To access the jumpbox, log in to Labops and left-click on the “jumphost” assigned to you (the vCenter box).

Choose “RDP Client” to download a config file for your native RDP client.
(If you are using IE, you can use TerminalService instead to run an RDP client inside the browser.)
You can log in as either “administrator” or “student”:
Administrator/C!sc0123
Student/P@ssw0rd

Lab 1: Fabric Discovery

Overview:
In this lab section, we will register the switches to the primary APIC controller (APIC1), which then
discovers the rest of the fabric. This lab walks you through that process and then familiarizes you with
the fabric topology portion of the APIC GUI. The following tasks will be completed:

• System Login
• Register Nexus 9000 switches to APIC Controller
• Familiarization of Fabric Topology

Procedures:

System Login:
Open the “Firefox” browser on your desktop. The screen resolution of the Windows session is set at 1024
x 768. This cannot be changed and may require you to scroll left/right and up/down in Firefox while navigating
the APIC GUI. To make things quicker and easier to navigate, you can adjust the resolution of the Firefox
view by opening the menu on the far right and clicking the “-” sign.

Figure 3: Adjusting viewable area of the browser

The web page should default to the IP address of the APIC1 controller, which is https://192.168.1.11. If it
does not, enter that address into the browser or ask your instructor for assistance.

• The APIC GUI login prompt will appear; type “admin” for the User ID and “cisco123” for the
password.
Figure 4: Application Policy Infrastructure Controller (APIC) Login screen

You will see the following Warning dialog box, in which you can click the “NO” button.

Figure 5: Deployment Warning message

We can permanently disable the Deployment Warning message as follows.

Figure 6: User Settings

1. From the upper right corner, click on “admin”
2. Scroll down and click on “Settings”; you will be presented with an Application Settings box

Figure 7: Application Settings

1. Check off “Remember Tree Selection”
2. Check off “Disable Deployment Warnings at Login”
3. Click “OK”

Once you are logged in, you are presented with the Dashboard. You are logged in with global
administrative rights and your view includes all system components.

Figure 8: APIC GUI Dashboard View

Register Nexus 9000 Switches to APIC:
The top menu bar is broken down into several logical sections; the “Fabric” view is where you will register the
switches to the APIC. Follow the steps in the figure below.

Figure 9: APIC Fabric Section View

Note: Whenever you click on a top menu entry, the sub-menu text shown in white is the view you are
currently in. The other views from that sub-menu are shown in grey; they are not in view but can be
selected. For example, when you click on the top menu “Fabric”, the default view is set to
“INVENTORY” (highlighted by the yellow box) while the other entries are in grey.

1. Click on “Fabric” to get to the Fabric view.
2. Click on the “+” next to “Fabric Membership” to expand the view, and you will notice the TEP-1-101
switch entry. This is the simulated “Serial Number” of a Nexus 9000 switch. It is the leaf switch
that APIC1 is connected to, which has not yet been registered.

Register Leaf1 Switch to APIC:
We will now register the Leaf1 switch to the APIC. Follow the figures below to complete this task.

Figure 10: Registering First Switch to the APIC

1. Select “Fabric Membership” by clicking on that entry. Once you do, the view on the right-hand
side will show a switch with serial number “TEP-1-101” and an ID of “0”. Take notice that its role is
“leaf”.
2. We will now register this leaf switch. To do so, double-click on the row “TEP-1-101”.

Figure 11: Registering Leaf Switch TEP-1-101

1. In the “NODE ID” box, type in 101. Node IDs for the switches start at 101, as 1 – 100 are
reserved for other purposes.
2. In the “NODE NAME” box, type in Leaf1. You can technically provide any name for this switch,
but for the purposes of this lab, please type in Leaf1. There is another box under “RACK NAME”, but
we will skip entering anything into this box for this lab.
3. Once the ID and switch name are provided, click on “UPDATE”

Note: When the switch is registered, you will notice that an IP address with a /32 mask is assigned. This
address is the VXLAN tunnel IP used by the fabric on this switch.

Register Spine1 and Spine2 Switches to APIC:
With the first fabric switch registered, APIC1 will now start discovering the fabric along with the other
controllers it can see. Please wait 30-60 seconds for the APIC GUI to see the other switches in the
fabric. You should see 2 additional switches appear in the “Fabric Membership” view. When you do, please
register those switches as well, following the figures below to complete the task.

Figure 12: Discovery of Spine Switches

Note: The fabric has discovered 2 additional switches with serial numbers “TEP-1-103” and “TEP-1-104”.
Notice under “ROLE” that these are spine switches, with their Node ID set to 0. We will use TEP-1-103 as our
Spine1 and TEP-1-104 as our Spine2. In some pods TEP-1-104 may be the first one discovered, and in other
pods TEP-1-103 is discovered first. It is irrelevant which switch gets discovered first.

Figure 13: Registering Spine Switch TEP-1-103

1. In the “NODE ID” box, type in 103.
2. In the “NODE NAME” box, type in Spine1. You can technically provide any name for this switch,
but for the purposes of this lab, please type in Spine1. There is another box under “RACK NAME”, but
we will skip entering anything into this box for this lab.
3. Once the ID and switch name are provided, click on “UPDATE”

Figure 14: Registering Spine Switch TEP-1-104

1. In the “NODE ID” box, type in 104.
2. In the “NODE NAME” box, type in Spine2. You can technically provide any name for this switch,
but for the purposes of this lab, please type in Spine2. There is another box under “RACK NAME”, but
we will skip entering anything into this box for this lab.
3. Once the ID and switch name are provided, click on “UPDATE”

Register Leaf2 Switch to APIC:

With the spines now discovered, please wait an additional 30-60 seconds for the fabric to discover our
second leaf switch. Follow the figures below to complete the registration of the last switch in the fabric.

Figure 15: Registering Leaf Switch TEP-1-102

1. In the “NODE ID” box, type in 102.
2. In the “NODE NAME” box, type in Leaf2. You can technically provide any name for this switch,
but for the purposes of this lab, please type in Leaf2. There is another box under “RACK NAME”, but
we will skip entering anything into this box for this lab.
3. Once the ID and switch name are provided, click on “UPDATE”

Fabric View of Discovered Nexus 9000 Switches:

With all the switches now discovered in the fabric, you should see the window shown in figure 13.

Figure 16: Fabric Discovery Completion View

Note: With the “Fabric Membership” view still selected, the right-hand window should list all of the
switches that have been registered. Take note that each registered switch has an IP address shown. In
the left-hand window, you should also see all of the switches under the expanded “Pod 1” entry. If you do
not see this view (for example, if Leaf2 is not yet under that section), the fabric may still be in its
discovery and refresh process.

Familiarizing Yourself with Fabric Switches:

With the fabric discovered, you can now familiarize yourself with the physical switches in the environment.
Follow the steps in the figure below to get a view of the switch Leaf1.

Figure 17: Familiarizing Leaf1 Switch

1. On the left-hand panel, expand the “Pod 1” entry by clicking on the “+”
2. Now select the switch “Leaf1 (Node-101)”
3. On the right-hand panel, click on the “TOPOLOGY” tab
4. On the Nexus 9396, click on both of the “green” ports (43 and 44) and the APICs will appear

Note: Here you will see the physical ports of the leaf switch Leaf1. You will notice that it shows the 2 APIC
controllers, APIC1 and APIC2, connected to the interfaces on this switch.

Next, click on the “General” tab in the upper-right section of the window. You can go here to retrieve inventory
information about any of the leaf or spine switches in your environment.

Figure 18: Viewing Inventory Information for Leafs and Spines

Now click on the “Faults” tab in the same area of the window. In Cisco ACI, it is very important to review and
understand the Faults tab. In this lab there can be some false positives due to the nature of the Simulator,
but in practice, tracking down and resolving faults is one of the more critical tasks for a successful Cisco
ACI experience. Be aware that faults are scoped to the part of the fabric you are in: when you are looking
at a leaf switch, the Faults tab is focused on that switch, and when you are on a Tenant tab, the faults
shown are specific to that tenant.

Figure 19: Viewing Faults On A Leaf Switch

You can move around the rest of this section of the “FABRIC” view to look at the other switches.

With the physical fabric fully discovered, follow the steps in the figure below to get a topology overview of
the environment (Pod 1).

Figure 20: Pod 1 Topology View

1. On the left-hand window, select “Pod 1”
2. On the right-hand window, click on the “TOPOLOGY” tab

Note: The topology should show 3 APIC nodes, with APIC1 and APIC2 connected to Leaf1 and APIC3
connected to Leaf2. There should also be connections from Leaf1 to both Spine1 and Spine2, and from
Leaf2 to Spine1 and Spine2. If you do not see the lines as shown in figure 13, please wait up to
5 minutes, as the time it takes the environment to build out the connections varies between pods.

Familiarizing Yourself with Fabric Controllers:
From the previous view, we see three (3) controllers in our fabric. To get information about those
controllers, follow the figures below and familiarize yourself with managing them.

Figure 21: Familiarizing Fabric Controllers

3. On the top menu, select “SYSTEM”
4. Then on the sub-menu, click on “CONTROLLERS”
5. Expand the “Controllers” view on the left-hand side by clicking the “+” sign
6. Select “apic1 (Node-1)” to view information about the controller.
7. Click on the “General” tab to view the APIC information

Summary:
Lab 1 is designed to familiarize you with the startup process of discovering the fabric and viewing each of its
physical components. This lab also gets you familiar with navigating the Fabric view of the APIC GUI. This
is the first critical step in building up the ACI environment, and it provides the baseline infrastructure on
which your application network will be built.

Lab 2: Building Out of Band Access to Spine and Leaf Switches

Overview:
In this lab we will build out-of-band access to the spine and leaf switches. This gives the
administrator SSH/Telnet access to the switches for administration and monitoring. For
this lab, we will use the same IP address range as the APICs and ESX/vCenter
(192.168.1.0/24). We will then confirm that the IP addresses have been assigned and are
working. Addresses will be assigned per the diagram below.

Figure 22: Virtual Lab Logical Topology

Procedures:

Access the “mgmt” tenant:

We will cover the concept of Tenants in greater detail in the next section. For now, proceed with
the following.

Figure 23: Access the mgmt tenant

1. On the top menu, select “SYSTEM”
2. Then on the sub-menu, click on “mgmt”
3. Alternatively, you can also click on “mgmt” in the lower menu

Creating Node Management Addresses

When assigning OOB management IPs, you have the option to do so statically or dynamically from a pool of
IPs. For this exercise, we will create them dynamically.

Figure 24: Create Node Management Addresses

1. From the left side menu, expand “Tenant mgmt”
2. Go down to “Node Management Addresses”
3. Right click on “Static Node Management Addresses” and on the menu that pops up, choose
“Create Static Node Management Addresses”

You will then be presented with a screen to configure the settings. We will assign addresses statically to the
spines and leafs.

Figure 25: Create Node Management Address (Leaf1)

1. For Node Range, type “101” in the From field
2. For Node Range, type “101” in the To field
3. For Config, check off “Out-of-Band Addresses” – you will see more fields appear.
4. For Out-of-Band Addresses Management EPG, click the drop-down and choose “default”
5. For Out-of-Band IPv4 Addresses, type “192.168.1.111/24”
6. For Out-of-Band IPv4 Gateway, type “192.168.1.1”
7. Click “Submit”
8. You will be presented with the following confirmation. Click “Yes”

Repeat the process for Leaf2 (Node-102) = 192.168.1.112, Spine1 (Node-103) = 192.168.1.113 and Spine2
(Node-104) = 192.168.1.114.

Confirm Addresses have been assigned:


For this section, we will confirm an IP is assigned to Leaf1, but this process can be repeated for all
switches.

Figure 26: Confirm Address Assignment

1. Select “Fabric” from the top menu – it will default to Inventory
2. In the left side menu, expand “Pod 1”
3. Expand “Leaf1 (Node-101)”
4. Expand “Interfaces”
5. Go down to “Management Interfaces”, expand it and select “mgmt0”
6. Confirm that an IP address has been assigned.

You can also check that an IP is assigned by using PuTTY to SSH to the switch:

Figure 27: SSH/Telnet to Leaf

1. Use PuTTY to SSH to the IP address “192.168.1.14”
2. When prompted, click “Yes” to accept the host key
3. Log in with the same credentials as the APIC – admin/cisco123

Summary
You have now successfully created a pool of IP addresses which were dynamically assigned to our spine
and leaf switches.

Lab 3: Building VPCs to Connect to ESX-1 and ESX-2

Overview:
The goal of Lab 3 is to create VPCs between Leaf1 (node-101) and Leaf2 (node-102) in order to
connect to servers ESX-1 and ESX-2.

Figure 28: Diagram of VPCs to ESX-1 and ESX-2

In this lab, we will continue to build the physical infrastructure of the ACI fabric. We will create a series of
interface policies, and then gather them into interface policy groups. We will also create switch profiles
which use the interface policy groups in order to connect ESX-1 and ESX-2 using VPCs from Leaf1 and Leaf2.

There will be a series of elements which need to be created first before we can create the VPCs. The steps
are:
1. Create Interface Policies
2. Create Interface Policy Group
3. Create Interface Profiles (interface selectors)
4. Create Switch Profile
5. Create VPC Explicit Protection Group

Procedures:

Create Interface Policies


In standalone switches running IOS or NX-OS, you can define the function of a port by specifying things like
link speed/duplex, CDP or port-channel settings. In ACI, we configure the same functionality by
creating specific policies and then aggregating them into a policy group.
Figure 29: Accessing Interface Policies

1. From the main menu, choose “Fabric”
2. From the sub-menu, choose “Access Policies”
3. From the left menu, expand “Interface Policies”
4. Then, expand “Policies” to show the list of policies that are available to be configured

Creating Link Level Policy

Figure 30: Creating Link Level Policy

1. Highlight “Link Level” and right-click. Choose “Create Link Level Policy”
2. A pop-up window will appear to create a Link Level Policy

Figure 31: Link Level Policy

1. In the Create Link Level Policy dialog box, for Name, type “10G-No_Auto”
2. For Auto Negotiation, choose “off”
3. For Speed, click the drop-down and choose “10 Gbps”
4. Click “Submit”

Create CDP Policy

Figure 32: Creating CDP Policy

1. From the Interface Policies section, highlight “CDP Interfaces”, right-click and choose “Create
CDP Interface Policy”
2. A pop-up window will appear to create a CDP Interface Policy

Figure 33: Pop-up Creating CDP Interface Policy

1. For Name, type “CDP-ON”
2. The default for Admin State is already set to enable; we will accept the default.
3. Click “Submit”

Create LLDP Policy

Figure 34: Create LLDP Policy

1. From the Interface Policies section, highlight “LLDP Interfaces”, right-click and choose “Create
LLDP Interface Policy”
2. A pop-up window will appear to create an LLDP Interface Policy

Figure 35: Pop-up Creating LLDP Policy


1. For Name, type “LLDP-TXON-RXON”
2. The default for Receive State is already set to enable; we will accept the default.
3. The default for Transmit State is already set to enable; we will accept the default.
4. Click “Submit”

Creating Port Channel Policy

Figure 36: Creating Port Channel

1. From the Interface Policies section, highlight “Port Channels”, right-click and choose
“Create Port Channel Policy”
2. A pop-up window will appear to create a Port Channel Policy

Figure 37: Pop-up Creating Port Channel Policy

1. For Name, type “LACP-Active”
2. For Mode, click the drop-down and select “LACP Active”
3. Click “Submit”

We have just created 4 different interface policies. In anticipation of creating VPC connections to our ESX-1
and ESX-2 hosts, we will now bundle them into Interface Policy Groups, which are similar to port profiles in
NX-OS.

Creating Interface Policy Groups


Figure 38: Create VPC Interface Policy Group

1. Click “Fabric”
2. Click “Access Policies”
3. Expand “Interface Policies”
4. Highlight “Policy Groups”, right-click
5. Choose “Create VPC Interface Policy Group”
6. A pop-up window will appear to create a VPC Interface Policy group

Figure 39: Specify the Policy Group Identity

1. In the “Name:” field, type “VPC3”
2. In the “Link Level Policy:” field, click the drop-down and choose “10G-No_Auto”
3. In the “CDP Policy” field, click the drop-down and choose “CDP-ON”
4. In the “LLDP Policy” field, click the drop-down and choose “LLDP-TXON-RXON”
5. In the “Port Channel Policy:” field, click the drop-down and choose “LACP-Active”
6. Click “Submit”
Repeat the process and name the second Interface Policy Group “VPC4”, choosing the same settings as VPC3.

Create Interface Profiles
We will continue by creating Interface Profiles, which select the interfaces we plan to use and link them to
the Interface Policy Groups we created in the previous section. Once the interface profiles are complete, we
will create Switch Profiles. A Switch Profile chooses a switch (or switches) and combines that with our
Interface Profile (which selects the interfaces to use).

We will start by creating interface profiles that will be used to select the ports we will use for each VPC.

Figure 40: Create Leaf Interface Profile

1. Click “Fabric”
2. Click “Access Policies”
3. Expand “Interface Policies”
4. Expand “Profiles”
5. Right-click “Leaf Profiles”, choose “Create Leaf Interface Profile”
6. A pop-up window will appear to create a Leaf Interface Profile

Figure 41: Specify the Profile Identity

1. For “Name:”, type “VPC3”
2. In the “Interface Selections:” section, click the “+” at the far right. A pop-up window will appear to specify
the selector identity

Figure 42: Specify Selector Identity

1. In the “Name:” field, type “VPC3-Int-Sel”
2. In the “Interface IDs:” field, type “1/3”
3. In the “Interface Policy Group:” field, click the drop-down and select “VPC3” – which we
created in the previous section.
4. Click “OK”
5. Click “Submit”. This will bring you back to the Interface Selector Screen.

Repeat the process from above to add VPC4 in the Interface Selector, using 1/4 as your interface.
When you are done, you should see this:

Figure 43: Leaf Profiles

Create Leaf Switch Profile


Switch profiles are used to pick a switch (or switches) to tie in our selected interfaces. For example, in a
pair of switches you may have 3 switch profiles: one for each individual switch and one more that defines
both switches as a group, which can be used for configuring VPCs.

We continue by creating a switch profile that will include both Leaf1 (Node-101) and Leaf2 (Node-102).

Figure 44: Create Leaf Switch Profile

1. Click “Fabric”
2. Click “Access Policies”
3. Expand “Switch Policies”
4. Highlight “Profiles”, right-click and choose “Create Leaf Profile”
5. A pop-up window will appear to create a Leaf Profile

Figure 45: Specify the Profile Identity

1. For “Name:”, type “SW-101-102-Prof”
2. In the “Leaf Switch” section, click the “+” to the far right
3. For “Name”, click inside the box and type “Sw-101-102”
4. For “Blocks”, click the drop-down and choose both “101” and “102”. Click outside the drop-down,
then choose “Update”
5. Click “Next” to select interface profiles

Figure 46: Confirm Selection of VPC3 and VPC4 in Interface Selector

1. Check the box next to VPC3
2. Check the box next to VPC4
3. Click “Finish”
When you are done, you should see the following:

Figure 47: Leaf Profile

Creating VPC Explicit Protection Group


In the previous sections, we created all the elements needed to build a VPC – or in this case 2 VPCs:
one towards ESX-1 and another towards ESX-2. We will now create the actual VPCs and tie the elements
together.

We will start by creating a “VPC Explicit Protection Group”, which is essentially the ACI equivalent of a
“VPC Domain ID”.

Figure 48: Create VPC Explicit Protection Group

1. Click “Fabric”
2. Click “Access Policies”
3. Expand “Switch Policies”
4. Expand “Policies”, select “Virtual Port Channel default” then right-click and choose “Create
Explicit Protection Group”
5. A pop-up window will appear to create an Explicit Protection Group

Figure 49: Specify the Explicit Group Settings

1. In the “Name:” field, type “VPC-101-102”
2. In the “ID:” field, type “101”
3. In the “VPC Domain Policy” field, click the drop-down and choose “default”
4. In the “Switch 1:” field, click the drop-down and choose “101”
5. In the “Switch 2:” field, click the drop-down and choose “102”
6. Click “Submit”

Once completed, you should see the following screen.

Figure 50: Properties for VPC-101-102

Summary
In this lab, we built 2 physical VPC connections to ESX-1 and ESX-2, respectively. We started by creating 4
simple interface policies, which we then bundled together in an Interface Policy Group. We then selected
the interfaces we will be using, bound them to the Interface Policy Group in an Interface Profile, and
tied that into a Switch Profile containing both Leaf1 and Leaf2 for the VPC. Finally, we tied all of
these together and created the VPC through the use of an Explicit VPC Protection Group.

Lab 4: Building Basic Network Constructs

Overview:
In this lab we explore the tenancy capabilities of the ACI system. ACI is designed to scale from smaller
commercial environments, which may use a single tenant, to large cloud providers with support for 64,000
tenants and above.

Figure 51: Tenant Tree View

The following tasks will be completed:

• Building a Tenant
• Building a Private Layer 3 Network (VRF)
• Building a Bridge Domain

Procedures:

Building a Tenant:
If you are not currently logged into the APIC GUI, please follow the steps to do so from Lab 1 “System
Login” before proceeding. We will use the wizard to create the Tenant. Follow the figure below to add a
tenant.

Figure 52: Adding a Tenant

1. From the top menu, select “TENANTS”
2. On the sub-menu, click on “ADD TENANT”, which is shown in the orange box
3. A pop-up window will appear to go through the process of adding a tenant.

Figure 53: Create Tenant Wizard

1. In the “Name” window, type in ACILab
2. In the “VRF Name” field, type in ACILab_VRF, which will create the VRF when finished
3. Leave the check box to default “Take me to the tenant when I click finish”
4. Click on “SUBMIT” to continue

Building a Private Layer 3 Network:


You will automatically be taken “into” the Tenant for further configuration. Click on the “Networking”
folder in the Navigation pane. This is where we will create a bridge domain and private layer 3
network.

We will keep things simple by creating 1 bridge domain for each eventual End Point Group (EPG) that will
be created. This is also sometimes referred to as Network Centric Mode and is a very common way to
start getting used to ACI, as it creates a closer feel to a traditional network.

Figure 54: Tenant Networking Overview

Building a Bridge Domain


The next steps create the Bridge Domain for this private L3 network.

1. Drag and drop the icon over the icon in order to add a bridge domain to the VRF
2. The following window will appear

Figure 55: Creating a Bridge Domain

3. In the “Name” window, type in ACILab_BD1
4. Set the “Forwarding” to Optimize
5. Leave the other options blank
6. Click on the menu option at the top of the window for L3 Configurations and the following window
will appear
Figure 56: Creating Bridge Domain – L3 Configuration

7. In the “Subnets:” section, click on the “+” to add a gateway and mask and the following window
will appear

Figure 57: Create Subnet

8. For the “Gateway IP”, type in 10.10.10.1/24 and leave everything else in that row as default.
9. Click on the “OK” button.

Figure 58: Completing the Creation of the Bridge Domain

10. Once the “OK” button has been clicked, the “OK” button on the previous screen will become
active. Please click on the “OK” button that is now active on that screen.
11. You will see the following when complete.

Figure 56: Drag and Drop BD creation – ACILab-BD1

Building a Second Bridge Domain

1. Follow the same steps 1-11 above to create a second bridge domain with the following
information:
a. “Name” = ACILab_BD2
b. “Subnet” / “Gateway” = 20.20.20.1/24
2. You will see the following when complete.

Figure 56: Drag and Drop BD creation – ACILab-BD2

Building a Third Bridge Domain

1. Follow the same steps 1-11 above to create a third bridge domain with the following
information:
a. “Name” = ACILab_BD3
b. “Subnet” / “Gateway” = 30.30.30.1/24
2. You will see the following when complete.

Figure 57: Drag and Drop BD creation – ACILab-BD3

3. You can now click on the “Tenant ACILab” on the left tree menu to see an overview of the tenant
and click through the menu and tabs to familiarize yourself with the other menus and options.

Figure 58: Overview of tenant ACILab

Summary
You have now successfully created a tenant with a basic network VRF and a few bridge domains. The ACI
system provides full configurability for multiple tenants. Depending on the chosen deployment model, this
will allow users to segregate management, administration, troubleshooting and the underlying network
infrastructure.

Lab 5: Building Policy Filters and Contracts

Overview:
To build the foundation of the application profile, it is necessary to create filters within our
tenant that will be utilized by the contracts. Those contracts will then be associated with the EPGs
that make up our 3-Tier application profile. The following tasks will be completed in
this section of the lab:

• Creating Filters
• Creating Contracts

Procedures:

Creating Filters:
Note: PLEASE MAKE SURE THAT YOU ARE ON THE “ACILab” TENANT BEFORE CREATING FILTERS
AND CONTRACTS

Create Web Filter


In this portion of the lab, we will first create a Web Server Filter

Figure 59: Creating Web Server Filter

1. In the ACILab tenant, expand the “Security Policies” window on the left-hand panel
2. Select the “Filters” section
3. On the right-hand panel, click on the “ACTIONS” button

4. Select “Create Filter”
Figure 60: Define Web Server Filter Information

1. In the “Name” window, type in Web_Filter
2. On the “Entries:” window, click on the “+” and a new entry window will appear. Please
provide the following information under each window:
• Name: http_filter
• EtherType: IP
• ARP Flag: <do nothing>
• IP Protocol: tcp
• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified
• Destination Port/Range (From): http
• Destination Port/Range (To): http
• TCP Session Rules: Unspecified
3. Click on “UPDATE”

Figure 61: Completing Creation of Web Server Filter

1. On the “Entries:” window, click on the “+” and a new entry window will appear. Please
provide the following information under each window:
• Name: https_filter
• EtherType: IP
• ARP Flag: <do nothing>
• IP Protocol: tcp
• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified
• Destination Port/Range (From): http
• Destination Port/Range (To): http
• TCP Session Rules: Unspecified
2. Click on “UPDATE”

Figure 62: Specify Filter Identity

3. Once the “UPDATE” button is clicked, the “SUBMIT” button will be active. Please click on
“SUBMIT” to create the web filter.
Create App Filter
We will now create an Application Server filter

Figure 63: Creating Application Server Filter

1. Click on the “ACTIONS” button


2. Select “Create Filter”

Figure 64: Define Application Server Filter Information

1. In the “Name” window, type in App_Filter
2. On the “Entries:” window, click on the “+” and a new entry window will appear. Please
provide the following information under each window:
• Name: app_filter
• EtherType: IP
• ARP Flag: <do nothing>
• IP Protocol: tcp

• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified
• Destination Port/Range (From): 1433
• Destination Port/Range (To): 1433
• TCP Session Rules: Unspecified

Note: When entering “1433” into the windows for “Destination Port/Range (From)” and “Destination
Port/Range (To)”, make sure that you do not hit the Tab key after entering 1433. If you do, the
window may choose “https” or another entry from the options. So after you enter 1433, make sure
that the window shows 1433.

3. Click on “UPDATE”

Figure 65: Completing Creation of Application Server Filter

1. Once the “UPDATE” button is clicked, the “SUBMIT” button will be active. Please click on
“SUBMIT” to create the application filter.

Create DB Filter
We will now create a Database Server filter

Figure 66: Creating Database Server Filter

1. Click on the “ACTIONS” button


2. Select “Create Filter”

Figure 67: Define Database Server Filter Information

1. In the “Name” window, type in DB_Filter
2. On the “Entries:” window, click on the “+” and a new entry window will appear. Please
provide the following information under each window:
• Name: db_filter
• EtherType: IP
• ARP Flag: <do nothing>
• IP Protocol: tcp
• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified

• Destination Port/Range (From): 1521
• Destination Port/Range (To): 1521
• TCP Session Rules: Unspecified
3. Click on “UPDATE”

Figure 68: Completing Creation of Database Server Filter

1. Click on “SUBMIT” to create the database filter.

Figure 69: View of Created Filters

Creating Contracts
With the filters created, we will now create the contracts that will use those filters. Please follow the
procedures below to create the various contracts and associate the filters to those contracts.

Create Web Contract


We will first create a Web Server Contract

Figure 70: Creating a Web Server Contract

1. In the ACILab tenant, expand the “Security Policies” window on the left-hand panel
2. Select the “Contracts” section
3. On the right-hand panel, click on the “ACTIONS” button
4. Select “Create Contract”

Figure 71: Providing Web Server Contract Information

1. In the “Name” window, type in Web_Con
2. Leave the other boxes default and click on the “+” next to “Subjects:”

Figure 72: Creating Web Server Contract Subject

1. In the “Name” window, type in web_subj

2. Make sure both the “Reverse Filter Ports” and “Apply Both Directions” check boxes are checked
3. Under the “Filter Chain” window, click on the “+” sign to add a filter
4. Click the drop-down arrow to show the list of filters and select
“Web_Filter” under the “ACILab” tenant
5. Once selected, click on “Update”

Figure 73: Updating Filter Chain Selection

6. Click on “OK” to complete the filter chain selection

Figure 72: Completion of Web Server Contract

7. Please click on the “SUBMIT” button to create the web server contract.
8. We will now create an Application Server Contract

Create Application Contract

Figure 73: Creating an Application Server Contract

1. On the right-hand panel, click on the “ACTIONS” button
2. Select “Create Contract”

Figure 74: Providing Application Server Contract Information

1. In the “Name” window, type in “App_Con”
2. Leave the other boxes default and click on the “+” next to “Subjects:”

Figure 75: Creating Application Server Contract Subject

3. In the “Name” window, type in “app_subj”.
4. Make sure both the “Reverse Filter Ports” and “Apply Both Directions” check boxes are checked.
5. Under the “Filter Chain” window, click on the “+” sign to add a filter.
6. Click the drop-down arrow to show the list of filters and select
“App_Filter” under the “ACILab” tenant.
7. Once selected, click on “Update”.

Figure 76: Completion of Application Server Contract Subject

8. Once the “Update” button is clicked, the “OK” button will be active. Please click on “OK” to
create the application server contract subject.
Figure 77: Completion of Application Server Contract

9. Please click on the “SUBMIT” button to create the application server contract.

Create DB Contract

We will now create a Database Server Contract

Figure 78: Creating a Database Server Contract

1. On the right-hand panel, click on the “ACTIONS” button
2. Select “Create Contract”

Figure 79: Providing Database Server Contract Information

3. In the “Name” window, type in DB_Con
4. Leave the other boxes default and click on the “+” next to “Subjects:”

Figure 80: Creating Database Server Contract Subject

5. In the “Name” window, type in db_subj
6. Make sure both the “Reverse Filter Ports” and “Apply Both Directions” check boxes are checked
7. Under the “Filter Chain” window, click on the “+” sign to add a filter
8. Click the drop-down arrow to show the list of filters and select
“DB_Filter” under the “ACILab” tenant
9. Once selected, click on “Update”

Figure 81: Completion of Database Server Contract Subject

10. Once the “UPDATE” button is clicked, the “OK” button will be active. Please click on “OK” to
create the database server contract subject.

Figure 82: Completion of Database Server Contract

11. Please click on the “SUBMIT” button to create the database server contract.

Figure 83: View of Created Contracts

Summary
You now have successfully created the tenant filters and contracts that can be fully utilized by any
Application Profile and EPGs. We will next focus on creating the application profile and EPGs that will
associate these contracts and filters.

Lab 6: Deploying a 3-Tier Application Network Profile

Overview:
With the filters and contracts created in the previous lab, we can now build our application profile. The
Application Profile allows your environment to build a template of network attributes and policies that
can be dynamically instantiated and seamlessly inserted. The following tasks will be completed in
this section of the lab:

• Building an Application Profile for a 3-Tier Application

Procedures:

Creating Application Profile:


We will create a 3-Tier Application Profile

Figure 84: Creation of Application Profile

1. In the “ACILab” tenant, select “Application Profiles” on the left-hand panel
2. Click on the “ACTIONS” button on the right-hand panel
3. Select “Create Application Profile”

Figure 85: Providing Application Profile Information

1. In the “Name” window, type in “3Tier_App”.
2. In the “EPGs” window, click on the “+” to create an EPG

Figure 86: Create a Web Server EPG

1. In the “Name” window, type in Web_EPG
2. On the drop-down box for the “Bridge Domain” select “ACILab_BD1”
3. On the drop-down box for the “Provided Contract” select “Web_Con”
4. On the drop-down box for the “Consumed Contract” select “App_Con”
5. Click “Update”

Figure 87: Adding Another EPG

1. In the “EPGs” window, click on “+” to add another EPG

Figure 88: Create an Application Server EPG

1. In the “Name” window, type in App_EPG
2. On the drop-down box for the “Bridge Domain” select “ACILab_BD2”
3. On the drop-down box for the “Provided Contract” select “App_Con”
4. On the drop-down box for the “Consumed Contract” select “DB_Con”
5. Click “Update”

Figure 89: Add Another EPG

1. In the “EPGs” window, click on “+” to add another EPG

Figure 90: Create a Database EPG

1. In the “Name” window, type in DB_EPG
2. On the drop-down box for the “Bridge Domain” select “ACILab_BD3”
3. On the drop-down box for the “Provided Contract” select “DB_Con”
4. On the drop-down box for the “Consumed Contract”, “DB_Con” may have been pre-selected. If that is
the case, look for a light grey arrow and click it to clear the selection.
5. Click “Update” to create the DB EPG

Figure 91: Add a Provided Contract for Web EPG

Figure 92: Complete Creation of 3Tier Application Profile

1. Click on “SUBMIT” to complete the task


Figure 93: Topology View of 3Tier Application Profile

1. In the “Application Profiles” section, click on “+” to expand the tree
2. Then select the application profile 3Tier_App
3. The flow diagram of the 3Tier_App profile can be re-arranged to show a clearer flow

Figure 94: Topology View of 3Tier Application Profile (re-arranged)

Note: This provides a logical topology view of the application profile. You can familiarize yourself with
this view by selecting the various tabs for more detailed information.

Summary
Application profiles are a powerful tool for building out application connectivity and policy using repeatable
processes. Application connectivity is defined based on the service tiers or components provided and the
tiers they consume. Contracts define the policy for those connections and can be used for provider or
consumer relationships.
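As an added example (not part of the lab guide, and not the APIC's own zoning-rule engine), the following Python model shows how the filters, contract subjects and EPG provider/consumer relationships entered in Labs 5 and 6 combine to permit or deny a flow, including the effect of the “Reverse Filter Ports” and “Apply Both Directions” checkboxes. Object names and port values are taken from the lab guide; the sample source port 40000 used for return-traffic checks is an assumption.

```python
# Added example, not part of the lab guide: a simplified model of ACI
# filter/contract enforcement for the ACILab 3-tier policy. Names and ports
# come from Labs 5 and 6; the evaluation logic is an illustration only.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None stands for "Unspecified" in the GUI


@dataclass(frozen=True)
class Entry:
    """One filter entry: IP protocol plus destination/source port ranges."""
    name: str
    prot: str
    dport: PortRange
    sport: PortRange = None


@dataclass(frozen=True)
class Subject:
    """Contract subject with the two checkboxes used in Lab 5."""
    name: str
    filters: Tuple[str, ...]
    apply_both_directions: bool = True
    reverse_filter_ports: bool = True


@dataclass(frozen=True)
class EPG:
    name: str
    bridge_domain: str
    provided: frozenset = frozenset()  # contracts this EPG provides
    consumed: frozenset = frozenset()  # contracts this EPG consumes


def _in_range(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _entry_matches(e: Entry, prot: str, sport: int, dport: int, swap: bool) -> bool:
    """Match a packet against an entry; swap=True applies the entry with ports reversed."""
    if e.prot != prot:
        return False
    src_rng, dst_rng = (e.dport, e.sport) if swap else (e.sport, e.dport)
    return _in_range(src_rng, sport) and _in_range(dst_rng, dport)


class Fabric:
    def __init__(self, filters: Dict[str, Tuple[Entry, ...]],
                 contracts: Dict[str, Tuple[Subject, ...]], epgs):
        self.filters = filters
        self.contracts = contracts
        self.epgs: Dict[str, EPG] = {e.name: e for e in epgs}

    def is_permitted(self, src_epg: str, dst_epg: str, prot: str,
                     sport: int, dport: int) -> Tuple[bool, str]:
        """Return (permitted, reason) for a unicast flow from src_epg to dst_epg."""
        src, dst = self.epgs[src_epg], self.epgs[dst_epg]
        if src_epg == dst_epg:
            return True, "intra-EPG traffic is not filtered by contracts"
        for cname, subjects in self.contracts.items():
            directions = []
            if cname in src.consumed and cname in dst.provided:
                directions.append((False, "consumer->provider"))
            if cname in src.provided and cname in dst.consumed:
                directions.append((True, "provider->consumer"))
            for is_return, label in directions:
                for subj in subjects:
                    # Without "Apply Both Directions" the subject only covers
                    # consumer->provider; "Reverse Filter Ports" decides whether
                    # the return direction is matched with the ports swapped.
                    if is_return and not subj.apply_both_directions:
                        continue
                    swap = is_return and subj.reverse_filter_ports
                    for fname in subj.filters:
                        for e in self.filters[fname]:
                            if _entry_matches(e, prot, sport, dport, swap):
                                return True, f"{cname}/{subj.name}/{fname}/{e.name} ({label})"
        return False, "no contract between the EPGs matches: implicit deny"


# Policy exactly as entered in Labs 5 and 6 (the guide lists port http for
# both entries of Web_Filter).
LAB_FILTERS = {
    "Web_Filter": (Entry("http_filter", "tcp", (80, 80)),
                   Entry("https_filter", "tcp", (80, 80))),
    "App_Filter": (Entry("app_filter", "tcp", (1433, 1433)),),
    "DB_Filter": (Entry("db_filter", "tcp", (1521, 1521)),),
}
LAB_CONTRACTS = {
    "Web_Con": (Subject("web_subj", ("Web_Filter",)),),
    "App_Con": (Subject("app_subj", ("App_Filter",)),),
    "DB_Con": (Subject("db_subj", ("DB_Filter",)),),
}
LAB_EPGS = [
    EPG("Web_EPG", "ACILab_BD1", frozenset({"Web_Con"}), frozenset({"App_Con"})),
    EPG("App_EPG", "ACILab_BD2", frozenset({"App_Con"}), frozenset({"DB_Con"})),
    EPG("DB_EPG", "ACILab_BD3", frozenset({"DB_Con"}), frozenset()),
]
LAB = Fabric(LAB_FILTERS, LAB_CONTRACTS, LAB_EPGS)
```

Running `LAB.is_permitted("App_EPG", "DB_EPG", "tcp", 40000, 1521)` returns a permit through DB_Con, while the same query from Web_EPG returns the implicit deny, since Web_EPG neither provides nor consumes DB_Con.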

Lab 7: Integrating with VMware

Lab 7-A: Registering VMM Domain

Overview:
In this lab section, we will register the APIC to our virtual environment, which will be using VMware’s
vCenter Server. This lab will walk you through this registration process, which will allow the APIC to push
application policies down to the virtual machines. This tight integration will be shown in another lab
exercise but in this lab section, we will focus on building the connection between the APIC and VMware’s
vCenter Server. The lab will complete the following tasks:

• Register APIC to VMware vCenter Server
  o This will create a Distributed Virtual Switch inside VMware’s Network construct
• Verify the APIC DVS has been created and the connection between APIC and vCenter Server is
established

VMware vCenter Server Topology:


From the topology shown at the beginning of this lab, the vCenter Server is managing two (2) ESXi hosts. The
two ESXi hosts have 3 virtual machines named Web-Server, App-Server and DB-Server that are using the
standard vSwitch port-group 3Tier-App. There are additional virtual machines installed, named
ASAv_01 for firewall usage and F5-LTM-VE for load-balancing. Those additional VMs will be used for our
Service Graph later in the lab.

Figure 95: Login to VMware vCenter Server

• Open the vSphere client on the desktop and leave the defaults, then click on “Login”

Figure 96: VMware Environment View

Note: If the VMs have an “!” symbol next to their name, click on each VM in the tree on the left, then
click on the “Summary” tab and answer the question on each VM with “I copied it”. It should look like the
image above when done.

Procedures:

Register APIC to VMware vCenter (Create VMM Domain):


If you are not logged into the APIC GUI, please follow the steps to do so from Lab 1 before
proceeding. Follow the figures below to create the VMM Domain.

Figure 97: Creating VMM Domain

1. On the top menu, select “VM NETWORKING”
2. On the left-hand panel, select the “VMware” folder
3. Then on the right-hand panel, click on the “+” button

Figure 98: Specify Domain Users and Controllers

1. In the “Name” window box, please type in “My_vCenter”
2. In the “VLAN Pool:” window, click on the drop-down arrow
3. Select “Create VLAN Pool” and the following window will appear

Figure 99: Specify VLAN Pool Identity

1. In the “Name:” window, type in ACILab_VLAN_Pool
2. In the “Encap Blocks:”, click on the “+” to create the VLAN Pool.

Figure 100: Providing VLAN range

3. In this lab, we will use a VLAN range of 1001-1100.
4. Select “Dynamic Allocation” as the Allocation Mode.
5. Click “OK”.

Figure 101: Completing Creation of VLAN Pool

1. Click on “SUBMIT” to create the VLAN Pool which will take you back to the Create vCenter
Domain page.

Create vCenter Credentials:

Figure 102: Creating vCenter Credentials Object

1. Next we will create the credentials used to log in to the vCenter server. To do this, click the “+” next
to “vCenter Credentials:”

Figure 103: Providing vCenter Credentials

1. In the “Name” window, type in an object name for this credential; in this case we will use
administrator
2. In the “Username:” box, type in the username that is authenticated to the VMware
vCenter Server, which will be “administrator”
3. In the “Password:” window, type in the password for the user administrator, which for this lab is
“C!sc0123”.
4. In the “Confirm Password:” window, retype the password.
5. Click on “OK” to complete the task

Create vCenter Server Object:


In the next task, we will create the VMware vCenter Server object.

1. To create the vCenter server object, click on the “+” next to “vCenter/vShield”

Figure 104: Configuring vCenter Server Information

WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!

Within this “Create vCenter Domain” task, it is important to enter in the information EXACTLY as
shown in the lab guide.

1. Make sure the “vCenter” button is selected
2. In the “Name” window, type in “ACILab”
“192.168.1.100”
4. In the “DVS Version”, leave the default “vCenter Default”
5. In the “Status Collection”, leave it on “Disabled”
6. In the “Datacenter” window, type in “ACILab”
7. In the “Associated Credential:” drop-down box, select the credential object that was
created in the previous task, which should be administrator
8. Click on “OK”

Figure 105: Completing Creation of vCenter Domain

1. Click on “SUBMIT” to create the vCenter server object.

Verifying APIC Connection to vCenter Server:


To verify that we have a valid connection between the APIC and our VMware vCenter server, follow the figures
below. PLEASE BE AWARE THAT THIS MIGHT TAKE A FEW MINUTES TO POPULATE.

Figure 106: Verification of vCenter Domain Connection to VMware vCenter Server

1. In the sub-menu, select “INVENTORY”
2. Expand “VMware” by clicking on the “+” on the left-hand panel
3. You will then see the “My-vCenter” entry that was created; expand it by clicking on the
“+” next to that entry
4. You will then see the “Controllers” entry that was created; expand it by clicking on the
“+” next to that entry
5. You will then see the “ACILab” entry that was created; expand it by clicking on the “+”
next to that entry
6. Then select the “Hypervisors” entry on the left-hand panel; you should see that there are 2
ESXi hosts and other pertinent information from the VMware vCenter Server
Figure 107: Confirming VMM Integration

You can also verify this by using the vSphere client to view that the APIC DVS has been created. Follow the
figures below to verify this from a VMware perspective.

Figure 108: Verifying APIC DVS Creation

1. On the top menu of the vSphere client, click on the “Hosts and Clusters” entry and a drop-down
menu will appear.
2. Click on “Networking” to get to the networking view from vCenter

Figure 109: Verifying vSphere Networking View

1. If the networking view is not expanded, then from the top view called “VC”, click on the “+”
to expand the view
2. The logical data center can be expanded by clicking on the “+” next to the entry
ACILab
3. The VMM Domain that was created in the lab is shown as a folder “My-vCenter”; you will
now notice that a new DVS has been created named “My-vCenter”, and you can expand it.
You will notice the DVS uplink has been created. This verifies that the APIC has a connection
to the VMware vCenter Server.

Note: The number next to the “DVUplinks” may be different depending on the VLAN assigned by ACI to the
uplink.

Summary:
ACI is able to integrate with various hypervisor technologies, of which VMware is one vendor in this
space. ACI also supports Microsoft Hyper-V and, later on, other hypervisor vendors such as KVM and Citrix. This
lab demonstrates the capability of integrating with VMware’s vCenter technology, which allows the APIC to
create policies that can be utilized by VMware’s virtual environment.

Lab 7-B: Adding ESXi Hosts to APIC DVS

Overview:
In this lab we will focus on adding the two (2) ESXi hosts to the APIC DVS. This will allow the APIC EPG to be
associated with VMware’s virtual environment. This section will be utilizing VMware’s vSphere client to be
able to add the host to the APIC DVS. This lab will complete the following task:

• Add both ESXi hosts (ESXi-01 and ESXi-02) to the APIC DVS (apicVswitch)

Procedures:

Add ESXi Hosts to APIC DVS:


If you are not logged into the vSphere client, follow the instructions from the previous lab to get to the
“Networking” view from VMware. Then follow the figures below to add the ESXi hosts to the APIC DVS.

Figure 110: Adding ESXi Hosts to APIC DVS

1. Make sure to select the DVS name “My-vCenter” and right-click on the “My-vCenter” DVS
to bring up a sub-menu
2. Click on “Add Host”

Figure 111: Selecting Host NIC for APIC DVS Control

Note: Both ESXi hosts have a “vmnic2” that is not being utilized and will be used for the APIC DVS. On some
pods that vmnic number may be “vmnic1”.

WARNING WARNING WARNING - DANGER WILL ROBINSON

DO NOT SELECT VMNIC0!!!!

1. Click on the check-box next to “vmnic2” for the first host with IP 192.168.1.101
2. Click on the check-box next to “vmnic2” for the second host with IP 192.168.1.102
3. Click on “Next” to continue

Figure 112: Migration of vmkernels

1. We will not migrate any vmKernels in this lab. So please click on “Next” to continue.

Figure 113: Migrating Virtual Machine Networking

1. We will also not migrate any virtual machine’s network interfaces during this process.
Please click on “Next” to continue.

Figure 114: Complete Adding Hosts to APIC DVS

1. Verify the information is correct and click on “Finish”

Figure 115: Verifying Added ESXi Hosts to APIC DVS

1. Click on the “Hosts” tab on the right-hand panel. You should now see that the two ESXi hosts
have been added to the APIC DVS.
Summary
You have now successfully added the ESXi hosts to the APIC DVS. This section has laid the foundation to
allow the APIC to create EPGs, which will create VMware port-groups that the virtual machines can utilize.
This will provide the integration for the APIC to distribute policies to VMware’s virtual environment.

Lab 7-C: Associating EPGs to the vCenter Domain

Overview:
In this lab we will focus on associating the EPGs to the VMM Domain. With the ESXi hosts already connected
to the APIC DVS, we can now associate the EPGs we created in the last lab to our VMware virtual environment.

Procedures:

Associating vCenter Domain to Application Server EPG:


Associate vCenter Domain to App_EPG

Figure 116: Associating vCenter Domain to Application Server EPG

1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG App_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”

Figure 117: Associating My-vCenter vCenter Domain to App_EPG

1. On the “VMM Dom Profile:” drop-down box, select “VMware/My-vCenter”


2. Choose “Immediate” for “Deploy Immediacy”
3. Choose “Immediate” for “Resolution Immediacy”
4. Click on “SUBMIT”

Figure 118: VMM Domain Formed with APP_EPG

Associating vCenter Domain to Database Server EPG:
Associating VMM Domain to DB_EPG

Figure 119: Associating VMM Domain to Database Server EPG

1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG DB_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”

Figure 120: Associating My-vCenter vCenter Domain to DB_EPG

1. On the “VMM Dom Profile:” drop-down box, select “My-vCenter”


2. Choose “Immediate” for “Deploy Immediacy”
3. Choose “Immediate” for “Resolution Immediacy”
4. Click on “SUBMIT”

Figure 121: vCenter Domain Formed with DB_EPG

Associating vCenter Domain to Web Server EPG:


Associating VMM Domain to Web_EPG

Figure 122: Associating vCenter Domain to Web Server EPG

1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG Web_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”

Figure 123: Associating My-vCenter vCenter Domain to Web_EPG

1. On the “VMM Dom Profile:” drop-down box, select “My-vCenter”
2. Choose the radio button “Immediate” for “Deploy Immediacy”
3. Choose the radio button “Immediate” for “Resolution Immediacy”
4. Click on “SUBMIT”

Figure 124: vCenter Domain Formed with Web_EPG

Figure 125: Verify EPG is in VMware vCenter Networking

Summary:
The ACI EPGs are now fully integrated into VMware’s virtualized environment and the VMs can now fully
utilize the ACI fabric infrastructure.

Lab 7-D: Associating VM to EPG Port-Groups

Overview:
In this lab we will now convert the VMs from using the native vSwitch to the APIC DVS port-groups. This will
complete the integration of the APIC to the virtualized environment.
Procedures:

Map VMs to EPG Port-Groups:


Move to VMware’s “Hosts and Clusters” view

Figure 126: Move to VMware Hosts and Clusters View

1. From the tool bar menu, click on “Networking”


2. A menu list will drop down, please select “Hosts and Clusters”

Edit Web-Server Settings:
Edit Settings of Virtual Machine “Web-Server”

Figure 127: Edit Settings of Web-Server VM

1. Select the VM “Web-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 128: Choose APIC Application Profile Web EPG

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “ACILab|3Tier_App-|Web_EPG” port-group

Figure 129: Confirming Network Adapter Changes

1. Click on the “OK” to complete the changes for Network adapter 1

Edit App-Server Settings:


Edit Settings of Virtual Machine “App-Server”

Figure 130: Edit Settings of App-Server VM

1. Select the VM “App-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 131: Choose APIC Application Profile App EPG

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “ACILab-|3Tier_App-|App_EPG” port-group

Figure 132: Confirming Network Adapter Changes

1. Click on the “OK” to complete the changes for Network adapter 1

Edit DB-Server Settings:
Edit Settings of Virtual Machine “DB-Server”

Figure 133: Edit Settings of DB-Server VM

1. Select the VM “DB-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 134: Choose APIC Application Profile DB EPG

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “ACILab-|3Tier_App-|DB_EPG” port-group

Figure 135: Confirming Network Adapter Changes

1. Click on the “OK” to complete the changes for Network adapter 1

Figure 136: Viewing VMware Virtual Machines Information from APIC GUI

1. Go to the “VM Networking” Tab


2. Under “Inventory” expand “VMware”
3. Expand “My-vCenter”
4. Expand “Controllers”
5. Expand “ACILab”
6. Expand “Hypervisors”
7. Expand both “192.168.1.101” and “192.168.1.102”
8. Expand “Virtual Machines” and select “Web-Server”
9. Take note that the “PORTGROUP” association is mapped to the Web_EPG.

Summary:
You have successfully provided full visibility and manageability from the APIC to the virtualized environment.
Insertion of services and policies can now be dynamically and seamlessly provisioned while being managed from
a centralized management tool.

Lab 8: The Attachable Access Entity Profile (AAEP)

Overview:
We are almost done. Our physical infrastructure is provisioned and is connected to our virtual
infrastructure through the VMM integration, but traffic will not yet pass. We need a mechanism to tie our
logical network constructs (in this case, access facing VLANs) to the switch ports. The mechanism is called
the Attachable Access Entity Profile (AAEP or AEP). It’s often compared to a “switchport trunk allowed vlan…”
command.

There are 3 steps involved. First is the creation of a VLAN or a range of VLANs. The second step is
creating a Domain to connect those VLANs to. The third step is tying them into the AAEP.

In Lab 7, we created a VLAN pool that will dynamically assign VLANs and we created a Virtual Domain. So
steps 1 and 2 are already completed. In this short lab, we will concentrate on the AAEP itself.

Procedures:

Creating Attachable Access Entity Profile

Figure 137: Creating AAEP

1. Click “Fabric” menu


2. Click “Access Policies” sub-menu
3. Expand “Global Policies”
4. Expand and highlight “Attachable Access Entity Profiles”
5. Right click and select “Create Attachable Access Entity Profile”
6. A pop-up screen will appear with the following:

Figure 138: Step 1 for AAEP


1. For “Name:”, type “AAEP-ESX”
2. For “Domains (VMM, Physical or External)…”, Click the “+”
3. For “Domain Profile”, click the drop-down and choose “My-vCenter (Vmm-VMware)” – which
we created in the previous lab.
4. Click “UPDATE”
5. Notice the change in “Encapsulation”(below) – Click “Next”

Confirming Creation of AAEP

Figure 139: Confirm Encapsulation

Figure 140: Step 2> Associations to Interfaces

1. In the “Select the Interfaces” section, you will see the Interface Policy Groups created in Lab 3. For
“VPC3”, click the radio button for “all”
2. For “VPC4”, click the radio button for “all”
3. Click “FINISH”

Figure 141: Confirm AAEP Creation

1. Confirm that AAEP-ESX was created successfully.

Summary
In this lab, we created an Attachable Access Entity Profile. The AAEP is used to connect the interfaces of
our switch to the VLANs and Domains. The diagram below summarizes where the AAEP fits and what
purpose it serves.

Figure 142: Summary of AAEP

Lab 9: Layer 3 External

Overview
In this lab section, we will focus on how to create a Layer 3 External Routed network using OSPF in our
example. This lab is using a simulator, so no real validation can be performed but the steps in this lab will
demonstrate the procedures that are needed to create an External Layer 3 configuration.

We will be simulating the following environment:

Figure 143: Layer 3 Topology

The following is a list of procedures that are needed to complete the configuration of the External L3
Network:

• Configure Pod Policy


• Configure BGP Route Reflectors
• Assign default Pod Policy
• Configure Routed L3 External Network
• Create Node Profile
• Create Interface Profile
• Create External EPG Network
• Bind External Routed Network to Bridge Domain

Procedures:

Configure Fabric Pod Policy


In this section, we will configure fabric policies for the internal fabric network in preparation
for layer 3 communications.

Configure BGP Route Reflectors


Figure 144: Configure Fabric Policies

1. Select “Fabric” from the top menu


2. Then select “Fabric Policies” in the sub-menu
3. On the left-hand pane, expand “Pod Policies”
4. Then expand “Policies”
5. The menu will show “BGP Route Reflectors default”; select that entry
6. The right-hand pane will show a configuration window; in the “Autonomous System
Number” field, type in “1”
7. We will now also add both of our spines as “BGP Route Reflectors” for our fabric;
to do so, click on the “+” next to “Route Reflector Nodes”

Figure 145: Adding BGP Route Reflectors

1. From the drop-down box at “Spine Node”, select the first spine, which is Node ID “103”
2. Click on “Submit”

Figure 146: Add Second Route Reflector

1. From the drop-down box at “Spine Node”, select the second spine (the first spine, Node ID “103”, was added in the previous step)
2. Click on “Submit”

Figure 147: Complete Adding Route Reflector

1. Click on “Submit”

Configure Fabric Group Policies


Next we will need to create a Pod Group Policy. Follow the steps below to complete this task.

Figure 148: Create Pod Policy Group

1. From “Fabric”
2. Select “Fabric Policies”
3. Expand “Pod Policies”
4. Highlight “Policy Groups”
5. Right click, select “Create POD Policy Group”

Figure 149: Configure Pod Policy Group

1. In the “Name” window, type in “PodPolicy”


2. At the “BGP Route Reflector Policy” drop-down box, select “default”
3. Click on “Submit”

Configure Routed L3 External Network
In this section, we will create an External L3 Network for our tenant “ACILab”. Please follow the
procedure below to complete this task.

Create External Routed Network

Figure 150: Create Routed Outside Network

1. Select “Tenants” on the top menu


2. Select the tenant “ACILab” in the sub-menu
3. Expand “Networking” on the left-hand pane
4. Select “External Routed Networks” and right-click on that selection
5. Select “Create Routed Outside”

Figure 151: Configure L3 Routed Outside

1. In the “Name” window, type in “ACILab-L3-Out”


2. Select the check-box “OSPF” and leave the default “OSPF Area ID” as “1”
3. In the drop-down box at “VRF”, click the drop-down and select “ACILab/ACILab_VRF”
4. We will now need to configure Node & Interface Protocol Profiles, click on the “+” next to
that section

Create External Node Profile
Figure 151: Configure Node Profile

1. In the “Name” window, type in “Border-Leaf2” since we will map the outside network to
our Leaf2 switch
2. Click on the “+” next to “Nodes” section

Figure 152: Configure Border Node

1. In the drop-down box at “Node ID”, select “Leaf2 (Node-102)”, which will then show up as
“topology/pod-1/node-102”
2. Type in the address “1.0.0.2” for the “Router ID”
3. Click on “OK”

Create OSPF Interface Profile


Figure 153: Create OSPF Interface Profile

• Click on “+” next to “OSPF Interface Profiles”

Figure 154: Configure OSPF Interface Profile

1. In the “Name” window, type in “L3-OSPF-Leaf2”
2. Under the “Interfaces” section, click on the “+” to add the “Routed Interfaces”. There are 2
additional options, “SVI” and “Routed Sub-Interfaces”, which we will not use in this
example.
Figure 155: Configure Routed Interface

1. In the drop-down box for “Path”, select the node “102” and select interface “eth1/1”
2. In the “IP Address” window, type in “40.40.40.1/24”
3. In the “MTU (bytes)” window, the default is set to “inherit”. Please enter in “1500”
4. Click on “OK”

Figure 156: Completion of Routed Interface Configuration

• Click “OK”

Figure 157: Completion of Node Profile Configuration

• Click “OK”

Figure 158: Continue Wizard to External Network EPG

• Click on “Next”

Figure 159: Create External Network EPG

• Click on “+” in the section “External EPG Networks”


Figure 160: Configure External EPG Network

1. In the “Name” window, type in “L3-Out-EPG”


2. We will now add a subnet to this EPG, click on the “+” under “Subnet”

Figure 161: Adding Subnet to External EPG

1. In the “Create Subnet” window, we will allow all subnets into this EPG. In a real environment,
this might be filtered to only allow certain subnets but for this lab, please enter in “0.0.0.0/0”.
The mask will automatically be filled out
2. Click on “OK”

Figure 162: Completion of External EPG Network

• Click “OK”

Figure 163: Completion of the Creating an External Routed L3 Network

• Click on “Finish”

Figure 164: ACILab-L3-Out

Configure Consumer for L3-Out-EPG
With the External Routed Network configured, we will now set up the provider/consumer relationship that allows
communication with this outside network. Follow the steps below to complete this task.

Figure 165: Configure Consumed Contract for L3-Out-EPG

1. Expand “Networking” under the tenant ACILab


2. Expand “External Routed Networks”
3. Expand the created routed network “ACILab-L3-Out”
4. Expand “Networks”
5. Select “L3-Out-EPG”
6. On the right-hand pane click on the section called “Contracts”

7. Now under “Consumed Contracts” click on the “+”

Figure 166: Add Consumed Contract

• Under the “Consumed Contracts”, click on the “+”

Figure 167: Add Consumed Contract

1. From the drop-down box, select “ACILab/Web_Con” from the “Type – Contract” and DO NOT
choose from the “Type – Imported Contract”
2. Once completed, click on “Update”
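Because L3-Out-EPG was built with the 0.0.0.0/0 subnet and now consumes Web_Con, every outside source that does not match a more specific external EPG is treated as a member of it and can use that contract. The Python below is an added example, not code from the lab or from Cisco; it assumes ACI’s rule that L3Out traffic is classified into the external EPG whose subnet is the longest prefix match for the source address (a generalization beyond what this lab states), and the Partner-EPG entry with 203.0.113.0/24 is a hypothetical second EPG constructed to show how a narrower subnet overrides the catch-all.

```python
import ipaddress

# Constructed external EPG table: the lab's catch-all L3-Out-EPG plus a
# hypothetical narrower EPG (neither Partner-EPG nor its prefix is in the lab)
EXTERNAL_EPGS = {
    "L3-Out-EPG": ["0.0.0.0/0"],
    "Partner-EPG": ["203.0.113.0/24"],
}
# Contract consumption as configured in the lab (the Partner-EPG entry is constructed)
CONSUMED_CONTRACTS = {"L3-Out-EPG": ["Web_Con"], "Partner-EPG": []}


def classify(src_ip, epgs=EXTERNAL_EPGS):
    """Return (epg, prefix) of the longest matching external subnet, or (None, None)."""
    addr = ipaddress.ip_address(src_ip)
    best_epg, best_prefix, best_len = None, None, -1
    for epg, prefixes in epgs.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            # address family must match; a longer prefix beats a shorter one
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_epg, best_prefix, best_len = epg, prefix, net.prefixlen
    return best_epg, best_prefix


def consumed_contracts_for(src_ip, epgs=EXTERNAL_EPGS, contracts=CONSUMED_CONTRACTS):
    """Contracts an outside source can use: those consumed by the EPG it classifies into."""
    epg, _ = classify(src_ip, epgs)
    return list(contracts.get(epg, []))


def catch_all_epgs(epgs=EXTERNAL_EPGS):
    """External EPGs carrying a default prefix (0.0.0.0/0 or ::/0). Review these before
    attaching contracts: every otherwise-unmatched outside source lands in them."""
    return sorted(epg for epg, prefixes in epgs.items()
                  if any(ipaddress.ip_network(p, strict=False).prefixlen == 0 for p in prefixes))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1"):
        print(ip, classify(ip), consumed_contracts_for(ip))
    print("catch-all EPGs:", catch_all_epgs())
```

An IPv6 source matches neither table entry here, because 0.0.0.0/0 only covers IPv4; an IPv6 catch-all would need its own ::/0 subnet. The point for the lab: as long as L3-Out-EPG keeps 0.0.0.0/0, the Web_Con contract is open to any prefix the OSPF neighbour advertises, which is why the guide notes a real environment would filter the subnets.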

Confirm Contracts are in place

Figure 168: Confirm Updated App Profile

1. Click “Tenants”
2. Click “ACILab”
3. Expand “Tenant ACILab”
4. Expand “Application Profiles”
5. Select “3Tier_App” to view the updated visualization of the App Profile

Set Default OSPF Settings for Private Network


Another step that needs to be configured is the default timers for OSPF in the Private Network in the tenant
ACILab. Please follow the steps below.

Figure 169: Configuring OSPF Default Timers

1. Expand “Networking” and then expand “VRFs”


2. Select “ACILab_VRF”
3. In the “OSPF Timers”, select the drop-down box and select “default”
4. Click on “Submit”

Associate the L3 Outside Network to a Bridge Domain
We will now complete the task of associating the L3 outside network to our bridge domain. Please follow
the steps to complete this task.

Figure 170: Associating L3 Outside Network to Bridge Domain

1. Expand “Bridge Domains”


2. Select “ACILab_BD1”
3. On the right-hand pane, choose “L3 Configuration”
4. In the section “Associate L3 Outs”, click on the “+”
5. From the drop-down box, select “ACILab/ACILab-L3-Out”
6. Click on “Update”

Figure 171: Final Topology

Summary
This completes the configuration of the external layer 3 network for communication to the outside of the
ACI fabric. This is using a simulator to demonstrate the process to complete this task and verification is not
available at this time for the simulator. In a physical fabric, there are verification tasks that will validate the
configuration that we have done here.

Lab 10: Exploring Monitoring and Troubleshooting

Procedures:

Viewing Faults Using the GUI


To view a summary of fault statistics for the overall system, click the Dashboard icon in the menu bar
of the APIC GUI. The fault counts by domain and by type are displayed in the dashboard tables.

Logged faults are presented in many places in the GUI, filtered to show only those faults relevant to the
current GUI context. Wherever a Records tab appears in the GUI Work pane, you can view the relevant
entries from the fault log.

For example, to view the faults related to a tenant, perform the following task.

1. In the menu bar, click Tenants.


2. In the sub-menu bar, click the name of the tenant.
3. In the Work pane, click the Faults tab.

Figure 172: Sample Tenant Faults View

1. Select “Tenants”
2. Then select the tenant “ACILab”
3. Select the top entry “Tenant ACILab” on the left hand pane
4. Then select the “Faults” tab on the right hand pane

To see more detail on a fault, double-click on its entry.

Events
The Application Policy Infrastructure Controller maintains a comprehensive, up-to-date run-time
representation of the administrative and operational state of the Application Centric Infrastructure

124
Fabric system in the form of a collection of managed objects (MOs). Any configuration or state change
in any MO is considered an event. Most events are part of the normal workflow and there is no need to
record their occurrence or to bring them to the attention of the user unless they meet one of the
following criteria:
• The event is an anomaly, such as a fault being raised

• The event is defined in the model as requiring notification

• The event follows a user action that is required to be auditable

Viewing Events Using the GUI


Logged events are presented in many places in the GUI, filtered to show only those events relevant to
the current GUI context. Wherever a History tab appears in the GUI Work pane, you can view the
relevant log entries from the event log, health log, or audit log.

For example, to view the event log, health log, or audit log related to authentication, perform the
following task.

Figure 173: Viewing History

• In the Tenant ACILab, select the “History” tab menu


• Then on the sub-menu, select “Events” to see the events that have occurred on this tenant

Log Retention Policies


The log retention policy specifies the retention and purge behavior of logs. The policy specifies the
maximum history record count and the number of records to purge with a purge interval. Records
are periodically purged to contain log growth. When the purge timer triggers, a number of records
equal to the Purge Window Size are deleted if the number of records in the log is greater than the
Maximum Size.

You can configure the following settings:

• Maximum Size — The maximum number of records to be maintained in the log. The range is
1000 to 500000 records; the default is 10,000 records.
• Purge Window Size — The maximum number of records to be deleted in a single swipe. Record
deletion is performed periodically (every 30 seconds) in batches. The maximum size of a batch
should be chosen to avoid spikes in I/O and CPU utilization. The range is 100 to 1000 records;
the default is 250 records.
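To make the interaction of the two settings concrete, the following Python is an added example (not APIC code) that models the purge rule described above: once per purge interval, delete a Purge Window Size worth of the oldest records, but only when the log holds more than Maximum Size. The RetentionPolicy and HistoryLog names and the simulated arrival rates are this example’s own.

```python
from collections import deque

# Documented ranges and defaults for the two retention settings (from the text above)
MAX_SIZE_RANGE, MAX_SIZE_DEFAULT = (1000, 500000), 10000
PURGE_WINDOW_RANGE, PURGE_WINDOW_DEFAULT = (100, 1000), 250
PURGE_INTERVAL_SECONDS = 30


class RetentionPolicy:
    """Validated Maximum Size / Purge Window Size pair."""

    def __init__(self, maximum_size=MAX_SIZE_DEFAULT, purge_window=PURGE_WINDOW_DEFAULT):
        for label, val, (lo, hi) in (("Maximum Size", maximum_size, MAX_SIZE_RANGE),
                                     ("Purge Window Size", purge_window, PURGE_WINDOW_RANGE)):
            if not lo <= val <= hi:
                raise ValueError("%s %d is outside %d..%d" % (label, val, lo, hi))
        self.maximum_size = maximum_size
        self.purge_window = purge_window

    def keeps_up_with(self, records_per_interval):
        """True if one purge per interval can remove at least what arrives per interval."""
        return self.purge_window >= records_per_interval


class HistoryLog:
    """Append-only record log, purged oldest-first according to the policy."""

    def __init__(self, policy):
        self.policy = policy
        self.records = deque()
        self.purged = 0

    def append(self, record):
        self.records.append(record)

    def purge_tick(self):
        """One firing of the purge timer: delete Purge Window Size of the oldest records,
        but only when the log exceeds Maximum Size. Returns the number deleted."""
        if len(self.records) <= self.policy.maximum_size:
            return 0
        n = min(self.policy.purge_window, len(self.records))
        for _ in range(n):
            self.records.popleft()
        self.purged += n
        return n


def simulate(policy, records_per_interval, intervals):
    """Feed a constant arrival rate for `intervals` purge periods, purging once per period.
    Returns (records left in the log, records purged in total)."""
    log = HistoryLog(policy)
    for period in range(intervals):
        for seq in range(records_per_interval):
            log.append(("audit", period, seq))   # constructed placeholder records
        log.purge_tick()
    return len(log.records), log.purged


if __name__ == "__main__":
    defaults = RetentionPolicy()
    # 100 records per 30 s: the log hovers just under Maximum Size
    print(simulate(defaults, 100, 101))
    # 300 records per 30 s exceeds the 250-record purge window, so the log keeps growing
    print(defaults.keeps_up_with(300), simulate(defaults, 300, 100))
```

With the defaults, an arrival rate of 100 records per interval keeps the log near 10,000 entries, but a rate above the purge window (300 records per 30 seconds in the second run) outruns the purge and the log grows by the difference every interval. For the switch audit log this also means the window bounds how many of the oldest audit records disappear in one sweep, so it should be sized against how far back an investigation needs to look.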

Configuring Log Retention Policies in the GUI


To configure log retention policies using the GUI, perform the following task.

Figure 174: Log Retention Policies

1. Select “Admin” from the top menu


2. Select “Historical Record Policies”
3. From the left hand pane, expand “Switch Policies”
4. Then expand “Switch Audit Log Retention Policies”
5. Select “default”

On the right hand pane, you will see the settings that are configured. You can modify these and other settings
in this section.

Using the API Inspector

Capturing an API Interchange for Inspection


By using the API Inspector, which is a built-in tool of the APIC, you can capture API messaging as you
perform tasks in the APIC graphical user interface (GUI). The captured messages provide examples of the
API operation that you can use to develop external applications that will use the API.

Figure 175: API Inspector

• Click on the “welcome, admin” on the far right hand side of the GUI
• A drop-down menu will appear, please select “Show API Inspector”

Another pop-up window will appear that provides information of the objects of the ACI APIC

Figure 176: API Inspector Window

You can filter what you want to view, and if you would like to start with a clean view, click on the “Clear” button. Once
the window is clear, you can execute an action in the GUI and the API Inspector will show the API calls
that were executed. By default the API Inspector shows everything, and you can also search within
it.
Using the Managed Object Browser
The Managed Object Browser, or Visore, is a utility built into the APIC that provides a graphical view of
the managed objects (MOs) using a browser. The Visore utility uses the APIC REST API query methods
to browse MOs active in the Application Centric Infrastructure Fabric, allowing you to see the query
that was used to obtain the information. The Visore utility cannot be used to perform configuration
operations.

Note - Only the Firefox, Chrome, and Safari browsers are supported for Visore access.

Accessing Visore
To access Visore, open another tab in your browser and type in the following link:

https://192.168.1.11/visore.html
Figure 177: Visore Access

A pop-up window will appear for login access. This is the same login as the APIC, which should be:

Username: admin

Password: cisco123

Running a Query in Visore


We will run a quick example query in Visore to provide some insight into how to navigate through
the APIC object tree.

Figure 178: Visore Query

1. In the “Class or DN” window, type in “fvTenant”


2. In the “Property” window, type in “name”
3. In the “Val1” window, type in “ACILab”
4. Click on “Run Query”

A window will appear that will display this object class for Tenant ACILab. The output is shown below.

Figure 179: Visore Query Output

Supplemental Lab 1: Deploying a Service Graph into the Application Network Profile

Overview
In this lab we will now focus on two (2) key features of the APIC solution. The first is that we can seamlessly insert
services, such as firewalls, load-balancers, etc., into the application profile. With the open architecture of the
ACI solution, we can insert any vendor’s solution, such as Citrix, F5 and many others who want to integrate with
Cisco’s ACI architecture. The second key capability of ACI is the ability to script the creation of any of the objects
within the APIC. This allows orchestration tools to quickly deploy their solutions within minutes.

So in this lab, we will utilize a python script to remove the objects and then re-build them to
demonstrate how seamlessly and quickly the Application Network Profile (ANP) can be deployed. Afterwards, we
will utilize the python script to insert the ASAv firewall into the ACI fabric as a service graph.

Procedures
Prior to executing the script to remove the ACI objects, we will need to remove the EPG port groups from the
virtual machines and remove the hosts from the ACI DVS that was created in lab 5. Follow the procedures
below to complete this task.

vCenter ACI Removal


First we will configure the virtual machine network to the vSwitch port group.

Figure 180: Editing Settings for Web Server VM

1. Select the VM “Web-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 181: Moving Web Server Port group to 3Tier-App

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “3Tier-App” port-group

Figure 182: Edit Settings for App Server VM

1. Select the VM “App-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 183: Moving App Server Port group to 3Tier-App

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “3Tier-App” port-group

Figure 184: Edit Settings for DB Server VM

1. Select the VM “DB-Server”


2. On the right-hand panel, click on “Edit virtual machine settings”

Figure 185: Moving DB Server Port group to 3Tier-App

1. Select “Network adapter 1”


2. Click on the “Network label:” drop-down box
3. Select “3Tier-App” port-group

Next we will remove the ESXi hosts from the APIC DVS.

Figure 186: Remove ESXi Host 192.168.1.102 from APIC DVS

1. Make sure you are at the “Networking” view and then select the DVS “My-vCenter”
2. On the right pane, select the “Hosts” tab
3. We will remove both hosts, but for this example we will start with the server
192.168.1.102. Select this host and right-click to bring up the menu
4. When the menu appears, select “Remove from vSphere Distributed Switch”
5. A pop-up window will appear; click on “Yes” and the host will be removed from the
APIC DVS.

Repeat this step for the other server 192.168.1.101

Figure 187: Completed Removal of both ESXi hosts from My-vCenter DVS

With the hosts removed from the APIC DVS, it is not necessary to remove the DVS. The script will remove
the VMM Domain, which will then remove the APIC DVS from the vCenter server.

Automation Through Python Scripting


We will now execute the python script to remove the objects that were created in labs 2 - 5. To start
off, open a “Putty” session from the desktop to get to the Linux server.

Figure 188: Open Putty Session

1. Select the entry “dev-lnx”


2. Then click on “Load”
3. Then click on “Open” button

Figure 189: Login to “dev-lnx” System

The login credentials are: Userid: user01, Password: user01

Removing ACI Objects Created from Labs 2 - 5:


The dev-lnx VM is an Ubuntu VM that houses the python scripts that allow us to automate the
configuration of the ACI fabric through XML. Execute the python script on the dev-lnx VM to remove the
ACI objects.

user01@dev-lnx:$ ./securerequest.py Scripts/Blow_Me_Away.cfg <PLEASE HIT ENTER>

Hit return to process Scripts/DeleteL3Mgmt.xml <PLEASE HIT ENTER>

The python script will step through multiple XML scripts to remove the objects. You can verify in the
APIC GUI that the objects have been removed, such as the “ACILab” tenant, the VMM Domain “My-vCenter” and
others. Once this script has completed, you can also go to the vCenter server to see that the
“My-vCenter” DVS has been removed as well.

With the objects removed, we will now show how quickly and easily those objects can be rebuilt with the
python script, in seconds. Execute the python script to create the objects that were built in labs 2
– 5.

user01@dev-lnx:$ ./securerequest.py Scripts/Build_Lab2-5.cfg <PLEASE HIT ENTER>

Hit return to process Scripts/L3MgmtConnectivity.xml <PLEASE HIT ENTER>

The python script executed multiple XML scripts to build up the objects in the ACI fabric. You can go
through the GUI to validate the Contracts, Filters, Application Network Profiles and VMM Domain to
verify that they have been created. Also you can check the vCenter server that the VMM integration has
also been associated with the EPGs.

Please note that this python script DOES NOT add the ESXi hosts to the APIC DVS and DOES NOT move
the virtual machines network adapter portgroup to the ACI EPG. That process still needs to be done.

So before moving to the next part of the lab, PLEASE GO THROUGH LAB 5-B AGAIN to add the ESXi
hosts to the APIC DVS. It is not necessary to go through Lab 5-C or 5-D to complete the rest of the
lab exercises.
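Everything the API Inspector, Visore and the securerequest.py runs above do is the same APIC REST API: a login that returns a session token, class queries such as the fvTenant / name / ACILab query run in Visore earlier, and XML fragments posted under the policy root. The Python below is an added example written for this guide; it is not Cisco’s securerequest.py, not Visore’s code and not one of the lab’s XML scripts. The aaaLogin, /api/class/<class>.json, query-target-filter and /api/mo/uni.xml calls are the documented APIC REST endpoints; FakeApic, its session token and the teardown_and_rebuild function are constructed for this example so that it runs offline.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote


class ApicClient:
    """Small APIC REST client. transport(method, url, body, cookies) returns
    (http_status, response_text); a real transport would wrap urllib/requests over
    HTTPS with certificate verification. The fake below keeps this runnable offline."""

    def __init__(self, base_url, transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def login(self, user, password):
        # aaaLogin is the APIC login endpoint; the returned token is sent back
        # on every later request as the APIC-cookie cookie.
        body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}})
        status, text = self.transport("POST", self.base_url + "/api/aaaLogin.json", body, {})
        if status != 200:
            raise PermissionError("aaaLogin failed: HTTP %d" % status)
        self.token = json.loads(text)["imdata"][0]["aaaLogin"]["attributes"]["token"]
        return self.token

    def _cookies(self):
        if self.token is None:
            raise RuntimeError("call login() before sending requests")
        return {"APIC-cookie": self.token}

    def class_query_url(self, mo_class, prop=None, value=None):
        """The URL Visore sends for 'Class or DN' = mo_class, Property = prop, Val1 = value."""
        url = "%s/api/class/%s.json" % (self.base_url, mo_class)
        if prop is not None:
            url += "?query-target-filter=" + quote('eq(%s.%s,"%s")' % (mo_class, prop, value), safe="")
        return url

    def query_class(self, mo_class, prop=None, value=None):
        """Return the attribute dicts of every MO of mo_class matching the optional filter."""
        status, text = self.transport("GET", self.class_query_url(mo_class, prop, value), None, self._cookies())
        if status != 200:
            raise RuntimeError("query rejected: HTTP %d %s" % (status, text))
        # imdata is a list of {"<class>": {"attributes": {...}}} objects
        return [next(iter(mo.values()))["attributes"] for mo in json.loads(text)["imdata"]]

    def post_xml(self, xml_text):
        """POST a configuration fragment under the policy root 'uni', the way the
        lab's XML scripts create or delete objects. Returns the root MO class."""
        root = ET.fromstring(xml_text)  # reject malformed XML before anything is sent
        status, text = self.transport("POST", self.base_url + "/api/mo/uni.xml", xml_text, self._cookies())
        if status != 200:
            raise RuntimeError("POST of <%s> rejected: HTTP %d %s" % (root.tag, status, text))
        return root.tag


class FakeApic:
    """Constructed in-memory stand-in for an APIC: one user, a tenant table,
    fvTenant class queries with an eq() filter, and fvTenant create/delete."""
    TOKEN = "constructed-session-token"

    def __init__(self, user="admin", password="cisco123"):  # lab credentials from the guide
        self.creds = (user, password)
        self.tenants = {n: {"dn": "uni/tn-" + n, "name": n} for n in ("common", "ACILab")}

    def __call__(self, method, url, body, cookies):
        path, _, query = url.split("/api/", 1)[1].partition("?")
        if method == "POST" and path == "aaaLogin.json":
            a = json.loads(body)["aaaUser"]["attributes"]
            if (a["name"], a["pwd"]) != self.creds:
                return 401, json.dumps({"imdata": [{"error": {"attributes": {"text": "bad credentials"}}}]})
            return 200, json.dumps({"imdata": [{"aaaLogin": {"attributes": {"token": self.TOKEN}}}]})
        if cookies.get("APIC-cookie") != self.TOKEN:
            return 403, json.dumps({"imdata": [{"error": {"attributes": {"text": "Token was invalid"}}}]})
        if method == "GET" and path == "class/fvTenant.json":
            rows = list(self.tenants.values())
            if query.startswith("query-target-filter="):
                m = re.fullmatch(r'eq\(fvTenant\.(\w+),"([^"]*)"\)', unquote(query.split("=", 1)[1]))
                rows = [r for r in rows if m and r.get(m.group(1)) == m.group(2)]
            return 200, json.dumps({"totalCount": str(len(rows)),
                                    "imdata": [{"fvTenant": {"attributes": r}} for r in rows]})
        if method == "POST" and path == "mo/uni.xml":
            root = ET.fromstring(body)
            if root.tag == "fvTenant" and root.get("name"):
                name = root.get("name")
                if root.get("status") == "deleted":  # status="deleted" is how ACI deletes an MO
                    self.tenants.pop(name, None)
                else:
                    self.tenants[name] = {"dn": "uni/tn-" + name, "name": name}
                return 200, '<imdata totalCount="0"></imdata>'
        return 400, json.dumps({"imdata": [{"error": {"attributes": {"text": "unsupported in fake"}}}]})


def teardown_and_rebuild(user="admin", password="cisco123"):
    """Mirror of the lab flow: query the tenant, delete it, confirm it is gone, recreate it."""
    apic = ApicClient("https://192.168.1.11", FakeApic())  # lab APIC address; fake transport
    apic.login(user, password)
    before = apic.query_class("fvTenant", "name", "ACILab")
    apic.post_xml('<fvTenant name="ACILab" status="deleted"/>')
    gone = apic.query_class("fvTenant", "name", "ACILab")
    apic.post_xml('<fvTenant name="ACILab"/>')
    after = apic.query_class("fvTenant")
    return len(before), len(gone), sorted(t["name"] for t in after)


if __name__ == "__main__":
    print(teardown_and_rebuild())
```

To run this against the lab APIC, replace FakeApic with a transport that makes real HTTPS requests to https://192.168.1.11 and verifies the APIC certificate; the API Inspector window shows the exact request each GUI click generates, so its output can be compared against class_query_url() and the XML handed to post_xml(). Treat the APIC-cookie token like a password: until it expires it carries the full role of the account that logged in, which for the lab is the fabric admin.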

Deploying Service Graph through Northbound API:


In this part of the lab, we will execute the python script that inserts the Service Graph into the
tenant ACILab. The script will perform the following tasks:

• Import ASA Device Package


• Create Device Cluster
o Create Logical Interfaces
o Create Concrete Device
• Create Service Graph
o Attach Contract Service Graph
We will now execute a python script that will build up the objects for the Service Graph.

Note: You will be walking through multiple steps in this python script utilizing XML scripts, while it
creates the objects. You can view the APIC GUI to check the objects after the XML script is executed.

user01@dev-lnx:$ ./securerequest.py Scripts/Build_Lab6.cfg <PLEASE HIT ENTER>

Hit return to upload Scripts/asa-device-pkg-1.0.1.35.zip <PLEASE HIT ENTER>

Note: The python script will run through the various XML scripts to create the APIC objects for the
Service Graph. Follow through the script and after each object creation, a message will explain what
each XML script does.

View Service Graph:


With the python script executed, you can now browse the APIC GUI to look at the Service
Graph that was created within this environment. Below are some screen shots that confirm the
creation.

Figure 190: L4-L7 Services Device Cluster

1. Select the top menu “Tenants”
2. Select the sub-menu tenant “ACILab”
3. Expand the “Tenant ACILab” on the left-hand pane
4. Expand the “L4-L7 Services” on the left-hand pane
5. Expand the “L4-L7 Devices” on the left-hand pane
6. Then select the device name “Firewall”

Browse through this window to take a look at the information provided about the device cluster
and other relevant information about the Cisco firewall.

Figure 191: Service Graph Topology View

1. Select the top menu “Tenants”, then select the sub-menu tenant “ACILab”
2. Expand the “Tenant ACILab” on the left-hand pane
3. Expand the “L4-L7 Services” on the left-hand pane
4. Expand the “Deployed Graph Instances” on the left-hand pane
5. Then select the graph name “Web_Con-FWGraph-ACILab_VRF”

Notice that the “Input1” and “Output1” are linked to the Cisco Firewall name “FWNode”. This shows
how the firewall service is represented in the graph.

Figure 192: Service Graph Binding to Contract

1. Expand “Security Policies” on the left-hand pane
2. Then expand “Contracts”
3. Then expand the contract name “Web_Con”
4. Select the subject “web_subj”

The “Service Graph” option at the bottom of the window shows that this contract is bound to the
“ACILab/FWGraph”.

Verify on ASA ASDM GUI:


We will now verify that the configuration executed on the APIC is pushed to the virtual ASA. On the desktop
of your RDP server, open the icon “Cisco ASDM-IDM Launcher”.

Figure 193: Login to ASA

The login information for the ASA is IP Address: 192.168.1.103 and “admin/cisco123”. Click “OK” after
you have entered the credentials.

Figure 194: ASDM Pop-Up Messages

Note: A couple of messages will appear after you log into the ASDM. The first will ask about trusting the
publisher. Please click on the check box “Always trust content from the publisher” and click on “Yes”.
A second window will appear about the ASA license state. Click on the check box “Do not show this
message again” and click on “OK” to continue.

Figure 195: ASA Home View

Note that the two interfaces for the ASA have been configured by the APIC with the node name and the
physical and logical interface names provided in the python script that was executed.

You can now browse both the APIC GUI and the ASDM-IDM GUI to see what has been configured.

Since the ASAv is a virtual machine on our ESXi server, the service graph also creates the necessary “Port
groups” for the virtual interfaces that were configured in the service graph. Follow the screen shots to view
this integration.

Verifying on vCenter:
Figure 196: vCenter Integration with ASAv Service Graph

• In the Networking view, expand the “My-vCenter” DVS
• Notice the 2 additional port groups that were created by the Service Graph in the lab

With these port groups added, ACI integration with the service graph also binds these port groups to
the appropriate network adapters of the ASAv virtual machine. To verify this association, go to the
ASAv VM to validate the port group.

Figure 197: ASAv VM Port group Association

1. In the “Hosts and Clusters” view, select the “ASAv_01” VM and right-click
2. Select “Edit Settings”

Figure 198: ASAv Network Adapter Port group

• Notice that “Network adapter 2” and “Network adapter 3” have port groups associated from the ACILab
• Select one of these adapters (in this example Network adapter 2) and notice that it uses the “internal” port group, which correlates to Gig0/0 on the ASAv

Summary
Cisco’s ACI solution provides you a very powerful tool to insert any service that has an open API to
communicate with the APIC. With the ease of scripting, deployments of any object within the APIC can
now be done in minutes or possibly seconds, thus reducing the amount of time to deploy your
application network.

