Table of Contents

Summary (p. 45)
Lab 5: Building Policy Filters and Contracts (p. 46)
  Overview (p. 46)
  Procedures (p. 46)
    Creating Filters (p. 46)
    Creating Contracts (p. 53)
  Summary (p. 61)
Lab 6: Deploying a 3-Tier Application Network Profile (p. 62)
  Overview (p. 62)
  Procedures (p. 62)
    Creating Application Profile (p. 62)
  Summary (p. 70)
Lab 7: Integrating with VMware (p. 71)
  Lab 7-A: Registering VMM Domain (p. 71)
    Overview (p. 71)
    VMware vCenter Server Topology (p. 71)
    Procedures (p. 72)
      Register APIC to VMware vCenter (Create VMM Domain) (p. 72)
      Create vCenter Credentials (p. 76)
      Create vCenter Server Object (p. 76)
      Verifying APIC Connection to vCenter Server (p. 78)
    Summary (p. 81)
  Lab 7-B: Adding ESXi Hosts to APIC DVS (p. 82)
    Overview (p. 82)
    Procedures (p. 82)
      Add ESXi Hosts to APIC DVS (p. 82)
    Summary (p. 85)
  Lab 7-C: Associating EPGs to the vCenter Domain (p. 86)
    Overview (p. 86)
    Procedures (p. 86)
      Associating vCenter Domain to Application Server EPG (p. 86)
      Associating vCenter Domain to Database Server EPG (p. 88)
      Associating vCenter Domain to Web Server EPG (p. 89)
    Summary (p. 91)
  Lab 7-D: Associating VM to EPG Port-Groups (p. 92)
    Overview (p. 92)
    Procedures (p. 92)
      Map VMs to EPG Port-Groups (p. 92)
      Edit Web-Server Settings (p. 93)
      Edit App-Server Settings (p. 95)
      Edit DB-Server Settings (p. 97)
    Summary (p. 99)
Lab 8: The Attachable Access Entity Profile (AAEP) (p. 100)
  Overview (p. 100)
  Procedures (p. 100)
    Creating Attachable Access Entity Profile (p. 100)
    Confirming Creation of AAEP (p. 102)
  Summary (p. 103)
Lab 9: Layer 3 External (p. 104)
  Overview (p. 104)
  Procedures (p. 105)
    Configure Fabric Pod Policy (p. 105)
    Configure Fabric Group Policies (p. 107)
    Configure Routed L3 External Network (p. 109)
    Create External Routed Network (p. 109)
    Create External Node Profile (p. 111)
    Create OSPF Interface Profile (p. 112)
    Configure Consumer for L3-Out-EPG (p. 119)
    Confirm Contracts are in place (p. 120)
    Set Default OSPF Settings for Private Network (p. 121)
    Associate the L3 Outside Network to a Bridge Domain (p. 122)
  Summary (p. 123)
Lab 10: Exploring Monitoring and Troubleshooting (p. 124)
  Procedures (p. 124)
    Viewing Faults Using the GUI (p. 124)
    Events (p. 124)
    Viewing Events Using the GUI (p. 125)
    Log Retention Policies (p. 125)
    Configuring Log Retention Policies in the GUI (p. 126)
    Using the API Inspector (p. 126)
    Capturing an API Interchange for Inspection (p. 126)
    Using the Managed Object Browser (p. 128)
    Accessing Visore (p. 128)
    Running a Query in Visore (p. 128)
Supplemental Lab 1: Deploying a Service Graph into the Application Network Profile (p. 130)
  Overview (p. 130)
  Procedures (p. 130)
    vCenter ACI Removal (p. 130)
    Automation Through Python Scripting (p. 134)
    Removing ACI Objects Created from Labs 2 - 5 (p. 136)
    Deploying Service Graph through Northbound API (p. 136)
    View Service Graph (p. 137)
    Verify on ASA ASDM GUI (p. 140)
    Verifying on vCenter (p. 142)
  Summary (p. 144)
Lab Overview
The Cisco Nexus 9000 platform has two modes of operation. In the first mode, known as "Standalone" mode, the Nexus 9000 runs an enhanced version of the NX-OS operating system and provides a traditional switching model with advanced automation and programmability capabilities.
In the second mode, ACI mode, the Nexus 9000 provides an application-centric representation of the network as a whole. It uses advanced features and profile-based deployment to abstract the complexity of the underlying network while improving application visibility and business agility through DevOps methodologies. These labs focus on ACI mode.
This lab is also configured "as if" it were connected to a pair of UCS Fabric Interconnects. The assumption is that the UCS domain is on the same out-of-band network as the ACI APICs, the OOB management interfaces of the spines and leafs, vCenter, and the ESXi-1 and ESXi-2 hosts.
Virtual Lab Logical Topology
For consistency, we will refer to the logical setup of the ACI pod and the associated servers. This more closely reflects what would happen in a live ACI environment. As we progress, we will update the diagram below as needed.
To access the jumpbox, log in to Labops and left-click on the "jumphost" assigned to you (the vCenter box).
Choose "RDP Client" to download a configuration file for your native RDP client.
(If you are using Internet Explorer, you can use "TerminalService" instead to run an RDP client inside the browser.)
You can log in as either "administrator" or "student":
Administrator / C!sc0123
Student / P@ssw0rd
Overview:
In this lab section, we will register the switches to the primary APIC controller (APIC1), which then discovers the rest of the fabric. This lab walks you through that process and then familiarizes you with the fabric topology portion of the APIC GUI. The following tasks will be completed:
• System Login
• Register Nexus 9000 switches to the APIC controller
• Familiarization with the Fabric Topology
Procedures:
System Login:
Open the "Firefox" browser on your desktop. The screen resolution of the Windows session is fixed at 1024 x 768. This cannot be changed and may force you to scroll left/right and up/down in Firefox while navigating the APIC GUI. To make navigation quicker and easier, reduce the Firefox zoom level by opening the menu on the far right and clicking the "-" sign.
The web page should default to the address of the APIC1 controller, https://192.168.1.11. If it does not, enter that address in the browser or ask your instructor for assistance.
• At the APIC GUI login prompt, enter "admin" for the User ID and "cisco123" for the password.
Figure 4: Application Policy Infrastructure Controller (APIC) Login screen
You will see the following warning dialog box, in which you can click the "NO" button.
1. From the upper right corner, click on "admin"
2. Scroll down and click on "Settings"; you will be presented with an Application Settings box
Once you are logged in, you are presented with the Dashboard. You are logged in with global administrative rights, and your view includes all system components.
Register Nexus 9000 Switches to APIC:
The top menu bar is broken down into several logical sections; the "Fabric" view is where you will register the switches to the APIC. Follow the steps in the figure below.
Note: Whenever you click on a top menu entry, the sub-menu text shown in white is the view you are currently in. The other views in that sub-menu are shown in grey; they are not in view but can be selected. For example, when you click on the top menu "Fabric", the default view is "INVENTORY" (highlighted by the yellow box) while the other entries are in grey.
Register Leaf1 Switch to APIC:
We will now register the Leaf1 switch to the APIC. Follow the figures below to complete this task.
1. Select "Fabric Membership" by clicking on that entry. The view on the right-hand side will show a switch with serial number "TEP-1-101" and an ID of "0". Note that its role is "leaf".
2. We now need to register this leaf switch. To do so, double-click on the row "TEP-1-101".
3. In the "NODE ID" box, type in 101. Node IDs for switches start at 101; IDs 1 through 100 are reserved for other purposes (the APIC controllers themselves are node-1, node-2 and node-3).
4. In the "NODE NAME" box, type in Leaf1. You can technically give this switch any name, but for this lab please type in Leaf1. There is another box, "RACK NAME", which we will leave empty for this lab.
5. Once the ID and switch name are provided, click on "UPDATE".
Note: When the switch is registered, you will notice that it is assigned an IP address with a /32 mask. This is the switch's tunnel endpoint (TEP) address, allocated from the fabric's infrastructure TEP pool; it is the source and destination address of the VXLAN tunnels that carry traffic for this switch inside the fabric.
Register Spine1 and Spine2 Switches to APIC:
With the first fabric switch registered, APIC1 will now start discovering the rest of the fabric, along with the other controllers it can see. Please wait 30 to 60 seconds for the APIC GUI to see the other switches in the fabric. You should see 2 additional switches appear in the "Fabric Membership" view. When you do, register those switches as well, following the figures below.
Note: The fabric has discovered 2 additional switches with serial numbers "TEP-1-103" and "TEP-1-104". Notice under "ROLE" that these are spine switches, with their Node ID set to 0. We will use TEP-1-103 as our Spine1 and TEP-1-104 as our Spine2. In some pods TEP-1-104 may be discovered first and in others TEP-1-103; it is irrelevant which switch is discovered first.
Figure 14: Registering Spine Switch TEP-1-104
Figure 16: Fabric Discovery Completion View
Note: With the "Fabric Membership" view still selected, the right-hand window shows all of the switches that have been registered. Note that each registered switch now has an IP address. In the left-hand window you should see all of the switches under the expanded "Pod 1" entry. If you do not (for example, if Leaf2 is not yet under that section), the fabric may still be in the discovery and refresh process.
1. On the left-hand panel, expand the "Pod 1" entry by clicking on the "+"
2. Select the switch "Leaf1 (Node-101)"
3. On the right-hand panel, click on the "TOPOLOGY" tab
4. On the Nexus 9396, click on both of the "green" ports (43 and 44) and the APICs will appear
Note: Here you see the physical ports of the leaf switch Leaf1. Notice that it shows the 2 APIC controllers, APIC1 and APIC2, connected to interfaces on this switch.
Next, click on the "General" tab in the upper-right section of the window. Here you can retrieve inventory information about any of the leaf or spine switches in your environment.
Now click on the "Faults" tab in the same area of the window. In Cisco ACI it is very important to review and understand the Faults tab. In this lab there can be some false positives due to the nature of the Simulator; in practice, however, tracking down and resolving faults is one of the more critical tasks for a successful Cisco ACI deployment. Be aware that faults are scoped to the part of the fabric you are viewing: when you are looking at a leaf switch, the Faults tab shows the faults for that switch, and when you are on a tenant, the Faults tab shows the faults for that tenant.
Figure 19: Viewing Faults On A Leaf Switch
You can move around the rest of this section of the “FABRIC” view to look at the other switches.
With the physical fabric fully discovered, to get a topology overview of the environment (Pod 1), follow the
steps in the figure below to see this view.
1. On the left-hand window, select "Pod 1"
2. On the right-hand window, click on the "TOPOLOGY" tab
Note: The topology should show 3 APIC nodes, where APIC1 and APIC2 are connected to Leaf1 and APIC3 is connected to Leaf2. There should also be connections from Leaf1 to both Spine1 and Spine2 and from Leaf2 to Spine1 and Spine2. If you do not see the lines as shown in figure 13, please wait up to 5 minutes, as the time taken to build out the connections varies between pods.
Familiarizing Yourself with Fabric Controllers:
From the previous view, we see three (3) controllers in our fabric. To get information about those controllers, follow the figures below to become familiar with managing them.
Summary:
Lab 1 is designed to familiarize you with the startup process of discovering the fabric and viewing each of its physical components. It also gets you used to navigating the Fabric view of the APIC GUI. This is the first critical step in building up the ACI environment and is the baseline infrastructure on which your application network will be built.
Lab 2: Building Out of Band Access to Spine and Leaf Switches
Overview:
In this lab we will build out-of-band access to the spine and leaf switches. This gives the administrator SSH (or Telnet) access to the switches for administration and monitoring; use SSH, since Telnet sends the admin credentials across the management network in cleartext. For this lab we will use the same IP address range as the APICs and ESX/vCenter (192.168.1.0/24). We will then confirm that the IP addresses have been assigned and are working. Addresses are assigned per the diagram below.
Procedures:
Figure 23: Access the mgmt tenant
1. From the left side menu, expand “Tenant mgmt”
2. Go down to “Node Management Addresses”
3. Right-click on "Static Node Management Addresses" and, on the menu that pops up, choose "Create Static Node Management Addresses"
You will then be presented with a screen to configure the settings. We will assign addresses statically to the spines and leafs.
Repeat the process for Leaf2 (Node-102) = 192.168.1.112, Spine1 (Node-103) = 192.168.1.113 and Spine2 (Node-104) = 192.168.1.114.
You can also check that an IP address is assigned by using PuTTY to SSH to the switch:
1. Use PuTTY to SSH to one of the addresses you assigned, for example 192.168.1.114 (Spine2)
2. When prompted, click "Yes" to accept the host key. Outside a lab, compare the fingerprint PuTTY shows with the one read from the switch console (or from an existing trusted session) before accepting it: the first connection is the one where a spoofed management address would go unnoticed.
3. Log in with the same credentials as the APIC: admin/cisco123
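The checks that Lab 1 (switch node IDs of 101 and above, a TEP address per node) and this lab (one static OOB address per switch in 192.168.1.0/24) have you confirm by eye in the GUI can be made repeatable against the APIC REST API. The script below is an added example and not part of the lab guide. It reads the APIC's topSystem class (one object per switch or controller, whose address attribute is the TEP and whose oobMgmtAddr attribute is the OOB address), and runs offline on a constructed sample response that mirrors the lab topology. The TEP pool 10.0.0.0/16 and the Leaf1 address 192.168.1.111 are assumptions; the lab does not state them.

```python
"""Check fabric registration and out-of-band addressing from APIC API data.

Added example, not part of the lab guide. SAMPLE_TOPSYSTEM is a constructed
copy of what GET /api/node/class/topSystem.json returns for the lab fabric.
The TEP pool (10.0.0.0/16) and Leaf1's OOB address (192.168.1.111) are
assumptions. The HTTP helpers are only used when you point the script at a
real APIC; nothing is contacted at import time.
"""
import ipaddress
import json
import ssl
import urllib.request

OOB_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # lab OOB range (Lab 2)
TEP_POOL = ipaddress.ip_network("10.0.0.0/16")        # assumption: infra TEP pool
FIRST_SWITCH_ID = 101                                 # node IDs 1-100 are reserved

# Constructed sample of GET /api/node/class/topSystem.json for the lab pod.
SAMPLE_TOPSYSTEM = json.dumps({"totalCount": "5", "imdata": [
    {"topSystem": {"attributes": {"id": "1", "name": "APIC1", "role": "controller",
        "serial": "TEP-1-1", "address": "10.0.0.1", "oobMgmtAddr": "192.168.1.11"}}},
    {"topSystem": {"attributes": {"id": "101", "name": "Leaf1", "role": "leaf",
        "serial": "TEP-1-101", "address": "10.0.128.64", "oobMgmtAddr": "192.168.1.111"}}},
    {"topSystem": {"attributes": {"id": "102", "name": "Leaf2", "role": "leaf",
        "serial": "TEP-1-102", "address": "10.0.128.65", "oobMgmtAddr": "192.168.1.112"}}},
    {"topSystem": {"attributes": {"id": "103", "name": "Spine1", "role": "spine",
        "serial": "TEP-1-103", "address": "10.0.128.66", "oobMgmtAddr": "192.168.1.113"}}},
    {"topSystem": {"attributes": {"id": "104", "name": "Spine2", "role": "spine",
        "serial": "TEP-1-104", "address": "10.0.128.67", "oobMgmtAddr": "192.168.1.114"}}},
]})


def apic_login(base_url, username, password, cafile):
    """Log in to the APIC and return (token, ssl_context).

    cafile holds the APIC's certificate (self-signed in most labs). Pinning it
    keeps certificate verification on instead of switching it off."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}}).encode()
    req = urllib.request.Request(base_url + "/api/aaaLogin.json", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return token, ctx


def apic_class_query(base_url, class_name, token, ctx):
    """Return the raw JSON text of a class-level query such as topSystem."""
    req = urllib.request.Request(f"{base_url}/api/node/class/{class_name}.json",
                                 headers={"Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def parse_nodes(payload):
    """Reduce a topSystem response to the fields the lab has you check."""
    nodes = []
    for item in json.loads(payload)["imdata"]:
        a = item["topSystem"]["attributes"]
        nodes.append({"id": int(a["id"]), "name": a["name"], "role": a["role"],
                      "serial": a["serial"], "tep": a["address"], "oob": a["oobMgmtAddr"]})
    return nodes


def check_nodes(nodes):
    """Return a list of findings; an empty list means the fabric looks as expected."""
    findings = []
    oob_owner = {}
    for n in nodes:
        label = f"{n['name'] or n['serial']} (node-{n['id']})"
        if n["role"] in ("leaf", "spine") and n["id"] < FIRST_SWITCH_ID:
            findings.append(f"{label}: switch node id below {FIRST_SWITCH_ID}; not registered")
        if n["tep"] in ("", "0.0.0.0") or ipaddress.ip_address(n["tep"]) not in TEP_POOL:
            findings.append(f"{label}: TEP {n['tep']!r} not in pool {TEP_POOL}")
        if n["oob"] in ("", "0.0.0.0"):
            findings.append(f"{label}: no OOB address assigned")
            continue
        if ipaddress.ip_address(n["oob"]) not in OOB_SUBNET:
            findings.append(f"{label}: OOB {n['oob']} outside {OOB_SUBNET}")
        if n["oob"] in oob_owner:
            findings.append(f"{label}: duplicate OOB {n['oob']} also used by {oob_owner[n['oob']]}")
        oob_owner.setdefault(n["oob"], label)
    return findings


if __name__ == "__main__":
    # Against a live APIC: token, ctx = apic_login("https://192.168.1.11", "admin", "cisco123", "apic.pem")
    #                      nodes = parse_nodes(apic_class_query("https://192.168.1.11", "topSystem", token, ctx))
    for line in check_nodes(parse_nodes(SAMPLE_TOPSYSTEM)) or ["fabric OK"]:
        print(line)
```

The same query is what the API Inspector (Lab 10) shows the GUI issuing when you open Fabric Membership, so the script is a scriptable version of the screen you just used.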
Summary
You have now assigned static out-of-band management addresses to the spine and leaf switches from the mgmt tenant and confirmed that they are reachable over SSH. Out-of-band access gives administrators a path to each switch that does not depend on the fabric itself, which is what you want when the fabric is the thing being troubleshot.
Lab 3: Building VPCs to Connect to ESX-1 and ESX-2
Overview:
The goal of Lab 3 is to create VPCs between Leaf1 (node-101) and Leaf2 (node-102) in order to connect to servers ESX-1 and ESX-2.
In this lab, we continue to build the physical infrastructure of the ACI fabric. We will create a series of interface policies and then gather them into interface policy groups. We will also create switch profiles that use the interface policy groups to connect ESX-1 and ESX-2 to Leaf1 and Leaf2 using VPCs.
There will be a series of elements which need to be created first before we can create the VPCs. The steps
are:
1. Create Interface Policies
2. Create Interface Policy Group
3. Create Interface Profiles (interface selectors)
4. Create Switch Profile
5. Create VPC Explicit Protection Group
Procedures:
1. From the main menu, choose "Fabric"
2. From the sub-menu, choose "Access Policies"
3. From the left menu, expand "Interface Policies"
4. Then expand "Policies" to show the list of policies that can be configured
5. Highlight "Link Level" and right-click. Choose "Create Link Level Policy"
6. A pop-up window will appear to create a Link Level Policy
Figure 31: Link Level Policy
1. In the Create Link Level Policy Dialogue box. For Name, type “10G-No_Auto”
2. For Auto Negotiation, choose “off”
3. For speed, click the drop-down and choose “10 Gbps”
4. Click “Submit”
1. From the Interface Policies section, highlight “CDP Interfaces”, right click and choose “Create
CDP Interface Policy”
2. A pop-up window will appear to create a CDP Interface Policy
Figure 33: Pop-up Creating CDP Interface Policy
1. From the Interface Policies section, highlight “LLDP Interfaces”, right click and choose “Create
LLDP Interface Policy”
2. A pop-up window will appear to create a LLDP Interface Policy
Figure 35: Pop-up Creating LLDP Policy
1. From the Interface Policies section, highlight “Port Channels”, right click and choose
“Create Port Channel Policy”
2. A pop-up window will appear to create a Port Channel Policy
Figure 37: Pop-up Creating Port Channel Policy
We have just created 4 different interface policies. In anticipation of the VPC connections to our ESX-1 and ESX-2 hosts, we now bundle them into an Interface Policy Group, which is similar to a port-profile in NX-OS.
1. Click "Fabric"
2. Click "Access Policies"
3. Expand "Interface Policies"
4. Highlight "Policy Groups", right-click
5. Choose "Create VPC Interface Policy Group"
6. A pop-up window will appear to create a VPC Interface Policy Group
Create Interface Profiles
We continue by creating Interface Profiles, which select the interfaces we plan to use and link them to the Interface Policy Group created in the previous step. Once the interface profiles are complete, we will create Switch Profiles. A Switch Profile chooses a switch (or switches) and combines it with our Interface Profile (which selects the interfaces to use).
We will start by creating interface profiles that select the ports to be used for each VPC.
1. Click "Fabric"
2. Click "Access Policies"
3. Expand "Interface Policies"
4. Expand "Profiles"
5. Right-click "Leaf Profiles", choose "Create Leaf Interface Profile"
6. A pop-up window will appear to create a Leaf Interface Profile
Figure 41: Specify the Profile Identity
Repeat the process from above to add VPC4 from the Interface Selector, using 1/4 as your interface. When you are done, you should see this:
We continue by creating a switch profile that includes both Leaf1 (Node-101) and Leaf2 (Node-102).
1. Click "Fabric"
2. Click "Access Policies"
3. Expand "Switch Policies"
4. Highlight "Profiles", right-click and choose "Create Leaf Profile"
5. A pop-up window will appear to create a Leaf Profile
Figure 46: Confirm Selection of VPC3 and VPC4 in Interface Selector
Finally, we create a "VPC Explicit Protection Group". This is the ACI equivalent of a vPC domain in NX-OS: it names the two leafs that will act as vPC peers and gives the pair an ID.
1. Click "Fabric"
2. Click "Access Policies"
3. Expand "Switch Policies"
4. Expand "Policies", select "Virtual Port Channel default", then right-click and choose "Create Explicit Protection Group"
5. A pop-up window will appear to create an Explicit Protection Group
1. In the “Name:” field, type “VPC-101-102”
2. In the “ID:” field, type “101”
3. In the “VPC Domain Policy” field, click the drop-down and choose “default”
4. In the “Switch 1:” field, click the drop-down and choose “101”
5. In the “Switch 2:” field, click the drop-down and choose “102”
6. Click “Submit”
Summary
In this lab, we built 2 physical VPC connections, to ESX-1 and ESX-2 respectively. We started by creating 4 simple interface policies, which we then bundled together in an Interface Policy Group. We then selected the interfaces we will be using and bound the Interface Policy Group to them in an Interface Profile, and tied that into a Switch Profile containing both Leaf1 and Leaf2 for the VPC. Finally, we tied all of these together and created the VPC by means of an Explicit VPC Protection Group.
Lab 4: Building Basic Network Constructs
Overview:
In this lab we explore the tenancy capabilities of the ACI system. ACI is designed to scale from smaller commercial environments, which may use a single tenant, to large cloud providers with support for 64,000 tenants and above. The tasks are:
• Building a Tenant
• Building a Private Layer 3 Network (VRF)
• Building a Bridge Domain
Procedures:
Building a Tenant:
If you are not currently logged into the APIC GUI, follow the steps in Lab 1 "System Login" before proceeding. We will use the wizard to create the tenant. Follow the figure below to add a tenant.
1. In the "Name" field, type in ACILab
2. In the "VRF Name" field, type in ACILab_VRF; this creates the VRF when you finish
3. Leave the check box "Take me to the tenant when I click finish" at its default
4. Click on "SUBMIT" to continue
We will keep things simple by creating 1 bridge domain for each End Point Group (EPG) that will eventually be created. This is sometimes referred to as Network Centric Mode and is a very common way to start with ACI, as it feels closer to a traditional network (one subnet per VLAN-like segment).
1. Drag the bridge domain icon onto the VRF icon to add a bridge domain to the VRF
2. The following window will appear
Figure 55: Creating a Bridge Domain
7. In the "Subnets:" section, click on the "+" to add a gateway and mask; the following window will appear
8. Type 10.10.10.1/24 as the "Gateway IP" and leave everything else in that row at its default
9. Click on the "OK" button
10. Once the "OK" button has been clicked, the "OK" button on the previous screen becomes active. Click on that "OK" button.
11. You will see the following when complete.
1. Following the same steps 1 to 11 above, create a second bridge domain with the following information:
a. "Name" = ACILab_BD2
b. "Subnet" / "Gateway" = 20.20.20.1/24
2. You will see the following when complete.
Building a Third Bridge Domain
1. Following the same steps 1 to 11 above, create a third bridge domain with the following information:
a. "Name" = ACILab_BD3
b. "Subnet" / "Gateway" = 30.30.30.1/24
2. You will see the following when complete.
3. You can now click on "Tenant ACILab" in the left tree menu to see an overview of the tenant, and click through the menus and tabs to familiarize yourself with the other options.
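The tenant, VRF and three bridge domains you just built through the wizard are ordinary managed objects, and the Supplemental Lab later drives the same northbound API from Python. As an added example (not the lab's own code), the script below assembles the Lab 4 objects as the JSON document you would POST to https://<apic>/api/mo/uni.json, and refuses to build it if two bridge-domain subnets overlap, a configuration the APIC would otherwise accept and then flag with a fault. The class names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet) are those of the APIC object model; the name ACILab_BD1 for the first bridge domain is an assumption, since the lab only names BD2 and BD3 explicitly, and "private" is the subnet scope the lab leaves at its default.

```python
"""Build the Lab 4 tenant, VRF and bridge domains as an APIC REST payload.

Added example, not part of the lab guide. Class and attribute names are those
of the APIC object model. ACILab_BD1 is an assumed name for the first bridge
domain; scope "private" is the dialog default the lab does not change.
"""
import ipaddress
import json

TENANT = "ACILab"
VRF = "ACILab_VRF"
BRIDGE_DOMAINS = {            # bridge domain -> gateway/mask, as entered in Lab 4
    "ACILab_BD1": "10.10.10.1/24",
    "ACILab_BD2": "20.20.20.1/24",
    "ACILab_BD3": "30.30.30.1/24",
}


def validate_subnets(bds):
    """Reject gateways that are not host addresses and bridge domains whose
    subnets overlap. All three BDs share one VRF, so an overlap makes the
    routed reachability between them ambiguous. Returns the BD names."""
    seen = []
    for name, gw in bds.items():
        iface = ipaddress.ip_interface(gw)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name}: gateway {gw} is not a host address")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                raise ValueError(f"{name} ({net}) overlaps {other_name} ({other_net})")
        seen.append((name, net))
    return [n for n, _ in seen]


def build_tenant(tenant=TENANT, vrf=VRF, bds=BRIDGE_DOMAINS):
    """Return the fvTenant document: one fvCtx plus one fvBD per entry in bds,
    each BD bound to the VRF (fvRsCtx) and carrying its gateway (fvSubnet)."""
    validate_subnets(bds)
    bd_children = []
    for name, gw in bds.items():
        bd_children.append({"fvBD": {"attributes": {"name": name}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}},          # BD -> VRF
            {"fvSubnet": {"attributes": {"ip": gw, "scope": "private"}}},  # gateway
        ]}})
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": [{"fvCtx": {"attributes": {"name": vrf}}}] + bd_children}}


def to_json(doc):
    """Serialise for POST /api/mo/uni.json (Content-Type: application/json)."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(to_json(build_tenant()))
```

POST the output with an authenticated session (the APIC-cookie token from /api/aaaLogin.json) and the tenant appears in the GUI exactly as the wizard would have created it; the API Inspector in Lab 10 will show you the same document when you create objects by hand.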
Summary
You have now successfully created a tenant with a basic network VRF and a few bridge domains. The ACI system provides full configurability for multiple tenants. Depending on the chosen deployment model, this allows users to segregate management, administration, troubleshooting and the underlying network infrastructure.
Lab 5: Building Policy Filters and Contracts
Overview:
To build the foundation of the application profile, it is necessary to create filters within our
tenant that will be utilized by the contracts. Those contracts will then be associated with EPGs
that will make up our 3‐Tier application profile. The following are tasks that will be completed in
this section of the lab:
• Creating Filters
• Creating Contracts
Procedures:
Creating Filters:
Note: PLEASE MAKE SURE THAT YOU ARE ON THE “ACILab” TENANT BEFORE CREATING FILTERS
AND CONTRACTS
1. In the ACILab tenant, expand the "Security Policies" section on the left-hand panel
2. Select the "Filters" section
3. On the right-hand panel, click on the "ACTIONS" button
4. Select "Create Filter"
Figure 60: Define Web Server Filter Information
1. On the “Entries:” window, click on the “+” and a new entry window will appear. Please
provide the following information under each window:
• Name: https_filter
• EtherType: IP
• ARP Flag: <do nothing>
• IP Protocol: tcp
• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified
• Destination Port/Range (From): http
• Destination Port/Range (To): http
• TCP Session Rules: Unspecified
2. Click on “UPDATE”
3. Once the “UPDATE” button is clicked, the “SUBMIT” button will be active. Please click on
“SUBMIT” to create the web filter.
Create App Filter
We will now create an Application Server filter.
• Source Port/Range (From): Unspecified
• Source Port/Range (To): Unspecified
• Destination Port/Range (From): 1433
• Destination Port/Range (To): 1433
• TCP Session Rules: Unspecified
Note: When entering “1433” in the “Destination Port/Range (From)” and “Destination Port/Range (To)”
windows, do not press the Tab key after typing 1433. If you do, the window may select “https” or another
entry from the options. After entering 1433, make sure that the window still shows 1433.
3. Click on “UPDATE”
4. Once the “UPDATE” button is clicked, the “SUBMIT” button will be active. Please click on
“SUBMIT” to create the application server filter.
Create DB Filter
We will now create a Database Server filter.
• Destination Port/Range (From): 1521
• Destination Port/Range (To): 1521
• TCP Session Rules: Unspecified
3. Click on “UPDATE”
Creating Contracts
With the filters created, we will now create the contracts that will use those filters. Please follow the
procedures below to create the various contracts and associate the filters to those contracts.
1. In the ACILab tenant, expand the “Security Policies” window on the left-hand panel
2. Select the “Contracts” section
3. On the right-hand panel, click on the “ACTIONS” button
4. Select “Create Contract”
Figure 71: Providing Web Server Contract Information
2. Make sure both the “Reverse Filter Ports” and “Apply Both Directions” check boxes are checked
3. Under the “Filter Chain” window, click on the “+” sign to add a filter
4. Click on the drop-down arrow to show the list of filters and select
“Web_Filter” under the “ACILab” tenant
5. Once selected, click on “Update”
7. Please click on the “SUBMIT” button to create the web server contract.
8. We will now create an Application Server Contract.
Figure 75: Creating Application Server Contract Subject
8. Once the “Update” button is clicked, the “OK” button will be active. Please click on “OK” to
create the application server contract subject.
Figure 77: Completion of Application Server Contract
Create DB Contract
Figure 79: Providing Database Server Contract Information
5. In the “Name” window, type in db_subj
6. Make sure both the “Reverse Filter Ports” and “Apply Both Directions” check boxes are checked
7. Under the “Filter Chain” window, click on the “+” sign to add a filter
8. Click on the drop-down arrow to show the list of filters and select
“DB_Filter” under the “ACILab” tenant
9. Once selected, click on “Update”
10. Once the “UPDATE” button is clicked, the “OK” button will be active. Please click on “OK” to
create the database server contract subject.
Figure 82: Completion of Database Server Contract
11. Please click on the “SUBMIT” button to create the database server contract.
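The filters and contracts clicked together above are ordinary managed objects, and the APIC accepts the same thing as an XML POST. The block below is an added example written for this guide, not the lab's own script or Cisco's code: it builds the Lab 5 filters (Web_Filter, App_Filter, DB_Filter) and contracts (Web_Con, App_Con, DB_Con) as XML, resolves each contract back to the destination port it actually permits as a sanity check, and shows how the result would be pushed through the REST API. The entry and subject names not given on the page (app_entry, db_entry, web_subj, app_subj) are assumptions, as are the class and attribute names (vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, revFltPorts), which are taken from the ACI object model as the author knows it; confirm them in Visore on your own APIC.

```python
"""Build the Lab 5 filters and contracts as APIC XML (added example, not the lab's script)."""
import xml.etree.ElementTree as ET

# Lab values: filter name -> (entry name, destination port).
# Entry names other than https_filter are assumed; the page does not give them.
LAB_FILTERS = {
    "Web_Filter": ("https_filter", "http"),
    "App_Filter": ("app_entry", "1433"),
    "DB_Filter": ("db_entry", "1521"),
}

# Lab values: contract name -> (subject name, filter name).
# web_subj and app_subj are assumed; db_subj is from the lab.
LAB_CONTRACTS = {
    "Web_Con": ("web_subj", "Web_Filter"),
    "App_Con": ("app_subj", "App_Filter"),
    "DB_Con": ("db_subj", "DB_Filter"),
}


def build_filter(name, entry_name, dport):
    """vzFilter with one IP/TCP vzEntry: source ports unspecified, one destination port."""
    flt = ET.Element("vzFilter", name=name)
    ET.SubElement(flt, "vzEntry", name=entry_name, etherT="ip", prot="tcp",
                  sFromPort="unspecified", sToPort="unspecified",
                  dFromPort=dport, dToPort=dport)
    return flt


def build_contract(name, subj_name, filter_name):
    """vzBrCP whose subject applies the filter in both directions.

    Attaching vzRsSubjFiltAtt directly under vzSubj (no vzInTerm/vzOutTerm) is the
    'Apply Both Directions' form; revFltPorts="yes" is 'Reverse Filter Ports', so the
    return traffic from the destination port is permitted as well.
    """
    con = ET.Element("vzBrCP", name=name, scope="context")
    subj = ET.SubElement(con, "vzSubj", name=subj_name, revFltPorts="yes")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=filter_name)
    return con


def build_tenant_policy(tenant="ACILab"):
    """fvTenant carrying all Lab 5 filters and contracts, ready to POST to uni.xml."""
    tn = ET.Element("fvTenant", name=tenant)
    for fname, (ename, port) in LAB_FILTERS.items():
        tn.append(build_filter(fname, ename, port))
    for cname, (sname, fname) in LAB_CONTRACTS.items():
        tn.append(build_contract(cname, sname, fname))
    return tn


def to_xml(elem):
    return ET.tostring(elem, encoding="unicode")


def contract_ports(tenant_elem):
    """Return {contract: [destination ports]} by following each subject's filter reference.

    A quick review check: a contract that resolves to no ports (typo in the filter
    name) or to the wrong port is the kind of mistake the GUI drop-down hides.
    """
    filters = {f.get("name"): [e.get("dFromPort") for e in f.findall("vzEntry")]
               for f in tenant_elem.findall("vzFilter")}
    result = {}
    for con in tenant_elem.findall("vzBrCP"):
        ports = []
        for att in con.iter("vzRsSubjFiltAtt"):
            ports.extend(filters.get(att.get("tnVzFilterName"), []))
        result[con.get("name")] = ports
    return result


def post_to_apic(apic, user, password, tenant_elem, verify=True):
    """Push the policy: aaaLogin for a session cookie, then POST to /api/mo/uni.xml.

    Not executed in this example; needs the 'requests' package and a reachable APIC.
    """
    import requests
    session = requests.Session()
    login = f'<aaaUser name="{user}" pwd="{password}"/>'
    resp = session.post(f"https://{apic}/api/aaaLogin.xml", data=login, verify=verify)
    resp.raise_for_status()
    resp = session.post(f"https://{apic}/api/mo/uni.xml", data=to_xml(tenant_elem), verify=verify)
    resp.raise_for_status()
    return resp.status_code


if __name__ == "__main__":
    policy = build_tenant_policy()
    print(to_xml(policy))
    print(contract_ports(policy))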
Summary
You now have successfully created the tenant filters and contracts that can be fully utilized by any
Application Profile and EPGs. We will next focus on creating the application profile and EPGs that will
associate these contracts and filters.
Lab 6: Deploying a 3-Tier Application Network Profile
Overview:
With the filters and contracts created from the previous lab, we can now build our application profile. The
Application Profile allows your environment to build a template of network attributes and policies that
can be dynamically instantiated and seamlessly inserted. The following are tasks that will be completed in
this section of the lab
Procedures:
Figure 85: Providing Application Profile Information
1. In the “Name” window, type in App_EPG
2. On the drop-down box for the “Bridge Domain” select “ACILab_BD2”
3. On the drop-down box for the “Provided Contract” select “App_Con”
4. On the drop-down box for the “Consumed Contract” select “DB_Con”
5. Click “Update”
1. In the “EPGs” window, click on “+” to add another EPG
Figure 90: Create a Database EPG
Figure 91: Add a Provided Contract for Web EPG
Note: This provides a logical topology view of the application profile. You can familiarize yourself with
this view by selecting the various tabs for more detailed information.
Summary
Application profiles are a powerful tool for building out application connectivity and policy using repeatable
processes. Application connectivity is defined based on the service tiers or components provided and the
tiers they consume. Contracts define the policy for those connections and can be used for provider or
consumer relationships.
Lab 7: Integrating with VMware
Overview:
In this lab section, we will register the APIC to our virtual environment, which will be using VMware’s
vCenter Server. This lab will walk you through this registration process, which will allow the APIC to push
application policies down to the virtual machines. This tight integration will be shown in another lab
exercise but in this lab section, we will focus on building the connection between the APIC and VMware’s
vCenter Server. The lab will complete the following tasks:
• Open the vSphere client on the desktop and leave the defaults, then click on “Login”
Figure 96: VMware Environment View
Note: If the VMs have an “!” symbol next to their name, click on each VM in the tree on the left, then
click on the “Summary” tab and answer the question on each VM with “I copied it”. It should look like the
above image when done.
Procedures:
1. On the top menu, select “VM NETWORKING”
2. On the left-hand panel, select the “VMware” folder
3. Then on the right-hand panel, click on the “+” button
1. In the “Name:” window, type in ACILab_VLAN_Pool
2. In the “Encap Blocks:”, click on the “+” to create the VLAN Pool.
Figure 101: Completing Creation of VLAN Pool
1. Click on “SUBMIT” to create the VLAN Pool, which will take you back to the Create vCenter
Domain page.
Create vCenter Credentials:
1. Next we will create the credentials to log in to the vCenter server. To do this, click the “+” next
to “vCenter Credentials:”
1. In the “Name” window, type in an object name for this credential, which in this case will be
administrator
2. In the “Username:” box, type in the username that is authenticated on the VMware
vCenter Server, which will be “administrator”
3. In the “Password:” window, type in the password for the user administrator, which for this lab is
“C!sc0123”.
4. In the “Confirm Password:” window, retype the password.
5. Click on “OK” to complete the task
1. To create the vCenter server object, click on the “+” next to “vCenter/vShield”
Figure 104: Configuring vCenter Server Information
Within this “Create vCenter Domain” task, it is important to enter the information EXACTLY as
shown in the lab guide.
Figure 105: Completing Creation of vCenter Domain
Figure 106: Verification of vCenter Domain Connection to VMware vCenter Server
You can also verify this in the vSphere client by checking that the APIC DVS has been created. Follow the
figures below to verify this from a VMware perspective.
Figure 108: Verifying APIC DVS Creation
1. On the top menu of the vSphere client, click on the “Hosts and Clusters” entry and a drop-down
menu will appear.
2. Click on “Networking” to get to the networking view in vCenter
1. If the networking view is not expanded, then from the top entry called “VC”, click on the “+”
to expand the view
2. The logical data center can be expanded by clicking on the “+” next to the entry
ACILab
3. The VMM Domain that was created in the lab is shown as a folder “My-vCenter”; you will
now notice that a new DVS named “My-vCenter” has been created, and you can expand it.
You will notice that the DVS uplink has been created. This verifies that the APIC has a connection
to the VMware vCenter Server.
Note: The number next to the “DVUplinks” may be different depending on the VLAN assigned by ACI to the
uplink.
Summary:
ACI is able to integrate with various hypervisor technologies, and VMware is one of the vendors in this
space. ACI also supports Microsoft Hyper-V and, later on, other hypervisor vendors such as KVM and Citrix. This
lab demonstrates the capability of integrating with VMware’s vCenter technology, which allows the APIC to
create policies that can be utilized by VMware’s virtual environment.
Lab 7‐B: Adding ESXi Hosts to APIC DVS
Overview:
In this lab we will focus on adding the two (2) ESXi hosts to the APIC DVS. This will allow the APIC EPGs to be
associated with VMware’s virtual environment. This section uses VMware’s vSphere client to add the hosts
to the APIC DVS. This lab will complete the following task:
• Add both ESXi hosts (ESXi-01 and ESXi-02) to the APIC DVS (apicVswitch)
Procedures:
1. Select the DVS named “My-vCenter” and right-click on the “My-vCenter” DVS
to open a sub-menu
2. Click on “Add Host”
Figure 111: Selecting Host NIC for APIC DVS Control
Note: Both ESXi hosts have an unused “vmnic2”, which will be used for the APIC DVS. On some
pods that vmnic number may be “vmnic1”.
1. Click on the check-box next to “vmnic2” for the first host with IP 192.168.1.101
2. Click on the check-box next to “vmnic2” for the second host with IP 192.168.1.102
3. Click on “Next” to continue
Figure 112: Migration of vmkernels
1. We will not migrate any vmKernels in this lab. So please click on “Next” to continue.
1. We will also not migrate any virtual machines’ network interfaces during this process.
Please click on “Next” to continue.
1. Click on the “Hosts” tab on the right-hand panel. You should now see that the two ESXi hosts
have been added to the APIC DVS.
Summary
You have now successfully added the ESXi hosts to the APIC DVS. This section has laid the foundation for
the APIC to create EPGs, which will create VMware port-groups that the virtual machines can utilize.
This will allow the APIC to distribute policies to VMware’s virtual environment.
Lab 7‐C: Associating EPGs to the vCenter Domain
Overview:
In this lab we will focus on associating the EPGs to the VMM Domain. With the ESXi hosts already connected
to the APIC DVS, we can now associate the EPGs we created in the last lab to our VMware virtual environment.
Procedures:
1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG App_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”
Figure 117: Associating My-vCenter vCenter Domain to App_EPG
Associating vCenter Domain to Database Server EPG:
Associating VMM Domain to DB_EPG
1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG DB_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”
Figure 120: Associating My-vCenter vCenter Domain to DB_EPG
Figure 122: Associating vCenter Domain to Web Server EPG
1. Click on “Tenant” in the top menu, then expand in the left menu “Tenant ACILab”.
2. Next expand the “Application Profile” folder
3. Next expand the “3Tier_App” folder
4. Next expand the “Application EPGs” folder
5. Then expand the “EPG Web_EPG” folder
6. Then select “Domains (VMs and bare metals)”
7. On the right-hand panel, click on “ACTIONS”
8. Then select “Add VMM Domain Association”
1. On the “VMM Dom Profile:” drop-down box, select “My-vCenter”
2. Choose the radio button “Immediate” for “Deploy Immediacy”
3. Choose the radio button “Immediate” for “Resolution Immediacy”
4. Click on “SUBMIT”
Summary:
The ACI EPGs are now fully integrated into VMware’s virtualized environment and the VMs can now fully
utilize the ACI fabric infrastructure.
Lab 7‐D: Associating VM to EPG Port-Groups
Overview:
In this lab we will now convert the VMs from using the native vSwitch to the APIC DVS port-groups. This will
complete the integration of the APIC with the virtualized environment.
Procedures:
Edit Web-Server Settings:
Edit Settings of Virtual Machine “Web-Server”
Figure 127: Choose APIC Application Profile Web EPG
1. Click on “OK” to complete the changes for Network adapter 1
Figure 131: Choose APIC Application Profile App EPG
Edit DB-Server Settings:
Edit Settings of Virtual Machine “DB-Server”
Figure 134: Choose APIC Application Profile DB EPG
1. Click on “OK” to complete the changes for Network adapter 1
Figure 136: Viewing VMware Virtual Machines Information from APIC GUI
Summary:
You have successfully provided full visibility and manageability from the APIC to the virtualized environment.
Insertion of services and policies can now be dynamically and seamlessly provisioned while being managed from
a centralized management tool.
Lab 8: The Attachable Access Entity Profile (AAEP)
Overview:
We are almost done. Our physical infrastructure is provisioned and is connected to our virtual
infrastructure through the VMM integration, but traffic will not yet pass. We need a mechanism to tie our
logical network constructs (in this case, access facing VLANs) to the switch ports. The mechanism is called
the Attachable Access Entity Profile (AAEP or AEP). It’s often compared to a “switchport trunk allow vlan…”
command.
There are 3 steps involved. The first is the creation of a VLAN or a range of VLANs. The second step is
creating a Domain to connect those VLANs to. The third step is tying them into the AAEP.
In Lab 7, we created a VLAN pool that will dynamically assign VLANs and we created a Virtual Domain. So
steps 1 and 2 are already completed. In this short lab, we will concentrate on the AAEP itself.
Procedures:
Confirming Creation of AAEP
1. In the “Select the Interfaces” section, you will see the Interface Policy Groups created in Lab 3. For
“VPC3”, click the radio button for “all”
2. For “VPC4”, click the radio button for “all”
3. Click “FINISH”
Summary
In this lab, we created an Attachable Access Entity Profile. The AAEP is used to connect the interfaces of
our switch to the VLANs and Domains. The diagram below summarizes where the AAEP fits and what
purpose it serves.
Lab 9: Layer 3 External
Overview
In this lab section, we will focus on how to create a Layer 3 External Routed network using OSPF in our
example. This lab is using a simulator, so no real validation can be performed but the steps in this lab will
demonstrate the procedures that are needed to create an External Layer 3 configuration.
The following is a list of procedures that are needed to complete the configuration of the External L3
Network:
Procedures:
Figure 145: Adding BGP Route Reflectors
1. From the drop-down box at “Spine Node”, select the first spine, which is Node ID “103”
2. Click on “Submit”
1. From the drop-down box at “Spine Node”, select the first spine, which is Node ID “103”
2. Click on “Submit”
Figure 147: Complete Adding Route Reflector
1. Click on “Submit”
1. From “Fabric”
2. Select “Fabric Policies”
3. Expand “Pod Policies”
4. Highlight “Policy Groups”
5. Right click, select “Create POD Policy Group”
Figure 149: Configure Pod Policy Group
Configure Routed L3 External Network
In this section, we will create an External L3 Network for our tenant “ACILab”. Please follow the
procedure below to complete this task.
Figure 151: Configure L3 Routed Outside
Create External Node Profile
Figure 151: Configure Node Profile
1. In the “Name” window, type in “Border-Leaf2” since we will map the outside network to
our Leaf2 switch
2. Click on the “+” next to “Nodes” section
1. In the drop-down box at “Node ID”, select “Leaf2 (Node-102)”, which will then show up as
“topology/pod-1/node-102”
2. Type in the address “1.0.0.2” for the “Router ID”
3. Click on “OK”
1. In the “Name” window, type in “L3-OSPF-Leaf2”
2. Under the “Interfaces” section, click on the “+” to add the “Routed Interfaces”. There are 2
additional options, “SVI” and “Routed Sub-Interfaces”, which we will not use in this
example.
Figure 155: Configure Routed Interface
1. In the drop-down box for “Path”, select the node “102” and select interface “eth1/1”
2. In the “IP Address” window, type in “40.40.40.1/24”
3. In the “MTU (bytes)” window, the default is set to “inherit”. Please enter in “1500”
4. Click on “OK”
Figure 156: Completion of Routed Interface Configuration
• Click “OK”
• Click “OK”
Figure 158: Continue Wizard to External Network EPG
• Click on “Next”
1. In the “Create Subnet” window, we will allow all subnets into this EPG. In a real environment,
this might be filtered to only allow certain subnets, but for this lab please enter “0.0.0.0/0”.
The mask will be filled in automatically
2. Click on “OK”
• Click “OK”
• Click on “Finish”
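The subnet entered in the external EPG above is what decides which outside addresses are treated as members of “L3-Out-EPG”, and therefore which outside sources get whatever contract that EPG consumes. The block below is an added example for this guide, not the lab's own script or Cisco's code: it builds the external EPG and its l3extSubnet entries as XML, flags a match-all subnet such as the “0.0.0.0/0” used in the lab, and models the longest-prefix-match classification so you can see the difference between the lab setting and the tighter subnet list the text recommends for a real environment. The l3extOut name is not shown on the page, so “L3Out_NAME_FROM_LAB” is a placeholder; the class and attribute names (l3extOut, l3extInstP, l3extSubnet, scope="import-security") are from the ACI object model as the author knows it and should be confirmed in Visore. The addresses 203.0.113.7 and 198.51.100.0/24 are constructed sample values.

```python
"""External EPG subnet classification from the L3 Out wizard (added example, not the lab's script)."""
import ipaddress
import xml.etree.ElementTree as ET

# Placeholder: the real L3 Out name is in the lab figure, not in the text.
PLACEHOLDER_L3OUT = "L3Out_NAME_FROM_LAB"


def external_epg_xml(epg_name, subnets, l3out_name=PLACEHOLDER_L3OUT, tenant="ACILab"):
    """fvTenant > l3extOut > l3extInstP with one l3extSubnet per prefix.

    scope="import-security" is the classification scope: these prefixes define which
    outside addresses belong to this external EPG (assumed attribute value; verify in Visore).
    """
    tn = ET.Element("fvTenant", name=tenant)
    out = ET.SubElement(tn, "l3extOut", name=l3out_name)
    epg = ET.SubElement(out, "l3extInstP", name=epg_name)
    for prefix in subnets:
        ipaddress.ip_network(prefix)  # reject malformed input before it reaches the APIC
        ET.SubElement(epg, "l3extSubnet", ip=prefix, scope="import-security")
    return ET.tostring(tn, encoding="unicode")


def match_all_subnets(subnets):
    """Return the prefixes that classify every address of their family (prefix length 0)."""
    return [p for p in subnets if ipaddress.ip_network(p).prefixlen == 0]


def classify(src_ip, epg_subnets):
    """Longest-prefix match of one outside source across external EPGs.

    epg_subnets: {epg_name: [prefix, ...]}. Returns the matching EPG name, or None when
    no prefix covers the address (the source is then not a member of any external EPG).
    Simplified model of ACI classification; it ignores VRF and multi-L3Out details.
    """
    addr = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for epg, prefixes in epg_subnets.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = epg, net.prefixlen
    return best


if __name__ == "__main__":
    lab = {"L3-Out-EPG": ["0.0.0.0/0"]}              # the lab setting
    print(external_epg_xml("L3-Out-EPG", lab["L3-Out-EPG"]))
    print("match-all:", match_all_subnets(lab["L3-Out-EPG"]))
    print("lab:", classify("203.0.113.7", lab))      # every outside source lands in L3-Out-EPG
    tight = {"L3-Out-EPG": ["198.51.100.0/24"]}      # constructed tighter list
    print("tight:", classify("203.0.113.7", tight))  # an unlisted source matches nothing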
Configure Consumer for L3-Out-EPG
With the External Routed Network configured, we will now add a provider/consumer permission to allow
communication with this outside network. Follow the steps below to complete this task.
Figure 167: Add Consumed Contract
1. From the drop-down box, select “ACILab/Web_Con” under “Type – Contract” and DO NOT
choose from “Type – Imported Contract”
2. Once completed, click on “Update”
1. Click “Tenants”
2. Click “ACILab”
3. Expand “Tenant ACILab”
4. Expand “Application Profiles”
5. Select “3Tier-App” to view the updated visualization of the App Profile
Associate the L3 Outside Network to a Bridge Domain
We will now complete the task of associating the L3 outside network to our bridge domain. Please follow
the steps to complete this task.
Figure 171: Final Topology
Summary
This completes the configuration of the external layer 3 network for communication to the outside of the
ACI fabric. This lab uses a simulator to demonstrate the process, and verification is not
available on the simulator at this time. In a physical fabric, there are verification tasks that would validate the
configuration we have done here.
Lab 10: Exploring Monitoring and Troubleshooting
Procedures:
Logged faults are presented in many places in the GUI, filtered to show only those faults relevant to the
current GUI context. Wherever a Records tab appears in the GUI Work pane, you can view the relevant
entries from the fault log.
For example, to view the faults related to a tenant, perform the following task.
1. Select “Tenants”
2. Then select the tenant “ACILab”
3. Select the top entry “Tenant ACILab” on the left hand pane
4. Then select the “Faults” tab on the right hand pane
To see more detail on a fault, double-click on its entry.
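The Faults tab is a filtered view of the same fault log that the REST API exposes, which is what you want when faults are to be collected by a monitoring system rather than read one at a time in the GUI. The block below is an added example, not part of the lab guide or of Cisco's tooling: it builds the class query for faults under the ACILab tenant, parses the APIC JSON envelope, and reports faults by severity together with the unacknowledged ones at major or above. The query syntax (faultInst class query with a wcard filter on dn) and the response shape are the APIC REST API as the author knows it; the API Inspector described further down shows the exact query the GUI issues, so compare against that. The fault records and codes (F9001 to F9004) are constructed sample data, not real fabric output.

```python
"""Read the tenant fault log through the APIC REST API (added example, not the lab's script)."""
import json
from collections import Counter


def tenant_faults_url(apic, tenant):
    """Class query for faultInst records whose dn lies under the tenant subtree.

    Assumed syntax: query-target-filter=wcard(faultInst.dn,"uni/tn-<tenant>/").
    """
    return (f"https://{apic}/api/node/class/faultInst.json"
            f'?query-target-filter=wcard(faultInst.dn,"uni/tn-{tenant}/")')


def parse_faults(body):
    """Flatten the APIC envelope {"totalCount": ..., "imdata": [{"faultInst": {"attributes": {...}}}]}."""
    return [item["faultInst"]["attributes"]
            for item in json.loads(body)["imdata"] if "faultInst" in item]


def summarize(faults):
    """Count faults per severity and list unacknowledged faults at major or above."""
    counts = Counter(f["severity"] for f in faults)
    attention = [f for f in faults
                 if f["severity"] in ("critical", "major") and f.get("ack") != "yes"]
    return {"by_severity": dict(counts),
            "needs_attention": [(f["code"], f["dn"]) for f in attention]}


def fetch_faults(apic, user, password, tenant, verify=True):
    """Log in (aaaLogin) and run the query. Not executed here; needs 'requests' and a reachable APIC."""
    import requests
    session = requests.Session()
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    session.post(f"https://{apic}/api/aaaLogin.json", json=login, verify=verify).raise_for_status()
    resp = session.get(tenant_faults_url(apic, tenant), verify=verify)
    resp.raise_for_status()
    return parse_faults(resp.text)


# Constructed sample response in the APIC JSON shape; dns follow the lab's object names,
# the fault codes F9001-F9004 are invented for the example.
SAMPLE_BODY = json.dumps({
    "totalCount": "4",
    "imdata": [
        {"faultInst": {"attributes": {
            "code": "F9001", "severity": "major", "ack": "no", "lc": "raised",
            "dn": "uni/tn-ACILab/ap-3Tier_App/epg-Web_EPG/fault-F9001",
            "descr": "constructed sample: EPG configuration issue"}}},
        {"faultInst": {"attributes": {
            "code": "F9002", "severity": "major", "ack": "yes", "lc": "raised",
            "dn": "uni/tn-ACILab/BD-ACILab_BD3/fault-F9002",
            "descr": "constructed sample: already acknowledged by an operator"}}},
        {"faultInst": {"attributes": {
            "code": "F9003", "severity": "warning", "ack": "no", "lc": "soaking",
            "dn": "uni/tn-ACILab/brc-Web_Con/fault-F9003",
            "descr": "constructed sample: warning still in its soaking interval"}}},
        {"faultInst": {"attributes": {
            "code": "F9004", "severity": "cleared", "ack": "no", "lc": "retaining",
            "dn": "uni/tn-ACILab/ctx-ACILab_VRF/fault-F9004",
            "descr": "constructed sample: cleared fault kept for its retention period"}}},
    ],
})


if __name__ == "__main__":
    print(tenant_faults_url("192.168.1.11", "ACILab"))
    print(summarize(parse_faults(SAMPLE_BODY)))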
Events
The Application Policy Infrastructure Controller maintains a comprehensive, up-to-date run-time
representation of the administrative and operational state of the Application Centric Infrastructure
Fabric system in the form of a collection of managed objects (MOs). Any configuration or state change
in any MO is considered an event. Most events are part of the normal workflow and there is no need to
record their occurrence or to bring them to the attention of the user unless they meet one of the
following criteria:
• The event is an anomaly, such as a fault being raised
For example, to view the event log, health log, or audit log related to authentication, perform the
following task.
• Maximum Size — The maximum number of records to be maintained in the log. The range is
1000 to 500000 records; the default is 10,000 records.
• Purge Window Size — The maximum number of records to be deleted in a single sweep. Record
deletion is performed periodically (every 30 seconds) in batches. The maximum size of a batch
should be chosen to avoid spikes in I/O and CPU utilization. The range is 100 to 1000 records;
the default is 250 records.
On the right hand pane, you will see the settings that are configured. You can modify these and other settings
in this section.
Figure 175: API Inspector
• Click on the “welcome, admin” on the far right hand side of the GUI
• A drop-down menu will appear, please select “Show API Inspector”
Another pop-up window will appear that provides information on the objects of the ACI APIC.
You can filter what you want to view; if you would like to start clean, click on the “Clear” button. Once
the window is clear, you can execute an action in the GUI and the API Inspector will show the API call
that is executed. By default the API Inspector shows everything, and from there you can also run searches.
Using the Managed Object Browser
The Managed Object Browser, or Visore, is a utility built into the APIC that provides a graphical view of
the managed objects (MOs) using a browser. The Visore utility uses the APIC REST API query methods
to browse MOs active in the Application Centric Infrastructure Fabric, allowing you to see the query
that was used to obtain the information. The Visore utility cannot be used to perform configuration
operations.
Note - Only the Firefox, Chrome, and Safari browsers are supported for Visore access.
Accessing Visore
To access Visore, open another tab in your browser and enter the following link:
https://192.168.1.11/visore.html
Figure 177: Visore Access
A pop-up window will appear asking for login access. This is the same login as for the APIC, which should be:
Username: admin
Password: cisco123
the APIC object tree.
A window will appear that will display this object class for Tenant ACILab. The output is shown below.
Supplemental Lab 1: Deploying a Service Graph into the Application Network Profile
Overview
In this lab we will now focus on two (2) key features of the APIC solution. The first is the ability to seamlessly
insert services, such as firewalls, load-balancers, etc., into the application profile. With the open architecture of the
ACI solution, we can insert any vendor’s solution, such as Citrix, F5 and many others who want to integrate with
Cisco’s ACI architecture. The second key capability of ACI is the ability to script the creation of any of the objects
within the APIC. This allows orchestration tools to quickly deploy their solutions within minutes.
So in this lab, we will utilize a python script to remove the objects and then re-build the objects to
demonstrate how seamlessly and quickly the Application Network Profile (ANP) can be deployed. Afterwards, we
will utilize the python script to insert the ASAv firewall into the ACI fabric as a service graph.
Procedures
Prior to executing the script to remove the ACI objects, we will need to remove the EPG port groups from the
virtual machines and remove the hosts from the ACI DVS that was created in lab 5. Follow the procedures
below to complete this task.
Figure 181: Moving Web Server Port group to 3Tier-App
1. Make sure you are at the “Networking” view and then select the DVS “My-vCenter”
2. On the right pane, select the “Hosts” tab
3. We will remove both hosts, but for this example we will remove the server
192.168.1.102. Select this host and right-click to bring up the menu
4. When the menu appears, select “Remove from vSphere Distributed Switch”
5. A pop-up window will appear; click on “Yes” and the host will be removed from the
APIC DVS.
Figure 187: Completed Removal of both ESXi hosts from My-vCenter DVS
With the hosts removed from the APIC DVS, it is not necessary to remove the DVS. The script will remove
the VMM Domain, which will then remove the APIC DVS from the vCenter server.
Figure 188: Open Putty Session
The login credentials are: Userid: user01, Password: user01
The python script will step through multiple XML scripts to remove the objects. You can verify in the
APIC GUI that the objects, such as the “ACILab” tenant, the VMM Domain “My-vCenter” and
others, have been removed. Once this script has completed, you can also go to the vCenter server to see that the “My-
vCenter” DVS has been removed as well.
With the objects removed, we will now show how quickly and easily those objects can be built with the
python script, in seconds. Please execute the python script to create the objects that were created in labs 2
– 5.
The python script executed multiple XML scripts to build up the objects in the ACI fabric. You can go
through the GUI to validate the Contracts, Filters, Application Network Profiles and VMM Domain to
verify that they have been created. You can also check on the vCenter server that the VMM integration has
been associated with the EPGs.
Please note that this python script DOES NOT add the ESXi hosts to the APIC DVS and DOES NOT move
the virtual machines’ network adapter port group to the ACI EPG. That process still needs to be done.
So before moving to the next part of the lab, PLEASE GO THROUGH LAB 5-B AGAIN to add the ESXi
hosts to the APIC DVS. It is not necessary to go through Lab 5-C or 5-D to complete the rest of the
lab exercises.
Note: You will be walking through multiple steps in this python script utilizing XML scripts, while it
creates the objects. You can view the APIC GUI to check the objects after the XML script is executed.
Note: The python script will run through the various XML scripts to create the APIC objects for the
Service Graph. Follow through the script and after each object creation, a message will explain what
each XML script does.
Figure 190: L4-‐L7 Services Device Cluster
Browse through this window to take a look at the information provided about the device cluster
and other relevant information about the Cisco firewall.
Figure 191: Service Graph Topology View
1. Select “Tenants” on the top menu, then select the tenant “ACILab” in the sub-menu
2. Expand the “Tenant ACILab” on the left-hand pane
3. Expand the “L4-L7 Services” on the left-hand pane
4. Expand the “Deployed Graph Instances” on the left-hand pane
5. Then select the graph name “Web_Con-FWGraph-ACILab_VRF”
Notice that “Input1” and “Output1” are linked to the Cisco Firewall named “FWNode”. This shows
how the firewall service is seen.
Figure 192: Service Graph Binding to Contract
The “Service Graph” option at the bottom of the window shows that this contract is bound to
“ACILab/FWGraph”.
Figure 193: Login to ASA
The login information for the ASA is IP Address: 192.168.1.103 and “admin/cisco123”. Click “OK” after
you have entered the credentials.
Note: A couple of messages will appear after you log into the ASDM. The first will ask about trusting the
publisher. Please click on the check box “Always trust content from the publisher” and click on “Yes”.
A second window will appear about the ASA license state. Click on the check box “Do not show this
message again” and click on “OK” to continue.
Note that the two interfaces for the ASA have been configured by the APIC with the node name and the
physical and logical interface names provided in the python script that was executed.
You can now browse both the APIC GUI and the ASDM-IDM GUI to see what has been configured.
Since the ASAv is a virtual machine on our ESXi server, the service graph also creates the necessary “Port
groups” for the virtual interfaces that were configured in the service graph. Follow the screenshots to view
this integration.
Verifying on vCenter:
Figure 196: vCenter Integration with ASAv Service Graph
• In the Networking view, expand the “My-vCenter” DVS
• Notice the 2 additional port groups that were created by the Service Graph in the lab
With these port groups added, ACI integration with the service graph also binds these port groups to
the appropriate network adapters of the ASAv virtual machine. To verify this association, go to the
ASAv VM to validate the port group.
1. In the “Hosts and Clusters” view, select the “ASAv_01” VM and right-click
2. Select “Edit Settings”
Figure 198: ASAv Network Adapter Port group
• Notice that “Network adapter 2” and “Network adapter 3” have port groups
associated from the ACILab
• Select one of these adapters (in this example Network adapter 2) and notice
that it uses the “internal” port group, which correlates to Gig0/0 on the ASAv
Summary
Cisco’s ACI solution provides a very powerful tool to insert any service that has an open API to
communicate with the APIC. With the ease of scripting, deployment of any object within the APIC can
now be done in minutes or possibly seconds, reducing the amount of time needed to deploy your
application network.