Introductory - How To Perform Common Tasks in ACI PDF

Performing Common Tasks in ACI
BRKACI-1789
Adam Raffe
Solution Architect, Cisco Services
@adamraffe
conf t
BRKACI-1789 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
no shutdown vpc domain 5
ip address 10.1.1.1/24
conf t
interface e1/10 vrf context prod
channel-group 400 mode active
feature lldp router ospf 30

“ There’s a way to do it better– find it.
”
-- Thomas Edison
5
BRKACI-1789 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
In ACI, we do things differently...
Tenant
App Interface Filter
Profile Profile
Physical Switch Bridge

Domain Profile Domain VLAN Pool
L2
Private Outside
Network Contract
EPG Attachable
Entity
L3 Profile
Outside
Interface Filter
Selector
Subnet VMM
Domain
Agenda
ACI Technology Recap APIC GUI Familiarity Common Tasks
A Quick Recap on ACI
Nexus 9000 + APIC = ACI
APIC
APIC
APIC
ACI uses a policy based approach
that focuses on the application.
QoS QoS QoS
Filter Service Filter
Web App DB
External
Network
Web Tier App Tier DB Tier
EP1 EP2 EP1 EP2 EP1 EP2
Web Tier App Tier DB Tier
First, we need a way to identify and group together end points.
EPG “Web” EPG “App” EPG “DB”
In the ACI model, we do this using the End Point Group (EPG).
Once we have our EPGs defined, we need to create policies to
determine how they communicate with each other.
A contract typically refers to one or more ‘filters’ to define
specific protocols & ports allowed between EPGs.
Filters
TCP: 80
TCP: 443
A collection of EPGs and the policies that define how they
communicate form an Application Profile.
Pepsi-Tenant Coke-Tenant
A Tenant is a container for all

network, security,
troubleshooting and L4 – 7
service policies.
Tenant resources are isolated

from each other, allowing
management by different
administrators.
Private Network 1 Private Network 1

Private networks (also called
contexts) are defined within a
tenant to allow isolated and
potentially overlapping IP
Private Network 2 Private Network 2
address space.
Private Network 1 Private Network 1 Within a private network, one

or more bridge domains must
Bridge Domain 1 Bridge Domain 1
be defined.
A bridge domain is a L2
Private Network 2 Private Network 2 forwarding construct within the
fabric, used to constrain
broadcast and multicast traffic.
Getting Familiar With The APIC GUI
After logging in to the APIC, you’ll
see the initial ‘Dashboard’ screen.
The APIC dashboard provides you with an ‘at-a-glance’ view of the system
health and fault counts.
‘System Health’ shows you a view of the
overall health of the ACI system (all nodes, tenants, etc).
The lower half of the screen shows node and tenant health.
Move these sliders down
to show only nodes /
tenants with lower health.
The lower half of the screen shows node and tenant health.
On the right, you’ll see the fault
counts by domain
(e.g. access, tenant, security)…
…type
(config, environmental, etc)…
…and APIC cluster health.
At the top of the screen, the menu bar is used to
switch between the main configuration tabs.
Some tabs contain ‘sub-menus’ with further
configuration items.
Most screens within the APIC are built upon a
“navigation” pane and a “work” pane.
The navigation pane is on the left
hand side and allows navigation to all
configuration elements on a tab.
The work pane
displays
information
about the
component
selected in the
navigation pane.
What is under the ‘Tenants’ tab?
Application Profiles /
EPGs
Tenant Networking
(BDs, private networks,
external networking)
Security policies
(contracts & filters)
- Fabric topology info
- Physical node info (modules,
interfaces, IP addressing)
Policies relating to the fabric itself –
IS-IS, BGP, COOP, etc
Connectivity into the fabric – e.g.
interfaces, VLANs, CDP, LLDP, etc
Integration with server virtualisation systems
(vSphere, Hyper-V, etc)
L4-7 Device Package AAA, Firmware
Management Management,SNMP,
Syslog, etc
Choose Show API Inspector
from the “Welcome” menu.
The APIC has an “API

Inspector” – this allows you to
view the internal API calls
happening within the APIC.
It’s also possible to ‘save’
the XML of certain
objects (e.g. right click on
a tenant object and
select Save as…
Common
Tasks
Tenant ‘CiscoLive’
Network: CiscoLiveNet
Before we start, define
Bridge Domain: CiscoLiveBD your tenant, network and
bridge domain.
Spine-103 Spine-104
Leaf-101 Leaf-102
E1/1
VLAN 600
How do I do this in ACI?
The NX-OS way…
interface Ethernet1/1
switchport mode access
switchport access vlan 10
no shutdown
First, we need to define a VLAN pool.
VLAN
Pool
A VLAN pool is simply a range of

VLAN VLANs that could be applied to a
Pool
switch or interface.
VLAN
Pool
‘static’
‘dynamic’
Start by clicking on
Fabric | Access Policies
Create the pool using the

range you need.
Next, configure a Physical Domain.
VLAN Physical
Pool Domain
VLAN Physical
Pool Domain
A domain defines the ‘scope’ of

your VLANs – i.e. physical,
virtual, external, etc.
Your domain should reference the

VLAN Physical
Pool Domain VLAN pool configured earlier.
What next?
Introducing the Attachable Access Entity Profile!
VLAN Physical
AAEP
Pool Domain
What next?
Introducing the Attachable Access Entity Profile!
The AAEP groups together
VLAN Physical
Pool Domain
AAEP domains – e.g. physical,
virtual, external.
Now we need to start defining interface properties.
We do this using the Interface Policy Group.
Interface
VLAN Physical
AAEP Policy
Pool Domain
Group
Think of an interface policy group like a

port-profile in NX-OS. It’s used to control
various interface parameters.
Interface
VLAN Physical
AAEP Policy
Pool Domain
Group
LLDP
CDP
LACP
Storm
Control
Interface
VLAN Physical
AAEP Policy
Pool Domain
Group
LLDP
CDP
LACP
Storm
Control
Interface
VLAN Physical
AAEP Policy
Pool Domain
Group
The last steps are to apply these policies
to interfaces and switching nodes.
Interface
VLAN Physical
AAEP Policy
Pool Domain
Group
LLDP
CDP
LACP
Storm
Control
First, use an Interface Profile to select
the interfaces to apply to.
Interface Interface
VLAN Physical
AAEP Policy Profile /
Pool Domain
Group Selector
LLDP
CDP
LACP
Storm
Control
First, use an Interface Profile to select
the interfaces to apply to.
Interface Interface
VLAN Physical
Pool Domain
Group Selector
Finally, the Switch Profile specifies which
switching nodes to apply policy to.
Interface Interface
VLAN Physical Switch
Pool Domain Profile
Group Selector
LLDP
CDP
LACP
Storm
Control
Interface Interface
Pool Domain Profile
Group Selector
Interface Interface
Pool Domain Profile
Group Selector
You can use the Quick Start wizard to
simplify this process.
Interface Interface
Pool Domain Profile
Group Selector
LLDP
CDP
LACP
Storm
Control
What have we actually achieved here?
Spine-103 Spine-104
At this point, we have

Leaf-101
E1/1
Leaf-102 provisioned a VLAN pool
on node 101.
VLAN 600
We now switch to our tenant.
Create an
Application Profile.
Create an EPG.
The VLAN must be within the range
specified in your static pool earlier.
Spine-103 Spine-104
Leaf-101 Leaf-102
How do I create a vPC
vPC
pair in ACI?
The NX-OS way…
vpc domain 10
role priority 1
system-priority 1
peer-keepalive destination 10.1.1.1
Spine-103 Spine-104
Leaf-101 Leaf-102
No peer link in ACI vPC!
vPC
Verify vPC…
Now let’s create a vPC to the host…
Leaf-101 Leaf-102
vPC
Now let’s create a vPC to the host…
Spine-103 Spine-104
How do I attach a FEX to

Leaf-101 Leaf-102
an ACI fabric?
FEX-101
Verify FEX Connectivity
Verify FEX Connectivity
APIC
Spine-103 Spine-104
Configuring
Leaf-101 Leaf-102
Hypervisor Integration
ESXi Host
Hoes does this work?
APIC
Create
Application
Profile
Web
App
DB
Hoes does this work?
APIC
Create
Application Port Groups
Profile
Web Web
App App
DB DB
For this to work, two things must happen…
APIC vCenter
1) The APIC must communicate with vCenter

and an ‘APIC controlled’ DVS created.
Leaf
CDP / LLDP
ESXi Host
2) The leaf node must ‘discover’ the host

using CDP or LLDP.
First, create a dynamic VLAN pool.
Create the vCenter domain:
Verify VM Integration…
CL-VMM
Create AAEPs, Interface Policies, etc
for your hosts.
Spine-103 Spine-104
Interface Interface
Leaf-101 Leaf-102
Group Selector
ESXi Host
Our AAEP references a virtual domain.
AAEP
Make sure the host
can see the leaf node
via CDP / LLDP.
CL-VMM
Now add the

VMM domain to
your EPG…
A new port group has been created.
VLAN 209 has been allocated from our ‘dynamic’ pool.
How do I configure communication
between two EPGs?
EPG “Web” EPG “App”
EP1 EP2 EP1 EP2
EP3 EP4 EP3 EP4
We’ll start with two EPGs.
Create a filter and filter entry for the
protocol you want to allow.
Create a contract and reference the
filter you just created.
Now, provide the contract from one EPG
and consume from the other.
The final result
ACI Toolkit
108
The ACI toolkit is a Cisco Python project to simplify the ACI object model.
https://github.com/datacenter/acitoolkit
It also provides an application that provides NX-OS style CLI for certain tasks.
Cisco ACI Toolkit Command Shell
Copyright (c) 2014, Cisco Systems, Inc. All rights reserved.
fabric# switchto CL-Tenant
fabric-CL-Tenant# conf t
fabric-CL-Tenant(config)# bridgedomain CL-BD
Executing create bridgedomain command
fabric-CL-Tenant(config-bd)# ip address 50.50.50.50/24
Executing create subnet command
fabric-CL-Tenant(config-bd)# exit
fabric-CL-Tenant(config)# app CL-App
Executing create app command
fabric-CL-Tenant(config-app)# epg CL-EPG
Executing create epg command
In Summary…
Tenant
App Interface Filter
Profile Profile
Physical Switch Bridge

Domain Profile Domain VLAN Pool
Understand the basicsL2 of the ACI policy model.

Outside
Private
Network Contract
EPG Attachable
Entity
L3 Profile
Outside
Interface Filter
Selector
Subnet VMM
Domain
114
Use the API inspector and “Save As..” features
to help understand the API.
Complete Your Online Session Evaluation
• Please complete your online session
evaluations after each session.
Complete 4 session evaluations
& the Overall Conference Evaluation
(available from Thursday)
to receive your Cisco Live T-shirt.
• All surveys can be completed via

the Cisco Live Mobile App or the
Communication Stations
Call to Action
• Visit the World of Solutions for
– Walk in Labs
– Technical Solution Clinics
• Meet the Engineer
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this
session, please visit www.pearson-books.com/CLMilan2015
• My blog: www.adamraffe.com

Introductory - How To Perform Common Tasks in ACI PDF

Uploaded by

Copyright:

Available Formats

Introductory - How To Perform Common Tasks in ACI PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introductory - How To Perform Common Tasks in ACI PDF

Uploaded by

Copyright:

Available Formats

Performing Common Tasks in ACI

channel-group 400 mode active

feature lldp router ospf 30

Physical Switch Bridge

ACI Technology Recap APIC GUI Familiarity Common Tasks

Filter Service Filter

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

First, we need a way to identify and group together end points.

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

EPG “Web” EPG “App” EPG “DB”

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

EPG “Web” EPG “App” EPG “DB”

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

EPG “Web” EPG “App” EPG “DB”

EP1 EP2 EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4 EP3 EP4

A Tenant is a container for all

Tenant resources are isolated

Private Network 1 Private Network 1

Private Network 1 Private Network 1 Within a private network, one

…and APIC cluster health.

The APIC has an “API

How do I do this in ACI?

A VLAN pool is simply a range of

Create the pool using the

A domain defines the ‘scope’ of

Your domain should reference the

Think of an interface policy group like a

What have we actually achieved here?

At this point, we have

How do I attach a FEX to

1) The APIC must communicate with vCenter

2) The leaf node must ‘discover’ the host

Now add the

EPG “Web” EPG “App”

EP1 EP2 EP1 EP2

EP3 EP4 EP3 EP4

Physical Switch Bridge

Understand the basicsL2 of the ACI policy model.

• All surveys can be completed via

You might also like