nexus 9000 aci boot camp lab guide v 1.19

Upload: s0rkx

Post on 09-Oct-2015


Nexus 9000 ACI Boot Camp Lab Guide

Table of Contents

Lab Overview
  Virtual Lab Topology
  Virtual Lab Access
Lab 1: Fabric Discovery
  Overview
  Procedures
    System Login
    Register Nexus 9000 Switches to APIC
    Register Leaf1 Switch to APIC
    Register Spine1 and Spine2 Switches to APIC
    Register Leaf2 Switch to APIC
    Fabric View of Discovered Nexus 9000 Switches
    Familiarizing Fabric Switches
    Familiarizing Fabric Controllers
  Summary
Lab 2: Building Basic Network Constructs
  Overview
  Procedures
    Building a Tenant
    Building a Private Layer 3 Network
    Building a Bridge Domain
  Summary
Lab 3: Building Policy Filters and Contracts
  Overview
  Procedures
    Creating Filters
    Creating Contracts
  Summary
Lab 4: Deploying a 3-Tier Application Network Profile
  Overview
  Procedures
    Creating Application Profile
  Summary
Lab 5: Integrating with VMware
  Lab 5-A: Registering VMM Domain
    Overview
    VMware vCenter Server Topology
    Procedures
      Register APIC to VMware vCenter (Create VMM Domain)
      Create vCenter Domain
      Create VLAN Pool
      Create vCenter Credentials
      Create vCenter Server Object
      Verifying APIC Connection to vCenter Server
    Summary
  Lab 5-B: Adding ESXi Hosts to APIC DVS
    Overview
    Procedures
      Add ESXi Hosts to APIC DVS
    Summary
  Lab 5-C: Associating EPG to vCenter Domain
    Overview
    Procedures
      Associating vCenter Domain to Application Server EPG
      Associating vCenter Domain to Database Server EPG
      Associating vCenter Domain to Web Server EPG
    Summary
  Lab 5-D: Associating VM to EPG Port-Groups
    Overview
    Procedures
      Map VMs to EPG Port-Groups
      Edit Web-Server Settings
      Edit App-Server Settings
      Edit DB-Server Settings
    Summary
Lab 6: Deploying a Service Graph into the Application Network Profile
  Overview
  Procedures
    vCenter ACI Removal
    Automation Through Python Scripting
    Removing ACI Objects Created from Labs 2 - 5
    Deploying Service Graph through Northbound API
    View Service Graph
    Verify on ASA ASDM GUI
    Verifying on vCenter
  Summary
Lab 7: Layer 3 External
  Configure Fabric Pod Policy
    Configure BGP Route Reflectors
    Configure Fabric Group Policies
  Configure Routed L3 External Network
    Create External Routed Network
    Create External Node Profile
    Create OSPF Interface Profile
    Configure Provider/Consumer for L3-Out-EPG
    Set Default OSPF Settings for Private Network
    Associate the L3 Outside Network to a Bridge Domain
  Summary
Lab 8: Exploring Monitoring and Troubleshooting
  Viewing Faults Using the GUI
    Procedure
    Events
  Viewing Events Using the GUI
  Log Retention Policies
  Configuring Log Retention Policies in the GUI
  Using the API Inspector
    Capturing an API Interchange for Inspection
  Using the Managed Object Browser
    Accessing Visore
    Running a Query in Visore

Lab Overview

The Cisco Nexus 9000 platform has two modes of operation. In the first mode, the Nexus 9000 utilizes an enhanced version of the NX-OS operating system to provide a traditional switching model with advanced automation and programmability capabilities.

In the second mode, ACI mode, the Nexus 9000 provides an application-centric representation of the network as a whole, utilizing advanced features and profile-based deployment to abstract the complexity of the underlying network while improving application visibility and business agility through DevOps methodologies. These labs will focus on ACI mode.

Virtual Lab Topology

The following is the virtual pod topology, which consists of the following virtual machines:

- vCenter Server (also used as the RDP jump box)
- ACI Simulator
  o APIC1, APIC2 and APIC3
  o Leaf1 and Leaf2
  o Spine1 and Spine2
- ESXi-1
- ESXi-2
- Linux

Figure 1: Virtual Lab Topology

Virtual Lab Access

The virtual lab provides the user with a Windows 2008 Server jumpbox to access their virtual pod. This server is also used as the VMware vCenter Server, as shown in the virtual lab topology above. All of the lab exercises will be completed within this jumpbox and do not require any other resources. Please ask your instructor how to access your pod jumpbox.

    Lab 1: Fabric Discovery

Overview: In this lab section, we will register the switches to the primary APIC controller (APIC1), which will then discover the rest of the fabric. This lab will walk you through this process and then familiarize you with the fabric topology portion of the APIC GUI. The following tasks will be completed:

- System Login
- Register Nexus 9000 switches to APIC Controller
- Familiarization of Fabric Topology

    Procedures:

System Login: Open the Chrome browser on your desktop. The webpage should default to the IP address of the APIC1 controller, which is https://192.168.1.11. If it does not, please enter that address into the browser or ask your instructor for assistance.

The APIC GUI login prompt will appear. Please type in admin for the User ID and cisco123 for the password.

    Figure 2: Application Policy Infrastructure Controller (APIC) Login screen

    Once you are logged in, you are presented with the Dashboard. You are logged in with global administrative rights and your view includes all system components.

Figure 3: APIC GUI Dashboard View

Register Nexus 9000 Switches to APIC: The top menu bar is broken down into several logical sections; the Fabric view is where you will register the switches to the APIC. Follow the steps in the figure below.

    Figure 4: APIC Fabric Section View

Note: Whenever you click on one of the top menu entries, the sub-menu entry whose text is white is the view you are currently in. The other entries of that sub-menu, shown in grey, are not in view but can be selected. For example, when you click on the top menu entry Fabric, the default view is set to INVENTORY (highlighted by the yellow box) while the other entries are in grey.

1. Click on Fabric to get to the Fabric view.

2. Click on the + next to Fabric Membership to expand the view, and you will notice the TEP-1-101 switch entry. This is a simulated serial number of a Nexus 9000 switch. It is the leaf switch that APIC1 is connected to, which has not yet been registered.

    Register Leaf1 Switch to APIC: We will now register the Leaf1 switch to the APIC. Follow the figures below to complete this task.

    Figure 5: Registering First Switch to the APIC

    1. Select Fabric Membership by clicking on that entry. Once you do, the view on the right-hand side will show a switch with serial number TEP-1-101 and ID of 0. Take notice that its role is leaf.

    2. We will now need to register this leaf switch. To do so, double-click on the row TEP-1-101.

    Figure 6: Registering Leaf Switch TEP-1-101

1. In the ID box, type in 101. The Node IDs for the switches start at 101, as 1-100 are reserved for other purposes.

2. In the SWITCH NAME box, type in Leaf1. You can technically provide any name for this switch, but for this lab please type in Leaf1. There is another box under RACK, but we will skip entering anything into this box for this lab.

3. Once the ID and switch name are provided, click on UPDATE.

4. A pop-up window will appear stating SUCCESS. Please click on OK.

    Note: When the switch is registered, you will notice that an IP Address is assigned with a /32. This IP Address is used for the VXLAN tunnel IP for the fabric on this switch.

Register Spine1 and Spine2 Switches to APIC: With the first fabric switch registered, APIC1 will now start discovering the fabric along with the other controllers it can see. Please wait 30-60 seconds for the APIC GUI to see the other switches in the fabric. You should see 2 additional switches appear in the Fabric Membership view. When you do, please register those switches as well. To do so, follow the figures below to complete the task.

    Figure 7: Discovery of Spine Switches

Note: The fabric has discovered 2 additional switches with serial numbers TEP-1-103 and TEP-1-104. Notice under ROLE that these are spine switches, with their Node ID set to 0. We will use TEP-1-103 as our Spine1 and TEP-1-104 as our Spine2. For some pods, TEP-1-104 may be the first one discovered, and other pods will have TEP-1-103 discovered first. It is irrelevant which switch gets discovered first.

    Figure 8: Registering Spine Switch TEP-1-103

1. In the ID box, type in 103.

2. In the SWITCH NAME box, type in Spine1. You can technically provide any name for this switch, but for this lab please type in Spine1. There is another box under RACK, but we will skip entering anything into this box for this lab.

3. Once the ID and switch name are provided, click on UPDATE.

4. A pop-up window will appear stating SUCCESS. Please click on OK.

    Figure 9: Registering Spine Switch TEP-1-104

1. In the ID box, type in 104.

2. In the SWITCH NAME box, type in Spine2. You can technically provide any name for this switch, but for this lab please type in Spine2. There is another box under RACK, but we will skip entering anything into this box for this lab.

3. Once the ID and switch name are provided, click on UPDATE.

4. A pop-up window will appear stating SUCCESS. Please click on OK.

  • Register Leaf2 Switch to APIC: With the spines now discovered, please wait an additional 30-60 seconds for the fabric to discover our second leaf switch. Follow the figures below to complete the registration of the last switch in the fabric.

    Figure 10: Registering Leaf Switch TEP-1-102

1. In the ID box, type in 102.

2. In the SWITCH NAME box, type in Leaf2. You can technically provide any name for this switch, but for this lab please type in Leaf2. There is another box under RACK, but we will skip entering anything into this box for this lab.

3. Once the ID and switch name are provided, click on UPDATE.

4. A pop-up window will appear stating SUCCESS. Please click on OK.

    Fabric View of Discovered Nexus 9000 Switches: With all the switches now discovered in the fabric, you should see the following window shown in figure 11.

    Figure 11: Fabric Discovery Completion View

Note: With the Fabric Membership view still selected, you should notice in the right-hand window a view of all of the switches that have been registered. Take note that each of the registered switches has an IP address shown. Also, in the left-hand window, you should see all of the switches shown under the Pod 1 expanded view. If you do not see this view, it could be that the fabric is still in the discovery and refresh process.

    Familiarizing Fabric Switches: With the fabric discovered, you can now familiarize yourself with the physical switches in the environment. Follow the steps on the figure below to get a view of the switch Leaf1.

    Figure 12: Familiarizing Leaf1 Switch

1. On the left-hand panel, expand the Pod1 entry by clicking on the +.
2. Now select the switch Leaf1 (Node-101).
3. On the right-hand panel, click on the TOPOLOGY tab.
4. On the Nexus 9396, click on both of the green ports and the APICs will appear.

    Note: Here you will see the physical ports of the leaf switch Leaf1. You will notice that it shows the 2 APIC controllers APIC1 and APIC2 connected to the interfaces on this switch.

    You can move around the rest of this section of the FABRIC view to look at the other switches.

    With the physical fabric fully discovered, to get a topology overview of the environment (Pod 1), follow the steps in the figure below to see this view.

    Figure 13: Pod 1 Topology View

1. In the left-hand window, select Pod 1.
2. In the right-hand window, click on the TOPOLOGY tab.

    Note: The topology should show 3 APIC nodes, where APIC1 and APIC2 are connected to Leaf1 and APIC3 is connected to Leaf2. Then there should also be connections from Leaf1 to both Spine1 and Spine2 and connections from Leaf2 to Spine1 and Spine2. If you do not see lines as shown in figure 13, please wait up to 5 minutes as it varies between pods for the environment to build out the connections.

Familiarizing Fabric Controllers: From the previous view, we see three (3) controllers in our fabric. To get information about those controllers, follow the figures below to familiarize yourself with managing these controllers.

    Figure 14: Familiarizing Fabric Controllers

1. On the top menu, select SYSTEM.
2. Then on the sub-menu, click on CONTROLLERS.
3. Expand the Controllers view on the left-hand side by clicking the + sign.
4. Select apic1 (Node-1) to view information about the controller.

    Summary: Lab 1 is designed to familiarize you with the startup process of discovering the fabric and viewing each of the physical components of the fabric. This lab also allows you to get familiar with navigating through the Fabric view of the APIC GUI. This is the first critical step in building up the ACI environment and will be the baseline infrastructure to build up your application network.
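The same registration can be driven through the APIC REST API instead of the Fabric Membership dialog. The following is an added example, not code from the lab guide or from Cisco: it uses the APIC's aaaLogin and fabricNodeIdentP objects, the lab's APIC address, credentials, serial numbers and node IDs, and a constructed expected-inventory table. The allow-list check (only serials you expect get a node ID) and the unknown serial TEP-9-999 are the example's own additions; the GUI procedure above has no such check, so an operator is the only thing standing between a newly seen serial and a registered fabric node.

```python
"""Register discovered fabric switches to an APIC through its REST API.

Added example for the Lab 1 registration steps; not code from the lab guide
or from Cisco. It performs the same Fabric Membership action as the GUI
(serial -> node ID -> switch name) with the APIC's aaaLogin and
fabricNodeIdentP objects, and adds one check the GUI leaves to the operator:
only serials on an expected-inventory list are registered, so a switch that
merely appears in Fabric Membership is never admitted by accident.
"""
import json
import ssl
import urllib.request

APIC_URL = "https://192.168.1.11"   # APIC1 of the lab pod, from the guide
NODE_ID_MIN = 101                   # node IDs 1-100 are reserved (Lab 1, step 1)

# Constructed expected-inventory table: serial -> (node ID, switch name).
# The values are the ones the lab has you type into the GUI.
EXPECTED_NODES = {
    "TEP-1-101": (101, "Leaf1"),
    "TEP-1-102": (102, "Leaf2"),
    "TEP-1-103": (103, "Spine1"),
    "TEP-1-104": (104, "Spine2"),
}


def build_node_registration(serial, node_id, name):
    """Return the fabricNodeIdentP object that registers one switch."""
    if node_id < NODE_ID_MIN:
        raise ValueError(f"node ID {node_id} is reserved; use {NODE_ID_MIN} or higher")
    return {
        "fabricNodeIdentP": {
            "attributes": {
                "dn": f"uni/controller/nodeidentpol/nodep-{serial}",
                "serial": serial,
                "nodeId": str(node_id),
                "name": name,
            }
        }
    }


def registrations_for(discovered, expected=EXPECTED_NODES):
    """Build registrations for the discovered serials found in the expected table.

    Returns (payloads, rejected); unknown serials are reported, never registered.
    """
    payloads, rejected = [], []
    for serial in discovered:
        if serial in expected:
            node_id, name = expected[serial]
            payloads.append(build_node_registration(serial, node_id, name))
        else:
            rejected.append(serial)
    return payloads, rejected


def make_opener(cafile=None, lab_skip_verify=False):
    """HTTPS opener. Supply the APIC's CA certificate via cafile; lab_skip_verify
    exists only for the closed lab pod, whose simulator has a self-signed cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    if lab_skip_verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def apic_login(opener, user, password):
    """Authenticate with aaaLogin and return the session token."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"{APIC_URL}/api/aaaLogin.json", data=body, method="POST")
    with opener.open(req) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(opener, token, path, payload):
    """POST one managed object; the token travels in the APIC-cookie cookie."""
    req = urllib.request.Request(f"{APIC_URL}{path}", data=json.dumps(payload).encode(),
                                 method="POST", headers={"Cookie": f"APIC-cookie={token}"})
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Serials as they would appear in Fabric Membership; the last one is a
    # constructed unknown device, included to show the allow-list rejecting it.
    seen = ["TEP-1-101", "TEP-1-103", "TEP-1-104", "TEP-1-102", "TEP-9-999"]
    payloads, rejected = registrations_for(seen)
    opener = make_opener(lab_skip_verify=True)
    token = apic_login(opener, "admin", "cisco123")
    for p in payloads:
        attrs = p["fabricNodeIdentP"]["attributes"]
        status = apic_post(opener, token, "/api/mo/uni/controller/nodeidentpol.json", p)
        print(f"registered {attrs['name']} (node {attrs['nodeId']}): HTTP {status}")
    if rejected:
        print("not registered, serial not in expected inventory:", rejected)
```

Run it from the jumpbox after APIC1 has discovered the switches; the payload builders need no network and can be unit-tested on their own, which is where the reserved-ID and unknown-serial checks are exercised.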

  • Lab 2: Building Basic Network Constructs

Overview: In this lab we explore the tenancy capabilities of the ACI system. ACI is designed to scale from smaller commercial environments, which may use a single tenant, to large cloud providers, with support for 64,000 tenants and above.

    Figure 15: Tenant Tree View

The following tasks will be completed:

- Building a Tenant
- Building a Private Layer 3 Network
- Building a Bridge Domain

    Procedures:

Building a Tenant:

1. If you are not currently logged into the APIC GUI, please follow the steps in the Lab 1 System Login section before proceeding. We will use the wizard to create the tenant. Follow the figure below to add a tenant.

    Figure 16: Adding a Tenant

1. From the top menu, select TENANTS.
2. On the sub-menu, click on ADD TENANT, which is shown in the orange box.
3. A pop-up window will appear to go through the process of adding a tenant.

    Figure 17: Create Tenant Wizard

1. In the Name window, type in ACILab.
2. In the Security Domain: box section, select the check boxes next to all and mgmt.
3. Click on NEXT to continue.

Building a Private Layer 3 Network: The next window will appear to add a network. This is where we will create a private layer 3 network.

    Figure 18: Add a Private Layer 3 Network

1. Leave the check box Take me to the tenant when I click finish at its default.
2. Click on the green + to add a network.
3. Another pop-up window will appear to create the network, which will be the VRF.

    Figure 19: Creating Network VRF

1. In the Name window, type in ACILab_VRF.
2. Verify that the Create A Bridge Domain check box is checked.
3. Leave everything else default or blank and click on NEXT to continue.

Building a Bridge Domain: The next window will create the Bridge Domain for this private L3 network.

    Figure 20: Creating a Bridge Domain

    1. In the Name window, type in ACILab_BD1

2. Leave the other options blank and, in the Subnets: window, click on the + to add a gateway and mask. Please type in 10.10.10.1 for the Gateway and 255.255.255.0 for the Mask. After you type in the subnet mask, the Gateway window will add the netmask to the screen box.

    3. Once the information is added, click on UPDATE

    Figure 21: Completing the Creation of the Bridge Domain

1. Once UPDATE has been clicked, the OK button will become active. Please click on the OK button to complete this task.

    Figure 22: Adding a Second Bridge Domain

1. Click on the green + button to create another Bridge Domain.

    Figure 23: Adding Another Bridge Domain

1. In the Name window, type in ACILab_BD2.
2. Click on Next.

    Figure 24: Adding Subnet in Bridge Domain

1. Click on the + to add a subnet and, in the Subnets: window, add a gateway and mask. Please type in 20.20.20.1 for the Gateway and 255.255.255.0 for the Mask. After you type in the subnet mask, the Gateway window will add the netmask to the screen box.

    2. Click on UPDATE

    Figure 25: Completing the Addition of the Bridge Domain

1. Click OK to complete the task.

    Figure 26: Completion of Creating a Tenant

    1. Click on FINISH to complete this task of creating the Tenant

    Figure 27: View of the ACILab Tenant

Note: The GUI will take you to the new tenant ACILab. You can look around at the different windows of this tenant.

Summary: You have now successfully created a tenant with a basic network VRF and a couple of bridge domains. The ACI system provides full configurability for multiple tenants. Depending on the chosen deployment model, this allows users to segregate management, administration, troubleshooting and the underlying network infrastructure.

  • Lab 3: Building Policy Filters and Contracts

Overview: To build the foundation of the application profile, it is necessary to create filters within our tenant that will be utilized by the contracts. Those contracts will then be associated with the EPGs that make up our 3-Tier application profile. The following tasks will be completed in this section of the lab:

- Creating Filters
- Creating Contracts

    Procedures:

Creating Filters:

Note: PLEASE MAKE SURE THAT YOU ARE ON THE ACILab TENANT BEFORE CREATING FILTERS AND CONTRACTS.

Create Web Filter: In this portion of the lab, we will first create a Web Server filter.

    Figure 28: Creating Web Server Filter

1. In the ACILab tenant, expand the Security Policies window on the left-hand panel.
2. Select the Filters section.
3. On the right-hand panel, click on the ACTIONS button.
4. Select Create Filter.

    Figure 29: Define Web Server Filter Information

1. In the Name window, type in Web_Filter.

2. In the Entries: window, click on the + and a new entry window will appear. Please provide the following information under each window:

   Name: web_filter
   EtherType: IP
   ARP Flag: (leave blank)
   IP Protocol: tcp
   Source Port/Range (From): Unspecified
   Source Port/Range (To): Unspecified
   Destination Port/Range (From): http
   Destination Port/Range (To): http
   TCP Session Rules: Unspecified

3. Click on UPDATE.

    Figure 30: Completing Creation of Web Server Filter

  • 1. Once the UPDATE button is clicked, the SUBMIT button will be active. Please click on SUBMIT to create the web filter.

Create App Filter: We will now create an Application Server filter.

    Figure 31: Creating Application Server Filter

1. Click on the ACTIONS button.
2. Select Create Filter.

    Figure 32: Define Application Server Filter Information

1. In the Name window, type in App_Filter.

2. In the Entries: window, click on the + and a new entry window will appear. Please provide the following information under each window:

   Name: app_filter
   EtherType: IP
   ARP Flag: (leave blank)
   IP Protocol: tcp
   Source Port/Range (From): Unspecified
   Source Port/Range (To): Unspecified
   Destination Port/Range (From): 1433
   Destination Port/Range (To): 1433
   TCP Session Rules: Unspecified

Note: When entering 1433 into the Destination Port/Range (From) and Destination Port/Range (To) windows, make sure that you do not hit the Tab key after typing 1433. If you do, the window may choose https or another entry from the options. So after you enter 1433, make sure that the window still shows 1433.

3. Click on UPDATE.

    Figure 33: Completing Creation of Application Server Filter

1. Once the UPDATE button is clicked, the SUBMIT button will be active. Please click on SUBMIT to create the application server filter.

Create DB Filter: We will now create a Database Server filter.

    Figure 34: Creating Database Server Filter

    1. Click on the ACTIONS button
    2. Select Create Filter

    Figure 35: Define Database Server Filter Information

    1. In the Name window, type in DB_Filter
    2. In the Entries: window, click on the + and a new entry window will appear.

    Please provide the following information under each window:
    Name: db_filter
    EtherType: IP
    ARP Flag: (leave blank)
    IP Protocol: tcp
    Source Port/Range (From): Unspecified
    Source Port/Range (To): Unspecified
    Destination Port/Range (From): 1521
    Destination Port/Range (To): 1521
    TCP Session Rules: Unspecified

    3. Click on UPDATE

    Figure 36: Completing Creation of Database Server Filter

    1. Once the UPDATE button is clicked, the SUBMIT button will be active. Please click on SUBMIT to create the database filter.

    Figure 37: View of Created Filters

    Creating Contracts

    Create Web Contract

    Now with the filters created, we will first create a Web Server Contract.

    Figure 38: Creating a Web Server Contract

    1. In the ACILab tenant, expand the Security Policies window on the left-hand panel
    2. Select the Contracts section
    3. On the right-hand panel, click on the ACTIONS button
    4. Select Create Contract

    Figure 39: Providing Web Server Contract Information

    1. In the Name window, type in Web_Con
    2. Leave the other boxes at their defaults and click on the + next to Subjects:

    Figure 40: Creating Web Server Contract Subject

    1. In the Name window, type in web_subj
    2. Make sure both the Reverse Filter Ports and Apply Both Directions check boxes are checked
    3. Under the Filter Chain window, click on the + sign to add a filter
    4. Click on the drop-down arrow to show the list of filters and select Web_Filter under the ACILab tenant
    5. Once selected, click on Update

    Figure 41: Updating Filter Chain Selection

    1. Click on OK to complete the filter chain selection

    Figure 42: Completion of Web Server Contract

    1. Please click on the SUBMIT button to create the web server contract.
    2. We will now create an Application Server Contract

    Create Application Contract

    Figure 43: Creating an Application Server Contract

    1. On the right-hand panel, click on the ACTIONS button
    2. Select Create Contract

    Figure 44: Providing Application Server Contract Information

    1. In the Name window, type in App_Con
    2. Leave the other boxes at their defaults and click on the + next to Subjects:

    Figure 45: Creating Application Server Contract Subject

    1. In the Name window, type in app_subj
    2. Make sure both the Reverse Filter Ports and Apply Both Directions check boxes are checked
    3. Under the Filter Chain window, click on the + sign to add a filter
    4. Click on the drop-down arrow to show the list of filters and select App_Filter under the ACILab tenant
    5. Once selected, click on Update

    Figure 46: Completion of Application Server Contract Subject

    1. Once the Update button is clicked, the OK button will be active. Please click on OK to create the application server contract subject.

    Figure 47: Completion of Application Server Contract

    1. Please click on the SUBMIT button to create the application server contract.

    Create DB Contract

    We will now create a Database Server Contract.

    Figure 48: Creating a Database Server Contract

    1. On the right-hand panel, click on the ACTIONS button
    2. Select Create Contract

    Figure 49: Providing Database Server Contract Information

    1. In the Name window, type in DB_Con
    2. Leave the other boxes at their defaults and click on the + next to Subjects:

    Figure 50: Creating Database Server Contract Subject

    1. In the Name window, type in db_subj
    2. Make sure both the Reverse Filter Ports and Apply Both Directions check boxes are checked
    3. Under the Filter Chain window, click on the + sign to add a filter
    4. Click on the drop-down arrow to show the list of filters and select DB_Filter under the ACILab tenant
    5. Once selected, click on Update

    Figure 51: Completion of Database Server Contract Subject

    1. Once the UPDATE button is clicked, the OK button will be active. Please click on OK to create the database server contract subject.

    Figure 52: Completion of Database Server Contract

    1. Please click on the SUBMIT button to create the database server contract.

    Figure 53: View of Created Contracts

    Summary

    You now have successfully created the tenant filters and contracts, which can be fully utilized by any Application Profile and EPGs. We will next focus on creating the application profile and EPGs that will associate these contracts and filters.

    Lab 4: Deploying a 3-Tier Application Network Profile

    Overview: With the filters and contracts created in the previous lab, we can now build our application profile. The Application Profile allows your environment to build a template of network attributes and policies that can be dynamically instantiated and seamlessly inserted. The following tasks will be completed in this section of the lab:

    Building an Application Profile for a 3-Tier Application

    Procedures:

    Creating Application Profile: 1. We will create a 3-Tier Application Profile

    Figure 54: Creation of Application Profile

    1. In the ACILab tenant, select Application Profiles on the left-hand panel
    2. Click on the ACTIONS button on the right-hand panel
    3. Select Create Application Profile

    Figure 55: Providing Application Profile Information

    1. In the Name window, type in 3Tier_App
    2. In the EPGs window, click on the + to create an EPG

    Figure 56: Create a Web Server EPG

    1. In the Name window, type in Web_EPG
    2. On the drop-down box for the Bridge Domain, select ACILab_BD1
    3. Click OK to create the Web EPG

    Figure 57: Adding Another EPG

    1. In the EPGs window, click on + to add another EPG

    Figure 58: Create an Application Server EPG

    1. In the Name window, type in App_EPG
    2. On the drop-down box for the Bridge Domain, select ACILab_BD1
    3. Click OK to create the App EPG

    Figure 59: Add Another EPG

    1. In the EPGs window, click on + to add another EPG

    Figure 60: Create a Database EPG

    1. In the Name window, type in DB_EPG
    2. On the drop-down box for the Bridge Domain, select ACILab_BD1
    3. Click OK to create the DB EPG

    Figure 61: Add a Provided Contract for Web EPG

    1. Make sure that the Web_EPG is selected
    2. Then click on the + under the Provided Contracts

    Figure 62: Select Web Contract as the Provided Contract for the Web EPG

    1. On the Name drop-down box, select ACILab/Web_Con
    2. Click on OK

    Figure 63: Add a Consumed Contract for the Web EPG

    1. Make sure that the Web_EPG is selected and then click on the + under the Consumed Contracts

    Figure 64: Select Web Contract as the Consumed Contract for the Web EPG

    1. On the Name drop-down box, select ACILab/App_Con
    2. Click on OK

    Figure 65: Add a Provided Contract for App EPG

    1. Make sure that the App_EPG is selected and then click on the + under the Provided Contracts

    Figure 66: Select App Contract as the Provided Contract for the App EPG

    1. On the Name drop-down box, select ACILab/App_Con
    2. Click on OK

    Figure 67: Add a Consumed Contract for the App EPG

    1. Make sure that the App_EPG is selected and then click on the + under the Consumed Contracts

    Figure 68: Select Database Contract as the Consumed Contract for the App EPG

    1. On the Name drop-down box, select ACILab/DB_Con
    2. Click on OK

    Figure 69: Add a Provided Contract for DB EPG

    1. Make sure that the DB_EPG is selected and then click on the + under the Provided Contracts

    Figure 70: Select DB Contract as the Provided Contract for the DB EPG

    1. On the Name drop-down box, select ACILab/DB_Con
    2. Click on OK

    Figure 71: Complete Creation of 3Tier Application Profile

    1. Click on SUBMIT to complete the task

    Figure 72: Topology View of 3Tier Application Profile

    1. On the Application Profiles section, click on + to expand the tree
    2. Then select the application profile 3Tier_App

    Note: This provides a logical topology view of the application profile. You can familiarize yourself with this view by selecting the various tabs for more detailed information.

    Summary

    Application profiles are a powerful tool for building out application connectivity and policy using repeatable processes. Application connectivity is defined based on the service tiers or components provided and the tiers they consume. Contracts define the policy for those connections and can be used for provider or consumer relationships.
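To make the provider/consumer relationships concrete, here is an added Python model of the filters, contracts and EPGs built in Labs 3 and 4. It is not code from the lab guide or from Cisco; it encodes the objects created through the GUI (the EPG, contract and filter names, the ports, and the Reverse Filter Ports / Apply Both Directions settings are the lab's own values, while the function and class names are this example's) so that the resulting whitelist behaviour can be checked offline: traffic between two EPGs is dropped unless a contract relationship and a matching filter entry exist.

```python
"""Added example: a model of the ACILab whitelist policy (not lab or Cisco code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: IP protocol plus an inclusive destination port range."""
    ip_protocol: str
    dport_from: int
    dport_to: int


# Lab 3 filters. The GUI keyword "http" is TCP destination port 80.
FILTERS = {
    "Web_Filter": (FilterEntry("tcp", 80, 80),),
    "App_Filter": (FilterEntry("tcp", 1433, 1433),),
    "DB_Filter": (FilterEntry("tcp", 1521, 1521),),
}

# Lab 3 contracts. Every subject was created with "Apply Both Directions" and
# "Reverse Filter Ports" checked, which is what lets TCP replies through.
CONTRACTS = {
    "Web_Con": {"filters": ("Web_Filter",), "both_directions": True, "reverse_ports": True},
    "App_Con": {"filters": ("App_Filter",), "both_directions": True, "reverse_ports": True},
    "DB_Con": {"filters": ("DB_Filter",), "both_directions": True, "reverse_ports": True},
}

# Lab 4 EPGs and the contracts each one provides and consumes.
EPGS = {
    "Web_EPG": {"provides": {"Web_Con"}, "consumes": {"App_Con"}},
    "App_EPG": {"provides": {"App_Con"}, "consumes": {"DB_Con"}},
    "DB_EPG": {"provides": {"DB_Con"}, "consumes": set()},
}


def permitting_contract(src_epg: str, dst_epg: str, ip_protocol: str,
                        sport: int, dport: int) -> Optional[str]:
    """Return the name of the contract that permits this unicast flow, or None.

    Traffic inside one EPG needs no contract; traffic between two EPGs is
    dropped unless a contract relationship and a matching filter entry exist.
    """
    if src_epg == dst_epg:
        return "intra-EPG"
    for name, contract in CONTRACTS.items():
        # Consumer -> provider is the direction the filter is written for.
        c2p = name in EPGS[src_epg]["consumes"] and name in EPGS[dst_epg]["provides"]
        # Provider -> consumer is only opened by "Apply Both Directions".
        p2c = (contract["both_directions"]
               and name in EPGS[src_epg]["provides"]
               and name in EPGS[dst_epg]["consumes"])
        if not (c2p or p2c):
            continue
        for filter_name in contract["filters"]:
            for entry in FILTERS[filter_name]:
                if entry.ip_protocol != ip_protocol:
                    continue
                # With "Reverse Filter Ports" the reverse direction tests the
                # source port, so the reply of a matched session is allowed.
                port = sport if (p2c and contract["reverse_ports"]) else dport
                if entry.dport_from <= port <= entry.dport_to:
                    return name
    return None


def permitted_matrix() -> dict:
    """Which EPG pairs can open a TCP session, and to which server port.

    Probes every ordered EPG pair with the three lab server ports from an
    ephemeral source port and returns {(src, dst): [ports]} for allowed pairs.
    """
    matrix = {}
    for src in EPGS:
        for dst in EPGS:
            if src == dst:
                continue
            ports = [p for p in (80, 1433, 1521)
                     if permitting_contract(src, dst, "tcp", 50000, p)]
            if ports:
                matrix[(src, dst)] = ports
    return matrix


if __name__ == "__main__":
    for (src, dst), ports in permitted_matrix().items():
        print(f"{src} -> {dst}: TCP {ports}")
```

Running it shows the only two session paths the lab opened, Web_EPG to App_EPG on TCP 1433 and App_EPG to DB_EPG on TCP 1521. A direct Web_EPG to DB_EPG session is refused because no contract joins those two EPGs, and nothing reaches Web_EPG on port 80 yet because no EPG in the lab consumes Web_Con. The fabric itself also tracks TCP state; the source-port test in the provider-to-consumer branch is the offline approximation of how the reply direction is matched.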

    Lab 5: Integrating with VMware

    Lab 5-A: Registering VMM Domain

    Overview: In this lab section, we will register the APIC to our virtual environment, which will be using VMware's vCenter Server. This lab will walk you through this registration process, which will allow the APIC to push application policies down to the virtual machines. This tight integration will be shown in another lab exercise, but this lab section will focus on building the connection between the APIC and VMware's vCenter Server. The lab will complete the following tasks:

    Register APIC to VMware vCenter Server
      o This will create a Distributed Virtual Switch inside VMware's Network construct

    Verify APIC DVS has been created and connection between APIC and vCenter Server is established

    VMware vCenter Server Topology: From the topology shown in the beginning of this lab, the vCenter Server is managing two (2) ESXi hosts. The two ESXi hosts have 3 virtual machines named Web-Server, App-Server and DB-Server that are using the standard vSwitch port-group 3Tier-App. There is an additional virtual machine that is installed named ASAv_01 for firewall usage. The figure below shows how this virtual environment is configured.

    Figure 73: Login to VMware vCenter Server

    Open the vSphere client on the desktop and leave the defaults, then click on Login

    Figure 74: VMware Environment View

    Procedures:

    Register APIC to VMware vCenter (Create VMM Domain): If you are not logged into the APIC GUI please follow the steps to do so from Lab 1 before proceeding. Follow the figures below to create the VMM Domain.

    Figure 75: Creating VMM Domain

    1. On the top menu, select VM NETWORKING
    2. Then under the sub-menu, click on POLICIES
    3. On the left-hand panel, select VM Provider VMware
    4. Then on the right-hand panel, click on ACTIONS
    5. Then select Create vCenter Domain
    6. In the next few steps, a wizard will walk you through how to create a VMM Domain. Please follow the screen shots to complete this task.

    Create vCenter Domain:

    Figure 76: Creating vCenter Domain

    1. In the Name window box, please type in My-vCenter
    2. In the VLAN Pool: window, click on the drop-down arrow
    3. Select Create VLAN Pool

    Create VLAN Pool:

    Figure 77: Creating a VLAN Pool

    1. In the Name: window, type in ACILab_VLAN_Pool
    2. In the Encap Blocks: window, click on the + to create the VLAN Pool.

    Figure 78: Providing VLAN range

    1. In this lab, we will use the VLAN range 1001 - 1100. Please enter this information as shown in the figure below and click on OK.

    Figure 79: Completing Creation of VLAN Pool

    1. Click on SUBMIT to create the VLAN Pool

    Create vCenter Credentials:

    Figure 80: Creating vCenter Credentials Object

    1. Next we will create the credentials used to log in to the vCenter server. To do this, click the + next to vCenter Credentials:

    Figure 81: Providing vCenter Credentials

    1. In the Name window, type in an object name for this credential, which in this case will be administrator

    2. In the Username: box, type in the username used to authenticate to the VMware vCenter Server, which will be student

    3. In the Password: window, type in the password for the user administrator, which for this lab is P@ssw0rd (that is a zero, not an uppercase O).

    4. In the Confirm Password: window, retype the password.
    5. Click on OK to complete the task

    Create vCenter Server Object: In the next task, we will create the VMware vCenter Server object.

    Figure 82: Creation of VMM Domain Controller (vCenter Server)

    1. To create the vCenter server object, click on the + next to vCenter/vShield

    Figure 83: Configuring vCenter Server Information

  • WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!!

    Within this Create vCenter Domain task, it is important to enter in the information EXACTLY as shown in the lab guide.

    1. Make sure the vCenter button is selected
    2. In the Name window, type in ACILab
    3. In the Address, type in the IP Address of the vCenter Server, which is 192.168.1.100
    4. In the Datacenter window, type in ACILab
    5. In the Associated Credential: drop-down box, select the credential object that was created in the previous task, which should be administrator
    6. Click on OK

    Figure 84: Completing Creation of vCenter Domain

    1. Click on SUBMIT to create the vCenter server object.

    Verifying APIC Connection to vCenter Server: To verify that we have a valid connection between the APIC and our VMware vCenter server, follow the figures below.

    Figure 85: Verification of vCenter Domain Connection to VMware vCenter Server

    1. In the sub-menu, select INVENTORY
    2. Expand the VMware entry by clicking on the + on the left-hand panel
    3. You will then see the My-vCenter entry that was created; expand it by clicking on the + next to that entry
    4. Then select the ACILab entry on the left-hand panel; on the right-hand side you should see that there are 2 ESXi hosts and other pertinent information about the VMware vCenter Server

    You can also verify this by using the vSphere client to view that the APIC DVS has been created. Follow the figures below to verify this from a VMware perspective.

    Figure 86: Verifying APIC DVS Creation

    1. On the top menu of the vSphere client, click on the Hosts and Clusters entry and a drop-down menu will appear.

    2. Click on Networking to get you to the networking view from vCenter

    Figure 87: Verifying vSphere Networking View

    1. If the networking view is not expanded, then from the top view called VC, click on the + to expand the view

    2. The logical data center can be expanded by clicking on the + next to the entry ACILab

    3. The VMM Domain that was created in the lab is shown as a folder named My-vCenter. You will notice that a new DVS named My-vCenter has been created inside it; expand it and you will see that the DVS uplink has been created. This verifies that the APIC has a connection to the VMware vCenter Server.

    Summary: The ACI is able to integrate with various hypervisor technologies, where VMware is one vendor in this space. The ACI supports Microsoft Hyper-V and, later on, other hypervisor vendors like KVM and Citrix. This lab demonstrates the capability of integrating into VMware's vCenter technology and will allow the APIC to create policies that can be utilized by VMware's virtual environment.
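The VMM domain the wizard builds in this lab is, underneath, a small tree of APIC objects, and it is worth seeing that tree because it is what a script such as the one used in Lab 6 has to send. The following is an added example in Python, not code from the lab guide or from Cisco: it assembles the VLAN pool and the vCenter domain with the lab's names, address and VLAN range, using the APIC object classes behind the GUI fields (fvnsVlanInstP, fvnsEncapBlk, vmmDomP, vmmUsrAccP, vmmCtrlrP, vmmRsAcc, infraRsVlanNs). build_vlan_pool, build_vmm_domain, lab_payloads and redacted are this example's own functions, and the vCenter password is taken from the environment variable VCENTER_PASSWORD (a placeholder name) rather than written into the script.

```python
"""Added example: the Lab 5-A VMM domain as APIC XML objects (not lab or Cisco code)."""
import os
import xml.etree.ElementTree as ET


def build_vlan_pool(name: str, vlan_from: int, vlan_to: int) -> ET.Element:
    """Dynamic VLAN pool: the APIC allocates one encapsulation per EPG from this block."""
    pool = ET.Element("fvnsVlanInstP", name=name, allocMode="dynamic")
    # "from" is a Python keyword, so these attributes are passed as a dict.
    ET.SubElement(pool, "fvnsEncapBlk",
                  attrib={"from": f"vlan-{vlan_from}", "to": f"vlan-{vlan_to}"})
    return pool


def build_vmm_domain(domain: str, pool_name: str, cred_name: str, username: str,
                     password: str, ctrlr_name: str, vcenter_ip: str,
                     datacenter: str) -> ET.Element:
    """vCenter domain: VLAN pool binding, credential object and controller entry."""
    dom = ET.Element("vmmDomP", name=domain)
    # A dynamic pool's distinguished name is uni/infra/vlanns-[<pool>]-dynamic.
    ET.SubElement(dom, "infraRsVlanNs", tDn=f"uni/infra/vlanns-[{pool_name}]-dynamic")
    # The credential object (GUI: vCenter Credentials) holds the vCenter login.
    ET.SubElement(dom, "vmmUsrAccP", name=cred_name, usr=username, pwd=password)
    # The controller (GUI: vCenter/vShield) names the datacenter the APIC manages.
    ctrlr = ET.SubElement(dom, "vmmCtrlrP", name=ctrlr_name,
                          hostOrIp=vcenter_ip, rootContName=datacenter)
    # Associated Credential: the controller references the credential object by dn.
    ET.SubElement(ctrlr, "vmmRsAcc",
                  tDn=f"uni/vmmp-VMware/dom-{domain}/usracc-{cred_name}")
    return dom


def lab_payloads(vcenter_password: str) -> dict:
    """{POST path: XML text} for the two requests that reproduce Lab 5-A."""
    pool = build_vlan_pool("ACILab_VLAN_Pool", 1001, 1100)
    dom = build_vmm_domain("My-vCenter", "ACILab_VLAN_Pool", "administrator",
                           "student", vcenter_password, "ACILab",
                           "192.168.1.100", "ACILab")
    return {"/api/mo/uni/infra.xml": ET.tostring(pool, encoding="unicode"),
            "/api/mo/uni/vmmp-VMware.xml": ET.tostring(dom, encoding="unicode")}


def redacted(xml_text: str) -> str:
    """Copy of a payload that is safe to print or log: credential values are masked."""
    root = ET.fromstring(xml_text)
    for acc in root.iter("vmmUsrAccP"):
        acc.set("pwd", "***")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed placeholder: supply the real vCenter password via the environment.
    secret = os.environ.get("VCENTER_PASSWORD", "example-only")
    for path, xml_text in lab_payloads(secret).items():
        print(f"POST {path}\n{redacted(xml_text)}\n")
```

The two payloads are posted under their parent objects (uni/infra for the pool, uni/vmmp-VMware for the domain), which is why the domain can reference the pool by distinguished name. The redacted copy is what should go into any console output or log file; the vCenter credential lives only in the request body sent to the APIC.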

    Lab 5-B: Adding ESXi Hosts to APIC DVS

    Overview: In this lab we will focus on adding the two (2) ESXi hosts to the APIC DVS. This will allow the APIC EPGs to be associated with VMware's virtual environment. This section will use VMware's vSphere client to add the hosts to the APIC DVS. This lab will complete the following task:

    Add both ESXi hosts (ESXi-01 and ESXi-02) to the APIC DVS (apicVswitch)

    Procedures:

    Add ESXi Hosts to APIC DVS: If you are not logged into the vSphere client, follow the instructions from the previous lab to get to the Networking view from VMware. Then follow the figures below to add the ESXi hosts to the APIC DVS.

    Figure 88: Adding ESXi Hosts to APIC DVS

    1. Select the DVS named My-vCenter and right-click on it to bring up a sub-menu

    2. Click on Add Host

    Figure 89: Selecting Host NIC for APIC DVS Control

    Note: Both ESXi hosts have vmnic2, which is not being utilized and will be used for the APIC DVS. On some pods that vmnic number may be vmnic1.

    WARNING WARNING WARNING - DANGER WILL ROBINSON

    DO NOT SELECT VMNIC0!!!!

    1. Click on the check-box next to vmnic2 for the first host, with IP 192.168.1.101
    2. Click on the check-box next to vmnic2 for the second host, with IP 192.168.1.102
    3. Click on Next to continue

    Figure 90: Migration of vmkernels

    1. We will not migrate any vmkernels in this lab. So please click on Next to continue.

    Figure 91: Migrating Virtual Machine Networking

    1. We will also not migrate any virtual machine network interfaces during this process. Please click on Next to continue.

    Figure 92: Complete Adding Hosts to APIC DVS

    1. Verify the information is correct and click on Finish

    Figure 93: Verifying Added ESXi Hosts to APIC DVS

    1. Click on the Hosts tab on the right-hand panel. You should now see that the two ESXi hosts have been added to the APIC DVS.

    Summary

    You now have successfully added the ESXi hosts to the APIC DVS. This section has laid the foundation to allow the APIC to create EPGs, which will create VMware port-groups that the virtual machines can utilize. This will provide integration for the APIC to distribute policies to VMware's virtual environment.

    Lab 5-C: Associating EPG to vCenter Domain

    Overview: In this lab we will focus on associating the EPGs to the VMM Domain. With the ESXi hosts already connected to the APIC DVS, we can now associate the EPGs we created in the last lab to our VMware virtual environment.

    Procedures:

    Associating vCenter Domain to Application Server EPG: Associate vCenter Domain to App_EPG

    Figure 94: Associating vCenter Domain to Application Server EPG

    1. On the left-hand panel, expand the 3Tier_App application profile
    2. Then expand the Application EPG App_EPG
    3. Then select Domains (VMs and bare metals)
    4. On the right-hand panel, click on ACTIONS
    5. Then select Add VMM Domain Association

    Figure 95: Associating My-vCenter vCenter Domain to App_EPG

    1. On the VMM Dom Profile: drop-down box, select My-vCenter
    2. Choose the radio button Immediate for Deploy Immediacy
    3. Choose the radio button Immediate for Resolution Immediacy
    4. Click on SUBMIT

    Figure 96: VMM Domain Formed with APP_EPG

    Associating vCenter Domain to Database Server EPG: Associating VMM Domain to DB_EPG

    Figure 97: Associating VMM Domain to Database Server EPG

    1. On the left-hand panel, expand the Application EPG DB_EPG
    2. Then select Domains (VMs and bare metals)
    3. On the right-hand panel, click on ACTIONS
    4. Then select Add VMM Domain Association

    Figure 98: Associating My-vCenter vCenter Domain to DB_EPG

    1. On the VMM Dom Profile: drop-down box, select My-vCenter
    2. Choose the radio button Immediate for Deploy Immediacy
    3. Choose the radio button Immediate for Resolution Immediacy
    4. Click on SUBMIT

    Figure 99: vCenter Domain Formed with DB_EPG

    Associating vCenter Domain to Web Server EPG: Associating VMM Domain to Web_EPG

    Figure 100: Associating vCenter Domain to Web Server EPG

    1. On the left-hand panel, expand the Application EPG Web_EPG
    2. Then select Domains (VMs and bare metals)
    3. On the right-hand panel, click on ACTIONS
    4. Then select Add VMM Domain Association

    Figure 101: Associating My-vCenter vCenter Domain to Web_EPG

    1. On the VMM Dom Profile: drop-down box, select My-vCenter
    2. Choose the radio button Immediate for Deploy Immediacy
    3. Choose the radio button Immediate for Resolution Immediacy
    4. Click on SUBMIT

    Figure 102: vCenter Domain Formed with Web_EPG

    Figure 103: Verify EPG is in VMware vCenter Networking

    Summary: The ACI EPGs are now fully integrated into VMware's virtualized environment and the VMs can now fully utilize the ACI fabric infrastructure.

    Lab 5-D: Associating VM to EPG Port-Groups

    Overview: In this lab we will now convert the VMs from using the native vSwitch to the APIC DVS port-groups. This will complete the integration of the APIC to the virtualized environment.

    Procedures:

    Map VMs to EPG Port-Groups: Move to VMware's Hosts and Clusters view

    Figure 104: Move to VMware Hosts and Clusters View

    1. From the tool bar menu, click on Networking
    2. A menu list will drop down; please select Hosts and Clusters

    Edit Web-Server Settings: Edit Settings of Virtual Machine Web-Server

    Figure 105: Edit Settings of Web-Server VM

    1. Select the VM Web-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 106: Choose APIC Application Profile Web EPG

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the ACILab-3Tier_App-Web_EPG port-group

    Figure 107: Confirming Network Adapter Changes

    1. Click on OK to complete the changes for Network adapter 1

    Edit App-Server Settings: Edit Settings of Virtual Machine App-Server

    Figure 108: Edit Settings of App-Server VM

    1. Select the VM App-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 109: Choose APIC Application Profile App EPG

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the ACILab-3Tier_App-App_EPG port-group

    Figure 110: Confirming Network Adapter Changes

    1. Click on OK to complete the changes for Network adapter 1

    Edit DB-Server Settings: Edit Settings of Virtual Machine DB-Server

    Figure 111: Edit Settings of DB-Server VM

    1. Select the VM DB-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 112: Choose APIC Application Profile DB EPG

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the ACILab-3Tier_App-DB_EPG port-group

    Figure 113: Confirming Network Adapter Changes

    1. Click on OK to complete the changes for Network adapter 1

    Figure 114: Viewing VMware Virtual Machines Information from APIC GUI

    Go to the VM Networking tab; under Inventory, expand VMware > My-vCenter > ACILab > Hypervisors > 192.168.1.101 > Virtual Machines and select Web-Server. Take note that the PORTGROUP association is mapped to the Web_EPG.

    Summary: You have successfully provided full visibility and manageability from the APIC to the virtualized environment. Insertion of services and policies can now be dynamically provisioned seamlessly while being managed from a centralized management tool.

    Lab 6: Deploying a Service Graph into the Application Network Profile

    Overview In this lab we will now focus on two (2) key features of the APIC solution. The first is that we can seamlessly insert services, such as firewalls, load-balancers, etc., into the application profile. With the open architecture of the ACI solution, we can insert any vendor's solution, like Citrix, F5 and many others who want to integrate with Cisco's ACI architecture. The second key capability of ACI is the ability to script the creation of any of the objects within the APIC. This allows orchestration tools to quickly deploy their solutions within minutes.

    So in this lab, we will utilize a python script to remove the objects and then re-build them, to demonstrate how seamlessly and quickly the Application Network Profile (ANP) can be deployed. Afterwards, we will utilize the python script to insert the ASAv firewall into the ACI fabric as a service graph.

    Procedures

    Prior to executing the script to remove the ACI objects, we will need to remove the EPG portgroups from the virtual machines and remove the hosts from the ACI DVS that was created in lab 5. Follow the procedures below to complete this task.

    vCenter ACI Removal

    First we will configure the virtual machine network to use the vSwitch portgroup.

    Figure 115: Editing Settings for Web Server VM

    1. Select the VM Web-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 116: Moving Web Server Portgroup to 3Tier-App

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the 3Tier-App port-group

    Figure 117: Edit Settings for App Server VM

    1. Select the VM App-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 118: Moving App Server Portgroup to 3Tier-App

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the 3Tier-App port-group

    Figure 119: Edit Settings for DB Server VM

    1. Select the VM DB-Server
    2. On the right-hand panel, click on Edit virtual machine settings

    Figure 120: Moving DB Server Portgroup to 3Tier-App

    1. Select Network adapter 1
    2. Click on the Network label: drop-down box
    3. Select the 3Tier-App port-group

    Next we will remove the ESXi hosts from the APIC DVS.

    Figure 121: Remove ESXi Host 192.168.1.102 from APIC DVS

    1. Make sure you are at the Networking view and then select the DVS My-vCenter
    2. On the right pane, select the Hosts tab
    3. We will remove both hosts, but for this example we will remove the server 192.168.1.102. Select this host and right-click to bring up the menu
    4. When the menu appears, select Remove from vSphere Distributed Switch
    5. A pop-up window will appear; click on Yes and the host will be removed from the APIC DVS.

    Repeat this step for the other server 192.168.1.101

    Figure 122: Completed Removal of both ESXi hosts from My-vCenter DVS

    With the hosts removed from the APIC DVS, it is not necessary to remove the DVS. The script will remove the VMM Domain, which will then remove the APIC DVS from the vCenter server.

    Automation Through Python Scripting

    We will now execute the python script to remove the objects that were created in labs 2 - 5. To start off, open a Putty session from the desktop to get to the Linux server.

    Figure 123: Open Putty Session

    1. Select the entry dev-lnx
    2. Then click on Load
    3. Then click on the Open button

    Figure 124: Login to dev-lnx System

    The login credentials are: Userid: user01, Password: user01

    Removing ACI Objects Created from Labs 2 - 5: The dev-lnx VM is an Ubuntu VM that houses the python scripts to allow us to automate the configuration of the ACI fabric through XML. Please execute the python script to remove the ACI objects from the dev-lnx VM.

    user01@dev-lnx:$ ./securerequest.py Scripts/Blow_Me_Away.cfg

    Hit return to process Scripts/DeleteL3Mgmt.xml

    The python script will step through multiple XML scripts to remove the objects. You can verify in the APIC GUI to see the removal of the objects, like the ACILab tenant, VMM Domain My-vCenter and others. Once this script is completed, you can also go to the vCenter server to see that the My-vCenter DVS has been removed as well.

    With the objects removed, we will now show how quickly and easily those objects can be built with the python script, in seconds. Please execute the python script to create the objects that were built in labs 2 - 5.

    user01@dev-lnx:$ ./securerequest.py Scripts/Build_Lab2-5.cfg

    Hit return to process Scripts/L3MgmtConnectivity.xml

    The python script executed multiple XML scripts to build up the objects in the ACI fabric. You can go through the GUI to validate that the Contracts, Filters, Application Network Profiles and VMM Domain have been created. You can also check on the vCenter server that the VMM integration has been associated with the EPGs.

    Please note that this python script DOES NOT add the ESXi hosts to the APIC DVS and DOES NOT move the virtual machines' network adapter portgroup to the ACI EPG. That process still needs to be done.

    So before moving to the next part of the lab, PLEASE GO THROUGH LAB 5-B AGAIN to add the ESXi hosts to the APIC DVS. It is not necessary to go through Lab 5-C or 5-D to complete the rest of the lab exercises.
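The lab's securerequest.py drives the APIC by posting XML, and the objects the earlier labs created by hand can be expressed as one such payload. The following added example, written in Python and neither the lab's own script nor Cisco code, builds the ACILab tenant of Labs 3, 4 and 5-C (the filters, the contracts with reverse filter ports, the 3Tier_App profile with its EPG contract relationships and the VMM domain association) and shows the two REST calls a push needs: a login to /api/aaaLogin.xml that returns a token, then a POST under uni with that token in the APIC-cookie. The element names are the APIC object classes behind the GUI dialogs; build_tenant, render_tenant, epg_relations, apic_login and apic_post are this example's own functions, and APIC_URL, APIC_USER, APIC_PASSWORD and APIC_CA_FILE are placeholder environment variable names.

```python
"""Added example: tenant ACILab as one APIC XML payload plus the REST push
(not the lab's securerequest.py and not Cisco code)."""
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Lab 3 filters: entry name and destination port (APIC accepts "http" or a number).
FILTERS = {"Web_Filter": ("web_filter", "http"),
           "App_Filter": ("app_filter", "1433"),
           "DB_Filter": ("db_filter", "1521")}
# Lab 3 contracts: subject name and the single filter in its chain.
CONTRACTS = {"Web_Con": ("web_subj", "Web_Filter"),
             "App_Con": ("app_subj", "App_Filter"),
             "DB_Con": ("db_subj", "DB_Filter")}
# Lab 4 EPGs: (provided contracts, consumed contracts).
EPGS = {"Web_EPG": (("Web_Con",), ("App_Con",)),
        "App_EPG": (("App_Con",), ("DB_Con",)),
        "DB_EPG": (("DB_Con",), ())}
VMM_DOMAIN_DN = "uni/vmmp-VMware/dom-My-vCenter"   # the Lab 5-A domain


def build_tenant() -> ET.Element:
    """Tenant subtree: filters, contracts, the 3Tier_App profile and its EPGs."""
    tn = ET.Element("fvTenant", name="ACILab")
    for fname, (entry, dport) in FILTERS.items():
        flt = ET.SubElement(tn, "vzFilter", name=fname)
        ET.SubElement(flt, "vzEntry", name=entry, etherT="ip", prot="tcp",
                      dFromPort=dport, dToPort=dport)
    for cname, (subj, fname) in CONTRACTS.items():
        con = ET.SubElement(tn, "vzBrCP", name=cname)
        # revFltPorts is "Reverse Filter Ports"; a subject without vzInTerm/vzOutTerm
        # children is the "Apply Both Directions" form used in the lab.
        subject = ET.SubElement(con, "vzSubj", name=subj, revFltPorts="yes")
        ET.SubElement(subject, "vzRsSubjFiltAtt", tnVzFilterName=fname)
    ap = ET.SubElement(tn, "fvAp", name="3Tier_App")
    for ename, (provided, consumed) in EPGS.items():
        epg = ET.SubElement(ap, "fvAEPg", name=ename)
        ET.SubElement(epg, "fvRsBd", tnFvBDName="ACILab_BD1")
        for c in provided:
            ET.SubElement(epg, "fvRsProv", tnVzBrCPName=c)
        for c in consumed:
            ET.SubElement(epg, "fvRsCons", tnVzBrCPName=c)
        # Lab 5-C: VMM domain association with both immediacies set to immediate.
        ET.SubElement(epg, "fvRsDomAtt", tDn=VMM_DOMAIN_DN,
                      instrImmedcy="immediate", resImmedcy="immediate")
    return tn


def render_tenant() -> str:
    """The tenant subtree serialized as the XML text that would be posted."""
    return ET.tostring(build_tenant(), encoding="unicode")


def epg_relations(tenant: ET.Element) -> dict:
    """Read the provider/consumer relationships back out of the tree."""
    return {epg.get("name"): {
                "provides": [r.get("tnVzBrCPName") for r in epg.findall("fvRsProv")],
                "consumes": [r.get("tnVzBrCPName") for r in epg.findall("fvRsCons")]}
            for epg in tenant.iter("fvAEPg")}


def apic_login(base_url: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """POST credentials to /api/aaaLogin.xml and return the session token."""
    body = ET.tostring(ET.Element("aaaUser", name=user, pwd=password))
    req = urllib.request.Request(base_url + "/api/aaaLogin.xml", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        login = ET.fromstring(resp.read()).find("aaaLogin")
    if login is None:
        raise RuntimeError("APIC login failed")
    return login.get("token")


def apic_post(base_url: str, token: str, path: str, element: ET.Element,
              ctx: ssl.SSLContext) -> None:
    """POST one object subtree under its parent dn; raise on an APIC error reply."""
    req = urllib.request.Request(base_url + path, data=ET.tostring(element), method="POST",
                                 headers={"Cookie": f"APIC-cookie={token}",
                                          "Content-Type": "application/xml"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        err = ET.fromstring(resp.read()).find("error")
    if err is not None:
        raise RuntimeError(f"APIC rejected the payload: {err.get('text')}")


if __name__ == "__main__":
    # Verify the APIC certificate against a CA you supply instead of disabling TLS checks.
    ctx = ssl.create_default_context(cafile=os.environ.get("APIC_CA_FILE"))
    base = os.environ["APIC_URL"]                      # placeholder, e.g. https://<apic-address>
    token = apic_login(base, os.environ["APIC_USER"], os.environ["APIC_PASSWORD"], ctx)
    apic_post(base, token, "/api/mo/uni.xml", build_tenant(), ctx)
    print(epg_relations(build_tenant()))
```

Everything up to the login runs offline; the push only happens when the environment variables are set. Two points worth keeping when adapting this: the APIC password is read from the environment rather than stored in a .cfg file beside the scripts, and TLS verification stays on, with the APIC's certificate authority supplied through APIC_CA_FILE, instead of being switched off for convenience.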

    Deploying Service Graph through Northbound API: In this part of the lab, we will execute the python script that will insert the Service Graph into the tenant ACILab. The script will do the following tasks:

    Import ASA Device Package

    Create Device Cluster
      o Create Logical Interfaces
      o Create Concrete Device

    Create Service Graph
      o Attach Contract Service Graph

    We will now execute a python script that will build up the objects for the Service Graph.

    Note: You will be walking through multiple steps in this python script utilizing XML scripts, while it creates the objects. You can view the APIC GUI to check the objects after the XML script is executed.

    user01@dev-lnx:$ ./securerequest.py Scripts/Build_Lab6.cfg

    Hit return to upload Scripts/asa-device-pkg-1.0.1.35.zip

    Note: The python script will run through the various XML scripts to create the APIC objects for the Service Graph. Follow through the script and after each object creation, a message will explain what each XML script does.

    View Service Graph: With the python script executed, you can now browse the APIC GUI to look at the Service Graph that was created within this environment. Below are some screen shots that verify the creation.

    Figure 125: L4-L7 Services Device Cluster

    1. On the sub-menu, select the tenant ACILab
    2. Expand L4-L7 Services on the left-hand pane
    3. Expand Device Cluster on the left-hand pane
    4. Then select the device cluster named Firewall

    Browse through this window to take a look at the information provided about the device cluster and other relevant information about the Cisco firewall.

    Figure 126: Service Graph Topology View

    1. Expand Service Graphs on the left hand pane
    2. Select the service graph named FWGraph

    Notice that Input1 and Output1 are linked to the Cisco firewall named FWNode. This shows how the firewall service is represented in the graph.

    Figure 127: Service Graph Binding to Contract

    1. Expand Security Policies on the left hand pane
    2. Then expand Contracts
    3. Then expand the contract named Web_Con
    4. Select the subject web_subj

    The red box highlighted in the Service Graph window shows that this contract is bound to ACILab/FWNode.

    Verify on ASA ASDM GUI: We will now verify that the configuration executed on the APIC has been pushed to the virtual ASA. On the desktop of your RDP server, open the Cisco ASDM-IDM Launcher icon.

    Figure 128: Login to ASA

    The login information for the ASA is IP Address: 192.168.1.103 and admin/cisco123. Click OK after you have entered the credentials.

    Figure 129: ASDM Pop-Up Messages

    Note: A couple of messages will appear after you login to the ASDM. The first will ask about trusting the publisher. Please click on the check box Always trust content from the publisher and click on Yes. A second window will appear about the ASA license state. Click on the check box Do not show this message again and click on OK to continue.

    Figure 130: ASA Home View

    Note that the two interfaces for the ASA have been configured by the APIC with the node name and the physical and logical interface name provided on the python script that was executed.

    You can now browse both the APIC GUI and the ASDM-IDM GUI to see what has been configured.

    Since the ASAv is a virtual machine on our ESXi server, the service graph also creates the necessary portgroups for the virtual interfaces that were configured in the service graph. Follow the screen shots to view this integration.

    Verifying on vCenter:

    Figure 131: vCenter Integration with ASAv Service Graph

    In the Networking view, expand the My-vCenter DVS. Notice the 2 additional portgroups that were created by the Service Graph in the lab.

    With these portgroups added, ACI integration with the service graph also binds these portgroups to the appropriate network adapters of the ASAv virtual machine. To verify this association, go to the ASAv VM to validate the portgroup.

    Figure 132: ASAv VM Portgroup Association

    1. In the Hosts and Clusters view, select the ASAv_01 VM and right-click
    2. Select Edit Settings

    Figure 133: ASAv Network Adapter Portgroup

    Notice that Network adapter 2 and Network adapter 3 have portgroups associated from ACILab.

    Select one of these adapters (in this example Network adapter 2) and notice that it uses the internal portgroup, which correlates to Gig0/0 on the ASAv.

    Summary
    Cisco's ACI solution provides a very powerful tool to insert any service that has an open API to communicate with the APIC. With the ease of scripting, deployment of any object within the APIC can now be done in minutes or possibly seconds, reducing the time needed to deploy your application network.

    Lab 7: Layer 3 External
    In this lab section, we will focus on how to create a Layer 3 External Routed network, using OSPF as our example. This lab uses a simulator, so no real validation can be performed, but the steps in this lab demonstrate the procedures needed to create an External Layer 3 configuration.

    We will be simulating the following environment:

    Figure 134: Layer 3 Topology

    The following is a list of procedures that are needed to complete the configuration of the External L3 Network:

    Configure Pod Policy
      o Configure BGP Route Reflectors
      o Assign default Pod Policy

    Configure Routed L3 External Network
      o Create Node Profile
      o Create Interface Profile

    Create External EPG Network

    Bind External Routed Network to Bridge Domain

    Configure Fabric Pod Policy
    In this section, we will configure the fabric policies for the internal fabric network in preparation for Layer 3 communication.

    Configure BGP Route Reflectors
    Figure 135: Configure Fabric Policies

    1. Select Fabric from the top menu
    2. Then select Fabric Policies in the sub-menu
    3. On the left-hand pane, expand Pod Policies
    4. Then expand Policies
    5. The menu will show BGP Route Reflectors default; select that entry
    6. The right-hand pane will show a configuration window; in the Autonomous System Number field, type in 1
    7. We will now also add both of our spines as BGP Route Reflectors for our fabric. To do so, click on the + next to Route Reflector Nodes

    Figure 136: Adding BGP Route Reflectors

    1. From the drop-down box at Spine Node, select the first spine, which is Node ID 103

    2. Click on Submit

    Figure 137: Add Second Route Reflector

    1. Click on the + next to Route Reflector Nodes to add a second Route Reflector

    Figure 138: Add Second Route Reflector

    1. From the drop-down box at Spine Node, select the second spine, which is Node ID 104

    2. Click on Submit

    Figure 139: Complete Adding Route Reflector

    1. Click on Submit

    Configure Fabric Group Policies
    Next we will need to create a Pod Policy Group. Follow the steps below to complete this task.

    Figure 140: Create Pod Policy Group

    1. Select Policy Groups
    2. On the right-hand pane, click on Actions
    3. A drop-down menu will appear; select Create POD Policy Group

    Figure 141: Configure Pod Policy Group

    1. In the Name window, type in PodPolicy
    2. At the BGP Route Reflector Policy drop-down box, select default
    3. Click on Submit

    Figure 142: Configure Default Pod Policy

    1. Select default on the left-hand pane
    2. From the Fabric Policy Group drop-down box, select PodPolicy
    3. Click on Submit

    Configure Routed L3 External Network
    In this section we will create an External L3 Network for our tenant ACILab. Please follow the procedure below to complete this task.

    Create External Routed Network
    Figure 143: Create Routed Outside Network

    1. Select Tenants on the top menu
    2. Select the tenant ACILab in the sub-menu
    3. Expand Networking on the left-hand pane
    4. Select External Routed Networks and right-click on that selection
    5. Select Create Routed Outside

    Figure 144: Configure L3 Routed Outside

    1. In the Name window, type in ACILab-L3-Out
    2. Select the check-box OSPF and leave the default OSPF Area ID of 1
    3. In the drop-down box at Private Network, select ACILab_VRF
    4. We will now need to configure Node & Interface Profiles; click on the + next to that section

    Create External Node Profile
    Figure 145: Configure Node Profile

    1. In the Name window, type in Border-Leaf2, since we will map the outside network to our Leaf2 switch
    2. Click on the + next to the Nodes section

    Figure 146: Configure Border Node

    1. In the drop-down box at Node ID, select Leaf2 (Node-102), which will then show up as topology/pod-1/node-102
    2. Type in the address 1.0.0.2 for the Router ID
    3. Click on OK

    Create OSPF Interface Profile
    Figure 147: Create OSPF Interface Profile

    Click on + next to OSPF Interface Profiles

    Figure 148: Configure OSPF Interface Profile

    1. In the Name window, type in L3-OSPF-Leaf2
    2. Under the Interfaces section, click on the + to add the Routed Interfaces. There are two additional options, SVI and Routed Sub-Interfaces, which we will not use in this example.

    Figure 149: Configure Routed Interface

    1. In the drop-down box for Path, select node 102 and select interface eth1/1
    2. In the IP Address window, type in 30.30.30.1/24; the subnet mask will be filled in automatically.
    3. In the MTU (bytes) window, the default is set to inherit. Please enter 1500
    4. Click on OK

    Figure 150: Completion of Routed Interface Configuration

    Click OK

    Figure 151: Completion of Node Profile Configuration

    Click OK

    Figure 152: Continue Wizard to External Network EPG

    Click on Next

    Figure 153: Create External Network EPG

    Click on + in the section External EPG Networks

    Figure 154: Configure External EPG Network

    1. In the Name window, type in L3-Out-EPG
    2. We will now add a subnet to this EPG; click on the + under Subnet

    Figure 155: Adding Subnet to External EPG

    1. In the External Subnet window, we will allow all subnets into this EPG. In a real environment, this would be filtered to allow only certain subnets, but for this lab, please enter 0.0.0.0/0. The mask will be filled in automatically
    2. Click on OK

    Figure 156: Completion of External EPG Network

    Click OK

    Figure 157: Completion of Creating an External Routed L3 Network

    Click on Finish

    Configure Provider/Consumer for L3-Out-EPG
    With the External Routed Network configured, we will now add the provided and consumed contracts that permit communication with this outside network. Follow the steps below to complete this task.

    Figure 158: Configure Provider Contract for L3-Out-EPG

    1. Expand Networking under the tenant ACILab
    2. Expand External Routed Networks
    3. Expand the created routed network ACILab-L3-Out
    4. Expand Networks
    5. Select L3-Out-EPG
    6. On the right-hand pane, in the section Provided Contracts, click on the +

    Figure 159: Add Provided Contract

    1. From the drop-down box, select the contract common
    2. Once completed, click on Update

    We will now need to add the Consumed Contract.

    Figure 160: Add an Entry to Consumed Contract

    Under Consumed Contracts, click on the +

    Figure 161: Add default/common to Consumed Contract

    1. From the drop-down box, select common from the Type Contract and DO NOT choose from the Type Imported Contract

    2. Once completed, click on Update

    Figure 162: Complete Provided/Consumed Contract for L3-Out-EPG

    Click on Submit

    Set Default OSPF Settings for Private Network
    Another step that needs to be configured is the default timers for OSPF in the Private Network of the tenant ACILab. Please follow the steps below.

    Figure 163: Configuring OSPF Default Timers

    1. Expand Private Networks
    2. Select ACILab_VRF
    3. In OSPF Timers, open the drop-down box and select default
    4. Click on Submit

    Associate the L3 Outside Network to a Bridge Domain
    We will now complete the task of associating the L3 outside network with our bridge domain. Please follow the steps to complete this task.

    Figure 164: Associating L3 Outside Network to Bridge Domain

    1. Expand Bridge Domains
    2. Select ACILab_BD1
    3. On the right-hand pane, in the section Associated L3 Outs, click on the +
    4. From the drop-down box, select ACILab/ACILab-L3-Out
    5. Click on Update

    Figure 165: Complete Association of L3 Outside Network to Bridge Domain

    Click on Submit

    Summary
    This completes the configuration of the external Layer 3 network for communication outside the ACI fabric. This lab uses a simulator to demonstrate the process, and verification is not available on the simulator at this time. In a physical fabric, there are verification tasks that would validate the configuration we have done here.

    Lab 8: Exploring Monitoring and Troubleshooting

    Viewing Faults Using the GUI
    To view a summary of fault statistics for the overall system, click the Dashboard icon in the menu bar of the APIC GUI. The fault counts by domain and by type are displayed in the dashboard tables.

    Logged faults are presented in many places in the GUI, filtered to show only those faults relevant to the current GUI context. Wherever a Records tab appears in the GUI Work pane, you can view the relevant entries from the fault log.

    For example, to view the faults related to a tenant, perform the following task.

    Procedure
    1. In the menu bar, click Tenants.
    2. In the sub-menu bar, click the name of the tenant.
    3. In the Work pane, click the Faults tab.

    Figure 166: Sample Tenant Faults View

    1. Select Tenants
    2. Then select the tenant ACILab
    3. Select the top entry Tenant ACILab on the left-hand pane
    4. Then select the Faults tab on the right-hand pane

    To view more details of a fault, double-click on its entry.

    Events
    The Application Policy Infrastructure Controller maintains a comprehensive, up-to-date run-time representation of the administrative and operational state of the Application Centric Infrastructure Fabric system in the form of a collection of managed objects (MOs). Any configuration or state change in any MO is considered an event. Most events are part of the normal workflow, and there is no need to record their occurrence or to bring them to the attention of the user unless they meet one of the following criteria:

      o The event is an anomaly, such as a fault being raised
      o The event is defined in the model as requiring notification
      o The event follows a user action that is required to be auditable

    Viewing Events Using the GUI
    Logged events are presented in many places in the GUI, filtered to show only those events relevant to the current GUI context. Wherever a History tab appears in the GUI Work pane, you can view the relevant log entries from the event log, health log, or audit log.

    For example, to view the event log, health log, or audit log related to authentication, perform the following task.

    Figure 167: Viewing History

    In the Tenant ACILab, select the History tab. Then on the sub-menu, select Events to see the events that have occurred on this tenant.

    Log Retention Policies
    The log retention policy specifies the retention and purge behavior of logs. The policy specifies the maximum history record count and the number of records to purge with a purge interval. Records are periodically purged to contain log growth. When the purge timer triggers, a number of records equal to the Purge Window Size are deleted if the number of records in the log is greater than the Maximum Size.

    You can configure the following settings:

    Maximum Size: The maximum number of records to be maintained in the log. The range is 1000 to 500000 records; the default is 10,000 records.

    Purge Window Size: The maximum number of records to be deleted in a single sweep. Record deletion is performed periodically (every 30 seconds) in batches. The maximum size of a batch should be chosen to avoid spikes in I/O and CPU utilization. The range is 100 to 1000 records; the default is 250 records.
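    The purge rule above has a consequence worth checking before relying on the audit log as evidence: a purge only ever removes one Purge Window Size of records per 30-second interval, so if records arrive faster than that the log keeps growing past Maximum Size. The following is an added example written for this guide (not APIC code or anything from the lab) that models the documented behaviour with the documented ranges and defaults; the record counts and arrival rates fed to simulate() are constructed values, not measurements.

```python
"""Model of the APIC log retention (purge) policy described in the guide.
Added example, not APIC code. The ranges, defaults and the 30-second purge
interval are the values stated in the text; workloads are constructed."""
from dataclasses import dataclass

PURGE_INTERVAL_SECONDS = 30  # purge timer period stated in the guide


@dataclass(frozen=True)
class LogRetentionPolicy:
    maximum_size: int = 10_000      # allowed range 1000..500000
    purge_window_size: int = 250    # allowed range 100..1000

    def __post_init__(self):
        if not 1_000 <= self.maximum_size <= 500_000:
            raise ValueError("Maximum Size must be between 1000 and 500000")
        if not 100 <= self.purge_window_size <= 1_000:
            raise ValueError("Purge Window Size must be between 100 and 1000")

    def purge(self, record_count: int) -> int:
        """One purge-timer tick: delete one window of records, but only when the
        log already holds more than maximum_size records (as the guide states)."""
        if record_count > self.maximum_size:
            return max(record_count - self.purge_window_size, 0)
        return record_count

    def max_sustained_rate(self) -> float:
        """Records per second the purge can remove at most; a steady arrival
        rate above this makes the log grow past Maximum Size indefinitely."""
        return self.purge_window_size / PURGE_INTERVAL_SECONDS


def is_valid_policy(maximum_size: int, purge_window_size: int) -> bool:
    """True when both settings fall inside the ranges the guide documents."""
    try:
        LogRetentionPolicy(maximum_size, purge_window_size)
    except ValueError:
        return False
    return True


def simulate(policy: LogRetentionPolicy, initial_count: int,
             new_per_interval: int, intervals: int) -> list:
    """Record count after each purge interval for a constructed workload in
    which new_per_interval records arrive between purge-timer ticks."""
    count = initial_count
    history = []
    for _ in range(intervals):
        count = policy.purge(count + new_per_interval)
        history.append(count)
    return history


if __name__ == "__main__":
    policy = LogRetentionPolicy()
    print("max sustained rate (records/s):", round(policy.max_sustained_rate(), 2))
    print("300 new records per interval:", simulate(policy, 10_000, 300, 3))
    print("200 new records per interval:", simulate(policy, 10_000, 200, 3))
```

    With the defaults, anything above roughly 8.3 records per second outpaces the purge: at 300 new records per 30-second interval the count climbs by 50 each tick, while at 200 it drains by 50 each tick. That is the number to compare against the expected audit and event rate when sizing the policy, and it is why raising Maximum Size alone does not stop growth.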

    Configuring Log Retention Policies in the GUI
    To configure log retention policies using the GUI, perform the following task.

    Figure 168: Log Retention Policies

    1. Select Admin from the top menu
    2. Select Historical Record Policies
    3. From the left-hand pane, expand Switch Policies
    4. Then expand Switch Audit Log Retention Policies
    5. Select default

    On the right hand pane, you will see the settings that are configured. You can modify these and other settings in this section.

    Using the API Inspector

    Capturing an API Interchange for Inspection
    By using the API Inspector, which is a built-in tool of the APIC, you can capture API messaging as you perform tasks in the APIC graphical user interface (GUI). The captured messages provide examples of the API operations that you can use to develop external applications that will use the API.

    Figure 169: API Inspector

    Click on welcome, admin on the far right-hand side of the GUI. A drop-down menu will appear; select Show API Inspector.

    Another pop-up window will appear that provides information about the objects of the ACI APIC.

    Figure 170: API Inspector Window

    You can filter what you want to view and if you like to start cleanly, click on the Clear button. Once the window is clear, you can execute an action on the GUI and the API Inspector will provide the output that is executed. By default the API Inspector views everything and from there you can also do searches as well.

    Using the Managed Object Browser
    The Managed Object Browser, or Visore, is a utility built into the APIC that provides a graphical view of the managed objects (MOs) using a browser. The Visore utility uses the APIC REST API query methods to browse MOs active in the Application Centric Infrastructure Fabric, allowing you to see the query that was used to obtain the information. The Visore utility cannot be used to perform configuration operations.

    Note - Only the Firefox, Chrome, and Safari browsers are supported for Visore access.

    Accessing Visore
    To access Visore, open another tab in your browser and enter the following link:

    https://192.168.1.11/visore.html

    Figure 171: Visore Access

    A pop-up window will appear for a login access. This is the same login to the APIC, which should be:

    Username: admin

    Password: cisco123

    Running a Query in Visore
    We will run a quick example query in Visore to provide some insight into how to navigate the APIC object tree.

    Figure 172: Visore Query

    1. In the Class or DN window, type in fvTenant
    2. In the Property window, type in name
    3. In the Val1 window, type in ACILab
    4. Click on Run Query

    A window will appear that will display this object class for Tenant ACILab. The output is shown below.

    Figure 173: Visore Query Output
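    Visore and the API Inspector both expose the same thing: the REST class query the GUI sends to the APIC and the JSON the APIC returns. The following is an added example written for this guide (not Cisco's code and not part of the lab) that expresses the Visore query above (Class fvTenant, Property name, Val1 ACILab) as that REST URL, then parses an APIC-style response. It assumes the lab APIC address 192.168.1.11 from the guide; the JSON responses are constructed samples in the documented imdata shape, embedded so the example runs offline, and the fault codes in them are placeholders rather than real APIC fault codes. The same parser reads fault records (class faultInst) that the Faults tab earlier in this lab displays, which is the point of learning the query form: the checks you click through in the GUI can be automated and monitored.

```python
"""Visore-style APIC REST class query and response parsing.
Added example, not Cisco/APIC code. Sample responses below are constructed."""
import json
from urllib.parse import quote

APIC_BASE_URL = "https://192.168.1.11"  # lab APIC address from the guide


def build_class_query(mo_class: str, prop: str = None, value: str = None) -> str:
    """Return the REST URL for a class query, optionally filtered on one property.

    The filter is the eq() expression Visore builds from its Property/Val1 fields,
    e.g. eq(fvTenant.name,"ACILab"); only the quotes need percent-encoding.
    """
    url = f"{APIC_BASE_URL}/api/class/{mo_class}.json"
    if prop is not None and value is not None:
        flt = f'eq({mo_class}.{prop},"{value}")'
        url += "?query-target-filter=" + quote(flt, safe="(),.")
    return url


def parse_imdata(body: str, mo_class: str) -> list:
    """Extract the attribute dict of every MO of mo_class from an APIC response.

    APIC wraps results as {"totalCount": "...", "imdata": [{"<class>": {"attributes": {...}}}]}.
    Entries of other classes are ignored rather than raising.
    """
    doc = json.loads(body)
    results = []
    for entry in doc.get("imdata", []):
        mo = entry.get(mo_class)
        if mo is not None:
            results.append(mo["attributes"])
    return results


def tenant_dns(body: str) -> list:
    """Distinguished names of the tenants in a fvTenant query response."""
    return [t["dn"] for t in parse_imdata(body, "fvTenant")]


def serious_fault_codes(body: str) -> list:
    """Fault codes of faultInst records at critical or major severity, the ones
    an operator would want alerted on rather than found by browsing."""
    return [f["code"] for f in parse_imdata(body, "faultInst")
            if f.get("severity") in ("critical", "major")]


# Constructed sample: what the Visore query for tenant ACILab returns.
SAMPLE_TENANT_RESPONSE = json.dumps({
    "totalCount": "1",
    "imdata": [
        {"fvTenant": {"attributes": {
            "dn": "uni/tn-ACILab", "name": "ACILab", "descr": "", "status": ""}}}
    ]
})

# Constructed sample fault query response; codes are placeholders, not real ones.
SAMPLE_FAULT_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"faultInst": {"attributes": {
            "dn": "uni/tn-ACILab/fault-F-EXAMPLE-1", "code": "F-EXAMPLE-1",
            "severity": "major", "descr": "constructed sample fault"}}},
        {"faultInst": {"attributes": {
            "dn": "uni/tn-ACILab/fault-F-EXAMPLE-2", "code": "F-EXAMPLE-2",
            "severity": "warning", "descr": "constructed sample fault"}}}
    ]
})


if __name__ == "__main__":
    print(build_class_query("fvTenant", "name", "ACILab"))
    print(tenant_dns(SAMPLE_TENANT_RESPONSE))
    print(serious_fault_codes(SAMPLE_FAULT_RESPONSE))
```

    Against a live APIC the same URL is fetched after an aaaLogin session is established, which is the exchange the API Inspector shows when you log in; filtering by tenant with a second eq() term on the dn prefix, or narrowing faultInst by severity server-side, follows the same query-target-filter syntax.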