Operating Cisco Application Centric Infrastructure

New logical concepts from the Operating Cisco Application Centric Infrastructure paper
Fabric – Access Policies

Domains

Endpoint groups are considered the “who” in ACI; contracts are considered the “what/when/why”; AEPs can be considered the “where” and domains can be thought of as the “how” of the fabric. Different domain types are created depending on how a device is connected to the leaf switch. There are four different domain types: physical domains, external bridged domains, external routed domains, and VMM domains. 

* Physical domains are generally used for bare metal servers or servers where hypervisor integration is not an option.

* External bridged domains are used for Layer 2 connections. For example, an external bridged domain could be used to connect an existing switch trunked-up to a leaf switch.

* External routed domains are used for Layer 3 connections. For example, an external routed domain could be used to connect a WAN router to the leaf switch.

* Domains act as the glue between the access-policy configuration done in the Fabric tab and the policy model and endpoint group configuration found in the Tenants pane. The fabric operator creates the domains, and the tenant administrators associate domains with endpoint groups.

Ideally, policies should be created once and reused when connecting new devices to the fabric. Maximizing the reusability of policies and objects makes day-to-day operations faster and large-scale changes easier. The usage of a policy can be viewed by clicking the Show Usage button in the Application Policy Infrastructure Controller (APIC) GUI. Use this to determine which objects reference a given policy, so that the impact of a change is understood before it is made.

For an in-depth whiteboard explanation of domains, watch the video titled “How Devices Connect to the Fabric: Understanding Cisco ACI Domains”: https://www.youtube.com/watch?v=_iQvoC9zQ_A
VLAN Pools

VLAN pools contain the VLANs used by the EPGs that the domain will be tied to. A domain is associated with a single VLAN pool. VXLAN and multicast address pools are also configurable. VLANs are instantiated on leaf switches based on the AEP configuration. Allow/deny forwarding decisions are still based on contracts and the policy model, not on subnets and VLANs.
Attachable Access Entity Profiles

Attachable Access Entity Profiles (AEPs) can be considered the “where” of the fabric configuration and are used to group domains with similar requirements. AEPs are tied to interface policy groups, and one or more domains can be added to an AEP. By grouping domains into AEPs and associating the AEPs with interface policy groups, the fabric knows where the devices in each domain live, and the Application Policy Infrastructure Controller (APIC) can push the VLANs and policy to the leaf switches and ports that need them. AEPs are configured under the Global Policies section.

Cisco 6500 – Failed supervisor

Recently we completed a relocation of 2 x 6500 switches. When powering on one of the 6500 switches, it booted into rommon. We discovered that the supervisor had failed. The supervisor was under maintenance and Cisco TAC sent a new SUP card. The switch loaded with the IOS that was shipped with the supervisor. 

To transfer the original IOS and running configuration we set up a TFTP server and set up a temporary VLAN on the switch to transfer the files. The newer IOS was removed. The switch loaded with the correct IOS. The original running config was copied to the startup configuration.

The switch was reloaded and we confirmed the configuration loaded fine. A maintenance was scheduled to connect the switch to the other 6500. There were no issues when connecting the switch back into the network.

Cisco ISE – TACACS authentication

TACACS authentication in Cisco ISE was released in version 2.0. The feature requires a Device Administration license before it can be enabled.

Once the Device Administration license has been applied, enable the feature by selecting its checkbox under Administration – Deployment and selecting the ISE nodes that will provide it.

The next step is to import your network devices. Cisco ISE requires the hostname, IP address and TACACS shared secret for each device. There is a template for bulk importing.

Next, configure your network devices to use TACACS for authentication and/or authorisation: use the TACACS host command to point the devices at the ISE servers, and configure the TACACS shared secret on each device.

You must now create a device administration policy. It should define who can authenticate (e.g. internal or Active Directory users) and, for authorisation, what those users are permitted to access. This can be found under Work Centre.

Real-time TACACS authentication and authorisation can be viewed and monitored by selecting Operations – TACACS Live Log.

Incomplete hardware address

Recently I was working on an issue where a VM with a load balancing function would lose network connectivity consistently every 10-15 minutes for approximately 5-10 minutes.

I traced the MAC address entry back to the core, which consisted of a set of 6500 switches.

The ARP table on the core showed an incomplete hardware address. This generally occurs for one of two reasons: the host doesn’t exist, or the switch is receiving packets for that IP address on another interface.

To get this to work I had to set a static ARP entry on the core with the configured IP address and the hardware address for the VM load balancer.

Migrating to Cisco ACI from a traditional network

When migrating from a traditional network to Cisco ACI, the following objects were created and configured:

1. Allow/create the VLAN: Fabric – Access Policies – Pools – create a VLAN pool containing the VLAN ID and set its allocation mode to static.

2. Create the Bridge Domain: Tenants – Tenant x – Bridge Domains – create the BD and set the following parameters: BD name and gateway address.

3. Create the EPG: Tenants – Tenant x – Application Profiles – EPG – create the EPG and set the following parameters: BD, Domains, Static Bindings (Paths) and Contracts.
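The three migration steps above only produce a working EPG when the chain described in the Domains, VLAN Pools and AEP sections lines up: the port's interface policy group must lead to an AEP that carries a domain associated with the EPG, and that domain's pool must be a static pool containing the bound VLAN. The following pre-flight check is an added example, not code from the original post or from Cisco; it models that chain with constructed object names and flags bindings that would not be programmable.

```python
# Added example (not from the original post); names and values are constructed.
from dataclasses import dataclass

@dataclass
class VlanPool:
    name: str
    alloc_mode: str   # must be "static" for static EPG bindings
    blocks: list      # encap blocks as (from_vlan, to_vlan) tuples

    def contains(self, vlan):
        return any(lo <= vlan <= hi for lo, hi in self.blocks)

@dataclass
class Epg:
    name: str
    bridge_domain: str
    domains: set      # domain names the tenant admin associated with the EPG
    static_bindings: list   # (path, vlan) pairs, e.g. ("leaf101/eth1/1", 100)

def check_binding(epg, path, vlan, domains, aeps, port_aep):
    """Return the problems with one static binding; an empty list means OK.
    domains:  domain name -> VlanPool (a domain is tied to one pool)
    aeps:     AEP name -> set of domain names grouped under that AEP
    port_aep: path -> AEP reached through the port's interface policy group
    """
    aep = port_aep.get(path)
    if aep is None:
        return [f"{path}: no interface policy group / AEP on this port"]
    usable = [d for d in epg.domains if d in aeps[aep]]
    if not usable:
        return [f"{path}: EPG {epg.name} has no domain in AEP {aep}"]
    if not any(domains[d].alloc_mode == "static" and domains[d].contains(vlan) for d in usable):
        return [f"{path}: VLAN {vlan} is not in a static pool of {usable}"]
    return []

def validate_epg(epg, domains, aeps, port_aep):
    """Run check_binding over every static path binding of the EPG."""
    problems = []
    for path, vlan in epg.static_bindings:
        problems.extend(check_binding(epg, path, vlan, domains, aeps, port_aep))
    return problems

# Constructed sample fabric: one static pool, one physical domain, one AEP.
DOMAINS = {"phys-migr": VlanPool("migr-pool", "static", [(100, 110)])}
AEPS = {"aep-servers": {"phys-migr"}}
PORT_AEP = {"leaf101/eth1/1": "aep-servers"}
WEB = Epg("web", "bd-web", {"phys-migr"},
          [("leaf101/eth1/1", 100),    # OK: VLAN 100 is inside migr-pool
           ("leaf101/eth1/1", 200),    # VLAN 200 is outside the pool
           ("leaf102/eth1/5", 100)])   # port has no policy group / AEP
```

Calling `validate_epg(WEB, DOMAINS, AEPS, PORT_AEP)` returns one message per broken binding, which are the same conditions that surface as faults on the EPG after the static bindings are applied.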