
What is most important in today's Data Center?

The Application !!!

It MUST be SIMPLE to deploy it…

LABSDN-2331 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
What Should I Expect from this Lab?
You will provision a 3-tier application in ACI through the labs below:
Module 1
• Lab 1 – Deploying Basic ACI functions
• Lab 2 – L2out – Creating L2 Extension
• Lab 3 – L3out – Creating an L3 Extension with OSPF/iBGP
• Lab 4 – Associate a VMM Domain to the EPG’s in Application Profile

Module 2
• Lab 5 – L4-7 Services Integration and Python Automation

Cisco ACI hands on Lab

LABSDN-2331

Vasil Yordanov – SVS NCE


Minhaj Uddin – SVS NCE
Agenda
• Introduction
– What to expect from this session
• What is Application Centric Infrastructure (ACI) ?
– Review of ACI Policy Model
– ACI Fabric Components
• Lab Module 1 - Deploying ACI Network Constructs and
Hypervisor Integration
• Integrating L4-L7 Services with ACI
• Lab Module 2 – Integrating L4-L7 Services with ACI
• Conclusion
• Q&A

What is Application Centric Infrastructure ?
Cisco ACI
Logical Network Provisioning of Stateless Hardware

[Diagram: Web, App and DB tiers, each with QoS, reached from Outside (Tenant VRF) through Filter, Service and Filter; the APIC holds the application policy for the ACI fabric. Infrastructure labels: Scale-Out, Penalty Free Overlay, Controller]

ACI Network Profile
Policy-Based Fabric Management

• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric
• Network profile: stateless definition of application requirements
  - Application tiers
  - Connectivity policies
  - Layer 4 – 7 services
  - XML/JSON schema
• Fully abstracted from the infrastructure implementation
  - Removes dependencies of the infrastructure
  - Portable across different data center fabrics

The network profile fully describes the application connectivity requirements.

## Network Profile: Defines Application Level Metadata (Pseudo Code Example)
<Network-Profile = Production_Web>
    <App-Tier = Web>
        <Connected-To = Application_Client>
            <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
            <Connection-Policy = Secure_Firewall_Internal & High_Priority>
    ...
    <App-Tier = DataBase>
        <Connected-To = Storage>
            <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
    ...

[Diagram: Application with Web Tier, App Tier and DB Tier, and Storage]

OpFlex: an open, extensible policy protocol

OpFlex was designed to offer:
1. Abstract policies rather than device-specific configuration
2. Flexible, extensible definition of using XML / JSON
3. Support for any device including virtual switches, physical switches, network services with strong interoperability across vendors
4. Open, standardized API with an open source reference implementation

Policies:
• Who can talk to whom
• What about
• Ops requirements

[Diagram: APIC speaking OpFlex to an OpFlex proxy and OpFlex agents on the hypervisor switch, firewall and ADC]

Multi-Hypervisor-Ready Fabric
Virtual Integration

• Integrated gateway for VLAN, VxLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multi-hypervisor

[Diagram: Network Admin and APIC above the ACI fabric; below it ESX (VMware), Hyper-V (Microsoft), KVM (Red Hat) and a physical server, attached with VLAN, VXLAN and NVGRE; Application Admin and Hypervisor Management for VMware, Microsoft, Red Hat and XenServer]

Review of the ACI Policy Model
End-points

• Things that connect to the fabric and use it to interface with other things
• A compute, storage or service instance attaching to a fabric

[Diagram: NICs and vNICs attached to the ACI fabric as end-points (EP)]

A collection of end-points with identical network behaviour forms an End Point Group (EPG).

End-point Groups (EPGs)

EPGs allow rules and policies to be specified on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location.

An EPG can flexibly map into:
• application tier of multi-tier app
• segmentation construct (ala VLAN)
• a security construct
• ESX port group, SCVMM VMNetwork
• …

[Diagram: end-points (EP) grouped into end-point groups (EPG WEB, EPG APP SERVER), with policies applied to the groups]

Application Network Profiles (ANP) – what’s that ?
Application Network profiles are a group of EPGs and the
policies that define the communication between them.

[Diagram: Application Network Profile containing EPG - WEB, EPG - APP and EPG - DB, with Inbound/Outbound Policies between the EPGs]

Applying Policy between EPGs: ACI contracts
Contracts define the way in which EPGs interact.
The policy model allows for both unidirectional and bidirectional policies.

Ex: ACI Logical Model applied to the “3-Tier App” ANP

[Diagram: EPG A, EPG B and EPG C; Contract 01 labelled Bidirectional Communication, Contract 02 labelled Unidirectional Communication]

ACI Logical Model
[Diagram: a Tenant with Contexts; Application Network Profiles A, B and C (Applications A, B and C), each made up of EPGs, with Policy between them]

Tenant L3, L2 Isolation

• Tenant: self-contained tenant definition representable as a recursive structured text document
• BD: with or without flooding semantics
• L3 context: isolated tenant VRF

[Diagram: network profile with EPG WEB, EPG APP SERVER and an outside EPG; end-points (EP) sit in EPGs, EPGs in BDs with subnets, all inside the L3 context]

ACI Fabric Components
ACI – Components
A Policy Based IP Network

• IP Network & Integrated VXLAN
• APIC - Policy Controller & Distributed Management Information Tree (DMIT)
• Proxy (Directory) Services
• Physical and Virtual VTEPs (Policy & Forwarding Edge Nodes), including AVS
• WAN/DCI Services
• Physical and Virtual L4-7 Service Nodes
• Physical and Virtual Endpoints (Servers) & VMM (Hypervisor vSwitch)

[Diagram: VTEPs carrying the IP payload in VXLAN across the fabric]

Lab-Session: Module 1
What equipment do we have?

• OOB mgmt: WS-C3750G
• APIC 1, APIC 2, APIC 3
• Spine 1, Spine 2: Nexus 9336PQ
• Leaf 1, Leaf 2: Nexus 9396PX
• UCS 6248UP (two)
• UCS-B (two)
• Nexus 3172PQ, Internet
• Windows 2008 RDP Server

Now let's translate to a logical model
[Diagram: the APIC holds an Application Network Profile with F/W and the WEB, APP and DB EPGs; below them the WEB PORT GROUP, APP PORT GROUP and DB PORT GROUP, each with a VM]

ACI Fabric per POD
Tenants, Private Networks, Bridge Domains, EPGs… (X - POD number)

• Tenant “customerX”
• PN “CTX1”
• BD1: Subnet 10.X.10.1/24, Subnet 10.X.20.1/24, Subnet 10.X.30.1/24
• BD2: 101.X.90.1/24
• EPG WEB, EPG APP, EPG DB (Apps, VMs)
• Services: ASAv, inside / outside
• Infrastructure

Timelines
ACI Hand-on-Lab Session

Lecture 1 – Introduction to Application Centric Infrastructure (ACI) – ( 09:30 – 10:00 )

Lab Module 1 - Deploying ACI Network Constructs ( 10:00 – 12:00 )

Lecture 2 - Integration and Automation of L4-7 Services ( 12:15 – 12:30 )

Lab Module 2 – Integrating L4-7 Services with ACI ( 12:30 – 01:30 )

Conclusion

Q&A

Integrating L4-7 Services with ACI
ACI Layer 4 - 7 Service Integration
Centralized, Automated, And Supports Existing Model

• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location

[Diagram: Policy Redirection between Web Tier A (Web Servers) and App Tier B (App Servers) through chain “Security 5”, defined by the Application Admin; the Service Graph runs begin, Stage 1 … Stage N, end; the Service Admin provides Service Profiles and instances (Firewall, Load Balancer) as Providers]

Device Definition and Package

• Securely upload Device Package zip file to APIC
• Device Package consists of
  – DeviceSpecification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root.
  – DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events to Device interactions.
• The Device Package should be created by a 3rd party vendor, ACI, advanced services, the customer, etc.
• Interactions are Device Attachment, Endpoint Attachment, Service Graph Rendering, Health Monitoring, Faults, Counters

Device Specification:
<dev type= “f5”>
<service type= “slb”>
<param name= “vip”>
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>

[Diagram: Device Package made of DeviceSpec and DeviceScript; the DeviceScript reaches the Partner Device over Rest/CLI]

Key Concepts in Service Insertion

• Concrete Device: it represents a service device, e.g. one load balancer, or one firewall
• Logical Device: represents a cluster of 2 devices that operate, for instance, in active/standby mode.
• Abstract Service Graph: defines a sequence of connected “functions”, e.g. a firewall followed by a load balancer.
• Abstract Node: an element in the Abstract Graph. The Abstract Node is mapped to the logical devices via the Logical Device Context.
• Device Package: defines things such as how to label “connectors” for a function, and how to translate
“names” from ACI to the specific device.
• Device Types:
GoTo – L3 mode
GoThrough – L2 mode

Initial steps

• First you need to configure the management IP address for the pair of load
balancers or firewalls
• Also add a license to the device
• The management interface connects to a Management EPG that you need to
configure or it connects out of band
• And you need to configure them in active/standby or active/active mode
• Connect them to a leaf, or install the virtual appliance on a virtualized server
• Make sure the device package is installed on the APIC

Configuration steps

• Split the bridge domain as needed and associate subnets with it - BD1 and BD2
• Create Logical Device, and Concrete Device
• Create Service Graph
• Create Selection Criteria (Logical Device Context) to render the service graph
• Associate Service Graph with a contract

Lab-Session: Module 2
What we will do in this Module
Single node service graph (X - pod number)

• contract: WEB_FW, subject: web_fw
• Service Graph: Firewall (ASAv, GoTo mode), Policy Redirection
• BD2: 101.X.90.1, 101.X.90.3; ASAv outside 101.X.90.198
• BD1: 10.X.10.1; ASAv inside 10.X.10.198
• L2OUT Services: 200.X.1.1, 200.X.1.200
• EPG WEB: WebServer 10.X.10.200, http://10.X.10.200

ACI hands on Lab
LABSDN-2331

Vasil Yordanov (vyordano@cisco.com)


Minhaj Uddin (miuddin@cisco.com)

1 of 125
© LABSDN-2331 ACI hands on Lab - Cisco Systems, Inc. All rights reserved
Table of Contents

Introduction to the Lab
Module 1
Lab 0 – Lab Topology, Components and Connectivity
    Remote Desktop Connection and APIC / vCenter / N3K / Application servers login access and credentials
    Table 1 - RDP/VM IP address per assigned POD
    Remote Lab Access Instructions
    Table 2 – Naming convention used in Module 1 and 2
    Table 3 – L2out (Vlan ID) / L3out (Router ID/ SVI IP/ VLAN ID)
Lab 1 – Deploying Basic ACI functions
Lab 2 – L2out - Creating L2 extension
Lab 3 – L3out - Creating an external OSPF/iBGP connections
Lab 4 – Associate a VMM Domain to the EPGs in Application Profiles
Module 2
Lab 5 - L4-L7 Services integration
Appendix A
Appendix B

Introduction to the Lab
The lab has two modules.

Module 1 – This Module is divided into five lab sections.

Lab 0: Lab Topology and connectivity information

Lab 1: Deploying Basic ACI functions

Lab 2: L2out - Creating an L2 extension

Lab 3: L3out - Creating an external OSPF/iBGP connections

Lab 4: Associate a VMM Domain to the EPGs in Application Profile

Module 2 – This Module consists of one lab section.

Lab 5: L4-L7 Services integration

Appendix A – What was already preconfigured for Module 1.

Appendix B – What was already preconfigured for Module 2.

In this lab, all the configuration tasks will focus on the basic ACI features. You will not
configure the AVS integration with ACI. It is already preconfigured for you. All VMs are
deployed and preconfigured with the needed IPs – you will have to assign the proper port
group, which is explained in detail later in this manual.

This lab is not a design guide. The purpose of this lab is to teach and experiment with
certain elements of ACI fabric.

Prerequisites:

• Familiarity with NX-OS or Cisco IOS and VMware vCenter


• Knowledge of Routing and Switching

Notes:

• You do not have to save your configuration, as the APIC does this automatically for you
• Most of the screenshots used in this lab guide are from tenant “customer1”

YOU DO NOT HAVE TO SAVE YOUR WORK

Module 1
Lab 0 – Lab Topology, Components and
Connectivity

Objective:
• Briefly introduce each component in the topology
• Provide remote connection information for the lab pod
• Explain how to open the HTTPS/SSH/telnet sessions that you will use throughout the lab

Physical Topology Diagram:

Logical Topology Diagram:

• The lab contains 1 ACI fabric shared by all pods according to the diagram above.
• The UCS Servers are shared by all pods.
• Nexus 3172 is shared by all pods – only view access as it is already preconfigured for
you.
• VMs will be used for Remote Desktop that will allow you to access your assigned
POD devices. 3 VMs WEB/APP/DB will be used as application VMs. There is also 1
“ubuntu-python” VM shared by all pods for running a Python script in Module 2
• Please do not change any configuration on the VMs except changing the port groups
in vCenter as per the instructions later in the lab guide.

Addressing and naming scheme:

“X” in this Lab Guide represents the POD number. You will be required to
substitute the “X” with your assigned POD number throughout the lab.
For RDP to the Student Desktop (Windows 2008 Server) and VMs access check Table 1.

For the naming scheme for configuring APIC tasks in Module 1 and 2 check Table 2. Please
use the exact naming scheme as per Table 2, as this is very important to completing the
whole lab, where all the names need to match, especially for the L4-L7 Service Graph
part. We are using a Python script to shorten and ease the configuration, so these names need
to match exactly as per Table 2.

For L2out (VLAN ID) - in module 1 check Table 3 - (VLAN ID)

For L3out (Router ID/ SVI IP/ VLAN ID) in module 1 check Table 3 (Router ID/ SVI IP/ VLAN
ID).

For the ASAv MGMT IP please check Table 4. Please do not change any configuration on
the ASAv – only the APIC will do the needed configuration!

Remote Desktop Connection and APIC / vCenter / N3K / Application
servers login access and credentials

Please use your POD in “POD number and corresponding RDP IP table” below and use
ONLY the assigned IP to connect to your POD devices with the instruction below.

RDP: (see the IPs from Table 1 below)
Please use Username: aci-user-podX
Please use Password: (Proctors will provide)
X is the pod number.

APIC: 10.15.27.221, 10.15.27.222, 10.15.27.223
Please use Username: studentX
Please use Password: ciscolabX
X is the pod number.

vCenter: 10.15.27.150
Please use Username: studentX
Please use Password: Password!
X is the pod number.

WEB/APP/DB: (see the IPs from Table 1 below) (only non-root access is needed)
Please use Username: student
Please use Password: student

ubuntu-python server: 10.15.27.251 (only non-root access is needed)
Please use Username: studentX
Please use Password: Password!
X is the pod number.

Nexus 3000: 10.15.27.10 (only view access is needed)
Please use Username: student
Please use Password: Password!

ASAv: (see the IPs per POD from Table 4 below) – please do not change the config.
Please use Username: cisco
Please use Password: cisco123

The following are the IPs and the instructions for accessing the Lab, which is based in San
Jose, CA, USA.

Table 1 - RDP/VM IP address per assigned POD

POD Number    RDP IP address    WEB / APP / DB VMs Mgmt IP

POD 1 173.36.249.89 10.15.28.81 / 10.15.28.131 / 10.15.28.171

POD 2 173.36.249.90 10.15.28.82 / 10.15.28.132 / 10.15.28.172

POD 3 173.36.249.91 10.15.28.83 / 10.15.28.133 / 10.15.28.173

POD 4 173.36.249.92 10.15.28.84 / 10.15.28.134 / 10.15.28.174

POD 5 173.36.249.93 10.15.28.85 / 10.15.28.135 / 10.15.28.175

POD 6 173.36.249.94 10.15.28.86 / 10.15.28.136 / 10.15.28.176

POD 7 173.36.249.95 10.15.28.87 / 10.15.28.137 / 10.15.28.177

POD 8 173.36.249.96 10.15.28.88 / 10.15.28.138 / 10.15.28.178

POD 9 173.36.249.97 10.15.28.89 / 10.15.28.139 / 10.15.28.179

POD 10 173.36.249.98 10.15.28.90 / 10.15.28.140 / 10.15.28.180

POD 11 173.36.249.99 10.15.28.91 / 10.15.28.141 / 10.15.28.181

POD 12 173.36.249.100 10.15.28.92 / 10.15.28.142 / 10.15.28.182

POD 13 173.36.249.101 10.15.28.93 / 10.15.28.143 / 10.15.28.183

POD 14 173.36.249.102 10.15.28.94 / 10.15.28.144 / 10.15.28.184

POD 15 173.36.249.103 10.15.28.95 / 10.15.28.145 / 10.15.28.185

POD 16 173.36.249.104 10.15.28.96 / 10.15.28.146 / 10.15.28.186

POD 17 173.36.249.105 10.15.28.97 / 10.15.28.147 / 10.15.28.187

POD 18 173.36.249.106 10.15.28.98 / 10.15.28.148 / 10.15.28.188

POD 19 173.36.249.107 10.15.28.99 / 10.15.28.149 / 10.15.28.189

POD 20 173.36.249.108 10.15.28.100 / 10.15.28.150 / 10.15.28.190

POD 21 173.36.249.109 10.15.28.101 / 10.15.28.151 / 10.15.28.191

POD 22 173.36.249.110 10.15.28.102 / 10.15.28.152 / 10.15.28.192

POD 23 173.36.249.111 10.15.28.103 / 10.15.28.153 / 10.15.28.193

POD 24 173.36.249.112 10.15.28.104 / 10.15.28.154 / 10.15.28.194

POD 25 173.36.249.113 10.15.28.105 / 10.15.28.155 / 10.15.28.195

POD 26 173.36.249.114 10.15.28.106 / 10.15.28.156 / 10.15.28.196

POD 27 173.36.249.115 10.15.28.107 / 10.15.28.157 / 10.15.28.197

POD 28 173.36.249.116 10.15.28.108 / 10.15.28.158 / 10.15.28.198

POD 29 173.36.249.117 10.15.28.109 / 10.15.28.159 / 10.15.28.199

POD 30 173.36.249.118 10.15.28.110 / 10.15.28.160 / 10.15.28.200

POD 31 173.36.249.119 10.15.28.111 / 10.15.28.161 / 10.15.28.201

POD 32 173.36.249.120 10.15.28.112 / 10.15.28.162 / 10.15.28.202

Remote Lab Access Instructions

If an AnyConnect VPN session is needed first (the Lab Proctors will provide this information),
please do the following:

Step 1 Step 2
Click on the icon on your Desktop

Connect to IP 173.36.255.218

Once connected select:

Group: ACI-1
Username: aci-1-userX
X is your POD number
Password: Proctors will provide

Click Yes on the ‘Security Alert’.

Now you can RDP to the Jump Server, as explained on the next page.

LAB Testbed can be remotely accessed using Remote Desktop Connection.

A Windows 2008 Terminal Server is used as a Student Desktop that has access to the
Cisco DMZ lab network. PuTTY client will provide a preconfigured database with all the lab
management IP addresses. APIC and vCenter are reachable via a web browser from it.

Step 1 Step 2

Open Remote Desktop Connection from your desktop computer:
Start → Programs → Accessories → Remote Desktop Connection

In the Computer name field use: <Your assigned POD RDP IP as per Table 1>

Please use Username: aci-user-podX
Please use Password: (Proctors will provide)
X is the pod number.

Step 3 Step 4

From this Jump Server you will be able to access APIC/vCenter/Application
servers/Nexus 3000/ASAv described below.

The username/password uses the following format:

Username: aci-user-podX
Password: (Proctors will provide)

X is the pod number.

Example: If you are in POD1 your username will be 'aci-user-pod1'.

How to access APIC via HTTPS

Step1: Click on the icon on the Desktop named “APIC”

On the desktop there is an icon named APIC. Double click on this icon in order
to access the APIC.

You can also open a Google Chrome browser and use one of the 3 APIC
controllers IP to login:
https://10.15.27.221
https://10.15.27.222
https://10.15.27.223

Step2: Click on the following:

Step3: Click on “Advanced”

Step4: Use the credentials below

Use the following credentials to login:

Username: studentX
Password: ciscolabX

X is the pod number.

How to access WEB/APP/DB via SSH

Click on the icon on the Desktop named “putty”

For SSH access to the WEB/APP/DB servers we will use the PuTTY client. On
the desktop there is an icon named “putty”. Double click on this icon in order
to open the PuTTY SSH client.

Step3: Click and load one of the saved sessions to the corresponding WEB/APP/DB
servers

Step 4 - login screen

Use the following credentials to login:

Username: student
Password: student

How to access vCenter

Step1: Click on the icon on the Desktop named “vSphere Web Client”

For access to vCenter, double click on the “vSphere Web Client” icon. It is reachable
over the Out-Of-Band Management network.

Step : vSphere WebClient

Step3:
For login credentials use:

Please use Username: studentX
Please use Password: Password!
X is the pod number.

Step4:

Table 2 – Naming convention used in Module 1 and 2

Tenant                                                  customerX
Network (Context)                                       CTX1
Bridge Domain 1                                         BD1
    Public Subnet                                       10.X.10.1/24
    Public Subnet                                       10.X.20.1/24
    Private Subnet                                      10.X.30.1/24
Bridge Domain 2                                         BD2
    Private Subnet                                      101.X.90.1/24
Application1                                            APP1
EPG1                                                    WEB
EPG2                                                    APP
EPG3                                                    DB
Contract 1                                              APP-to-WEB
    Subject 1                                           All
Contract 2                                              DB-to-APP
    Subject 2                                           All
Contract 3                                              Internet-to-APP
    Subject 3                                           All
Contract (L4-L7)                                        WEB_FW_contract
    Subject (L4-L7)                                     web_fw
External Bridged Network (Bridged Outside - L2out)      L2out_Services
    Logical Node profile                                L2out_node_profile
    Interface Profile                                   L2out_interface_profile
    Networks                                            L2out_ext_network
External Routed Network (Routed Outside – L3out)        Internet_access
    Logical Node profile                                to_N3K
    Logical Interface Profile                           SVI_to_N3K
    Networks                                            Internet
L4-L7 Devices (ASAv)                                    ASAv-customerX
Service Graph                                           Web_Services

Table 3 – L2out (Vlan ID) / L3out (Router ID/ SVI IP/ VLAN ID)

POD Number    L2out VLAN ID    L3out Router ID    L3out SVI IP Address / ENCAP VLAN

POD 1 801 100.11.0.1 -leaf1 10.11.0.2/24 / vlan-1100


100.11.0.2 -leaf2 10.11.0.3/24 / vlan-1100

POD 2 802 100.11.1.1 -leaf1 10.11.1.2/24 / vlan-1101


100.11.1.2 -leaf2 10.11.1.3/24 / vlan-1101

POD 3 803 100.11.2.1 -leaf1 10.11.2.2/24 / vlan-1102


100.11.2.2 -leaf2 10.11.2.3/24 / vlan-1102

POD 4 804 100.11.3.1 -leaf1 10.11.3.2/24 / vlan-1103


100.11.3.2 -leaf2 10.11.3.3/24 / vlan-1103

POD 5 805 100.11.4.1 -leaf1 10.11.4.2/24 / vlan-1104


100.11.4.2 -leaf2 10.11.4.3/24 / vlan-1104

POD 6 806 100.11.5.1 -leaf1 10.11.5.2/24 / vlan-1105


100.11.5.2 -leaf2 10.11.5.3/24 / vlan-1105

POD 7 807 100.11.6.1 -leaf1 10.11.6.2/24 / vlan-1106


100.11.6.2 -leaf2 10.11.6.3/24 / vlan-1106

POD 8 808 100.11.7.1 -leaf1 10.11.7.2/24 / vlan-1107


100.11.7.2 -leaf2 10.11.7.3/24 / vlan-1107

POD 9 809 100.11.8.1 -leaf1 10.11.8.2/24 / vlan-1108


100.11.8.2 -leaf2 10.11.8.3/24 / vlan-1108

POD 10 810 100.11.9.1 -leaf1 10.11.9.2/24 / vlan-1109


100.11.9.2 -leaf2 10.11.9.3/24 / vlan-1109

POD 11 811 100.11.10.1 -leaf1 10.111.10.2/24 / vlan-1110


100.11.10.2 -leaf2 10.111.10.3/24 / vlan-1110

POD 12 812 100.11.11.1 -leaf1 10.11.11.2/24 / vlan-1111


100.11.11.2 -leaf2 10.11.11.3/24 / vlan-1111

POD 13 813 100.11.12.1 -leaf1 10.11.12.2/24 / vlan-1112


100.11.12.2 -leaf2 10.11.12.3/24 / vlan-1112

POD 14 814 100.11.13.1 -leaf1 10.11.13.2/24 / vlan-1113


100.11.13.2 -leaf2 10.11.13.3/24 / vlan-1113

POD 15 815 100.11.14.1 -leaf1 10.11.14.2/24 / vlan-1114


100.11.14.2 -leaf2 10.11.14.3/24 / vlan-1114

POD 16 816 100.11.15.1 -leaf1 10.11.15.2/24 / vlan-1115


100.11.15.2 -leaf2 10.11.15.3/24 / vlan-1115

POD 17 817 100.11.16.1 -leaf1 10.11.16.2/24 / vlan-1116


100.11.16.2 -leaf2 10.11.16.3/24 / vlan-1116

POD 18 818 100.11.17.1 -leaf1 10.11.17.2/24 / vlan-1117


100.11.17.2 -leaf2 10.11.17.3/24 / vlan-1117

POD 19 819 100.11.18.1 -leaf1 10.11.18.2/24 / vlan-1118


100.11.18.2 -leaf2 10.11.18.3/24 / vlan-1118

POD 20 820 100.11.19.1 -leaf1 10.11.19.2/24 / vlan-1119
100.11.19.2 -leaf2 10.11.19.3/24 / vlan-1119

POD 21 821 100.11.20.1 -leaf1 10.11.20.2/24 / vlan-1120


100.11.20.2 -leaf2 10.11.20.3/24 / vlan-1120

POD 22 822 100.11.21.1 -leaf1 10.11.21.2/24 / vlan-1121


100.11.21.2 -leaf2 10.11.21.3/24 / vlan-1121

POD 23 823 100.11.22.1 -leaf1 10.11.22.2/24 / vlan-1122


100.11.22.2 -leaf2 10.11.22.3/24 / vlan-1122

POD 24 824 100.11.23.1 -leaf1 10.11.23.2/24 / vlan-1123


100.11.23.2 -leaf2 10.11.23.3/24 / vlan-1123

POD 25 825 100.11.24.1 -leaf1 10.11.24.2/24 / vlan-1124


100.11.24.2 -leaf2 10.11.24.3/24 / vlan-1124

POD 26 826 100.11.25.1 -leaf1 10.11.25.2/24 / vlan-1125


100.11.25.2 -leaf2 10.11.25.3/24 / vlan-1125

POD 27 827 100.11.26.1 -leaf1 10.11.26.2/24 / vlan-1126


100.11.26.2 -leaf2 10.11.26.3/24 / vlan-1126

POD 28 828 100.11.27.1 -leaf1 10.11.27.2/24 / vlan-1127


100.11.27.2 -leaf2 10.11.27.3/24 / vlan-1127

POD 29 829 100.11.28.1 -leaf1 10.11.28.2/24 / vlan-1128


100.11.28.2 -leaf2 10.11.28.3/24 / vlan-1128

POD 30 830 100.11.29.1 -leaf1 10.11.29.2/24 / vlan-1129


100.11.29.2 -leaf2 10.11.29.3/24 / vlan-1129

POD 31 831 100.11.30.1 -leaf1 10.11.30.2/24 / vlan-1130


100.11.30.2 -leaf2 10.11.30.3/24 / vlan-1130

POD 32 832 100.11.31.1 -leaf1 10.11.31.2/24 / vlan-1131


100.11.31.2 -leaf2 10.11.31.3/24 / vlan-1131

Module 1
Lab 1 – Deploying Basic ACI functions

Objective:
• Creating a Private Network (context) for the tenant
• Creating two Bridge Domains
• Creating Subnets
• Creating one Application Profile
• Creating Contracts and Filters

NOTE:
Tenant is already created for you.

NOTE: All the screenshots below, unless explicitly mentioned otherwise, are taken
from tenant “customer1” for your reference.
Tenants for everyone are already pre-configured; the steps are shown in
Appendix A.

1. At the APIC GUI, navigate to the customerX tenant by typing your tenant name
customerX in the search window and then clicking it.

X is the POD number

2. Expand the Networking folder, then right-click on the Bridge Domains and select
Create Bridge Domain

3. On the CREATE BRIDGE DOMAIN screen:
a. Give the Bridge Domain a name BD1
b. Click on the Networking drop-down menu
c. Select Create Private Network.

4. On the CREATE PRIVATE NETWORK screen:
a. Give a Network name CTX1
b. Click SUBMIT

5. Back on the CREATE BRIDGE DOMAIN screen:
a. On the Subnets Window, Click on the “+” sign

6. On the CREATE SUBNET screen:
a. Add a Subnet Gateway IP (10.X.10.1/24) - X is the POD number
b. Select the Scope as Public Subnet
c. Click OK

7. Back on the CREATE BRIDGE DOMAIN screen:
a. On the Subnets Window, Click on the “+” sign

8. On the CREATE SUBNET screen:
a. Add a Subnet Gateway IP (10.X.20.1/24) - X is the POD number
b. Select the Scope as Public Subnet
c. Click OK

9. Back on the CREATE BRIDGE DOMAIN screen:
a. On the Subnets Window, Click on the “+” sign

10. On the CREATE SUBNET screen:
a. Add a Subnet Gateway IP (10.X.30.1/24) - X is the POD number
b. Select the Scope as Private Subnet
c. Click OK

11. Back on the CREATE BRIDGE DOMAIN screen:
a. Click SUBMIT

12. Create a second Bridge Domain by following steps 7-11 with the following:
a. Name the Bridge Domain BD2
b. Use the previously created Network CTX1
c. Add the Subnet Gateway IP 101.X.90.1/24 (X is the POD number)
d. Select the Scope as Private Subnet
e. Finish by clicking SUBMIT

13. Now:
a. In the left-hand pane, expand the Networking folder, and expand the Bridge
Domains folder. Here you will see the name of the Bridge Domain you just created.
Now expand the name of the Bridge Domain folder, and you will see the Subnet you
have created.
b. Expand the Private Networks folder. Here you will see the Context you just
created.

Add an Application Profile to ‘customerX’ Tenant (X – pod number)

1. On the TENANTS screen for your tenant:
a. Right-click on the Application Profiles folder, and select Create Application
Profile.

2. On the next screen:
a. Give the application a name (APP1)
b. Click on the “+” to create an EPG

3. On the CREATE APPLICATION EPG screen:
a. Give the EPG a name APP
b. Select the Bridge Domain BD1 which you created above
c. Click OK.

4. Back on the CREATE APPLICATION PROFILE screen, create another EPG by
clicking on the “+” of the EPGs window.

5. Again on the CREATE APPLICATION EPG screen:
a. Give the second EPG a name WEB
b. Select the Bridge Domain BD1 which you created above
c. Click OK.

6. Back on the CREATE APPLICATION PROFILE screen, create another EPG.

7. Again on the CREATE APPLICATION EPG screen:
a. Give the third EPG a name DB
b. Select the Bridge Domain BD1 which you created above
c. Click OK.

8. Now, back on the CREATE APPLICATION PROFILE screen:
a. Make sure DB EPG is selected, then
b. Click the “+” under Provided Contracts

9. On the ADD PROVIDED CONTRACT screen:
a. Select the drop down menu for Name
b. Select Create New Contract.

10. On the CREATE CONTRACT screen:
a. Give the contract a name DB-to-APP
b. Click the “+” under Subjects

11. On the CREATE CONTRACT SUBJECT screen:
a. Give the Subject a name ALL
b. Click the “+” under Filter Chain

c. Select “arp” under Tenant:common

d. Then click “update”

e. Click on “+” on the FILTERS window and select another filter “icmp”
under Tenant:common

f. Then click “update”

g. Click “OK”

h. On the next screen, click SUBMIT

12. Back on the ADD PROVIDED CONTRACT screen:
a. Select the contract you just created above
b. Click OK.

13. Back on the CREATE APPLICATION PROFILE screen:

Notice the graphic at the bottom now shows DB EPG with an arrow to the contract you just
created, indicating that DB EPG is providing that contract.

a. Now, select APP EPG
b. Then click the “+” under Consumed Contracts

14. On the ADD CONSUMED CONTRACT screen:
a. For Name, select the contract you created above.
b. Click OK.

15. Back on the CREATE APPLICATION PROFILE screen:

Notice now that the graphic at the bottom shows an arrow from the contract to APP EPG,
indicating that APP EPG is consuming the contract provided by DB EPG.

a. Now, select APP EPG
b. Then click the “+” under Provided Contracts

16. On the ADD PROVIDED CONTRACT screen:
a. Select the drop down menu for Name
b. Select Create New Contract.

17. On the CREATE CONTRACT screen:
a. Give the contract a name APP-to-WEB
b. Click the “+” under Subjects

18. On the CREATE CONTRACT SUBJECT screen:
a. Give the Subject a name ALL
b. Click the “+” under Filter Chain

c. Select “arp” under Tenant:common

d. Then click “update”

e. Click on “+” on the FILTERS window and select another filter “icmp”
under Tenant:common

f. Then click “update”

g. Click “OK”

h. On the next screen, click SUBMIT

19. Back on the ADD PROVIDED CONTRACT screen:
a. Select the contract you just created above
b. Click OK.

20. Back on the CREATE APPLICATION PROFILE screen:

Notice the graphic at the bottom now shows APP EPG with an arrow to the contract you
just created, indicating that APP EPG is providing that contract.

a. Now, select WEB EPG
b. Then click the “+” under Consumed Contracts

21. On the ADD CONSUMED CONTRACT screen:
a. For Name, select the contract you created above.
b. Click OK.

22. Back on the CREATE APPLICATION PROFILE screen:

Notice now that the graphic at the bottom shows an arrow from the contract to WEB EPG,
indicating that WEB EPG is consuming the contract provided by APP EPG.

a. Click SUBMIT.

NOTE: the graphic of the EPG to Contract relationships can be seen at any time by
selecting the Application EPGs folder under the Application Profile name.
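
The policy built in the steps above can also be written as the nested object tree that the APIC REST API accepts, which makes the resulting segmentation checkable. This is an added example, not part of the lab guide: POD 1 is a sample value, the helper names are hypothetical, and it assumes CTX1 enforces contracts, so two EPGs with no contract between them exchange no traffic.

```python
POD = 1  # constructed sample value for the lab's "X"


def mo(cls, children=(), **attrs):
    """One APIC managed object in the REST API's JSON shape."""
    return {cls: {"attributes": attrs, "children": list(children)}}


def bridge_domain(name, subnets):
    kids = [mo("fvRsCtx", tnFvCtxName="CTX1")]
    kids += [mo("fvSubnet", ip=ip, scope=scope) for ip, scope in subnets]
    return mo("fvBD", kids, name=name)


def contract(name):
    # Subject ALL carrying the arp and icmp filters picked from tenant common.
    filters = [mo("vzRsSubjFiltAtt", tnVzFilterName=f) for f in ("arp", "icmp")]
    return mo("vzBrCP", [mo("vzSubj", filters, name="ALL")], name=name)


def epg(name, provides=(), consumes=()):
    kids = [mo("fvRsBd", tnFvBDName="BD1")]
    kids += [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
    kids += [mo("fvRsCons", tnVzBrCPName=c) for c in consumes]
    return mo("fvAEPg", kids, name=name)


def build_tenant(pod=POD):
    """Lab 1 end state for customerX, as a body for POST /api/mo/uni.json."""
    return mo("fvTenant", [
        mo("fvCtx", name="CTX1"),
        bridge_domain("BD1", [(f"10.{pod}.10.1/24", "public"),
                              (f"10.{pod}.20.1/24", "public"),
                              (f"10.{pod}.30.1/24", "private")]),
        bridge_domain("BD2", [(f"101.{pod}.90.1/24", "private")]),
        contract("DB-to-APP"),
        contract("APP-to-WEB"),
        mo("fvAp", [
            epg("DB", provides=["DB-to-APP"]),
            epg("APP", provides=["APP-to-WEB"], consumes=["DB-to-APP"]),
            epg("WEB", consumes=["APP-to-WEB"]),
        ], name="APP1"),
    ], name=f"customer{pod}")


def walk(node):
    """Yield (class, attributes, children) for every object in the tree."""
    (cls, body), = node.items()
    yield cls, body["attributes"], body["children"]
    for child in body["children"]:
        yield from walk(child)


def contract_sides(tenant):
    """Map contract name -> {"prov": {EPG names}, "cons": {EPG names}}."""
    sides = {}
    for cls, attrs, children in walk(tenant):
        if cls != "fvAEPg":
            continue
        for child in children:
            (rel, body), = child.items()
            side = {"fvRsProv": "prov", "fvRsCons": "cons"}.get(rel)
            if side:
                name = body["attributes"]["tnVzBrCPName"]
                entry = sides.setdefault(name, {"prov": set(), "cons": set()})
                entry[side].add(attrs["name"])
    return sides


def isolated_pairs(tenant):
    """EPG pairs that share no contract (no provider/consumer link)."""
    linked = {frozenset((p, c))
              for s in contract_sides(tenant).values()
              for p in s["prov"] for c in s["cons"]}
    epgs = sorted(a["name"] for cls, a, _ in walk(tenant) if cls == "fvAEPg")
    return [(a, b) for i, a in enumerate(epgs) for b in epgs[i + 1:]
            if frozenset((a, b)) not in linked]


def dangling_contracts(tenant):
    """Contracts missing a provider or a consumer; they permit nothing."""
    sides = contract_sides(tenant)
    names = [a["name"] for cls, a, _ in walk(tenant) if cls == "vzBrCP"]
    return [n for n in names
            if not (sides.get(n, {}).get("prov") and sides.get(n, {}).get("cons"))]


def public_subnets(tenant):
    """Gateway subnets whose scope is public (the lab's Public Subnet)."""
    return [a["ip"] for cls, a, _ in walk(tenant)
            if cls == "fvSubnet" and a["scope"] == "public"]


if __name__ == "__main__":
    t = build_tenant()
    print("isolated EPG pairs:", isolated_pairs(t))
    print("dangling contracts:", dangling_contracts(t))
    print("public subnets:", public_subnets(t))
```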

Module 1
Lab 2 – L2out – Creating L2 extension

Objective:
• Creating L2out for Extending the layer 2 domain beyond the ACI Fabric

L2 OUT – Extending L2 out to the Nexus 3k

To extend the layer 2 domain beyond the ACI Fabric, create a layer 2 outside connection.
The configuration below extends the whole bridge domain (not an individual EPG under the
bridge domain) to the outside network. In our topology we are extending the layer 2 bridge
domain outside to the Nexus 3K environment.

1. At the APIC GUI, navigate to “customerX” Tenant (X is the POD number)

2. Expand the Networking folder, then right-click on External Bridged Networks and select
Create Bridged Outside.

3. On the CREATE BRIDGED OUTSIDE screen:
a. Give the connection a name L2out_Services
b. For Bridge Domain, select the “BD2” you created in previous sections; this is
the bridge domain which is being extended.
c. For Encap, give the value “vlan-8XX”, where XX is the POD number; please
refer to Table 3 according to your POD (this VLAN is already configured on the N3K).
Example: POD1 will use VLAN 801
The layer 2 outside connection will put this VLAN and BD2 of the ACI fabric
in the same layer 2 domain.
d. Click the “+” to add a node profile

4. On the CREATE NODE PROFILE screen:
a. Give the profile a name L2out_node_profile
b. Click the “+” to add interface profiles


5. On the CREATE INTERFACE PROFILE screen:
a. Give the profile a name L2out-interface_profile
b. Click the “+” to add interfaces.

6. On the CREATE INTERFACE PROFILE screen:
a. Select Path Type as “Virtual Port Channel”
b. And select the path topology/pod-1/protpaths-101-102/pathep-[VPC_N3k_VPC]
c. Click OK

7. Back on the CREATE INTERFACE PROFILE screen:
a. Click OK

8. Back on the CREATE NODE PROFILE screen:
a. Click OK

9. Back on the CREATE BRIDGED OUTSIDE screen:
a. Click NEXT.

10. On the CREATE BRIDGED OUTSIDE screen:
a. Click the “+” on the Configure External EPG Networks window

11. On the CREATE EXTERNAL NETWORK screen:
a. Give the External Network a name L2out_ext_network
b. Click OK

To test from the N3K whether the configuration is successful:

ping 101.X.90.1 (pervasive SVI IP on BD2); X is the POD number.

Nexus 3000: 10.15.27.10 (accessible via PuTTY from the Windows 2008 Desktop)
Please use Username: student
Please use Password: Password!

Module 1
Lab 3 – L3out - Creating external OSPF/iBGP connections

Objective:
• Creating L3out for L3 External Connection beyond the ACI Fabric

L3 External Connection

1. At the APIC GUI, navigate to customerX Tenant, X is the POD number

2. Expand the Networking folder, then right-click on External Router Networks and select
Create Routed Outside.

3. On the CREATE ROUTED OUTSIDE screen:
a. Give the connection a name Internet_access
b. For Private Network, select the network you created CTX1
c. Check the box for OSPF and BGP
d. Give a value of 1 for the OSPF Area ID
e. Click the “+” to add a node profile

4. On the CREATE NODE PROFILE screen:
a. Give the profile a name to_N3K
b. Click the “+” to add a node.

5. On the SELECT NODE screen:
a. Select Node Id topology/pod-1/node-101
b. And give it a Router ID from Table 3 per POD
c. Click OK

6. Back on the CREATE NODE PROFILE screen:
a. Click the “+” again to add a 2nd node.

7. On the SELECT NODE screen:
a. Select Node Id topology/pod-1/node-102
b. And give it a Router ID from Table 3 per POD
c. Click OK

8. Back on the CREATE NODE PROFILE screen:
a. Click on the “+” under BGP Peer Connectivity Profiles, to add a profile

9. On the Create Peer Connectivity Profile screen:
a. Add the Peer Address of N3K as “100.100.100.100” (same for all PODs)
b. Click OK

10. Back on the CREATE NODE PROFILE screen:
a. Click on the “+” under OSPF INTERFACE PROFILES, to add a profile

11. On the CREATE INTERFACE PROFILE screen:
a. Give the profile a name SVI-to-N3K
b. Down in the INTERFACES section, select the SVI tab.
c. Then click on the “+” to add SVI INTERFACES

12. On the SELECT SVI INTERFACE screen:
a. For Path type, select “Port”
b. For Path, select eth1/48 on Leaf-101
c. For Encap, type vlan-XXXX, where XXXX is the VLAN number; please
refer to Table 3 according to your POD
d. For IP, type the IP according to Table 3
e. Click OK.

13. Back on the CREATE INTERFACE PROFILE screen, click the “+” to add another
SVI Interface

14. On the SELECT SVI INTERFACE screen:
a. For Path type, select “Port”
b. For Path, select eth1/48 on Leaf-102
c. For Encap, type vlan-XXXX, where XXXX is the VLAN number; please
refer to Table 3 according to your POD
d. For IP, type the IP according to Table 3
e. Click OK.

15. Back on the CREATE INTERFACE PROFILE screen, click OK.

16. Back on the CREATE NODE PROFILE screen, click OK.

17. Back on the CREATE ROUTED OUTSIDE screen, click NEXT.

18. On the CREATE ROUTED OUTSIDE screen, click the “+” to add EXTERNAL EPG
NETWORK.

19. On the CREATE EXTERNAL NETWORK screen:
a. Give it a name Internet
b. Click “+” to add a SUBNET

20. On the CREATE SUBNET screen, enter 0.0.0.0/0 as the External Subnet.

21. Back on the CREATE EXTERNAL NETWORK screen, click OK.

22. Back on the CREATE ROUTED OUTSIDE screen, click FINISH.

After this step your configuration should look exactly like the screenshot below:
Example from tenant4:

Now we need to associate BD1 (which was created earlier) with the
L3 out created earlier in order to advertise the subnets. The subnets will
be advertised only when we associate the VMM domain with the EPGs later in this
lab.
1. Expand the Networking folder and then expand the Bridge Domains folder:
a. Click on the BD1 folder
b. Click the “+” on the Associated L3 Out window
c. Select “customerX/Internet_access” (X – pod number), which was created in
previous steps

d. Click “update”

e. Click SUBMIT

Now let's create the Internet contract (this will allow the APP VM to be accessible
from the Internet).
This contract will be between the L3out EPG and the APP EPG, and will allow ARP, ICMP
and TCP port 443.

L3out EPG will consume this contract and APP EPG will provide this contract:

Step 1: Expand the Application EPGs folder and right-click on the EPG APP folder
a. Click on the Add Provided Contract icon

Step 2: On the ADD PROVIDED CONTRACT screen:
a. Click on the drop-down button
b. Select “Create Contract”

Step 3: On the CREATE CONTRACT screen
a. Provide a name “Internet-to-APP”
b. Click on the “+” icon on the Subjects Window

Step 4: On the CREATE CONTRACT SUBJECT screen
a. Provide a name “Internet-to-APP”
b. Click on the “+” icon on the Filter Chain FILTERS

Step 5: On the FILTERS window:
a. Click the drop-down icon and select “arp”

b. After selecting “arp”, click UPDATE

c. Click on the “+” icon on the FILTERS window again and select “icmp”

d. After selecting “icmp”, click UPDATE

e. Click on “+” on the FILTERS window again and then click on second “+” for
adding a new filter

Step 6: On the CREATE FILTER screen:
a. Give a name “Port-443”
b. Click on the “+” on the Entries Window

c. On the Entries window:
1. Give a name “Port-443”
2. Select the EtherType as IP
3. Select the IP Protocol as tcp
4. Select the Destination Port / Range as https
5. Click UPDATE

d. On the CREATE FILTER screen, Click SUBMIT

Step 7: Back on the CREATE CONTRACT SUBJECT screen:
a. Click UPDATE on the filter you created in the above step

b. Click OK

Step 8: Back on the CREATE CONTRACT screen:
a. Click SUBMIT

Step 9: Back on the ADD PROVIDED CONTRACT screen:
a. Click SUBMIT

Step 10: To add a consumer for the provided contract created above:
a. Expand the “External Routed Networks” folder
b. Expand the Internet_access folder
c. Click the Internet folder
d. Click the “+” on the Consumed Contracts window
e. Click on the drop-down under the Name column
f. Select the contract created above, “Internet-to-APP”
g. Click UPDATE

h. Click SUBMIT
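
To see what the Internet-to-APP contract exposes once the Internet external EPG (0.0.0.0/0) consumes it, the added example below, which is not part of the lab guide, models filter matching in the consumer-to-provider direction. The dictionary layout, function names and sample packets are constructed for illustration, the arp and icmp entries are assumed contents of the tenant common filters, and only EtherType, IP protocol and destination port are compared.

```python
NAMED_PORTS = {"http": 80, "https": 443}  # port names as selected in the GUI

# Filters referenced by the Internet-to-APP subject. Port-443 follows Step 6;
# the arp and icmp entries are assumed contents of the tenant common filters.
FILTERS = {
    "arp": [{"etherT": "arp"}],
    "icmp": [{"etherT": "ip", "prot": "icmp"}],
    "Port-443": [{"etherT": "ip", "prot": "tcp",
                  "dFromPort": "https", "dToPort": "https"}],
}
CONTRACT = {"name": "Internet-to-APP", "provider": "APP", "consumer": "Internet",
            "subjects": [{"name": "Internet-to-APP",
                          "filters": ["arp", "icmp", "Port-443"]}]}

# Constructed sample packets arriving from the Internet external EPG.
SAMPLE = [
    {"etherT": "ip", "prot": "tcp", "dport": 443},
    {"etherT": "ip", "prot": "tcp", "dport": 80},
    {"etherT": "ip", "prot": "tcp", "dport": 22},
    {"etherT": "ip", "prot": "icmp"},
    {"etherT": "arp"},
    {"etherT": "ip", "prot": "udp", "dport": 443},
]


def _port(value):
    return NAMED_PORTS[value] if value in NAMED_PORTS else int(value)


def dest_ports(entry):
    """Inclusive destination port range; unspecified means every port."""
    lo = entry.get("dFromPort", "unspecified")
    hi = entry.get("dToPort", "unspecified")
    if lo == "unspecified":
        return (0, 65535)
    return (_port(lo), _port(lo if hi == "unspecified" else hi))


def entry_matches(entry, pkt):
    ether = entry.get("etherT", "unspecified")
    if ether == "unspecified":
        return True                 # entry matches any frame
    if ether != pkt["etherT"]:
        return False
    if ether != "ip":
        return True                 # e.g. arp: nothing further to compare
    prot = entry.get("prot", "unspecified")
    if prot == "unspecified":
        return True
    if prot != pkt.get("prot"):
        return False
    if prot not in ("tcp", "udp"):
        return True                 # icmp carries no ports
    lo, hi = dest_ports(entry)
    return lo <= pkt.get("dport", -1) <= hi


def matching_filter(contract, filters, pkt):
    """Name of the first filter that permits pkt, or None when nothing matches."""
    for subject in contract["subjects"]:
        for name in subject["filters"]:
            if any(entry_matches(e, pkt) for e in filters[name]):
                return name
    return None                     # whitelist model: unmatched traffic is dropped


def exposed_l4(contract, filters):
    """Sorted (protocol, low, high) tuples for every port range the contract opens."""
    out = set()
    for subject in contract["subjects"]:
        for name in subject["filters"]:
            for e in filters[name]:
                ether = e.get("etherT", "unspecified")
                prot = e.get("prot", "unspecified")
                if ether == "unspecified" or (ether == "ip" and prot == "unspecified"):
                    out.add(("any", 0, 65535))   # wildcard entry: flag it
                elif prot in ("tcp", "udp"):
                    out.add((prot, *dest_ports(e)))
    return sorted(out)


def verdicts():
    return [matching_filter(CONTRACT, FILTERS, p) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, hit in zip(SAMPLE, verdicts()):
        print(pkt, "->", hit or "drop")
    print("exposed L4 ranges:", exposed_l4(CONTRACT, FILTERS))
```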

When done, it should look exactly like this:

Check if the OSPF/BGP sessions are UP with N3K.
Check from N3K for your POD IPs. There should be 2x OSPF and 2x iBGP (1 per leaf)
sessions from each tenant established with N3K and 0 networks announced from ACI at
this point over iBGP (N3K is already preconfigured for all PODs):

Nexus 3000: 10.15.27.10 (accessible via PuTTY from the Windows 2008 Desktop)
Please use Username: student
Please use Password: Password!

Example for POD4 – tenant4:

Checking from the APIC controller:

Example iBGP for POD4 – tenant4:

Example OSPF for POD4 – tenant4:

Module 1
Lab 4 – Associate a VMM Domain to the EPGs in Application Profiles

Objective:
• Associate an existing VMM Domain to the EPGs that were created for APP1

Associate a VMM Domain to the EPGs in Application Profiles
In this section, we will associate an existing VMM Domain with the EPGs that were
created for APP1. Once this association is done, we will then place VMs into these EPGs.
Note: A brief summary of how the VMM Domain was created is shown in Appendix A.

Associate a VMM Domain to the EPGs in APP1

First, notice that under the Distributed Port Groups for CiscoLiveAVS in the vSphere Web
Client there are currently no Port Groups shown for customer1. Once you add
the VMM Domain to the EPGs, a Port Group corresponding to your tenant customer(pod
number), with that name, will show up on the AVS.

a. Log in to the vSphere Web Client with your credentials, which are present on your machine.
b. Once logged in, click on
vCenter>Networking>CiscoLiveDC>CiscoLiveAVS>CiscoLiveAVS

vCenter: 10.15.27.150
Please use Username: studentX
Please use Password: Password!
X is the pod number.

Now let's associate the VMM Domain with the EPGs we created for APP1 in the customerX
tenant

1. Go back to customerX:
a. Click on TENANTS at the top menu
b. Select your tenant from the submenu (if you do not see your tenant, then select the
ALL TENANTS submenu all the way on the left hand side)
c. Expand the EPG’s
d. Then right-click on the Domains folder, and select Add VMM Domain Association

1. On the ADD VMM DOMAIN ASSOCIATION screen:
a. For the VMM Domain Profile, select CiscoLiveAVS
b. Select Immediate for both Deploy Immediacy and Resolution Immediacy.

2. Perform the above two steps for DB and WEB EPGs also.

3. Now go back to the vSphere Web Client, and under
Networking>CiscoLiveAVS>Distributed Port Groups, view that there are now three Port
Groups that have been created, one for each EPG, using a naming standard of
{TenantName|ApplicationProfileName|EpgName}

vCenter: 10.15.27.150
Please use Username: studentX
Please use Password: Password!
X is the pod number.

4. THIS STEP IS JUST FOR A REFERENCE – IT IS ALREADY PRECONFIGURED
The VLAN ID assigned to each port group comes from the vlan_200_400 pool that was
defined under the Fabric Access Policies (already pre-configured; the configuration
below is just for your reference):
a. Click on FABRIC from the main menu items
b. Click on the ACCESS POLICIES submenu
c. Expand the Pools folder
d. Expand the VLAN folder
Here you see the Encap Blocks set to range of [200-400], and the Domains using this
pool is set to the CiscoLiveAVS VMM Domain.

Place VMs on EPG Port Groups
Now let's place a VM in each of the three EPGs we created.

1. Go to the vSphere Web Client
a. Click on the VMs and Templates tab
b. Locate the VMs for customerX (they should start with APP-#, WEB-#, DB-#, where
‘#’ is the POD number)
c. Select the APP-#, then click Edit Settings.
d. Place Network adapter 1 on the customer1|APP1|APP port group, and click OK
e. Select the DB-1, then click Edit Settings.
f. Place Network adapter 1 on the customer1|APP1|DB port group, and click OK
g. Select the WEB-1, then click Edit Settings.
h. Place Network adapter 1 on the customer1|APP1|WEB port group, and click OK

vCenter: 10.15.27.150
Please use Username: studentX
Please use Password: Password!
X is the pod number.

Let's check again from the N3K for your POD IPs. There are 2x iBGP (1 per leaf) sessions
from each tenant established with N3K and now you should see 2 networks
announced from ACI at this point to N3K from each leaf.

Now let's verify VM-to-VM policy across the different EPGs:

a. Verify WEB-X VM can ping its default GW in BD1 (10.X.10.1)
b. Verify APP-X VM can ping its default GW in BD1 (10.X.20.1)
c. Verify DB-X VM can ping its default GW in BD1 (10.X.30.1)
d. Verify APP-X VM can ping N3k Loopback IP - 100.100.100.100
e. Verify WEB-X VM can ping APP-X
f. Verify DB-X VM can ping APP-X VM

Nexus 3000: 10.15.27.10
username: student
password: Password!

WEB/APP/DB VMs:
username: student
password: student

X is the POD number

Note: WEB/APP/DB virtual machines are accessible via PuTTY from the Student
Desktop.

Congratulations, you have successfully created a 3-tier APP in ACI and
finished Module 1.
Module 2
Lab 5 – L4-L7 Services Integration

Objective:
• ASAv will be used for service insertion
• In this module you will be creating a Service Graph between two EPGs

Create a Service Graph between EPG-L2out_Services and EPG-WEB
using an ASAv

In this lab we will insert an ASAv firewall between EPG-L2out_Services and EPG-WEB. We
will use the previously created Bridge Domains BD1 and BD2 and the EPGs L2out_Services
and WEB. The ASAv VM is deployed in routed mode. Please see the diagram below.

Service Graph Diagram:

In this lab, we will be deploying an ASAv in L3 mode (aka GoTo mode). The verification will
be to access the Web Server as per the diagram above from the RDP Desktop.

NOTE: Adding the Device Package to L4-L7 Services as well as deploying
the ASAv OVA is already done. A brief summary of what was done for you prior
to creating a Service Graph is provided in Appendix B.

1. Create a new contract to be used between EPG-L2out_Services and EPG-WEB:
a. Navigate to Security Policies > Contracts
b. Right-click on Contracts
c. Select Create Contract.

2. Create a contract with name WEB_FW_contract and subject named web_fw which allows
HTTP/ICMP/ARP:
a. Name: WEB_FW_contract
b. Scope: Private Network
c. QOS Class: Unspecified

d. Create Subject: click the plus sign “+” under Subjects

e. On the CREATE CONTRACT SUBJECT screen, name it: web_fw

f. Click the “+” under Filter Chain in order to add the icmp/arp filters and create the http filter:

Select arp, icmp and http (if it was created before; if not, follow step g.) under
Tenant: common

g. Create HTTP filter by clicking the plus sign “+” if it was not previously created:

h. Name it http and, by clicking on the plus sign, add an entry also named http with
parameters as per the screenshot; click on update when you are done:

i. After adding all 3 filters it will look like this; you can click the OK button:

j. On the following screen, click SUBMIT

3. Add the contract to WEB EPG as a Provided contract (procedure described in more
detail in Module 1)

4. Add the contract to L2out_Services EPG as a Consumed contract (procedure described
in more detail in Module 1)

At this point, the contract for the WEB and L2out_Services EPGs for APP1 should look
like the diagram below.

Navigate to Application Profile > APP1 > OPERATIONAL menu on the right:

5. Create the Device Cluster. Under Tenant customerX > L4-L7 Services > Device Clusters,
right-click and choose Create L4-L7 Devices

Note: Please use the exact names as per the instructions below to fill in this wizard; a
Python script used later relies on these names. Please do not change anything on the
ASAv VMs.

X – pod number
GENERAL:
Name: ASAv-customerX
Device Package: CISCO-ASA-1.1
Model: ASAv
Mode: Single Node
Function Type: GoTo

CONNECTIVITY:
VMM Domain: CiscoLiveAVS
APIC to Device Management Connectivity: Out-Of-Band

CREDENTIALS:
Username: cisco
Password: cisco123

Device 1:
Management IP Address: “please check Table 4 below”
Management Port: https
VM: ASAv-customerX
Virtual Interfaces: (create two)
1) Name: GigabitEthernet0/0
vNIC: Network adapter 2
Direction: provider

2) Name: GigabitEthernet0/1
vNIC: Network adapter 3
Direction: consumer

Please take the Management IP of the ASAv from the table below.
Table 4 – ASAv Management IPs

POD Number  ASAv Management IP Address
POD 1       10.15.27.11
POD 2       10.15.27.12
POD 3       10.15.27.13
POD 4       10.15.27.14
POD 5       10.15.27.15
POD 6       10.15.27.16
POD 7       10.15.27.17
POD 8       10.15.27.18
POD 9       10.15.27.19
POD 10      10.15.27.20
POD 11      10.15.27.21
POD 12      10.15.27.22
POD 13      10.15.27.23
POD 14      10.15.27.24
POD 15      10.15.27.25
POD 16      10.15.27.26
POD 17      10.15.27.27
POD 18      10.15.27.28
POD 19      10.15.27.29
POD 20      10.15.27.30
POD 21      10.15.27.31
POD 22      10.15.27.32
POD 23      10.15.27.33
POD 24      10.15.27.34
POD 25      10.15.27.35
POD 26      10.15.27.36
POD 27      10.15.27.37
POD 28      10.15.27.38
POD 29      10.15.27.39
POD 30      10.15.27.40
POD 31      10.15.27.41
POD 32      10.15.27.42

Click Next once you have filled it in according to the instructions above.

Without changing anything on the next screen click Finish.

It should look like the following, with Device state: stable

6. Deploy ASAv Service Graph
Now let's deploy the ASAv Service Graph for the tenant.

a. Right-click on the L4-L7 Service Graph Templates folder, and select Create L4-L7
Service Graph Template (Advanced).

b. Give it the name Web_Services - you have to use the exact name:

c. Drag and drop the Firewall to the right-hand side, then choose:
Profile: WebPolicyForRoutedMode
Function Type: GoTo

d. Drag and drop the connection between the Consumer/Provider EPG and the Firewall ext/int
interfaces

Leave the defaults as per the screenshot and click OK for both connections:

Click SUBMIT when done with the connections:

It should look like this:

e. Config Parameters
The Config Parameters are used to configure the ASAv. For this guide, to save time,
we will configure these parameters using a Python script.

From the Desktop, click on the PuTTY icon. Open an SSH connection to the
ubuntu-python server in order to run a Python script which will configure the
parameters that APIC will configure on the ASAv.
ubuntu-python server credentials:
username: studentX
password: Password!

Navigate to /home/cisco/AbsNode-python

NOTE:
!!!!!! Run ONLY the script corresponding to your POD - AbsNode-customerX.py,
where X is the POD number !!!!!!

After successfully executing the script you should see the following CONFIG
PARAMETERS populated and updated via the script:

f. Configure a Device Selection Policy for the Service Graph
A device cluster can be selected based on a contract name, a graph name, or the
function node name inside the graph. After you create a device cluster, you create a
device cluster context, which provides a selection criteria policy for a
device cluster. A device cluster context specifies the policy for selecting a device
cluster for a service graph. This allows an administrator to have multiple device
clusters and then be able to use them for different service graphs.

Expand the L4‐L7 Services folder under the Tenant heading


Right‐click on the Device Selection Policies folder
Select Create Logical Device Context

On the CREATE LOGICAL DEVICE CONTEXT screen:

Contract name: WEB_FW_contract


Graph Name: Web_Services
Node Name: N1
Devices: customerX/ASAv-customerX , where X is the POD number
Logical Interfaces Context: (create two)
1) Connector name: internal
Logical interface: internal
Bridge Domain: BD1
2) Connector name: external
Logical interface: external
Bridge Domain: BD2

When done it must look exactly like the following:

Check the configuration on the ASAv before applying the Service Graph.
Click on the PuTTY icon on your Desktop and open an SSH session to the ASAv.

Use username cisco, password cisco123.

Execute the command “show ip” and you will see only the management IP address:

Open the vCenter with the vSphere Web Client and the corresponding credentials (how
to access it was explained earlier in this lab). Do not change anything!!!
Please just check which port groups are assigned to the ASAv VM. They will look
exactly like the following:

vCenter: 10.15.27.150
Please use Username: studentX
Please use Password: Password!
X is the pod number.

Now let's apply the Service Graph
Now we will actually deploy the Service Graph that was configured. A Service Graph
is deployed by selecting the Service Graph in a contract. Since we want to apply the
graph between the WEB and L2out_Services EPGs, we need to add the graph to the
contract WEB_FW_contract.

1. Go to TenantX (X is the POD number):


a. Expand Security Policies
b. Expand Contracts
c. Expand the contract WEB_FW_contract
d. Select web_fw
e. In the right‐hand pane, for Service Graph select Web_Services
f. Then click SUBMIT.
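
The device selection policy from step f and the graph attachment made in the contract above, written as the objects APIC stores and checked for matching names. This is an added example, not the lab's AbsNode script (which this guide does not show); the class names are from the APIC object model, the tenant name customer<pod> is an assumption taken from the Devices path, and the function names are hypothetical.

```python
import json

def device_selection_policy(tenant, contract, graph, node, device, connectors):
    """Build a vnsLDevCtx (Logical Device Context) payload.
    connectors maps connector name -> (logical interface, bridge domain)."""
    ldev_dn = f"uni/tn-{tenant}/lDevVip-{device}"
    children = [{"vnsRsLDevCtxToLDev": {"attributes": {"tDn": ldev_dn}}}]
    for conn, (lif, bd) in connectors.items():
        children.append({"vnsLIfCtx": {
            "attributes": {"connNameOrLbl": conn},
            "children": [
                {"vnsRsLIfCtxToLIf": {"attributes": {"tDn": f"{ldev_dn}/lIf-{lif}"}}},
                {"vnsRsLIfCtxToBD": {"attributes": {"tDn": f"uni/tn-{tenant}/BD-{bd}"}}},
            ]}})
    return {"vnsLDevCtx": {
        "attributes": {"ctrctNameOrLbl": contract, "graphNameOrLbl": graph,
                       "nodeNameOrLbl": node},
        "children": children}}

def graph_attachment(graph):
    """Relation placed under a contract subject to select a graph template."""
    return {"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph}}}

def selection_mismatches(policy, contract, attachment, node):
    """List the policy attributes that differ from the contract, attached graph
    and node. Comparison is exact, as the guide's 'exact name' note requires."""
    attrs = policy["vnsLDevCtx"]["attributes"]
    graph = attachment["vzRsSubjGraphAtt"]["attributes"]["tnVnsAbsGraphName"]
    wanted = {"ctrctNameOrLbl": contract, "graphNameOrLbl": graph,
              "nodeNameOrLbl": node}
    return sorted(k for k, v in wanted.items() if attrs[k] != v)

def lab_policy(pod):
    """Values from the CREATE LOGICAL DEVICE CONTEXT step of this guide."""
    tenant = f"customer{pod}"  # assumption: tenant named as in the Devices path
    return device_selection_policy(
        tenant, "WEB_FW_contract", "Web_Services", "N1", f"ASAv-customer{pod}",
        {"internal": ("internal", "BD1"), "external": ("external", "BD2")})

if __name__ == "__main__":
    policy = lab_policy(1)
    print(json.dumps(policy, indent=2))
    # A graph name that differs only in case is reported as a mismatch.
    print(selection_mismatches(policy, "WEB_FW_contract",
                               graph_attachment("web_services"), "N1"))
```

An empty list from selection_mismatches means the contract, graph and node names line up, so the device cluster can be selected for the graph.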

Check the configuration on the ASAv after applying the Service Graph.
APIC configured the inside/outside IPs and all needed ACLs:

APIC creates inside/outside interface port groups on the AVS and assigns the
interfaces to the proper port groups accordingly (DO NOT CHANGE ANYTHING HERE!!!! –
Please just verify that this is already done):

Test from the Desktop whether you can reach the web server:

1) Ping the ASAv inside interface from the WEB server.

Also, from the ASAv, ping the BD1 (10.X.10.1) and BD2 (101.X.90.1) IPs (X is the POD
number). Because ARP Flooding is disabled by default, we need to present the
end-points in the fabric.

2) Open a web browser and navigate to http://10.X.10.200, where X is the POD
number. You should see a web page with your POD number.

Congratulations, you have successfully finished this Module.

Appendix A
Module 1
How the Tenant was created:

Note: Steps 1 to 5 below are already configured for you. They show how it was
done and are for your reference only.
1. Using Chrome, connect to the APIC at the following URL:
https://10.15.27.221

2. At the login prompt, use the corresponding credentials.

3. Click on TENANTS, and then click on ADD TENANT.

4. On the CREATE TENANT screen:
a. Give the Tenant a name (student1)
b. Select a Security Domain for the Tenant
c. Then click Next.

5. On the next screen:

a. Click Finish to create the tenant.

VMM Networking Setup
Before associating the VMM Domain, we will briefly review the VMM setup (which is already
preconfigured for you!)

1. From the top menu, select VM NETWORKING

2. Then select POLICIES from the submenu.


a. Expand the VM Provider VMware folder
b. Expand the CiscoLiveAVS folder
c. Select VMM Controller CiscoLiveVCenter

3. Now, click on the INVENTORY submenu item, and expand the folders until you can
view the listed Hypervisors, and the listed Portgroups under the AVS folder. You can also
log into the vSphere Web Client and view that the information is correct.

Appendix B
Module 2
Device Package Installation (this is just an explanation - no configuration is needed
at this point as it is already done for you !!!!!):

1. The Device Package for the L4‐L7 Device you will be using was downloaded from
www.cisco.com. (Device Packages from partners, like Citrix or F5, are available from the
partner web site.)

2. Under the L4‐L7 SERVICES main menu option, under the PACKAGES submenu option,
right‐click the L4‐L7 Service Device Types folder and select Import Device
Package.

After the installation of the Device Package:

ASAv was deployed from an OVA file in the vSphere Client. The ASAv OVF file can be
downloaded from www.cisco.com
