
DCAC9K

Configuring Cisco
Nexus 9000 Series
Switches in ACI Mode
Version 1.2 Revision A

Lab Guide

Lab Guide
Overview
This guide presents the instructions and other information concerning the lab activities for this course.

Outline
This guide includes these activities:

Lab 0: Accessing the NterOne Lab Devices

Lab 1: Initial ACI Fabric Configuration Tasks

Lab 2: Configure a Tenant, VRF, and Bridge Domain

Lab 3: Configure Policy Filters and Contracts

Lab 4: Deploy a Three-Tier Application Profile

Lab 5: Configure a VMware VMM Domain

Lab 6: Configure Baseline Interface Policies

Lab 7: Configure VMware ESXi Hosts to Use the APIC DVS

Lab 8: Associate an EPG to a VMware vCenter Domain

Lab 9: Associate Virtual Machines with ACI DVS Port Groups

Lab 10: Configure the APIC Using the REST API (Postman)

Lab 11: Configure the APIC Using the ACI Cobra SDK (Python)

Lab 12: Configure the APIC Using the Cisco APIC REST to Python Adapter (ARYA)

Lab 13: Configure Inter-Tenant Connectivity

Lab 14: Configure External Layer 3 Connectivity using OSPF Routing

Lab 15: Configure External Layer 2 Connectivity - Extending a Bridge Domain

Lab 16: Configure External Layer 2 Connectivity - Extending an EPG

Lab 17: Configure a Service Graph in Managed Mode

Lab 18: Configure RBAC Using Local and RADIUS Accounts

Lab 19: Monitor and Troubleshoot ACI

Lab 0: Accessing the NterOne Lab Devices


The purpose of this lab exercise is to make you familiar with the NterOne lab environment and how to
successfully connect to the various devices that you will use during this class.

Task 1: Understanding your NterOne Lab Environment


Before you can begin configuring your lab devices you must understand how the NterOne lab environment is
constructed and how it is accessed.

Your Student Server


Before you can gain access to the NterOne lab devices you must first successfully log in to a Student Server.

Once you have successfully logged in to a Student Server you will be able to use the applications
installed on the Student Server to access the lab devices for your class.

Student Server names and account credentials will be given to you by your instructor.

Two students may log in to the same Student Server using different accounts; in this case each
student will have a unique Desktop which is not shared with the other student.

The Student Servers are often referred to by a one-digit number (the Student Server Number) which is part of
the DNS and IP address of the Student Server.

Lab Devices and Pods


During this class you will be using the ACI Lab Rack. The ACI Lab Rack contains the following equipment:

One (1) Cisco Application Policy Infrastructure Controller (APIC)

One (1) Cisco Nexus C9336PQ Switch running in ACI mode (Spine switch)

Two (2) Cisco Nexus C9396PX Switches running in ACI mode (Leaf switches)

Eight (8) Cisco UCS C200 M3 C-Series Servers

You will have access to all of these devices; however, you will be assigned a single Pod within the ACI Lab
Rack:

A Pod is a portion of the ACI Lab Rack that is configured by one or two students.

A Pod Number is used to uniquely identify each Pod. The Pod Number (##) is a value between 11
and 26.

You will be assigned to a Pod for a given lab exercise, possibly with another student depending on
the class size.

During the lab exercises you will be asked to configure the devices in your Pod. Do not configure
any devices outside your assigned Pod unless specifically instructed to do so.

Configuring Cisco Nexus 9000 Series Switches in ACI Mode (DCAC9K) Lab Guide v1.2 rev A
2016 NterOne Corporation

Page 3

Letter Variables
The Lab Guide for your class uses letter variables (similar to algebra) to represent digits within a command
or command output. Usually, whenever you see one of the capital letters in the following table you should
replace that letter with the correct value; the Lab Guide should also point out when a letter variable is being
used. The variables will be displayed with a font color of red.
For example, if you are currently assigned to Pod 23, and if you are instructed to configure an IP address of
192.168.1.##, the IP address that you should use would be 192.168.1.23. The following table lists all of the
letter variables that are commonly used in the Lab Guide.

Letter Variable   Possible Values                       Description
---------------   -----------------------------------   --------------------
R                 1, 2, or 3                            Your ACI Rack Number
##                11 through 26                         Your Pod Number
                  A, B, C, or D                         Your vCenter Server
@@                A1, A2, B1, B2, C1, C2, D1, or D2     Your ESXi Host

You should determine the value of each of these variables before you start each lab exercise. If you do not
use the correct values you may not be able to complete the lab exercise and you may also cause another
student's lab devices to malfunction.

Remote Desktop Connection


The application that you must use to log in to your Student Server is Remote Desktop Connection (RDC).

This is the only application that can be used to log in to your Student Server.

The shortcut to RDC is typically found on Windows-based systems by clicking Start > All
Programs > Accessories > Remote Desktop Connection. Another way to find RDC is to use the
Search programs and files function in the Windows Start menu.

or

Students using Apple-based computers can download the Microsoft Remote Desktop app from
https://itunes.apple.com/us/app/id715768417?mt=12 .

Students using Linux-based computers can download rdesktop from http://www.rdesktop.org/ .


Task 2: Connect to your Assigned Student Server using Remote Desktop Connection (RDC)

Follow the steps in this Task in order to log in to a Student Server.
Step 1
Your instructor will give you the information you need to log in to a Student Server. The following
table is provided for you to record these values.

Student Server Name / IP Address

User Name

Password

Step 2

Log in to your personal/work computer.

Step 3

Verify that your computer is able to access the Internet. A simple test to verify this would be to
use a browser to access www.nterone.com .

Step 4

Verify that your computer has a Remote Desktop Connection (RDC) client installed. Use the
information on the previous page if you are having difficulty finding RDC on your computer.

Step 5

Start the Remote Desktop Connection application. The following window should appear.

Note

The following steps use the Microsoft version of RDC; if you are using an Apple- or Linux-based
computer the screens that you will see will be different.

Step 6

In the Computer field enter the DNS name or IP address of the Student Server that has been
assigned to you.

Step 7

Click the Connect button. The Windows Security window should appear.

Note

If this step fails after several seconds, please contact your class instructor for assistance.

Note

If you are able to access the Internet but are unable to access any of the NterOne Student
Servers you will need to determine if there is a firewall somewhere preventing your computer
from accessing the NterOne Student Servers. This is a common problem for students who are
using a computer at their place of employment, in which case you may need to contact your
company's IT department for assistance.

Step 8

Click on the Use another account section of the window.

Step 9

Enter the User name and Password needed to connect to the Student Server.


Step 10

Click the OK button. A window should appear which will look similar to the window below

Step 11

Click the check box next to Don't ask me again for connections to this computer and then
click Yes.

Step 12

After a few seconds the login process should finish and the desktop of your Student Server
should appear which will look similar to the window below.


Step 13

The most commonly used applications, such as Chrome, will have a shortcut on the
Desktop. Other applications may also be found using the Start menu.

Step 14

The process to connect to your Student Server is complete.

Task 3: Log In to the APIC-1 Management Application


This procedure details the steps you will use to start the APIC management application and log in to the
APIC-1. This procedure assumes that you have successfully accessed your Student Server.
Step 15

From the desktop of your Student Server start the Chrome application.

Step 16

Navigate to the following URL: https://192.168.R0.1 (replace R with your ACI Rack
Number).

Step 17

You will be warned by Chrome that the connection is not private.

Note

Please never worry if you see any message like this about your connection not being private in
these labs. Of course, click Proceed and agree with all browser security requests.

Step 18

Click the link labeled Advanced. Chrome will warn you that the security certificate provided by
the APIC is not trusted.


Step 19

Click the link labeled Proceed to 192.168.R0.1 (unsafe). You should now see the APIC sign in
prompt.

Step 20

Login to the APIC with the credentials below:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Mode: Advanced

Note

Only use the Advanced Mode throughout this class.

Step 21

You may see the warning message depicted below. If you do not see this warning message, skip
ahead to Step 25.


Step 22

Click the YES button.

Step 23

The Deployment Warning Settings window will appear. Click the check box at the end of
(Global) Show Deployment Warning on Delete/Modify.

Step 24

Click the SUBMIT button.

Step 25

Once you are logged in, you are presented with the Dashboard. You are logged in with global
administrative rights and your view includes all system components.

Note

The ACI Rack that you are using contains only one APIC, which is why the red warning message
is displayed at the top of the application. This warning message will be present throughout this
class.

Step 26

Note the layout of the GUI interface. The top portion is referred to as the Menu bar.

Step 27

Once a tab is selected from the Menu bar, a Submenu bar will appear below the Menu bar.


Step 28

The Navigation pane displays on the left side of the APIC GUI, below the Submenu bar. This
pane provides centralized navigation to all elements of the submenu category. When you
choose a component in the Navigation pane, the object displays in the Work pane that displays
on the right side of the APIC GUI. This pane displays details about the component selected in
the Navigation pane.

Step 29

The upper right-hand corner of the APIC GUI indicates the user account with which you logged
in to the APIC GUI. Click the down arrow next to the account name and select Settings from
the drop-down menu.

Step 30

The Application Settings window will appear. These settings affect how the APIC GUI
responds as you use it. Enter the values in the following table.
Field                                   Value
-------------------------------------   ---------
Remember Tree Selection                 Checked
Preserve Tree Divider Position          Checked
Disable Notification on Success         Checked
Disable Deployment Warning at Login     Unchecked


Step 31

Click the OK button.


Lab 1: Initial ACI Fabric Configuration Tasks


Overview
The instructor will register the switches to the APIC controller and then discover the rest of the fabric. This
activity will guide you through this process, and then familiarize you with the fabric topology portion of the
APIC GUI. The instructor will also perform tasks that are typically performed when the ACI fabric is being
initially configured.
Upon completing this guided lab, you will be able to:

Register Nexus 9000 switches to the ACI fabric

Configure out-of-band (OOB) access to the fabric switches

Configure DNS

Configure NTP

Enable HTTP access to the APIC

Configure MP-BGP route reflectors

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note

It is critical and important in every way to refer to the NterOne Resource Guide for this class
provided by your instructor. Study it. Use it. Refer to it. These labs demand you use the
Resource Guide. Again and again.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Mode: Advanced

Step 5

At this point you should see the APIC Dashboard.


STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Register the Fabric Switches (Instructor Demo)


In this task, the instructor will register the Nexus 9000 Switches to the fabric managed by APIC-1.
Note

Tasks that are designated as Instructor Demo are only performed once per ACI fabric.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 6

In the Menu bar, click Fabric.

Step 7

In the Submenu bar, click Inventory.

Step 8

Click the expand icon next to Fabric Membership in the Navigation pane to expand the view, and notice
the single switch entry under the Fabric Membership folder. This is the leaf switch that the
APIC is connected to, which is not yet registered.

Note

The APICs and the ACI switches use Link Layer Discovery Protocol (LLDP) to discover
connected devices. Devices that are discovered are not automatically added to the fabric; an
administrator must determine which devices should be added to the fabric and then manually
register them.

Step 9

Choose Fabric Membership by clicking on that entry. The Work pane will show a switch with
a serial number that starts with the letters SAL, and ID of 0. Observe that its role is leaf.

Note

Unregistered switches are assigned the Node ID of 0. By default, switches detected by the fabric
are not added to the fabric automatically; they must be added manually.

Step 10

To register this leaf switch, double-click the row in the Work pane; this will allow you to
modify the values of the row. Enter the values in the following table.
Field        Value
---------    -------
NODE ID      101
NODE NAME    Leaf-1


Note

The Node ID has to be greater than 100 because the APIC reserves the node IDs 1 through 100
for future APICs that may be added to the fabric.

Step 11

Click the UPDATE button.

Step 12

The APIC will now begin discovering the fabric along with other APICs. Wait 30 to 60 seconds
for the APIC GUI to see other switches in the fabric. You should see an additional switch
appear in the Fabric Membership view.

Note

Observe that the Leaf switch now has a private (RFC 1918) IP address assigned. This address
range is configured on the APIC when first installed, and managed by the APIC for infrastructure
communication across the ACI fabric.

Note

The fabric will discover another switch. Notice under ROLE that this is a spine switch
with its Node ID set to 0.

Step 13

Register the Cisco Nexus 9336PQ spine switch. Enter the values in the following table.
Field        Value
---------    --------
NODE ID      102
NODE NAME    Spine-1

Step 14

With the spine switch now registered, please wait an additional 30 to 60 seconds for the fabric
to discover the second leaf switch.

Step 15

Register the Cisco Nexus 9396PX leaf switch. Enter the values in the following table.


Field        Value
---------    -------
NODE ID      103
NODE NAME    Leaf-2

Step 16

In the Navigation pane, click the Topology folder. You should see the complete ACI fabric,
which includes one spine switch, two leaf switches, and one APIC.

Step 17

From your Student Server desktop, start a PuTTY session with APIC-1. There should be a
shortcut on the desktop for APIC-1.

Step 18

Log in to APIC-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

login as: admin

Application Policy Infrastructure Controller
admin@192.168.30.1's password: 1234QWer
Last login: Sat Apr 16 11:59:49 2016
apic1#

Step 19

Execute the show switch command. This command will display a summary of the fabric
switches that are registered with the APIC. The output should show three fabric switches and
contain information similar to what was seen earlier in the GUI.


Step 20

Execute the acidiag fnvread command. This command will display similar information about
the fabric switches.

apic1# acidiag fnvread
      ID   Name      Serial Number   IP Address         Role    Pod ID   State    LastUpdMsgId
--------------------------------------------------------------------------------------------------
     101   Leaf-1    SAL1944S69H     172.19.64.95/32    leaf    1        active   0
     102   Spine-1   SAL18391DWR     172.19.64.94/32    spine   1        active   0
     103   Leaf-2    SAL1947THQA     172.19.64.93/32    leaf    1        active   0

Total 3 nodes
Note

The acidiag command is a useful troubleshooting command that allows you to gather information
about the entire ACI fabric from the APIC command line.
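Because registration is a manual, administrator-driven step, it is worth checking afterwards that the nodes the fabric reports are exactly the ones that were meant to be registered. The following added example (not part of the lab guide or of Cisco's tooling) parses acidiag fnvread output in the column layout shown above and compares it against an expected inventory; the sample output is the guide's three nodes plus one constructed row (node 104, serial SAL0000TEST) that should be flagged.

```python
"""Parse `acidiag fnvread` output and audit fabric membership against an
expected inventory.  Added example; the column layout is assumed from the
output shown in the lab guide (ID, Name, Serial Number, IP Address, Role,
Pod ID, State, LastUpdMsgId)."""
import re
from dataclasses import dataclass

# One data row of fnvread output, whitespace separated, in the assumed layout.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<serial>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<role>\S+)\s+(?P<pod>\d+)\s+(?P<state>\S+)\s+(?P<lastupd>\d+)\s*$"
)

# Constructed sample: the three nodes from the lab guide plus a fourth,
# constructed row (serial SAL0000TEST) that is not in the expected inventory
# and is not active.
SAMPLE_FNVREAD = """\
apic1# acidiag fnvread
      ID   Name      Serial Number   IP Address         Role    Pod ID   State      LastUpdMsgId
------------------------------------------------------------------------------------------------
     101   Leaf-1    SAL1944S69H     172.19.64.95/32    leaf    1        active     0
     102   Spine-1   SAL18391DWR     172.19.64.94/32    spine   1        active     0
     103   Leaf-2    SAL1947THQA     172.19.64.93/32    leaf    1        active     0
     104   Leaf-3    SAL0000TEST     172.19.64.92/32    leaf    1        inactive   0

Total 4 nodes
"""

# The switches the administrator intended to register: serial -> (node ID, role).
EXPECTED_NODES = {
    "SAL1944S69H": (101, "leaf"),
    "SAL18391DWR": (102, "spine"),
    "SAL1947THQA": (103, "leaf"),
}


@dataclass(frozen=True)
class FabricNode:
    node_id: int
    name: str
    serial: str
    ip: str
    role: str
    pod: int
    state: str


def parse_fnvread(text):
    """Return the list of FabricNode rows; raise on unparseable lines or a
    'Total N nodes' line that disagrees with the number of rows."""
    nodes, total = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("apic", "ID", "-")):
            continue  # prompt, column header and separator lines
        if stripped.startswith("Total"):
            total = int(stripped.split()[1])
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fnvread line: {line!r}")
        nodes.append(FabricNode(int(m["id"]), m["name"], m["serial"], m["ip"],
                                m["role"], int(m["pod"]), m["state"]))
    if total is not None and total != len(nodes):
        raise ValueError(f"Total line reports {total} nodes, parsed {len(nodes)}")
    return nodes


def audit_fabric(nodes, expected):
    """Compare parsed nodes against the expected inventory and return a list
    of human-readable findings (empty when the fabric matches)."""
    findings, seen = [], set()
    for n in nodes:
        seen.add(n.serial)
        if n.node_id == 0:
            findings.append(f"{n.serial}: discovered but not registered (node ID 0)")
            continue
        if n.node_id <= 100:  # 1-100 are reserved for APICs (lab guide note)
            findings.append(f"{n.serial}: node ID {n.node_id} is in the APIC-reserved range")
        exp = expected.get(n.serial)
        if exp is None:
            findings.append(f"{n.serial}: registered as node {n.node_id} but not in the expected inventory")
        elif exp != (n.node_id, n.role):
            findings.append(f"{n.serial}: registered as {n.node_id}/{n.role}, expected {exp[0]}/{exp[1]}")
        if n.state != "active":
            findings.append(f"{n.serial}: state is {n.state}, expected active")
    for serial, (nid, _) in expected.items():
        if serial not in seen:
            findings.append(f"{serial}: expected as node {nid} but missing from the fabric")
    return findings


if __name__ == "__main__":
    for finding in audit_fabric(parse_fnvread(SAMPLE_FNVREAD), EXPECTED_NODES):
        print(finding)
```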

Step 21

Execute the show controller command. This command will display a summary of the APICs
that are connected to this fabric.

Note

The IP addresses assigned in your environment may not match the output. It is a pseudorandom assignment.

Step 22

Execute the show controller detail command. This command will display additional details
about the APIC.

apic1# show controller detail
ID                   : 1*
Name                 : apic1
UUID                 : 70987b86-02f6-11e6-b6f8-1516d7032dca
Address              : 172.19.0.1
In-Band IPv4 Address : 0.0.0.0
In-Band IPv6 Address : fc00::1
OOB IPv4 Address     : 192.168.R0.1
OOB IPv6 Address     : fe80::fe5b:39ff:fe2d:4f5a
Serial Number        : FCH1835V0RY
Version              : 1.2(2h)
Commissioned         : in-service
Registered           : available
Valid Certificate    : yes
Validity Start       : 2014-10-31T05:51:47.000+00:00
Validity End         : 2024-10-31T06:01:47.000+00:00
Up Time              : 01:01:39:51.000
Health               : fully-fit

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Configure Out-of-Band (OOB) Management (Instructor Demo)


In this task, the instructor will configure the out-of-band (OOB) management settings so that the Nexus
switches can be accessed directly via SSH.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23

Return to the APIC GUI running in your Chrome browser.

Step 24

In the Menu bar, click Tenants.

Step 25

In the Submenu bar, click mgmt.

Step 26

In the Navigation pane, expand Tenant mgmt > Security Policies > Out-Of-Band Contracts.

Step 27

Right-click the Out-Of-Band Contracts folder and then select Create Out-Of-Band Contract
from the context menu.

Step 28

The Create Out-Of-Band Contract wizard will appear. Enter the values in the following table;
do NOT change any of the values that are not listed in the following table.


Field    Value
-----    ------------
Name     OOB-CONTRACT
Scope    VRF

Step 29

In the Subjects subsection, click the plus sign to create a new entry.

Step 30

The Create Contract Subject wizard will appear. In the Name field, type SUBJECT-ANY.

Step 31

In the Filters subsection, click the plus sign to create a new entry.

Step 32

In the Name drop-down list, select common/default.

Step 33

Click the UPDATE button.

Step 34

Click the OK button to complete the Create Contract Subject wizard.


Step 35

Click the SUBMIT button to complete the Create Out-Of-Band Contract wizard.

Step 36

In the Navigation pane, expand Tenant mgmt > Node Management EPGs.

Step 37

Right-click the Node Management EPGs folder and then select Create Out-of-Band
Management EPG from the context menu.

Step 38

The Create Out-of-Band Management EPG wizard will appear. In the Name field, type
OOB-MGMT-EPG.

Step 39

In the Provided Out-of-Band Contracts subsection, click the plus sign to create a new entry.

Step 40

In the OOB Contract drop-down list, select OOB-CONTRACT.

Step 41

Click the UPDATE button.


Step 42

Click the SUBMIT button to complete the Create Out-of-Band Management EPG wizard.

Step 43

In the Navigation pane, expand Tenant mgmt > Node Management Addresses > Static Node
Management Addresses.

Step 44

Right-click the Static Node Management Addresses folder and then select Create Static
Node Management Addresses from the context menu.

Step 45

The Create Static Node Management Addresses wizard will appear. Enter the values in the
following table.

Field                              Value
--------------------------------   ---------------------------------------------------------
Node Range (From)                  101
Node Range (To)                    103
Config: Out-Of-Band Addresses      Checked
Out-Of-Band Management EPG         OOB-MGMT-EPG
Out-Of-Band Starting IP Address    192.168.R0.101/24 (replace R with your ACI Rack Number)
Out-Of-Band IPv4 Gateway           192.168.R0.254 (replace R with your ACI Rack Number)

Step 46

Click the SUBMIT button to complete the Create Static Node Management Addresses
wizard. A warning message will appear indicating that the management IP addresses of the
selected range of nodes will be changed.


Step 47

Click the YES button.

Step 48

You should now see the IP addresses that have been assigned to the Nexus switches in the
Work pane.

Step 49

In the Navigation pane, expand Tenant mgmt > External Management Network Instance
Profiles.

Step 50

Right-click the External Management Network Instance Profiles folder and then select
Create External Management Network Instance Profile from the context menu.

Step 51

The Create External Management Network Instance Profile wizard will appear. In the
Name field, type EMNIP.

Step 52

In the Consumed Out-of-Band Contracts subsection, click the plus sign to create a new entry.

Step 53

In the Out-of-Band Contract drop-down list, select OOB-CONTRACT.

Step 54

Click the UPDATE button.

Step 55

In the Subnets subsection, click the plus sign to create a new entry.

Step 56

In the IP field, enter 10.0.0.0/8.

Step 57

Click the UPDATE button.

Step 58

In the Subnets subsection, click the plus sign to create a new entry.

Step 59

In the IP field, enter 192.168.R0.0/24 (replace R with your ACI Rack Number).

Step 60

Click the UPDATE button.


Step 61

Click the SUBMIT button to complete the Create External Management Network Instance
Profile wizard.

Step 62

At this point you have allowed access to the management ports of the Nexus switches from two
different subnets. Next, you will verify that you can connect directly to the Nexus switches.
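The contract created in this task uses the common/default filter (which matches any traffic) and one of the two permitted source subnets is the whole 10.0.0.0/8, which is fine for a classroom but worth flagging on a production fabric. The following added example (not from the lab guide or from Cisco) walks an APIC JSON configuration export and reports external management profiles whose subnets are broader than a threshold or whose consumed OOB contract relies on a permit-any filter; the class names (vzOOBBrCP, mgmtInstP, mgmtSubnet, mgmtRsOoBCons, vzRsSubjFiltAtt) are taken from the APIC object model as an assumption, and the JSON is a constructed document mirroring this task's objects for rack number 3, not a real export.

```python
"""Audit out-of-band management access in an APIC JSON configuration.
Added example; the JSON below is constructed to mirror the objects created in
Task 2 (tenant mgmt, contract OOB-CONTRACT, EPG OOB-MGMT-EPG, profile EMNIP)."""
import ipaddress
import json

SAMPLE_CONFIG = json.loads("""
{"polUni": {"children": [
  {"fvTenant": {"attributes": {"name": "mgmt"}, "children": [
    {"vzOOBBrCP": {"attributes": {"name": "OOB-CONTRACT", "scope": "context"}, "children": [
      {"vzSubj": {"attributes": {"name": "SUBJECT-ANY"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}}]}}]}},
    {"mgmtMgmtP": {"attributes": {"name": "default"}, "children": [
      {"mgmtOoB": {"attributes": {"name": "OOB-MGMT-EPG"}, "children": [
        {"mgmtRsOoBProv": {"attributes": {"tnVzOOBBrCPName": "OOB-CONTRACT"}}}]}}]}},
    {"mgmtExtMgmtEntity": {"attributes": {"name": "default"}, "children": [
      {"mgmtInstP": {"attributes": {"name": "EMNIP"}, "children": [
        {"mgmtRsOoBCons": {"attributes": {"tnVzOOBBrCPName": "OOB-CONTRACT"}}},
        {"mgmtSubnet": {"attributes": {"ip": "10.0.0.0/8"}}},
        {"mgmtSubnet": {"attributes": {"ip": "192.168.30.0/24"}}}]}}]}}]}}]}}
""")


def iter_mos(mo):
    """Depth-first walk of an APIC JSON tree; yields (class, attributes, children)."""
    for cls, body in mo.items():
        attrs = body.get("attributes", {})
        children = body.get("children", [])
        yield cls, attrs, children
        for child in children:
            yield from iter_mos(child)


def descendants(children):
    """Flatten the subtree below a list of child objects."""
    for child in children:
        yield from iter_mos(child)


def contract_filters(config):
    """Map each OOB contract name to the set of filter names its subjects use."""
    filters = {}
    for cls, attrs, children in iter_mos(config):
        if cls == "vzOOBBrCP":
            filters[attrs["name"]] = {
                cattrs.get("tnVzFilterName", "")
                for ccls, cattrs, _ in descendants(children)
                if ccls == "vzRsSubjFiltAtt"
            }
    return filters


def audit_oob_access(config, min_prefixlen=24, permit_any_filters=("default",)):
    """Return findings for external management network instance profiles that
    admit source subnets shorter than /min_prefixlen or consume a contract
    built on a permit-any filter (common/default by default)."""
    findings = []
    filters = contract_filters(config)
    for cls, attrs, children in iter_mos(config):
        if cls != "mgmtInstP":
            continue
        profile = attrs["name"]
        for ccls, cattrs, _ in descendants(children):
            if ccls == "mgmtSubnet":
                net = ipaddress.ip_network(cattrs["ip"], strict=False)
                if net.prefixlen < min_prefixlen:
                    findings.append(f"{profile}: source subnet {net} is broader than /{min_prefixlen}")
            elif ccls == "mgmtRsOoBCons":
                cname = cattrs["tnVzOOBBrCPName"]
                for f in sorted(filters.get(cname, set()) & set(permit_any_filters)):
                    findings.append(f"{profile}: contract {cname} uses permit-any filter {f!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_oob_access(SAMPLE_CONFIG):
        print(finding)
```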

Step 63

From your Student Server desktop, start a PuTTY session with the Leaf-1 switch. There should
be a shortcut on the desktop for Leaf-1.

Step 64

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

login as: admin

Using keyboard-interactive authentication.
Password: 1234QWer
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Leaf-1#

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Configure DNS for the APIC (Instructor Demo)


In this task, the instructor will configure the APIC to use DNS for name resolution.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 65

Return to the APIC GUI running in your Chrome browser.

Step 66

In the Menu bar, click Fabric.

Step 67

In the Submenu bar, click Fabric Policies.

Step 68

In the Navigation pane, expand Global Policies > DNS Profiles > default.

Step 69

In the DNS Providers subsection, click the plus sign to create a new entry.

Step 70

In the ADDRESS field, type 192.168.R0.40 (replace R with your ACI Rack Number).

Step 71

Click the check box under Preferred.

Step 72

Click the UPDATE button.

Step 73

In the DNS Domains pane click the plus sign to create a new entry.

Step 74

In the NAME field, type dc.local.

Step 75

Click the check box under Default.

Step 76

Click the UPDATE button.

Step 77

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.


Step 78

Click the SUBMIT CHANGES button.

Step 79

Return to the PuTTY window containing your session to APIC.

Step 80

To verify that DNS name resolution is functioning properly enter the ping leaf-1.dc.local
command. After a few seconds press <Ctrl>+<C> to stop the ping.

apic1# ping leaf-1.dc.local

PING leaf-1.dc.local (192.168.30.101) 56(84) bytes of data.
64 bytes from 192.168.30.101: icmp_seq=1 ttl=64 time=0.220 ms
64 bytes from 192.168.30.101: icmp_seq=2 ttl=64 time=0.170 ms
64 bytes from 192.168.30.101: icmp_seq=3 ttl=64 time=0.111 ms
64 bytes from 192.168.30.101: icmp_seq=4 ttl=64 time=0.138 ms
64 bytes from 192.168.30.101: icmp_seq=5 ttl=64 time=0.138 ms
--- leaf-1.dc.local ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 13618ms
rtt min/avg/max/mdev = 0.111/0.155/0.220/0.038 ms

Step 81

Enter the ping leaf-1 command; make sure not to include the domain name. After a few
seconds press <Ctrl>+<C> to stop the ping.

apic1# ping leaf-1

PING Leaf-1 (172.19.64.95) 56(84) bytes of data.
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=1 ttl=64 time=0.156 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=2 ttl=64 time=0.125 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=3 ttl=64 time=0.158 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=4 ttl=64 time=0.250 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=5 ttl=64 time=0.112 ms
--- Leaf-1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4060ms
rtt min/avg/max/mdev = 0.112/0.160/0.250/0.048 ms
Note

The APIC used the IP address of 192.168.R0.101 for leaf-1.dc.local, and it used 172.19.64.95
for leaf-1. The IP address 192.168.R0.101 is the out-of-band address, while 172.19.64.95 is the
infrastructure address assigned to leaf-1 when it was connected to the fabric.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 4: Configure DNS for the Fabric Switches (Instructor Demo)


In this task, the instructor will configure the fabric switches to use DNS for name resolution.

Activity Procedure
Complete these steps:


STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 82

In the Navigation pane, expand Global Policies > DNS Profiles.

Step 83

Right-click the DNS Profiles folder and then select Create DNS Profile from the context
menu.

Step 84

The Create DNS Profile wizard will appear. Enter the values in the following table.
Field             Value
---------------   ---------------------------
Name              DNS-PROFILE
Management EPG    OOB-MGMT-EPG (Out-of-Band)

Step 85

In the DNS Domains pane click the plus sign to create a new entry.

Step 86

In the NAME field, type dc.local.

Step 87

Click the check box under Default.

Step 88

Click the UPDATE button.

Step 89

In the DNS Providers subsection, click the plus sign to create a new entry.

Step 90

In the ADDRESS field, type 192.168.R0.40 (replace R with your ACI Rack Number).

Step 91

Click the check box under Preferred.

Step 92

Click the UPDATE button.


Step 93

Click the SUBMIT button to complete the Create DNS Profile wizard.

Step 94

In the Menu bar, click Tenants.

Step 95

In the Submenu bar, click mgmt.

Step 96

In the Navigation pane, expand Tenant mgmt > Networking > VRFs > oob.

Step 97

Near the bottom of the Work pane, in the DNS Labels field, type DNS-PROFILE.

Step 98

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 99

Click the SUBMIT CHANGES button.

Step 100

Return to the PuTTY window containing your session to Leaf-1.

Step 101

To verify that DNS name resolution is functioning properly enter the ping leaf-2.dc.local
command. After a few seconds press <Ctrl>+<C> to stop the ping.

Leaf-1# ping leaf-2.dc.local

PING leaf-2.dc.local (192.168.30.103): 56 data bytes
64 bytes from 192.168.30.103: icmp_seq=0 ttl=64 time=0.314 ms
64 bytes from 192.168.30.103: icmp_seq=1 ttl=64 time=0.182 ms
64 bytes from 192.168.30.103: icmp_seq=2 ttl=64 time=0.240 ms
64 bytes from 192.168.30.103: icmp_seq=3 ttl=64 time=0.219 ms
64 bytes from 192.168.30.103: icmp_seq=4 ttl=64 time=0.222 ms
^C--- leaf-2.dc.local ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.182/0.235/0.314/0.044 ms

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 5: Configure a RADIUS Provider (Instructor Demo)


In this task, the instructor will configure a RADIUS provider which will be used in future lab exercises.

Activity Procedure
Complete these steps:
Note

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 102

Return to the APIC GUI running in your Chrome browser.

Step 103

In the Menu bar, click Admin.

Step 104

In the Submenu bar, click AAA.

Step 105

Navigate to RADIUS Management > RADIUS Providers.

Step 106

Right-click the RADIUS Providers folder and then select Create RADIUS Provider from the
context menu.

Step 107

The Create RADIUS Provider wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                          Value
Host Name (or IP Address)      192.168.R0.41 (replace R with your ACI Rack Number)
Key / Confirm Key              1234QWer

Step 108

Click the SUBMIT button to complete the Create RADIUS Provider wizard.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 6: Configure a Local User Account (Instructor Demo)


In this task, the instructor will configure a local user account to be used as a second account that has full
administrative privileges to the fabric.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 109

In the Menu bar, click Admin.

Step 110

In the Submenu bar, click AAA.

Step 111

Navigate to Security Management > Local Users.

Step 112

Right-click the Local Users folder and then select Create Local User from the context menu.

Step 113

The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to all.

Step 114

Click the NEXT button. In STEP 2 > Roles, select Read Write for each of the roles listed.


Step 115

Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.
Field                          Value
Login ID                       admin2
Password / Confirm Password    1234QWer

Step 116

Click the FINISH button to complete the wizard.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 7: Configure the Date and Time Format and NTP (Instructor
Demo)
In this task, the instructor will configure the date and time format of the clock and the NTP server used by the
fabric.

Activity Procedure
Complete these steps:


STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 117

In the Menu bar, click Fabric.

Step 118

In the Submenu bar, click Fabric Policies.

Step 119

Navigate to Pod Policies > Policies > Date and Time > default.

Step 120

In the Work pane, in the Time Zone drop-down list, select America/New_York.

Step 121

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 122

Click the SUBMIT CHANGES button.

Step 123

In the Navigation pane, right-click the Date and Time folder and then select Create Date and
Time Policy from the context menu.

Step 124

The Create Date and Time Policy wizard will appear. In STEP 1 > Identity, in the Name field,
type DATE-TIME-POLICY.


Step 125

Click the NEXT button.

Step 126

In STEP 2 > NTP Servers, click the plus sign to create a new entry and enter the values in the
following table.
Field                Value
Name                 192.168.R0.40 (replace R with your ACI Rack Number)
Preferred            Checked
Management EPG       OOB-MGMT-EPG (Out-of-Band)

Step 127

Click the OK button to complete the Create Providers wizard.

Step 128

Click the FINISH button to complete the Create Date and Time Policy wizard.

Step 129

In the Navigation pane, expand the Pod Policies > Policies > Policy Groups folder.

Step 130

Right-click the Policy Groups folder and then select Create Pod Policy Group from the
context menu.


Step 131

The Create Pod Policy Group wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.
Field                Value
Name                 POD-POLICY-GROUP
Date Time Policy     DATE-TIME-POLICY

Step 132

Click the SUBMIT button to complete the Create Pod Policy Group wizard.

Step 133

Navigate to Pod Policies > Profiles > default.

Step 134

In the Work pane, in the Fabric Policy Group drop-down list, select POD-POLICY-GROUP.

Step 135

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 136

Click the SUBMIT CHANGES button.


Step 137

The necessary date and time settings for the fabric are now configured. You can view the date
and time for the fabric at the bottom of the APIC GUI. It may take several seconds for the
correct time to be displayed.

Step 138

Return to the PuTTY window containing your session to Leaf-1.

Step 139

To verify that NTP is functioning properly on the switch enter the show ntp peer-status
command. You should see that there is a single peer, and the peer is selected for
synchronization.

Leaf-1# show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
  remote           local         st  poll  reach  delay    vrf
-------------------------------------------------------------------
*192.168.R0.40     0.0.0.0       6   16    37     0.00043  management

Note

It may take a few minutes for the switch to synchronize with the peer.

Step 140

Use the show clock command to verify that the clock on the switch is set correctly.

Leaf-1# show clock


10:36:59.840334 EDT Thu Sep 03 2015

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 8: Enable HTTP Access for the XML API (Instructor Demo)
In this task, the instructor will enable HTTP access to the APICs so that the XML API is reachable over
HTTP as well as HTTPS. This is done only for convenience in the lab: over plain HTTP the API credentials
and the session cookie travel in cleartext, so in a production fabric leave HTTP disabled and use HTTPS only.

Activity Procedure
Complete these steps:
Note

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 141

In the Menu bar, click Fabric.

Step 142

In the Submenu bar, click Fabric Policies.

Step 143

Navigate to Pod Policies > Policies > Management Access > default.

Step 144

In the HTTP section, in the Admin State drop-down list, select Enabled.


Step 145

Click the SUBMIT button to commit the configuration changes. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 146

Click the SUBMIT CHANGES button.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 9: Configure MP-BGP Route Reflectors (Instructor Demo)


In this task, the instructor will configure MP-BGP Route Reflectors.
Internal to the ACI fabric, MP-BGP is implemented between leaf and spine switches to propagate external
routes within the ACI fabric; all the leaf and spine switches are in one single BGP AS. The border leaf uses
MP-BGP to advertise the external routes to the spine switches, which act as BGP route reflectors to avoid the
full mesh requirements of BGP. Routes are only propagated by spines to leaf switches where the Private
Networks are instantiated.
Note

Private Networks are only instantiated on a leaf when an EPG for that Private Network has
endpoints connected off the leaf.

MP-BGP is not enabled by default in ACI fabric. You will configure a BGP policy, specifying the BGP AS
number and specific spine nodes as BGP route reflectors. Once configured the APIC will automatically
configure iBGP peering between leaf and spine and specify leaf switches as route reflector clients. APIC also
automatically generates the required configuration for route redistribution on the border leaf.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 147

In the Menu bar, click Fabric.

Step 148

In the Submenu bar, click Fabric Policies.

Step 149

In the Navigation pane, select Pod Policies > Policies > BGP Route Reflector default.


Step 150

In the Work pane, set the Autonomous System Number to 100.

Note

The iBGP ASN must match the external router configuration if iBGP will be configured between
the ACI Fabric and an external network. If using static routes, OSPF, or EIGRP between the ACI
Fabric and an external network, the iBGP ASN value can be any valid value.

Step 151

In the Route Reflector Nodes subsection, click the plus sign to start the Create Route
Reflector Node Policy EP wizard.

Step 152

In the Spine Node drop-down menu, select 102 (Spine-1).

Step 153

Click the SUBMIT button to complete the wizard. Node ID 102 will now be listed in the Route
Reflector Nodes subsection.

Step 154

Click the SUBMIT button in the Work pane. A Policy Usage Warning will appear indicating
the other objects that will be affected by the changes.

Step 155

Click the SUBMIT CHANGES button.

Note

This configuration applies to the entire fabric and is not enforced per Tenant. BGP is
automatically enabled on any leaf switch that has an external Layer 3 network attached, and on
any leaf switch where the Private Network associated with that Layer 3 external network is
instantiated. Leaf switches on which that Private Network is not instantiated conserve hardware
resources by neither running BGP nor storing the routes.

Note

Once the border leaf forms a neighbor relationship, it propagates Tenant routes to the external
router. Users control which Tenant subnets are advertised to external routers: when specifying
subnets under the bridge domain for a given Tenant, the user chooses the scope of each subnet
(private, public, or shared; shown in the GUI as Private to VRF, Advertised Externally, and
Shared between VRFs).


Note

For security and separation, MP-BGP maintains separate BGP routing tables for each ACI
Private Network.

Step 156

To verify that the BGP route reflectors are functioning, navigate to Fabric > Inventory > Pod
1 > Spine-1 > Protocols > BGP > BGP for VRF overlay-1 > Sessions. You should see that
there are two established BGP sessions, one to each leaf switch.

Step 157

From your Student Server desktop, start a PuTTY session with Spine-1. There should be a
shortcut on the desktop for Spine-1.

Step 158

Log in to Spine-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 159

Verify that the BGP sessions to the leaf switches are established by entering the show bgp
sessions vrf overlay-1 command.

Spine-1# show bgp sessions vrf overlay-1
Total peers 2, established peers 2
ASN 100
VRF overlay-1, local ASN 100
peers 2, established peers 2, local router-id 172.19.208.94
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown
Neighbor        ASN  Flaps LastUpDn|LastRead|LastWrit  St Port(L/R)  Notif(S/R)
172.19.208.95   100  0     00:02:31|never   |never     E  179/48420  0/0
172.19.208.93   100  0     00:02:30|never   |never     E  179/52730  0/0
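The two verification steps above (Step 139's show ntp peer-status and Step 159's show bgp sessions vrf overlay-1) can be checked mechanically rather than by eye. The following Python script is an added example, not part of this lab guide or of any Cisco tool: it parses the two command outputs and reports whether a peer is selected for NTP synchronization and whether every iBGP session in VRF overlay-1 is Established with the expected ASN. The sample outputs embedded in it are constructed to match the shape shown above, with the rack number R assumed to be 1.

```python
"""Check NTP sync and MP-BGP route-reflector sessions from NX-OS 'show' output.

Added example, not part of the lab guide. Paste the output of the two commands
(for example, collected over SSH) into the parsers below. The samples are
constructed to match the lab's output; 192.168.10.40 assumes rack R = 1.
"""
import re

# Constructed sample of 'show ntp peer-status' on Leaf-1.
NTP_SAMPLE = """\
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
  remote           local         st  poll  reach  delay    vrf
-------------------------------------------------------------------
*192.168.10.40     0.0.0.0       6   16    37     0.00043  management
"""

# Constructed sample of 'show bgp sessions vrf overlay-1' on Spine-1.
BGP_SAMPLE = """\
Total peers 2, established peers 2
ASN 100
VRF overlay-1, local ASN 100
peers 2, established peers 2, local router-id 172.19.208.94
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown
Neighbor        ASN  Flaps LastUpDn|LastRead|LastWrit  St Port(L/R)  Notif(S/R)
172.19.208.95   100  0     00:02:31|never   |never     E  179/48420  0/0
172.19.208.93   100  0     00:02:30|never   |never     E  179/52730  0/0
"""

# Peer rows start with the sync marker (* + - = or a space) glued to the address.
NTP_ROW = re.compile(
    r"^([*+=\- ])(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+(\S+)\s+(\S+)\s*$")
BGP_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s+([IAOECS])\s+(\d+/\d+)\s+(\d+/\d+)\s*$")
LOCAL_ASN = re.compile(r"^VRF (\S+), local ASN (\d+)")


def parse_ntp_peers(output):
    """Return one dict per NTP peer row; 'reach' is the octal reachability register."""
    peers = []
    for line in output.splitlines():
        m = NTP_ROW.match(line)
        if m:
            mark, remote, _local, st, poll, reach, delay, vrf = m.groups()
            peers.append({
                "remote": remote, "selected": mark == "*", "stratum": int(st),
                "poll": int(poll),
                # reach is an 8-bit shift register printed in octal: 377 = last 8 polls answered.
                "reach_successes": bin(int(reach, 8)).count("1"),
                "delay": float(delay), "vrf": vrf,
            })
    return peers


def ntp_sync_peer(output):
    """Address of the peer selected for synchronization, or None if not yet synced."""
    for p in parse_ntp_peers(output):
        if p["selected"]:
            return p["remote"]
    return None


def parse_bgp_sessions(output):
    """Return the local ASN and one dict per BGP neighbor row."""
    local_asn, sessions = None, []
    for line in output.splitlines():
        m = LOCAL_ASN.match(line)
        if m:
            local_asn = int(m.group(2))
            continue
        m = BGP_ROW.match(line)
        if m:
            nbr, asn, flaps, _times, state, _ports, _notif = m.groups()
            sessions.append({"neighbor": nbr, "asn": int(asn), "flaps": int(flaps),
                             "established": state == "E"})
    return local_asn, sessions


def check_route_reflector(output, expected_asn, expected_peers):
    """Return (ok, problems) for the spine's iBGP sessions to its route-reflector clients."""
    local_asn, sessions = parse_bgp_sessions(output)
    problems = []
    if local_asn != expected_asn:
        problems.append(f"local ASN {local_asn} != {expected_asn}")
    if len(sessions) != expected_peers:
        problems.append(f"{len(sessions)} sessions, expected {expected_peers}")
    for s in sessions:
        if s["asn"] != expected_asn:          # iBGP: every client must be in the same AS
            problems.append(f"{s['neighbor']}: remote ASN {s['asn']} is not iBGP")
        if not s["established"]:
            problems.append(f"{s['neighbor']}: session not Established")
    return (not problems), problems


if __name__ == "__main__":
    print("NTP sync peer:", ntp_sync_peer(NTP_SAMPLE))
    print("BGP RR check:", check_route_reflector(BGP_SAMPLE, expected_asn=100, expected_peers=2))
```

The reach column is worth decoding rather than eyeballing: it is an octal shift register of the last eight polls, so 37 (five consecutive successes) means the peer is reachable but the switch has only just started polling it, which is why the note above says synchronization may take a few minutes.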


Lab 2: Configure a Tenant, VRF, and Bridge Domain

Overview
Complete this lab activity to create the basic network constructs to allow communication into the ACI Fabric.
All of the labs will leverage the multi-tenancy capabilities that allow ACI to scale. ACI is designed to scale
from smaller commercial environments, which may use a single Tenant to large cloud providers with support
for 64,000 Tenants and above. A single Enterprise can also leverage Tenants to enforce administrative and
operational separation between different internal businesses or processes.
Upon completing this guided lab, you will be able to:

Create a Tenant

Create a VRF

Create a Bridge Domain

Create Subnets

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Create a Tenant


In this task, you will create a Tenant using the APIC wizard. A tenant is a container for policies to exercise
domain-based access control. A tenant represents a unit of isolation from a policy perspective, but it does not
represent a private network. Tenants can represent a customer in a service provider setting, an organization, a
domain in an enterprise setting, or just a convenient grouping of policies.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Tenants.

Note

By default there are three pre-existing tenants: common, infra, and mgmt.
The common tenant contains system generated, pre-configured policies that govern the
operation of resources accessible to all tenants, such as firewalls, load balancers, Layer 4 to
Layer 7 services, intrusion detection appliances, and so on. Common tenant policies are
configurable by the fabric administrator.
The infra (infrastructure) tenant contains policies that govern the operation of infrastructure
resources such as the fabric VXLAN overlay. It also enables a fabric provider to selectively
deploy resources to one or more user tenants.
The management tenant contains policies that govern the operation of fabric management
functions used for in-band and out-of-band configuration of fabric nodes. The management
tenant contains an out-of-band address space for the APIC/fabric internal communications that
is outside the fabric data path and that provides access through the management port of the
switches. The management tenant enables discovery and automation of communications with
virtual machine controllers.

Step 7

In the Submenu bar, click Add Tenant.

Step 8

The Create Tenant wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.
Field

Value

Name

POD## (replace ## with your assigned 2-digit Pod Number)

Description

(enter your name and/or nickname)

Note

Throughout all labs, ## refers to your pod, as assigned by your instructor. Pay very close
attention in all labs to be sure you are working in YOUR pod.
For all NterOne ACI labs, your Tenant = your Pod.

Step 9

Click the SUBMIT button to complete the Create Tenant wizard.

Step 10

The APIC GUI will take you to the Quick Start folder of the Tenant that you just created.


Task 2: Create a VRF


In this task, you will create a VRF within your Tenant.
A VRF is a unique Layer 3 forwarding and application policy domain. One or more bridge domains are
associated with a VRF. All of the endpoints within the Layer 3 domain must have unique IP addresses.
In ACI nomenclature, the terms Context, Private Network, and VRF are synonymous. Just as a router can
have multiple VRFs configured, an ACI tenant can have multiple Contexts associated with it.

Activity Procedure
Complete these steps:
Step 11

In the Navigation pane, expand Tenant POD## > Networking > VRFs.

Step 12

Right-click the VRFs folder and then select Create VRF from the context menu.

Step 13

The Create VRF wizard will appear. In STEP 1 > VRF, enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                      Value
Name                       POD##-VRF (replace ## with your assigned 2-digit Pod Number)
Create a Bridge Domain     Unchecked


Step 14

Click the FINISH button.

Note

What does Policy Enforcement mean? By default, policy enforcement is enabled on a VRF (context)
and is performed by either the ingress or the egress leaf. As traffic enters the leaf switch, the
fabric header of the packet is marked with the EPG of the source endpoint. The leaf switch then
performs a forwarding lookup on the destination IP address within the tenant space. A hit on a
host (/32) entry provides the EPG of the destination endpoint; a hit on a subnet prefix provides
the EPG of the destination subnet. In either case the lookup also returns either the local
interface or the VTEP IP address of the remote leaf switch where the destination endpoint or
subnet is present.

Note

A miss causes the packet to be sent to the forwarding proxy in the spine switch, which performs
a forwarding table lookup. If that lookup also misses, the packet is dropped. If it hits, the
packet is sent to the egress leaf switch that contains the destination endpoint. Because the
egress leaf switch knows the EPG of both the source and the destination, it performs the security
policy enforcement.

Note

On the egress leaf switch, the source IP address and source EPG are learned into the local
forwarding table. Because most flows are bidirectional, the return packet populates the
forwarding table on both sides of the flow, which enables the traffic to be filtered at ingress
in both directions.

Task 3: Create a Bridge Domain


In this task, you will create a bridge domain.

Activity Procedure
Complete these steps:
Step 15

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains.

Step 16

Right-click the Bridge Domains folder and then select Create Bridge Domain from the
context menu.


Step 17

The Create Bridge Domain wizard will appear. In STEP 1 > Main, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.
Field     Value
Name      POD##-BD (replace ## with your assigned 2-digit Pod Number)
VRF       POD##/POD##-VRF (replace ## with your assigned 2-digit Pod Number)

Step 18

Click the NEXT button. In STEP 2 > L3 Configurations, do not make any changes.

Step 19

Click the NEXT button. In STEP 3 > Advanced/Troubleshooting, do not make any changes.

Step 20

Click the FINISH button to complete the Create Bridge Domain wizard.

Task 4: Create Subnets within the Bridge Domain


In this task, you will create subnets within the bridge domain.

Activity Procedure
Complete these steps:
Step 21

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BD > Subnets.

Step 22

Right-click the Subnets folder and then select Create Subnet from the context menu.

Step 23

The Create Subnet wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.
Field          Value
Gateway IP     10.##.1.254/24 (replace ## with your assigned 2-digit Pod Number)
Scope          Private to VRF

Note

The Scope of a subnet defines the network visibility of the subnet. The scope can be:

Private to VRF: the subnet is used only within its VRF; it is neither advertised outside the
fabric nor leaked to other VRFs.
Advertised Externally: the subnet is advertised to external routers through a Layer 3 external
network (L3Out); this is the "public" scope.
Shared between VRFs: the subnet is leaked to other VRFs (in the same or in another Tenant) for
shared services, so endpoint groups in a different VRF can reach it; this is the "shared" scope.

Step 24

Click the SUBMIT button. The subnet you just created will be visible in the Subnets
subsection.

Step 25

Repeat the previous three steps to create a subnet with the Gateway IP of 10.##.2.254/24
(replace ## with your assigned 2-digit Pod Number)

Step 26

Repeat the previous three steps to create a subnet with the Gateway IP of 10.##.3.254/24
(replace ## with your assigned 2-digit Pod Number)

Step 27

In the Navigation pane, in the Subnets folder, be sure you see the three Subnets listed. Make
sure the second octet of the IP address is your Pod ##, which is the same number as your
Tenant. The screen shot here is an example for pod 11.
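The GUI steps in Tasks 1 through 4 above create a tenant, a VRF, a bridge domain and three subnets; the same objects can be created in a single call to the APIC REST API, which Labs 10 to 12 cover. The Python script below is an added example, not code from this lab guide or from Cisco. It builds the payload for pod 11 with the same object names and the Private to VRF scope, validates each gateway address before it is submitted, and shows how a session token is obtained from the APIC. The APIC address, user and password in its main section are placeholders for the lab values.

```python
"""Build (and optionally push) the Lab 2 objects through the APIC REST API.

Added example, not code from the lab guide or from Cisco. It produces the same
configuration as Lab 2 Tasks 1-4 (tenant, VRF, bridge domain, three /24 subnets
scoped Private to VRF) as one REST payload. Assumptions: the pod number and the
APIC address are supplied by the caller; the URL and credentials in main are
placeholders.
"""
import ipaddress
import json
import ssl
import urllib.request


def gateway(ip_with_prefix):
    """Validate a bridge-domain subnet gateway: it must be a usable host address."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip_with_prefix}: gateway cannot be the network or broadcast address")
    return str(iface)


def build_tenant(pod, subnet_count=3, scope="private"):
    """Object tree for POST /api/mo/uni.json: fvTenant > fvCtx, fvBD > fvRsCtx + fvSubnet."""
    p = f"POD{pod:02d}"
    # The lab uses the pod number as the second octet (10.##.x.254); a leading
    # zero is not part of the address, so pod 5 gives 10.5.x.254.
    subnets = [{"fvSubnet": {"attributes": {"ip": gateway(f"10.{pod}.{i}.254/24"),
                                            "scope": scope}}}
               for i in range(1, subnet_count + 1)]
    vrf = {"fvCtx": {"attributes": {"name": f"{p}-VRF", "pcEnfPref": "enforced"}}}
    bd = {"fvBD": {"attributes": {"name": f"{p}-BD"},
                   "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": f"{p}-VRF"}}}]
                   + subnets}}
    return {"fvTenant": {"attributes": {"name": p, "descr": f"lab pod {pod}"},
                         "children": [vrf, bd]}}


def subnet_gateways(tenant):
    """List the gateway addresses configured under every bridge domain of the tenant."""
    out = []
    for child in tenant["fvTenant"]["children"]:
        for sub in child.get("fvBD", {}).get("children", []):
            if "fvSubnet" in sub:
                out.append(sub["fvSubnet"]["attributes"]["ip"])
    return out


def apic_login(base_url, user, pwd, ctx):
    """POST /api/aaaLogin.json and return the session token (sent back as APIC-cookie)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(base_url + "/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(base_url, token, payload, ctx):
    """POST an object tree under the policy universe (uni)."""
    req = urllib.request.Request(base_url + "/api/mo/uni.json",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_tenant(11), indent=2))
    # Lab APICs present a self-signed certificate, so verification is disabled
    # here for the lab only; in production trust the APIC's CA instead.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    base = "https://192.168.10.1"                      # placeholder: rack R = 1
    token = apic_login(base, "admin", "1234QWer", ctx)  # lab credentials from Task 0
    print(apic_post(base, token, build_tenant(11), ctx))
```

The VRF is created with pcEnfPref set to enforced, the default the Policy Enforcement note above describes; the subnets are created with scope private, which is what Private to VRF selects in the GUI. The gateway check rejects the network and broadcast addresses, the two mistakes most often made when typing the 10.##.x.254/24 values by hand.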


Lab 3: Configure Policy Filters and Contracts


Overview
To build the foundation of the Application Profile, it is necessary to create Filters within a Tenant that
Contracts will use. Those Contracts will then be associated with EPGs that will make up the Application
Profile.
Complete this lab activity to become familiar with the configuration of Filters that the Contracts will
consume.
Upon completing this guided lab, you will be able to:

Create Filters

Create Contracts

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Create Filters


In this task, you will create filters to be used in the various contracts that you will create in the next Task.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Tenants.

Step 7

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 8

In the Navigation pane, expand Tenant POD## > Security Policies > Filters.

Step 9

Right-click the Filters folder and then select Create Filter from the context menu.


Step 10

The Create Filter wizard will appear. In the Name field type POD##-FILTER-ANY (replace
## with your assigned 2-digit Pod Number).

Step 11

In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field        Value
Name         ANY
EtherType    Unspecified

Step 12

Click the UPDATE button.

Step 13

Click the SUBMIT button to complete the Create Filter wizard. You should now see the filters
you just created in the Filters folder.

Step 14

Right-click the Filters folder and then select Create Filter from the context menu.

Step 15

The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-80
(replace ## with your assigned 2-digit Pod Number).

Step 16

In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                            Value
Name                             PORT-80
EtherType                        IP
IP Protocol                      tcp
Match Only Fragment              Unchecked
Stateful                         Checked
Source Port / Range From         1024
Source Port / Range To           65535
Destination Port / Range From    80
Destination Port / Range To      80
TCP Session Rules                Unspecified


Step 17

Click the UPDATE button.

Step 18

Click the SUBMIT button to complete the Create Filter wizard. You should now see the filters
you just created in the Filters folder.

Step 19

Right-click the Filters folder and then select Create Filter from the context menu.

Step 20

The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-81
(replace ## with your assigned 2-digit Pod Number).

Step 21

In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                            Value
Name                             PORT-81
EtherType                        IP
IP Protocol                      tcp
Match Only Fragment              Unchecked
Stateful                         Checked
Source Port / Range From         1024
Source Port / Range To           65535
Destination Port / Range From    81
Destination Port / Range To      81
TCP Session Rules                Unspecified

Step 22

Click the UPDATE button.

Step 23

Click the SUBMIT button to complete the Create Filter wizard. You should now see the filters
you just created in the Filters folder.

Step 24

Right-click the Filters folder and then select Create Filter from the context menu.

Step 25

The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-82
(replace ## with your assigned 2-digit Pod Number).

Step 26

In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                            Value
Name                             PORT-82
EtherType                        IP
IP Protocol                      tcp
Match Only Fragment              Unchecked
Stateful                         Checked
Source Port / Range From         1024
Source Port / Range To           65535
Destination Port / Range From    82
Destination Port / Range To      82
TCP Session Rules                Unspecified

Step 27

Click the UPDATE button.

Step 28

Click the SUBMIT button to complete the Create Filter wizard. You should now see the filters
you just created in the Filters folder.

Step 29

Right-click the Filters folder and then select Create Filter from the context menu.

Step 30

The Create Filter wizard will appear. In the Name field type POD##-FILTER-ICMP (replace
## with your assigned 2-digit Pod Number).

Step 31

In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                  Value
Name                   ICMP
EtherType              IP
IP Protocol            icmp
Match Only Fragment    Unchecked

Step 32

Click the UPDATE button.

Step 33

Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder. At this point there should be five filters listed in the
Filters folder.


Task 2: Create Contracts


In this task, you will create Contracts that will use the Filters that you created in the previous task. You will
apply these contracts in the subsequent lab exercises.

Activity Procedure
Complete these steps:
Step 34

In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.

Step 35

Right-click the Contracts folder and then select Create Contract from the context menu.

Step 36

The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-ANY
(replace ## with your assigned 2-digit Pod Number).

Step 37

In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Note

With Apply Both Directions checked, the subject's filters are applied to traffic from consumer to
provider and from provider to consumer. With Reverse Filter Ports also checked, the provider-to-
consumer rule is installed with the source and destination ports of each filter entry swapped, so
that for a filter such as POD##-FILTER-PORT-80 the server's replies (source port 80 to the client's
ephemeral port) are permitted without a second filter. If the entry is marked Stateful, that reverse
rule only permits TCP packets that carry the ACK flag, which prevents the provider from initiating
connections toward the consumer.

Step 38

In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 39

Click the UPDATE button, and then click the OK button.

Step 40

Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Step 41

Right-click the Contracts folder and then select Create Contract from the context menu.

Step 42

The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-DB-APP (replace ## with your assigned 2-digit Pod Number).

Step 43

In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 44

In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 45

Click the UPDATE button, and then click the OK button.

Step 46

Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Step 47

Right-click the Contracts folder and then select Create Contract from the context menu.

Step 48

The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-APP-WEB (replace ## with your assigned 2-digit Pod Number).

Step 49

In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 50

In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 51

Click the UPDATE button, and then click the OK button.


Step 52

Click the SUBMIT button to complete the Create Contract wizard. At this point there should
be three contracts listed in the Contracts folder.


Lab 4: Deploy a Three-Tier Application Profile


Overview
With the Filters and Contracts from the previous lab, you can now build an Application Profile. An
Application Profile is a template of network attributes and policies that can be instantiated dynamically
and inserted into the fabric without manual rework.
Application Profiles are a powerful tool for building out application connectivity and policy using repeatable
processes. Application connectivity is defined in terms of the services that each tier or component provides
and the services it consumes. Contracts define the policy for those connections; an EPG attaches to a
contract either as its provider or as its consumer.
Complete this lab activity to become familiar with the configuration of an Application Profile.
Upon completing this guided lab, you will be able to:

Build an Application Profile for a Three-Tier Application

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Create Application Profile


In this task, you will create an Application Profile.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Tenants.

Step 7

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 8

In the Navigation pane, expand Tenant POD## > Application Profiles.

Step 9

Right-click the Application Profiles folder and then select Create Application Profile from
the context menu.


Step 10

The Create Application Profile wizard will appear. In the Name field, type
POD##-APPLICATION-PROFILE (replace ## with your assigned 2-digit Pod Number).

Step 11

In the EPGs subsection, click the plus sign to create a new EPG. Enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

    Field               Value
    Name                POD##-DB-EPG (replace ## with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace ## with your assigned 2-digit Pod Number)
    Provided Contract   POD##-CONTRACT-DB-APP (replace ## with your assigned 2-digit Pod Number)

Step 12

Click the UPDATE button.

Step 13

In the EPGs subsection, click the plus sign to create a new EPG. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

    Field               Value
    Name                POD##-APP-EPG (replace ## with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace ## with your assigned 2-digit Pod Number)
    Provided Contract   POD##-CONTRACT-APP-WEB (replace ## with your assigned 2-digit Pod Number)
    Consumed Contract   POD##-CONTRACT-DB-APP (replace ## with your assigned 2-digit Pod Number)

Step 14

Click the OK button.

Step 15

In the EPGs subsection, click the plus sign to create a new EPG. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

    Field               Value
    Name                POD##-WEB-EPG (replace ## with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace ## with your assigned 2-digit Pod Number)
    Consumed Contract   POD##-CONTRACT-APP-WEB (replace ## with your assigned 2-digit Pod Number)

Step 16

Click the OK button. You should now see three EPGs listed in the EPGs pane.

Step 17

Click the SUBMIT button to complete the Create Application Profile wizard.

Step 18

In the Navigation pane, expand the Application Profiles folder, and then click the
POD##-APPLICATION-PROFILE object. In the Work pane, the first tab that is presented is the
Topology tab. This tab displays a diagram that logically represents the application profile.

Note

You may need to drag-and-drop the various icons in order to create a diagram that is easier to
view.


Step 19

In the Navigation pane, expand Tenant POD## > Security Policies > Contracts >
POD##-CONTRACT-APP-WEB. In the Work pane, the first tab that is presented is the Topology tab.
This tab displays a diagram that logically represents the contract and its relationship with the
end point groups.

Note

The arrows from an EPG to a Contract indicate a provided contract.


The arrows from a Contract to an EPG represent a consumed contract.
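The wizard above creates the same objects that the APIC REST API exposes (Labs 10 and 11 work through that API directly). The following Python is an added example and is not part of the original lab guide: it builds the three-tier Application Profile as the JSON the APIC accepts and then computes which EPG pairs the contracts actually permit. It assumes Pod 11 on Rack 1 (tenant POD11, APIC at 192.168.10.1); fvAp, fvAEPg, fvRsBd, fvRsProv and fvRsCons are the standard APIC object classes behind the wizard fields used in this lab. Nothing is sent to the APIC; the payload is only built and checked.

```python
"""Lab 4 three-tier Application Profile as an APIC REST payload, plus a check of
which EPG pairs the contracts permit.

Added example, not part of the original lab guide. Assumes Pod 11 on Rack 1
(tenant POD11, APIC 192.168.10.1). fvAp, fvAEPg, fvRsBd, fvRsProv and fvRsCons
are the standard APIC classes behind the wizard fields used in this lab.
"""
import json

POD = "11"                       # assumed pod number for this example
TENANT = f"POD{POD}"
APIC = "192.168.10.1"            # https://192.168.R0.1 with R = 1 (assumed)

# (EPG name, bridge domain, provided contracts, consumed contracts), taken
# from the Step 11, 13 and 15 tables with ## = 11.
TIERS = [
    (f"POD{POD}-DB-EPG",  f"POD{POD}-BD", [f"POD{POD}-CONTRACT-DB-APP"],  []),
    (f"POD{POD}-APP-EPG", f"POD{POD}-BD", [f"POD{POD}-CONTRACT-APP-WEB"],
     [f"POD{POD}-CONTRACT-DB-APP"]),
    (f"POD{POD}-WEB-EPG", f"POD{POD}-BD", [], [f"POD{POD}-CONTRACT-APP-WEB"]),
]


def epg_payload(name, bd, provided, consumed):
    """One fvAEPg with its bridge-domain relation and contract relations."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def app_profile_payload(ap_name, tiers):
    """The fvAp object the GUI wizard creates, with its EPGs as children."""
    return {"fvAp": {"attributes": {"name": ap_name},
                     "children": [epg_payload(*t) for t in tiers]}}


def post_url(apic_host, tenant):
    """Where the fvAp payload is POSTed: the tenant MO, addressed by its DN."""
    return f"https://{apic_host}/api/mo/uni/tn-{tenant}.json"


def permitted_pairs(tiers):
    """(consumer EPG, provider EPG) pairs joined by a contract. Traffic between
    two EPGs with no contract between them is dropped by the fabric, so this set
    is the application's complete inter-EPG allow-list."""
    providers = {}
    for name, _bd, provided, _consumed in tiers:
        for contract in provided:
            providers.setdefault(contract, set()).add(name)
    pairs = set()
    for name, _bd, _provided, consumed in tiers:
        for contract in consumed:
            for provider in providers.get(contract, ()):
                pairs.add((name, provider))
    return pairs


def dangling_contracts(tiers):
    """Contracts consumed by some EPG but provided by none. A consumer whose
    contract has no provider permits nothing, which is easy to miss in the GUI."""
    provided = {c for _n, _b, prov, _c in tiers for c in prov}
    consumed = {c for _n, _b, _p, cons in tiers for c in cons}
    return consumed - provided


if __name__ == "__main__":
    payload = app_profile_payload(f"POD{POD}-APPLICATION-PROFILE", TIERS)
    print("POST", post_url(APIC, TENANT))
    print(json.dumps(payload, indent=2))
    print("permitted:", sorted(permitted_pairs(TIERS)))
    print("dangling:", dangling_contracts(TIERS))
```

Running it prints the POST URL, the payload and the permitted pairs. The point of permitted_pairs is the pair that is absent: (WEB, DB) never appears, because no contract joins those two EPGs. dangling_contracts catches the other common mistake, an EPG consuming a contract that nothing provides. The contract and bridge-domain names are references only; the objects themselves must already exist in the tenant, as they do here after Labs 2 and 3.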


Lab 5: Configure a VMware VMM Domain


Overview
ACI can integrate with several hypervisor technologies. This lab demonstrates integration with VMware
vCenter, which allows the APIC to create policies that the VMware virtual environment can consume.
In this lab section, you will register the APIC with your virtual environment, which uses VMware vCenter
Server. This registration allows the APIC to push application policies down to the virtual machines in
your pod. That integration is shown in a later lab; this lab focuses on building the connection between the
APIC and vCenter Server.
Complete this lab activity to become familiar with registering a VMware domain in ACI.
Upon completing this guided lab, you will be able to:

Register APIC to VMware vCenter Server, creating a Distributed Virtual Switch inside VMware's
Network construct

Create vCenter Credentials and a Server object

Verify that the ACI DVS has been created and the connection between APIC and vCenter Server is
established

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a VLAN Pool


In this task, you will create a VLAN pool that will be used by the VMM domain you create in a
subsequent Task.


Note

A VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation that the VMM
domain consumes. Each time you associate an EPG to a VMM domain a VLAN ID is taken from
the VLAN pool and assigned to the virtual machine group that is created within the VMM domain
(e.g. a port group within the ACI DVS within a vCenter).

Activity Procedure
Complete these steps:
Step 8

Return to the APIC GUI running in your Chrome browser.

Step 9

In the Menu bar, click Fabric.

Step 10

In the Submenu bar, click Access Policies.

Step 11

In the Navigation pane, expand Pools > VLAN.

Step 12

Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 13

The Create VLAN Pool wizard will appear. Enter the values in the following table.

    Field             Value
    Name              POD##-VMM-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)
    Allocation Mode   Dynamic Allocation

Step 14

In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

    Field          Value
    Range (From)   3##0 (replace ## with your assigned 2-digit Pod Number)
    Range (To)     3##9 (replace ## with your assigned 2-digit Pod Number)


Step 15

Click the OK button.

Step 16

Click the SUBMIT button to complete the Create VLAN Pool wizard. You should now see the
VLAN pool you just created in the VLAN folder.

Task 2: Create a VMM Domain


In this task, you will create a VMM domain which will integrate the ACI fabric with your assigned vCenter
server.

Activity Procedure
Complete these steps:
Step 17

In the Menu bar, click VM Networking.

Step 18

In the Navigation pane, right-click the VMware folder, and then select Create vCenter
Domain from the context menu.

Step 19

The Create vCenter Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

    Field            Value
    Name             POD##-VMM-DOMAIN (replace ## with your assigned 2-digit Pod Number)
    Virtual Switch   VMware vSphere Distributed Switch
    VLAN Pool        POD##-VMM-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)

Step 20

In the vCenter Credentials subsection, click the plus sign to create a new vCenter credential.
Enter the values in the following table.

    Field                         Value
    Name                          VCENTER-CREDENTIAL
    Username                      root
    Password / Confirm Password   1234QWer

Note

The APIC stores this credential and uses it to create and manage the DVS in vCenter. The lab uses the
vCenter root account for simplicity; in a production deployment, use a dedicated vCenter service account
that holds only the privileges the VMM integration requires.

Step 21

Click the OK button.

Step 22

In the vCenter/vShield subsection, click the plus sign to create a new vCenter connection.
Enter the values in the following table; do NOT change any of the values that are not listed in
the following table.

    Field                   Value
    Type                    vCenter
    Name                    VCENTER-CONTROLLER
    Host Name               vcenter-@.dc.local (replace @ with your assigned vCenter letter)
    Datacenter              Datacenter-@ (replace @ with your assigned vCenter CAPITAL letter)
    Associated Credential   VCENTER-CREDENTIAL


Note

The name of the Datacenter must exactly match the name as it appears in the vSphere Client,
otherwise the APIC will not be able to locate and configure the correct Datacenter in the vCenter
Server. In this lab the D at the beginning of the name and the vCenter letter are capitalized; the
rest of the name is in lower case.

Step 23

Click the OK button.

Step 24

Click the SUBMIT button to complete the Create vCenter Domain wizard. You should now
see the VMM domain you just created in the VMware folder.

Task 3: Verify the APIC Connection to the vCenter Server


In this task, you will verify the APIC connection to your assigned vCenter server.

Activity Procedure
Complete these steps:
Note

The following steps show how you can also verify the connection between the APIC and the
vCenter server from the vSphere Client, by confirming that the ACI DVS has been created.

Step 25

Return to the VMware vSphere Client application.

Step 26

Press Ctrl-Shift-N to shift to the Networking section.


Step 27

Expand the Datacenter and POD##-VMM-DOMAIN folders. You will notice that a new DVS
has been created named POD##-VMM-DOMAIN and there are two default port groups: one
port group for DVS uplinks and another port group named quarantine.

Step 28

The APIC now has a connection to the VMware vCenter Server.
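As an added example that is not part of the original lab guide, the Python below builds the VLAN pool and vCenter domain from this lab as the REST payloads the APIC accepts (POSTed to /api/mo/uni/infra.json and /api/mo/uni/vmmp-VMware.json respectively) and checks a set of encap blocks for overlapping VLAN IDs before anything is pushed. The pod number, the vCenter letter and the hand-assigned PHYS-POOL block used in the check are inputs constructed for the example; fvnsVlanInstP, fvnsEncapBlk, vmmDomP, vmmUsrAccP, vmmCtrlrP, vmmRsAcc and infraRsVlanNs are the standard APIC classes behind the wizard fields.

```python
"""Lab 5 dynamic VLAN pool and VMware VMM domain as APIC REST payloads, with an
overlap check across encap blocks.

Added example, not part of the original lab guide. The pod number, vCenter
letter and any hand-assigned block are inputs chosen for the example. The
classes fvnsVlanInstP, fvnsEncapBlk, vmmDomP, vmmUsrAccP, vmmCtrlrP, vmmRsAcc
and infraRsVlanNs are the standard APIC classes behind the wizard fields.
"""
import json


def pod_vlan_range(pod):
    """Lab convention: pod ## is assigned VLAN IDs 3##0 through 3##9."""
    if not 0 <= pod <= 99:
        raise ValueError("pod number must be two digits")
    start = 3000 + pod * 10
    return start, start + 9


def pod_block(pod):
    """(pool name, first VLAN, last VLAN) for one pod."""
    lo, hi = pod_vlan_range(pod)
    return f"POD{pod:02d}-VMM-VLAN-POOL", lo, hi


def vlan_pool_payload(pod):
    """fvnsVlanInstP in dynamic allocation mode, POSTed to /api/mo/uni/infra.json.
    Dynamic mode lets the APIC hand out one VLAN per EPG-to-VMM-domain association."""
    name, lo, hi = pod_block(pod)
    return {"fvnsVlanInstP": {
        "attributes": {"name": name, "allocMode": "dynamic"},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{lo}", "to": f"vlan-{hi}"}}}]}}


def vmm_domain_payload(pod, vcenter_letter, username, password):
    """vmmDomP POSTed to /api/mo/uni/vmmp-VMware.json. The credential is stored
    on the APIC and used to manage the DVS, so in production pass a dedicated
    vCenter service account here rather than root."""
    dom = f"POD{pod:02d}-VMM-DOMAIN"
    pool = f"POD{pod:02d}-VMM-VLAN-POOL"
    return {"vmmDomP": {
        "attributes": {"name": dom},
        "children": [
            {"vmmUsrAccP": {"attributes": {
                "name": "VCENTER-CREDENTIAL", "usr": username, "pwd": password}}},
            {"vmmCtrlrP": {
                "attributes": {
                    "name": "VCENTER-CONTROLLER",
                    "hostOrIp": f"vcenter-{vcenter_letter.lower()}.dc.local",
                    # Must match the Datacenter name in vCenter exactly (see Note).
                    "rootContName": f"Datacenter-{vcenter_letter.upper()}"},
                "children": [{"vmmRsAcc": {"attributes": {
                    "tDn": f"uni/vmmp-VMware/dom-{dom}/usracc-VCENTER-CREDENTIAL"}}}]}},
            # A dynamic pool's DN carries the "-dynamic" suffix.
            {"infraRsVlanNs": {"attributes": {
                "tDn": f"uni/infra/vlanns-[{pool}]-dynamic"}}},
        ]}}


def find_overlaps(blocks):
    """Pairs of encap blocks that share at least one VLAN ID. blocks is a list of
    (pool name, first VLAN, last VLAN). Two pools that overlap and land on the
    same leaf ports produce encapsulation conflicts, so check before posting."""
    clashes = []
    for i, (name_a, lo_a, hi_a) in enumerate(blocks):
        for name_b, lo_b, hi_b in blocks[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append(tuple(sorted((name_a, name_b))))
    return sorted(clashes)


if __name__ == "__main__":
    print(json.dumps(vlan_pool_payload(11), indent=2))
    print(json.dumps(vmm_domain_payload(11, "a", "root", "1234QWer"), indent=2))
    # The 16 pod ranges in the lab are disjoint; a hand-assigned block need not be.
    print(find_overlaps([pod_block(p) for p in range(11, 27)]))
    print(find_overlaps([pod_block(11), pod_block(12), ("PHYS-POOL", 3115, 3200)]))
```

The lab's 3##0 to 3##9 convention gives every pod a disjoint ten-VLAN block, which is why find_overlaps returns nothing for pods 11 through 26. The constructed PHYS-POOL block shows the case the check exists for: a static pool assigned by hand that lands on top of two pods' dynamic ranges.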


Lab 6: Configure Baseline Interface Policies


Overview
In this lab, you will create interface policies that will be used by several of the subsequent lab exercises. The
interface policies are examples of baseline policies that you would use in a live ACI environment.
Note

The Instructor of the class should perform this lab exercise using Pod Number 00. The
policies will be used in subsequent lab exercises during instructor demonstrations.

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Create Link Level Interface Policies


In this task, you will create two Link Level Interface Policies:

A Link Level Policy for leaf switch interfaces that will be configured for a speed of 1 Gbps

A Link Level Policy for leaf switch interfaces that will be configured for a speed of 10 Gbps

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Fabric.

Step 7

In the Submenu bar, click Access Policies.

Step 8

Navigate to Interface Policies > Policies > Link Level.

Step 9

Right-click the Link Level folder and then select Create Link Level Policy from the context
menu.


Step 10

The Create Link Level Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

    Field              Value
    Name               POD##-1G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
    Auto Negotiation   Off
    Speed              1 Gbps

Step 11

Click the SUBMIT button to complete the Create Link Level Policy wizard.

Step 12

Right-click the Link Level folder and then select Create Link Level Policy from the context
menu.

Step 13

The Create Link Level Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

    Field              Value
    Name               POD##-10G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
    Auto Negotiation   Off
    Speed              10 Gbps

Step 14

Click the SUBMIT button to complete the Create Link Level Policy wizard.

Task 2: Create CDP Interface Policies



In this task, you will create two CDP Interface Policies:

A CDP Interface Policy for leaf switch interfaces that will be configured to enable CDP

A CDP Interface Policy for leaf switch interfaces that will be configured to disable CDP

Activity Procedure
Complete these steps:
Step 15

Navigate to Interface Policies > Policies > CDP Interface.

Step 16

Right-click the CDP Interface folder and then select Create CDP Interface Policy from the
context menu.

Step 17

The Create CDP Interface Policy wizard will appear. Enter the values in the following table.

    Field         Value
    Name          POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    Admin State   Enabled

Step 18

Click the SUBMIT button to complete the Create CDP Interface Policy wizard.

Step 19

Right-click the CDP Interface folder and then select Create CDP Interface Policy from the
context menu.

Step 20

The Create CDP Interface Policy wizard will appear. Enter the values in the following table.

    Field         Value
    Name          POD##-DISABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    Admin State   Disabled


Step 21

Click the SUBMIT button to complete the Create CDP Interface Policy wizard.

Task 3: Create LLDP Interface Policies


In this task, you will create two LLDP Interface Policies:

An LLDP Interface Policy for leaf switch interfaces that will be configured to enable LLDP

An LLDP Interface Policy for leaf switch interfaces that will be configured to disable LLDP

Activity Procedure
Complete these steps:
Step 22

Navigate to Interface Policies > Policies > LLDP Interface.

Step 23

Right-click the LLDP Interface folder and then select Create LLDP Interface Policy from
the context menu.

Step 24

The Create LLDP Interface Policy wizard will appear. Enter the values in the following table.

    Field            Value
    Name             POD##-ENABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    Receive State    Enabled
    Transmit State   Enabled


Step 25

Click the SUBMIT button to complete the Create LLDP Interface Policy wizard.

Step 26

Right-click the LLDP Interface folder and then select Create LLDP Interface Policy from
the context menu.

Step 27

The Create LLDP Interface Policy wizard will appear. Enter the values in the following table.

    Field            Value
    Name             POD##-DISABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    Receive State    Disabled
    Transmit State   Disabled

Step 28

Click the SUBMIT button to complete the Create LLDP Interface Policy wizard.

Task 4: Create PortChannel Policies


In this task, you will create two PortChannel Policies:

A PortChannel Policy for leaf switch interfaces that will be added to a port channel that uses LACP
in active mode

A PortChannel Policy for leaf switch interfaces that will be added to a port channel that does not use
LACP (static mode)

Activity Procedure
Complete these steps:


Step 29

Navigate to Interface Policies > Policies > PortChannel Policies.

Step 30

Right-click the PortChannel Policies folder and then select Create PortChannel Policy from
the context menu.

Step 31

The Create PortChannel Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

    Field   Value
    Name    POD##-ACTIVE-PORTCHANNEL-POLICY (replace ## with your assigned 2-digit Pod Number)
    Mode    LACP Active

Step 32

Click the SUBMIT button to complete the Create PortChannel Policy wizard.

Step 33

Right-click the PortChannel Policies folder and then select Create PortChannel Policy from
the context menu.

Step 34

The Create PortChannel Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

    Field   Value
    Name    POD##-STATIC-PORTCHANNEL-POLICY (replace ## with your assigned 2-digit Pod Number)
    Mode    Static Channel Mode On


Step 35

Click the SUBMIT button to complete the Create PortChannel Policy wizard.


Lab 7: Integrate VMware ESXi Hosts into the ACI Fabric


Overview
In this lab, you will add the two ESXi hosts to the ACI DVS. This allows the EPGs defined in the APIC to
be associated with the VMware virtual environment. You will use the VMware vSphere Client to add the
hosts to the ACI DVS.
This lab completes the foundation that lets the APIC create EPGs, which in turn causes VMware port groups
to be created for the virtual machines to use. This setup allows the APIC to distribute policies to the
VMware virtual environment.
Complete this lab activity to become familiar with associating VMware ESXi hosts with the ACI DVS.
Upon completing this guided lab, you will be able to:

Add ESXi hosts to the ACI DVS

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create an Attachable Access Entity Profile


In this task, you will create an Attachable Access Entity Profile that will contain the VMM domain that you
created previously.
Note

An attachable access entity profile (AEP) represents a group of external entities with similar
infrastructure policy requirements. The infrastructure policies consist of physical interface
policies, for example, Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP),
maximum transmission unit (MTU), and Link Aggregation Control Protocol (LACP). A Virtual
Machine Manager (VMM) domain automatically derives the physical interface policies from the
interface policy groups that are associated with an AEP.

Activity Procedure
Complete these steps:
Note

WARNING: Only one student per vCenter server may perform the steps in this Task.

Note

WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 8

In the Menu bar, click Fabric.

Step 9

In the Submenu bar, click Access Policies.

Step 10

Navigate to Global Policies > Attachable Access Entity Profiles.

Step 11

Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 12

The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.

    Field                        Value
    Name                         VCENTER-@-AEP (replace @ with your assigned vCenter letter)
    Enable Infrastructure VLAN   Checked

Step 13

Click the NEXT button. In STEP 2 > Association to Interfaces, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

    Field              Value
    vSwitch Policies   Specify
    CDP Policy         POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    LLDP Policy        POD##-DISABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)

Step 14

Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Task 2: Add the VMM Domain to the AEP


In this task, you will add the VMM domain that you created previously to the vCenter AEP.

Activity Procedure
Complete these steps:
Note

All students should perform this task.

Step 15

Navigate to Global Policies > Attachable Access Entity Profiles > VCENTER-@-AEP.

Step 16

In the Work pane, in the Domains (VMM, Physical or External) Associated to Interfaces
subsection, click the plus sign to associate your VMM domain.

Step 17

A Policy Usage Warning will appear indicating the other objects that will be affected by the
changes. Click the CONTINUE button.

Step 18

In the NAME drop-down list, select POD##-VMM-DOMAIN (replace ## with your assigned two-digit
Pod Number).


Step 19

Click the UPDATE button.

Task 3: Create an Interface Policy Group


In this task, you will create an Interface Policy Group that will be used in a subsequent Task. The CDP
and LLDP policies selected here match the vSwitch policy set on the AEP (CDP enabled, LLDP disabled),
so the leaf port and the DVS speak the same discovery protocol; the APIC relies on that adjacency to
learn which leaf port each ESXi host is attached to.

Activity Procedure
Complete these steps:
Note

WARNING: Only one student per ESXi Host may perform the steps in this Task.

Note

WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 20

Navigate to Interface Policies > Policy Groups.

Step 21

Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 22

The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

    Field                     Value
    Name                      ESXI-@@-INTERFACE-POLICY-GROUP (replace @@ with your assigned ESXi host ID)
    Link Level Policy         POD##-10G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
    CDP Policy                POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    LLDP Policy               POD##-DISABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
    Attached Entity Profile   VCENTER-@-AEP (replace @ with your assigned vCenter letter)

Step 23

Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Task 4: Create an Interface Profile


In this task, you will create an Interface Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Note

WARNING: Only one student per ESXi Host may perform the steps in this Task.

Note

WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 24

Navigate to Interface Policies > Profiles.

Step 25

Right-click the Profiles folder and then select Create Interface Profile from the context menu.


Step 26

The Create Interface Profile wizard will appear. In the Name field, type
ESXI-@@-INTERFACE-PROFILE (replace @@ with your assigned ESXi host ID).

WARNING: Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 27

In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

    Field                    Value
    Name                     INTERFACE-SELECTOR
    Interface ID             ESXi-A1: 1/33    ESXi-A2: 1/34
                             ESXi-B1: 1/35    ESXi-B2: 1/36
                             ESXi-C1: 1/37    ESXi-C2: 1/38
                             ESXi-D1: 1/39    ESXi-D2: 1/40
    Interface Policy Group   ESXI-@@-INTERFACE-POLICY-GROUP (replace @@ with your assigned ESXi host ID)

Step 28

Click the OK button to complete the Create Access Port Selector wizard.

Step 29

Click the SUBMIT button to complete the Create Interface Profile wizard.

Task 5: Create a Switch Profile



In this task, you will create a Switch Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Note

Only one student per ESXi Host may perform the steps in this Task.

Note

Identify which student will complete this Task. If you are not the student selected to
complete this Task, do not make any configuration changes in the APIC GUI.

Step 30

Navigate to Switch Policies > Profiles.

Step 31

Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 32

The Create Switch Profile wizard will appear. In STEP 1 > PROFILE, in the Name field,
type ESXI-@@-SWITCH-PROFILE (replace @@ with your assigned ESXi host ID).

WARNING: Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 33

In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

    Field    Value
    Name     SWITCH-SELECTOR
    Blocks   ESXi-A1: 101    ESXi-A2: 103
             ESXi-B1: 101    ESXi-B2: 103
             ESXi-C1: 101    ESXi-C2: 103
             ESXi-D1: 101    ESXi-D2: 103

Step 34

Click the UPDATE button.


Step 35

Click the NEXT> button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select ESXI-@@-INTERFACE-PROFILE (replace @@ with your assigned ESXi host
ID).

Step 36

Click the FINISH button to complete the Create Switch Profile wizard.

Step 37

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 38

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 39

From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.

Step 40

Log in to Leaf-2 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

WARNING

Slow down and be VERY careful verifying the following entries. Be sure to review the NterOne
Resource Guide right now. Note the drawing that shows only one cable from each ESXi host to
a leaf switch, and that the other ESXi host connects to the other leaf switch.

Step 41

Execute the show interface e1/XX brief command using the interface number corresponding to
your ESXi host. This command will show you the status of the interface connected to your
ESXi host. The interface should be in the up state, however there will not be any traffic between
the leaf switch and the ESXi host until the ESXi host has been configured to use the interface.

    Interface ID
    ESXi-A1: Leaf-1 1/33    ESXi-A2: Leaf-2 1/34
    ESXi-B1: Leaf-1 1/35    ESXi-B2: Leaf-2 1/36
    ESXi-C1: Leaf-1 1/37    ESXi-C2: Leaf-2 1/38
    ESXi-D1: Leaf-1 1/39    ESXi-D2: Leaf-2 1/40

Leaf-1# show interface e1/XX brief

--------------------------------------------------------------------------------
Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                      Ch #
--------------------------------------------------------------------------------
Eth1/XX         0       eth  trunk  up      none                     10G(D)    --
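The GUI steps in Tasks 3 to 5 create a chain of three access-policy objects that reference each other by distinguished name: the interface policy group carries the Lab 6 policies and the AEP, the interface profile selects a leaf port and points at the policy group, and the switch profile selects a leaf node and points at the interface profile. The Python below is an added example rather than the lab's own material: it generates that chain for one ESXi host from the host, leaf and port tables above, and checks the mapping for two hosts claiming the same leaf port, the mistake the WARNING boxes guard against. Pod 11 is assumed, as is the convention that ESXi host A1 belongs to vCenter A; the object classes (infraAccPortGrp, infraAccPortP, infraHPortS, infraPortBlk, infraNodeP, infraLeafS, infraNodeBlk and their Rs relations) are the standard APIC classes under uni/infra. Nothing is posted.

```python
"""Lab 7 access-policy chain (interface policy group, interface profile with port
selector, switch profile) for one ESXi host, generated from the lab's mapping
tables, plus a duplicate-port check on that mapping.

Added example, not part of the original lab guide. Pod 11 and the host-letter to
vCenter-letter convention are assumptions. The classes used are standard APIC
REST classes under uni/infra.
"""
import json

# Lab 7 mapping: host ID -> (leaf node ID, interface). Leaf-1 is node 101 and
# Leaf-2 is node 103 in this lab, per the switch selector and verification tables.
ESXI_PORTS = {
    "A1": (101, "1/33"), "A2": (103, "1/34"),
    "B1": (101, "1/35"), "B2": (103, "1/36"),
    "C1": (101, "1/37"), "C2": (103, "1/38"),
    "D1": (101, "1/39"), "D2": (103, "1/40"),
}


def duplicate_ports(mapping):
    """(host, earlier host) pairs where both claim the same leaf port. Two
    interface profiles selecting one port give it two policy groups, which the
    APIC reports as a fault, so catch it before posting anything."""
    seen, dupes = {}, []
    for host, (node, port) in sorted(mapping.items()):
        key = (node, port)
        if key in seen:
            dupes.append((host, seen[key]))
        seen.setdefault(key, host)
    return dupes


def policy_group_payload(host, pod):
    """infraAccPortGrp with the Lab 6 policies and the vCenter AEP, POSTed to
    /api/mo/uni/infra/funcprof.json. Assumes host A1 belongs to vCenter A."""
    aep = f"VCENTER-{host[0]}-AEP"
    return {"infraAccPortGrp": {
        "attributes": {"name": f"ESXI-{host}-INTERFACE-POLICY-GROUP"},
        "children": [
            {"infraRsHIfPol": {"attributes": {
                "tnFabricHIfPolName": f"POD{pod:02d}-10G-LINK-LEVEL-POLICY"}}},
            {"infraRsCdpIfPol": {"attributes": {
                "tnCdpIfPolName": f"POD{pod:02d}-ENABLE-CDP-INTERFACE-POLICY"}}},
            {"infraRsLldpIfPol": {"attributes": {
                "tnLldpIfPolName": f"POD{pod:02d}-DISABLE-LLDP-INTERFACE-POLICY"}}},
            {"infraRsAttEntP": {"attributes": {"tDn": f"uni/infra/attentp-{aep}"}}},
        ]}}


def interface_profile_payload(host, port):
    """infraAccPortP with one range selector for the host's port, POSTed to
    /api/mo/uni/infra.json."""
    card, port_no = port.split("/")
    return {"infraAccPortP": {
        "attributes": {"name": f"ESXI-{host}-INTERFACE-PROFILE"},
        "children": [{"infraHPortS": {
            "attributes": {"name": "INTERFACE-SELECTOR", "type": "range"},
            "children": [
                {"infraPortBlk": {"attributes": {
                    "name": "block1", "fromCard": card, "toCard": card,
                    "fromPort": port_no, "toPort": port_no}}},
                {"infraRsAccBaseGrp": {"attributes": {
                    "tDn": f"uni/infra/funcprof/accportgrp-ESXI-{host}-INTERFACE-POLICY-GROUP"}}},
            ]}}]}}


def switch_profile_payload(host, node):
    """infraNodeP selecting one leaf node and attaching the interface profile."""
    return {"infraNodeP": {
        "attributes": {"name": f"ESXI-{host}-SWITCH-PROFILE"},
        "children": [
            {"infraLeafS": {
                "attributes": {"name": "SWITCH-SELECTOR", "type": "range"},
                "children": [{"infraNodeBlk": {"attributes": {
                    "name": "block1", "from_": str(node), "to_": str(node)}}}]}},
            {"infraRsAccPortP": {"attributes": {
                "tDn": f"uni/infra/accportprof-ESXI-{host}-INTERFACE-PROFILE"}}},
        ]}}


def host_chain(host, pod, mapping=ESXI_PORTS):
    """The three payloads for one host, in the order to POST them so that each
    relation resolves to an object that already exists."""
    node, port = mapping[host]
    return [policy_group_payload(host, pod),
            interface_profile_payload(host, port),
            switch_profile_payload(host, node)]


if __name__ == "__main__":
    print("duplicates:", duplicate_ports(ESXI_PORTS))
    for mo in host_chain("A1", 11):
        print(json.dumps(mo, indent=2))
```

The order returned by host_chain matters: the port selector's infraRsAccBaseGrp and the switch profile's infraRsAccPortP are relations by DN, and the APIC will accept them before their targets exist but leave them unresolved, which is the same symptom a typo in any of the names in the tables above produces.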

Task 6: Add ESXi Hosts to the ACI DVS


In this task, you will add ESXi hosts to the ACI DVS that has been created by the APIC within the vCenter
server.

Activity Procedure
Complete these steps:
Note

All students should perform this Task.

Step 42

Return to the VMware vSphere Client application.

Step 43

Press Ctrl-Shift-N to shift to the Networking section.

Step 44

Navigate to vCenter-@ > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-DOMAIN.

Step 45

Right-click the POD##-VMM-DOMAIN distributed switch and select Add Host from the
context menu.

Step 46

The Add Host to vSphere Distributed Switch wizard will appear. The first step of the wizard
is Select Host and Physical Adapters.

WARNING

Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 47

You will be selecting one vmnic interface from both of the hosts listed; these vmnics will be
connected to your VMM domain distributed virtual switch. There will be several physical
adapters listed under each host. Use the following table to determine the vmnic interfaces that
you should select; select the same vmnic interface on both hosts.

    Pod Number   First ESXi Host     Vmnic Interface   Second ESXi Host    Vmnic Interface
    11           esxi-a1.dc.local    vmnic5            esxi-a2.dc.local    vmnic5
    12           esxi-a1.dc.local    vmnic6            esxi-a2.dc.local    vmnic6
    13           esxi-a1.dc.local    vmnic7            esxi-a2.dc.local    vmnic7
    14           esxi-a1.dc.local    vmnic8            esxi-a2.dc.local    vmnic8
    15           esxi-b1.dc.local    vmnic5            esxi-b2.dc.local    vmnic5
    16           esxi-b1.dc.local    vmnic6            esxi-b2.dc.local    vmnic6
    17           esxi-b1.dc.local    vmnic7            esxi-b2.dc.local    vmnic7
    18           esxi-b1.dc.local    vmnic8            esxi-b2.dc.local    vmnic8
    19           esxi-c1.dc.local    vmnic5            esxi-c2.dc.local    vmnic5
    20           esxi-c1.dc.local    vmnic6            esxi-c2.dc.local    vmnic6
    21           esxi-c1.dc.local    vmnic7            esxi-c2.dc.local    vmnic7
    22           esxi-c1.dc.local    vmnic8            esxi-c2.dc.local    vmnic8
    23           esxi-d1.dc.local    vmnic5            esxi-d2.dc.local    vmnic5
    24           esxi-d1.dc.local    vmnic6            esxi-d2.dc.local    vmnic6
    25           esxi-d1.dc.local    vmnic7            esxi-d2.dc.local    vmnic7
    26           esxi-d1.dc.local    vmnic8            esxi-d2.dc.local    vmnic8

Step 48

Click the Next button.

Step 49

The Network Connectivity step will appear. Click the Next button.

Step 50

The Virtual Machine Networking step will appear. Click the Next button.

Step 51

The Ready to Complete step will appear.


Step 52

Click the Finish button.

Step 53

Click the Hosts tab in the Work pane. You should see your ESXi hosts listed there and in a
connected state.

Step 54

Return to the PuTTY session to your leaf switch.

Step 55

Execute the show cdp neighbors command. You should see that the leaf switch is receiving
CDP information from the ESXi host. It may take a few minutes for the CDP entries to appear.

Leaf-1# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute

Device-ID            Local Intrfce   Hldtme   Capability   Platform      Port ID
esxi-@@.dc.local     Eth1/??         143      S            VMware ESX    vmnic?

Lab 8: Associate EPGs to a VMware VMM Domain


Overview
With the ESXi hosts connected to the ACI DVS in the previous lab, you can now associate the EPGs
that you created with the VMware virtual environment, so that the VMs can fully utilize the ACI fabric
infrastructure.
Complete this lab activity to become familiar with configuring EPGs with a VMware vSphere domain.

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Associate the vCenter Domain to the APP EPG


In this task, you will associate the vCenter Domain to the APP EPG.

Activity Procedure
Complete these steps:
Step 8

In the Menu bar, click Tenants.

Step 9

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 10

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-APP-EPG.

Step 11

Right-click the EPG POD##-APP-EPG folder and then select Add VMM Domain
Association from the context menu.


Step 12

The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                   Value
VMM Domain Profile      VMware/POD##-VMM-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Deploy Immediacy        Immediate
Resolution Immediacy    Immediate

Note

Resolution Immediacy controls when the policies are downloaded to the leaf. Immediate
specifies that EPG policies (including contracts and filters) are downloaded to the leaf upon
hypervisor attachment to VDS. LLDP or OpFlex permissions are used to resolve the hypervisor
to leaf node attachments. On Demand specifies that EPG policies are downloaded to the leaf
only when a pNIC attaches to the hypervisor connector and a VM is placed in the port group
(EPG).

Note

Deploy Immediacy controls when the policy is pushed into the hardware policy CAM. Immediate
specifies that the policy is programmed in the hardware policy CAM as soon as the policy is
downloaded in the leaf software. On Demand specifies that the policy is programmed in the
hardware policy CAM only when the first packet is received through the data path. This process
helps to optimize the hardware space.

Step 13

Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 2: Associate the vCenter Domain to the DB EPG


In this task, you will associate the vCenter Domain to the DB EPG.

Activity Procedure

Complete these steps:


Step 14

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG.

Step 15

Right-click the EPG POD##-DB-EPG folder and then select Add VMM Domain Association
from the context menu.

Step 16

The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                   Value
VMM Domain Profile      VMware/POD##-VMM-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Deploy Immediacy        Immediate
Resolution Immediacy    Immediate

Step 17

Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 3: Associate the vCenter Domain to the WEB EPG


In this task, you will associate the vCenter Domain to the WEB EPG.

Activity Procedure
Complete these steps:
Step 18

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.

Step 19

Right-click the EPG POD##-WEB-EPG folder and then select Add VMM Domain
Association from the context menu.

Step 20

The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                   Value
VMM Domain Profile      VMware/POD##-VMM-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Deploy Immediacy        Immediate
Resolution Immediacy    Immediate

Step 21

Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 4: Verify the Creation of the ACI DVS Port Groups within vCenter
In this task, you will verify that the correct ACI DVS port groups were created within the vCenter.

Activity Procedure
Complete these steps:
Step 22

Return to the VMware vSphere Client application.

Step 23

Press Ctrl-Shift-N to shift to the Networking section.

Step 24

Navigate to vCenter-@ > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-DOMAIN.

Step 25

There should be three new port groups listed under the ACI DVS, each of which corresponds
to one of the EPGs within your application profile. The name of each port group is a
combination of the Tenant, Application Profile, and EPG names. If the port groups don't show
up, review your prior lab steps for any misconfigurations.

Step 26

Right-click one of the port groups that were created and then select Edit Settings from the
context menu.

Step 27

In the Settings window that appears, click VLAN on the left-hand side. You will see the VLAN
ID that the APIC assigned to the port group. The VLAN ID was taken from the VLAN pool that is
associated with the VMM domain, which in turn is associated with vCenter.

Step 28

Look at the other settings of the port group which were assigned by the APIC.

Step 29

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 30

Log in to Leaf-1 using the following information:


Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 31

Execute the show vrf command. You should now see that a VRF has been created in the fabric
corresponding to the VRF used by your application profile (within your pod). The name of the
VRF will be the combination of the names of the Tenant and Private Network (VRF).

Leaf-1# show vrf
 VRF-Name                           VRF-ID State    Reason
 black-hole                              3 Up       --
 management                              2 Up       --
 overlay-1                               4 Up       --
 POD11:POD11-VRF                         5 Up       --
 POD12:POD12-VRF                         6 Up       --
 <output omitted>

Step 32

Execute the show vlan extended command. You should now see that VLANs have been
created corresponding to the EPGs that you have associated to the vCenter server.

Leaf-1# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 13   infra:default                    active    Eth1/1, Eth1/33
 14   POD11:POD11-BD                   active    Eth1/33
 15   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-APP-EPG
 16   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-WEB-EPG
 17   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-DB-EPG

 VLAN Type  Vlan-mode  Encap
 ---- ----  ---------  -------------------------------
 13   enet  CE         vxlan-16777209, vlan-4093
 14   enet  CE         vxlan-16646014
 15   enet  CE         vlan-3117
 16   enet  CE         vlan-3114
 17   enet  CE         vlan-3111


Lab 9: Associate Virtual Machines with ACI DVS Port Groups

Overview
In this lab, you will convert the VMs from using the native vSwitch to the ACI DVS port groups. This action
completes the integration of the APIC with the virtualized environment, providing full visibility and
manageability of the virtualized environment from the APIC. Services and policies can now be inserted and
provisioned dynamically while being managed from a centralized management tool.
Complete this lab activity to become familiar with configuring a virtual machine with an EPG port group.
Upon completing this guided lab, you will be able to:

Associate virtual machines with ACI DVS port groups

Verify connectivity between virtual machines

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Add the App Server VM to the ACI DVS


In this task, you will configure the network adapter within the App Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 8

Return to the VMware vSphere Client application. Be sure you are connected to your vCenter,
and not to any ESXi host directly.


Step 9

Press Ctrl-Shift-H to shift to the Hosts section.

Step 10

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace ##
with your assigned Pod number):

Virtual Machine   IP Address       Default Gateway
Pod##-App         10.##.1.1 /24    10.##.1.254
Pod##-DB          10.##.2.1 /24    10.##.2.254
Pod##-Web         10.##.3.1 /24    10.##.3.254

Step 11

Right-click the Pod##-App VM and then select Edit Settings from the context menu.

Step 12

The Virtual Machine Properties for Pod##-App will appear.

Step 13

In the left-hand side of the window select Network adapter 1.

Step 14

In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-APP-EPG from the drop-down list.


Step 15

Click the OK button to save the changes to the properties of the virtual machine

Step 16

Right-click the Pod##-App VM and then select Power > Power On from the context menu.

Step 17

After a few seconds you should see the powered on icon next to the virtual machine. If you see
this, skip ahead to the next Task.

Step 18

In some cases it is possible that when you power on a virtual machine you will see a small i
appear on the virtual machine icon:

Step 19

If this occurs, select the virtual machine, and then select the Summary tab in the Work pane.
You will see a question presented to you regarding the state of the virtual machine.


Step 20

Select I Moved It and then click the OK button. The VM will then complete the power on
process.

Task 2: Add the DB Server VM to the ACI DVS


In this task, you will configure the network adapter within the DB Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 21

Right-click the Pod##-DB VM and then select Edit Settings from the context menu.

Step 22

The Virtual Machine Properties for Pod##-DB will appear.

Step 23

In the left-hand side of the window select Network adapter 1.

Step 24

In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-DB-EPG from the drop-down list.

Step 25

Click the OK button to save the changes to the properties of the virtual machine

Step 26

Right-click the Pod##-DB VM and then select Power > Power On from the context menu.

Task 3: Add the Web Server VM to the ACI DVS


In this task, you will configure the network adapter within the Web Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 27

Right-click the Pod##-Web VM and then select Edit Settings from the context menu.

Step 28

The Virtual Machine Properties for Pod##-Web will appear.

Step 29

In the left-hand side of the window select Network adapter 1.

Step 30

In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-WEB-EPG from the drop-down list.

Step 31

Click the OK button to save the changes to the properties of the virtual machine

Step 32

Right-click the Pod##-Web VM and then select Power > Power On from the context menu.


Task 4: Verify Connectivity between the Pod Virtual Machines


In this task, you will verify that all of the steps necessary to configure network connectivity between the Pod
virtual machines have been taken.

Activity Procedure
Complete these steps:
Step 33

Right-click the Pod##-App VM and then select Open Console from the context menu.

Step 34

The console window for Pod##-App will appear. You will see the App server's desktop.

Step 35

Open a Command Prompt window.

Step 36

Verify that the App server can ping the DB server using the ping 10.##.2.1 command.

Step 37

Verify that the App server can ping the Web server using the ping 10.##.3.1 command.

Step 38

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 39

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 40

Execute the show mac address-table command. You should now see the MAC addresses for
the virtual machines in your Pod.

Leaf-1# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 14       0050.569a.456e   dynamic   -        F      F    eth1/33
* 15       0050.569a.5e25   dynamic   -        F      F    eth1/33
* 16       0050.569a.0a8a   dynamic   -        F      F    eth1/33
* 7        88f0.313c.97f2   dynamic   -        F      F    eth1/1

Step 41

The output of the show mac address-table command does not give you much information about
the virtual machines and the port groups (EPGs) to which they belong. Execute the show
endpoint detail command to see more information about the virtual machines. In the output
you can see the MAC address of each virtual machine, the name of the port group, and the
VLAN ID assigned to the port group to which it belongs.

Leaf-1# show endpoint detail
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
      VLAN/         Encap           MAC Address       MAC Info/      Interface       Endpoint Group
      Domain        VLAN            IP Address        IP Info                        Info
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
15                  vlan-3117       0050.569a.456e    O              eth1/34        POD11:POD11-APPLICATION-PROFILE:POD11-APP-EPG
POD11:POD11-VRF     vlan-3117       10.11.1.1         O
16                  vlan-3114       0050.569a.0a8a    L              eth1/33        POD11:POD11-APPLICATION-PROFILE:POD11-WEB-EPG
POD11:POD11-VRF     vlan-3114       10.11.3.1         L
17                  vlan-3111       0050.569a.5e25    L              eth1/33        POD11:POD11-APPLICATION-PROFILE:POD11-DB-EPG
POD11:POD11-VRF     vlan-3111       10.11.2.1         L
overlay-1                           172.19.16.95      L
13/overlay-1        vxlan-16777209  a0ec.f985.1a2f    L              eth1/1         infra:default


Lab 10: Configure the APIC Using the REST API (Postman)

Overview
Complete this lab activity to become familiar with the ability to configure the APIC controller with the REST
API. The goal is to highlight the ease of ACI Programmability versus using a traditional GUI approach.
Upon completing this guided lab, you will be able to:

Use the Chrome plug-in Postman

Create a complete Tenant and Application Profile configuration using the REST API

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Open the Postman Plug-in for Google Chrome


In this task, you will open the Postman plug-in for Google Chrome and familiarize yourself with the Postman
application.

Activity Procedure
Complete these steps:
Step 6

In the Chrome browser, in the upper left-hand side of the window, click the Apps button.

Step 7

Icons for the Google plug-ins that have been installed in the Chrome browser will appear. Click
the Postman icon.


Step 8

The Postman application will start in another window. The following table describes the
important parts of the Postman interface.

Item Number   Description
1             History Tab: a running list of all REST commands sent during this session
2             Collections Tab: a location where you can save REST commands for future use
3             HTTP Method type (POST, GET, DELETE, etc.)
4             URL of the REST API call to the target device (e.g. the APIC)
5             Send button: executes the configured REST command
6             Identifies how the data sent (in item 8) will be encoded
7             Identifies the type of data being sent (in item 8) in the REST command
8             Data to be sent within the REST command

Step 9

After you send a command to the REST API of the target device (e.g. the APIC), a response (or
error) is returned from the device and displayed in the lower half of the Postman interface.

Item Number   Description
1             Output style selector
2             Output format selector
3             Word Wrap toggle
4             HTTP return code of the last REST command
5             Data returned by the device to Postman


Task 2: Create a Login Request for the APIC REST API


Before you can interact with the APIC using the REST API you must be authenticated by the APIC. Once
you are authenticated then you can read information from or make changes to the configuration of the APIC.
In this task, you will configure a login request for the APIC.

Activity Procedure
Complete these steps:
Step 10

In the Postman interface, choose POST from the HTTP Methods drop-down menu.

Step 11

In the URL field, type http://192.168.R0.1/api/aaaLogin.xml (replace R with your ACI
Rack Number).

Note

It may be simpler to enter this URL by copying and pasting it from this document into Postman.

Step 12

Click the Body tab; this is the location where the data that will be sent to the APIC will be
entered.

Step 13

Click the raw radio button to set the data encoding method.

Step 14

In the Data Type drop-down list, select XML (text/xml).

Step 15

Type the following in the text field under the raw button:
<aaaUser name="admin" pwd="1234QWer" />

Note

It may be simpler to enter this text by copying and pasting it from this document into Postman.


Step 16

Click the blue Send button.

Step 17

You should see the following results, indicating a successful login to the APIC.

Note

You can reuse this login sequence by selecting the correct entry in the History tab and then
clicking Send again.

Note

If you incorrectly configure the login request you will see a response similar to the following
image:

Task 3: Create an Application Profile Using the REST API


In this task, you will create a complete Tenant and Application Profile configuration using the REST API.

Activity Procedure
Complete these steps:
Step 18

In the Postman window, click the plus sign to create a new tab.


Step 19

In the new tab, choose POST from the HTTP Methods drop-down menu.

Step 20

In the URL field, type http://192.168.R0.1/api/mo/uni.xml (replace R with your ACI Rack
Number).

Step 21

Click the Body tab; this is the location where the data that will be sent to the APIC will be
entered.

Step 22

Click the raw radio button to set the data encoding method.

Step 23

In the Data Type drop-down list, select XML (text/xml).

Step 24

On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 25

Navigate to the S:\DCAC9K folder.

Step 26

Locate your pod-specific XML file, which is named POD##-REST (replace ## with your
assigned 2-digit Pod number).

Step 27

Right-click on your pod-specific XML file name, and then select Edit with Notepad++ from
the context menu.

Step 28

The Notepad++ application will start and display the contents of your pod-specific XML file.


Step 29

Copy all of the XML in the file, and then paste it into the raw section in the Postman interface.

Step 30

Click the Send button.

Step 31

You should see the following return code in the Body section beneath the Send button:

Note

If you see the return code below, you need to re-authenticate to the APIC.
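The same two requests that Tasks 2 and 3 send from Postman (POST to /api/aaaLogin.xml, then POST a tenant tree to /api/mo/uni.xml with the returned token), written as an added example script that is not the lab's POD##-REST file and uses only the Python standard library. The tenant tree it builds is constructed for this example: a tenant POD##-REST with a VRF, a bridge domain, the application profile 3-Tier_App and three EPGs, each attached to the VMware VMM domain through an fvRsDomAtt object whose instrImedcy and resImedcy attributes carry the Deploy Immediacy and Resolution Immediacy values described in the Lab 8 notes ("lazy" is the object-model value for On Demand). The script defaults to https:// so that the password and the session token do not cross the network in clear text, which the lab's http:// URL would do; the verify_tls switch exists only for a lab APIC with a self-signed certificate.

```python
"""Log in to an APIC and push a tenant/application-profile tree over the
REST API, the two steps Lab 10 performs with Postman.  Added example, not
the lab's POD##-REST file; standard library only."""
import getpass
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple


class ApicError(Exception):
    """Raised when the APIC answers with an <error> element."""


def login_body(user: str, pwd: str) -> str:
    """Body for POST /api/aaaLogin.xml.  ElementTree escapes quotes and
    ampersands, so a password such as p"w&d cannot break the XML."""
    return ET.tostring(ET.Element("aaaUser", name=user, pwd=pwd), encoding="unicode")


def parse_login_response(xml_text: str) -> str:
    """Return the session token from an aaaLogin reply, or raise ApicError
    carrying the APIC's own error code and text."""
    root = ET.fromstring(xml_text)
    err = root.find("error")
    if err is not None:
        raise ApicError(f"{err.get('code')}: {err.get('text')}")
    login = root.find("aaaLogin")
    if login is None or not login.get("token"):
        raise ApicError("reply carries no aaaLogin token")
    return login.get("token")


def tenant_payload(pod: str, vmm_domain: str,
                   deploy: str = "immediate", resolution: str = "immediate") -> str:
    """Body for POST /api/mo/uni.xml: tenant POD##-REST with a VRF, a bridge
    domain, application profile 3-Tier_App and three EPGs, each attached to
    the VMware VMM domain.  On fvRsDomAtt, instrImedcy is Deploy Immediacy
    and resImedcy is Resolution Immediacy ("lazy" means On Demand).
    The tree itself is constructed for this example."""
    tn = ET.Element("fvTenant", name=f"POD{pod}-REST")
    ET.SubElement(tn, "fvCtx", name=f"POD{pod}-VRF")
    bd = ET.SubElement(tn, "fvBD", name=f"POD{pod}-BD")
    ET.SubElement(bd, "fvRsCtx", tnFvCtxName=f"POD{pod}-VRF")
    ap = ET.SubElement(tn, "fvAp", name="3-Tier_App")
    for tier in ("WEB", "APP", "DB"):
        epg = ET.SubElement(ap, "fvAEPg", name=f"POD{pod}-{tier}-EPG")
        ET.SubElement(epg, "fvRsBd", tnFvBDName=f"POD{pod}-BD")
        ET.SubElement(epg, "fvRsDomAtt", tDn=f"uni/vmmp-VMware/dom-{vmm_domain}",
                      instrImedcy=deploy, resImedcy=resolution)
    return ET.tostring(tn, encoding="unicode")


def apic_post(base_url: str, path: str, body: str, token: Optional[str] = None,
              verify_tls: bool = True) -> Tuple[int, str]:
    """POST an XML body and return (HTTP status, reply text).  After login the
    token travels in the APIC-cookie cookie.  Use https:// so neither the
    password nor the token crosses the wire in clear text; verify_tls=False
    is only for a lab APIC with a self-signed certificate."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body.encode(),
                                 method="POST", headers={"Content-Type": "text/xml"})
    if token:
        req.add_header("Cookie", f"APIC-cookie={token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    # usage: python apic_rest.py https://192.168.R0.1 11 POD11-VMM-DOMAIN
    base, pod, vmm = sys.argv[1:4]
    status, reply = apic_post(base, "/api/aaaLogin.xml",
                              login_body("admin", getpass.getpass("APIC password: ")),
                              verify_tls=False)
    token = parse_login_response(reply)       # raises ApicError on bad credentials
    status, reply = apic_post(base, "/api/mo/uni.xml", tenant_payload(pod, vmm),
                              token, verify_tls=False)
    print(status, reply)                      # expect HTTP 200, as in Step 31
```

parse_login_response() is where the Step 17 check lives: a good login reply contains an aaaLogin element with a token attribute, and a bad one contains an error element, which the function surfaces with the APIC's code and text instead of letting the script continue and then fail at Step 31 with the re-authentication error.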


Step 32

Return to the APIC GUI running in your Chrome browser.

Step 33

In the Menu bar, click Tenants.

Step 34

In the Submenu bar, click ALL TENANTS. You should see a new Tenant named POD##REST.

Note

The primary point here is to stress the benefit of the open API interface to ACI. Once you
understand the ACI dictionary tree and are comfortable with a programming interface such as
Postman, it will only take seconds to accomplish significant amounts of configuration.

Step 35

Double-click the tenant POD##-REST.

Step 36

In the Navigation pane, select Tenant POD##-REST > Application Profiles > 3-Tier_App.
You will find that a three-tier application similar to the one you created previously has been
created here.


Step 37

Spend a few minutes examining the objects that were created in the POD##-REST tenant using
the REST API.


Lab 11: Configure the APIC Using the ACI Cobra SDK (Python)

Overview
The Python API provides a Python programming interface to the underlying REST API, allowing you to
develop your own applications to control the APIC and the network fabric, enabling greater flexibility in
infrastructure automation, management, monitoring, and programmability.
Complete this lab activity to become familiar with the ability to configure the APIC controller with the ACI
Cobra SDK using Python.
Upon completing this guided lab, you will be able to:

Configure the Communication Policy

Review a Python script

Use a Python Script to create a Tenant

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Configure the Communication Policy


In this task, you will configure the default Communication Policy to enable HTTP access to APIC.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Fabric.

Step 7

In the Submenu bar, click Fabric Policies.

Step 8

Navigate to Pod Policies > Policies > Management Access > default.

Step 9

In the Work pane, in the HTTP section, verify that the Admin State is set to Enabled and the
Redirect is set to Disabled.

Note

Within this ACI lab environment, if these settings are incorrect, this lab exercise will not function
properly. These settings are insecure and are not recommended for a production environment.


Task 2: Review a Python Script


In this task, you will review a Python script that can be used to create a new Tenant configuration.

Activity Procedure
Complete these steps:
Step 10

On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 11

Navigate to the S:\DCAC9K folder.

Step 12

Locate your pod-specific Python script, which is named POD##-PYTHON (replace ## with
your assigned Pod number).

Step 13

Right-click on your pod-specific Python script, and then select Edit with Notepad++ from the
context menu.


Step 14

The Notepad++ application will start and display the contents of your pod-specific Python
script.

Step 15

Review the opened Python script. This script will be used in the next Task to create a Tenant.

Task 3: Use a Python Script to Create a Tenant


In this task, you will use a Python script to create a Tenant.

Activity Procedure
Complete these steps:
Step 16

Return to the File Explorer window. Right-click on your pod-specific Python script, and then
select Open with > python from the context menu.

Step 17

The Python interpreter window will appear, and it will start the Python script.

Step 18

The script will prompt you to enter the information necessary to log in to the APIC. When
prompted, enter the following information:

APIC login username: admin

APIC URL: http://192.168.R0.1 (replace R with your ACI Rack Number)


APIC Password: 1234QWer

Note

If you do not use http:// at the start of the APIC URL, the script will fail.

Step 19

The Python interpreter window will close after you enter the APIC password. This will occur
regardless of whether or not the script ran successfully.

Step 20

Return to the APIC GUI running in your Chrome browser.

Step 21

In the Menu bar, click Tenants.

Step 22

In the Submenu bar, click ALL TENANTS. You should see a new Tenant named
POD##-Python.

Note

The Python script that you used only creates a new Tenant and does not configure any other
objects or properties.
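What a Cobra SDK script of the kind reviewed in Task 2 looks like, as an added example that is not the lab's POD##-PYTHON script. It assumes the acicobra and acimodel packages shipped with the APIC are installed, and uses the SDK's LoginSession, MoDirectory, ConfigRequest, pol.Uni and fv.Tenant classes. Like the lab's script it prompts for the username, APIC URL and password and creates only a tenant named POD##-Python; unlike it, it reads the password without echoing it, checks the URL scheme up front so that a missing http:// or https:// produces a message rather than the silent failure the Step 18 note describes, and waits for a keypress on error so the window from Step 19 does not close before you can read the reason.

```python
"""Create a tenant on an APIC with the ACI Cobra SDK, prompting for the same
login details as the lab's POD##-PYTHON script.  Added example, not the lab's
script; assumes the acicobra/acimodel packages from the APIC are installed."""
import getpass
import sys
from urllib.parse import urlparse


def normalize_apic_url(raw: str) -> str:
    """Accept 'https://192.168.R0.1' or a bare address and return
    scheme://host.  Anything that is not http(s) is rejected with a clear
    message; a bare address defaults to https, not the lab's clear-text http."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlparse(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"APIC URL must start with http:// or https://: {raw!r}")
    return f"{parts.scheme}://{parts.netloc}"


def tenant_name_for_pod(pod: str) -> str:
    """POD##-Python, the name the lab expects; the pod number must be two digits."""
    if not (pod.isdigit() and len(pod) == 2):
        raise ValueError("pod number must be two digits, e.g. 11")
    return f"POD{pod}-Python"


def create_tenant(url: str, user: str, password: str, name: str) -> str:
    """Log in, commit a single fvTenant object, log out; returns the tenant DN.
    Imports live here so the helpers above work without the SDK installed."""
    from cobra.mit.access import MoDirectory
    from cobra.mit.request import ConfigRequest
    from cobra.mit.session import LoginSession
    from cobra.model.fv import Tenant
    from cobra.model.pol import Uni

    md = MoDirectory(LoginSession(url, user, password))
    md.login()
    try:
        tenant = Tenant(Uni(""), name)      # uni/tn-<name>
        cfg = ConfigRequest()
        cfg.addMo(tenant)
        md.commit(cfg)
        return str(tenant.dn)
    finally:
        md.logout()                         # always release the APIC session


if __name__ == "__main__":
    user = input("APIC login username: ")
    url = normalize_apic_url(input("APIC URL: "))
    pwd = getpass.getpass("APIC Password: ")    # not echoed to the console
    pod = input("Pod number (two digits): ")
    try:
        print("created", create_tenant(url, user, pwd, tenant_name_for_pod(pod)))
    except Exception as exc:
        print("failed:", exc, file=sys.stderr)
        input("Press Enter to close")           # keep the window open so the error is readable
        sys.exit(1)
```

The session is logged out in a finally block so that an exception from commit() does not leave an idle but still valid APIC session behind; with the lab's settings that session token would otherwise remain usable until it times out.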


Lab 12: Configure the APIC Using the Cisco APIC REST to Python Adapter (ARYA)

Overview
The Cisco APIC REST to Python Adapter (ARYA) is a tool developed by Cisco Advanced Services. The
ARYA tool enables you to generate code directly from what resides in the object model.
Complete this lab activity to become familiar with the ability to use the ARYA to configure Cisco
Application Policy Infrastructure Controller (APIC).
Upon completing this guided lab, you will be able to:

Save configuration from Cisco APIC as an XML file

Use ARYA to create a Python script

Configure the Cisco APIC using a newly created Python script

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Save Configuration from APIC as an XML File


In this task, you will save the configuration from Cisco APIC as an XML file, which you will later transform
into a Python script.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Tenants.

Step 7

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 8

In the Navigation pane, select Tenant POD##.

Step 9

Right-click the Tenant POD## folder and then select Save as from the context menu.


Step 10

The Save As wizard will appear. Enter the values in the following table.

Field            Value
Content          Only Configuration
Scope            Subtree
Export Format    XML

Step 11

Click the DOWNLOAD button. This will save a file named tn-POD##.xml to the Downloads
folder on the Student Server.

Step 12

On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 13

Drag and drop (move) the XML file you just created (tn-POD##.xml) from the Downloads
folder to the C:\arya folder.

Task 2: Use ARYA to Create a Python Script


In this task, you will use ARYA to create a Python script, which you will then use to configure a new tenant.


Activity Procedure
Complete these steps:
Step 14

On your Student Server, open a Command Prompt window by double-clicking the shortcut on
the desktop.

Step 15

The Command Prompt window will appear. If the Command Prompt window does not open
to the C:\arya directory use the cd C:\arya command to change to that directory.

Step 16

You will now use Arya to create a Python script based on the XML file that you downloaded
from the APIC GUI. Enter the following command into the Command Prompt (replace ##
with your assigned 2-digit Pod Number and replace R with your ACI Rack Number).

    python arya.py -f C:\arya\tn-POD##.xml -i 192.168.R0.1 -u admin -p 1234QWer > C:\arya\pod##.py

Note

You may want to copy and paste the command to a text editor, modify the command, and then
copy and paste the edited command into the Command Prompt window.

Step 17

If the syntax of the command is correct, all that will happen is that you will see the command
prompt return after the Arya utility finishes running.

Note

The right angle bracket (>) between the password and pod##.py redirects the output of Arya,
which is the generated Python code, into that file. If you make a mistake in the command, the
redirect will still create a file called pod##.py with zero bytes. Delete that file before
troubleshooting your CLI input.

Step 18

Return to Windows Explorer. You should now see a file named pod## in the C:\arya
folder.

Step 19

Right-click the pod## file, and then select Edit with Notepad++ from the context menu.


Step 20

The Notepad++ application will start and open the pod##.py file for editing.

Step 21

In the Menu bar, select Search > Replace.

Step 22

The Replace window will appear. Replace POD## with POD##-ARYA (replace ## with
your assigned 2-digit Pod Number).


Step 23

Click the Replace All button, and then click the Close button.

Step 24

There are three lines of code that will prevent the script from running; these lines are inserted
by Arya to prevent accidental execution of the script. These three lines are near the top of the
script and start with raise RuntimeError. Find these lines and delete them.

Step 25

Save the file by selecting File > Save from the Menu bar.

In Summary: You downloaded an XML-encoded file with the configuration of the tenant name-GUI, where
name is your Pod airport name. You then converted this XML-encoded file into a Python (.py) file
using Arya. You have now customized this Python file by replacing the existing tenant name
(name-GUI) with a new tenant name (name-arya). Next, you will configure the Cisco APIC with this
new Tenant using the Python SDK.

Task 3: Configure the APIC Using a Newly Created Python Script


In this task, you will configure and create a new tenant in the APIC using a Python script that you created in
the previous task.

Activity Procedure
Complete these steps:
Step 26

Return to Windows Explorer. Verify that you are viewing the contents of the C:\arya folder.

Step 27

Right-click the pod## file, and then select Open > python from the context menu. This will
cause the Python interpreter to run the script you just edited and create a new tenant named
POD##-ARYA.


Step 28

Return to the APIC GUI running in your Chrome browser.

Step 29

In the Menu bar, click Tenants.

Step 30

In the Submenu bar, click ALL TENANTS. You should see a new Tenant named
POD##-ARYA. This new tenant was created by the Python script you just executed, and it
should be a duplicate of the tenant POD##, including all of the policies and settings of the
original tenant.
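As an added illustration of what the Arya step in this lab does (this is not Arya's own code, nor code from this lab guide), the script below walks a tenant XML export and emits one Cobra SDK constructor call per object, inserts the raise RuntimeError guard that Step 24 has you delete, and applies the POD## to POD##-ARYA rename of Step 22 as a substitution on attribute values. The sample XML, the variable names and the environment variables APIC_URL, APIC_USER and APIC_PASS are constructed for this example; the cobra.mit and cobra.model calls in the generated text are the public Cobra SDK API, and the module/class split (fvTenant becomes cobra.model.fv.Tenant) is the SDK's naming convention.

```python
"""Emit Cobra-SDK-style Python from an APIC tenant export, the way the lab
describes Arya doing it. Added illustration only: not Arya's or Cisco's code."""
import itertools
import keyword
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the tn-POD##.xml file saved in Task 1 (pod 11).
SAMPLE_TENANT_XML = """<imdata totalCount="1">
  <fvTenant name="POD11" dn="uni/tn-POD11" status="">
    <fvCtx name="POD11-VRF"/>
    <fvBD name="POD11-BD" arpFlood="yes">
      <fvRsCtx tnFvCtxName="POD11-VRF"/>
    </fvBD>
  </fvTenant>
</imdata>"""

# Attributes the APIC derives itself; they are never passed to a constructor.
SKIP_ATTRS = {"dn", "rn", "status", "childAction", "modTs", "uid", "lcOwn", "monPolDn"}
GUARD = "raise RuntimeError('Review this generated script before running it')"


def split_class(mo_class):
    """Map an MO class name to Cobra module and class: fvTenant -> ('fv', 'Tenant')."""
    m = re.fullmatch(r"([a-z0-9]+)([A-Z]\w*)", mo_class)
    if not m:
        raise ValueError(f"not an APIC MO class name: {mo_class!r}")
    return m.group(1), m.group(2)


def _emit(el, parent_var, lines, pkgs, seq, rename):
    """Append one constructor call for `el`, then recurse into its children."""
    pkg, cls = split_class(el.tag)
    pkgs.add(pkg)
    var = f"{el.tag}_{next(seq)}"
    kwargs = []
    for key, value in el.attrib.items():
        if key in SKIP_ATTRS:
            continue
        for old, new in rename.items():          # Step 22: Replace All on the values
            value = value.replace(old, new)
        if keyword.iskeyword(key):               # e.g. from -> from_, as Cobra names it
            key += "_"
        kwargs.append(f"{key}={value!r}")
    lines.append(f"{var} = cobra.model.{pkg}.{cls}({', '.join([parent_var, *kwargs])})")
    for child in el:
        _emit(child, var, lines, pkgs, seq, rename)
    return var


def generate_script(xml_text, rename=None):
    """Return Python source that recreates the exported objects through Cobra."""
    root = ET.fromstring(xml_text)
    top = list(root) if root.tag == "imdata" else [root]
    body, pkgs, seq = [], set(), itertools.count(1)
    top_vars = [_emit(el, "polUni", body, pkgs, seq, rename or {}) for el in top]
    header = [
        "import os",
        "import cobra.mit.access, cobra.mit.request, cobra.mit.session",
        "import cobra.model.pol",
        *[f"import cobra.model.{p}" for p in sorted(pkgs)],
        "",
        "# Guard so the script cannot run before it has been reviewed (removed in lab Step 24).",
        GUARD,
        "",
        "# Credentials come from the environment; the password is not written into this file.",
        "session = cobra.mit.session.LoginSession(",
        "    os.environ['APIC_URL'], os.environ['APIC_USER'], os.environ['APIC_PASS'])",
        "md = cobra.mit.access.MoDirectory(session)",
        "md.login()",
        "polUni = cobra.model.pol.Uni('')",
    ]
    footer = ["cfg = cobra.mit.request.ConfigRequest()",
              *[f"cfg.addMo({v})" for v in top_vars],
              "md.commit(cfg)"]
    return "\n".join(header + body + footer) + "\n"


def strip_guard(script):
    """Step 24 as code: drop the raise RuntimeError guard line(s)."""
    kept = [ln for ln in script.splitlines() if not ln.startswith("raise RuntimeError")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(generate_script(SAMPLE_TENANT_XML, rename={"POD11": "POD11-ARYA"}))
```

The generated text is what you review before removing the guard: every object that will be pushed to the controller is visible as one line, and because the rename is applied to all attribute values, the VRF reference tnFvCtxName is renamed together with the VRF itself, which is what keeps the copied tenant consistent. Reading the credentials from the environment is a design choice of this example; the lab passes the password on the Arya command line with -p.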


Lab 13: Configure Inter-Tenant Connectivity


Overview
There may be times when the ACI administrator needs to allow traffic between two tenants. A contract
interface is a special type of contract object that an ACI administrator can use to allow specific traffic by
exporting a contract: the contract is, in essence, exported from the source tenant and imported into the target tenant.
As with traditional contracts, the source EPG is the provider. In the target tenant, however, the
contract is consumed as a contract interface.
Complete this lab activity to become familiar with configuring Inter-Tenant communication.
Upon completing this guided lab, you will be able to:

Create and Export a Contract

Create a Host Subnet and add a Contract to EPG in the First Tenant

Confirm the Exported Contract, create a Host Subnet in the Second Tenant and add a Consumed
Contract Interface

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a Global Contract to be Exported to the Other Tenant


In this task, you will create a Global Contract that will be exported to the Peer Pod Tenant in the next Task.

Activity Procedure
Complete these steps:
Step 8

In the Menu bar, click Tenants.

Step 9

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).


Step 10

In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.

Step 11

Right-click the Contracts folder and then select Create Contract from the context menu.

Step 12

The Create Contract wizard will appear. Enter the values in the following table.

Field    Value
Name     POD##-GLOBAL-CONTRACT (replace ## with your assigned 2-digit Pod Number)
Scope    Global

Note

Make sure to change the scope to Global; only Global contracts may be exported to other
Tenants.

Step 13

In the Subjects subsection, click the plus sign to create a new entry. The Create Contract
Subject wizard will appear. Enter the values in the following table.

Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 14

In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##/POD##-FILTER-ANY.


Step 15

Click the UPDATE button.

Step 16

Click the OK button to complete the Create Contract Subject wizard.

Step 17

Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Task 2: Export the Global Contract to the Other Tenant


In this task, you will export the Global Contract that you just created to the Peer Pod Tenant.

Activity Procedure
Complete these steps:
Step 18

In some of the steps in this Task you will be asked to enter your Peer Pod Number. Your Peer
Pod Number is the number of the Pod that is interacting with your Pod during this lab exercise.
Use the following table to determine your Peer Pod Number.

If your Pod Number is    Then your PEER POD NUMBER is
11                       12
12                       11
13                       14
14                       13
15                       16
16                       15
17                       18
18                       17
19                       20
20                       19
21                       22
22                       21
23                       24
24                       23
25                       26
26                       25

Step 19

In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.

Step 20

Right-click the Contracts folder and then select Export Contract from the context menu.

Step 21

The Export Contract wizard will appear. Enter the values in the following table.

Field              Value
Name               POD##-EXPORT-CONTRACT (replace ## with your assigned 2-digit Pod Number)
Global Contract    POD##-GLOBAL-CONTRACT (replace ## with your assigned 2-digit Pod Number)
Tenant             POD$$ (replace $$ with your 2-digit Peer Pod Number)

Step 22

Click the SUBMIT button to complete the Export Contract wizard.


STOP!

Wait until the student configuring your Peer Pod has completed all steps up to this point
before proceeding.

Step 23

In the Navigation pane, expand Tenant POD## > Security Policies > Imported Contracts. If
the student configuring your Peer Pod has completed the steps in this lab exercise up to this
point you should see an Imported Contract named POD$$-EXPORT-CONTRACT.

Task 3: Create an EPG Subnet to be Leaked to the Other Tenant


In this task, you will create an EPG Subnet within your Web EPG that will be leaked into the routing table of
your Peer Pod's VRF. This EPG Subnet must be configured in the EPG that will be providing the exported
contract to the other Tenant.

Activity Procedure
Complete these steps:
Step 24

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.

Step 25

Right-click the EPG POD##-WEB-EPG folder and then select Create EPG Subnet from the
context menu.

Step 26

The Create EPG Subnet wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field                          Value
Default Gateway IP             10.##.3.254/24 (replace ## with your assigned 2-digit Pod Number)
Scope Private to VRF           Checked
Scope Advertised Externally    Unchecked
Scope Shared between VRFs      Checked


Step 27

Click the SUBMIT button to complete the Create EPG Subnet wizard.

Task 4: Configure Contracts between the Web EPGs of Each Tenant


In this task, you will configure contracts between your Web EPG and your Peer Pod's Web EPG to allow
traffic to be passed between them.

Activity Procedure
Complete these steps:
Step 28

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.

Step 29

Right-click the EPG POD##-WEB-EPG folder and then select Add Provided Contract from
the context menu.

Step 30

The Add Provided Contract wizard will appear. In the Name drop-down list, select
POD##/POD##-GLOBAL-CONTRACT (replace ## with your assigned 2-digit Pod Number).


Step 31

Click the SUBMIT button to complete the Add Provided Contract wizard.

Step 32

Right-click the EPG POD##-WEB-EPG folder and then select Add Consumed Contract
Interface from the context menu.

Note

Make sure to select Add Consumed Contract Interface, not Add Consumed Contract.

Step 33

The Add Consumed Contract Interface wizard will appear. In the Name drop-down list,
select POD##/POD$$-EXPORT-CONTRACT (replace ## with your assigned 2-digit Pod
Number and replace $$ with your Peer Pod Number).

Step 34

Click the SUBMIT button to complete the Add Consumed Contract Interface wizard. You
should now see two different types of Contract that are being used by the Web EPG: Contract
(used within the Application Profile) and Contract Interface (used between Tenants).


Step 35

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE. You should see that the diagram representing the objects within
your Application Profile has been updated to include the new contracts.

STOP!

Wait until the student configuring your Peer Pod has completed all steps up to this point
before proceeding.

Task 5: Validate the Exported Contract Configuration


In this task, you will verify that traffic can successfully pass between the Web Server virtual machine in your
Pod and the Web Server virtual machine in your Peer Pod.

Activity Procedure
Complete these steps:
Step 36

Return to the VMware vSphere Client application.

Step 37

Press Ctrl-Shift-H to shift to the Hosts section.

Step 38

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace ##
with your assigned Pod number):

Virtual Machine    IP Address       Default Gateway
Pod##-App          10.##.1.1 /24    10.##.1.254
Pod##-DB           10.##.2.1 /24    10.##.2.254
Pod##-Web          10.##.3.1 /24    10.##.3.254

Step 39

Right-click the Pod##-Web VM and then select Open Console from the context menu.


Step 40

The console window for Pod##-Web will appear. You will see the Web server's desktop.

Step 41

Open a Command Prompt window.

Step 42

Verify that your Web Server can ping the IP address of the Peer Pod Web Server using the ping
10.$$.3.1 command (replace $$ with your Peer Pod Number).

Step 43

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 44

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 45

Execute the show endpoint command. You should not see any new entries in this table. The
endpoints themselves have not changed, only the traffic allowed between them has changed.

Leaf-1# show endpoint
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+-------------------------+---------------+-----------------+-----------+------+
      VLAN/                 Encap           MAC Address       MAC Info/   Interface
      Domain                VLAN            IP Address        IP Info
+-------------------------+---------------+-----------------+-----------+------+
[The endpoint rows of this output survived only column by column; the values of each
column are listed below in the order they appeared, without their row alignment.]
VLAN/Domain: POD11:POD11-VRF, 16/POD11:POD11-VRF, 19, POD11:POD11-VRF, 89, POD11:POD11-VRF, POD12:POD12-VRF, POD12:POD12-VRF, 22/POD12:POD12-VRF, 22/POD12:POD12-VRF, 25, POD12:POD12-VRF, overlay-1, 7/overlay-1, 7/overlay-1
Encap VLAN: vxlan-15728622, vlan-3115, vlan-3115, vlan-3114, vlan-3114, vxlan-15761386, vxlan-15761386, vlan-3127, vlan-3127, vxlan-16777209, vxlan-16777209
MAC Address / IP Address: 10.11.1.1, 0050.569a.456e, 0050.569a.0a8a, 10.11.3.1, 0050.569a.5e25, 10.11.2.1, 10.12.2.1, 10.12.3.1, 0050.569a.8f07, 0050.569a.8e9b, 0050.569a.5479, 10.12.1.1, 172.19.104.95, 88f0.313c.97f2, 001a.6d03.0781
MAC Info / IP Info: B, L, L, L, L, B, B, L, L, L, L, L
Interface: tunnel4, tunnel4, eth1/33, eth1/33, eth1/33, eth1/33, tunnel4, tunnel4, tunnel4, tunnel4, eth1/33, eth1/33, lo0, eth1/1, eth1/11
<output omitted>

Step 46

Execute the show vrf command. Again, you should not see any new entries.

Note

The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-1# show vrf
VRF-Name                 VRF-ID State   Reason
black-hole                    3 Up      --
overlay-1                     4 Up      --
POD11:POD11-VRF               6 Up      --
POD12:POD12-VRF               5 Up      --
<output omitted>

Step 47

Execute the show ip route vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). You should see routes to each of the subnets used by your
bridge domain as well as a route to the Peer Pod Web EPG, 10.$$.3.0/24. This prefix was
leaked into your Pod VRF by the imported global contract.

Leaf-1# show ip route vrf POD##:POD##-VRF


IP Route Table for VRF "POD##:POD##-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.##.1.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.##.1.254/32, ubest/mbest: 1/0, attached
*via 10.##.1.254, vlan18, [1/0], 04:49:51, local, local
10.##.2.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.##.2.254/32, ubest/mbest: 1/0, attached
*via 10.##.2.254, vlan18, [1/0], 04:49:51, local, local
10.##.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:28:10, static
10.##.3.254/32, ubest/mbest: 1/0, attached
*via 10.##.3.254, vlan18, [1/0], 04:49:51, local, local
10.$$.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:18, static

Step 48

Execute the show ip route vrf POD$$:POD$$-VRF command (replace $$ with your Peer
Pod Number). You should see routes to each of the subnets used by your Peer Pod's bridge
domain as well as a route to your Pod's Web EPG, 10.##.3.0/24. This prefix was leaked into
your Peer Pod's VRF by the exported global contract.

Leaf-1# show ip route vrf POD$$:POD$$-VRF
IP Route Table for VRF "POD$$:POD$$-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.##.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:06:42, static
10.$$.1.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.1.254/32, ubest/mbest: 1/0, attached
*via 10.$$.1.254, vlan14, [1/0], 04:51:17, local, local
10.$$.2.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.2.254/32, ubest/mbest: 1/0, attached
*via 10.$$.2.254, vlan14, [1/0], 04:51:17, local, local
10.$$.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.3.254/32, ubest/mbest: 1/0, attached
*via 10.$$.3.254, vlan14, [1/0], 04:51:17, local, local
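The route check in Steps 47 and 48 is easy to script, and scripting it also catches the case the lab does not show: a prefix that leaked into a VRF where no contract should have put it. The following added example (not part of the lab guide) parses the leaf's show ip route vrf output, tags the pervasive bridge-domain routes that lie outside the pod's own 10.##.0.0/16 block as leaked, and compares them with an allow-list. The sample output is constructed from the Step 47 listing with ## = 11 and $$ = 12; the regular expressions follow the NX-OS line layout shown on this page.

```python
"""Parse 'show ip route vrf' output from an ACI leaf and audit which prefixes were
leaked in from another VRF. Added example; not part of the lab guide."""
import ipaddress
import re

# Constructed from the lab's Step 47 output with ## = 11 and $$ = 12.
SAMPLE_ROUTE_OUTPUT = """\
IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.11.1.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.11.1.254/32, ubest/mbest: 1/0, attached
    *via 10.11.1.254, vlan18, [1/0], 04:49:51, local, local
10.11.2.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.11.2.254/32, ubest/mbest: 1/0, attached
    *via 10.11.2.254, vlan18, [1/0], 04:49:51, local, local
10.11.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 172.19.64.65%overlay-1, [1/0], 00:28:10, static
10.11.3.254/32, ubest/mbest: 1/0, attached
    *via 10.11.3.254, vlan18, [1/0], 04:49:51, local, local
10.12.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
    *via 172.19.64.65%overlay-1, [1/0], 00:04:18, static
"""

VRF_RE = re.compile(r'^IP Route Table for VRF "([^"]+)"')
PREFIX_RE = re.compile(r"^(\S+/\d+), ubest/mbest: (\d+)/(\d+)(?:, (.*))?$")
VIA_RE = re.compile(
    r"^\s*\*+via ([^%,]+)(?:%([^,]+))?, (?:([A-Za-z]\S*), )?"
    r"\[(\d+)/(\d+)\], (\S+), (.*)$")


def parse_routes(output):
    """Return (vrf_name, routes); each route is a dict with its prefix, attribute
    flags (attached, direct, pervasive, ...) and a list of next-hop dicts."""
    vrf, routes, current = None, [], None
    for line in output.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)
            continue
        m = PREFIX_RE.match(line)
        if m:
            current = {"prefix": ipaddress.ip_network(m.group(1)),
                       "ubest": int(m.group(2)), "mbest": int(m.group(3)),
                       "attrs": m.group(4).split(", ") if m.group(4) else [],
                       "via": []}
            routes.append(current)
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            current["via"].append({"nexthop": m.group(1), "nexthop_vrf": m.group(2),
                                   "iface": m.group(3), "pref": int(m.group(4)),
                                   "metric": int(m.group(5)), "age": m.group(6),
                                   "source": m.group(7)})
    return vrf, routes


def leaked_prefixes(routes, local_pod):
    """Pervasive (bridge-domain) routes outside this pod's 10.<pod>.0.0/16 block.
    They can only have arrived through a shared subnet plus a contract."""
    local = ipaddress.ip_network(f"10.{int(local_pod)}.0.0/16")
    return [r["prefix"] for r in routes
            if "pervasive" in r["attrs"] and not r["prefix"].subnet_of(local)]


def audit_leaks(routes, local_pod, allowed):
    """Compare what leaked with what the design allows (here: the peer Web subnet)."""
    leaked = {str(p) for p in leaked_prefixes(routes, local_pod)}
    allowed = set(allowed)
    return {"missing": sorted(allowed - leaked), "unexpected": sorted(leaked - allowed)}


if __name__ == "__main__":
    _, rts = parse_routes(SAMPLE_ROUTE_OUTPUT)
    print(audit_leaks(rts, "11", ["10.12.3.0/24"]))
```

Run against the real leaf output with the allow-list containing only the peer's Web subnet: an entry under "missing" means the export, the shared-subnet flag or the consumed contract interface is not in place yet, while anything under "unexpected" means a subnet is being shared between VRFs that no contract was meant to join.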


Lab 14: Configure External Layer 3 Connectivity using OSPF Routing
Overview
Complete this lab activity to become familiar with configuring L3 communications to an external network.
L3 outside connections provide IP connectivity between a Private Network of a Tenant and an external IP
network. The physical connection to the ACI Fabric is via an ACI leaf (also called a border leaf in this
context). Tenant subnets are injected into the routing protocol running between the border leaf and external
router. Users have control of which Tenant subnets they want to advertise to external routers.
Upon completing this guided lab, you will be able to:

Configure External L3 network

Create Application Profile to propagate Internal Public Routes

Associate an L3 outside connection to a Bridge Domain

Verify that the Leaf is Learning OSPF Routes

Configure a contract between internal and external EPG

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Note

The first step in this configuration is to create an Attachable Access Entity Profile (AEP) for the
interface connected to the external switch. The AEP will be the point to which you connect the
external routed domain you will create later in this lab exercise.

Note

If you attempt to configure an external bridged or routed network without attaching it to an AEP
you will get inconsistent results as well as Faults generated within the APIC.


STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Create an Attachable Access Entity Profile


In this task, the Instructor will create an Attachable Access Entity Profile that will be used by each of the
students in a subsequent Task.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 8

Navigate to Global Policies > Attachable Access Entity Profiles.

Step 9

Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 10

The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.

Field                         Value
Name                          L3-LAB-AEP
Enable Infrastructure VLAN    Checked

Step 11

Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.

Step 12

Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Note

The next step is to create an Interface Policy Group for each Fabric. The Interface Policy Group
defines how an interface on a leaf switch should operate (e.g. link speed), and the Interface
Policy Group is also the point where you indicate which AEP will use the interface.

Note

An Interface Policy Group may only include one AEP.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Create an Interface Policy Group


In this task, the Instructor will create an Interface Policy Group that will be used by the leaf interface
connecting to the routed networks.

Activity Procedure
Complete these steps:

STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 13

Navigate to Interface Policies > Policy Groups.

Step 14

Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 15

The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                      Value
Name                       L3-LAB-INTERFACE-POLICY-GROUP
Link Level Policy          POD##-1G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
CDP Policy                 POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
LLDP Policy                POD##-ENABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
Attached Entity Profile    L3-LAB-AEP

Step 16

Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Note

The next step is to create an Interface Profile for each Fabric. The Interface Profile will identify
the specific interface number(s) on the leaf switches that will use the associated Interface Policy
Group. The Interface Profile does not identify the leaf switches where the interfaces are located;
the leaf switches are identified in the Switch Profile (created later in this lab exercise).

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Create an Interface Profile


In this task, the Instructor will create an Interface Profile that will be used by the leaf interface connecting to
the routed networks.

Activity Procedure
Complete these steps:


STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 17

Navigate to Interface Policies > Profiles.

Step 18

Right-click the Profiles folder and then select Create Interface Profile from the context menu.

Step 19

The Create Interface Profile wizard will appear. In the Name field, type L3-LAB-INTERFACE-PROFILE.

Step 20

In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field                     Value
Name                      INTERFACE-SELECTOR
Interface ID              1/6
Interface Policy Group    L3-LAB-INTERFACE-POLICY-GROUP

Step 21

Click the OK button to complete the Create Access Port Selector wizard.

Step 22

Click the SUBMIT button to complete the Create Interface Profile wizard.

Note

The next step is to create a Switch Profile for each Fabric. The Switch Profile identifies the
specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the
end of this step, assuming everything was configured properly, the physical interface on the leaf
switch should be in an up state.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.


Task 4: Create a Switch Profile


In this task, the Instructor will create a Switch Profile that will be used by the leaf interface connecting to the
routed networks.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23

Navigate to Switch Policies > Profiles.

Step 24

Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 25

The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
L3-LAB-SWITCH-PROFILE.

Step 26

In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

Field     Value
Name      SWITCH-SELECTOR
Blocks    103

Step 27

Click the UPDATE button.

Step 28

Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select L3-LAB-INTERFACE-PROFILE.

Step 29

Click the FINISH button to complete the Create Switch Profile wizard.

Task 5: Create a VLAN Pool for the External Routed Domain


In this task, you will create a VLAN pool that will be used by the external routed domain you will create in the
next Task.

Activity Procedure
Complete these steps:
Note

All students should perform this Task and all remaining Tasks in this lab exercise.

Step 30

Return to the APIC GUI running in your Chrome browser.

Step 31

In the Menu bar, click Fabric.

Step 32

In the Submenu bar, click Access Policies.

Step 33

In the Navigation pane, expand Pools > VLAN.

Step 34

Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 35

The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field              Value
Name               POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)
Allocation Mode    Static Allocation

Step 36

In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

Field           Value
Range (From)    3## (replace ## with your assigned 2-digit Pod Number)
Range (To)      3## (replace ## with your assigned 2-digit Pod Number)


Step 37

Click the OK button.

Step 38

Click the SUBMIT button to complete the Create VLAN Pool wizard.

Note

In this step you will create an External Routed Domain which will be used in subsequent lab
exercises. An External Routed Domain is required in order to configure layer 3 connectivity to
external networks.

Task 6: Create an External Routed Domain (Layer 3 Domain)


In this task, you will create an External Routed Domain that will use the VLAN Pool you created in the
previous Task.

Activity Procedure
Complete these steps:
Step 39

In the Menu bar, click Fabric.

Step 40

In the Submenu bar, click Access Policies.

Step 41

Navigate to Physical and External Domains > External Routed Domains.

Step 42

Right-click the External Routed Domains folder and then select Create Layer 3 Domain
from the context menu.


Step 43

The Create Layer 3 Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                                   Value
Name                                    POD##-EXTERNAL-ROUTED-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Associated Attachable Entity Profile    L3-LAB-AEP
VLAN Pool                               POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)

Step 44

Click the SUBMIT button to complete the Create Layer 3 Domain wizard.

Note

At this point the physical interface of the leaf switch connected to the external network is ready
for use. Next, you will configure the policies necessary to route traffic through this interface.

Note

The next step is to configure an OSPF Interface Policy, which defines attributes of how an
interface should use OSPF. These attributes correspond to those you would configure on an
interface in IOS.

Task 7: Configure an OSPF Interface Policy


In this task, you will configure an OSPF Interface Policy which is used to specify the settings necessary to
bring up an OSPF adjacency.

Activity Procedure
Complete these steps:
Note

All students should perform this task.

Step 45

In the Menu bar, click Tenants.

Step 46

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 47

In the Navigation pane, expand Tenant POD## > Networking > Protocol Policies > OSPF
Interface.

Step 48

Right-click the OSPF Interface folder and then select Create OSPF Interface Policy from the
context menu.


Step 49

The Create OSPF Interface Policy wizard will appear. Enter the values in the following table;
do NOT change any of the values that are not listed in the following table.

Field                                   Value
Name                                    POD##-OSPF-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
Network Type                            Broadcast
Interface Controls: Advertise Subnet    Checked

Step 50

Click the SUBMIT button to complete the Create OSPF Interface Policy wizard.

Task 8: Create an External Routed Network


In this task, you will configure an External Routed Network, which will contain all of the necessary
information to create an OSPF connection between the leaf switch and an external router.

Activity Procedure
Complete these steps:
Step 51

In the Navigation pane, expand Tenant POD## > Networking >External Routed Networks.


Step 52

Right-click the External Routed Networks folder and then select Create Routed Outside
from the context menu.

Step 53

The Create Routed Outside wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                     Value
Name                      POD##-EXTERNAL-ROUTED-NETWORK (replace ## with your assigned 2-digit Pod Number)
VRF                       POD##-VRF (replace ## with your assigned 2-digit Pod Number)
External Routed Domain    POD##-EXTERNAL-ROUTED-DOMAIN (replace ## with your assigned 2-digit Pod Number)
OSPF                      Checked
OSPF Area ID              ## (replace ## with your assigned 2-digit Pod Number)
OSPF Area Type            NSSA area

Step 54

In the Nodes And Interfaces Protocol Profiles subsection, click the plus sign to create a new
entry. The Create Node Profile wizard will appear. In the Name field type POD##-LOGICAL-NODE-PROFILE (replace ## with your assigned 2-digit Pod Number).

Step 55

In the Nodes subsection, click the plus sign to create a new entry. The Select Node wizard will
appear. Enter the values in the following table; do NOT change any of the values that are not
listed in the following table.


Field                                   Value
Node ID                                 Leaf-2 (Node 103)
Router ID                               ##.##.##.## (replace ## with your assigned 2-digit Pod Number)
Use Router ID as Loopback Address       Checked

Step 56

Click the OK button to complete the Select Node wizard

Step 57

In the OSPF Interface Profiles subsection, click the plus sign to create a new entry. The
Create Interface Profile wizard will appear. Enter the values in the following table.

Field                 Value
Name                  POD##-LOGICAL-INTERFACE-PROFILE (replace ## with your assigned 2-digit Pod Number)
Authentication Type   MD5
Authentication Key    1234QWer
OSPF Policy           POD##-OSPF-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)


Step 58

In the Interfaces subsection, click the SVI Tab.

Step 59

In the SVI Interfaces subsection, click the plus sign to create a new entry. The Select SVI
Interface wizard will appear. Enter the values in the following table; do NOT change any of the
values that are not listed in the following table.

Field          Value
Path Type      Port
Path           Leaf-2 / Port 1/6
Encap          vlan-3## (replace ## with your assigned 2-digit Pod Number)
IP Address     172.16.##.2/24 (replace ## with your assigned 2-digit Pod Number)
MTU (bytes)    1500

Step 60

Click the OK button to complete the Select SVI Interface wizard.

Step 61

Click the OK button to complete the Create Interface Profile wizard.


Step 62

Click the OK button to complete the Create Node Profile wizard.

Step 63

Click the NEXT button.

Step 64

In STEP 2 > External EPG Networks, in the External EPG Networks subsection, click the
plus sign to create a new entry. The Create External Network wizard will appear. In the
Name field type POD##-ROUTED-EXTERNAL-EPG (replace ## with your assigned 2-digit Pod Number).


Step 65

In the Subnet subsection, click the plus sign to create a new entry. The Create Subnet wizard
will appear. In the IP Address field type 10.1##.0.0/16 (replace ## with your assigned 2-digit
Pod Number).

Step 66

Click the OK button to complete the Create Subnet wizard.

Step 67

In the Subnet subsection, click the plus sign to create a new entry. The Create Subnet wizard
will appear. In the IP Address field type 172.16.##.0/24 (replace ## with your assigned 2-digit Pod Number).

Step 68

Click the OK button to complete the Create Subnet wizard.

Step 69

Click the OK button to complete the Create External Network wizard.

Step 70

Click the FINISH button to complete the Create Routed Outside wizard.

Task 9: Configure Contracts between the Web EPG and the External Routed Network
In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External
Routed Network EPG. Keep the two halves of the policy apart: the subnets you entered in Steps 65 and 67
decide which external sources are classified into the external EPG, and the contract's filters decide
what those sources may reach. Scoping ports and protocols is done in the contract, not in the subnet list.

Activity Procedure

Complete these steps:


Step 71

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG > Contracts.

Step 72

Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 73

The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-CONTRACT-ANY from the drop-down list.

Step 74

Click the SUBMIT button to complete the Add Provided Contract wizard.

Step 75

In the Navigation pane, expand Tenant POD## > Networking > External Routed Networks
> POD##-EXTERNAL-ROUTED-NETWORK > Networks > POD##-ROUTED-EXTERNAL-EPG.

Step 76

In the Work panel, click the Policy tab and then click the Contracts sub-tab.

Step 77

In the Consumed Contracts pane, click the plus sign to create a new entry. In the NAME field,
select POD##/POD##-CONTRACT-ANY from the drop-down list.


Step 78

Click the UPDATE button.

Task 10: Associate the External Routed Network to the Bridge Domain
In this task, you will configure the bridge domain within your Tenant to use the external routed network.

Activity Procedure
Complete these steps:
Step 79

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BD.

Step 80

In the Work panel, click the Policy tab and then click the L3 Configurations sub-tab.

Step 81

In the Work pane, in the Associated L3 Outs subsection, click the plus sign to create a new
entry. In the L3 OUT field, select POD##/POD##-EXTERNAL-ROUTED-NETWORK
from the drop-down list.

Step 82

Click the UPDATE button. A Policy Usage Warning will appear indicating the other objects
that will be affected by the changes.

Step 83

Click the SUBMIT button.


Step 84

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE and then click the Topology tab in the Work pane. You should
now see the updated diagram for the application profile and that it includes the new
connectivity to the external routed network.

Task 11: Advertise Subnets to the External Routed Network


In this task, you will configure the bridge domain within your Tenant to advertise routes to the external
routed network.

Activity Procedure
Complete these steps:
Step 85

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BD > Subnets > 10.##.1.254/24.

Step 86

In the Work pane, change the Scope setting to Advertised Externally.

Step 87

Click the SUBMIT button. A Policy Usage Warning will appear indicating the other objects
that will be affected by the changes.

Step 88

Click the SUBMIT button.

Step 89

Repeat Steps 85 through 88 to change the scope to Advertised Externally for the subnet
10.##.2.254/24.

Step 90

Repeat Steps 85 through 88 to change the scope to Advertised Externally for the subnet
10.##.3.254/24.
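The following Python script is an added example and is not part of the original lab guide or of any Cisco tool. It shows what Tasks 7 through 11 look like when expressed as a single APIC REST payload instead of a series of wizards: the OSPF interface policy, the Routed Outside with its node and SVI interface profiles, the external EPG with its two classification subnets, the provided and consumed contract relations, the bridge-domain-to-L3Out association and the three subnets with scope public (Advertised Externally). Class and attribute names are those of the APIC object model; the lab names, VLAN, addresses and node/port values come from the tables above. The areaId form ("11" rather than "0.0.0.11"), the helper and function names, and the environment-variable handling are this example's own choices. The OSPF key defaults to the lab key only so that the script runs as-is; in practice supply it from the environment or a secret store and never commit it.

```python
"""Added example, not from the lab guide: build the APIC REST payload for
Tasks 7-11 of this lab and, optionally, POST it to /api/mo/uni.json.
"""
import json
import os
import ssl
import urllib.request
from typing import Any, Dict, List


def mo(cls: str, attrs: Dict[str, str], children: List[Dict[str, Any]] = ()) -> Dict[str, Any]:
    """One managed object in APIC JSON form: {cls: {"attributes": {...}, "children": [...]}}."""
    body: Dict[str, Any] = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def build_l3out_payload(pod: int, ospf_key: str) -> Dict[str, Any]:
    """Return the fvTenant subtree for one pod (pod is the 2-digit Pod Number as an int)."""
    p = f"{pod:02d}"
    vrf, bd = f"POD{p}-VRF", f"POD{p}-BD"
    l3out = f"POD{p}-EXTERNAL-ROUTED-NETWORK"
    ospf_pol = f"POD{p}-OSPF-INTERFACE-POLICY"
    contract = f"POD{p}-CONTRACT-ANY"

    # Task 7: OSPF interface policy (Network Type = Broadcast, Advertise Subnet checked).
    ospf_if_pol = mo("ospfIfPol", {"name": ospf_pol, "nwT": "bcast", "ctrl": "advert-subnet"})

    # Task 8, node profile: border leaf 103, Router ID ##.##.##.## also used as the loopback.
    rtr_id = ".".join([str(pod)] * 4)
    svi = mo("l3extRsPathL3OutAtt", {
        "tDn": "topology/pod-1/paths-103/pathep-[eth1/6]",   # Leaf-2 / Port 1/6
        "ifInstT": "ext-svi", "encap": f"vlan-3{p}",
        "addr": f"172.16.{pod}.2/24", "mtu": "1500"})
    # MD5 authentication on the OSPF interface; the key is supplied by the caller.
    ospf_if_p = mo("ospfIfP", {"authType": "md5", "authKeyId": "1", "authKey": ospf_key},
                   [mo("ospfRsIfPol", {"tnOspfIfPolName": ospf_pol})])
    if_profile = mo("l3extLIfP", {"name": f"POD{p}-LOGICAL-INTERFACE-PROFILE"}, [ospf_if_p, svi])
    node_profile = mo("l3extLNodeP", {"name": f"POD{p}-LOGICAL-NODE-PROFILE"}, [
        mo("l3extRsNodeL3OutAtt", {"tDn": "topology/pod-1/node-103",
                                   "rtrId": rtr_id, "rtrIdLoopBack": "yes"}),
        if_profile])

    # External EPG: the subnets only classify traffic into the EPG (import-security);
    # the consumed contract (Task 9) is what permits it.
    ext_epg = mo("l3extInstP", {"name": f"POD{p}-ROUTED-EXTERNAL-EPG"}, [
        mo("l3extSubnet", {"ip": f"10.1{p}.0.0/16", "scope": "import-security"}),
        mo("l3extSubnet", {"ip": f"172.16.{pod}.0/24", "scope": "import-security"}),
        mo("fvRsCons", {"tnVzBrCPName": contract})])

    l3ext_out = mo("l3extOut", {"name": l3out}, [
        mo("l3extRsEctx", {"tnFvCtxName": vrf}),
        mo("l3extRsL3DomAtt", {"tDn": f"uni/l3dom-POD{p}-EXTERNAL-ROUTED-DOMAIN"}),
        mo("ospfExtP", {"areaId": str(pod), "areaType": "nssa"}),   # areaId form is an assumption
        node_profile, ext_epg])

    # Task 9 (Web EPG provides the contract), Task 10 (BD uses the L3Out) and
    # Task 11 (the three BD subnets become Advertised Externally, i.e. scope public).
    web_epg = mo("fvAp", {"name": f"POD{p}-APPLICATION-PROFILE"}, [
        mo("fvAEPg", {"name": f"POD{p}-WEB-EPG"}, [mo("fvRsProv", {"tnVzBrCPName": contract})])])
    bridge_domain = mo("fvBD", {"name": bd},
                       [mo("fvRsBDToOut", {"tnL3extOutName": l3out})]
                       + [mo("fvSubnet", {"ip": f"10.{pod}.{n}.254/24", "scope": "public"})
                          for n in (1, 2, 3)])

    return mo("fvTenant", {"name": f"POD{p}"}, [ospf_if_pol, l3ext_out, web_epg, bridge_domain])


def post_to_apic(apic: str, user: str, password: str, payload: Dict[str, Any], cafile: str) -> int:
    """Log in with aaaLogin, then POST the payload to uni.json; returns the HTTP status.

    cafile is the PEM file that can verify the APIC certificate. The lab APIC is
    self-signed, so export its certificate and pass that file rather than turning
    verification off: the session token in the reply is as sensitive as the password.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"{apic}/api/aaaLogin.json", data=login,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(f"{apic}/api/mo/uni.json", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline: print the payload. Set APIC_URL, APIC_USER, APIC_PASS and APIC_CA to push it.
    doc = build_l3out_payload(int(os.environ.get("POD", "11")),
                              os.environ.get("OSPF_KEY", "1234QWer"))   # lab key as default only
    print(json.dumps(doc, indent=2))
    if os.environ.get("APIC_URL"):
        print(post_to_apic(os.environ["APIC_URL"], os.environ["APIC_USER"],
                           os.environ["APIC_PASS"], doc, os.environ["APIC_CA"]))
```

Run it without APIC_URL set to see the JSON the wizards would have produced; the same document can be pasted into the Postman collection used in Lab 10.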

Task 12: Verify That the Leaf Is Learning OSPF Routes


In this task, you will verify what you have configured for OSPF and check the OSPF adjacency and routes on
the ACI border leaf.

Activity Procedure
Complete these steps:
Step 91

In the Navigation pane, expand Tenant POD## > Networking > External Routed Networks
> POD##-EXTERNAL-ROUTED-NETWORK > Logical Node Profiles > POD##-LOGICAL-NODE-PROFILE > Configured Nodes > topology/pod-1/node-103 > OSPF for
VRF POD##:POD##-VRF. You should see one OSPF neighbor to the external router listed.


Step 92

In the Navigation pane, expand OSPF for VRF POD##:POD##-VRF > Routes. You
should see several routes being advertised by the external routers, which include the following:

10.1##.7.1/32

10.1##.8.1/32

10.1##.9.1/32

Step 93

From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.

Step 94

Log in to Leaf-2 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 95

Execute the show vrf command.


Note

The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-2# show vrf
VRF-Name                           VRF-ID State    Reason
black-hole                              3 Up       --
overlay-1                               4 Up       --
POD11:POD11-VRF                         6 Up       --
POD12:POD12-VRF                         5 Up       --
<output omitted>

Step 96

Execute the show ip route ospf vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). You should see routes to the following subnets:

10.1##.7.1/32

10.1##.8.1/32

10.1##.9.1/32

Leaf-2# show ip route ospf vrf POD##:POD##-VRF


IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.1##.7.1/32, ubest/mbest: 1/0
*via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.1##.8.1/32, ubest/mbest: 1/0
*via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.1##.9.1/32, ubest/mbest: 1/0
*via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter

Step 97

Execute the iping -V POD##:POD##-VRF 10.1##.7.1 command (replace ## with your
assigned 2-digit Pod Number). The ping should be successful.

Note

When testing connectivity through the fabric, use iping: it is sourced from the leaf data plane inside
the VRF you name (here from the L3Out SVI address 172.16.##.2) and crosses the VXLAN overlay where
needed. The plain ping command is sourced from the switch management interface and does not use the
VXLAN overlay, so it cannot reach tenant addresses.

Leaf-2# iping -V POD##:POD##-VRF 10.1##.7.1
PING 10.1##.7.1 (10.1##.7.1) from 172.16.##.2: 56 data bytes
64 bytes from 10.1##.7.1: icmp_seq=0 ttl=255 time=0.842 ms
64 bytes from 10.1##.7.1: icmp_seq=1 ttl=255 time=0.902 ms
64 bytes from 10.1##.7.1: icmp_seq=2 ttl=255 time=0.829 ms
64 bytes from 10.1##.7.1: icmp_seq=3 ttl=255 time=0.831 ms
64 bytes from 10.1##.7.1: icmp_seq=4 ttl=255 time=0.857 ms

--- 10.1##.7.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.829/0.852/0.902 ms

Step 98

Execute the show endpoint vrf POD##:POD##-VRF detail command (replace ## with your
assigned 2-digit Pod Number). This command displays the endpoints the leaf has learned within
your VRF. Besides your three virtual machines, you should see a local (L) entry for ##.##.##.##:
this is the loopback the node profile created from the Router ID (Use Router ID as Loopback
Address). Hosts behind the external router are not learned as endpoints; their traffic is
classified into the external EPG by the subnets you configured in Steps 65 and 67.

Leaf-2# show endpoint vrf POD##:POD##-VRF detail
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
      VLAN/       Encap           MAC Address       MAC Info/      Interface     Endpoint Group
      Domain      VLAN            IP Address        IP Info                      Info
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
POD##:POD##-VRF                  ##.##.##.##       L
19               vlan-3101       0050.568c.a008    LV             po1           POD##:POD##-APPLICATION-PROFILE:POD##-APP-EPG
POD##:POD##-VRF  vlan-3101       10.##.1.1         LV
20               vlan-3102       0050.568c.a369    LpV            po1           POD##:POD##-APPLICATION-PROFILE:POD##-DB-EPG
POD##:POD##-VRF  vlan-3102       10.##.2.1         LV
21               vlan-3134       0050.568c.e660    LpV            po1           POD##:POD##-APPLICATION-PROFILE:POD##-WEB-EPG
POD##:POD##-VRF  vlan-3134       10.##.3.1         LV
+------------------------------------------------------------------------------+
 Endpoint Summary
+------------------------------------------------------------------------------+
 Total number of Local Endpoints      : 4
 Total number of Remote Endpoints     : 0
 Total number of Peer Endpoints       : 0
 Total number of vPC Endpoints        : 3
 Total number of non-vPC Endpoints    : 1
 Total number of MACs                 : 3
 Total number of VTEPs                : 0
 Total number of Local IPs            : 4
 Total number of Remote IPs           : 0
 Total number All EPs                 : 4

Step 99

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 100

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 101

Execute the show ip route ospf vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). You will not see any routes as OSPF is not running on Leaf-1.

Leaf-1# show ip route ospf vrf POD##:POD##-VRF


IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

Step 102

Execute the show ip route bgp vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). You will see the routes to the external networks as prefixes that
have been redistributed into the BGP routing process.

Leaf-1# show ip route bgp vrf POD##:POD##-VRF
IP Route Table for VRF "POD##:POD##-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.1##.7.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
10.1##.8.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
10.1##.9.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
##.##.##.##/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [0/0], 01:03:38, bgp-100, internal, tag 100
172.16.##.0/24, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/0], 01:03:32, bgp-100, internal, tag 100

Step 103

Return to the VMware vSphere Client application.

Step 104

Press Ctrl-Shift-H to shift to the Hosts section.

Step 105

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace ##
with your assigned Pod number):

Virtual Machine    IP Address       Default Gateway
Pod##-App          10.##.1.1 /24    10.##.1.254
Pod##-DB           10.##.2.1 /24    10.##.2.254
Pod##-Web          10.##.3.1 /24    10.##.3.254

Step 106

Right-click the Pod##-Web VM and then select Open Console from the context menu.

Step 107

The console window for Pod##-Web will appear. You will see the Web server's desktop.

Step 108

Open a Command Prompt window.

Step 109

Verify that your Web Server can ping the IP address of the first route learned via OSPF using
the ping 10.1##.7.1 command (replace ## with your assigned 2-digit Pod Number).

Step 110

Verify that your Web Server can ping the IP address of the second route learned via OSPF
using the ping 10.1##.8.1 command (replace ## with your assigned 2-digit Pod Number).

Step 111

Verify that your Web Server can ping the IP address of the third route learned via OSPF using
the ping 10.1##.9.1 command (replace ## with your assigned 2-digit Pod Number).
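The following Python script is an added example, not part of the lab guide, that turns the Step 96 check into code: it parses the leaf's show ip route output into structured next hops and confirms that the three expected /32 routes are present and that every route is an OSPF route pointing at the external router on the L3Out segment. A route that arrives from any other OSPF speaker on that VLAN is reported, which is the check you want when the segment is shared and the MD5 key is common knowledge. The sample output is constructed for pod 11 from the values above; the regular expression also accepts the %overlay-1 next-hop form of the Step 102 BGP output, which is this example's own generalisation, and the function names are this example's own.

```python
"""Added example, not part of the lab guide: parse the Leaf-2 output of
Step 96 and verify it against what this L3Out should produce.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample for pod 11, shaped like the Step 96 output above.
SAMPLE_OSPF_ROUTES = """\
IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>
10.111.7.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.111.8.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.111.9.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
"""


class NextHop(NamedTuple):
    via: str      # next-hop address
    iface: str    # outgoing interface, or the VRF named after '%' when no interface is shown
    pref: int     # administrative distance (110 for OSPF, 200 for iBGP)
    metric: int
    proto: str    # routing process, e.g. ospf-default or bgp-100


PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+), ubest/mbest:")
VIA_RE = re.compile(r"^\s*\*+via (?P<via>[^,%]+)(?:%(?P<vrf>\S+?))?,"
                    r"(?: (?P<iface>[^\[,\s]+),)? \[(?P<pref>\d+)/(?P<metric>\d+)\], \S+, (?P<proto>[^,]+)")


def parse_routes(text: str) -> Dict[str, List[NextHop]]:
    """Map each prefix in a 'show ip route ... vrf' listing to its next hops."""
    routes: Dict[str, List[NextHop]] = {}
    prefix = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            routes[prefix] = []
            continue
        m = VIA_RE.match(line)
        if m and prefix is not None:
            routes[prefix].append(NextHop(m["via"], m["iface"] or m["vrf"] or "",
                                          int(m["pref"]), int(m["metric"]), m["proto"]))
    return routes


def check_l3out_routes(text: str, pod: int, external_router: str) -> List[str]:
    """Return the problems found in the leaf's OSPF routes; an empty list is the expected lab state."""
    routes = parse_routes(text)
    problems = []
    for last in (7, 8, 9):
        prefix = f"10.1{pod:02d}.{last}.1/32"
        if prefix not in routes:
            problems.append(f"missing {prefix}")
    for prefix, hops in routes.items():
        for hop in hops:
            if not hop.proto.startswith("ospf"):
                problems.append(f"{prefix}: not an OSPF route ({hop.proto})")
            elif hop.via != external_router:
                problems.append(f"{prefix}: unexpected next hop {hop.via} on {hop.iface}")
    return problems


if __name__ == "__main__":
    for issue in check_l3out_routes(SAMPLE_OSPF_ROUTES, 11, "172.16.11.1") or ["OK"]:
        print(issue)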


Lab 15: Configure External Layer 2 Connectivity - Extending a Bridge Domain


Overview
Complete this lab activity to become familiar with configuring an L2 connection to an external network.
An L2 outside connection is associated with a bridge domain and is designed to extend the whole bridge
domain, so every MAC address that arrives on the external VLAN is learned into that bridge domain.
Upon completing this guided lab, you will be able to:

Create an External Bridged Network

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Note

The first step in this configuration is to create an Attachable Access Entity Profile (AEP) for the
interface connected to the external switch. The AEP will be the point to which you connect the
external bridged domain you will create later in this lab exercise.

Note

If you attempt to configure an external bridged or routed network without attaching it to an AEP
you will get inconsistent results as well as Faults generated within the APIC.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Create an Attachable Access Entity Profile


In this task, the Instructor will create an Attachable Access Entity Profile that will be used by each of the
students in a subsequent Task.


Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 8

Navigate to Global Policies > Attachable Access Entity Profiles.

Step 9

Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 10

The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.
Field                         Value
Name                          L2-LAB-AEP
Enable Infrastructure VLAN    Checked

Note

Enable Infrastructure VLAN extends the fabric infrastructure VLAN to every port that uses this AEP. It is
only needed when the attached device itself must reach the infra VLAN (for example a host running the
Cisco AVS); on a port that faces an ordinary external switch, leave it unchecked outside the lab.

Step 11

Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.

Step 12

Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Note

The next step is to create an Interface Policy Group for each Fabric. The Interface Policy Group
defines how an interface on a leaf switch should operate (e.g. link speed), and the Interface
Policy Group is also the point where you indicate which AEP will use the interface.

Note

An Interface Policy Group may only include one AEP.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Create an Interface Policy Group


In this task, the Instructor will create an Interface Policy Group that will be used by the leaf interface
connecting to the bridged networks.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 13

Navigate to Interface Policies > Policy Groups.

Step 14

Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.


Step 15

The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                     Value
Name                      L2-LAB-INTERFACE-POLICY-GROUP
Link Level Policy         POD##-1G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
CDP Policy                POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
LLDP Policy               POD##-ENABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
Attached Entity Profile   L2-LAB-AEP

Step 16

Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Note

The next step is to create an Interface Profile for each Fabric. The Interface Profile will identify
the specific interface number(s) on the leaf switches that will use the associated Interface Policy
Group. The Interface Profile does not identify the leaf switches where the interfaces are located;
the leaf switches are identified in the Switch Profile (created later in this lab exercise).

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Create an Interface Profile


In this task, the Instructor will create an Interface Profile that will be used by the leaf interface connecting to
the bridged networks.

Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 17

Navigate to Interface Policies > Profiles.

Step 18

Right-click the Profiles folder and then select Create Interface Profile from the context menu.


Step 19

The Create Interface Profile wizard will appear. In the Name field, type L2-LAB-INTERFACE-PROFILE.

Step 20

In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.
Field                    Value
Name                     INTERFACE-SELECTOR
Interface ID             1/5
Interface Policy Group   L2-LAB-INTERFACE-POLICY-GROUP

Step 21

Click the OK button to complete the Create Access Port Selector wizard.

Step 22

Click the SUBMIT button to complete the Create Interface Profile wizard.

Note

The next step is to create a Switch Profile for each Fabric. The Switch Profile identifies the
specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the
end of this step, assuming everything was configured properly, the physical interface on the leaf
switch should be in an up state.

STOP!

This Task will be performed by the Instructor; students do NOT perform this Task.

Task 4: Create a Switch Profile


In this task, the Instructor will create a Switch Profile that will be used by the leaf interface connecting to the
bridged networks.


Activity Procedure
Complete these steps:
STOP!

The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23

Navigate to Switch Policies > Profiles.

Step 24

Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 25

The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
L2-LAB-SWITCH-PROFILE.

Step 26

In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.
Field     Value
Name      SWITCH-SELECTOR
Blocks    103

Step 27

Click the UPDATE button.

Step 28

Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select L2-LAB-INTERFACE-PROFILE.

Step 29

Click the FINISH button to complete the Create Switch Profile wizard.

Step 30

From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.

Step 31

Log in to Leaf-2 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 32

Execute the show interface e1/5 brief command. You should see that the interface selected in
Task 3 is in an up state.


Leaf-2# show interface e1/5 brief
--------------------------------------------------------------------------------
Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                      Ch #
--------------------------------------------------------------------------------
Eth1/5          0       eth  trunk  up      none                     1000(D)   --

Task 5: Create a VLAN Pool for the External Bridged Domain


In this task, you will create a VLAN pool that will be used by the external bridged domain you will create
in the next Task.

Activity Procedure
Complete these steps:
Note

All students should perform this Task and all remaining Tasks in this lab exercise.

Step 33

Return to the APIC GUI running in your Chrome browser.

Step 34

In the Menu bar, click Fabric.

Step 35

In the Submenu bar, click Access Policies.

Step 36

In the Navigation pane, expand Pools > VLAN.

Step 37

Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 38

The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field              Value
Name               POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)
Allocation Mode    Static Allocation


Step 39

In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.
Field           Value
Range (From)    2## (replace ## with your assigned 2-digit Pod Number)
Range (To)      2## (replace ## with your assigned 2-digit Pod Number)

Step 40

Click the OK button.

Step 41

Click the SUBMIT button to complete the Create VLAN Pool wizard.

Note

In the next task you will create an External Bridged Domain, which will be used in subsequent lab
exercises. An External Bridged Domain is required in order to configure layer 2 connectivity to
external networks.

Task 6: Create an External Bridged Domain (Layer 2 Domain)


In this task, you will create an External Bridged Domain that will use the VLAN Pool you created in the
previous Task.

Activity Procedure
Complete these steps:
Step 42

In the Menu bar, click Fabric.

Step 43

In the Submenu bar, click Access Policies.

Step 44

Navigate to Physical and External Domains > External Bridged Domains.

Step 45

Right-click the External Bridged Domains folder and then select Create Layer 2 Domain
from the context menu.


Step 46

The Create Layer 2 Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                                   Value
Name                                    POD##-EXTERNAL-BRIDGED-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Associated Attachable Entity Profile    L2-LAB-AEP
VLAN Pool                               POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)

Step 47

Click the SUBMIT button to complete the Create Layer 2 Domain wizard.

Task 7: Create an External Bridged Network


In this task, you will configure an External Bridged Network, which will contain all of the necessary
information to create a layer 2 connection between the leaf switch and an external VLAN.

Activity Procedure
Complete these steps:
Step 48

In the Navigation pane, expand Tenant POD## > Networking >External Bridged Networks.

Step 49

Right-click the External Bridged Networks folder and then select Create Bridged Outside
from the context menu.


Step 50

The Create Bridged Outside wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                     Value
Name                      POD##-EXTERNAL-BRIDGED-NETWORK (replace ## with your assigned 2-digit Pod Number)
External Bridged Domain   POD##-EXTERNAL-BRIDGED-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Bridge Domain             POD##-BD (replace ## with your assigned 2-digit Pod Number)
Encap                     vlan-2## (replace ## with your assigned 2-digit Pod Number)
Path Type                 Port
Path                      Node-103/eth1/5

Note

Make sure to click the ADD button after you select the path; the path you select must appear in
the lower portion of the wizard.

Step 51

Click the NEXT button.

Step 52

In STEP 2 > External EPG Networks, in the External EPG Networks subsection, click the
plus sign to create a new entry.

Step 53

The Create External Network wizard will appear. In the Name field type POD##-EXTERNAL-BRIDGED-EPG (replace ## with your assigned 2-digit Pod Number).

Step 54

Click the SUBMIT button to complete the Create External Network wizard.


Step 55

Click the FINISH button to complete the Create Bridged Outside wizard.

Task 8: Configure Contracts between the Web EPG and the External Bridged Network
In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External
Bridged Network EPG. Everything that arrives on the encap VLAN of the Bridged Outside is classified into
that external EPG, so the contract is the only policy that limits what the external switch's hosts can reach.

Activity Procedure
Complete these steps:
Step 56

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG > Contracts.

Step 57

Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 58

The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-CONTRACT-ANY from the drop-down list.

Step 59

Click the SUBMIT button to complete the Add Provided Contract wizard.

Step 60

In the Navigation pane, expand Tenant POD## > Networking > External Bridged Networks
> POD##-EXTERNAL-BRIDGED-NETWORK > Networks > POD##-EXTERNAL-BRIDGED-EPG.

Step 61

In the Work panel, click the Policy tab.

Step 62

In the Consumed Contracts pane, click the plus sign to create a new entry. In the NAME field,
select POD##/POD##-CONTRACT-ANY from the drop-down list.

Step 63

Click the UPDATE button.

Step 64

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE.

Step 65

In the Work pane, click the Policy tab. You should see that the diagram representing the objects
within your Application Profile has been updated to include the new contracts.

Task 9: Verify That the Web EPG Can Communicate with the External
Bridged Domain
In this task, you will verify that the Web Server in your Web EPG can successfully communicate with a
device in the External Bridged Domain.

Activity Procedure
Complete these steps:
Step 66

Return to the VMware vSphere Client application.

Step 67

Press Ctrl-Shift-H to shift to the Hosts section.

Step 68

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace ##
with your assigned Pod number):

Virtual Machine   IP Address      Default Gateway
Pod##-App         10.##.1.1 /24   10.##.1.254
Pod##-DB          10.##.2.1 /24   10.##.2.254
Pod##-Web         10.##.3.1 /24   10.##.3.254

Step 69

Right-click the Pod##-Web VM and then select Open Console from the context menu.

Step 70

The console window for Pod##-Web will appear. You will see the Web server's desktop.

Step 71

Open a Command Prompt window.

Step 72

There is a device in the external bridged network that is configured to use VLAN ##1 with the
IP address 10.##.3.2 (this is the same subnet used by your Web Server virtual machine). Verify
that your Web Server can ping this IP address using the ping 10.##.3.2 command (replace ##
with your assigned 2-digit Pod Number).

Step 73

From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.

Step 74

Log in to Leaf-2 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 75

Execute the show vrf command.

Note

The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-2# show vrf

 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 overlay-1                               4 Up      --
 POD11:POD11-VRF                         6 Up      --
 POD12:POD12-VRF                         5 Up      --
<output omitted>

Step 76

Execute the show endpoint vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC
within your VRF. You should see an entry with the IP address of 10.##.3.2 .

Leaf-2# show endpoint vrf POD##:POD##-VRF

Legend:
 O - peer-attached    H - vtep             a - locally-aged    S - static
 V - vpc-attached     p - peer-aged        L - local           M - span
 s - static-arp       B - bounce
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
      VLAN/         Encap           MAC Address       MAC Info/      Interface     Endpoint Group
      Domain        VLAN            IP Address        IP Info                      Info
+---------------+---------------+-----------------+--------------+-------------+-----------------------------+
POD##:POD##-VRF                   ##.##.##.## L
15              vlan-3##7        0050.569a.456e L                  eth1/34
POD##:POD##-VRF vlan-3##7             10.##.1.1 L
16              vlan-3##4        0050.569a.0a8a O                  eth1/33
POD##:POD##-VRF vlan-3##4             10.##.3.1 O
17              vlan-3##1        0050.569a.5e25 O                  eth1/33
POD##:POD##-VRF vlan-3##1             10.##.2.1 O
24              vlan-2##         0018.1987.1d42 L                  eth1/5
POD##:POD##-VRF vlan-2##              10.##.3.2 L
+------------------------------------------------------------------------------+
                                    Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints    : 3
Total number of Remote Endpoints   : 0
Total number of Peer Endpoints     : 2
Total number of vPC Endpoints      : 0
Total number of non-vPC Endpoints  : 3
Total number of MACs               : 4
Total number of VTEPs              : 0
Total number of Local IPs          : 3
Total number of Remote IPs         : 2
Total number All EPs               : 5

Step 77

Execute the show vlan extended command. You should see that a new fabric VLAN has been
created and associated with the port connected to the external bridge domain VLAN.

Leaf-2# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 24   -                                active    Eth1/5
<output omitted>

 VLAN Type  Vlan-mode  Encap
 ---- ----- ---------- -------------------------------
 24   enet  CE         vlan-2##
<output omitted>

Lab 16: Configure External Layer 2 Connectivity - Extending an EPG


Overview
There are a variety of methods to configure network connectivity between devices integrated into the ACI
fabric and devices in a layer 2 network that is external to the ACI fabric. This lab exercise will focus on the
method that is referred to as extending an end point group (EPG).
When the extending an EPG method is used, network connectivity is configured so that the external device can
be added to an application EPG within the fabric. The external device is treated as an endpoint in the same
way that a virtual machine on an integrated host is treated, so policies and contracts applied to the EPG are
also applied to traffic to and from the external device.
In this lab exercise you will configure connectivity between your assigned interface on Leaf-1 and a device
that is reachable via layer 2. You will also create a new bridge domain and EPG in which you will place the
external device. This is not necessary in general; however, it allows additional functionality to be
demonstrated during the lab exercise. At the end of the lab exercise your assigned DB server VM should be
able to communicate with the external device.
Note

To distinguish the extending an EPG method from the extending the bridge domain method,
the terms bare metal network and bare metal server will be used in this lab exercise. These
terms refer to devices that are directly or indirectly connected to a leaf switch at layer 2. The
term bare metal indicates that the server is not a hypervisor/host (no virtualization is present)
and that the Windows/Linux/UNIX operating system is installed directly on the hardware. These
terms are found in many of the Cisco ACI documents.

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Step 6

From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:

IP address / Name: vcenter-@.dc.local (replace @ with your assigned vCenter letter).

Username: root

Password: 1234QWer (note that QW is capitalized)

Step 7

At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a VLAN Pool


In this task, you will create a VLAN pool that will be used by the physical domain you will create in a
subsequent Task.

Activity Procedure
Complete these steps:
Step 8

Return to the APIC GUI running in your Chrome browser.

Step 9

In the Menu bar, click Fabric.

Step 10

In the Submenu bar, click Access Policies.

Step 11

In the Navigation pane, expand Pools > VLAN.

Step 12

Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 13

The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field                Value
Name                 POD##-BARE-METAL-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)
Allocation Mode      Static Allocation

Step 14

In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.
Field                Value
Range (From)         4## (replace ## with your assigned 2-digit Pod Number)
Range (To)           4## (replace ## with your assigned 2-digit Pod Number)

Step 15

Click the OK button.

Step 16

Click the SUBMIT button to complete the Create VLAN Pool wizard.

Task 2: Create a Physical Domain


The next step in configuring an external bridged network is to create a Physical Domain. The physical
domain contains the VLAN Pool containing the external VLANs, and it must be added to the correct
Attachable Access Entity Profile (AEP) that is used by the correct leaf switch interface.
In this task, you will create a Physical Domain that will be used by the application EPG that you will create in a
subsequent task.

Activity Procedure
Complete these steps:
Step 17

In the Menu bar, click Fabric.

Step 18

In the Submenu bar, click Access Policies.

Step 19

Navigate to Physical and External Domains > Physical Domains.

Step 20

Right-click the Physical Domains folder and then select Create Physical Domain from the
context menu.

Step 21

The Create Physical Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                Value
Name                 POD##-BARE-METAL-PHYSICAL-DOMAIN (replace ## with your assigned 2-digit Pod Number)
VLAN Pool            POD##-BARE-METAL-VLAN-POOL (replace ## with your assigned 2-digit Pod Number)

Step 22

Click the SUBMIT button to complete the Create Physical Domain wizard.

Task 3: Create an Attachable Access Entity Profile


In this task, you will create an Attachable Access Entity Profile that will contain the physical domain that you
created previously.

Activity Procedure
Complete these steps:
Step 23

In the Menu bar, click Fabric.

Step 24

In the Submenu bar, click Access Policies.

Step 25

Navigate to Global Policies > Attachable Access Entity Profiles.

Step 26

Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 27

The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > PROFILE,
enter the values in the following table.

Field                        Value
Name                         POD##-BARE-METAL-AEP (replace ## with your assigned 2-digit Pod Number)
Enable Infrastructure VLAN   Checked

Step 28

In the Domains (VMM, Physical or External) To Be Associated to Interfaces subsection,
click the plus sign to associate your physical domain. In the NAME drop-down list, select
POD##-BARE-METAL-PHYSICAL-DOMAIN (replace ## with your assigned two-digit
Pod Number).

Step 29

Click the UPDATE button.

Step 30

Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.

Step 31

Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Task 4: Create an Interface Policy Group


In this task, you will create an Interface Policy Group that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 32

Navigate to Interface Policies > Policy Groups.

Step 33

Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 34

The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                     Value
Name                      POD##-BARE-METAL-INTERFACE-POLICY-GROUP (replace ## with your assigned 2-digit Pod Number)
Link Level Policy         POD##-1G-LINK-LEVEL-POLICY (replace ## with your assigned 2-digit Pod Number)
CDP Policy                POD##-ENABLE-CDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
LLDP Policy               POD##-ENABLE-LLDP-INTERFACE-POLICY (replace ## with your assigned 2-digit Pod Number)
Attached Entity Profile   POD##-BARE-METAL-AEP (replace ## with your assigned 2-digit Pod Number)

Step 35

Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Task 5: Create an Interface Profile


In this task, you will create an Interface Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 36

Navigate to Interface Policies > Profiles.

Step 37

Right-click the Profiles folder and then select Create Interface Profile from the context menu.

Step 38

The Create Interface Profile wizard will appear. In the Name field, type POD##-BARE-METAL-INTERFACE-PROFILE (replace ## with your assigned two-digit Pod Number).

Step 39

In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field                    Value
Name                     INTERFACE-SELECTOR
Interface ID             1/## (replace ## with your assigned 2-digit Pod Number)
Interface Policy Group   POD##-BARE-METAL-INTERFACE-POLICY-GROUP (replace ## with your assigned 2-digit Pod Number)

Step 40

Click the OK button to complete the Create Access Port Selector wizard.

Step 41

Click the SUBMIT button to complete the Create Interface Profile wizard.

Task 6: Create a Switch Profile


In this task, you will create a Switch Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 42

Navigate to Switch Policies > Profiles.

Step 43

Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 44

The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
POD##-BARE-METAL-SWITCH-PROFILE (replace ## with your assigned two-digit
Pod Number).

Step 45

In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.
Field                Value
Name                 SWITCH-SELECTOR
Blocks               101

Step 46

Click the UPDATE button.

Step 47

Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select POD##-BARE-METAL-INTERFACE-PROFILE (replace ## with your assigned
two-digit Pod Number).

Step 48

Click the FINISH button to complete the Create Switch Profile wizard.

Task 7: Create a Bridge Domain


In this task, you will create a new Bridge Domain that will eventually contain the bare metal server
connected to Leaf-2. You will also create a new Subnet that will be used to communicate with the bare metal
server.

Activity Procedure
Complete these steps:
Step 49

In the Menu bar, click Tenants.

Step 50

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 51

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains.

Step 52

Right-click the Bridge Domains folder and then select Create Bridge Domain from the
context menu.

Step 53

The Create Bridge Domain wizard will appear. In STEP 1 > Main, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                Value
Name                 POD##-BARE-METAL-BD (replace ## with your assigned 2-digit Pod Number)
VRF                  POD##/POD##-VRF (replace ## with your assigned 2-digit Pod Number)

Step 54

Click the NEXT button. In STEP 2 > L3 Configurations, in the Subnets subsection, click the
plus sign to start the Create Subnet wizard.

Step 55

The Create Subnet wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.

Field                  Value
Gateway IP             10.##.4.254/24 (replace ## with your assigned 2-digit Pod Number)
Scope Private Subnet   checked

Step 56

Click the OK button to complete the Create Subnet wizard.

Step 57

Click the NEXT button. In STEP 3 > Advanced/Troubleshooting, do not make any changes.

Step 58

Click the FINISH button to complete the Create Bridge Domain wizard.

Task 8: Create a Bare Metal EPG


In this task, you will create a Bare Metal EPG within the Bare Metal bridge domain. You will also configure
the Bare Metal EPG with the settings necessary to include the bare metal server within the EPG.

Activity Procedure
Complete these steps:
Step 59

In the Menu bar, click Tenants.

Step 60

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 61

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs.

Step 62

Right-click the Application EPGs folder and then select Create Application EPG from the
context menu.

Step 63

The Create Application EPG wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                               Value
Name                                POD##-BARE-METAL-EPG (replace ## with your assigned 2-digit Pod Number)
Bridge Domain                       POD##/POD##-BARE-METAL-BD (replace ## with your assigned 2-digit Pod Number)
Statically Link with Leaves/Paths   Checked

Step 64

Click the NEXT button. In STEP 2 > Leaves/Paths, in the Physical Domain drop-down list,
select POD##-BARE-METAL-PHYSICAL-DOMAIN (replace ## with your assigned two-digit Pod Number).

Step 65

Click the FINISH button to complete the Create Application EPG wizard.

Step 66

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-BARE-METAL-EPG >
Static Bindings (Paths).

Step 67

Right-click the Static Bindings (Paths) folder and then select Deploy Static EPG on PC,
VPC, or Interface from the context menu.

Step 68

The Deploy Static EPG on PC, VPC, or Interface wizard will appear. Enter the values in the
following table.

Field                   Value
Path Type               Port
Path                    Node 101/eth1/## (replace ## with your assigned 2-digit Pod Number)
Encap                   vlan-4## (replace ## with your assigned 2-digit Pod Number)
Deployment Immediacy    Immediate
Mode                    Trunk

Step 69

Click the SUBMIT button to complete the Deploy Static EPG on PC, VPC, or Interface
wizard.

Task 9: Create a New Contract


In this task, you will create a new Contract that will be used (in the following Task) to allow communications
between the DB EPG and the Bare Metal EPG.

Activity Procedure
Complete these steps:
Step 70

In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.

Step 71

Right-click the Contracts folder and then select Create Contract from the context menu.

Step 72

The Create Contract wizard will appear. In the Name field, type POD##-CONTRACT-DB-BARE-METAL (replace ## with your assigned 2-digit Pod Number).

Step 73

In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                   Value
Name                    SUBJECT-ANY
Apply Both Directions   Checked
Reverse Filter Ports    Checked

Step 74

In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 75

Click the UPDATE button, and then click the OK button.

Step 76

Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Task 10: Configure Contracts between the DB EPG and the Bare Metal
EPG
In this task, you will apply the Bare Metal Contract to allow traffic to flow between the DB EPG and the
Bare Metal EPG.

Activity Procedure
Complete these steps:
Step 77

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-BARE-METAL-EPG >
Contracts.

Step 78

Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 79

The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-CONTRACT-DB-BARE-METAL from the drop-down list.

Step 80

Click the SUBMIT button to complete the Add Provided Contract wizard.

Step 81

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG > Contracts.

Step 82

Right-click the Contracts folder and then select Add Consumed Contract from the context
menu.

Step 83

The Add Consumed Contract wizard will appear. In the Name drop-down list, select
POD##/POD##-CONTRACT-DB-BARE-METAL (replace ## with your assigned 2-digit Pod
Number).

Step 84

Click the SUBMIT button to complete the Add Consumed Contract wizard.

Step 85

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE.

Step 86

In the Work pane, click the Policy tab. You should see that the diagram representing the objects
within your Application Profile has been updated to include the new contracts.
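Tasks 7 through 10 build the same objects that the REST API and Cobra labs drive programmatically. The following is an added example, not code from the lab guide or from Cisco, that assembles the APIC REST payload for those objects (bridge domain with its private subnet, the Bare Metal EPG with its static path binding, the DB/Bare Metal contract, and the provided/consumed relations) and checks the contract wiring before anything is posted. The class names (fvBD, fvAEPg, fvRsPathAtt, vzBrCP and so on) are the standard APIC object-model classes; the helper functions, the pod number 11 and the check itself are this example's own assumptions.

```python
"""Build and sanity-check the APIC REST payload for the Lab 16 tenant objects
(bare-metal bridge domain, EPG with static path binding, and the DB <-> bare
metal contract) before posting it to /api/mo/uni.json."""
import json
from typing import Dict, Iterator, List, Optional, Sequence, Tuple

# Class names such as fvBD, fvAEPg, fvRsPathAtt and vzBrCP are the standard
# APIC object-model classes; the helper functions below are this example's own.


def bridge_domain(name: str, vrf: str, gateway: str, unicast_routing: str = "yes") -> Dict:
    """fvBD in the given VRF with one private subnet (the anycast gateway).
    unicastRoute="no" is the change Lab 17 Task 2 makes so an external
    firewall can take over as the default gateway."""
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": unicast_routing},
                     "children": [
                         {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}},
                         {"fvSubnet": {"attributes": {"ip": gateway, "scope": "private"}}},
                     ]}}


def contract(name: str, subject: str, filters: Sequence[str]) -> Dict:
    """vzBrCP with one subject; revFltPorts="yes" is the Reverse Filter Ports box."""
    return {"vzBrCP": {"attributes": {"name": name}, "children": [
        {"vzSubj": {"attributes": {"name": subject, "revFltPorts": "yes"},
                    "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                                 for f in filters]}}]}}


def epg(name: str, provided: Sequence[str] = (), consumed: Sequence[str] = (),
        bd: Optional[str] = None, phys_domain: Optional[str] = None,
        static_path: Optional[Tuple[int, str, str]] = None) -> Dict:
    """fvAEPg; bd/phys_domain/static_path are omitted when only contract
    relations are being added to an EPG that already exists."""
    children: List[Dict] = []
    if bd:
        children.append({"fvRsBd": {"attributes": {"tnFvBDName": bd}}})
    if phys_domain:
        children.append({"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{phys_domain}"}}})
    if static_path:
        node, port, encap = static_path
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{node}/pathep-[eth{port}]",
            "encap": encap, "instrImmedcy": "immediate", "mode": "regular"}}})  # regular = Trunk
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def lab16_tenant(pod: str, db_consumes: Optional[str] = None) -> Dict:
    """The Task 7-10 objects for one pod. db_consumes defaults to the contract
    created in Task 9; pass a different name to see the wiring check fire."""
    t = f"POD{pod}"
    c = f"{t}-CONTRACT-DB-BARE-METAL"
    return {"fvTenant": {"attributes": {"name": t}, "children": [
        bridge_domain(f"{t}-BARE-METAL-BD", f"{t}-VRF", f"10.{pod}.4.254/24"),
        contract(c, "SUBJECT-ANY", [f"{t}-FILTER-ANY"]),
        {"fvAp": {"attributes": {"name": f"{t}-APPLICATION-PROFILE"}, "children": [
            epg(f"{t}-BARE-METAL-EPG", provided=[c], bd=f"{t}-BARE-METAL-BD",
                phys_domain=f"{t}-BARE-METAL-PHYSICAL-DOMAIN",
                static_path=(101, f"1/{pod}", f"vlan-4{pod}")),
            epg(f"{t}-DB-EPG", consumed=[db_consumes or c]),
        ]}},
    ]}}


def walk(obj: Dict) -> Iterator[Tuple[str, Dict]]:
    """Yield (class, attributes) for every managed object in a payload tree."""
    for cls, body in obj.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from walk(child)


def check_contract_wiring(tenant: Dict) -> List[str]:
    """Catch dangling or one-sided contract relations in the payload. Only the
    payload itself is inspected, so contracts defined in tenant common or
    provided by EPGs outside this payload would show up as findings."""
    defined = {a["name"] for cls, a in walk(tenant) if cls == "vzBrCP"}
    provided = {a["tnVzBrCPName"] for cls, a in walk(tenant) if cls == "fvRsProv"}
    consumed = {a["tnVzBrCPName"] for cls, a in walk(tenant) if cls == "fvRsCons"}
    problems = [f"contract {n} is referenced but not defined in this tenant"
                for n in sorted((provided | consumed) - defined)]
    problems += [f"contract {n} is consumed but no EPG provides it" for n in sorted(consumed - provided)]
    problems += [f"contract {n} is provided but no EPG consumes it" for n in sorted(provided - consumed)]
    return problems


def static_paths(tenant: Dict) -> List[Tuple[str, str]]:
    """(tDn, encap) of every static binding: a quick review of which leaf
    ports and VLANs the payload will actually program."""
    return [(a["tDn"], a["encap"]) for cls, a in walk(tenant) if cls == "fvRsPathAtt"]


if __name__ == "__main__":
    tenant = lab16_tenant("11")
    print(json.dumps(tenant, indent=2))
    print("wiring problems:", check_contract_wiring(tenant) or "none")
```

The payload is what you would POST to https://<apic>/api/mo/uni.json with a logged-in session (the Lab 10 Postman workflow). The wiring check is worth running before every post: a contract that is consumed under one name and provided under another silently leaves the DB and Bare Metal EPGs isolated, and the fabric gives no error because each relation is individually valid.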

Task 11: Verify Connectivity to the Bare Metal File Server


In this task, you will verify that your Pod DB server can communicate with the bare metal file server
connected to the leaf switch.

Activity Procedure
Complete these steps:
Step 87

Return to the VMware vSphere Client application.

Step 88

Press Ctrl-Shift-H to shift to the Hosts section.

Step 89

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace ##
with your assigned Pod number):
Virtual Machine   IP Address      Default Gateway
Pod##-App         10.##.1.1 /24   10.##.1.254
Pod##-DB          10.##.2.1 /24   10.##.2.254
Pod##-Web         10.##.3.1 /24   10.##.3.254

Step 90

Right-click the Pod##-DB VM and then select Open Console from the context menu.

Step 91

The console window for Pod##-DB will appear. You will see the DB server's desktop.

Step 92

Open a Command Prompt window.

Step 93

Verify that your DB Server can ping the bare metal file server using the ping 10.##.4.1
command (replace ## with your assigned 2-digit Pod Number).

Step 94

From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.

Step 95

Log in to Leaf-1 using the following information:

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 96

Execute the show vrf command.

Note

The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-1# show vrf

 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 overlay-1                               4 Up      --
 POD11:POD11-VRF                         6 Up      --
 POD12:POD12-VRF                         5 Up      --
<output omitted>

Step 97

Execute the show endpoint vrf POD##:POD##-VRF command (replace ## with your
assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC
within your VRF. You should see an entry with the IP address of 10.##.4.1 .

Leaf-1# show endpoint vrf POD##:POD##-VRF

Legend:
 O - peer-attached    H - vtep             a - locally-aged    S - static
 V - vpc-attached     p - peer-aged        L - local           M - span
 s - static-arp       B - bounce
+-----------------------------------+---------------+-----------------+-------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/      Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+-------------+-------------+
15                                    vlan-3##4        0050.569a.5e25 L                      eth1/33
POD##:POD##-VRF                       vlan-3##4           10.##.2.1 L
16                                    vlan-3##0        0050.569a.0a8a L                      eth1/33
POD##:POD##-VRF                       vlan-3##0           10.##.3.1 L
17                                    vlan-3##5        0050.569a.456e O                      eth1/34
POD##:POD##-VRF                       vlan-3##5           10.##.1.1 O
23                                    vlan-4##         0016.c714.6b52 L                      eth1/##
POD##:POD##-VRF                       vlan-4##            10.##.4.1 L
+------------------------------------------------------------------------------+
                                    Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints    : 3
Total number of Remote Endpoints   : 0
Total number of Peer Endpoints     : 1
Total number of vPC Endpoints      : 0
Total number of non-vPC Endpoints  : 3
Total number of MACs               : 4
Total number of VTEPs              : 0
Total number of Local IPs          : 3
Total number of Remote IPs         : 1
Total number All EPs               : 4
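The endpoint table above (and the matching one in Lab 15, Step 76) is the verification a practitioner would script rather than eyeball: it answers whether the expected IP was learned in the expected encap, on the expected leaf port, and as a local rather than a peer-attached endpoint. The following is an added example, not code from the lab guide or from Cisco, that parses the two-line-per-endpoint layout of show endpoint vrf, cross-checks the parsed table against the switch's own summary counts, and reports deviations for one expected endpoint. The embedded output is constructed from the Step 97 pattern with the pod number filled in as 11; it was not captured from a real switch.

```python
"""Parse `show endpoint vrf <vrf>` output from an ACI leaf and check that an
endpoint was learned on the interface, encap VLAN and locality the lab expects."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the Leaf-1 output shown in Step 97, with the
# pod number filled in as 11. It was not captured from a real switch.
SAMPLE_OUTPUT = """\
Leaf-1# show endpoint vrf POD11:POD11-VRF
Legend:
 O - peer-attached    H - vtep             a - locally-aged    S - static
 V - vpc-attached     p - peer-aged        L - local           M - span
 s - static-arp       B - bounce
+-----------------------------------+---------------+-----------------+-------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/      Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+-------------+-------------+
15                                    vlan-3114        0050.569a.5e25 L                      eth1/33
POD11:POD11-VRF                       vlan-3114           10.11.2.1 L
16                                    vlan-3110        0050.569a.0a8a L                      eth1/33
POD11:POD11-VRF                       vlan-3110           10.11.3.1 L
17                                    vlan-3115        0050.569a.456e O                      eth1/34
POD11:POD11-VRF                       vlan-3115           10.11.1.1 O
23                                    vlan-411         0016.c714.6b52 L                      eth1/11
POD11:POD11-VRF                       vlan-411            10.11.4.1 L
+------------------------------------------------------------------------------+
                                    Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints    : 3
Total number of Remote Endpoints   : 0
Total number of Peer Endpoints     : 1
"""

MAC_LINE = re.compile(r"^(\d+)\s+(vlan-\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+([A-Za-z]+)\s+(\S+)\s*$")
IP_LINE = re.compile(r"^(\S+)\s+(vlan-\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z]+)\s*$")
SUMMARY_LINE = re.compile(r"^Total number (?:of )?(.+?)\s*:\s*(\d+)\s*$")


@dataclass
class Endpoint:
    fabric_vlan: int      # leaf-local VLAN id (first column)
    encap: str            # wire encapsulation, e.g. vlan-411
    mac: str
    mac_flags: str        # legend letters: L local, O peer-attached, S static, ...
    interface: str
    vrf: Optional[str] = None
    ip: Optional[str] = None
    ip_flags: str = ""

    @property
    def is_local(self) -> bool:
        return "L" in self.mac_flags


def parse_show_endpoint(text: str) -> List[Endpoint]:
    """Each endpoint spans two lines: the MAC line, then the IP line in the
    same encap. Legend, header and summary lines match neither pattern."""
    endpoints: List[Endpoint] = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, encap, mac, flags, intf = m.groups()
            endpoints.append(Endpoint(int(vlan), encap, mac, flags, intf))
            continue
        m = IP_LINE.match(line)
        if m and endpoints and endpoints[-1].ip is None and m.group(2) == endpoints[-1].encap:
            endpoints[-1].vrf, _, endpoints[-1].ip, endpoints[-1].ip_flags = m.groups()
    return endpoints


def parse_summary(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            counts[m.group(1).strip()] = int(m.group(2))
    return counts


def check_endpoint(endpoints: List[Endpoint], ip: str, encap: str, interface: str) -> List[str]:
    """Return findings for one expected endpoint; an empty list means it was
    learned locally on the expected port with the expected encap."""
    ep = next((e for e in endpoints if e.ip == ip), None)
    if ep is None:
        return [f"{ip} was not learned in this VRF"]
    findings = []
    if ep.encap != encap:
        findings.append(f"{ip} seen on {ep.encap}, expected {encap}")
    if ep.interface != interface:
        findings.append(f"{ip} seen on {ep.interface}, expected {interface}")
    if not ep.is_local:
        findings.append(f"{ip} is not locally attached (flags {ep.mac_flags})")
    return findings


def local_count_matches(endpoints: List[Endpoint], summary: Dict[str, int]) -> bool:
    """Cross-check the parsed table against the switch's own summary line."""
    return summary.get("Local Endpoints") == sum(1 for e in endpoints if e.is_local)


if __name__ == "__main__":
    eps = parse_show_endpoint(SAMPLE_OUTPUT)
    pod = "11"
    print(check_endpoint(eps, f"10.{pod}.4.1", f"vlan-4{pod}", f"eth1/{pod}") or "bare metal endpoint OK")
```

For the Lab 15 output, the same parser applies with the expected values changed to the external device (10.##.3.2, vlan-2##, eth1/5). An endpoint that appears with the O flag where L was expected means the leaf learned it from a peer rather than from a directly attached port, which usually points at a static binding deployed to the wrong node or interface.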

Step 98

Execute the show vlan extended command. You should see that a new fabric VLAN has been
created and associated with the port connected to the bare metal server.

Leaf-1# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 23   POD##:POD##-APPLICATION-         active    Eth1/##
      PROFILE:POD##-BM-EPG
<output omitted>

 VLAN Type  Vlan-mode  Encap
 ---- ----- ---------- -------------------------------
 23   enet  CE         vlan-4##
<output omitted>

Lab 17: Configure a Service Graph in Managed Mode

Overview
With the open architecture of the ACI solution, you can seamlessly insert any vendor's service solution, such
as firewalls and load balancers, into the APIC application profile.
The ACI solution from Cisco provides a powerful tool for inserting such services and includes an open API for
communicating with the APIC. With the ease of scripting, deployment of any object within the APIC can now
be done in minutes (in some cases seconds), thus reducing the time needed to deploy your application
network.
Complete this lab activity to become familiar with configuring a Service Graph to insert an ASAv in
managed mode.
Upon completing this guided lab, you will be able to:

Import Device Packages (demo)

Create Device Cluster for the ASA

Create a Service Graph

Create Logical Device Context for ASA

Attach Service Graph to Contracts

Cisco ASAv Attributes / L4-L7 Device Attributes


The following table contains information related to the configuration of the Cisco ASAv virtual machine
during this lab exercise.
ASAv VM Network Adapter   ASAv Physical Interface   ASAv Security Level   IP Address           Contract Type   L4-L7 Device Interface Name   Function Profile Interface Name
Network Adapter 1         Management0/0                                   192.168.R0.<##+50>   N/A             N/A                           N/A
Network Adapter 2         GigabitEthernet0/0        50                    10.##.4.254          Consumer        Outside                       externalIf
Network Adapter 3         GigabitEthernet0/1        100                   10.##.2.254          Provider        Inside                        internalIf

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Import Device Packages (Instructor Demo)


In this Task the instructor will import a Device Package that contains the files necessary to
integrate the Cisco ASAv firewall virtual machine.

Activity Procedure
Complete these steps:
Note

This Task will be performed by the Instructor; students do NOT perform this Task.

Step 6

In the Menu bar, click L4-L7 Services.

Step 7

In the Submenu bar, click Packages.

Step 8

In the Navigation pane, right-click the L4-L7 Service Device Types folder, and then select
Import Device Package from the context menu.

Step 9

The Import Device Package dialog window will appear. Click the BROWSE button.

Step 10

The Open window will appear. Navigate to the S:\DCAC9K folder.

Step 11

Select the Device Package, which is named asa-device-pkg-1.2.5.5.zip.

Step 12

Click the Open button.

Step 13

Click the SUBMIT button. It will take a few seconds for the Device Package to be imported.

Step 14

When the import process is complete you will see a new entry under the L4-L7 Services
Device Types folder named CISCO-ASA-1.2

Step 15

In the Navigation pane, click the CISCO-ASA-1.2 object. The Work pane will display general
information about the Device Package.

Step 16

In the Navigation pane, expand L4-L7 Service Device Types > CISCO-ASA-1.2 > L4-L7
Service Functions > Firewall. The Work pane will display the two types of connectors that
will need to be used to implement a service graph that utilizes the ASAv (you will use these in a
subsequent Task).

Step 17

In the Navigation pane, expand L4-L7 Service Device Types > CISCO-ASA-1.2 > L4-L7
Service Function Profiles > WebPolicyForRoutedMode. The Work pane will display the
specific properties of the firewall configuration when it is used in routed mode. You will be
using this service function profile in a subsequent Task.

Step 18

Return to the VMware vSphere Client application.

Step 19

Press Ctrl-Shift-H to shift to the Hosts section.

Step 20

Right-click the Pod##-ASAv VM and then select Power > Power On from the context menu.

Step 21

After a few seconds you should see the powered on icon next to the virtual machine.

Task 2: Modify the Bare Metal Bridge Domain


In this task, you will modify the Bare Metal Bridge Domain so that traffic will flow through the Cisco ASAv
properly. Currently the Bare Metal Bridge Domain is providing an SVI (default gateway) via the fabric for
the bare metal server and the DB server; this must be modified so that the ASAv is now the default gateway
for these devices.

Activity Procedure
Complete these steps:
Step 22

Return to the APIC GUI.

Step 23

In the Menu bar, click Tenants.

Step 24

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 25

In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BARE-METAL-BD.

Step 26

In the Work pane, click the L3 Configurations tab.

Step 27

In the Work pane, remove the check mark next to Unicast Routing.

Note

Unchecking the Unicast Routing setting causes the APIC to disable the anycast gateway (SVI)
function for the subnets within the bridge domain.


Step 28

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 29

Click the SUBMIT CHANGES button.

Step 30

In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG.

Step 31

In the Work pane, change the Bridge Domain to POD##/POD##-BARE-METAL-BD (replace ##
with your assigned 2-digit Pod Number).

Step 32

Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 33

Click the SUBMIT CHANGES button.

Task 3: Create a Services Function Profile Group


In this task, you will create a Services Function Profile Group that will contain the Services Function Profile
that you will create in the following Task.

Activity Procedure
Complete these steps:

Step 34

In the Navigation pane, expand Tenant POD## > L4-L7 Services > Function Profiles.

Step 35

Right-click the Function Profiles folder and then select Create Profile Group from the
context menu.

Step 36

The Create L4-L7 Services Function Profile Group wizard will appear. In the Name field
type POD##-SERVICES-FUNCTION-PROFILE-GROUP (replace ## with your assigned
2-digit Pod Number).

Step 37

Click the SUBMIT button to complete the Create L4-L7 Services Function Profile Group
wizard.

Task 4: Create a Services Function Profile


In this task, you will create a Services Function Profile that will define how your Pod's Cisco ASAv virtual
machine will be configured.

Activity Procedure
Step 38

In the Navigation pane, expand Tenant POD## > L4-L7 Services > Function Profiles >
POD##-SERVICES-FUNCTION-PROFILE-GROUP.

Step 39

Right-click the POD##-SERVICES-FUNCTION-PROFILE-GROUP folder and then select
Create L4-L7 Services Function Profile from the context menu.


Step 40

The Create L4-L7 Services Function Profile wizard will appear. Enter the values in the
following table.

Field                               Value
Name                                POD##-SERVICES-FUNCTION-PROFILE (replace ## with your assigned 2-digit Pod Number)
Copy Existing Profile Parameters    Checked
Profile                             CISCO-ASA-1.2/WebPolicyForRoutedMode

Step 41

The lower portion of the wizard is where you define how the ASAv will behave when it is
deployed. In the next few steps you will configure the IP addresses that will be applied to the
interfaces of the ASAv.

Step 42

In the Features and Parameters section, under Features, make sure that Interfaces is
selected.


Step 43

Under the Basic Parameters tab, expand Device Config > Interface Related Configuration
(externalIf) > Interface Specific Configuration (externalIfCfg) > IPv4 Address
Configuration.

Step 44

Double-click the parameter named IPv4 Address; this will allow you to edit the IP address.

Step 45

In the Value field, type 10.##.4.254/255.255.255.0 (replace ## with your assigned 2-digit
Pod Number).

Step 46

Click the UPDATE button.

Step 47

Under the Basic Parameters tab, expand Device Config > Interface Related Configuration
(internalIf) > Interface Specific Configuration (internalIfCfg) > IPv4 Address
Configuration.

Step 48

Double-click the parameter named IPv4 Address; this will allow you to edit the IP address.

Step 49

In the Value field, type 10.##.2.254/255.255.255.0 (replace ## with your assigned 2-digit
Pod Number).

Step 50

Click the UPDATE button.

Step 51

Click the SUBMIT button to complete the Create L4-L7 Services Function Profile wizard.

Note

In the Navigation pane, select POD##-SERVICES-FUNCTION-PROFILE. In the Work pane,
look to see if any alarms were raised after you completed the Create L4-L7 Services Function
Profile wizard. If there are faults present, DELETE the POD##-SERVICES-FUNCTION-PROFILE
and re-create it. If there are any faults present and you continue to the next Task the
lab exercise will fail.

Task 4: Create an L4-L7 Device


In this task, you will create an L4-L7 Device, which contains the information required by the APIC to log in to
the Cisco ASAv and configure it.

Activity Procedure
Complete these steps:
Step 52

In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Devices.

Step 53

Right-click the L4-L7 Devices folder and then select Create L4-L7 Devices from the context
menu.

Step 54

The Create L4-L7 Devices wizard will appear. In STEP 1 > General, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                                       Value

General Section:
Managed                                     Checked
Name                                        POD##-MANAGED-ASAv (replace ## with your assigned 2-digit Pod Number)
Service Type                                Firewall
Device Type                                 Virtual
VMM Domain                                  POD##-VMM-DOMAIN (replace ## with your assigned 2-digit Pod Number)
Mode                                        Single Node
Device Package                              CISCO-ASA-1.2
Model                                       ASAv
Function Type                               Go To

Connectivity Section:
APIC to Device Management Connectivity      Out-Of-Band

Credentials Section:
Username                                    admin (make sure to use all lower-case characters)
Password / Confirm Password                 1234QWer

Device 1:
Management IP Address                       192.168.R0.<##+50> (Add 50 to your assigned 2-digit Pod Number and replace ## with the sum)
Management Port                             https
VM                                          POD##-VMM-DOMAIN/Pod##-ASAv (replace ## with your assigned 2-digit Pod Number)

Step 55

In the Devices Interfaces subsection, click the plus sign to create a new entry. Enter the values
in the following table.
Field        Value
Name         GigabitEthernet0/0
vNIC         Network adapter 2


Step 56

Click the UPDATE button.

Step 57

In the Devices Interfaces subsection, click the plus sign to create a new entry. Enter the values
in the following table.
Field        Value
Name         GigabitEthernet0/1
vNIC         Network adapter 3

Step 58

Click the UPDATE button.

Step 59

In the Cluster subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field                   Value
Type                    Consumer
Name                    Outside
Concrete Interfaces     Device1/GigabitEthernet0/0

Step 60

Click the UPDATE button.

Step 61

In the Cluster subsection, click the plus sign to create a new entry. Enter the values in the
following table.


Field                   Value
Type                    Provider
Name                    Inside
Concrete Interfaces     Device1/GigabitEthernet0/1

Step 62

Click the UPDATE button.

Step 63

Click the NEXT button. Do not make any changes in STEP 2 > Device Configuration.

Step 64

Click the FINISH button to complete the Create L4-L7 Devices wizard.

Step 65

In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Devices > POD##-MANAGED-ASAv. You can see the state of the ASAv virtual machine as seen by the APIC.

Note

The key field in this object is the Configuration State/Configuration Issues/Devices State field. At
this point the Device State should be stable. If the Device state is not stable this means the
APIC cannot communicate with the ASAv virtual machine via the ASAv management interface.
Verify that the ASAv is online and that you can SSH to it. If you can SSH to the ASAv and the
Device State is not stable the quickest path forward is to delete POD##-MANAGED-ASAv and
recreate it following the steps in this Task.

Note

At this point it is likely that you will see faults raised in this object; that is normal (as long as the
Device State is stable). The faults will be cleared once the virtual machine is incorporated into a
service graph.


Note

At this point, nothing has occurred in the ASAv virtual machine, you have just created a device
definition that will be used in a subsequent Task.

Task 5: Create a Service Graph Template


In this task, you will create a Service Graph Template, which is an object that helps define how the traffic
should flow to the Cisco ASAv.

Activity Procedure
Complete these steps:
Step 66

In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Service Graph
Templates.

Step 67

Right-click the L4-L7 Service Graph Templates folder and then select Create a L4-L7
Service Graph Template from the context menu.

Step 68

The Create a L4-L7 Service Graph Template wizard will appear. In the Graph Name field,
type POD##-SERVICE-GRAPH-TEMPLATE (replace ## with your assigned 2-digit Pod
Number).

Step 69

In the Device Clusters section you should see one entry for the POD##-MANAGED-ASAv
firewall that you created in the previous Task. Drag and drop the firewall into the center of the
window.

Note

The name under the firewall object will be highlighted and have the value N1. Do not change
this value.


Step 70

Enter the values in the following table.

Field        Value
Firewall     Routed
Profile      POD##-SERVICES-FUNCTION-PROFILE (replace ## with your assigned 2-digit Pod Number)

Step 71

Click the SUBMIT button to complete the Create a L4-L7 Service Graph Template wizard.

Task 6: Apply the Service Graph Template


In this task, you will apply the Service Graph Template to the contract between the DB EPG and the Bare
Metal EPG.

Activity Procedure
Complete these steps:
Step 72

In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Service Graph
Templates > POD##-SERVICE-GRAPH-TEMPLATE.

Step 73

Right-click the POD##-SERVICE-GRAPH-TEMPLATE folder and then select Apply L4-L7
Service Graph Template from the context menu.


Step 74

The Apply L4-L7 Service Graph Template To EPGs wizard will appear. In STEP 1 >
Contract, enter the values in the following table.

Field                                 Value
Consumer EPG / External Network       POD##/POD##-APPLICATION-PROFILE/epg-POD##-BARE-METAL-EPG (replace ## with your assigned 2-digit Pod Number)
Provider EPG / External Network       POD##/POD##-APPLICATION-PROFILE/epg-POD##-DB-EPG (replace ## with your assigned 2-digit Pod Number)
Contract                              Choose an Existing Contract Subject
Existing Contract With Subjects       POD##-CONTRACT-DB-BARE-METAL/SUBJECT-ANY (replace ## with your assigned 2-digit Pod Number)

Step 75

Click the NEXT button. In STEP 2 > Graph, do not make any changes.

Step 76

Click the NEXT button. In STEP 3 > POD##-MANAGED-ASAv Parameters, do not make
any changes.

Step 77

Click the FINISH button to complete the Apply L4-L7 Service Graph Template To EPGs
wizard.

Task 7: Verify the Configuration


In this task, you will verify that the ASAv firewall has been reconfigured by the APIC, and you will verify
that the service graph is functioning by opening an SSH session from the DB server to the bare metal switch.

Activity Procedure
Complete these steps:
Step 78

From your Student Server desktop, start a PuTTY session with Pod##-ASAv using the
following credentials:

IP Address: 192.168.R0.<##+50>

Login as: admin

Password: 1234QWer (note that QW is capitalized)

Step 79

Execute the enable command to enter enable mode.

login as: admin


admin@192.168.30.61's password: 1234QWer
Type help or '?' for a list of available commands.
Pod11-ASAv> enable
Password: 1234QWer
Pod11-ASAv#

Step 80

Execute the show interface ip brief command. This command will indicate the interfaces
present in the firewall, the state of each interface, and the IP address of each interface. You
should see that the IP address of GigabitEthernet0/0 has been set to 10.##.4.254 and the IP
address of GigabitEthernet0/1 has been set to 10.##.2.254 (the Management0/0 interface is the
out-of-band management interface and is part of the lab baseline).

Pod11-ASAv# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.11.4.254     YES manual up                    up
GigabitEthernet0/1         10.11.2.254     YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down up
GigabitEthernet0/3         unassigned      YES unset  administratively down up
GigabitEthernet0/4         unassigned      YES unset  administratively down up
GigabitEthernet0/5         unassigned      YES unset  administratively down up
GigabitEthernet0/6         unassigned      YES unset  administratively down up
GigabitEthernet0/7         unassigned      YES unset  administratively down up
GigabitEthernet0/8         unassigned      YES unset  administratively down up
Management0/0              192.168.30.61   YES manual up                    up

Step 81

Execute the show nameif command. This command will show you the security levels assigned
to the interfaces within the firewall.

Note

The Cisco ASA series of firewalls uses the concept of a security level to help determine traffic
flows from one interface to another. By default, traffic is allowed to flow from an interface with a
higher security level to an interface with a lower security level. In order to allow traffic to flow
from an interface with a lower security level to an interface with a higher security level an access
list must be configured to allow the traffic.

Pod11-ASAv# show nameif
Interface                Name                     Security
GigabitEthernet0/0       externalIf                50
GigabitEthernet0/1       internalIf               100
Management0/0            management                 0
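Steps 80 and 81 check the firewall state by eye. The following Python script, added here and not part of the lab guide or of any Cisco tooling, performs the same check from captured output: it parses show interface ip brief and show nameif, compares the externalIf and internalIf addresses against what Steps 45 and 49 pushed for a given pod, confirms both interfaces are up/up, and confirms that the inside (provider) side carries a higher security level than the outside, which the note above explains is what lets inside-to-outside traffic pass by default. The sample output is constructed from the Pod 11 transcript; it assumes "10.##" is written without a leading zero (pod 11 gives 10.11.x.x).

```python
"""Check the ASAv state that Task 7 verifies by hand: parse 'show interface ip
brief' and 'show nameif' and compare them with the addresses the function
profile pushed (externalIf 10.##.4.254, internalIf 10.##.2.254). Added example,
not part of the lab guide; the sample output is constructed from the Pod 11
transcript in the guide."""
import re

# Constructed sample output for Pod 11 (abridged to the interfaces that matter).
SHOW_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.11.4.254     YES manual up                    up
GigabitEthernet0/1         10.11.2.254     YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down up
Management0/0              192.168.30.61   YES manual up                    up
"""

SHOW_NAMEIF = """\
Interface                Name                     Security
GigabitEthernet0/0       externalIf                50
GigabitEthernet0/1       internalIf               100
Management0/0            management                 0
"""

# Status may contain spaces ("administratively down"), so match it lazily and
# anchor on the trailing Protocol column.
IP_BRIEF_RE = re.compile(r"^(\S+)\s+(\S+)\s+(YES|NO)\s+(\S+)\s+(.+?)\s+(up|down)\s*$")
NAMEIF_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_ip_brief(text):
    """Map interface name -> (ip, status, protocol); header lines do not match."""
    table = {}
    for line in text.splitlines():
        m = IP_BRIEF_RE.match(line)
        if m:
            ifname, ip, _ok, _method, status, proto = m.groups()
            table[ifname] = (ip, status.strip(), proto)
    return table


def parse_nameif(text):
    """Map nameif -> (physical interface, security level)."""
    table = {}
    for line in text.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            ifname, name, level = m.groups()
            table[name] = (ifname, int(level))
    return table


def expected_addresses(pod):
    """Addresses Steps 45 and 49 push for a pod (assumes no leading zero)."""
    return {"externalIf": f"10.{pod}.4.254", "internalIf": f"10.{pod}.2.254"}


def verify_asav(pod, ip_brief_text, nameif_text):
    """Return a list of findings; an empty list means the ASAv matches the lab's
    expected state (addresses applied, interfaces up/up, inside outranks outside)."""
    findings = []
    ifaces = parse_ip_brief(ip_brief_text)
    names = parse_nameif(nameif_text)
    for nameif, want_ip in expected_addresses(pod).items():
        if nameif not in names:
            findings.append(f"{nameif}: nameif missing (APIC never configured it)")
            continue
        ifname, _level = names[nameif]
        got = ifaces.get(ifname)
        if got is None:
            findings.append(f"{nameif}: {ifname} not in 'show interface ip brief'")
            continue
        ip, status, proto = got
        if ip != want_ip:
            findings.append(f"{nameif}: {ifname} has {ip}, expected {want_ip}")
        if (status, proto) != ("up", "up"):
            findings.append(f"{nameif}: {ifname} is {status}/{proto}, expected up/up")
    # The ASA allows traffic from a higher to a lower security level by default,
    # so the inside (provider) interface must outrank the outside one.
    if "internalIf" in names and "externalIf" in names:
        if names["internalIf"][1] <= names["externalIf"][1]:
            findings.append("security levels: internalIf must be higher than externalIf")
    return findings


if __name__ == "__main__":
    problems = verify_asav(11, SHOW_IP_BRIEF, SHOW_NAMEIF)
    for line in problems or ["ASAv state matches the Task 7 expectations"]:
        print(line)
```

Paste the real output of both commands into the two strings (or read them from files) and pass your own pod number; any finding printed corresponds to a step in Task 4 or Task 7 that did not take effect.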


Step 82

Execute the ping 10.##.2.1 command. This command will verify that the inside interface of the
firewall can communicate with the DB server.

Pod11-ASAv# ping 10.11.2.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Step 83

Execute the ping 10.##.4.1 command. This command will verify that the outside interface of
the firewall can communicate with the DB server.

Pod11-ASAv# ping 10.11.4.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Step 84

Execute the show arp command. This command will list all of the IP address to MAC address
mappings present in the firewall's memory.

Pod11-ASAv# show arp


management 192.168.30.1 fc5b.392d.4f5a 2739
management 192.168.30.254 001b.0de3.895c 5648
externalIf 10.11.4.1 0050.56ad.a5b3 119
internalIf 10.11.2.1 0050.569a.5e25 123

Step 85

Return to the VMware vSphere Client application.

Step 86

Press Ctrl-Shift-H to shift to the Hosts section.

Step 87

Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace @ with your assigned vCenter
letter).

Step 88

At the bottom of the window is the Recent Tasks pane. You should see three entries there:

One entry indicating that the POD##-VMM-DOMAIN DVS has been modified and now has two
additional port groups created by the APIC

Two entries indicating that the Pod##-ASAv virtual machine has been modified to use these two
new port groups

Step 89

Right-click the Pod##-ASAv VM and then select Edit Settings from the context menu.


Step 90

The Virtual Machine Properties window will appear. You should see that network adapters 2
and 3 have been reconfigured to use port groups in the Pod VMM Domain's distributed virtual
switch.

Step 91

Click the Cancel button to close the Virtual Machine Properties window.

Step 92

Right-click the Pod##-DB VM and then select Open Console from the context menu.

Step 93

The console window for Pod##-DB will appear. You will see the DB server's desktop.

Step 94

Open a Command Prompt window.

Note

At this point the configuration of the service graph is complete. Next, you will use PuTTY to verify
that you can open a TCP/IP session from the DB Server, which is inside the firewall, to the
bare metal server, which is outside the firewall.

Step 95

From your DB Server desktop, start a PuTTY session.

Step 96

Open an SSH session to the bare metal server using the following information:

IP Address: 10.##.4.1 (replace ## with your assigned 2-digit Pod Number)

Login as: student

Password: 1234QWer (note that QW is capitalized)


Step 97

If you are able to start an SSH session that indicates the service graph is functioning properly.

Note

Actually, there is no bare metal server; a virtual router has been configured to duplicate the
network connectivity of a bare metal server.


Lab 18: Configure RBAC Using Local and RADIUS Accounts


Overview
Complete this lab activity to become familiar with configuring role-based access control and integration with
AAA services.
Upon completing this guided lab, you will be able to:

Configure a local security domain

Configure local users and roles for your tenant security domain

Create a RADIUS security domain and map to your tenant

Create an AAA login domain for RADIUS authentication

Test RADIUS authentication and authorization

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: Create a Security Domain and Map It to Your Tenant


In this task, you will configure a new security domain and map it to your tenant.

Activity Procedure
Complete these steps:
Step 6

In the Menu bar, click Admin.

Step 7

In the Submenu bar, click AAA.

Step 8

Navigate to Security Management > Security Domains.

Step 9

Right-click the Security Domains folder and then select Create Security Domain from the
context menu.


Step 10

The Create Security Domain wizard will appear. In the Name field type POD##-SD-LOCAL
(replace ## with your assigned 2-digit Pod Number).

Step 11

Click the SUBMIT button to complete the Create Security Domain wizard.

Step 12

In the Menu bar, click Tenants.

Step 13

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 14

In the Navigation pane, click Tenant POD##, and then click the POLICY tab in the Work
pane.

Step 15

In the Security Domains subsection, select POD##-SD-LOCAL.

Step 16

Click the SUBMIT button at the bottom of the Work pane.


Task 2: Configure Local Users and Roles for your Tenant Security Domain

In this task, you will create tenant-specific admin and audit users with the appropriate roles and map them to
your tenant security domain.

Activity Procedure
Complete these steps:
Step 17

In the Menu bar, click Admin.

Step 18

In the Submenu bar, click AAA.

Step 19

Navigate to Security Management > Local Users.

Step 20

Right-click the Local Users folder and then select Create Local User from the context menu.

Step 21

The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to POD##-SD-LOCAL.

Step 22

Click the NEXT button. In STEP 2 > Roles, select READ WRITE for each of the roles listed.


Step 23

Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                          Value
Login ID                       POD##-ADMIN-LOCAL (replace ## with your assigned 2-digit Pod Number)
Password / Confirm Password    1234QWer

Step 24

Click the FINISH button to complete the Create Local User wizard.

Step 25

Right-click the Local Users folder and then select Create Local User from the context menu.


Step 26

The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to POD##-SD-LOCAL.

Step 27

Click the NEXT button. In STEP 2 > Roles, select READ ONLY for each of the roles listed.

Step 28

Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                          Value
Login ID                       POD##-AUDIT-LOCAL (replace ## with your assigned 2-digit Pod Number)
Password / Confirm Password    1234QWer


Step 29

Click the FINISH button to complete the Create Local User wizard.

Task 3: Verify the Configuration of the Local User Accounts


In this task, you will log in to the APIC GUI using the accounts that you just created in order to verify that
the correct rights have been granted to each account.

Activity Procedure
Complete these steps:
Step 30

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
admin, and then select Logout from the drop-down menu.

Step 31

Log in to the APIC using the following credentials:

Username: POD##-ADMIN-LOCAL (replace ## with your assigned 2-digit Pod Number)

Password: 1234QWer (note that QW is capitalized)

Mode: Advanced

Step 32

The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-ADMIN-LOCAL account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 33

In the Menu bar, click Tenants.


Step 34

In the Submenu bar, click ALL TENANTS. Notice how there are only two Tenants listed,
common and POD##.

Step 35

Double-click POD## (replace ## with your assigned 2-digit Pod Number).

Step 36

Navigate to various portions of your Tenant. Notice how you have the ability to change the
configuration of your Tenant.

Step 37

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-ADMIN-LOCAL, and then select AAA > View My Permissions from the drop-down
menu.

Step 38

The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 39

Click the CLOSE button.

Step 40

Log out of the APIC GUI.

Step 41

Log in to the APIC using the following credentials:


Username: POD##-AUDIT-LOCAL (replace ## with your assigned 2-digit Pod Number)

Password: 1234QWer (note that QW is capitalized)

Mode: Advanced

Step 42

The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-AUDIT-LOCAL account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 43

In the Menu bar, click Tenants.

Step 44

In the Submenu bar, click ALL TENANTS. Notice how there are only two Tenants listed,
common and POD##.

Step 45

Double-click POD## (replace ## with your assigned 2-digit Pod Number).

Step 46

Navigate to various portions of your Tenant. Notice how you have the ability to view the
configuration of your Tenant, however you cannot make any changes to the configuration.

Step 47

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-AUDIT-LOCAL, and then select AAA > View My Permissions from the drop-down
menu.


Step 48

The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 49

Click the CLOSE button.

Step 50

Log out of the APIC GUI.

Task 4: Create a RADIUS Security Domain and Map It to your Tenant


In this task, you will configure a new RADIUS security domain and map it to your tenant. The cisco-av-pair
that is configured in Cisco ISE references this security domain to apply permissions to the remote RADIUS
user on a tenant-by-tenant basis.

Activity Procedure
Complete these steps:
Step 51

Log in to the APIC GUI using the admin account.

Step 52

In the Menu bar, click Admin.

Step 53

In the Submenu bar, click AAA.

Step 54

Navigate to RADIUS Management > RADIUS Provider Groups.

Step 55

Right-click the RADIUS Provider Groups folder and then select Create RADIUS Provider
Group from the context menu.


Step 56

The Create RADIUS Provider Group wizard will appear. In the Name field, type
POD##_RADIUS_PROVIDER_GROUP (replace ## with your assigned 2-digit Pod
Number).

Note

The name of the RADIUS Provider Group may not use the dash character; however you may
use the underscore character.

Step 57

In the Providers subsection, click the plus sign to create a new entry. Enter the values in the
following table.
Field        Value
Name         192.168.R0.41 (replace R with your ACI Rack Number)
Priority

Step 58

Click the UPDATE button.

Step 59

Click the SUBMIT button to complete the Create RADIUS Provider Group wizard.

Step 60

Navigate to AAA Authentication > Login Domains.

Step 61

Right-click the Login Domains folder and then select Create Login Domain from the context
menu.

Step 62

The Create Login Domain wizard will appear. Enter the values in the following table.

Field                      Value
Name                       POD##_RADIUS_LOGIN_DOMAIN (replace ## with your assigned 2-digit Pod Number)
Realm                      RADIUS
RADIUS Provider Group      POD##_RADIUS_PROVIDER_GROUP (replace ## with your assigned 2-digit Pod Number)

Note

The name of the Login Domain may not use the dash character; however you may use the
underscore character.

Step 63

Click the SUBMIT button to complete the Create Login Domain wizard.

Step 64

Navigate to Security Management > Security Domains.

Step 65

Right-click the Security Domains folder and then select Create Security Domain from the
context menu.

Step 66

The Create Security Domain wizard will appear. In the Name field type POD##-SD-RADIUS
(replace ## with your assigned 2-digit Pod Number).

Note

It is important that you enter this value correctly because it is a value that is used by the RADIUS
server to assign av pairs to the login account.


Step 67

Click the SUBMIT button to complete the Create Security Domain wizard.

Step 68

In the Menu bar, click Tenants.

Step 69

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 70

In the Navigation pane, click Tenant POD##, and then click the POLICY tab in the Work
pane.

Step 71

In the Security Domains subsection, select POD##-SD-RADIUS.

Step 72

Click the SUBMIT button at the bottom of the Work pane.
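The local users of Tasks 1 and 2 and the RADIUS mapping of Task 4 rest on one model: roles are granted per security domain, each with either write or read privilege, and a user sees only the tenants mapped to a domain in which they hold a role. The following Python, added here and not part of the lab guide or of Cisco's tooling, builds the equivalent REST payloads using the APIC class names (aaaDomain, aaaUser, aaaUserDomain, aaaUserRole with privType writePriv or readPriv) and parses the cisco-av-pair that the RADIUS server returns, in Cisco's shell:domains=<domain>/<write roles>/<read roles> form, so you can check offline that an audit account ends up read-only before you log in as it in Task 5. The role list ROLES is an assumption about which roles the wizard offers; the pod number and sample av-pairs are constructed.

```python
"""Model the APIC RBAC objects from Lab 18 as REST payloads and check a RADIUS
cisco-av-pair against the same domain/role/privilege model. Added example, not
the lab guide's or Cisco's code; class names and the shell:domains syntax are
Cisco's, the ROLES list is an assumption."""
import json
import re

# Assumed: the roles shown in STEP 2 > Roles of the Create Local User wizard.
ROLES = ["tenant-admin", "tenant-ext-admin", "ops", "read-all"]


def security_domain(name):
    """Payload for Admin > AAA > Security Management > Security Domains (Task 1)."""
    return {"aaaDomain": {"attributes": {"dn": f"uni/userext/domain-{name}", "name": name}}}


def local_user(login, password, domain, write):
    """Payload for a local user whose roles are scoped to one security domain.
    write=True corresponds to READ WRITE (Step 22), False to READ ONLY (Step 27)."""
    priv = "writePriv" if write else "readPriv"
    roles = [{"aaaUserRole": {"attributes": {"name": r, "privType": priv}}} for r in ROLES]
    return {"aaaUser": {
        "attributes": {"dn": f"uni/userext/user-{login}", "name": login, "pwd": password},
        "children": [{"aaaUserDomain": {"attributes": {"name": domain}, "children": roles}}]}}


def permissions(user_payload):
    """Flatten a local-user payload to {(domain, role): 'write' | 'read'}."""
    perms = {}
    for child in user_payload["aaaUser"]["children"]:
        dom = child["aaaUserDomain"]
        for r in dom["children"]:
            attrs = r["aaaUserRole"]["attributes"]
            perms[(dom["attributes"]["name"], attrs["name"])] = (
                "write" if attrs["privType"] == "writePriv" else "read")
    return perms


AVPAIR_RE = re.compile(r"^shell:domains\s*=\s*(.+)$")


def parse_av_pair(av_pair):
    """Parse 'shell:domains=<domain>/<write roles>/<read roles>[,<domain>/...]'
    into the same {(domain, role): 'write' | 'read'} shape. Roles inside one
    slot are separated by '|'; an empty write slot (domain//read-all) is how a
    read-only mapping such as the audit user is expressed."""
    m = AVPAIR_RE.match(av_pair.strip())
    if not m:
        raise ValueError("not a shell:domains av-pair")
    perms = {}
    for entry in m.group(1).split(","):
        parts = entry.split("/")
        domain = parts[0].strip()
        write = parts[1] if len(parts) > 1 else ""
        read = parts[2] if len(parts) > 2 else ""
        for role in filter(None, write.split("|")):
            perms[(domain, role.strip())] = "write"
        for role in filter(None, read.split("|")):
            perms.setdefault((domain, role.strip()), "read")  # write wins if both given
    return perms


def can_write_tenant(perms, domain):
    """True if any role in the tenant's security domain carries write privilege."""
    return any(p == "write" for (d, _), p in perms.items() if d == domain)


if __name__ == "__main__":
    pod = 11  # constructed pod number
    print(json.dumps(security_domain(f"POD{pod}-SD-LOCAL"), indent=2))
    audit = local_user(f"POD{pod}-AUDIT-LOCAL", "<password>", f"POD{pod}-SD-LOCAL", write=False)
    print("audit can write tenant:", can_write_tenant(permissions(audit), f"POD{pod}-SD-LOCAL"))
    rad = parse_av_pair(f"shell:domains=POD{pod}-SD-RADIUS//read-all")
    print("RADIUS audit can write tenant:", can_write_tenant(rad, f"POD{pod}-SD-RADIUS"))
```

The av-pair check is the useful part when RADIUS logins misbehave: the domain name inside the av-pair must match the security domain created in Step 66 character for character, which is why that note warns you to type it carefully.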

Task 5: Verify the Configuration of the RADIUS User Accounts


In this task, you will log in to the APIC GUI using the RADIUS accounts in order to verify that the correct
rights have been granted to each account.

Activity Procedure
Complete these steps:
Step 73

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
admin, and then select Logout from the drop-down menu.

Step 74

Log in to the APIC using the following credentials:

Username: POD##-ADMIN-RAD (replace ## with your assigned 2-digit Pod Number)


Password: 1234QWer (note that QW is capitalized)

Domain: POD##_RADIUS_LOGIN_DOMAIN (replace ## with your assigned 2-digit Pod Number)

Mode: Advanced

Step 75

The first screen that you will see is the DASHBOARD. Notice how there is nothing visible; the
POD##-ADMIN-RAD account does not have system-wide rights. Also notice how many of the
Menu bar selections are greyed out.

Step 76

In the Menu bar, click Tenants.

Step 77

In the Submenu bar, click ALL TENANTS. Notice how there is only one Tenant listed,
POD##.

Step 78

Double-click POD## (replace ## with your assigned 2-digit Pod Number).

Step 79

Navigate to various portions of your Tenant. Notice how you have the ability to change the
configuration of your Tenant.


Step 80

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-ADMIN-RAD, and then select AAA > View My Permissions from the drop-down
menu.

Step 81

The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 82

Click the CLOSE button.

Step 83

Log out of the APIC GUI.

Step 84

Log in to the APIC using the following credentials:

Username: POD##-AUDIT-RAD (replace ## with your assigned 2-digit Pod Number)

Password: 1234QWer (note that QW is capitalized)

Domain: POD##_RADIUS_LOGIN_DOMAIN (replace ## with your assigned 2-digit Pod Number)

Mode: Advanced


Step 85

The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-AUDIT-LOCAL account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 86

In the Menu bar, click Tenants.

Step 87

In the Submenu bar, click ALL TENANTS. Notice how there is only one Tenant listed,
POD##.

Step 88

Double-click POD## (replace ## with your assigned 2-digit Pod Number).

Step 89

Navigate to various portions of your Tenant. Notice how you have the ability to view the
configuration of your Tenant, however you cannot make any changes to the configuration.

Step 90

In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-AUDIT-RAD, and then select AAA > View My Permissions from the drop-down
menu.


Step 91

The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 92

Click the CLOSE button.

Step 93

Log out of the APIC GUI.


Lab 19: Monitor and Troubleshoot ACI


Overview
Complete this lab activity to become familiar with monitoring and troubleshooting tools in the Cisco
Application Policy Infrastructure Controller (APIC) GUI.
Upon completing this guided lab, you will be able to:

View faults using the Cisco APIC GUI

View events using the Cisco APIC GUI

Use the API Inspector

Use the Managed Object Browser (Visore)

Configure Syslog Monitoring

Use the Operations tab in the Cisco APIC GUI

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1

Verify that you are currently logged in to your Student Server.

Step 2

From your Student Server desktop, start the Chrome browser.

Step 3

Navigate to https://192.168.R0.1 (replace R with your ACI Rack Number).

Step 4

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)

Step 5

At this point you should see the APIC Dashboard.

Task 1: View Faults Using the Cisco APIC GUI


In this task, you will view faults using the Cisco APIC GUI.
When troubleshooting issues with Cisco Application Centric Infrastructure (ACI), the first step will be to
inspect any faults recorded in the Cisco ACI. The logged faults are presented in many places in the GUI.
They are filtered to show only those faults that are relevant to the current GUI context. Wherever a Faults tab
appears in the GUI Work pane, you can view the relevant entries from the fault log.
A fault object is placed in the Management Information Tree (MIT) as a child of the port object. If the same
condition is detected multiple times, no additional instances of the fault object are created. Fault records are
never modified after they are created and they are deleted only when their number exceeds the maximum
value that is specified in the fault retention policy.

Activity Procedure
Complete these steps:
Step 6

To view a summary of fault statistics for the overall system, click SYSTEM from the main
menu.

Step 7

In the Dashboard, the dashboard tables display the fault counts by domain and by type.


Note

This is just an example. Your Fault Counts output will be different.

Step 8

Next, you will view the faults that are related to a Tenant. In the Menu bar, click Tenants.

Step 9

In the Submenu bar, click POD## (replace ## with your assigned 2-digit Pod Number).

Step 10

In the Navigation pane, select Tenant POD##. The Work pane will display a Dashboard
specific to the Tenant.

Step 11

In the Work pane, click the FAULTS tab. Take a moment to review any recorded faults.

Note

If you have performed all of the previous lab exercises properly, there should not be any faults
listed.


Step 12

By clicking specific ACI constructs (e.g. Application Profiles, Bridge Domains, etc.), in the
Navigation pane, you will have access to the Faults tab which records all faults that are specific
to the current GUI context.

Step 13

In the Menu bar, click Admin.

Step 14

In the Submenu bar, click Historical Record Policies.

Step 15

In the Navigation pane, select Controller Policies.

Step 16

In the Work pane, retention policy settings appear for the following logs:

Audit Logs Retention Policy

Events Retention Policy

Fault Records Retention Policy

Health Records Retention Policy

Note

The Controller Policies folder is the location where you manage the sizes of the different
controller policies. These policies are for issues that are specific to the controller.

Note

The maximum size range is 1,000 to 500,000 records; the default is 100,000 records. The Purge
Window Size is the maximum number of records to be deleted in a single swipe once the
number of records in the log is greater than the Maximum Size. The Purge Window Size default
is designed to minimize impact on performance when records are purged.

Step 17

In the Navigation pane, expand Switch Policies. This is the location where you can manage the
size of the various switch log retention policies.


Task 2: View Events Using the Cisco APIC GUI


In this task, you will view events using the Cisco Application Policy Infrastructure Controller (APIC) GUI.
The APIC maintains a comprehensive, up-to-date, run-time representation of the administrative and
operational state of the Cisco ACI Fabric in the form of a collection of managed objects (MOs). Any
configuration or state change in any MO is considered an event. Most events are part of the normal workflow
and there is no need to record their occurrence or to bring them to the attention of the user unless they meet
one of the following criteria:

The event is an anomaly, such as a fault being raised

The event is defined in the model as requiring notification

The event follows a user action that needs to be auditable

Many places in the GUI present the logged events. The events are filtered to show only those events that are
relevant to the current GUI context. Wherever a History tab appears in the GUI Work pane, you can view the
relevant log entries from the event log, health log, or audit log.

Activity Procedure
Complete these steps:
Step 18

In the Menu bar, click Admin, and then in the Submenu bar, click AAA.

Step 19

In the Navigation pane, click the AAA Authentication folder.

Step 20

In the Navigation pane, expand the Security Management folder.

Step 21

In the Work pane, click the HISTORY tab.

Step 22

Under the HISTORY tab, click the AUDIT LOG subtab to view the audit log.

Step 23

Double-click a log entry to view more details about the event if an entry exists.

Step 24

By clicking specific ACI constructs (for example, Application Profiles, Bridge Domains, or
Private Networks) in the Navigation pane, you will have access to the History tab. This tab
records the history that is specific to the current GUI context.

Task 3: Using the API Inspector


In this task, you will use the API Inspector. By using the built-in API Inspector tool, you can capture API
messaging as you perform tasks in the Cisco Application Policy Infrastructure Controller (APIC) GUI. The
captured messages provide examples of the API operation that you can use to develop external applications
that will use the API.

Activity Procedure
Complete these steps:
Step 25

In the upper right corner of the APIC window, click the welcome, admin message to view the
drop-down menu.


Step 26

In the drop-down menu, choose the Show API Inspector. The API Inspector opens in a new
browser window.

Step 27

Arrange the APIC browser window side-by-side with the API Inspector window, and then click
the Newest at the top check box.

Note

This action allows you to interact with the APIC GUI and simultaneously observe the API calls
that are made in reaction to your interactions with the GUI.

Step 28

In the Filters toolbar of the API Inspector window, choose the types of API log messages to
display.

The displayed messages are color-coded according to the selected message types. This table shows the
available message types:
Log Type   Description

debug      Displays debug messages. This type includes most API commands and responses.

info       Displays informational messages.

warn       Displays warning messages.

error      Displays error messages.

fatal      Displays fatal messages.

all        Checking this check box causes all other check boxes to become checked. Unchecking any
           other check box causes this check box to be unchecked.

Step 29

In the APIC GUI, click Tenants from the Menu bar, and then click the common Tenant.

Step 30

In the Navigation pane, right-click Application Profiles, and then choose Create Application
Profile from the context menu.

Step 31

In the Name field, type POD##-TEMP, and then click SUBMIT.

Step 32

In the API Inspector, observe that there is a POST method request that instructs the API to
create a new application profile in the common Tenant. Note that the request body is in JSON
format, although this is not obvious in the API Inspector window. The following is an
example of the request:

01:44:49 DEBUG - method: POST url: https://apic1.dc.local/api/node/mo/uni/tn-common/ap-ATL-TEMP.json
payload{"fvAp":{"attributes":{"dn":"uni/tn-common/ap-ATL-TEMP","name":"ATL-TEMP","rn":"ap-ATL-TEMP","status":"created"},"children":[]}}
response: {"imdata":[]}

Step 33

Open the Notepad++ application on your desktop. Copy and paste the payload into a new
document.

Step 34

Press and hold the Ctrl key, and then press the A key to select all.

Step 35

Click the Plugins menu.

Step 36

Click JSON Viewer, and then Format JSON. Your output should now appear in JSON array
format.

You can use the URL and JSON array that are recovered from the API Inspector to make REST calls to
configure the fabric.
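The following script is an added example, not code from the lab guide or from Cisco. It rebuilds the fvAp POST that the API Inspector displayed in Step 32, checks that the dn, rn and name attributes agree before anything is sent, and replays it through the standard APIC login flow (POST /api/aaaLogin.json, after which the APIC-cookie the controller returns is reused from a cookie jar). The APIC host, credentials, tenant and profile name are parameters the caller supplies; CAPTURED_PAYLOAD is the payload text from Step 32. The verify_tls switch exists only because the lab APIC presents a self-signed certificate.

```python
"""Replay an application-profile POST captured with the API Inspector.

Added example (not from the lab guide or Cisco). Rebuilds the fvAp payload
shown by the Inspector and sends it via the APIC login flow.
"""
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar

# Payload exactly as the API Inspector displayed it in the lab guide (Task 3, Step 32).
CAPTURED_PAYLOAD = (
    '{"fvAp":{"attributes":{"dn":"uni/tn-common/ap-ATL-TEMP",'
    '"name":"ATL-TEMP","rn":"ap-ATL-TEMP","status":"created"},"children":[]}}'
)


def build_login(username, password):
    """Body of POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def build_app_profile(tenant, name):
    """Return (url_path, body) for creating an application profile in a tenant.

    dn, rn and name must agree with one another; status=created asks the APIC
    to create the managed object rather than modify an existing one.
    """
    dn = f"uni/tn-{tenant}/ap-{name}"
    body = {
        "fvAp": {
            "attributes": {"dn": dn, "name": name, "rn": f"ap-{name}", "status": "created"},
            "children": [],
        }
    }
    return f"/api/node/mo/{dn}.json", body


def check_payload(body):
    """Sanity check before sending: dn ends with rn, and rn is 'ap-' + name."""
    attrs = body["fvAp"]["attributes"]
    return attrs["dn"].endswith("/" + attrs["rn"]) and attrs["rn"] == "ap-" + attrs["name"]


def matches_captured(body):
    """True when the rebuilt body equals the payload the Inspector displayed."""
    return body == json.loads(CAPTURED_PAYLOAD)


def _opener(verify_tls):
    """HTTPS opener with a cookie jar so the APIC-cookie from login is reused."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Lab APICs present self-signed certificates; keep verification on elsewhere.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx),
    )


def _post_json(opener, url, body):
    """POST a JSON body and decode the JSON reply."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener.open(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def create_app_profile(apic, username, password, tenant, name, verify_tls=True):
    """Log in to the APIC and replay the captured POST; returns the imdata list."""
    path, body = build_app_profile(tenant, name)
    if not check_payload(body):
        raise ValueError("inconsistent dn/rn/name in payload")
    opener = _opener(verify_tls)
    _post_json(opener, f"https://{apic}/api/aaaLogin.json", build_login(username, password))
    return _post_json(opener, f"https://{apic}{path}", body).get("imdata", [])


if __name__ == "__main__":
    # Offline demonstration: show the request the script would send.
    path, body = build_app_profile("common", "ATL-TEMP")
    print("POST", path)
    print(json.dumps(body))
    print("matches captured payload:", matches_captured(body))
```

Run it as-is to see the rebuilt request; call create_app_profile("192.168.R0.1", "admin", password, "common", "POD##-TEMP", verify_tls=False) from the Student Server to replay it against the lab APIC. The same pattern applies to any request the Inspector shows: the URL gives the target dn and the payload gives the class and attributes.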

Task 4: Use the Managed Object Browser (Visore)


In this task, you will use the Managed Object Browser to validate the AAA configuration.
The Managed Object Browser, or Visore, is a utility that is built into the Cisco Application Policy
Infrastructure Controller (APIC). It provides a graphical view of the managed objects (MOs) using a browser.
The Visore utility uses the APIC REST API query methods to browse MOs that are active in the ACI Fabric,
allowing you to see the query that was used to obtain the information.
You cannot use the Visore utility to perform configuration operations.
Note

Only the Firefox, Chrome, and Safari browsers are supported for Visore access.

Activity Procedure
Complete these steps:
Step 37

From your Student Server desktop, start the Chrome browser.

Step 38

Open another tab and navigate to https://192.168.R0.1/visore.html (replace R with your ACI
Rack Number).

Step 39

Log in to the APIC using the following credentials:

Username: admin

Password: 1234QWer (note that QW is capitalized)


Step 40

The APIC Object Store Browser will appear. In the Class or DN field, type
aaaProviderGroup, and then click the Run Query button.

Note

If a window pops up saying "You did not specify a property name", click OK.

Step 41

The query results show a number of AAA Provider Groups that are named
aaaRadiusProviderGroup with the format POD##_RADIUS_PROVIDER_GROUP. These
are the RADIUS Provider Groups that were created in the previous lab exercise.

Step 42

Click the green > symbol at the end of the dn field. This action will take you to the details of
that DN, if it exists in the object tree.


Note

Clicking > sends a query to the APIC for the children of the MO (managed object).
Clicking < sends a query for the parent of the MO.

Step 43

In the dn field of the MO description table, click the icons to display statistics, faults, or health
information for the MO.

Step 44

Click the Display URI of last query link to display the API call that executed the query.

Step 45

Click the Display last response link to display the API response data structure from the query.
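The following script is an added example, not code from the lab guide or from Cisco. It builds the same kinds of query paths that the "Display URI of last query" link reveals (a class query such as /api/class/aaaProviderGroup.json, a DN query, and the children query behind the > arrow), computes the parent DN that the < arrow walks to, and flattens the imdata structure shown by "Display last response". SAMPLE_RESPONSE is constructed to resemble the Step 41 result; it is not captured from a real APIC, and the dn format used in it is an assumption.

```python
"""Build the REST queries Visore issues and parse their responses.

Added example, not from the lab guide or Cisco. The sample response below is
constructed and the radiusprovidergroup dn format is an assumption.
"""
import json
from urllib.parse import urlencode


def class_query(cls, **filters):
    """Path for a class query; keyword filters become a query-target-filter.

    class_query("fvTenant", name="common") yields
    /api/class/fvTenant.json?query-target-filter=eq(fvTenant.name,"common")
    in URL-encoded form.
    """
    path = f"/api/class/{cls}.json"
    if filters:
        conds = [f'eq({cls}.{k},"{v}")' for k, v in filters.items()]
        flt = conds[0] if len(conds) == 1 else "and(" + ",".join(conds) + ")"
        path += "?" + urlencode({"query-target-filter": flt})
    return path


def dn_query(dn, children=False):
    """Path for a DN query; children=True is what Visore's > arrow requests."""
    path = f"/api/mo/{dn}.json"
    if children:
        path += "?query-target=children"
    return path


def parent_dn(dn):
    """Where Visore's < arrow goes: drop the last rn.

    Brackets may enclose '/' characters (e.g. phys-[eth1/1]), so only a '/'
    outside brackets separates rns.
    """
    depth = 0
    for i in range(len(dn) - 1, -1, -1):
        c = dn[i]
        if c == "]":
            depth += 1
        elif c == "[":
            depth -= 1
        elif c == "/" and depth == 0:
            return dn[:i]
    return ""


def parse_imdata(raw):
    """Flatten an APIC JSON response into (class, dn, attributes) tuples."""
    doc = json.loads(raw)
    rows = []
    for item in doc.get("imdata", []):
        for cls, mo in item.items():
            attrs = mo.get("attributes", {})
            rows.append((cls, attrs.get("dn"), attrs))
    return rows


def radius_group_names(raw):
    """Names of the aaaRadiusProviderGroup objects in a response, in order."""
    return [attrs["name"] for cls, _dn, attrs in parse_imdata(raw)
            if cls == "aaaRadiusProviderGroup"]


# Constructed response shaped like the Step 41 query result (not real APIC output).
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"aaaRadiusProviderGroup": {"attributes": {
            "dn": "uni/userext/radiusext/radiusprovidergroup-POD01_RADIUS_PROVIDER_GROUP",
            "name": "POD01_RADIUS_PROVIDER_GROUP"}}},
        {"aaaRadiusProviderGroup": {"attributes": {
            "dn": "uni/userext/radiusext/radiusprovidergroup-POD02_RADIUS_PROVIDER_GROUP",
            "name": "POD02_RADIUS_PROVIDER_GROUP"}}},
    ],
})

if __name__ == "__main__":
    print(class_query("aaaProviderGroup"))
    for cls, dn, _ in parse_imdata(SAMPLE_RESPONSE):
        print(cls, dn, "-> parent:", parent_dn(dn))
```

Because Visore is read-only, these are the only request shapes it produces; the same paths can be issued with a logged-in session from the previous example to script the AAA check that Step 41 performs by hand.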

Task 5: Configuring Syslog Monitoring


In this task, you will configure syslog monitoring.

Activity Procedure
Complete these steps:
Step 46

On your Student Server desktop, start the 3CDaemon application. You will be using this later in
this lab exercise.

Step 47

Return to the APIC GUI running in your Chrome browser.

Step 48

In the Menu bar, click Admin.

Step 49

In the Submenu bar, click External Data Collectors.

Step 50

In the Navigation pane, expand Monitoring Destinations > Syslog.

Step 51

Right-click the Syslog folder and then select Create Syslog Monitoring Destination Group
from the context menu.


Step 52

The Create Syslog Monitoring Destination Group wizard will appear. In STEP 1 > Profile,
in the Name field type POD##-SYSLOG-GROUP (replace ## with your assigned 2-digit
Pod Number).

Step 53

Click the NEXT button. In STEP 2 > Remote Destinations, in the Create Remote
Destinations subsection, click the plus sign to create a new entry.

Step 54

The Create Syslog Remote Destination wizard will appear. Enter the values in the following
table.

Field            Value

Host             IP Address To NterOne Lab (this can be found on your Student Server desktop in
                 the upper right-hand corner)

Name             POD##-SYSLOG-SERVER (replace ## with your assigned 2-digit Pod Number)

Admin State      Enabled

Management EPG   default (Out-of-Band)


Step 55

Click the OK button to complete the Create Syslog Remote Destination wizard.

Step 56

Click the FINISH button to complete the Create Syslog Monitoring Destination Group wizard.

Note

In the previous steps, you configured the syslog server. In the next steps, you will configure a
syslog policy that will result in the generation of syslog messages to the syslog server.

Step 57

In the Menu bar, click Fabric.

Step 58

In the Submenu bar, click Fabric Policies.

Step 59

In the Navigation pane, expand Monitoring Policies > default > CallHome/SNMP/Syslog.

Note

You can also access Monitoring Policies under individual tenants and Fabric Access Policies.

Step 60

In the Work pane, in the Source Type setting, choose Syslog.

Step 61

In the far right-hand side of the Work pane click the plus sign to create a new entry.


Step 62

The Create Syslog Source wizard will appear. Enter the values in the following table.

Field          Value

Name           POD##-SYSLOG-SOURCE (replace ## with your assigned 2-digit Pod Number)

Min Severity   debugging

Include        (check all boxes)

Dest. Group    POD##-SYSLOG-GROUP (replace ## with your assigned 2-digit Pod Number)

Step 63

Click the OK button to complete the Create Syslog Source wizard.

Step 64

Return to the 3CDaemon window.

Step 65

Click the Syslog Server tab to display syslog messages from the APIC.

Note

It may take some time for syslog messages to appear.
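The following script is an added example, not code from the lab guide, Cisco or 3CDaemon. It plays the role of the Syslog Server tab: it receives UDP syslog datagrams, decodes the <PRI> prefix (facility * 8 + severity) of an RFC 3164-style line, and keeps only messages at or above a minimum severity, which is the same knob as the Min Severity field in the Create Syslog Source wizard (a minimum of "debugging" admits everything, "errors" admits only emergencies through errors). The SAMPLE_LINES are constructed, not captured from an APIC, and the bind address and port are assumptions.

```python
"""Minimal UDP syslog collector with APIC-style minimum-severity filtering.

Added example, not from the lab guide or 3CDaemon. Sample lines are constructed.
"""
import re
import socket

# Severity names in the order the APIC wizard uses (numeric syslog severity 0..7).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "information", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog(line):
    """Decode the <PRI> prefix; returns None for lines that are not syslog."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # facility 23 * 8 + severity 7 is the maximum
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITIES[pri % 8],
        "message": m.group(2).strip(),
    }


def passes_min_severity(severity, min_name):
    """Numeric severity 0 is most urgent, 7 (debugging) least; a message passes
    when it is at least as urgent as the configured minimum."""
    return severity <= SEVERITIES.index(min_name)


def filter_messages(lines, min_name):
    """Parse and filter a batch of lines; returns the records that pass."""
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and passes_min_severity(rec["severity"], min_name):
            kept.append(rec)
    return kept


def serve(bind="0.0.0.0", port=514, min_name="debugging"):
    """Receive datagrams and print those that pass the filter.
    Binding port 514 needs privileges; pick a high port for a quick test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        rec = parse_syslog(data.decode(errors="replace"))
        if rec and passes_min_severity(rec["severity"], min_name):
            print(f"{peer[0]} {rec['severity_name']:>13} {rec['message']}")


# Constructed sample lines (facility local7 = 23): PRI 187 = errors, 189 = notifications,
# 191 = debugging. Not captured from an APIC.
SAMPLE_LINES = [
    "<187>Mar 10 01:44:49 apic1 constructed error sample",
    "<189>Mar 10 01:44:50 apic1 constructed notification sample",
    "<191>Mar 10 01:44:51 apic1 constructed debug sample",
    "not a syslog line",
]

if __name__ == "__main__":
    for name in ("debugging", "errors"):
        print(name, "->", [r["severity_name"] for r in filter_messages(SAMPLE_LINES, name)])
```

Running the file shows which of the sample lines survive each minimum; calling serve(port=5514) and pointing a syslog destination at that port turns it into a live collector. Because the lab source is set to "debugging", expect a high volume of messages; raising Min Severity on the source is how you limit what reaches the collector without losing faults and errors.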

Task 6: Using the Operations Tab in APIC


In this task, you will use the Operations tab in Cisco Application Policy Infrastructure Controller (APIC).

Activity Procedure
Complete these steps:
Step 66

Return to the APIC GUI running in your Chrome browser.


Step 67

In the Menu bar, click Operations.

Step 68

In the Submenu bar, click Visibility and Troubleshooting.

Step 69

In the Session Name field type POD##-SESSION (replace ## with your assigned 2-digit
Pod Number).

Step 70

In the Source field, enter 10.##.1.1 (the IP address of Pod##-App) and then click the Search
button.

Step 71

You should see a single search result. Click it; the row will turn grey.

Step 72

In the Destination field, enter 10.##.3.1 (the IP address of Pod##-Web) and then click the
Search button.

Step 73

You should see a single search result. Click it; the row will turn grey.

Step 74

Click START in the lower right side of the page.

Step 75

After a few seconds, the Faults screen appears. Observe any possible faults on the system.


Step 76

Click Drops/Stats in the Navigation Pane. Observe that there have been some drops in the
system caused by the configuration changes you made to the fabric.

Step 77

Click Contracts in the Navigation Pane. You should see packets from pinging between the
virtual machines from the previous lab exercises.

Step 78

Click Traceroute in the Navigation Pane. From the Protocol drop-down menu, choose icmp.
Press the Play button in the top left part of the window.

Step 79

Click OK if a warning pops up.


Step 80

After a few seconds, the interface will display the result of a traceroute. Observe that the
Traceroute Status is complete and that the arrows in the screen are green.

Step 81

Click the Stop button to end the traceroute.
