Step 1
In the AWS site, get the Cloud APIC IP address.

Step 2
Open a browser window and, using the secure version of HTTP (https://), paste the IP address into the URL field, then press Return to access this Cloud APIC.
For example, https://192.168.0.0.
If you see a message asking you to Ignore Risk and Accept Certificate, accept the certificate to continue.
Step 3
Enter the following information in the login page for the Cloud APIC:
- Username: Enter admin for this field.
- Password: Enter the password that you provided on the Specify Details page from Step 12 in the Deploying the Cloud APIC in AWS procedures.
- Domain: If you see the Domain field, leave the default Domain entry as-is.
Step 4
Click Login at the bottom of the page.
Note: If you see an error message when you try to log in, such as "REST Endpoint user authentication datastore is not initialized - Check Fabric Membership Status of this fabric node", wait several minutes, then try again. You might also have to refresh the page in order to log in.
The Welcome to Cloud APIC setup wizard page appears.
Step 5
Click Begin Set Up.
The Let's Configure the Basics page appears, with these areas to be configured:
- DNS Servers
- Region Management
- Smart Licensing
Step 6
In the DNS Servers row, click Edit Configuration.
The DNS and NTP page appears.
Step 7
In the DNS and NTP page, add the DNS servers, if necessary, and the NTP servers.
- A DNS server is already configured by default. Add a DNS server only if you want to use a specific DNS server.
- An NTP server is not configured by default, so we recommend that you configure one. Skip to 7.d if you want to configure an NTP server and you do not want to configure a DNS server.
a. If you want to use a specific DNS server, under the DNS Servers area, click +Add DNS Provider.
b. Enter the IP address for the DNS server and, if necessary, check the box next to Preferred DNS Provider.
c. Click the check mark next to the DNS server, and repeat for any additional DNS servers that you want to add.
d. Under the NTP Servers area, click +Add Providers.
e. Enter the IP address for the NTP server and, if necessary, check the box next to Preferred NTP Provider.
f. Click the check mark next to the NTP server, and repeat for any additional NTP servers that you want to add.
Step 8
When you have finished adding the DNS and NTP servers, click Save and Continue.
The Let's Configure the Basics page appears again.
Step 9
In the Region Management row, click Begin.
The Region Management page appears.
Step 10
Determine whether you want to use AWS Transit Gateway.
Step 11
In the Regions to Manage area, verify that the Cloud APIC home region is selected.
The region that you selected in Step 2 in Deploying the Cloud APIC in AWS is the home region and should already be selected on this page. This is the region where the Cloud APIC is deployed (the region that will be managed by Cloud APIC), and it is indicated with the text cAPIC deployed in the Region column.
Step 12
Select additional regions if you want the Cloud APIC to manage additional regions, and possibly to deploy CCRs for inter-VPC communication and Hybrid-Cloud, Hybrid Multi-Cloud, or Multi-Cloud connectivity in those other regions.
The CCR can manage four regions, including the home region where Cloud APIC is deployed.
A Cloud APIC can manage multiple cloud regions as a single site. In a typical Cisco ACI configuration, a site represents anything that can be managed by an APIC cluster. If a Cloud APIC cluster manages two regions, those two regions are considered a single site by Cisco ACI.
Step 13
To deploy cloud routers locally to a region, click to place a check mark in the Cloud Routers check box for that region.
Step 14
When you have selected all the appropriate regions, click Next at the bottom of the page.
The General Connectivity page appears.
Step 15
Enter the following information on the General Connectivity page.
- If you enabled the AWS Transit Gateway Connect feature in Step 10, the Hub Network fields are available in this window. Go to 15.a.
- If you did not enable the AWS Transit Gateway Connect feature in Step 10, skip to 15.e.
a. In the Hub Network area, click Add Hub Network.
   The Add Hub Network window appears.
b. In the Name field, enter a name for the hub network.
c. In the BGP Autonomous System Number field, enter 0 to let AWS choose a number, or enter a value between 64512 and 65534, inclusive, to configure your own autonomous system number for this hub network, and then click the check mark next to the field.
   We recommend that you use different numbers for different instances of AWS Transit Gateway.
d. In the CIDRs area, click Add CIDR.
   This is the AWS Transit Gateway Connect CIDR block, which is used as the connect peer IP address (the GRE outer peer IP address) on the Transit Gateway side.
   1. In the Region field, select the appropriate region.
   2. In the CIDR Block Range field, enter the CIDR block that will be used as the connect peer IP address on the Transit Gateway side.
   3. Click the check mark to accept these values for this CIDR block.
   4. For every managed region that will be using the AWS Transit Gateway Connect feature, repeat these steps to add the CIDR blocks to be used for each of those managed regions.
e. To add a subnet pool for the CCRs, click Add Subnet Pool for Cloud Routers and enter the subnet in the text box.
   The first subnet pool for the first two regions is automatically populated. If you selected more than two regions, you need to add a subnet for the cloud router to the list for the additional two regions. Addresses from this subnet pool are used for inter-region connectivity for any additional regions that are added to be managed by the Cloud APIC after the first two regions. This must be a valid IPv4 subnet with mask /24.
   Note: The /24 subnet provided during the Cloud APIC deployment is sufficient for up to two cloud sites. If you need to manage more than two cloud sites, you need to add more subnets.
f. In the IPSec Tunnel Subnet Pool area, click Add IPSec Tunnel Subnet Pools.
   The Add IPSec Tunnel Subnet Pools window appears.
g. Enter the subnet pool to be used for IPSec tunnels, if necessary.
   This subnet pool is used to create an IPSec tunnel between your cloud router and the router in the branch office or external network. This subnet is used to address the IPSec tunnel interfaces and loopbacks of the cloud routers used for external connectivity.
   You can add more subnets to be used for IPSec tunnels in this area, or delete entries in this area if the subnets are not used by any tunnels.
   Click the check mark after you have entered the appropriate subnet pools.
h. In the CCRs area, enter a value in the BGP Autonomous System Number for CCRs field.
   The BGP ASN can be in the range 1 - 65534.
   Note: Do not use 64512 as the autonomous system number in this field.
i. In the Assign Public IP to CCR Interface field, determine whether you want a public or a private IP address assigned to the CCR interfaces.
   - To have a public IP address assigned to the CCR interfaces, leave the check in the Enabled check box. By default, the Enabled check box is checked.
   - To disable public IP addresses on the CCR interfaces, uncheck the Enabled check box. A private IP address is used for connectivity in this case.
   Note: Disabling or enabling a public IP address is a disruptive operation and can result in traffic loss.
   Beginning with release 5.2(1), both the public and private IP addresses assigned to a CCR are displayed with the other details of the router in the Cloud Resources area. If a public IP is not assigned to a CCR, only the private IP is displayed.
j. In the Number of Routers Per Region field, choose the number of CCRs that will be used in each region.
k. In the Username field, enter the username for the CCR.
l. In the Password field, enter the password for the CCR.
m. In the Pricing Type field, select one of the two licensing models, BYOL or PAYG.
   Note: There are two PAYG options for consuming licenses in the AWS marketplace: Catalyst 8000V Cisco DNA Essentials and Catalyst 8000V Cisco DNA Advantage. Cisco Cloud APIC uses Catalyst 8000V Cisco DNA Advantage.
   For the BYOL Pricing Type, the steps are as follows:
   1. In the Throughput of the routers field, choose the throughput of the CCR.
      Changing the value in this field changes the size of the CCR instance that is deployed. Choosing a higher value for the throughput results in a larger VM being deployed.
      Note: If you wish to change this value at some point in the future, you must delete the CCR, then repeat the processes in this chapter again and select the new value that you would like in the same Throughput of the routers field.
      In addition, the licensing of the CCR is based on this setting. You need the equivalent or higher license in your Smart account for it to be compliant. See Requirements for the AWS Public Cloud for more information.
      Note: Cloud routers should be undeployed from all regions before changing the router throughput or login credentials.
   2. Enter the necessary information in the TCP MSS field, if applicable.
      Beginning with Release 5.0(2l), the TCP MSS option is available to configure the TCP maximum segment size (MSS). This value is applied to all cloud router interfaces, including VPN tunnels towards the cloud and external tunnels towards the on-premises site or other cloud sites. For VPN tunnels towards the cloud, if the cloud provider's MSS value is less than the value that you enter in this field, the lower value is used; otherwise, the value that you enter in this field is used.
      The MSS value affects only TCP traffic, and has no impact on other types of traffic, such as ping traffic.
   3. In the License Token field, enter the license token for the CCR.
      This is the Product Instance Registration token from your Cisco Smart Software Licensing account. To get this license token, go to http://software.cisco.com and navigate to the Product Instance Registration token.
      Note: If the public IP addresses are disabled for the CCRs in 15.i, the only supported option for registering smart licensing for CCRs with private IP addresses is AWS Direct Connect or Azure Express Route to Cisco Smart Software Manager (CSSM). You must provide reachability to the CSSM through AWS Direct Connect or Azure Express Route in this case. When the public IP addresses are disabled, the public internet cannot be used because private IP addresses are being used. The connectivity should therefore use a Private Connection, which is AWS Direct Connect or Azure Express Route.
   For the PAYG Pricing Type, the steps are as follows:
   1. In the VM Type field, select one of the AWS EC2 instances according to your requirements.
      Cisco Cloud APIC supports a range of AWS EC2 instances for cloud networking needs powered by Cisco's Catalyst 8000V virtual router. The table below shows the cloud instance types supported by Cisco Cloud APIC on AWS.

      AWS EC2 Instance   CCR Throughput                 vCPUs   Memory
      c5.xlarge          up to 5 Gigabit throughput     4       8 GiB
      c5.2xlarge         up to 10 Gigabit throughput    8       16 GiB
      c5.4xlarge         up to 10 Gigabit throughput    16      32 GiB
      c5.9xlarge         up to 10 Gigabit throughput    36      72 GiB
      c5n.xlarge         up to 25 Gigabit throughput    4       10.5 GiB
      c5n.2xlarge        up to 25 Gigabit throughput    8       21 GiB
      c5n.4xlarge        up to 25 Gigabit throughput    16      42 GiB
      c5n.9xlarge        up to 50 Gigabit throughput    36      96 GiB

      Changing the value in this field changes the other factors of the CCR as listed in the table above. Choosing a higher value for the VM size results in higher throughput.
   2. Enter the necessary information in the TCP MSS field, if applicable.
      Beginning with Release 5.0(2l), the TCP MSS option is available to configure the TCP maximum segment size (MSS). This value is applied to all cloud router interfaces, including VPN tunnels towards the cloud and external tunnels towards the on-premises site or other cloud sites. For VPN tunnels towards the cloud, if the cloud provider's MSS value is less than the value that you enter in this field, the lower value is used; otherwise, the value that you enter in this field is used.
      The MSS value affects only TCP traffic, and has no impact on other types of traffic, such as ping traffic.
      Note: You do not need to provide a license token when you select PAYG.
      Note: All the features supported with BYOL are also supported with PAYG.
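The General Connectivity page enforces several numeric constraints (hub network ASN of 0 or 64512 to 65534 inclusive, CCR ASN of 1 to 65534 but never 64512, a cloud router subnet pool that must be an IPv4 /24 with one /24 covering two regions, valid Transit Gateway Connect CIDR blocks, and the TCP MSS rule that the lower of the configured and provider values is used on VPN tunnels towards the cloud), and a wrong value only surfaces once the wizard rejects it or, worse, once routers are deployed. The following pre-flight validator is an added example written for this page, not Cisco code, and it does not talk to the Cloud APIC; the names GeneralConnectivity, HubNetwork, validate and effective_tcp_mss are its own. Two things in it go beyond the page's wording and are labelled as such in the code: reading "one /24 per two regions" as ceil(regions / 2) pools, and an ordinary sanity check that address pools must not overlap one another.

```python
"""Pre-flight validator for the Step 15 General Connectivity values (added example, not Cisco code)."""
import math
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List, Optional

HUB_ASN_MIN, HUB_ASN_MAX = 64512, 65534  # Step 15.c, inclusive; 0 lets AWS choose
CCR_ASN_MIN, CCR_ASN_MAX = 1, 65534      # Step 15.h
CCR_ASN_FORBIDDEN = 64512                # Step 15.h note

@dataclass
class HubNetwork:
    name: str
    bgp_asn: int
    connect_cidrs: List[str] = field(default_factory=list)  # one TGW Connect CIDR per region

@dataclass
class GeneralConnectivity:
    managed_regions: int
    ccr_bgp_asn: int
    cloud_router_subnet_pools: List[str]
    ipsec_tunnel_subnet_pools: List[str] = field(default_factory=list)
    hub_networks: List[HubNetwork] = field(default_factory=list)  # empty when TGW Connect is off

def _ipv4_network(cidr: str, label: str, problems: List[str]) -> Optional[IPv4Network]:
    """Parse cidr as a strict IPv4 network; record a problem and return None when it is not one."""
    try:
        return IPv4Network(cidr, strict=True)  # IPv6 or host bits set both raise ValueError
    except ValueError as exc:
        problems.append(f"{label} {cidr!r} is not a valid IPv4 network: {exc}")
        return None

def check_hub_network(hub: HubNetwork) -> List[str]:
    """Step 15.c-d: ASN is 0 or within the hub range, and each region has a parseable Connect CIDR."""
    problems: List[str] = []
    if hub.bgp_asn != 0 and not HUB_ASN_MIN <= hub.bgp_asn <= HUB_ASN_MAX:
        problems.append(f"hub {hub.name!r}: ASN {hub.bgp_asn} must be 0 or {HUB_ASN_MIN}-{HUB_ASN_MAX}")
    if not hub.connect_cidrs:
        problems.append(f"hub {hub.name!r}: no Transit Gateway Connect CIDR block")
    for cidr in hub.connect_cidrs:
        _ipv4_network(cidr, f"hub {hub.name!r} Connect CIDR", problems)
    return problems

def check_ccr_asn(asn: int) -> List[str]:
    """Step 15.h: the CCR ASN is 1-65534 and never 64512."""
    if asn == CCR_ASN_FORBIDDEN:
        return [f"CCR ASN must not be {CCR_ASN_FORBIDDEN}"]
    if not CCR_ASN_MIN <= asn <= CCR_ASN_MAX:
        return [f"CCR ASN {asn} must be in {CCR_ASN_MIN}-{CCR_ASN_MAX}"]
    return []

def effective_tcp_mss(configured: int, provider_mss: Optional[int]) -> int:
    """TCP MSS rule for VPN tunnels towards the cloud: the lower of the two values is used."""
    return configured if provider_mss is None else min(configured, provider_mss)

def validate(cfg: GeneralConnectivity) -> List[str]:
    """Return every problem found; an empty list means the values satisfy the stated rules."""
    problems = check_ccr_asn(cfg.ccr_bgp_asn)
    for hub in cfg.hub_networks:
        problems += check_hub_network(hub)
    asns = [h.bgp_asn for h in cfg.hub_networks if h.bgp_asn != 0]
    if len(asns) != len(set(asns)):  # recommendation in 15.c
        problems.append("hub networks share a BGP ASN; use a different number per Transit Gateway")
    pools: List[IPv4Network] = []
    for cidr in cfg.cloud_router_subnet_pools:
        net = _ipv4_network(cidr, "cloud router subnet pool", problems)
        if net is not None:
            if net.prefixlen != 24:  # 15.e: must be a /24
                problems.append(f"cloud router subnet pool {cidr!r} must be a /24")
            pools.append(net)
    # Assumption read from 15.e: one /24 pool serves two regions, so ceil(regions / 2) pools are needed.
    needed = max(1, math.ceil(cfg.managed_regions / 2))
    if len(cfg.cloud_router_subnet_pools) < needed:
        problems.append(f"{cfg.managed_regions} regions need at least {needed} cloud router subnet pool(s)")
    for cidr in cfg.ipsec_tunnel_subnet_pools:
        net = _ipv4_network(cidr, "IPSec tunnel subnet pool", problems)
        if net is not None:
            pools.append(net)
    for i, a in enumerate(pools):  # added sanity check, not stated on the page: pools must not overlap
        for b in pools[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnet pools {a} and {b} overlap")
    return problems

# Constructed sample inputs, not taken from any real deployment.
GOOD = GeneralConnectivity(
    managed_regions=3, ccr_bgp_asn=65000,
    cloud_router_subnet_pools=["10.10.0.0/24", "10.10.1.0/24"],
    ipsec_tunnel_subnet_pools=["10.20.0.0/24"],
    hub_networks=[HubNetwork("hub-east", 64600, ["10.30.0.0/24"])],
)
BAD = GeneralConnectivity(  # six violations: CCR ASN, hub ASN, missing Connect CIDR, /23 pool, pool count, overlap
    managed_regions=3, ccr_bgp_asn=64512,
    cloud_router_subnet_pools=["10.10.0.0/23"],
    ipsec_tunnel_subnet_pools=["10.10.0.0/24"],
    hub_networks=[HubNetwork("hub-east", 70000, [])],
)
```

Run `validate(GOOD)` to get an empty list and `validate(BAD)` to get six messages, one per rule broken; fill in a GeneralConnectivity with the values you intend to type and clear every message before you click Save and Continue, since changing throughput or login credentials afterwards means undeploying the cloud routers from all regions.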
Step 16
Click Save and Continue.
The Let's Configure the Basics page appears again.
Step 17
In the Smart Licensing row, click Register.
The Smart Licensing page appears.
Step 18
Enter the necessary information in the Smart Licensing page.
Cisco Smart Licensing is a unified license management system that manages software licenses across Cisco products. To register your Cloud APIC with Cisco Smart Software Licensing, do the following:
a. Ensure that this product has access to the internet or to a Smart Software Manager satellite installed on your network.
b. Log in to your Smart Account:
   1. Navigate to the Virtual Account containing the licenses to be used by this Product Instance.
   2. Generate a Product Instance Registration Token (this identifies your Smart Account) and copy or save it.
To learn more about Smart Software Licensing, visit https://www.cisco.com/go/smartlicensing.
Step 19
Click Register at the bottom of the page if you entered the necessary licensing information on this page, or click Continue in Evaluation Mode if you want to continue in evaluation mode instead.
The Summary page appears.
Step 20
Verify the information on the Summary page, then click Close.
At this point, you are finished with the internal network connectivity configuration for your Cloud APIC.
If this is the first time that you are deploying your Cloud APIC, this process might take quite a bit of time, possibly 30 minutes or so, before it completes successfully.