Network Management : Cisco Application Policy Infrastructure Controller (APIC)

Verify Contracts and Rules in the ACI Fabric

August 28, 2015 - Machine translation
Other versions: PDF | English (June 29, 2015)

Introduction

This document describes how to verify that contracts in an Application Centric Infrastructure (ACI) fabric are configured and function properly.

Note: Verification of the logical and concrete models, as well as of the hardware programming, is described in this document.

Contributed by Paul Raytick and Robert Correiro, Cisco TAC Engineers.

Topology

In the example used in this document, a virtual machine (VM) is attached to Leaf1, and a contract is in place that allows it to communicate with VM-B, which is attached to Leaf2. The contract allows Internet Control Message Protocol (ICMP) and HTTP.

This image illustrates the topology:

Process Overview

This is the policy interaction and the flow of contracts and rules:

  1. The Application Policy Infrastructure Controller (APIC) Policy Manager communicates with the Policy Element Manager on the switch.

  2. The Policy Element Manager on the switch programs the object store on the switch.

  3. The Policy Manager on the switch communicates with the Access Control List Quality of Service (ACLQOS) client on the switch.

  4. The ACLQOS client programs the hardware.

Identify the Contract/Zoning Rules Used

This is example output of the zoning-rule command from the leaf, before the contract between the two endpoint groups (EPGs) was added.

fab1_leaf1# show zoning-rule

Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope     Action
=======  ======  ======  ========  ======   ========  ========
4096     0       0       implicit  enabled  16777200  deny,log
4097     0       0       implicit  enabled  3080192   deny,log
4098     0       0       implicit  enabled  2686976   deny,log
4099     0       49154   implicit  enabled  2686976   permit
4102     0       0       implicit  enabled  2097152   deny,log
4103     0       32771   implicit  enabled  2097152   permit
4117     16387   16386   12        enabled  2097152   permit
4116     16386   16387   13        enabled  2097152   permit
4100     16386   49154   default   enabled  2097152   permit
4101     49154   16386   default   enabled  2097152   permit
4104     0       32770   implicit  enabled  2097152   permit
4105     49155   16387   13        enabled  2097152   permit
4112     16387   49155   13        enabled  2097152   permit
4113     49155   16387   12        enabled  2097152   permit
4114     16387   49155   12        enabled  2097152   permit
[snip]

This is the same command output after the contract was added so that the two EPGs can communicate with each other:

fab1_leaf1# show zoning-rule

Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope     Action
=======  ======  ======  ========  ======   ========  ========
4096     0       0       implicit  enabled  16777200  deny,log
4097     0       0       implicit  enabled  3080192   deny,log
4098     0       0       implicit  enabled  2686976   deny,log
4099     0       49154   implicit  enabled  2686976   permit
4131     49155   32771   7         enabled  2686976   permit
4132     32771   49155   6         enabled  2686976   permit
4102     0       0       implicit  enabled  2097152   deny,log
4103     0       32771   implicit  enabled  2097152   permit
4117     16387   16386   12        enabled  2097152   permit
4116     16386   16387   13        enabled  2097152   permit
4100     16386   49154   default   enabled  2097152   permit
4101     49154   16386   default   enabled  2097152   permit
4104     0       32770   implicit  enabled  2097152   permit
4105     49155   16387   13        enabled  2097152   permit
4112     16387   49155   13        enabled  2097152   permit
4113     49155   16387   12        enabled  2097152   permit
4114     16387   49155   12        enabled  2097152   permit
[snip]

Note: Notice that the new rule IDs (4131 and 4132) were added, with filter IDs 7 and 6 and scope 2686976.

Caution: This command output makes it easy to identify the rule you must check on a lab system; however, it can be cumbersome in a production environment where dynamic changes occur.
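The rule-selection step just described, as an added Python example that is not part of the Cisco document: it parses before/after captures of show zoning-rule, lists the rules the contract created, selects the rules between two pcTags inside one scope (the VRF segment ID), and returns that scope's implicit deny. The two captures are excerpts of the output shown above; the class and function names are this example's own.

```python
"""Added example, not from the Cisco document: parse `show zoning-rule`
output, diff a before/after capture to list the rules a contract created,
and select the rules between two pcTags inside one scope (the VRF segment
ID) plus that scope's implicit deny. The captures below are excerpts of
the output shown in the document; class and function names are this
example's own."""
import re
from dataclasses import dataclass

# Excerpt of the leaf output before the contract was added.
BEFORE = """\
fab1_leaf1# show zoning-rule

Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope     Action
=======  ======  ======  ========  ======   =====     ======
4096     0       0       implicit  enabled  16777200  deny,log
4097     0       0       implicit  enabled  3080192   deny,log
4098     0       0       implicit  enabled  2686976   deny,log
4099     0       49154   implicit  enabled  2686976   permit
4102     0       0       implicit  enabled  2097152   deny,log
4117     16387   16386   12        enabled  2097152   permit
[snip]
"""

# Same excerpt after the contract was added: rules 4131 and 4132 appear.
AFTER = """\
fab1_leaf1# show zoning-rule

Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope     Action
=======  ======  ======  ========  ======   =====     ======
4096     0       0       implicit  enabled  16777200  deny,log
4097     0       0       implicit  enabled  3080192   deny,log
4098     0       0       implicit  enabled  2686976   deny,log
4099     0       49154   implicit  enabled  2686976   permit
4131     49155   32771   7         enabled  2686976   permit
4132     32771   49155   6         enabled  2686976   permit
4102     0       0       implicit  enabled  2097152   deny,log
4117     16387   16386   12        enabled  2097152   permit
[snip]
"""


@dataclass(frozen=True)
class ZoningRule:
    rule_id: int
    src_epg: int      # source pcTag (0 = any)
    dst_epg: int      # destination pcTag (0 = any)
    filter_id: str    # numeric filter ID, "default" or "implicit"
    oper_st: str
    scope: int        # VRF (fvCtx) segment ID / scope
    action: str       # "permit" or "deny,log"


# One data row: seven whitespace-separated columns, the first numeric.
_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_zoning_rules(text):
    """Return {rule_id: ZoningRule}; prompt, header, separator and [snip] lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rid, src, dst, fid, st, scope, action = m.groups()
            rules[int(rid)] = ZoningRule(int(rid), int(src), int(dst), fid, st, int(scope), action)
    return rules


def new_rules(before, after):
    """Rules present in `after` but not in `before`, sorted by rule ID."""
    return [after[rid] for rid in sorted(after.keys() - before.keys())]


def rules_between(rules, scope, pctag_a, pctag_b):
    """Rules in `scope` whose src/dst pcTags are exactly this pair, in either direction."""
    pair = {pctag_a, pctag_b}
    return sorted(
        (r for r in rules.values() if r.scope == scope and {r.src_epg, r.dst_epg} == pair),
        key=lambda r: r.rule_id,
    )


def implicit_deny(rules, scope):
    """The any-to-any implicit deny of a scope: what traffic hits when no contract matches."""
    for r in rules.values():
        if r.scope == scope and r.src_epg == 0 and r.dst_epg == 0 and r.filter_id == "implicit":
            return r
    return None


if __name__ == "__main__":
    before, after = parse_zoning_rules(BEFORE), parse_zoning_rules(AFTER)
    for r in new_rules(before, after):
        print(f"new rule {r.rule_id}: {r.src_epg}->{r.dst_epg} filter {r.filter_id} scope {r.scope} {r.action}")
    print("implicit deny for scope 2686976:", implicit_deny(after, 2686976).rule_id)
```

On a production leaf the same functions can be fed the full command output; narrowing by scope first, as rules_between does, is what keeps the result readable when many tenants share the switch.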

Another method you can use in order to identify the rule of interest is Visore. Perform a search for the context managed object (MO), fvCtx. On that screen you can then search for the distinguished name (DN) of your specific context, as shown here:

Note the scope of that context. You can use it to map to the show zoning-rule command output so that you can identify the rule you must query:

You can also identify the segment ID/scope of the context from the user interface (UI), as shown here:

This scope matches the one shown in the show zoning-rule command output:

Once you have the scope ID information and have identified the rule and filter IDs, you can use the next command in order to verify that you hit the new filter (the one between the EPGs) rather than the implicit deny. The implicit deny is included so that, by default, EPGs cannot communicate.

Notice in this command output on Leaf1 that Filter-6 (f-6) increments:

fab1_leaf1# show system internal policy-mgr stats | grep 2686976

Rule (4098) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-any-f-implicit)
Ingress: 0, Egress: 81553

Rule (4099) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-49154-f-implicit)
Ingress: 0, Egress: 0

Rule (4131) DN (sys/actrl/scope-2686976/rule-2686976-s-49155-d-32771-f-7)
Ingress: 0, Egress: 0

Rule (4132) DN (sys/actrl/scope-2686976/rule-2686976-s-32771-d-49155-f-6)
Ingress: 1440, Egress: 0

fab1_leaf1# show system internal policy-mgr stats | grep 2686976

Rule (4098) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-any-f-implicit)
Ingress: 0, Egress: 81553

Rule (4099) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-49154-f-implicit)
Ingress: 0, Egress: 0

Rule (4131) DN (sys/actrl/scope-2686976/rule-2686976-s-49155-d-32771-f-7)
Ingress: 0, Egress: 0

Rule (4132) DN (sys/actrl/scope-2686976/rule-2686976-s-32771-d-49155-f-6)
Ingress: 1470, Egress: 0

Notice in this command output on Leaf2 that Filter-7 (f-7) increments:

fab1_leaf2# show system internal policy-mgr stats | grep 268697

Rule (4098) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-any-f-implicit)
Ingress: 0, Egress: 80257

Rule (4099) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-49153-f-implicit)
Ingress: 0, Egress: 0

Rule (4117) DN (sys/actrl/scope-2686976/rule-2686976-s-32771-d-49155-f-6)
Ingress: 0, Egress: 0

Rule (4118) DN (sys/actrl/scope-2686976/rule-2686976-s-49155-d-32771-f-7)
Ingress: 2481, Egress: 0

fab1_leaf2# show system internal policy-mgr stats | grep 268697

Rule (4098) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-any-f-implicit)
Ingress: 0, Egress: 80257

Rule (4099) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-49153-f-implicit)
Ingress: 0, Egress: 0

Rule (4117) DN (sys/actrl/scope-2686976/rule-2686976-s-32771-d-49155-f-6)
Ingress: 0, Egress: 0

Rule (4118) DN (sys/actrl/scope-2686976/rule-2686976-s-49155-d-32771-f-7)
Ingress: 2511, Egress: 0
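To make the "which filter incremented" check above mechanical, here is an added Python example that is not part of the Cisco document: it parses two consecutive captures of show system internal policy-mgr stats, decodes each rule's DN into scope, source pcTag, destination pcTag and filter ID, and reports the counter deltas between the captures. The captures are excerpts of the Leaf1 output shown above; the function names are this example's own.

```python
"""Added example, not from the Cisco document: parse two consecutive
captures of `show system internal policy-mgr stats` and report which
rule counters moved, i.e. which filter the traffic actually hit.
The captures are excerpts of the Leaf1 output in the document; the
function names are this example's own."""
import re

FIRST = """\
fab1_leaf1# show system internal policy-mgr stats | grep 2686976

Rule (4098) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-any-f-implicit)
Ingress: 0, Egress: 81553

Rule (4099) DN (sys/actrl/scope-2686976/rule-2686976-s-any-d-49154-f-implicit)
Ingress: 0, Egress: 0

Rule (4131) DN (sys/actrl/scope-2686976/rule-2686976-s-49155-d-32771-f-7)
Ingress: 0, Egress: 0

Rule (4132) DN (sys/actrl/scope-2686976/rule-2686976-s-32771-d-49155-f-6)
Ingress: 1440, Egress: 0
"""

# Second capture from the document: only rule 4132's ingress counter moved.
SECOND = FIRST.replace("Ingress: 1440, Egress: 0", "Ingress: 1470, Egress: 0")

_RULE = re.compile(r"Rule \((\d+)\) DN \((\S+)\)")
_COUNTERS = re.compile(r"Ingress:\s*(\d+),\s*Egress:\s*(\d+)")
# DN layout seen in the output: sys/actrl/scope-<scope>/rule-<scope>-s-<src>-d-<dst>-f-<filter>
_DN = re.compile(r"scope-(\d+)/rule-\d+-s-(\w+)-d-(\w+)-f-(\w+)$")


def parse_policy_mgr_stats(text):
    """Return {rule_id: {scope, src, dst, filter, ingress, egress}} from one capture."""
    stats, current = {}, None
    for line in text.splitlines():
        m = _RULE.search(line)
        if m:
            current = int(m.group(1))
            dn = _DN.search(m.group(2))
            stats[current] = {
                "scope": int(dn.group(1)), "src": dn.group(2), "dst": dn.group(3),
                "filter": dn.group(4), "ingress": 0, "egress": 0,
            }
            continue
        m = _COUNTERS.search(line)
        if m and current is not None:
            stats[current]["ingress"], stats[current]["egress"] = int(m.group(1)), int(m.group(2))
            current = None
    return stats


def counter_deltas(first, second):
    """{rule_id: (ingress_delta, egress_delta)} for rules in both captures whose counters changed."""
    deltas = {}
    for rid, now in second.items():
        then = first.get(rid)
        if then is None:
            continue
        d = (now["ingress"] - then["ingress"], now["egress"] - then["egress"])
        if d != (0, 0):
            deltas[rid] = d
    return deltas


def hit_filters(first, second):
    """Filter IDs whose rule incremented; 'implicit' here means the implicit deny caught the traffic."""
    return sorted(second[rid]["filter"] for rid in counter_deltas(first, second))


if __name__ == "__main__":
    first, second = parse_policy_mgr_stats(FIRST), parse_policy_mgr_stats(SECOND)
    for rid, (din, deg) in counter_deltas(first, second).items():
        r = second[rid]
        print(f"rule {rid} ({r['src']}->{r['dst']} filter {r['filter']}): ingress +{din}, egress +{deg}")
```

In the document's captures the same DN carries rule ID 4132 on Leaf1 but 4118 on Leaf2, so when you correlate across leaves compare by DN (or by the decoded src/dst/filter fields), not by rule ID.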

Tip: Knowledge of the scope, rule IDs, destination and source pcTags, and filters is important when you attempt to troubleshoot this issue further. Knowledge of the rule IDs that exist between the EPGs is also useful.

You can perform a search on the MO with the DN name fvAEPg and grep for the specific pcTag via the moquery command, as shown here:

admin@RTP_Apic1:~> moquery -c fvAEPg | grep 49155 -B 5

dn : uni/tn-Prod/ap-commerceworkspace/epg-Web
lcOwn : local
matchT : AtleastOne
modTs : 2014-10-16T01:27:35.355-04:00
monPolDn : uni/tn-common/monepg-default
pcTag : 49155

You can also use the filter option with the moquery command, as shown here:

admin@RTP_Apic1:~> moquery -c fvAEPg -f 'fv.AEPg.pcTag=="49155"'
Total Objects shown: 1

# fv.AEPg
name : Web
childAction :
configIssues :
configSt : applied
descr :
dn : uni/tn-Prod/ap-commerceworkspace/epg-Web
lcOwn : local
matchT : AtleastOne
modTs : 2014-10-16T01:27:35.355-04:00
monPolDn : uni/tn-common/monepg-default
pcTag : 49155
prio : unspecified
rn : epg-Web
scope : 2523136
status :
triggerSt : triggerable
uid : 15374

Verify Hardware Programming

Now you can verify the hardware entries for the rule. In order to view the hardware information, enter the show platform internal ns table mth_lux_slvz_DHS_SecurityGroupStatTable_memif_data <entry> command (this is a vsh_lc command):

In this example, hardware entry 41 (Entry [000041]) increments.

Note: Use of this command is not practical in a production environment, but you can use the other commands described in this section.

Keep in mind the rule (4132) and the scope (2686976):

Enter this command in order to determine the mapping of rule IDs and filter IDs to Ternary Content-Addressable Memory (TCAM) hardware index entries:

module-1# show system internal aclqos zoning-rules

[snip]

===========================================
Rule ID: 4131 Scope 4 Src EPG: 49155 Dst EPG: 32771 Filter 7

Curr TCAM resource:
=============================
   unit_id: 0
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 62 | hw_index = 40
   === Region priority: 772 (rule prio: 3 entry: 4)===
       sw_index = 63 | hw_index = 45

===========================================
Rule ID: 4132 Scope 4 Src EPG: 32771 Dst EPG: 49155 Filter 6

Curr TCAM resource:
=============================
   unit_id: 0
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 66 | hw_index = 41
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 67 | hw_index = 42

[snip]

For this example, the source and destination EPG combination of interest is 32771 = 0x8003 and 49155 = 0xC003. Therefore, consider all TCAM entries that match the rule IDs (4131 and 4132) for these source and destination classes and the filter IDs (6 and 7).

In this example, some of these TCAM entries are dumped. For reference, this is the contract configuration that allows ping and web traffic between these EPGs:

module-1# show platform internal ns table mth_lux_slvz_DHS_SecurityGroupKeyTable0_memif_data 41

=======================================================================
                         TABLE INSTANCE : 0
=======================================================================
ENTRY[000041] =
               sg_label=0x4
               sclass=0x8003
               dclass=0xc003
               prot=0x1 (IP Protocol 0x01 = ICMP)
               sup_tx_mask=0x1
               src_policy_incomplete_mask=0x1
               dst_policy_incomplete_mask=0x1
               class_eq_mask=0x1
               aclass_mask=0x1ff
               port_dir_mask=0x1
               dport_mask=0xffff
               sport_mask=0xffff
               tcpflags_mask=0xff
               ip_opt_mask=0x1
               ipv6_route_mask=0x1
               ip_fragment_mask=0x1
               ip_frag_offset0_mask=0x1
               ip_frag_offset1_mask=0x1
               ip_mf_mask=0x1
               l4_partial_mask=0x1
               dst_local_mask=0x1
               routeable_mask=0x1
               spare_mask=0x7ff
               v4addr_key_mask=0x1
               v6addr_key_mask=0x1
               valid=0x1


module-1# show platform internal ns table mth_lux_slvz_DHS_SecurityGroupKeyTable0_memif_data 42

=======================================================================
                         TABLE INSTANCE : 0
=======================================================================
ENTRY[000042] =
               sg_label=0x4
               sclass=0x8003
               dclass=0xc003
               prot=0x6 <--
               dport=0x50 <--
               sup_tx_mask=0x1
               src_policy_incomplete_mask=0x1
               dst_policy_incomplete_mask=0x1
               class_eq_mask=0x1
               aclass_mask=0x1ff
               port_dir_mask=0x1
               sport_mask=0xffff
               tcpflags_mask=0xff
               ip_opt_mask=0x1
               ipv6_route_mask=0x1
               ip_fragment_mask=0x1
               ip_frag_offset0_mask=0x1
               ip_frag_offset1_mask=0x1
               ip_mf_mask=0x1
               l4_partial_mask=0x1
               dst_local_mask=0x1

Tip: You can verify each of these TCAM entries with the same method.
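The rule-to-TCAM walk described in this section, as an added Python example that is not part of the Cisco document: it parses the aclqos zoning-rules output to learn which hw_index entries each rule owns, parses the SecurityGroupKeyTable entry dumps, decodes the protocol and destination port, and cross-checks that each dumped entry carries the pcTags (32771 = 0x8003, 49155 = 0xC003), scope and hw_index that its rule calls for. The captures are shortened excerpts of the output shown above; the function names are this example's own.

```python
"""Added example, not from the Cisco document: walk from the aclqos
zoning-rules output to the TCAM entry dumps and cross-check that each
dumped entry carries the pcTags (32771 = 0x8003, 49155 = 0xC003), scope
and L4 match that the rule calls for. The captures are shortened excerpts
of the output shown in the document; function names are this example's own."""
import re

# Excerpt of `show system internal aclqos zoning-rules` from the document.
ACLQOS_RULES = """\
Rule ID: 4131 Scope 4 Src EPG: 49155 Dst EPG: 32771 Filter 7
Curr TCAM resource:
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 62 | hw_index = 40
   === Region priority: 772 (rule prio: 3 entry: 4)===
       sw_index = 63 | hw_index = 45
===========================================
Rule ID: 4132 Scope 4 Src EPG: 32771 Dst EPG: 49155 Filter 6
Curr TCAM resource:
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 66 | hw_index = 41
   === Region priority: 771 (rule prio: 3 entry: 3)===
       sw_index = 67 | hw_index = 42
"""

# Shortened SecurityGroupKeyTable0 dumps of hw_index 41 (ICMP) and 42 (TCP port 80).
ENTRY_41 = """\
ENTRY[000041] =
               sg_label=0x4
               sclass=0x8003
               dclass=0xc003
               prot=0x1 (IP Protocol 0x01 = ICMP)
sup_tx_mask=0x1
               dport_mask=0xffff
               valid=0x1
"""
ENTRY_42 = """\
ENTRY[000042] =
               sg_label=0x4
               sclass=0x8003
               dclass=0xc003
               prot=0x6 <--
               dport=0x50 <--
"""

_RULE_HDR = re.compile(r"Rule ID: (\d+) Scope (\d+) Src EPG: (\d+) Dst EPG: (\d+) Filter (\w+)")
_HW_IDX = re.compile(r"hw_index = (\d+)")
_ENTRY = re.compile(r"ENTRY\[(\d+)\]")
_FIELD = re.compile(r"^\s*(\w+)=(0x[0-9a-fA-F]+)")  # trailing text such as "<--" is ignored
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_aclqos_rules(text):
    """Return {rule_id: {scope, src, dst, filter, hw_index: [...]}}; a rule may own several entries."""
    rules, current = {}, None
    for line in text.splitlines():
        m = _RULE_HDR.search(line)
        if m:
            current = int(m.group(1))
            rules[current] = {"scope": int(m.group(2)), "src": int(m.group(3)),
                              "dst": int(m.group(4)), "filter": m.group(5), "hw_index": []}
            continue
        m = _HW_IDX.search(line)
        if m and current is not None:
            rules[current]["hw_index"].append(int(m.group(1)))
    return rules


def parse_tcam_entry(text):
    """Return {'entry': n, 'fields': {name: int}} from one ENTRY[...] dump."""
    entry, fields = None, {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            entry = int(m.group(1))
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
    return {"entry": entry, "fields": fields}


def describe_match(entry):
    """L4 match of an entry: protocol name, plus the destination port when one is keyed."""
    f = entry["fields"]
    proto = IP_PROTO.get(f.get("prot"), f"proto {f.get('prot')}")
    return f"{proto} dport {f['dport']}" if "dport" in f else proto


def verify_entry(rule, entry):
    """Cross-check a dumped entry against the rule that should own it; [] means consistent."""
    f, problems = entry["fields"], []
    if entry["entry"] not in rule["hw_index"]:
        problems.append(f"entry {entry['entry']} not in hw_index {rule['hw_index']}")
    for field, expected in (("sclass", rule["src"]), ("dclass", rule["dst"]), ("sg_label", rule["scope"])):
        if f.get(field) != expected:
            problems.append(f"{field}={f.get(field)} expected {expected}")
    return problems


if __name__ == "__main__":
    rules = parse_aclqos_rules(ACLQOS_RULES)
    for dump in (ENTRY_41, ENTRY_42):
        e = parse_tcam_entry(dump)
        print(e["entry"], describe_match(e), verify_entry(rules[4132], e) or "OK")
```

The sg_label field of the dumped entries equals the "Scope 4" shown in the aclqos zoning-rules output, which is why verify_entry compares it alongside sclass and dclass; a non-empty result means the hardware entry does not implement the rule you think it does.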

Troubleshoot Hardware Programming Issues

This section provides some useful troubleshooting commands and tips.

Useful Troubleshooting Commands

These are some useful commands that you can use in order to find leaf Policy Manager errors when issues are encountered:

fab1_leaf1# show system internal policy-mgr event-history errors

1) Event:E_DEBUG, length:84, at 6132 usecs after Mon Sep 8 13:15:56 2014
   [103] policy_mgr_handle_ctx_mrules(779): ERROR: Failed to process prio(1537): (null)

2) Event:E_DEBUG, length:141, at 6105 usecs after Mon Sep 8 13:15:56 2014
   [103] policy_mgr_process_mrule_prio_aces(646): ERROR: Failed to insert iptables rule for rule(4120) , fentry(5_0) with priority(1537): (null)

[snip]

fab1_leaf1# show system internal policy-mgr event-histor trace

[1409945922.23737] policy_mgr_ppf_hdl_close_state:562: Got close state callback
[1409945922.23696] policy_mgr_ppf_rdy_ntf_fun:239: StatStoreEnd returned: 0x0(SUCCESS)
[1409945922.23502] policy_mgr_ppf_rdy_ntf_fun:208: ppf ready notification: sess_id: (0xFF0104B400005B51)
[1409945922.23475] policy_mgr_ppf_rdy_ntf_fun:205: Got ready notification callback with statustype (4)
[1409945921.983476] policy_mgr_gwrap_handler:992: Dropped...now purging it...
[1409945921.982882] policy_mgr_ppf_goto_state_fun:481: Sess id (0xFF0104B400005B

[snip]

module-1# show system internal aclqos event-history trace

T [Fri Sep 5 13:18:24.863283] ============= Session End ============
T [Fri Sep 5 13:18:24.862924] Commit phase: Time taken 0.62 ms, usr 0.00 ms, sys 0.00 ms
T [Fri Sep 5 13:18:24.862302] ppf session [0xff0104b410000087] commit ... npinst 1
T [Fri Sep 5 13:18:24.861421] Verify phase: Time taken 0.77 ms, usr 0.00 ms, sys 0.00 ms
T [Fri Sep 5 13:18:24.860615] ============= Session Begin ============
T [Fri Sep 5 13:18:24.830472] ============= Session End ============
T [Fri Sep 5 13:18:24.830062] Commit phase: Time taken 0.98 ms, usr 0.00 ms, sys 0.00 ms
T [Fri Sep 5 13:18:24.829085] ppf session [0xff0104b410000086] commit ... npinst 1
T [Fri Sep 5 13:18:24.827685] Verify phase: Time taken 2.04 ms, usr 0.00 ms, sys 0.00 ms
T [Fri Sep 5 13:18:24.825388] ============= Session Begin ============
T [Fri Sep 5 12:32:51.364225] ============= Session End ============
T [Fri Sep 5 12:32:51.363748] Commit phase: Time taken 0.64 ms, usr 0.00 ms,

[snip]

Tip: Some of these files are large, so it is easier to send them to bootflash and examine them in an editor.

module-1# show system internal aclqos ?
  asic            Asic information
  brcm            Broadcam information
  database        Database
  event-history   Show various event logs of ACLQOS
  mem-stats       Show memory allocation statistics of ACLQOS
  prefix          External EPG prefixes
  qos             QoS related information
  range-resource  Zoning rules L4 destination port range resources
  regions         Security TCAM priority regions
  span            SPAN related information
  zoning-rules    Show zoning rules

module-1# show system internal aclqos event-history ?
  errors        Show error logs of ACLQOS
  msgs          Show various message logs of ACLQOS
  ppf           Show ppf logs of ACLQOS
  ppf-parse     Show ppf-parse logs of ACLQOS
  prefix        Show prefix logs of ACLQOS
  qos           Show qos logs of ACLQOS
  qos-detail    Show detailed qos logs of ACLQOS
  span          Show span logs of ACLQOS
  span-detail   Show detailed span logs of ACLQOS
  trace         Show trace logs of ACLQOS
  trace-detail  Show detailed trace logs of ACLQOS
  zoning-rules  Show detailed logs of ACLQOS

Troubleshooting Tips

These are some useful troubleshooting tips:

  • If you seem to run into TCAM exhaustion issues, check the UI or CLI for faults associated with the rule in question. This fault might be reported:
    Fault F1203 - Rule failed due to hardware programming error.
    A rule might take more than one TCAM entry in the Application-Specific Integrated Circuit (ASIC). In order to view the number of entries in the ASIC, enter these commands:
    fab1-leaf1# vsh_lc

    module-1# show platform internal ns table-health
    VLAN STATE curr usage: 0 - size: 4096
    QQ curr usage: 0 - size: 16384
    SEG STATE curr usage: 0 - size: 4096
    SRC TEP curr usage: 0 - size: 4096
    POLICY KEY curr usage: 0 - size: 1
    SRC VP curr usage: 0 - size: 4096
    SEC GRP curr usage: 43 - size: 4096

    Note: In this example, there are currently 43 entries. This usage is also reported to the APIC in the eqptCapacity class.

  • When there are multiple matches, the TCAM lookup returns the lower HW index. In order to verify the index, enter this command:
    show system internal aclqos zoning-rule
    When you troubleshoot, you might observe drops caused by the any-any implicit rule. This rule is always at the bottom, which means that the packet is dropped because no rule exists for it. This is due either to a misconfiguration or to the Policy Element Manager not programming the rule as expected.

  • pcTags can have a local or a global scope:

    • Globally scoped pcTag - this pcTag usually has a lower value (fewer than four digits in decimal form).

    • Locally scoped pcTag - this pcTag uses a larger value (five digits in decimal form).

  • When you troubleshoot, a quick look at the length of the value indicates its scope.
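The capacity check and the pcTag scope heuristic from the tips above, as an added Python example that is not part of the Cisco document: it parses show platform internal ns table-health to flag tables approaching exhaustion (the situation behind fault F1203) and applies the document's digit-count heuristic for telling global from local pcTags. The table-health capture is the one shown above; the utilization threshold, the "ambiguous" label for four-digit values and the function names are this example's own.

```python
"""Added example, not from the Cisco document: read `show platform internal
ns table-health` to flag tables approaching exhaustion, and apply the
document's digit-count heuristic for classifying pcTag scope. The capture
is the one in the document; the threshold, the 'ambiguous' label for
four-digit values and the function names are this example's own."""
import re

# Capture from the document (43 security-group TCAM entries in use).
TABLE_HEALTH = """\
module-1# show platform internal ns table-health
VLAN STATE curr usage: 0 - size: 4096
QQ curr usage: 0 - size: 16384
SEG STATE curr usage: 0 - size: 4096
SRC TEP curr usage: 0 - size: 4096
POLICY KEY curr usage: 0 - size: 1
SRC VP curr usage: 0 - size: 4096
SEC GRP curr usage: 43 - size: 4096
"""

_TABLE = re.compile(r"^(.*?)\s+curr usage:\s*(\d+)\s*-\s*size:\s*(\d+)\s*$")


def parse_table_health(text):
    """Return {table_name: (used, size)}; the prompt line does not match and is skipped."""
    usage = {}
    for line in text.splitlines():
        m = _TABLE.match(line.strip())
        if m:
            usage[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return usage


def utilization(usage, table):
    """Fraction of `table` in use (0.0 to 1.0)."""
    used, size = usage[table]
    return used / size


def tables_over(usage, threshold):
    """Names of tables whose utilization is at or above `threshold` (0.0 to 1.0), sorted."""
    return sorted(name for name, (used, size) in usage.items() if used / size >= threshold)


def pctag_scope(pctag):
    """Document heuristic: fewer than four decimal digits -> global, five digits -> local.
    Four digits (and anything longer than five) is reported as 'ambiguous' here (example's own label)."""
    digits = len(str(int(pctag)))
    if digits < 4:
        return "global"
    if digits == 5:
        return "local"
    return "ambiguous"


if __name__ == "__main__":
    usage = parse_table_health(TABLE_HEALTH)
    print(f"SEC GRP utilization: {utilization(usage, 'SEC GRP'):.2%}")
    print("tables at or above 80%:", tables_over(usage, 0.8) or "none")
    for tag in (32771, 49155, 15):
        print(tag, pctag_scope(tag))
```

The same parse can be run periodically against a leaf and alerted on, which gives an earlier signal than waiting for F1203 to be raised on a rule that failed to program.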



Document ID: 119023