Introduction
This document describes the configuration of Access Policies, Static Binding (Paths) or Layer 2 Outside (L2Out) using the Static Binding method, L2Out using the Routed Bridged Network method, Layer 3 Outside (L3Out), and Virtual Machine Manager (VMM) Integration with a vSphere Distributed Switch (vDS) from bottom-up starting with the Interface Selector via the Application Policy Infrastructure Controller (APIC) GUI without using the QuickStart wizards.
This document is valid as of 2.0(1q); there are some differences in the configuration for 2.1(1h).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of Cisco Application Centric Infrastructure (ACI) technology
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Application Policy Infrastructure Controller (APIC) Image Release 2.0(1q)
- Cisco Nexus 9000 Series ACI Mode Switch Software Release 12.0(1q)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Sample Topology
This topology is used for all these examples. The External Device can be the external switch, bare-metal server, external router, or vDS.
Access Policies for Connectivity via Physical Domain
Note: The example policies are named after the purpose of the connection. For example, N3K is used for a connection that physically goes to a Nexus 3000 (N3K) switch. The naming convention does not have to be strictly followed.
High Level Instructions
- Configure Interface Profile and Interface Selectors.
- Configure Interface Policy Group.
- Configure Switch Profile and associate Interface Selector to Switch Profile.
- (Optional) Configure Virtual Port Channel Security Policy if configuring a virtual port-channel (vPC).
- Configure Attachable Access Entity Profile and associate Attachable Access Entity Profile to Interface Policy Group.
- Configure Domain and VLAN Pool and associate Attachable Access Entity Profile to Domain.
Detailed Instructions
1. Navigate to Fabric > Access Policies.
2. Navigate to Interface Policies > Profiles > Leaf Profiles.
3. Right click on Leaf Profiles and click Create Leaf Interface Profile. Now enter a name (ex. N3K).
4. Click the + sign next to Interface Selectors. Now enter a name (ex. N3K) and the Interface IDs (ex. 1/1).
5. Click OK, then Submit.
6. Navigate to Interface Policies > Policy Groups > Leaf Policy Groups.
7. Right click on Leaf Policy Groups and click on the appropriate option for an individual, port-channel, or vPC interface; enter a name (ex. N3K) and select or create the appropriate policies.
8. Click Submit.
9. Navigate back to Interface Policies > Profiles > Leaf Profiles > N3K (Leaf Interface Profile) > N3K (Access Port Selector).
10. Use the drop down to select the Policy Group to associate (eg. N3K).
11. Click Submit.
12. Navigate to Switch Policies > Profiles > Leaf Profiles.
13. Right click on Leaf Profiles and click Create Leaf Profile. Now enter a name (ex. Leaf101).
14. Click the + sign next to Leaf Selectors. Now enter a name (eg. Leaf101) and use the drop down under Blocks to select the switch(es) to associate.
15. Click Update, then Next and then Finish.
16. Steps 17 and 19 are only required if configuring a vPC.
17. (Optional) Navigate to Switch Policies > Policies > Virtual Port Channel default.
18. (Optional) Click the + sign next to Explicit VPC Protection Groups. Now enter a name (ex. Leaf101-Leaf102), ID (eg. 100), and use the drop downs to select Switch 1 (eg. 101) and Switch 2 (eg. 102).
19. (Optional) Click Submit.
20. Select Leaf101 (Leaf Profile).
21. Click the + sign next to Associated Interface Selector Profiles; use the drop down to select the Interface Profile to associate (eg. N3K).
22. Click Submit.
23. Navigate to Global Policies > Attachable Access Entity Profiles.
24. Right click on Attachable Access Entity Profiles and click Create Attachable Access Entity Profile. Now enter a name (eg. N3K).
25. Click Next, and then Finish.
26. Navigate back to Interface Policies > Policy Groups > Leaf Policy Groups > N3K (Policy Group).
27. Use the drop down under Attached Entity Profile and select the Attachable Access Entity Profile to associate (ex. N3K).
28. Click Submit.
29. Navigate to Physical and External Domains > Physical Domains.
30. Right click Physical Domains and then click Create Physical Domain; enter a name (ex. N3K), use the drop down to associate the Associated Attachable Entity Profile (eg. N3K), use the drop down to Create VLAN Pool.
31. Enter a name (eg. N3K) and choose the appropriate dynamic/static allocation.
32. Click the + sign next to Encap Blocks. Now enter the VLAN numbers and choose the appropriate dynamic/static allocation.
33. Click OK, then Submit, and then Submit.
Static Binding (Paths) for Bare-Metal Server(s) or L2Out Configuration using the Static Binding Method
L2Out Configuration using the Static Binding Method Prerequisites
The assumption is that the Endpoint Group (EPG), Bridge Domain (BD), and VRF have been created and that the BD is set to Layer 2 (L2) mode (uncheck Unicast Routing under L3 Configurations and set all options in Main to Flood).
High Level Instructions
- Configure Access Policies.
- Associate Domain to EPG.
- Configure Static Binding (Paths) to Bare-Metal Server(s) or L2Out switch.
Detailed Instructions
1. Complete Access Policies for Connectivity via Physical Domain instructions above.
2. Navigate to the EPG to add the static binding to (eg. Tenants > Tenant1 > Application Profiles > AP1 > Application EPGs > EPG1).
3. Select Domains (VMs and Bare-Metals).
4. Navigate to ACTIONS > Add Physical Domain Association. Now use the drop down to select the Physical Domain to associate (eg. N3K), and choose the appropriate immediacy (eg. Immediate/Immediate).
5. Click Submit.
6. Select Static Bindings (Paths).
7. Navigate to ACTIONS > Deploy Static EPG on PC, VPC, or Interface. Now select the appropriate path type and path, enter the Encap VLAN, and choose the appropriate immediacy (eg. Immediate) and mode (eg. Trunk).
8. Click Submit.
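A static binding only takes effect when every link built in the two procedures above resolves: interface selector, policy group, Attachable Access Entity Profile, domain, VLAN pool, and the EPG's domain association. The following Python check is an added example, not Cisco code; it walks that chain over a constructed dictionary model (not the APIC object model or API), using the page's example names (N3K, Leaf101, EPG1) and an assumed VLAN block of 100-199.

```python
# Added example: constructed model of the policy chain, not APIC's object model or API.
# Names are the page's examples; the 100-199 VLAN block is an assumed sample value.
FABRIC = {
    "switch_profiles": {"Leaf101": {"nodes": {101}, "interface_profiles": ["N3K"]}},
    "interface_profiles": {"N3K": {"N3K": {"ports": {"1/1"}, "policy_group": "N3K"}}},
    "policy_groups": {"N3K": {"aaep": "N3K"}},
    "aaeps": {"N3K": {"domains": ["N3K"]}},
    "domains": {"N3K": {"vlan_pool": "N3K"}},
    "vlan_pools": {"N3K": [(100, 199)]},
    "epgs": {"EPG1": {"domains": ["N3K"]}},
}

def check_static_binding(fabric, epg, node, port, vlan):
    """Return a list naming the first broken link; empty means the binding resolves."""
    # 1. Switch profile -> interface profile -> interface selector covering node/port.
    selectors = [
        sel
        for sp in fabric["switch_profiles"].values() if node in sp["nodes"]
        for ip in sp["interface_profiles"]
        for sel in fabric["interface_profiles"].get(ip, {}).values()
        if port in sel["ports"]
    ]
    if not selectors:
        return [f"no interface selector covers node {node} port {port}"]
    # 2. Selector -> policy group -> AAEP.
    aaeps = set()
    for sel in selectors:
        pg = fabric["policy_groups"].get(sel.get("policy_group"), {})
        if pg.get("aaep") in fabric["aaeps"]:
            aaeps.add(pg["aaep"])
    if not aaeps:
        return ["interface selector has no policy group with an AAEP"]
    # 3. AAEP -> domain, restricted to domains the EPG is associated with.
    port_domains = {d for a in aaeps for d in fabric["aaeps"][a]["domains"]}
    shared = port_domains & set(fabric["epgs"][epg]["domains"])
    if not shared:
        return [f"EPG {epg} has no domain in common with the port's AAEP"]
    # 4. Domain -> VLAN pool -> encap block containing the binding's VLAN.
    for dom in shared:
        pool = fabric["vlan_pools"].get(fabric["domains"][dom]["vlan_pool"], [])
        if any(lo <= vlan <= hi for lo, hi in pool):
            return []
    return [f"VLAN {vlan} is not in the VLAN pool of domain(s) {sorted(shared)}"]
```

Running the same check before deploying a binding shows which association is missing, and it makes visible that the VLAN pool and domain bound what an EPG may be deployed on a given port.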
L2Out Configuration using the Routed Bridged Network Method
High Level Instructions
- Configure Access Policies.
- Configure External Bridged Network.
- Apply appropriate Contracts.
Detailed Instructions
1. Complete Access Policies for Connectivity via Physical Domain instructions above, except replace step 29 with External Bridged Domains and step 30 with Create Layer 2 Domain.
2. Navigate to the appropriate Tenant (eg. Tenant1) > Networking > External Bridged Networks.
3. Right click on External Bridged Networks and then click Create Bridged Outside. Now enter a name (ex. L2Out), use the drop down to select the External Bridged Domain to associate (ex. N3K), use the drop down to select the Bridge Domain to associate (ex. BD1), and enter the VLAN for this L2Out.
4. Click Next and then Finish.
5. Navigate to L2Out (L2 Outside) > Node Profiles.
6. Right click on Node Profiles and then click Create Node Profile. Now enter a name (eg. Leaf101).
7. Click the + sign next to Interface Profiles. Now enter a name (eg. eth1_1).
8. Click the + sign next to Interfaces. Now select the appropriate path type and path.
9. Click OK, then OK and then Submit.
10. Navigate to Networks.
11. Right click on Networks and click Create External Network; enter a name (eg. L2Out-EPG).
12. Click Submit.
13. Apply contracts appropriately between the L2Out EPG (eg. L2Out-EPG) and the Application EPG (eg. EPG1) for communication.
L3Out Configuration
Prerequisites
The assumption is that routing is done via static routes using a single Tenant and VRF, that the EPG, BD, and VRF have been created, and that the BD is set to Layer 3 (L3) mode (check Unicast Routing under L3 Configurations).
High Level Instructions
- Configure Access Policies.
- Configure External Routed Network.
- Associate the L3Out to Bridge Domain.
- Apply appropriate Contracts.
Detailed Instructions
1. Complete Access Policies for Connectivity via Physical Domain instructions above, except replace step 25 with External Routed Domains and step 26 with Create Layer 3 Domain.
2. Navigate to the appropriate Tenant (ex. Tenant1) > Networking > External Routed Networks.
3. Right click on External Routed Networks and click on Create Routed Outside; enter a name (eg. L3Out), use the drop down to select the VRF to associate (eg. VRF1), and use the drop down to select the External Routed Domain to associate (eg. N3K).
4. Click Next and then Finish.
5. Navigate to L3Out (L3 Outside) > Logical Node Profiles.
6. Right click Logical Node Profiles and click Create Node Profile. Now enter a name (eg. Leaf101).
7. Click the + sign next to Nodes. Now select the appropriate node and enter a Router ID.
8. Click the + sign next to Static Routes. Now enter the route prefix.
9. Click the + sign next to Next Hop Addresses. Now enter the Next Hop IP.
10. Click Update, then OK, and then OK.
11. Repeat steps 7 and 10 as needed for each node to add.
12. Click Submit.
13. Navigate to Leaf101 (Logical Node Profile) > Logical Interface Profiles.
14. Right click on Logical Interface Profiles and click Create Interface Profile. Now enter a name (eg. eth1_1).
15. Click Submit.
16. Select eth1_1 (Logical Interface Profile).
17. Click the + sign next to Routed Interfaces, SVI, or Routed Sub-Interfaces depending on the desired configuration. Now select the appropriate path type and path, and assign the appropriate IP addresses for the interface(s).
18. Click Submit.
19. Select Networks.
20. Right click on Networks and click Create External Network. Now enter a name (ex. L3Out-EPG).
21. Click Submit.
22. Select L3Out-EPG (External Network Instance Profile).
23. Click the + sign next to Subnets. Now enter the external subnet behind this L3Out and check External Subnets for the External EPG.
24. Click Submit.
25. Repeat steps 23 and 24 as needed for each subnet to add.
26. Click Submit.
27. Navigate to the BD of the Application EPG (eg. BD1) > L3 Configurations.
28. Click the + sign next to Associated L3 Outs. Now use the drop down to select the L3Out to associate (ex. Tenant1/L3Out).
29. Click Update.
30. Apply contracts appropriately between the L3Out EPG (eg. L3Out-EPG) and the Application EPG (eg. EPG1) for communication.
VMM Integration with a vDS Configuration
Note: The vCenter instructions assume familiarity with vCenter, so they are brief; the names under the Access Policies have been changed from N3K to DVS (Distributed Virtual Switch) in this example. The terms vSphere Distributed Switch (vDS) and Distributed Virtual Switch (DVS) are used interchangeably as they are referring to the same thing.
High Level Instructions
- Configure Access Policies.
- Configure VMM Domain.
- Add uplinks to vDS.
- Associate VMM Domain to EPG.
- Add VMs to portgroup.
- Verify Connectivity.
Detailed Instructions
1. Complete Access Policies for Connectivity via Physical Domain instructions above, except stop after completing step 24.
2. Navigate to VM Networking > Inventory > VMWare.
3. Right click on VMWare and click Create vCenter Domain.
4. Enter a name (eg. DVS), use the drop down to select the Attachable Entity Profile to associate (ex. DVS), and use the drop down to select Create VLAN Pool to create the VLAN pool to be used with the DVS.
5. Enter a name (ex. DVS), and choose the appropriate dynamic/static allocation (ex. Dynamic Allocation).
6. Click the + sign next to Encap Blocks. Now enter the VLAN numbers and choose the appropriate dynamic/static allocation (ex. Inherit allocMode from parent).
7. Click OK, then Submit.
8. Click the + sign next to vCenter Credentials. Now enter a name (eg. vCenter-6), username (eg. root), and password.
9. Click OK.
10. Click the + sign next to vCenter/vShield. Now enter a name (ex. vCenter-6), IP address, select the appropriate DVS version (ex. vCenter Default), enter the Datacenter name as it appears on vCenter (ex. DC), and use the drop down to select the Associated Credential.
11. Click OK and then Submit.
12. Navigate to DVS (Domain), scroll down to the vSwitch Policies and select the appropriate vSwitch Policies.
13. Click Submit.
14. Switch over to vCenter; the new vDS should be created (eg. DVS) under a folder in the Datacenter (eg. DC).
15. Right click the vDS and add the hosts and appropriate uplinks to the vDS.
16. Switch back to the APIC GUI.
17. Navigate to the appropriate EPG (eg. Tenant1 > AP1 > EPG1) > Domains (VMs and Bare-Metals).
18. Click ACTIONS > Add VMM Domain Association. Now use the drop down to select the VMM Domain to associate (eg. DVS), and choose the appropriate immediacy (eg. Immediate/Immediate).
19. Click Submit.
20. Switch over to vCenter; the new portgroup should be created under the vDS (eg. Tenant1|AP1|EPG1).
21. Select a VM; edit settings for the NIC to be associated to this portgroup.
Verify Connectivity
- Switch back to the APIC GUI.
- Navigate to the appropriate EPG (eg. EPG1) > Operational.
- The VM should be learned in this tab (vmm = vCenter knows about the IP; learned = ACI leaf sees traffic from this IP).