Appendix

Classes

The Application Policy Infrastructure Controller (APIC ) classes are crucial from an operational perspective to understand how system events and faults relate to objects within the object model. Each event and/or fault in the system is a unique object that can be accessed for configuration, health, fault, and/or statistics.

All the physical and logical components that comprise the Application Centric Infrastructure fabric are represented in a hierarchical management information tree (MIT). Each node in the tree represents a managed object (MO) or group of objects that contains its administrative state and its operational state.

The programmatic REST API uses a REST architecture. The API accepts and returns HTTP or HTTPS messages that contain JSON or XML documents. You can use any programming language to generate the messages, and the JSON or XML documents that contain the API methods or managed object (MO) descriptions.

You can invoke an API function by sending an HTTP/1.1 or HTTPS POST, GET, or DELETE message to the APIC. The HTML body of the POST message contains a JSON or XML data structure that describes an MO or an API method. The HTML body of the response message contains a JSON or XML structure that contains requested data, confirmation of a requested action, or error information.

To access the complete list of classes, point to the APIC and reference the doc/html directory at the end of the URL:

https://apic_ip_address/doc/html/

Fabric Monitoring

topSystem

Name: top:System

Description: Provides a list of all the devices within the fabric, including controllers, leafs and spines.

Usage: The topSystem class can be used to derive object properties including inb/oob management details, current time, system uptime and current state.

topSystem REST :: https://172.16.96.2/api/node/class/topSystem.json

fabricNode

Name: fabric:Node

Description: Provides a list of all the nodes that are part of the fabric, including controllers, leafs and spines.

Usage: The fabricNode class can be used to derive object properties including node serial numbers, assigned node ids, node model numbers and device roles.

fabricNode REST :: https://172.16.96.2/api/node/class/fabricNode.json

faultInst

Name: fault:Inst

Description: Contains detailed information of the fault. This object is attached as a child of the object on which the fault condition occurred. One instance object is created for each fault condition of the parent object. A fault instance object is identified by a fault code.

Usage: The faultInst class can be used to derive all faults associated with the fabric, tenant or individual managed objects within the APIC.

 faultInst REST :: https://172.16.96.2/api/node/class/faultInst.json

fabricHealthTotal

Name: fabric:HealthTotal

Description: The fabric total health score instance.

Usage: The fabricHealthTotal class can be used to derive the overall system health.

 fabricHealthTotal REST :: https://172.16.96.2/api/node/class/fabricHealthTotal.json

fvCEp

Name: fv:CEp

Description: A client endpoint attaching to the network.

Usage: The fvCEp class can be used to derive a list of end points attached to the fabric and the associated ip/mac address and encapsulation for each object.

 fvCEp REST :: https://172.16.96.2/api/node/class/fvCEp.json

fvRsCEpToPathEp

Name: fv:RsCEpToPathEp

Description: This is an internal object that provides a relation to a path endpoint.

Usage: The fvRsCEpToPathEp class can be used to derive path fabric details such as the node and port as well as the tenant details such as the tenant name, application profile and end point group.

 fvRsCEpToPathEp REST :: https://172.16.96.2/api/node/class/fvRsCEpToPathEp.json

eqptFabP

Name: eqpt:FabP

Description: Fabric port, the fabric facing external IO port.

Usage: The eqptFabP class can be used to derive a list of fabric port and the associated details such as the line card and chassis placement.

 eqptFabP REST :: https://172.16.96.2/api/node/class/eqptFabP.json

eqptLeafP

Name: eqpt:LeafP

Description: Fabric port, the non-fabric facing external leaf IO port.

Usage: The eqptFabP class can be used to derive a list of non-fabric port and the associated details such as the line card and chassis placement.

 eqptLeafP REST :: https://172.16.96.2/api/node/class/eqptLeafP.json

eqptCh

Name: eqpt:ChA

Description: The hardware chassis container.

Usage: The eqptCh class can be used to derive a chassis list and the associated details such as the operational state, serial number and model number.

 eqptCh REST :: https://172.16.96.2/api/node/class/eqptCh.json

eqptLC

Name: eqpt:LCA

Description: The line card (IO card), containing IO ports.

Usage: The eqptLC class can be used to derive a list of line cards deployed within the fabric and the associated details such as the redundancy state, model, serial numbers and the number of ports.

 eqptLC REST :: https://172.16.96.2/api/node/class/eqptLC.json

eqptFt

Name: eqpt:Ft

Description: The inventoried fan tray.

Usage: The eqptFt class can be used to derive a list of fan trays and the associated details such as the operational status, model number, serial number and hardware version.

 eqptFt REST :: https://172.16.96.2/api/node/class/eqptFt.json

eqptPsu

Name: eqpt:Psu

Description: The power supply unit.

Usage: The eqptFt class can be used to derive a list of power supplies within the fabric and the associated details such as the model number, serial number, operational status, and the voltage source.

 eqptPsu REST :: https://172.16.96.2/api/node/class/eqptPsu.json

eqptSupC

Name: eqpt:SupC

Description: The supervisor card, which contains the CPU running control plane.

Usage: The eqptFt class can be used to derive a list of supervisor cards deployed within the fabric and the associated details such as the model number, serial number, operational status and redundancy state.

 eqptSupC REST :: https://172.16.96.2/api/node/class/eqptSupC.json

ethpmPhysIf

Name: ethpm:PhysIf

Description: The physical interface information holder.

Usage: The ethpmPhysIf class can be used to derive a list of physical interfaces in the fabric and the associated details such as a the speed, duplex, operational status, and usage state.

 ethpmPhysIf REST :: https://172.16.96.2/api/node/class/ethpmPhysIf.json

dbgAcTrail

Name: dbg:AcTrail

Description: The atomic counter trail.

Usage: The dbgAcTrail class can be used to derive a list of the atomic counters deployed within the fabric and the associated details such as dropped packet statistics and packet counts.

 dbgAcTrail REST :: https://172.16.96.2/api/node/class/dbgAcTrail.json

dbgEpgToEpgRslt

Name: dbg:EpgToEpgRslt

Description: The endpoint group to endpoint group atomic counter, on-demand, entry.

Usage: The dbgEpgToEpgRsIt class can be used to derive a list of the EPG to EPG atomic counters deployed within the fabric, and the associated details such as dropped packet statistics and packet counts.

 dbgEpgToEpgRsIt REST :: https://172.16.96.2/api/node/class/dbgEpgToEpgRslt.json

dbgEpToEpRslt

Name: dbg:EpToEpRslt

Description: The endpoint to endpoint atomic counter, On-demand, Entry.

Usage: The dbgEpToEpTsIt class can be used to derive a list of the endpoint to endpoint atomic counters deployed within the fabric and the associated details such as dropped packet statistics and packet counts.

 dbgEpToEpTsIt REST :: https://172.16.96.2/api/node/class/dbgEpToEpRslt.json

VM_Monitoring

compVm

Name: comp:Vm

Description: The Virtual machine object.

Usage: The compVm class can be used to derive a list of virtual machines deployed within the fabric and the associated details such as the name and state.

 compVm REST :: https://172.16.96.2/api/node/class/compVm.json

compHv

Name: comp:Hv

Description: An object representing the compute hypervisor.

Usage: The compVm class can be used to derive a list of compute hypervisor deployed within the fabric and the associated details such as the name and status.

 compHv REST :: https://172.16.96.2/api/node/class/compHv.json

fvRsVm

Name: fv:RsVm

Description: A relation to a virtual machine connected to a hypervisor. This is an internal object.

Usage: The fvRsVm class can be used to derive the relationship of the virtual machines connected to the hypervisor.

 vRsVm REST :: https://172.16.96.2/api/node/class/fvRsVm.json

fvRsHyper

Name: fv:RsHyper

Description: A relation to the hypervisor that controls and monitors the APIC VMs. This is an internal object.

Usage: The fvRsHyper class can be used to derive the relationship of the hypervisor that controls and monitors the APIC VMs.

 fvRsHyper REST :: https://172.16.96.2/api/node/class/fvRsHyper.json

vmmCtrlrP

Name: vmm:CtrlrP

Description: The VMM controller profile, which specifies how to connect to a single VM management controller that is part of containing policy enforcement domain. For example, the VMM controller profile could be a policy to connect a VMware vCenter that is part a VMM domain.

Usage: The vmmCtrlrP class can be used to derive the ip address and the datacenter name of the connected VM domain.

 vmmCtrlrP REST :: https://172.16.96.2/api/node/class/vmmCtrlrP.json

Layer 4 to Layer 7 Monitoring

vnsAbsGraph

Name: vnsAbsGraph

Description: The abstract graph is made up of abstract nodes and used to define the traffic flow through a service function such as load balancing, SSL offload, or firewall. Abstract nodes are comprised of service nodes such as a service node balancer (SLB) or firewall (FW), abstract term nodes (the nodes that are connected to endpoint groups), and connections.

Usage: The class vnsAbsGraph can be used to derive a list of service graph templates configured on the APIC, along with their properties.

 vnsAbsGraph  REST :: https://172.16.96.2/api/node/class/vnsAbsGraph.json

vnsLDevVip

Name: vnsLDevVip

Description: An L4-L7 device cluster, which is represented by a single virtual IP (VIP). The configuration is pushed down to the VIP address.

Usage: The class vnsLDevVip can be used to derive all the VIPs configured for the logical device clusters in the fabric

 vnsLDevVip  REST :: https://172.16.96.2/api/node/class/vnsLDevVip.json

vnsCDev

Name: vnsCDev

Description: The individual service device, which is used to define a concrete l4-l7 service device.

Usage: The class vnsCDev can be used to derive a list of concrete devices configured as part of the L4-7 service integration

 vnsCDev  REST :: https://172.16.96.2/api/node/class/vnsCDev.json

vnsLif

Name: vnsLif

Description: The logical interface, which is associated with a set of concrete interfaces from the L4-L7 device cluster.

Usage: The class vnsLif can be used to derive the connection between a service graph and device interfaces.

 vnsLif  REST :: https://172.16.96.2/api/node/class/vnsLIf.json

vnsLDevCtx

Name: vnsLDevCtx

Description: A device cluster context, which points to the device cluster used to pick a specific device based on contract, subject, and function label or names. To specify a wild card, set the name to Any.

Usage: The class vnsLDevCtx can be used to derive the node and contract name.

 nsLDevCtx  REST :: https://172.16.96.2/api/node/class/vnsLDevCtx.json

vnsRsLDevCtxToLDev

Name: vnsRsLDevCtxToLDev

Description: A source relation to the abstraction of a service device cluster or of a proxy object for a logical device cluster in the tenant.

Usage: The class vnsRsLDevCtxToLDev can be used to derive the relationship between vnsLDevCtx and vnsLDev.

 vnsRsLDevCtxToLDev  REST :: https://172.16.96.2/api/node/class/vnsRsLDevCtxToLDev.json

Statistics

compHostStats1h

Name: comp:HostStats1h

Description: A class that represents the most current statistics for host in a 1 hour sampling interval. This class updates every 15 minutes.

Usage: The compHostStats1h class can be used to derive the statistics associated with the compute hypervisor.

 compHostStats1h REST :: https://172.16.96.2/api/node/class/compHostStats1h.json

compRcvdErrPkts1h

Name: comp:RcvdErrPkts1h

Description: A class that represents the most current statistics for received error packets in a 1 hour sampling interval. This class updates every 15 minutes.

Usage: The compRcvdErrPkts1h class can be used to derive the most current statistics for received error packets.

 compRcvdErrPkts1h REST :: https://172.16.96.2/api/node/class/compRcvdErrPkts1h.json

compTrnsmtdErrPkts1h

Name: comp:TrnsmtdErrPkts1h

Description: A class that represents the most current statistics for transmitted error packets in a 1 hour sampling interval. This class updates every 15 minutes.

Usage: The compTrnsmtdErrPkts1h class can be used to derive the most current statistics for transmitted error packets.

 compTrnsmtdErrPkts1h REST :: https://172.16.96.2/api/node/class/compTrnsmtdErrPkts1h.json

Authentication, Authorization, and Accounting

aaaModLR

Name: aaa:ModLR

Description: The AAA audit log record. A log record is automatically generated whenever a user modifies an object.

Usage: The aaaModLR class can be used to derive a fabric based audit log for all changes and events.

 aaaModLR REST :: https://172.16.96.2/api/node/class/aaaModLR.json

aaaUser

Name: aaa:User

Description: A locally-authenticated user account.

Usage: The aaaUser class can be used to derive a list of user accounts deployed within the fabric.

 aaaUser REST :: https://172.16.96.2/api/node/class/aaaUser.json

aaaRemoteUser

Name: aaa:RemoteUser

Description: A remote user login account.

Usage: The aaaUser class can be used to derive a list of remote user accounts deployed within the fabric.

 aaaRemoteUser REST :: https://172.16.96.2/api/node/class/aaaRemoteUser.json

Fabric Capacity

Policy TCAM

Name: eqptcapacityPolEntry5min

Description: Policy CAM entry statistics. A class that represents the most current statistics for policy entry in a 5 minute sampling interval. This class updates every 10 seconds.

Usage: The eqptcapacityPolEntry5min class can be used to derive the current value associated with the Policy TCAM usage.

 eqptcapacityPolEntry5min REST :: https://172.16.96.2/api/class/eqptcapacityPolEntry5min.json

Prefix TCAM

Name: eqptcapacityL3Entry5min

Description: Layer3 entry statistics. A class that represents the most current statistics for layer3 entry in a 5 minute sampling interval. This class updates every 10 seconds.

Usage: The eqptcapacityL3Entry5min class can be used to derive the current value associated with the Prefix TCAM usage.

 eqptcapacityL3Entry5min  REST :: https://172.16.96.2/api/class/eqptcapacityL3Entry5min.json

SNMP and Syslog

SNMP Trap Destination

Name: snmpTrapDest

Description: "background-color:rgb(255, 255, 255); color:rgb(51, 51, 51)">A destination to which traps and informs are sent.

Usage: The snmpTrapDest class can be used to derive the current list of snmp trap destinations implemented within the fabric.

 snmpTrapDest REST :: https://172.16.96.2/api/node/class/snmpTrapDest.json

Syslog Remote Destination Host

Name: syslogRemoteDest

Description: The syslog remote destination host enables you to specify syslog servers to which messages from the APIC and fabric nodes should be forwarded.

Usage: The syslogRemoteDest class can be used to derive the current list of syslog remote destinations implemented within the fabric.

 syslogRemoteDest REST :: https://172.16.96.2/api/node/class/syslogRemoteDest.json

Use Cases

The class faultInst used in Use Case #1 and Use Case #2 below can be replaced with any of the managed object classses discussed above or specified within the APIC documentation. The Cisco APIC Command-Line Interface User Guide may also be helpful for understanding the following sections.

Case 1: Creating an application script to retrieve the current list of faults in the fabric.

This use case may be typical for environments where an ACI administrator wishes to obtain the list of current faults in the fabric. The user has the option of collecting the results via CLI, Visore, POSTMAN and/or Cobra. Please refer to the section above for application specific access and explantions.

From a CLI perspective, use the following command to perform the query:

 admin@apic1:~> moquery -c faultInst

From a Visore perspective, use the following parameters to perform the query.:

 
  Class or DN    :: faultInst
  Property       ::  n/a
  Op             :: n/a
  Value          ::  n/a

From a POSTMAN perspective, user the following REST GET to perform the query:

 GET http://<your apic ip address>/api/node/class/faultInst.xml

From a Cobra perspective, use the following class query:

 
# Class Query
  classQuery= ClassQuery(' faultInst')
  for fault in md.query(classQuery):
         print fault.name

Sample Cobra script to capture faults within the fabric:

 
#!/usr/bin/env python
  import cobra.mit.access
  import cobra.mit.session
  from cobra.mit.session import LoginSession
  from cobra.mit.request import ClassQuery
  ls = cobra.mit.session.LoginSession('https://'<your apic ip address>,  <username>, 
<password>, secure=False)
  md = cobra.mit.access.MoDirectory(ls)
  md.login()
  # Class Query
  classQuery= ClassQuery(' faultInst')
  for fault in md.query(classQuery):
         print fault.name

Case 2: Creating an application script to retrieve the current list of faults in the fabric that have been caused by a failed configuration.

This use case may be typical for environments where an ACI administrator wishes to cobtain the list of current faults in the fabric. The user has an option of collecting the results via CLI, Visore, POSTMAN and/or Cobra. Please refer to the section above for application specific access and explantions.

From a CLI perspective, use the following command to perform the query:

 admin@apic1:~> moquery -c faultInst -f 'fv.faultInst.cause=="config-failure"'

From a Visore perspective, use the following parameters to perform the query:


  Class or DN    :: faultInst
  Property       ::  cause
  Op             :: ==
  Value          ::  config-failure

From a POSTMAN perspective, use the following REST GET to perform the query:

 GET http:// <your apic ip address>/api/node/class/faultInst.xml?
query-target-filter=and(eq(faultInst.cause,"config-failure"))

From a Cobra perspective, use the following class query:

 
# Class Query
  classQuery= ClassQuery(' faultInst')
  classQuery.propFilter = 'wcard(faultInst. cause, "{0}")'.format(' config-failure')
  for fault in md.query(classQuery):
         print fault.name

Cobra Script to capture faults casued by configuration failures.

 
#!/usr/bin/env python
  import cobra.mit.access
  import cobra.mit.session
  from cobra.mit.session import LoginSession
  from cobra.mit.request import ClassQuery
  ls = cobra.mit.session.LoginSession('https://'<your apic ip address>,  <username>, 
<password>, secure=False)
  md = cobra.mit.access.MoDirectory(ls)
  md.login()
  # Class Query
  classQuery= ClassQuery(' faultInst')
  for fault in md.query(classQuery):
         print fault.name

Case 3: Creating an application script to retrieve the properties for a specific managed object, DN

This use case may be typical for environments where an ACI administrator wishes to obtain the properties of the tenant name Common. The user has an option of collecting the results via CLI, Visore, POSTMAN and/or Cobra. Please refer to the section above for application specific access and explantions.

From a CLI perspective, use the following command to perform the query:

 admin@apic1:~> moquery -d uni/tn-common

From a Visore perspective, use the following parameters to perform the query:


  Class or DN    :: uni/tn-common
  Property       ::  n/a
  Op             :: n/a
  Value          ::  n/a

From a POSTMAN perspective, use the following REST GET to perform the query:

 GET http://<your apic ip address>/api/node/mo/uni/tn-common.xml?query-target=self

From a Cobra perspective, use the following class query:

 
# DN Query  
  dnQuery= DnQuery(' uni/tn-common')  
  for results in md.query(dnQuery):         
    print results.dn

Cobra Script to capture faults casued by configuration failures.


#!/usr/bin/env python
  import cobra.mit.access
  import cobra.mit.session
  from cobra.mit.session import LoginSession
  from cobra.mit.request import DnQuery
  ls = cobra.mit.session.LoginSession('https://'<your apic ip address>, <username>,
<password>, secure=False)
  md = cobra.mit.access.MoDirectory(ls)
  md.login()
  # DN Query
  dnQuery= DnQuery('uni/tn-common')
  for results in md.query(dnQuery):
    print results.dn

Case 4: Creating an application script to retrieve the current list of endpoints (mac-addresses) attached to the fabric

This use case may be typical for environments where an ACI administrator wishes to create an application script to capture the list of current endpoints attached to the fabric along with the node details pertaining to each endpoint.

Cobra Script to capture faults caused by configuration failures.

 
#!/usr/bin/env python
  from cobra.mit.access import MoDirectory
  from cobra.mit.session import LoginSession
  from cobra.mit.request import ClassQuery
  lls = cobra.mit.session.LoginSession('https://'<your apic ip address>, <username>,
<password>, secure=False)
  md = MoDirectory(ls)
  md.login()
  q = ClassQuery('fvCEp')
  q.subtree = 'children'
  q.subtreeClassFilter = 'fvRsCEpToPathEp'
  mos = md.query(q)
  for mo in mos:
    for child in mo.rscEpToPathEp:
      print child.dn

Package Decoder

There are several abbreviations used in the names of classes in the ACI object model. Here are some descriptions of commonly used abbreviations, which may help when deciphering what class objects are when using them with REST calls.

aaa: authentication, authorization, accounting

ac: atomic counters

actrl: access control

actrlcap: access control capability

adcom: appliance director communication

aib: adjacency information base

arp: address resolution protocol

bgp: border gateway protocol

callhome: Cisco smart call home services

cap: capability

cdp: Cisco discovery protocol

cnw: node cluster

comm: communication policy

comp: compute

compat: compatibility

condition: health policy

config: configuration policy

coop: Council of Oracles protocol

copp: control plane policing policy: contains set of rules describing policer rates

ctrlr: controller

ctx: context

datetime: date/time policy

dbg: debug

dbgac: debug atomic counters

dbgexp: debug export policy

dhcp: dynamic host configuration protocol

dhcptlv: dynamic host configuration protocol type length value

dhcptlvpol: dynamic host configuration protocol type length value policy

dns: domain name service

draw: graph visualization for GUI

epm: endpoint manager

eqpt: equipment

eqptcap: equipment capability

eqptcapacity: equipment capacity

eqptdiag: equipment diagnostics

eqptdiagp: equipment diagnostics policy

ethpm: ethernet policy manager

event: event policy

extnw: external network

fabric: fabric

fault: fault policy, counters

file: file path, config import/export policy

firmware: firmware

fmcast: fabric multicast

fsm: finite state machine

fv: fabric virtualization

fvns: fabric virtualization namespace

fvtopo: fabric virtualization topology

geo: geolocation

glean: glean adjacency

ha: high availability

health: health score

hvs: hypervisors virtual switch

icmp: internet control protocol

icmpv4: internet control protocol version 4

icmpv6: internet control protocol version 6

ident: identity

igmp: internet group management protocol

igmpsnoop: internet group management protocol snooping

im: interface manager module

imginstall: image install

infra: infrastructure

ip: internet protocol

ipv4: internet protocol version 4

ipv6: internet protocol version 6

isis: intermediate system to intermediate system

isistlv: intermediate system to intermediate system type length value

l1: layer 1

l1cap: layer 1 capability

l2: layer 2

l2cap: layer 2 capability

l2ext: layer 2 external

l3: layer 3

l3cap: layer 3 capability

l3ext: layer 3 external

l3vm: Layer 3 Virtual Machine

lacp: link aggregation protocol

lbp: load balancing policy

leqpt: loose equipment (unmanaged nodes, not in the fabric)

lldp: link layer discovery protocol

lldptlv: link layer discovery protocol type length value

lldptlvpol: link layer discovery protocol type length value policy

maint: maintenance

mcast: multicast

mcp: master control processor

memory: memory statistics

mgmt: management

mo: managed object

mock: mock (objects used on the simulator mostly for showing stats/faults/etc)

mon: monitoring

monitor: monitor (SPAN)

naming: abstract for objects with names

nd: neighbor discovery

nw: network

oam: ethernet operations, administrations and management

observer: observer for statistics, fault, state, health, logs/history

opflex: OpFlex

os: operating system

ospf: open shortest path first

pc: port channel

pcons: **generated and used by internal processes**

phys: physical domain profile

ping: ping execution and results

pki: public key infrastructure

pol: policy definition

policer: traffic policing (rate limiting)

pool: object pool

pres: **generated and used by internal processes**

proc: system load, cpu, and memory utilization statistics

psu: power supply unit policy

qos: quality of service policy

qosm: qos statistics

qosp: qos/ 802.1p

rbqm: debugging

regress: regression

reln: **generated and used by internal processes**

repl: **generated and used by internal processes**

res: **generated and used by internal processes**

rib: routing information base

rmon: remote network monitoring/ interface stats/counters

rpm: route policy map

rtcom: route control community list

rtctrl: route control

rtextcom: router extended community

rtflt: route filter

rtleak: route leak

rtmap: RPM route map

rtpfx: route prefix list

rtregcom: route regular community list

rtsum: route summarization address/policy

satm: satellite manager

snmp: simple network management protocol

span: switched port analyzer

stats: statistics collection policies

statstore: statistics data holders

stormctrl: storm control (traffic suppression) policy

stp: spanning tree protocol definitions and policy

sts: Service Tag Switching (used for services insertion)

svccore: core policy

svi: switched virtual interface/ routed VLAN interface

synthetic: synthetic objects (for testing)

sysdebug: system debug

sysfile: system files

syshist: system cards reset records/history

syslog: syslog policy

sysmgr: system manager (firmware, supervisor, system states, etc)

sysmgrp: container for cores policy & abstract class for all qos policy definitions

tag: alias (use descriptive name for dn), tags (group multiple objects by a descriptive name)

task: task execution, instance, and result

test: abstract class for test rule, subject, and result

testinfralab: test infrastructure

tlv: type, length, value system structures

top: system task manager for processor activity

topoctrl: topology control policy (sharding, fabric LB, fabric VxLan, etc)

traceroute: traceroute execution and results

traceroutep: traceroute end points

trig: triggering policy

tunnel: tunneling

uribv4: ipv4 unicast routing information base entity

vlan: vlan instances

vlanmgr: vlan manager control plane

vmm: virtual macine manager (controller, vmm policy and definitions)

vns: virtual network service (L4-L7 policy and definitions)

vpc: virtual port channel (vpc policy and definitions)

vsvc: service labels (provider/consumer)

vtap: translated address of external node (NATed IP of service node)

vxlan: Virtually extensible LAN definitions

vz: virtual zones (former name of the policy controls) i.e. Contracts

Model Naming Schemes

Rs: Relationship source

Rt: Relationship target

Ag: Aggregated stats

BrCP: Binary Contract Profile

Acronyms and Definitions

This section is designed to provide a high level description of terms and concepts that get brought up in this book. While ACI does not change how packets are transmitted on a wire, there are some new terms and concepts employed, and understanding those new terms and concepts will help those working on ACI communicate with one another about the constructs used in ACI to transmit those bits. Associated new acronyms are also provided.

This is not meant to be an exhaustive list nor a completely detailed dictionary of all of the terms and concepts, only the key ones that may not be a part of the common vernacular, or which would be relevant to the troubleshooting exercises that were covered in the troubleshooting scenarios discussed.

AAA

Acronym for Authentication, Authorization, and Accounting.

Access Encapsulation

Since EPGs follows the "VLAN as an EPG" model, having multiple EPGs out a single port on a Leaf switch creates issues. When selecting which encapsulation type will be operating on the port, you must know if any other EPGs will be accessible through the port that your EPG is on. The port can have 3 different modes:

Tagged (default)—Select this mode if the traffic from the host is tagged with a VLAN ID. This tags all packets with an 802.1Q header leaving the port, including VLAN 0, and allows the user to add multiple EPGs to connect to the port without deciding which EPG will be using a native (untagged) VLAN.
Untagged—Select this mode if the traffic from the host is untagged (without VLAN ID or 802.1Q header). This requires that any endpoints in your EPG not come in on a port with any other endpoints from another EPG.
802.1P—Select this mode if the traffic from the host is tagged with an 802.1P tag. This allows multiple EPGs to come in on a single port while allowing a single EPG to not 802.1Q tag their traffic.

ACI External Connectivity

Any connectivity to and from the fabric that uses an external routed or switched intermediary system, where endpoints fall outside of the managed scope of the fabric.

ACID transactions

ACID is an acronym for Atomicity, Consistency, Isolation, Durability - properties of transactions that ensure consistency in database transactions. Transactions to APIC devices in an ACI cluster are considered ACID, to ensure that database consistency is maintained. This means that if one part of a transaction fails the entire transaction fails.

Action

Action to be taken on the filtered traffic. For example, Permit, Deny, Log, and Mark. The following actions are supported:

Permit the traffic [Regular Contracts Only]
Mark the traffic (DSCP/CoS) [Regular Contract Only]
Redirect the traffic [Regular Contract Only via Service Graph]
Copy the traffic [Regular Contract Only via Service Graph, SPAN]
Block the traffic [Taboo Contracts Only]

Log the traffic

[Taboo Contracts Only]

ALE

ACI Leaf Engine.

Anycast Gateway

Provides the same gateway IP address on each leaf switch where an endpoint resides if "Unicast Routing" is checked. A pervasive SVI provides a distributed default gateway across all leaf switches. Allows all off subnet packets to be routed directly from the originating leaf switch.

APIC

Application Policy Infrastructure Controller is a centralized policy management controller cluster. The APIC configures the intended state of the policy to the fabric. Originally called the Insieme Fabric Controller (IFC).

API

Application Programming Interface used for programmable extensibility.

Application-Centric Virtual Switch (AVS)

Originally a Nexus 1000 reprogrammed to work with ACI and VXLAN.

Application Profile

Term used to reference an application profile-managed object reference that models the logical components of an application and how those components communicate. The application profile is the key object used to represent an application and is also the anchor point for the automated infrastructure management in an ACI fabric.

In a simplified way, application profiles are a collection of different endpoint groups and the policies needed to communicate between them. Each Application Profile may contain one or more Application endpoint groups. At the application profile level, you set the QoS classification for the Applications endpoint groups defined under it. At the Application endpoint group level, you define the bridge domain. The bridge domain under Networks links to the VRF.

ASE

ACI Spine Engine.

Atomic Counters

Atomic counters detect drops and misrouting in the fabric, which enables quick debugging and isolation of application connectivity issues. Use of atomic counters is not supported when the endpoints are in different tenants or in different contexts (VRFs) within the same tenant.

Attachable Entity Profile (AEP)

This is a configuration profile of the interface that gets applied when an entity attaches to the fabric. An AEP represents a group of external entities with similar infrastructure policy requirements. AEPs are also the mechanism that ties the physical port to the domain (physical or virtual) to a switch policy. The AEP links the domain (which links the VLAN from the VLAN pool) to the switch port policy group (configuration) in the MIT. The second use of the AEP is it allows the tenant to access VMM policies that were configured by the administrator without direct access.

AV

Appliance vector.

BD-VLAN

BD-VLAN is used to represent a bridge domain and can link multiple FD-VLANs (encap VLANs) together with multiple hardware VLANs and internal VLANs. It is one forwarding aspect used by the broadcom ASIC to determine if traffic should be locally switched or forwarded to the Northstar ASIC for processing. The BD-VLAN connects different local FD-VLANs to a single bridge domain, and is used on the Broadcom ASIC to determine the layer 2 broadcast domain which might contain multiple subnets or ACCESS_ENC.

Bounce Entry

When an Endpoint moves to a different leaf switch, the leaf switch which previously had the endpoint will install a bounce entry to ensure that any traffic in transit at the time the endpoint moved continues on towards the endpoint in its new location. This occurs when a leaf forwards a packet directly to another leaf but that EP has moved to another leaf. The middle leaf will bounce the packet to the new leaf where the endpoint actually resides.

Bridge Domain (BD)

An ACI construct that defines Layer 2 forwarding behaviors (Broadcast, ARP flooding, etc.) for each unique Layer 2 forwarding domain (flood domain). Bridge domains are also a container for IP subnets and are where fabric Layer 3 gateway functionality is configured. Bridge domains can emulate the behavior of a traditional VLAN but are not constrained by forwarding scale limitations. In the ACI object model, a bridge domain is a child of a Private Layer 3 or context. Endpoint groups can only be a member of a single bridge domain. MAC addresses MUST BE unique per bridge domain (across subnets).

CLOS fabric

A multi-tier nonblocking leaf-spine architecture network.

Cluster

Set of devices that work together as a single system to provide an identical or similar set of functions. It can be a set of APICs communicating to provide a scalable, distributed controller. The cluster size is used in the sharing of the MIT database. A cluster is a set of appliances running controller applications and communicating with each other forming a single logical view to the fabric.

Concrete Model

The concrete model is rendered by logic running on the APIC and the policy element running on the switch. The concrete model is used by the switch's software to orchestrate programming of the switch data plane for services. It contains configuration as well as operational managed objects. This model is also user-visible, but is not configurable.

Consumer

The consumer is the "sender" of the traffic in the contract. When an EPG consumes a contact, all endpoints in the consuming EPG may initiate communication with any endpoint in any EPG that is providing that contract.

Context

A Layer 3 forwarding domain, equivalent to a VRF, and in ACI vernacular a Private Layer 3.

Contract

A logical container for the subjects which relate to the filters that govern the rules for communication between endpoint groups. ACI works on a white list policy model. Without a contract, the default forwarding policy is to not allow any communication between endpoint groups, but communication within an endpoint group is allowed.

Contract Scope

The contract scope is the level of enforcement of the contract between two or more EPGs. The states are:

Application Profile—Endpoint groups can only communicate with other endpoint groups that are located within the same application profile (AEP).
Private Network (default)—Endpoint groups can only communicate with other endpoint groups located within the same private network (VRF).
Tenant—Endpoint groups can only communicate with other endpoint groups located within the same tenant.
Global—Endpoint groups can communicate with other endpoint groups located throughout the fabric.

The contract scope essentially restricts which hosts can communicate with the EPG whether they are within the same application profile, within the same VRF (Private Network), within the same Tenant, or anywhere in the fabric.

Council of Oracles Protocol (COOP)

COOP is used to communicate the mapping information (location and identity) to the spine proxy. An iLeaf will forward endpoint address information to spine 'Oracle' using ZeroMQ (Zero Message Queue). COOP running on the spine nodes will ensure all spine nodes maintain a consistent copy of end point address and location information and additional maintain the DHT repository of endpoint identity to location mapping database.

Data Management Engine (DME)

A service that runs on the APIC that manages data for the data model. DMEs communicate using message entities called "stimulus", which usually have a request and response. Each service on the APIC or switch is built over a library or framework called DME.

DLB

Dynamic Load Balancing - a network traffic load-balancing mechanism in the ACI fabric based on flowlet switching.

dMIT

distributed Management Information Tree, a representation of the ACI object model with the root of the tree at the top and the leaves of the tree at the bottom. The tree contains all aspects of the object model that represent an ACI fabric.

Dn

Distinguished name - a unique fully qualified name that represents a specific managed object within the ACI management information tree (MIT) as well as the specific location information in the tree. It is made up of a concatenation of all of the relative names from itself back to the root of the tree. As an example, if policy object of type Application Profile is created, named commerce workspace within a Tenant named Prod, the dn would be expressed as uni/tn-Prod/ap-commerceworkspace.

Encap

The encapsulation (VLAN or VXLAN) of the virtual machine manager (VMM) for the associated endpoint group. This is the VLAN assigned to the endpoint group that the attached endpoint is in.

Endpoint (EP)

Also called a host or Layer 2/Layer 3 addressable entity. Any logical or physical device connected directly or indirectly to a port on a leaf switch that is not a fabric facing port. Endpoints have specific properties such as an address or location, which is used to identify the endpoint. All addressable MAC entities (virtual NIC interfaces, physical NIC interfaces, switch CPU interfaces, and so on) are considered endpoints. Endpoints are grouped together into endpoint groups.

Endpoint Group (EPG)

A collection of endpoints that can be grouped based on common requirements for a common policy or requiring the same policy treatment. Endpoint groups can be dynamic or static. The ACI fabric commonly uses an 802.1Q VLAN tag to represent the endpoint group. This is often referred to as the "VLAN as an EPG" model. The following types of endpoint groups are defined:

Application endpoint group (fvAEPg)
Layer 2 external outside network instance endpoint group (L2extinstP)
Layer 3 external outside network instance endpoint group (L3extinstP)
Management endpoint groups for out-of-band (mgmtOoB) or in-band (mgmtInB) access

Endpoint group membership is defined in the fabric by:

Ingress physical port (leaf or FEX)
Ingress logical port (VM port group)
VLAN ID
VXLAN (VNID)
IP address (only applicable to external/border leaf connectivity at FCS)
IP prefix/subnet (only applicable to external/border leaf connectivity at FCS)

Policies only apply to endpoint groups, never to individual endpoints. An endpoint group can be statically configured by an administrator in the APIC, or dynamically configured by an automated system such as vCenter or OpenStack.

An endpoint group is associated with the following things:

A single Layer 2 virtual network (bridge group) or a single Layer 3 virtual network (VRF or private network)
A single security group (contracts)

Error

Errors occur only on the APIC. They describe events where there are duplicate MOs or errors reaching a radius server.

Ethertype

The EtherType of the filter entry. The current EtherTypes are:

Unspecified [default] (all protocols)
ipv4
ipv6
lldp
8021ad
8021q
arp
fcoe
flow_control
mac_ or VMMrity
mpls_mcast
mpls_ucast
ptp
qinq
rarp
slow_protocols
trill
wake_on_lan

Event

Events are not errors nor faults. They indicate step-by-step information as something occurs. For example, as an interface comes up, it provides events indicating what is occurring while the interface comes up. Event records are never modified after creation and are deleted only when their number exceeds the maximum value specified in the event retention policy.

Fault

When a failure occurs or an alarm is raised, the system creates a fault-managed object for the fault. A fault contains the conditions, information about the operational state of the affected object and potential resolutions for the problem. Faults are errors that are produced on the APIC, fabric, and hosts.

Fabric

The collective endpoints associated with an ACI solution (Leaf, Spine and Virtual Switches plus APICs). The fabric decouples the tenant end-point address, it's "identifier", from the location of that end-point which is defined by it's "locator" or VTEP address. Forwarding within the Fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an extender VXLAN header format referred to as the ACI VXLAN policy header. The mapping of the internal tenant MAC or IP address to location is performed by the VTEP using a distributed mapping database. The fabric:

Leverages IS-IS for infrastructure topology. IS-IS is responsible for identifying the TEPs and announce the creation of tunnels from every leaf node to all other nodes in the fabric.
Advertises loopback and VTEP addresses.
Responsible for generating the multicast FTAG trees in the fabric using vendor TLVs.

All Tenant traffic within the fabric is tagged with an ACI VXLAN (VXLAN) header that identifies the policy attributes of the application end point within the fabric.

Policy Group (source group)
Forwarding Group (Tenant, VRF, Bridge Domain)
Load Balancing Policy
Telemetry Policy

At the ingress port, the fabric translates an external identifier that can be used to distinguish different application endpoints using the internal VXLAN tagging format

The fabric uses encapsulation where a Layer 2 ethernet packet is encapsulated to traverse the fabric. The default MTU across the fabric is 9150 bytes.

FCAPS

The ISO model defines network management tasks. FCAPS is n acronym for fault, configuration, accounting, performance, security, the management categories

FD_VLAN

Flood domain VLAN. The FD-VLAN is the forwarding VLAN used to forward traffic on the Broadcom ASIC. The FD_VLAN is directly linked to the ACCESS_ENC and is also referred to as the internal VLAN. The FD_VLAN is used to represent the ACCESS_ENC instead of linking it directly to the BD_VLAN. The FD_VLAN allows the BD_VLAN to link to different ACCESS_ENCs and treat all of them as if they were all in the same 802.1Q VLAN on a NX-OS switch. When a broadcast packet comes into the leaf switch from the ACI fabric, the BD_VLAN can map to several FD_VLANs to allow the packet to be forwarded out different ports using different ACCESS_ENCs. The FD_VLAN is used to learn Layer 2 MAC addresses.

Filters

Filters define the rules outlining the Layer 2 to layer 4 fields that will be matched by a contract. All contracts consists of 1 or more subjects, where each subject contains 1 or more filters and each filter contains 1 or more entries. Each entry is equivalent to a line in an ACL applied on the leaf switch that the EP (within the EPG) is attached to. Filters do not define whether the entries are PERMIT or DENY statements in contracts. The contract type the filters are associated with determines this.

Flowlet switching

An optimized, multipath, load-balancing methodology based on research from MIT in 2004. Flowlet Switching is a way to use TCP's own bursty nature to more efficiently forward TCP flows by dynamically splitting flows into flowlets, and splitting traffic across multiple parallel paths without requiring packet reordering.

FNV

Fabric Node Vector.

GUI

Graphical User Interface.

Health Score

Health scores indicate if there are any faults within the different system views. ACI fabric health information is available for the following views of the system:

System—Aggregation of system-wide health, including pod health scores, tenant health scores, system fault counts by domain and type, and the APIC cluster health state.
Pod—Aggregation of health scores for a pod (a group of spine and leaf switches), and pod-wide fault counts by domain and type.
Tenant—Aggregation of health scores for a tenant, including performance data for objects such as applications and EPGs that are specific to a tenant, and tenant-wide fault counts by domain and type.
Managed Object—Health score policies for managed objects (MOs), which includes their dependent and related MOs. These policies can be customized by an administrator.

Health scores change color at different set point percentages.

66%—Health score displays in yellow when it drops below this percentage.
33%—Health score displays in red when it drops below this percentage.

HTML

HyperText Markup Language, a markup language that focuses on the formatting of web pages.

Hypervisor

Software that abstracts the hardware on a host machine and allows the host machine to run multiple virtual machines.

Hypervisor integration

Extension of ACI Fabric connectivity to a virtual machine manager to provide the APIC with a mechanism for virtual machine visibility and policy enforcement.

Intra-Fabric Messages (IFM)

Used for communication between different devices on the ACI fabric. The software layer that tries to deliver messages between the various DME addresses for each agent is called a "identity". An identity has the following format:

system-type:system-id:service:slot

For example, the policy element in switch 119 is represented as follows:

1:119:5:0

IFM uses SSL over TCP for remote communication. It uses different ports for different processes:

eventmgr   12119	Alerts, Faults, Health Scores
nginx   	         	12151
policyelem        	12183
policymgr          12215	processes policy addition/deletion/modification events and
                         converts the policy into ppf representation and distributes the
                         policies to policy clients using PPF library. It uses 2-pass
                         verify-commit model to get the policy programmed in the
                         hardware. 
reader   	        	12247
ae   	             12279
topomgr            12311
observer           12343 Roll up various HW faults
dbgr    	          12375 Atomic Counters
observerelem   	   12407
dbgrelem          	12439
vmmmgr           	 12471 VM manager interactions
nxosmock         	 12503
bootmgr            12535       
appliancedirector  12567 Clustering, Sharding, Syncing of replicas
dhcpd              12695 DHCP addressing
scripthandler     	12727
idmgr              12759

Inband Management (INB)

Connectivity using an inband management configuration. This uses a front panel (data plane) port of a leaf switch for external management connectivity for the fabric and APICs. Uses the fabric for management connectivity. Applies a second VTEP address to the switch.

iPing

Fabric-aware ping. iPing is designed to work with:

Pervasive fabric interfaces (Gateway IP addresses on each Leaf switch)
Multi-Tenant and Overlay

The issue with normal ping is that with pervasive IP gateways on the fabric, the originating leaf may not receive the ping reply since the gateway IP address is on multiple leaf switches. iPing allows the originating leaf switch to receive the ping reply even if it is forwarded to another leaf switch by including fabric information in the payload.

IS-IS

Link local routing protocol leveraged by the fabric for infrastructure topology. Loopback and VTEP addresses are internally advertised over IS-IS. IS-IS announces the creation of tunnels from leaf nodes to all other nodes in fabric.

iTraceroute

Fabric-aware traceroute. iTraceroute has many unique features, including:

Discovers and reports multiple paths
Transits only a single probe packet per path
Reports detailed node information
Simulates tenant traffic, exploring paths under the applied policies

JSON

JavaScript Object Notation, a data encapsulation format that uses human readable text to encapsulate data objects in attribute and value pairs.

Layer 2 Out (l2out)

Layer 2 connectivity to an external network that exists outside of the ACI fabric.

Layer 3 Out (l3out)

Layer 3 connectivity to an external network that exists outside of the ACI fabric.

L4-L7 Service Insertion

The insertion and stitching of VLANs/Layer 3 constructs of virtual or physical service appliances (Firewall, IDS/IPS, Load Balancers, DLP, etc....) into the flow of traffic. Service nodes operate between Layers 4 and Layer 7 of the OSI model, where as networking elements (i.e. the fabric) operate at layers 1-3).

Label

Used for classifying which objects can and cannot communicate with each other.

Leaf

Network node in fabric providing host and border connectivity. Leafs connect only to hosts and spines. Leafs never connect to each other. All devices are connected to the leaf switches including any external routers or hosts.

Legacy Mode

When created under a bridge domain, contracts are not enforced for the bridge domain, and the encap will be applied to all EPGs on this bridge domain. In this case, a bridge domain, endpoint group, and VLAN all have a one to one mapping.

Life Cycle

Lifecycle describes a day in the life of a fault. It includes specific time intervals that must pass before transitioning to the next state. The entire idea behind lifecycle is to allow the administrator to see transient errors that do not last very long.

The lifecycle describes which time interval the fault MO is in: SOAKING, RAISED, or RETENTION.

The lifecycle also describes the severity: INITIAL, TARGET, or CLEAR.

Link Layer Discovery Protocol (LLDP)

LLDP is used by the APIC to discover leaf switches and used by the leaf switches to discover spine switches for fabric discovery.

Logical Model

Model configured by the user in the APIC using the GUI or XML/JSON API. The logical model is located under /aci->/.aci/viewfs.

Managed Object (MO)

Every configurable component of the ACI policy model managed in the MIT is called a MO. A managed object represents a configuration or state. Some managed objects and properties are read/writeable, whereas others are read-only. In the case of policy resolution-based on named relations:

If a target managed object with a matching name is not found in the current tenant, the ACI fabric tries to resolve the name in the common tenant. For example, if the user tenant EPG contained a relationship managed object targeted to a bridge domain that did not exist in the tenant, the system tries to resolve the relationship in the common tenant.
If a named relation cannot be resolved in either the current tenant or the common tenant, the ACI fabric attempts to resolve to a default policy. If a default policy exists in the current tenant, it is used.
If it does not exist in the current tenant, the ACI fabric looks for a default policy in the common tenant.

NOTE: Bridge domain, context, and contract (security policy) named relations do not resolve to a default.

Management Information Tree (MIT)

A hierarchical management information tree containing all of the managed objects of the fabric. Also called the Management Information Model (MIM).

Match Type

Labels can be applied to a variety of provider and consumer managed objects, including EPGs, contracts, bridge domains, DHCP relay policies, and DNS policies. When checking for a match of provider labels and consumer labels, the setting is determined by the provider EPG. The types can be:

AtleastOne (default)—At least 1 label matches on Provider and Consumer EPGs. Blank labels are considered a match.
AtmostOne—Matches only when all labels on the EPGs are exactly the same. Blank labels are considered a match.
None-None of the subject labels match.
All—Only matches when both EPGs have all labels, excluding blank labels.

Model

A model is a concept which represents entities and the relationships that exist between them.

Multi-tier Application

Client-server architecture in which presentation, application logic, and database management functions require physical or logical separation and require networking functions to communicate with the other tiers for application functionality.

NginX

NginX (pronounced "engine x") is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP proxy server, originally written by Igor Sysoev. All APIC input methods (REST API, Web GUI, and CLI) send their input to NginX. The GUI in particular gets its status code from NginX and does not validate any commands with the switch receiving the commands. Faults are sent back from the switches if the commands cannot be applied. Always check the Faults tab after applying a configuration.

Northstar ASIC

Cisco ACI ASIC. 24x40G port wire-speed. Provides routing between VXLAN segments, larger buffers, policy enforcement, advanced dynamic load-balancing, multicast forwarding and bridging between EPGs within a bridge domain, QoS, atomic counters, and latency measurements. NorthStar also provides a loopback path that will allow some of these value added features to be applied to local traffic as well as the uplink. On egress from the fabric out the front ports, the NorthStar provides the following functions:

VxLAN termination
Station lookup
Policy lookup
Egress port selection

On ingress to the fabric from the front ports, the NorthStar provides the following functions:

Derive EPG
Station lookup
Policy lookup
Encap (proxy and non-proxy)
Bounce

Object Model

A collection of objects and classes are used to examine and manipulate the configuration and running state of the system that is exposing that object model. In ACI the object model is represented as a tree known as the distributed management information tree (dMIT).

OpFlex

OpFlex is an open and extensible policy protocol for transferring abstract policy in XML or JavaScript Object Notation (JSON) between a network policy controller such as the Cisco APIC and any device, including hypervisor switches, physical switches, and Layer 4 through Layer 7 network services.

Out-of-Band management (OOB management)

External connectivity using a specific out-of-band management interface on every switch and APIC.

Overlay-1

The VRF (context) used by the fabric switches and APICs.

Physical Domain

Endpoint used for bare metal hosts or when the APIC does not have a VMM defined but it is connected

Policy Control (PC) Tag

A policy control tag is assigned to the endpoint group to identify it numerically instead of by name. Also called the "source ID" or "destination ID" in literature.

Port Channel

A Port link aggregation technology that binds multiple physical interfaces into a single logical interface and provides more aggregate bandwidth and link failure recovery without a topology change.

Prefix

Prefixes control which external subnets are allowed into the fabric. When the fabric is peered with an external router, the subnet prefix is considered to be the endpoint.

Private Network

Equivalent to a VRF, separates routing instances, can be used as an administrative separation. Used to define a non-overlapping IP address space within the tenant. An endpoint group can only be associated with a single private network.

Provider

The provider is the "receiver" of the traffic in the contract.

Privilege

Privileges determine what tasks a role is allowed to perform.

Policy

Named entity that contains generic specifications for controlling some aspect of system behavior. For example, a Layer 3 Outside Network Policy would contain the BGP protocol to enable BGP routing functions when connecting the fabric to an outside Layer 3 network.

Policy Group

A grouping of policies and profiles.

Raised

If the fault condition persists beyond the soaking time interval, the fault MO enters the Raised state. Initial severity goes to target severity. One state might be RAISED-CLEARING indicating the fault was active throughout the soaking interval and into the raised interval but is now clearing.

Resolved Model

The resolved model defines a mapping from the logical model to the concrete model where the logical model contains the intended state and the concrete model contains the actual state. This occurs on the APIC. This model is user-visible, but not configurable. The resolved model is implicitly configured by the APIC under /mit ->/.aci/mitfs.

Retaining

When the fault condition is absent for the duration of the clearing interval in either the Raised-Clearing or Soaking-Clearing state, the fault MO enters the Retaining state with the severity level cleared. A retention interval begins, during which the fault MO is retained for a length of time specified in the fault policy. This interval ensures that the fault reaches the attention of an administrator even if the condition that caused the fault has been alleviated, and that the fault is not deleted prematurely.

Role-Based Access Control (RBAC)

A method of managing secure access to infrastructure by assigning roles to users, then using those roles in the process of granting or denying access to devices, objects and privilege levels. RBAC enables a fabric-wide administrator to provide access across security domains (tenants) that would otherwise be blocked. Use RBAC rules to expose physical resources or share services that otherwise are inaccessible because they are in a different security domain (tenant). RBAC rules provide read access only to their target resources.

Representational State Transfer (REST)

a stateless protocol usually run over HTTP that allows a client to access a server-side or cloud-based API without having to write a local client for the host accessing the API. The location that the client accesses usually defines the data the client is trying to access from the service. Data is usually accessed and returned in either XML or JSON format. All ways of configuring ACI lead to the REST API. The CLI, GUI, Python (cobra) API, as well as the XML API use the REST API for configuration.

RESTful

An API that uses REST, or Representational State Transfer.

Rn

Relative name, a name of a specific object within the ACI management information tree that is not fully qualified. A Rn is significant to the individual object, but without context, it's not very useful in navigation. A Rn would need to be concatenated with all the relative names from itself back up to the root to make a distinguished name, which then becomes useful for navigation. As an example, if an Application Profile object is created named "commerceworkspace", the Rn would be "ap-commerceworkspace" because Application Profile relative names are all prefaced with the letters "ap-". See also the Dn definition.

Role

Each role has privileges assigned to it. The privileges allow the administrator to have finer granularity within the tenant for restricting access.

RV

Replica Vector.

Security Domain

Security Domains restrict a user to a certain tenant or the MIT under that tenant or VMM.

Security Domain (per tenant or VMM)
  |-------------------|------------------|
Role1           	   Role 2             role 3
priv1             	 priv3             	priv1
priv2             	 priv4             	priv4

Segment ID

Numerical representation of the private network name.

Service graph

A mechanism within ACI that automates redirection of traffic and VLAN stitching based on defined parameters. Any services that are required are treated as a service graph that is instantiated on the ACI fabric from the APIC. Service graphs identify the set of network or service functions that are needed by the application, and represent each function as a node.

Shard

A shard is a portion of a database. It allows for replication of the database across multiple physical devices. Each shard has 3 replicas across the 3 APICs. Although each APIC has a complete copy of the database, the APIC can only update its portion (or shard) of the database assigned to it. The other shards stored on the APIC are read only until the APIC owning the shard sends a notification changing it. If the APIC cluster loses an APIC, another APIC still active in the cluster will assume control of its shards in the database.

Soaking

Soaking describes the first time interval created when a fault condition is detected. Its initial severity is set. One state might be SOAKING-CLEARING, indicating that the fault cleared within the soaking interval.

Spine

Network node in fabric carrying aggregate host traffic from leafs, connected only to leafs in the fabric and no other device types.

Spine/Leaf topology

A CLOS-based fabric topology in which spine nodes connect to leaf nodes, leaf nodes connect to hosts and external networks.

Static Binding Path

Under normal circumstances, ACI will automatically generate a VLAN on the leaf switch to put the EP (in the EPG) traffic in. With a static path binding, you assign the VLAN that the port on the leaf switch should configure for the EPG. When an EPG uses a static binding path, the encapsulation VLAN associated with this EPG must be part of a defined static VLAN pool. This follows the "VLAN as an EPG" model. This is a simple way to make the anycast gateway appear on the leaf switch for routing without having an EP deployed on the switch or having the port up.

Subject

Contained by contracts and create the relationship between filters and contracts. Multiple subjects can be in a single contract. The subjects are like templates when applied to the contracts and provide for a certain service to be passed unidirectionally to the EPG. Subjects are a combination of a filter, an action, and a (optional) label.

Filter           Action   	    Label
----------------	---------    	-----------------
TCP Port 80      Permit   	    Web Access
Any              Permit   	    common/default

If Apply Both Directions is selected, then both EPGs will be able to send traffic in one direction to the other EPG. Any return traffic, including ACKs in TCP, is blocked unless Reverse Filter Ports is checked. Reverse Filter Ports requires Apply Both Directions be checked first. Even with Reverse Filter Ports checked, only the consumer of the contract may initiate traffic.

Subnet

Contained by a bridge domain or an endpoint group, a subnet defines the IP address range that can be used within the bridge domain. Subnets are defined under the bridge domain, and are the same as "subnet" in OpenStack. The different types of subnets are:

Shared—Defines subnets under an endpoint group to route leak for shared services to endpoint groups in a different VRF.
Public—Defines subnets under an endpoint group to route leak to other Tenants in the Fabric or advertised externally outside of the fabric. For example, public subnets under a bridge domain configuration are announced to external networks through routing protocols.
Private—(Default) Defines subnets under a bridge domain to be used only in that tenant, meaning that the subnets will not be leaked to other tenants.

Supervisor

Switch module that provides the control plane for the 95xx switches.

tDN

Target DN (Distinguished Name). An explicit reference defines a relationship between a source MO (managed Object) and a specific instance of a target MO. The target instance is identified by a target DN (tDn) property that is explicitly set in the relationship source (Rs) MO.

Tenant

The logical container to group all policies for application policies. Each tenant has a separate Layer 3 address space or VRF (private network). A tenant is similar to the "project/tenant" concept in OpenStack. There are 3 pre-defined tenants in ACI:

Common—Defines ACI structures that can be used by all tenants
mgmt—Configures inband and out-of-band management of the APIC, leaf, and spine switches
infra—Configures fabric policy between spines and leafs

A tenant is the highest level managed object in the Management Information Tree (MIT) model. The primary elements that the tenant contains are contracts, bridge domains, private networks, and application profiles that contain endpoint groups.

Virtual eXtensible LAN (VXLAN)

A Layer 2 overlay scheme over a Layer 3 network. A 24-bit VXLAN Segment ID or VXLAN Network Identifier (VNI) is included in the encapsulation to provide up to 16M VXLAN segments for traffic isolation/segmentation, in contrast to the 4K segments achievable with VLANs alone. Each of these segments represents a unique Layer 2 broadcast domain, and can be administered in such a way that it can uniquely identify a given tenant's address space or subnet. VXLAN is an extension of the Layer 2 LISP protocol (draft-smith-lisp-layer2-01) with the additional of policy group, load and path metric, counter and ingress port and encapsulation information.

Virtual Network ID (VNID)

Used for forwarding the packets in different ways for different cases.

Case 1: Layer 2, the VLAN dot1q or VXLAN VNID identifies the 'Bridge Domain'.
Case 2: VRF-Lite, the VLAN dot1q tag identifies the VRF (Private Network).
Case 3: mBGP EVPN, the VXLAN VNID identifies the VRF, or in the case of Layer 2, the Bridge Domain.

In the case of ACI, the VLAN/VXLAN on the outside identifies the EPG (endpoint group). On the inside, the S-Class in the VXLAN header identifies the EPG, VNID, and VRF/bridge domain.

Virtual Routing and Forwarding (VRF)

A Layer 3 namespace isolation methodology to allow for multiple contexts to be deployed on a single device or infrastructure.

Virtual Zone (vZ)

Contracts in the Management Information Tree start with vZ, such as the vzAny contract. vzAny means any IP address in the VRF can reach this EPG and even includes unknown prefixes.

Virtualization

Technology used to abstract hardware resources into virtual representations and allowing software configurability.

Visore

An application built into APIC to see the resolved model. Used to verify configuration in the MIT. To access Visore, use the following URL:

https://your_apic/visore.html

VNI

VXLAN Network Identifier.

vPC

virtual Port Channel, in which a port channel is created for link aggregation, but is spread across no more or less than 2 physical switches.

VXLAN Tunnel Endpoint (VTEP)

Each fabric switch and APIC is assigned a VTEP from the subnet given in the startup script.

XML

eXtensible Markup Language, a markup language that focuses on encoding data for documents rather than the formatting of the data for those documents.

Zones and Zoning Rules

A contract for an EPG is pushed out to the switches in the form of rules within a zone or zoning rules. Each zoning rule is equivalent to a single NX-OS ACL line. DME/PE (policy element) pushes the zoning configuration to leaf switches based on contracts that are provided or consumed by the EPG that the EP attached to the Leaf switch is associated to. Two EPGs that communicate with each other are grouped together inside a single zone. An EPG can be associated with multiple zones, if it communicates with multiple EPGs. For contracts and rules, the policy interaction and flow is:

Policy Manager on APIC communicates with Policy Element Manager on the switch.
Police Element Manager on switch programs the Object Store on switch
Policy Manager on switch communicates with ACLQOS client on the switch
ACLQOS client programs the hardware (TCAM)

Zoning Rules are specified in terms of contract:

Scope (Application, Private Network, Tenant, Global)
Source class ID or SRC EPG
Destination class ID or DST EPG
Filter

Rules are derived from contracts applied to the EPGs. There are 2 types of rules:

actrlRules—Rules programmed by PE as EPGs/bridge domains get deployed on a leaf switch.
MgmtRules—Rules for traffic which is destined to hit the Supervisor of the switch.

Zoning Rules can be seen on a leaf switch with the following command:

show zoning-rule [src-epg sclassID] [dst-epg dclassID]

A '0' in the classID is used to indicate 'any'.

The following command shows which rules in a zone are being hit by packets:

show logging ip access-list internal packet-log

Reference Material

Topics that are outside of the scope of this operations guide may be documented in other places. This section includes links to other helpful reference documentation for further reading and viewing.