New and Changed Information

The following table provides an overview of the significant changes up to this release. It is not an exhaustive list of all changes.

Table 1. New Features and Changed Behavior in Cisco APIC

Cisco APIC Release Version | Feature | Description
Release 2.3(1) | Support for DNS server groups. | DNS server groups associate the IP address of a DNS server with one or more fully qualified domain names (FQDNs).
Release 2.3(1) | Support for DNS attribute for microsegmentation (uSeg) EPGs. | The DNS attribute enables you to match VMs to uSeg EPGs using one or more FQDNs.

DNS-Based Microsegmentation

Microsegmentation (uSeg) with the Cisco Application Centric Infrastructure (ACI) enables you to automatically assign endpoints to logical security zones called endpoint groups (EPGs). These EPGs are based on various network-based or virtual machine (VM)-based attributes.

Beginning with Cisco APIC Release 2.3(1), a Domain Name System (DNS) server can be used to configure uSeg EPGs that filter for VMs by FQDN. This DNS-based microsegmentation allows you to apply forwarding and security policies to entire groups of VMs based on their IP addresses, which the APIC reads from the DNS server and caches.

This chapter contains information specific to DNS-based microsegmentation. For a complete overview of microsegmentation with Cisco ACI, see Microsegmentation with Cisco ACI.

Keep in mind that before you configure DNS-based uSeg in APIC, you must already have a DNS server set up.


Note

Configuring a DNS server group and a uSeg EPG with the DNS attribute are beta features in this release of Cisco APIC.


DNS Server Groups

Domain Name System (DNS) server groups associate a DNS server with one or more Fully Qualified Domain Names (FQDNs).

You can use the APIC GUI, the NX-OS style CLI, or the REST API to configure DNS server groups. To configure a DNS server group, you first provide the IP address of the DNS server and then identify the domain. Cisco APIC caches the mapping between the DNS server and the domain. DNS server groups are available only for out-of-band management access.

DNS groups can be configured on any bare-metal or virtual switch. However, the DNS server must be Linux-based.


Note

Ensure that your DNS server is configured to allow zone transfer (AXFR) requests from the APIC IP addresses.


Configuring a DNS Server Group Using the GUI

You can use the APIC GUI to configure a DNS server group.

Before you begin

You must have a tenant configured. For tenant configuration information, see the Cisco APIC Basic Configuration Guide.

Procedure


Step 1

Log in to the Cisco APIC.

Step 2

Click Tenants and then click the tenant where you plan to use the DNS attribute for a micro-segmentation (uSeg) EPG.

Step 3

In the tenant navigation pane, select Services, then right-click DNS Server Groups (Beta) and choose Create DNS Server Group (Beta).

Step 4

In the Create DNS Server Group (Beta) dialog box, read and accept the user agreement for the beta feature.

Step 5

Enter a name for the DNS server group in the Name field.

Step 6

In the DNS Servers area, click the plus icon, and then enter the IP address of the Linux-based DNS server.

Step 7

Click Update and then click Submit.

Step 8

In the tenant navigation pane, open the DNS Server Group → DNS Server that you just created.

Step 9

In the central DNS Server work pane, click the plus sign on the right side of the Domain area.

Step 10

In the text-entry field that appears, enter an FQDN.

If you are entering a website that begins with www., such as www.example.com, you do not need to enter www.

Step 11

Click Update.


What to do next

If you want to define a DNS attribute for a uSeg EPG, follow the instructions in the section Microsegmentation EPGs with DNS Attribute in this document.

Configuring a DNS Server Group Using the NX-OS Style CLI

Before you begin

You must have a tenant configured. For tenant configuration information, see the Cisco APIC Basic Configuration Guide.

Procedure


Configure a DNS server group.

Example:

apic1# configure
apic1(config)# tenant ?
apic1(config)# tenant T1
apic1(config-tenant)# dnssvrgrp dnsgrp1
apic1(config-tenant-dnssvrgrp)# dnssvr 209.165.200.252
apic1(config-tenant-dnssvrgrp-dnssvr)# domain www.example.com

What to do next

If you want to define a DNS attribute for a uSeg EPG, follow the instructions in the section Microsegmentation EPGs with DNS Attribute in this document.

Configuring a DNS Server Group Using REST API

Before you begin

You must have a tenant configured. For tenant configuration information, see the Cisco APIC Basic Configuration Guide.

Procedure


Configure a DNS server group.

POST: <host info>/api/node/mo/uni.xml

Example:

<fvTenant dn="uni/tn-Coke" name="Coke" status="">
    <fvCtx name="CokeCtx" />
    <dnsepgSvrGrp name="dns-cluster" nw="0">
        <dnsepgSvr ip="209.165.200.252">
            <dnsepgDomain domain="example.com" />
        </dnsepgSvr>
        <dnsepgRsSvrEpg tDn="uni/tn-Coke/ap-InsiemePortal/epg-DNS" />
    </dnsepgSvrGrp>
</fvTenant>

What to do next

If you want to define a DNS attribute for a uSeg EPG, follow the instructions in the section Microsegmentation EPGs with DNS Attribute in this document.

Microsegmentation EPGs with DNS Attribute

Defining a DNS attribute for a uSeg EPG enables you to put VMs matching DNS zones, or domains, that you previously identified into the uSeg EPG. You define a DNS attribute for a uSeg EPG in the APIC GUI, NX-OS style CLI, or REST API.


Note

You cannot choose Match All when using the DNS or other network-based attributes (IP and MAC).

When you configure a filter for VMs, you can enter the FQDN or a wildcard with part of the FQDN to include FQDNs with similar names. In addition to helping you filter, using wildcards enables you to categorize endpoints and store them on Cisco APIC. Categorization is dynamic: the filter will include any VMs added to the domain and will no longer include VMs removed from it.
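To make the mechanism concrete, here is an added example (not Cisco code, and not the APIC's actual implementation) that models what the sections above describe: the APIC pulls records from the DNS server by zone transfer (AXFR), caches FQDN-to-IP mappings, applies the uSeg DNS attribute filter, and re-evaluates membership as hosts are added to or removed from the zone. The zone data is constructed, and the matching rules (shell-style globbing, optional www. prefix) are assumptions chosen to illustrate the wildcard behaviour, including how a loose pattern such as *example.com can pull in more hosts than intended.

```python
import fnmatch
import ipaddress
from typing import Dict, Set, Tuple

# Constructed zone-transfer (AXFR) output in zone-file form for two domains in a
# server group; modelled on Linux DNS server output, not captured from a real server.
AXFR_EXAMPLE = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
ns1.example.com.    3600 IN A     192.0.2.53
www.example.com.     300 IN A     192.0.2.10
app1.example.com.    300 IN A     192.0.2.21
app2.example.com.    300 IN A     192.0.2.22
old.example.com.     300 IN CNAME app1.example.com.
notexample.com.      300 IN A     198.51.100.7
"""

def parse_axfr(text: str) -> Dict[str, Set[str]]:
    """Map FQDN -> set of IPv4 addresses from A records; other record types are ignored."""
    records: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        fqdn = parts[0].rstrip(".").lower()
        ip = str(ipaddress.ip_address(parts[4]))  # raises on a malformed address
        records.setdefault(fqdn, set()).add(ip)
    return records

def matching_ips(records: Dict[str, Set[str]], pattern: str) -> Set[str]:
    """IPs whose FQDN matches the uSeg DNS attribute filter.
    Assumption: shell-style globbing; a pattern without 'www.' also matches its 'www.' host."""
    pat = pattern.lower()
    return {ip for fqdn, ips in records.items()
            if fnmatch.fnmatchcase(fqdn, pat) or fnmatch.fnmatchcase(fqdn, "www." + pat)
            for ip in ips}

def membership_delta(old: Dict[str, Set[str]], new: Dict[str, Set[str]],
                     pattern: str) -> Tuple[Set[str], Set[str]]:
    """(added, removed) endpoint IPs between two cached zone snapshots: hosts added to
    or dropped from the zone enter or leave the uSeg EPG on the next refresh."""
    before, after = matching_ips(old, pattern), matching_ips(new, pattern)
    return after - before, before - after

if __name__ == "__main__":
    zone = parse_axfr(AXFR_EXAMPLE)
    print("*.example.com ->", sorted(matching_ips(zone, "*.example.com")))
    # The looser '*example.com' (no dot) also pulls in notexample.com under glob semantics.
    print("*example.com  ->", sorted(matching_ips(zone, "*example.com")))
    later = parse_axfr(AXFR_EXAMPLE + "app3.example.com. 300 IN A 192.0.2.23\n")
    print("delta:", membership_delta(zone, later, "*.example.com"))
```

Checking a candidate pattern against a cached zone this way, before committing it to the EPG, shows exactly which endpoints will land in the security zone.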

Configuring a uSeg EPG with the DNS Attribute Using the GUI

Before you begin

Read and understand the guidelines and fulfill the prerequisites in the "Microsegmentation with Cisco ACI" chapter of the Cisco ACI Virtualization Guide.

Procedure


Step 1

Follow the procedure "Configuring Microsegmentation with Cisco ACI Using the GUI" in the "Microsegmentation with Cisco ACI" chapter of the Cisco ACI Virtualization Guide through Step 11.

Step 2

Instead of Step 12, perform the following steps:

  1. From the Select a type... drop-down list, choose DNS (Beta).

  2. In the text-entry field at the right, enter the FQDN of the VM or VMs that you want to put into a uSeg EPG.

    You can enter the FQDN or a wildcard with part of the FQDN to filter for VMs with similar FQDNs. For example, you can enter *example.com.

  3. Click SUBMIT.

Step 3

Complete Step 13 and the rest of the procedure, including the instructions for IP and MAC attributes in the section "What to do Next."


Configuring a uSeg EPG with the DNS Attribute Using the NX-OS Style CLI

Before you begin

Read and understand the guidelines and fulfill the prerequisites in the "Microsegmentation with Cisco ACI" chapter of the Cisco ACI Virtualization Guide.

Procedure


Step 1

Configure a uSeg EPG with the DNS attribute.

Example:

apic1(config-tenant-app)# epg DNS2 type micro-segmented
apic1(config-tenant-app-uepg)# attribute <> match dns <example> <"*".example.com>

Step 2

Create the relation between the DNS server and the uSeg EPG:

Example:

AVS3-APIC1(config)# tenant T1 
AVS3-APIC1(config-tenant)# dnssvrgrp DNS 
AVS3-APIC1(config-tenant-dnssvrgrp)# application AP1 
AVS3-APIC1(config-tenant-dnssvrgrp-app)# epg MS2WEB

Configuring a uSeg EPG with the DNS Attribute Using REST API

Before you begin

Read and understand the guidelines and fulfill the prerequisites in the "Microsegmentation with Cisco ACI" chapter of the Cisco ACI Virtualization Guide.

Procedure


Configure a uSeg EPG with the DNS attribute.

Example:

<fvAEPg name="DNS" isAttrBasedEPg="true">
    <fvRsBd tnFvBDName="CokeBD" />
    <vnsAddrInst name="ifc" addr="172.23.141.1/24">
        <fvnsUcastAddrBlk from="172.23.141.2/24" to="172.23.141.16/24" />
    </vnsAddrInst>
    <fvRsDomAtt tDn="uni/phys-mininet" />
    <fvRsDomAtt tDn='uni/vmmp-VMware/dom-dom9' status='created,modified'
                resImedcy='pre-provision' encap="vlan-105" />
    <fvRsNodeAtt tDn="topology/pod-1/node-101" instrImedcy='1' status="" />
    <fvCrtrn name="d2">
        <fvDnsAttr name="dns" filter="observer.shuchi.com" />
    </fvCrtrn>
</fvAEPg>