4166 Views | 15 Helpful | 17 Replies

ACI Design Recommendations.

NETAD, Level 4

Hi guys, we decided to deploy ACI for our dev/qa/stg environment and possibly roll it out to prod. I'm new to the concepts but I'm trying to get up to speed with it.

Here's an overview of what we currently have.

3 /16 subnets, one for each of dev, qa, and stg, plus a DB subnet.

dev/qa/stg L3 SVIs are on a virtual domain on a FortiGate and the DBs are on a different VDOM on the same firewall. So pretty much access and policy is controlled on the firewalls.

Security policy allows dev-to-dev, qa-to-qa and stg-to-stg communication; no intercommunication between the 3.

The problem that arose was the amount of policies we had to create on the firewall, because unlike an ASA a FortiGate doesn't allow communication between VLAN interfaces and a policy is needed every time a connection is needed. This became a nightmare and so we got the ACI:

2 x 9336 for spines

2 x 9372 for leafs, and of course 3 APIC controllers

What I have in my head is to create 3 tenants, one for each of dev/qa/stg.

Create EPGs for, let's say, the webservers within the dev tenant, as well as for apps and DBs, and set contracts between them.

And in case layer 4 or 7 device inspection or load balancing is needed, we can accomplish that using a service graph.

Not sure on how to use bridge domains: should I use one per VLAN per EPG, or put multiple VLANs in one?

Note that I will be grouping VLANs in the EPGs. And a UCS chassis will be hosting the VMs.

I don't know how clear I made this, but please let me know if you need clarifications.

Thanks
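As an added example (not code from the original post or from Cisco), the following script builds the tenant-per-environment design described above in the JSON shape the APIC REST API accepts, and then checks the one property the post cares about most: that no contract can carry traffic between dev, qa and stg. The class and attribute names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, fvAp, fvAEPg, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsBd, fvRsProv, fvRsCons) are real APIC policy-model classes; the three-tier layout (web, app, db), one bridge domain per tier, the contract names, the TCP ports and the 10.x addressing are assumptions chosen for illustration.

```python
"""Build APIC-style JSON for a dev/qa/stg tenant design and verify tenant isolation.

Added example, not code from the original thread. The object classes are real APIC
classes; tiers, ports, contract names and addressing are illustrative assumptions.
"""
import json

TIERS = ["web", "app", "db"]                  # assumed tiers: one EPG and one BD each
FLOWS = [                                     # (consumer, provider, contract, TCP dport)
    ("web", "app", "web-to-app", "8080"),
    ("app", "db", "app-to-db", "5432"),
]


def mo(cls, attrs, children=None):
    """One managed object in the APIC JSON shape: {class: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def build_tenant(name, net):
    """Tenant with one VRF, one BD (plus subnet) per tier, one EPG per tier, and the
    filters/contracts for FLOWS. Everything lives inside the tenant, so another
    tenant cannot consume these contracts without an explicit export."""
    vrf = f"{name}-vrf"
    children = [mo("fvCtx", {"name": vrf})]
    for i, tier in enumerate(TIERS):
        # One BD per tier: a small broadcast domain whose gateway sits in this VRF.
        children.append(mo("fvBD", {"name": f"{name}-{tier}-bd"}, [
            mo("fvRsCtx", {"tnFvCtxName": vrf}),
            mo("fvSubnet", {"ip": f"{net}.{i}.1/24", "scope": "private"}),
        ]))
    for _, _, cname, dport in FLOWS:
        # A filter allowing only one destination port, wrapped in a VRF-scoped contract.
        children.append(mo("vzFilter", {"name": f"{cname}-flt"}, [
            mo("vzEntry", {"name": f"tcp-{dport}", "etherT": "ip", "prot": "tcp",
                           "dFromPort": dport, "dToPort": dport}),
        ]))
        children.append(mo("vzBrCP", {"name": cname, "scope": "context"}, [
            mo("vzSubj", {"name": "subj"},
               [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f"{cname}-flt"})]),
        ]))
    epgs = []
    for tier in TIERS:
        rels = [mo("fvRsBd", {"tnFvBDName": f"{name}-{tier}-bd"})]
        for cons, prov, cname, _ in FLOWS:
            if tier == prov:
                rels.append(mo("fvRsProv", {"tnVzBrCPName": cname}))
            if tier == cons:
                rels.append(mo("fvRsCons", {"tnVzBrCPName": cname}))
        epgs.append(mo("fvAEPg", {"name": tier}, rels))
    children.append(mo("fvAp", {"name": f"{name}-app"}, epgs))
    return mo("fvTenant", {"name": name}, children)


def epg_relations(tenant):
    """Map each EPG name to the contracts it provides/consumes and its BD."""
    out = {}
    for child in tenant["fvTenant"].get("children", []):
        for epg in child.get("fvAp", {}).get("children", []):
            body = epg["fvAEPg"]
            rec = {"prov": set(), "cons": set(), "bd": None}
            for rel in body.get("children", []):
                if "fvRsProv" in rel:
                    rec["prov"].add(rel["fvRsProv"]["attributes"]["tnVzBrCPName"])
                elif "fvRsCons" in rel:
                    rec["cons"].add(rel["fvRsCons"]["attributes"]["tnVzBrCPName"])
                elif "fvRsBd" in rel:
                    rec["bd"] = rel["fvRsBd"]["attributes"]["tnFvBDName"]
            out[body["attributes"]["name"]] = rec
    return out


def check_isolation(tenants):
    """Return violations of 'dev talks to dev, qa to qa, stg to stg': a contract with
    global scope, or an EPG referencing a contract its own tenant does not define
    (which could only resolve via tenant common or an exported contract)."""
    problems = []
    for t in tenants:
        body = t["fvTenant"]
        tname = body["attributes"]["name"]
        scopes = {c["vzBrCP"]["attributes"]["name"]: c["vzBrCP"]["attributes"].get("scope", "context")
                  for c in body.get("children", []) if "vzBrCP" in c}
        problems += [f"{tname}: contract {n} has global scope" for n, s in scopes.items() if s == "global"]
        for ename, rec in epg_relations(t).items():
            for ref in sorted(rec["prov"] | rec["cons"]):
                if ref not in scopes:
                    problems.append(f"{tname}/{ename}: references contract {ref} not defined in {tname}")
    return problems


if __name__ == "__main__":
    tenants = [build_tenant("dev", "10.10"), build_tenant("qa", "10.20"), build_tenant("stg", "10.30")]
    # Each tenant object is a body for POST https://<apic>/api/mo/uni.json (apic is a placeholder).
    print(json.dumps(tenants, indent=2))
    print("isolation violations:", check_isolation(tenants) or "none")
```

The check is deliberately conservative: it flags any contract exported beyond its VRF and any EPG that references a contract the tenant itself does not define, because those are the two ways an environment boundary gets crossed in ACI without anyone writing an explicit inter-tenant rule. Running it against the generated JSON before pushing to the APIC turns the "no inter-environment traffic" requirement into something that can be asserted in a pipeline rather than audited by hand.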

17 Replies

Depending on the cluster discovery, you may or may not be able to login with the "admin" account. If the cluster can't sync together, you might have to login with "rescue-user" and troubleshoot further. Usually it's a date/time mismatch causing cluster convergence issues.

From the CLI get the output of "acidiag verifyapic" also

Robert

Sleiman,

Default gateway could possibly be an issue, or a misconfiguration when going through the setup script.

Other possibilities are:

1. You do not have an OOB contract configured and applied to the External Instance profile in tenant management.

2. Configure static node management addresses for APICs and switch nodes.

3. By chance, did you configure INBAND management in addition to OOB mgmt? Contracts will be necessary for communication via the external INB EPG and the fabric nodes.

4. Is there a firewall between your OOB mgmt network and the rest of the network? If so, you may want to check that.

5. Can you HTTPS or HTTP to the GUI of the APIC from outside the OOB network? From inside the OOB network? If so, check the management access settings in the Fabric Pod Policies configuration.

Access to the APIC console is accomplished by using the console port via the micro adapter on the front of the APIC (not the console connection on the back). Also, CIMC access, either KVM or SOL (serial over LAN), is the best method for console access when having issues like this. If you have CIMC configured, I would recommend accessing it by those means.

If you continue to experience issues, please open a Cisco TAC case so that an ACI engineer can assist you with your issues.

Thank you for using the Cisco Support Community for ACI!

T.

Thanks for your answer. I will update you with my findings. 
