ACI Path selection is empty for EPG static ports, L3out vpc path type

most_ahdy
Level 1

I have an issue when creating L3out with interface type of virtual port channel, the path box is empty, although I created interface policy group of type vpc.

The same issue occurs when adding a static port of type vpc for an application EPG.

16 Replies

RedNectar
VIP

Hi @most_ahdy ,

Check that your VPC Interface Policy Group is linked to an AAEP that is linked to your L3 Domain that is tied to your L3Out.

The easiest way to do this is to navigate to Fabric > Access Policies > Physical and External Domains > L3 Domains > YourL3Domain and then click the Show Usage button. From there, you should see Nodes using this policy - and you should see both nodes that make up your VPC, and if you click on ONE of those nodes, you should see the interface numbers of your VPC.


If you DON'T see the correct ports, you have a problem with your Access Policy Chain

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi RedNectar,

Thanks for your help. The VPC Interface Policy Group is already linked to an AAEP that is linked to a L3 Domain that is tied to a L3Out, as below, and I can see both vpc nodes and the interfaces used in the vpc, but still the path box is not including anything.

Is there a way I can write it in the box, instead of selecting the interface policy group?


Hi @most_ahdy 

What you can do to verify that the vpc is actually configured, is to connect on Leaf-1 and Leaf-2 and use these commands:

show vpc
show port-channel summary 

If your port-channel is formed and up, and associated to a VPC, then you have a GUI issue.

If you don't see the port-channel formed, the one thing left to be verified is the vpc domain config (Fabric > Access Policies  > Policies >  Switch > Virtual Port Channel Default)

 

Stay safe,

Sergiu

Hi @Sergiu.Daniluk 

So the port-channel must be up with the other side in order to see it in the path box, right?

vpc domain config (Fabric > Access Policies  > Policies >  Switch > Virtual Port Channel Default)  is ok

 

If the 

 

 

I don't think it needs to be up, but it should be at least `configured`.

What do you see in the commands output?

@Sergiu.Daniluk 

The vpc is ok as below

show vpc extended:

# show vpc extended
Legend:
(*) - local vPC is down, forwarding via vPC peer-link

vPC domain id : 101
Peer status : peer adjacency formed ok
vPC keep-alive status : Disabled
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : primary, operational secondary
Number of vPCs configured : 2
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Enabled (timeout = 240 seconds)
Operational Layer3 Peer : Disabled

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 up -

vPC status
-------------------------------------------------------------------------------- -
id Port Status Consistency Reason Active vlans Bndl Grp Name
-- ---- ------ ----------- ------ -------------------- --------------- -

345 Po5 down* success success - Core-PG


7 Po7 down* success success - VxrailTierPG

 


 

 

Hi @most_ahdy ,

Good morning. Seems there's been a bit more discussion overnight.  While @Sergiu.Daniluk seems to be concentrating on the physical side of things, I'm still not 100% convinced that it is not an Access Policy Chain issue, especially since you say you are having problems with EPG assignment as well.


Random thought: You haven't upgraded your system to APIC v6.0 have you? We tried that, strange things happened (we lost sight of FEX ports in ND) so we rolled back.


Back to TS. from the APIC, can you run this command: (it's a reallllllly wide output, so make sure you set your terminal width to at least 176 chars before running the command - and as well as pasting the output, attach it as a text file as well [=I'm really p...d off that Cisco has removed the ability to paste pre-formatted code with horizontal scroll])

apic1# show vpc map

This will prove that your VPC Interface Policy Group has been applied to both Leaf 101 and Leaf 103 

Again from the APIC

apic1# fabric 101,103 show port-channel summary

This will prove that your VPC is up on both leaves - you are looking for the (P) after the interface names.

However these commands are just the beginning - and really just re-enforcing @Sergiu.Daniluk's line of thinking.

To follow the FULL ACCESS POLICY CHAIN, you need the GUI

  1. Locate the Leaf Profile for leaf 101 and 103 [I HOPE there is a single leaf profile for both switches]
  2. In the work pane, double-click the listed Associated Interface Selector Profile (which will actually be a Leaf Profile - there is NO SUCH OBJECT IN ACI CALLED Interface Selector Profile) [I HOPE there is a single Interface Profile listed]
  3. When the Interface Profile opens, locate the Interface Selector that represents your port-channel, and double-click it. This will take you to the Access Port Selector page (don't you just love Cisco's naming consistency?)
  4. In the Access Port Selector page, locate the Policy Group, and click the external link button 

  5. This will open a pop-up for your VPC Interface Policy group. On this screen, verify:
    1. The Link Aggregation Type is indeed Virtual Port Channel (VPC)
    2. The Port Channel Policy is a policy that sets LACP to Active (use the external link button to check)
      [Actually, this step has already been verified by the CLI commands, but I'm leaving it here for future readers]
    3. There is indeed a value in the Attached Entity Profile (even though there is NO SUCH OBJECT IN ACI CALLED Attached Entity Profile - instead what you SHOULD see there is an Attachable Access Entity Profile)
  6. Click on the external-link button next to the Attachable Access Entity Profile name. This will open a pop-up page for the  Attachable Access Entity Profile 
  7. In the Attachable Access Entity Profile page, locate your L3 Domain in the list of Domains for this AAEP.  You can identify that it is a L3 Domain because it will have (L3) after the name. Double-click on the L3 Domain name. This will open the page for your L3 Domain Profile
  8. In the L3 Domain Profile page, locate the VLAN Pool and click the external-link icon next to it. This will open a pop-up page showing your VLAN Pool values
  9. In the VLAN Pool page, validate that
    1. The Allocation Method is Static (although with v5.2 onwards it doesn't matter)
    2. The VLANs you wish to use are listed.

If all of the above works as expected, then I'm stumped.

[Edit: 7:38am] Is this related to your issue you had connecting a VPC to an ESXi?  If so, in my step 5.2 above (The Port Channel Policy is a policy that sets LACP to Active) should probably be 
The Port Channel Policy is a policy that sets the policy to MAC Pinning

[/Edit]

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

@RedNectar: the reason for looking directly at the leaf level (if the vpc/port-channel is configured and up on leafs) is really to prove that access policies are configured or not correctly. If something is not configured correctly, and there are problems with the logical model, then the vpc/po will not be pushed to concrete model.

Meanwhile, I confirmed that port-channel can be down, and still be seen when deploying static ports in EPG.

So definitely there is something wrong in the config/logical model.

My approach in tshoot would be:

1. verify config (as listed above by @RedNectar )

2. Look for faults (System -> Faults) - this usually indicates if there are things I missed in config, or if something else is wrong

3. Moquery checks on APIC level:

 

moquery -c fabricPathEp -x 'query-target-filter=eq(fabricPathEp.lagT,"link")'
moquery -c fabricPathEp -x 'query-target-filter=and(eq(fabricPathEp.lagT,"node"),wcard(fabricPathEp.dn,"^topology/pod-[\d]*/protpaths-"))'

 

+ first command checks for port-channels

+ second command checks for vpcs

 NOTE: you can have the configuration ok, and still not have the objects created. One situation when this can happen is when a leaf is inactive or down.

4. Checks on Leaf level, if everything ok at APIC level. Checks should be done on BOTH leafs.

+ here are the commands listed in previous post.

 

@most_ahdy  can you share the output of the above commands +  the cmds listed by Chris + if any faults are seen on APIC related to leafs/interfaces/po/vpc.

 

Cheers,

Sergiu
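To make the two moquery filters above concrete, here is an added Python example (not from this thread, and not Cisco's code) that applies the same classification to a constructed APIC-style fabricPathEp response and then checks whether a vPC path endpoint exists for a given policy group on a given leaf pair, which is the object the static-port / L3Out path drop-down is populated from. The sample JSON, the dn shapes and the policy-group names are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like an APIC REST reply for /api/class/fabricPathEp.json
# (not captured from a real fabric). Policy-group names are hypothetical.
SAMPLE_IMDATA = json.dumps({"totalCount": "4", "imdata": [
    {"fabricPathEp": {"attributes": {"lagT": "not-aggregated",
        "dn": "topology/pod-1/paths-101/pathep-[eth1/1]"}}},
    {"fabricPathEp": {"attributes": {"lagT": "link",
        "dn": "topology/pod-1/paths-101/pathep-[Server-PC-PG]"}}},
    {"fabricPathEp": {"attributes": {"lagT": "node",
        "dn": "topology/pod-1/protpaths-101-103/pathep-[Core-PG]"}}},
    {"fabricPathEp": {"attributes": {"lagT": "node",
        "dn": "topology/pod-1/protpaths-101-103/pathep-[VxrailTierPG]"}}},
]})

# dn shapes of a port-channel path endpoint and a vPC (protected path) endpoint
PC_DN = re.compile(r"^topology/pod-(\d+)/paths-(\d+)/pathep-\[(.+)\]$")
VPC_DN = re.compile(r"^topology/pod-(\d+)/protpaths-(\d+)-(\d+)/pathep-\[(.+)\]$")


def classify_path_eps(imdata_json):
    """Split fabricPathEp records into port-channels and vPCs using the same
    criteria as the two moquery filters: lagT=link, or lagT=node with a
    protpaths- dn. Anything else (single ports) is ignored."""
    result = {"port_channels": [], "vpcs": []}
    for record in json.loads(imdata_json)["imdata"]:
        attrs = record["fabricPathEp"]["attributes"]
        dn, lag_t = attrs["dn"], attrs["lagT"]
        if lag_t == "link" and (m := PC_DN.match(dn)):
            result["port_channels"].append(
                {"pod": int(m[1]), "node": int(m[2]), "name": m[3], "dn": dn})
        elif lag_t == "node" and (m := VPC_DN.match(dn)):
            result["vpcs"].append(
                {"pod": int(m[1]), "nodes": (int(m[2]), int(m[3])), "name": m[4], "dn": dn})
    return result


def find_vpc_path(imdata_json, policy_group, leaf_pair):
    """Return the dn of the vPC path endpoint for policy_group on the given leaf
    pair, or None. A None result is what an empty path box in the GUI means:
    the logical model never produced the concrete path object. Node order in
    leaf_pair does not matter."""
    wanted = tuple(sorted(leaf_pair))
    for vpc in classify_path_eps(imdata_json)["vpcs"]:
        if vpc["name"] == policy_group and tuple(sorted(vpc["nodes"])) == wanted:
            return vpc["dn"]
    return None


if __name__ == "__main__":
    summary = classify_path_eps(SAMPLE_IMDATA)
    print("port-channels:", [p["name"] for p in summary["port_channels"]])
    print("vpcs:", [f"{v['name']}@{v['nodes']}" for v in summary["vpcs"]])
    print("Core-PG on 101/103:", find_vpc_path(SAMPLE_IMDATA, "Core-PG", (101, 103)))
```

Against a live APIC the same functions can be fed the body of a GET on /api/class/fabricPathEp.json (after the usual aaaLogin), so the check runs unchanged on real data.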

Hi @Sergiu.Daniluk 

Thank you for your information. Regarding the CLI commands, I cannot provide the output this week, so I'll share it later.

if any faults are seen on APIC related to leafs/interfaces/po/vpc.    No, I can't see any faults; in each step covered by @RedNectar  I check the faults tab and I cannot see any faults.

 

Maybe it is something related to this bug

https://bst.cisco.com/bugsearch/bug/CSCvn15506

I wonder if I can enter the vpc policy group manually instead of selecting it

Related to the bug, one of the conditions is to use the "quick start" wizards to configure vpcs. Did you configure them with the wizard or manually? Based on the policies/profiles names, I would say manually, but you can confirm it. And if it is like this, the bug can be ignored. It's not that one.

I used both manual and wizard, and in both I can not select the vpc interface policy group

@Sergiu.Daniluk 

if any faults are seen on APIC related to leafs/interfaces/po/vpc.

Yes, this is the issue: there was a fault on the interface selector, I entered wrong interface IDs

Thanks for your support

@RedNectar Thanks for your detailed information.

I haven't upgraded to APIC v6.0. my version is 5.1(4c)

For CLI output I would not be able to send them this week, I'll send them when available.

  1. Locate the Leaf Profile for leaf 101 and 103 [I HOPE there is a single leaf profile for both switches --> yes


2. In the work pane, double-click the listed Associated Interface Selector Profile (which will actually be a Leaf Profile - there is NO SUCH OBJECT IN ACI CALLED Interface Selector Profile) [I HOPE there is a single Interface Profile listed] there is more than one interface profile listed


 

3. When the Interface Profile opens, locate the Interface Selector that represents your port-channel, and double-click it. This will take you to the Access Port Selector page (don't you just love Cisco's naming consistency?) No


4. In the Access Port Selector page, locate the Policy Group, and click the external link button


This will open a pop-up for your VPC Interface Policy group. On this screen, verify:

  1. The Link Aggregation Type is indeed Virtual Port Channel (VPC): yes ok
  2. The Port Channel Policy is a policy that sets LACP to Active (use the external link button to check) yes ok


Click on the external-link button next to the Attachable Access Entity Profile name. This will open a pop-up page for the  Attachable Access Entity Profile 

In the Attachable Access Entity Profile page, locate your L3 Domain in the list of Domains for this AAEP.  You can identify that it is a L3 Domain because it will have (L3) after the name. Double-click on the L3 Domain name. This will open the page for your L3 Domain Profile   Ok


In the L3 Domain Profile page, locate the VLAN Pool and click the external-link icon next to it. This will open a pop-up page showing your VLAN Pool values

  1. In the VLAN Pool page, validate that
    1. The Allocation Method is Static (although with v5.2 onwards it doesn't matter) OK
    2. The VLANs you wish to use are listed. OK

      Is this related to your issue you had connecting a VPC to an ESXi?  If so, in my step 5.2 above (The Port Channel Policy is a policy that sets LACP to Active) should probably be 
      The Port Channel Policy is a policy that sets the policy to MAC Pinning     No, it is VPC to Cat9500 core switch

 

 

 

RedNectar
VIP

Hi @most_ahdy ,

OK. A couple of things.

Firstly, kudos for such a detailed answer! (BTW - answering your question inspired me to write this). I just LOVE pictures - you've told me so many things with your screendumps!

  1. I did notice that there was more than one Interface Profile in Step 1 - However, the descriptions seem to indicate that someone knew what they were doing, so no problem there
  2. I see there is an error showing in step 2 - it would be good to see what that is

  3. There is also a fault showing in step 3 - but it is likely to be the same fault as Step 2
  4. I've noticed something in your Domain configuration which I'll discuss later

So thanks for going through that process. Let's discuss

Bug CSCvn15506

That bug DOES look suspiciously like your problem.  I think the following will help determine if the Wizard was to blame:

From the APIC, issue the following commands - note that there are TWO underscore characters before "ui" in the 2nd command

apic1# cd /mit/uni/infra
apic1# find *__ui*
zsh: no matches found: *__ui*

IF ANY objects are found, we'll go down the path of deleting them - hopefully you'll get the same output as above

Security Domains

I noticed that the L3 Domain was assigned to a Security Domain. So I have a question

Were you logged in as THE admin user when the drop-down didn't appear?

If not, can you please try again logged in as admin

The reason being is that IF you create a security domain, say Tenant1 Security Domain, and then assign that security domain to a user, say User1 and to a tenant, say Tenant_1 (to avoid confusion with the security domain name), and then you log in as User1 then you are seeing EXACTLY WHAT I'D EXPECT you to see when editing Tenant_1

I know that is a poor explanation, and if it does turn out to be the cause of your problem, I'll write a blog post about the Incredible Inadequacies of the ACI RBAC System

 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
