06-13-2017 08:40 AM - edited 03-01-2019 05:15 AM
Hello community,
All my APICs have a docker0 interface with the same IP address 172.17.0.1/16. This subnet is in the production network VLAN 100 and causes a problem for VLAN 100 to access the APIC because the route was wrong.
Question: How do I change the APICs' docker0 IP address? I would prefer to change them to a loopback address like 127.0.0.2
Thanks,
06-13-2017 09:08 AM
Trinh,
I will take a look in our lab, but at the moment I am unaware of a method to change the docker0 address.
With that said, what type of service is the APIC trying to reach and what is its path through ACI fabric?
Are you using in-band management and you are expecting the APIC to reply using the VICs/in-band EPG to reach some external Endpoint sourced traffic within the 172.17.0.1/16 subnet?
-Gabriel
06-13-2017 09:16 AM
Gabriel,
I am using the OOBMGMT interface. This service is for management only, nothing wrong in ACI. I have a TACACS server in 172.17.0.0 that cannot be reached by any of the APICs.
Note that all three APICs have the same docker0 IP address 172.17.0.1
external@APIC1:~> ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
RX packets 128 bytes 8576 (8.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2345321 bytes 98503674 (93.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Thanks for looking at this.
Regards,
_Trinh
06-13-2017 10:28 AM
Trinh,
I just got confirmation from our development team that it is not configurable at this point. I will file an enhancement to allow that to happen in the future.
As for immediate solutions, I am assuming it is not possible to change the address of the TACACS service that is on the 172.17.0.0/16 subnet outside of ACI?
Also, could you please send me the output of the following (if acceptable), otherwise please open an SR to send over this info:
>route -rm
>arp -an
>the address of your TACACS server
Thanks,
Gabriel
06-13-2017 11:24 AM
Gabriel,
No, changing the TACACS IP address is not an option.
These are the outputs of the commands with some IPs and MACs masked out:
IP address of TACACS is 172.17.N.M (it is in the arp table)
external@APIC1:~> route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.X.Y.1 0.0.0.0 UG 16 0 0 oobmgmt
10.1.0.0 10.1.0.30 255.255.0.0 UG 0 0 0 bond0.3961
10.1.0.30 0.0.0.0 255.255.255.255 UH 0 0 0 bond0.3961
169.254.1.0 0.0.0.0 255.255.255.0 U 0 0 0 teplo-1
169.254.254.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.X.Y.0 0.0.0.0 255.255.255.0 U 0 0 0 oobmgmt
external@APIC1:~> arp -an
? (172.31.10.145) at xxxxxxxxxx [ether] on oobmgmt
? (172.31.10.181) at xxxxxxxxxx [ether] on oobmgmt
<output omit>..
? (172.17.N.M) at <incomplete> on docker0
? (172.31.10.131) at xxxxxxxxxx [ether] on oobmgmt
external@APIC1:~>
Thanks again.
_Trinh
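The routing behaviour visible in the output above, as an added example that is not part of any post in this thread: a longest-prefix-match lookup over a route table shows why a management host inside 172.17.0.0/16 is sent to docker0 instead of the oobmgmt default gateway. The masked 172.X.Y values are replaced with constructed documentation-range stand-ins (192.0.2.0/24), the target addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the `route` output in the thread; masked
# values (172.X.Y.*) are replaced with documentation-range stand-ins.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway      Genmask         Flags Metric Ref Use Iface
default         192.0.2.1    0.0.0.0         UG    16     0   0   oobmgmt
10.1.0.0        10.1.0.30    255.255.0.0     UG    0      0   0   bond0.3961
169.254.1.0     0.0.0.0      255.255.255.0   U     0      0   0   teplo-1
169.254.254.0   0.0.0.0      255.255.255.0   U     0      0   0   lxcbr0
172.17.0.0      0.0.0.0      255.255.0.0     U     0      0   0   docker0
192.0.2.0       0.0.0.0      255.255.255.0   U     0      0   0   oobmgmt
"""

def parse_routes(text):
    """Parse `route` style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the banner and the column header
        if fields[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        routes.append((net, fields[1], fields[7]))
    return routes

def lookup(routes, addr):
    """Return the most specific matching route (longest prefix wins)."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def shadowed_by(routes, addr, local_only=("docker0", "lxcbr0")):
    """Name the host-local bridge that captures traffic to addr, else None."""
    best = lookup(routes, addr)
    return best[2] if best and best[2] in local_only else None

if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for target in ("172.17.5.10", "172.18.5.10"):  # constructed addresses
        net, gw, iface = lookup(routes, target)
        print(f"{target}: {net} via {iface}, shadowed by {shadowed_by(routes, target)}")
```

The connected /16 on docker0 is more specific than the default route, so traffic for any address in that range never leaves the host; this matches the `<incomplete>` ARP entry on docker0 in the output above.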
06-28-2017 02:47 PM
This issue is now tracked under bug ID CSCve84297. No workaround.
01-03-2018 03:57 AM
Hello All,
Did we manage to get a solution for this? I'm facing a similar challenge where our resources are in the 172.17.0.0/16 subnet, as is the docker subnet in the APIC setup.
@Trinh Nguyen wrote:
This issue is now tracked under bug ID CSCve84297. No workaround.
Regards,
Lalit
12-04-2018 11:21 PM
Hi All,
Old post, but I think it's still relevant!
The docker0 interface in APIC continues to hold 172.17.0.0/16 (last checked in 3.2(3O)), keeping users from accessing their mgmt network in that private segment.
The only known workaround for this is to have the docker0 interface IP changed by TAC.
It requires root access, which only TAC has.
The procedure is the same as changing an interface IP in Linux; users just don't have root access.
Thanks,
Jayesh
***Rate all Helpful Responses***