08-08-2023 02:43 AM - edited 08-08-2023 02:46 AM
Dear All,
Requesting help to know the steps and process for checking/troubleshooting the communication status between 02 IPs (in same EPGs) with specific ports. Below are some scenarios.
As I know, this can be done using APIC CLI. Kindly share the relevant CLI for all given scenarios.
1) Scenario-1 : When Source and Destination IPs are in same EPG (same VRF and same tenant).
Source EPG : EPG-1 (in VRF-1 , Tenant-1)
Source IP : 10.10.10.100
Destination EPG : EPG-1 (in VRF-1 , Tenant-1)
Destination IP: 10.10.10.200
Destination Port : TCP-8443
++++++++++++++++++++++++++++++++++++++++++
2) Scenario-2 : When Source and Destination IPs are in different EPG but in same VRF (same tenant).
Source EPG: EPG-1 (in VRF-1 , Tenant-1)
Source IP: 10.10.10.100
Destination EPG : EPG-10 (in VRF-1 , Tenant-1)
Destination IP: 192.168.10.100
Destination Port : TCP-8443
+++++++++++++++++++++++++++++++++++++++++
3) Scenario-3 : When Source and Destination IPs are in different EPG in different VRF (in same tenant).
Source EPG: EPG-11 (in VRF-11 , Tenant-1)
Source IP: 10.10.10.100
Destination EPG : EPG-21 (in VRF-21 , Tenant-1)
Destination IP: 10.150.100.100
Destination Port : TCP-8443
+++++++++++++++++++++++++++++++++++++++++
4) Scenario-3 : When Source and Destination IPs are in different tenant altogether.
Source Tenant: Tenant-1
Source IP: 10.10.10.100
Destination Tenant : Tenant-2
Destination IP: 10.130.200.200
Destination Port : TCP-8443
08-08-2023 02:47 PM - edited 08-08-2023 02:47 PM
Hi @netbeginner ,
Q1: Is this a REAL problem, or a problem posed in some assignment/assessment/interview preparation?
Assuming it is a genuine question, let me start by saying you are missing a FUNDAMENTAL concept in ACI.
You see, ACI creates a MODEL. A blueprint. You can't live in a blueprint of a house, you have to wait until that house is built from the blueprint.
What you have given us is a blueprint, and until you tell me exactly what interfaces on what leaf switches the endpoints are in your scenarios, and what VLAN tags will be on traffic coming from those endpoints, you have virtually nothing you can troubleshoot from CLI for the BLUEPRINT.
The best place to find errors in the BLUEPRINT is actually the ACI GUI. But since you asked for CLI - here it is - just one command. show running-config
And below is what you'd expect to see for Scenario#1 above, with some assumptions made about BD names, BD IP addresses and Application Profile names. And since it is Best Practice to NOT use hyphens-dashes in names, I've replaced yours with underscores_
apic1# show running-config tenant Tenant_1
# Command: show running-config tenant Tenant_1
  tenant Tenant_1
    vrf context VRF_1
      exit
    bridge-domain BD_1
      vrf member VRF_1
      exit
    application AppProf_1
      epg EPG_1
        bridge-domain member BD_1
        set qos-class level3
        exit
      exit
    interface bridge-domain BD_1
      ip address 10.10.10.1/24 secondary
      mac-address 00:22:BD:F8:CC:BD
      exit
    exit
Notice that there is no reference to TCP port 8843, because the two EPs are in the same EPG, so there is no need for any filters or contracts for them to communicate. Also note that the commands "set qos-class level3" and "mac-address 00:22:BD:F8:CC:BD" are added by the system.
WARNING - do not ever use the CLI to create stuff in ACI
So if you really want to do real CLI troubleshooting, you'll need to tell me what leaves and interfaces and VLAN IDs have been assigned to enable the endpoints in your scenarios.
Oh - there's also the Access Policy Chain that needs to be configured for the physical ports involved too, but I'm happy to assume that there is an Access Policy Chain for the relevant ports and your EPG(s) are linked to the relevant Domain in that Access Policy Chain.
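An added example, not part of the original answer and not Cisco tooling: a Python script that parses the tenant config quoted in the answer above and reports which bridge-domain subnet, VRF and member EPGs an IP address maps to in the configured model. The names parse_model and locate are hypothetical, the input is a constructed copy of that output, and the result describes the model only, not where an endpoint is actually attached.

```python
import ipaddress

# Constructed input: the tenant config quoted in the answer above.
CONFIG = """\
tenant Tenant_1
  vrf context VRF_1
    exit
  bridge-domain BD_1
    vrf member VRF_1
    exit
  application AppProf_1
    epg EPG_1
      bridge-domain member BD_1
      set qos-class level3
      exit
    exit
  interface bridge-domain BD_1
    ip address 10.10.10.1/24 secondary
    mac-address 00:22:BD:F8:CC:BD
    exit
  exit
"""

def parse_model(text):
    """Map each bridge domain to its VRF, subnets and member EPGs."""
    bds, stack = {}, []  # stack = names of the currently open config contexts
    entry = lambda n: bds.setdefault(n, {"vrf": None, "subnets": [], "epgs": []})
    for words in (l.split() for l in text.splitlines() if l.strip()):
        head = words[:2]
        if words[0] == "exit":
            del stack[-1:]  # leave the innermost context (safe when empty)
        elif head == ["vrf", "member"]:
            entry(stack[-1])["vrf"] = words[2]
        elif head == ["bridge-domain", "member"]:
            entry(words[2])["epgs"].append(stack[-1])
        elif head == ["ip", "address"]:
            entry(stack[-1])["subnets"].append(ipaddress.ip_interface(words[2]).network)
        elif head in (["vrf", "context"], ["interface", "bridge-domain"]):
            stack.append(words[2])
        elif words[0] in ("tenant", "bridge-domain", "application", "epg"):
            stack.append(words[1])
    return bds

def locate(bds, ip):
    """Return (bd, vrf, epgs) for the BD subnet containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, bd in bds.items():
        if any(addr in net for net in bd["subnets"]):
            return name, bd["vrf"], bd["epgs"]
    return None
```

Calling locate(parse_model(CONFIG), "10.10.10.100") and the same for 10.10.10.200 returns the same bridge domain, VRF and EPG list for both Scenario-1 addresses, while an address outside every configured subnet returns None.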