
Read-Only VMM Domain

aertural1

Hi all,

 

What is the purpose of having a read-only VMM domain and attaching it to an EPG?

 

Only benefit mentioned in configuration guide is being able to see the vCenter inventory. Is there more to that?

 

Thanks.


RedNectar

Hi aertural1,

This turned out to be a bit more complicated to answer than I originally thought - so let me begin with a backgrounder that might help readers who are not that familiar with VMM Domains - this allows me to refer back to this section later:

Backgrounder

As you probably know, a regular VMM Domain has two jobs in ACI

  1. It holds the credentials to a vCenter instance somewhere, and uses those credentials to log into that vCenter and create
    1. a Folder in that vCenter in the given Datacenter (created with the same name as the VMM Domain)
    2. a VMware Distributed Switch (VDS) for that vCenter (also created with the same name as the VMM Domain)
      • Note: The above is important to understand when I discuss Read Only VMM Domains later
  2. It provides a link between:
    1. a set of physical ports where ESXi hosts that are being managed by that vCenter are attached; and
    2. a dynamic range of VLANs (or VXLANs) in a pool that can be allocated on demand; and
    3. the EPGs that ultimately have EPs that attach via the VDS in those ESXi hosts

When you associate an EPG with a VMM Domain, ACI creates a portgroup on the VDS using a VLAN from the VLAN pool. Now any VMs that are added to that portgroup are automatically members of the EPG.

Now on to Read Only VMM Domains 

Read Only VMM Domains 

It is quite possible, and even likely that there are other vCenter instances within the organisation that are NOT associated with ACI.

So what if you want to map those existing VMs to EPGs in ACI?

The idea of the "read-only" VMM is to allow you to add login credentials for a vCenter you wish to see information about under ACI's  Virtual Networking tab, but without actually creating a VDS - in fact, to make Read-only VMM Domains work, you have to:

  1. manually go to vCenter and create a Folder with the same name as the VDS you wish to use in your Read-only VMM Domain
  2. Place that DVS in this folder
  3. use the exact same name as the VDS to create your Read-only VMM Domain
    • In other words, you've simulated what the normal VMM Domain does
  4. Make sure the VMM Domain is in an Access Policy Chain that defines
    1. a set of physical ports where ESXi hosts that are being managed by that vCenter are attached; and
    2. a STATIC range of VLANs in a DYNAMIC pool - these VLANs are the ones you have already MANUALLY assigned to the portgroups in your VDS

Now this is where things get different, and I have to admit I may not have the detail quite right - if I get a chance to test it I'll edit this response and verify

You still associate the EPG with the VMM Domain, but you now have to manually assign the VLAN to the EPG as a static mapping (at least that's my understanding)

The end result is that it gives you a way of integrating existing DVSs with ACI, but not the flexibility of dynamically assigned VLANs.

I hope this helps


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem


 

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Firstly, thanks a lot for a quick reply.

I tested it in our lab; I did the exact things until the last step. I could not find a way to associate a VLAN pool with the read-only VMM domain, since, while creating a read-only VMM domain, it does not let you choose a VLAN pool. Hence, when I attach the VMM domain to the EPG, it gives the fault with F0565 code: "Deployment of EPG uni/tn-TTT/ap-AAA/epg-EEE failed on domain READ_ONLY_TEST due to No valid encapsulation identifier allocated for the epg."

Hi Aertural,

 

Just one thing you can quickly check, while attaching read only VMM domain to your EPG there should be encap section where you can manually assign vlan id.

 

Regards,

Jayesh

 

 


@Jayesh Singh  wrote:

Hi Aertural,

 

Just one thing you can quickly check, while attaching read only VMM domain to your EPG there should be encap section where you can manually assign vlan id.

 

Regards,

Jayesh

 

 


Hi,

 

Yes, there is. However, when a vlan-id is statically assigned, it gives above fault (F0565). If you do not assign any vlan-id, everything seems OK (no faults), but it has no use.

 

Regards.

Have you created a static VLAN pool, and is that VLAN ID added to that VLAN pool?

Yes, I have created a VLAN pool. But there is no way to associate the VLAN pool with the read-only VMM domain.

Hi Aertural,

I am getting the same result in my lab.

 

Just a theory, read only vmm domain is for visibility of vmm inventories. ACI can't push any config on the DVS. So that means, servers have to be onboarded just like physical servers with static port binding in EPG.

 

I think you need to do static port binding in the EPG with the ports which are connecting to the server. The VLAN ID corresponding to the port group has to be configured during static port binding. Also, a physical domain has to be attached to the EPG.

 

Sorry I am replying from mobile device so not able to share detailed steps.

 

Regards,

Jayesh

 

Wow. This is getting interesting. I won't have time today (or tomorrow probably) to test this. Hopefully on Thursday I'll have a chance.  In theory, it SHOULD be able to be done:

"You can associate an EPG to the VMM domain and configure policies for it. " (https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_011.html#concept_pms_xtn_wcb)

So if you can configure policies, you must be able to link the policies by VLAN association - unless it links the policies by some other means. Perhaps EPG Name=Port Group Name? But that's a long shot.

RedNectar aka Chris Welsh.
