
[Study] Question about Domains

BertiniB
Level 1

Hello, I am initiating my learnings with Cisco ACI since it's both an exciting technology and also required at work.

For context, I am trying to connect to ACI a UCS C220 running ESXi with vCenter using vPC. I was originally creating a Physical Domain, associating a VLAN Pool with Static VLANs and attaching an AAEP. After that I would create a VMM Domain, associate a VLAN Pool with Dynamic VLANs and attach a different AAEP. Then I would create the vPC Policy group and select the interface, then attach the AAEP. But this didn't work. I am seeing the process wrongly. I was hoping I could get a better explanation here if someone could help.

In this example, do I need a Physical Domain for the cabling and a VMM Domain for the ESXi? Or do I only need the VMM Domain?

I got this explanation from a source I can't trust (Chat GPT haha), is it correct?

Question:

Speaking to someone who is rather new to ACI and Data Centers. To connect a rack server running ESXi which is being orchestrated by a vCenter. I would only create a VMM Domain, attach a VLAN Pool with Dynamic VLANs and an AAEP, and that same AAEP I would use to link to the vPC Policy Group and Port Selector, right?
 
 
ChatGPT
 

"Yes, you've got the basic flow correct for integrating an ESXi server into a Cisco ACI fabric when orchestrated by vCenter. I'll break this down step by step for clarity:

  1. VMM Domain Creation:

    • Create a VMM domain in ACI.
    • Associate this VMM domain with your vCenter by providing the vCenter credentials. This allows ACI to communicate with vCenter and manage the Distributed Virtual Switch (DVS) within VMware.
  2. VLAN Pool:

    • Attach a VLAN Pool to the VMM domain with dynamic allocation. This pool provides the VLANs that the DVS will use to tag VM traffic.
  3. Attachable Access Entity Profile (AAEP):

    • This is a construct in ACI that allows you to map the physical infrastructure to the logical setup. You will create an AAEP and associate your VMM domain with this AAEP.
  4. Policy Group and Port Selector:

    • Create an interface policy group (like a vPC policy group if you're using vPC for redundancy).
    • Attach your AAEP to this policy group.
    • Create an interface profile, and within it, create a port selector that selects the ports where your ESXi servers are connected. Apply the vPC policy group to this port selector.

This way, the physical ports where your ESXi servers are connected are now associated with the VMM domain via the AAEP, and traffic from VMs will be dynamically tagged based on the VLANs from the VLAN pool you associated with the VMM domain.

Remember, ACI's policy-driven approach might seem complex initially, but it provides a lot of flexibility and scalability. Once you get used to the workflow, it becomes a powerful tool for managing network configurations in a data center environment."

 

Accepted Solutions

RedNectar
VIP Alumni

Hi @BertiniB ,

I'd give your ChatGPT answer an 8/10 given the way you ASKED the question. One mark would be deducted for telling you to attach things the wrong way around - especially the VLAN Pool, another for not telling you how to link the VMM domain to your logical Tenant construction.

I was also going to deduct 1 mark for not mentioning the Physical Domain vs VMM Domain option (as explained by @mvankleij ), but given the way you asked the question, that would be unfair - however, the Physical Domain option is the alternative you must choose if you don't have the correct licensing for vCenter (that allows for the creation of VMware Distributed Switches).

Here's what the answer should have been for 10 marks.


"Yes, you've got the basic flow correct for integrating an ESXi server into a Cisco ACI fabric when orchestrated by vCenter. I'll break this down step by step for clarity:

  1. VLAN Pool:

    • Create a VLAN Pool for the VMM domain with dynamic allocation. This pool provides the VLANs that the DVS will use to tag VM traffic.

  2. VMM Domain Creation:

    • Create a VMM domain in ACI.
    • Associate this VMM domain with your vCenter by providing the vCenter credentials. This allows ACI to communicate with vCenter and manage the Distributed Virtual Switch (DVS) within VMware.
    • Attach the VLAN Pool created in step 1 to the VMM domain with dynamic allocation. This pool provides the VLANs that the DVS will use to tag VM traffic.
  3. Attachable Access Entity Profile (AAEP):

    • This is a construct in ACI that allows you to map the physical infrastructure to the logical setup. You will create an AAEP and associate your VMM domain with this AAEP.
  4. Policy Group and Port Selector:

    • Create an interface policy group (like a vPC policy group if you're using vPC for redundancy).
    • Attach your AAEP to this policy group.
    • If using ACI prior to APIC version 5.2(7g)
      • Create an interface profile, and within it, create a port selector that selects the ports where your ESXi servers are connected. Apply the vPC policy group to this port selector.
    • If using ACI with APIC version 5.2(7g) or later
      • Use the Interface Configuration wizard found under Fabric > Access Policies to associate the VPC Interface Policy Group to the appropriate VPC Leaf Switch Pair

This way, the physical ports where your ESXi servers are connected are now associated with the VMM domain via the AAEP, and traffic from VMs will be dynamically tagged based on the VLANs from the VLAN pool you associated with the VMM domain once you have associated your relevant EPGs within your Tenant with the VMM Domain.

Remember, ACI's policy-driven approach might seem complex initially, but it provides a lot of flexibility and scalability. Once you get used to the workflow, it becomes a powerful tool for managing network configurations in a data center environment."

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
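
The chain discussed in this thread (vPC policy group → AAEP → domain → VLAN pool, plus the EPG-to-domain association) can be checked mechanically. The following is an added example, not part of any post above and not Cisco code: it audits a simplified, constructed policy model, and every object name in it (`VMM_DC1`, `AAEP_VMM`, `VPC_ESX1`, `WEB`, ...) is hypothetical. It assumes the vPC policy group in the original attempt was attached to the AAEP holding only the physical domain.

```python
# Added example: simplified, constructed model of ACI access-policy links.
# All object names below are hypothetical and do not come from a real fabric.

def audit(policy, epg, policy_group):
    """Return the reasons the EPG cannot deploy on ports behind policy_group."""
    problems = []
    aaep = policy["policy_groups"].get(policy_group)
    on_ports = set(policy["aaeps"].get(aaep, []))  # domains reachable via the AAEP
    epg_domains = policy["epgs"].get(epg, [])
    if aaep is None:
        problems.append(f"{policy_group}: no AAEP attached")
    if not epg_domains:
        problems.append(f"{epg}: not associated with any domain")
    for name in epg_domains:
        dom = policy["domains"][name]
        pool = policy["vlan_pools"].get(dom.get("pool"))
        if name not in on_ports:
            problems.append(f"{name}: not in AAEP {aaep} used by {policy_group}")
        if pool is None:
            problems.append(f"{name}: no VLAN pool attached")
        elif dom["kind"] == "vmm" and pool["alloc"] != "dynamic":
            problems.append(f"{name}: VMM domain needs a dynamic VLAN pool")
    return problems

def build(pg_aaep, epg_domains):
    """Constructed sample policy; only the two links under test vary."""
    return {
        "vlan_pools": {"POOL_DYN": {"alloc": "dynamic"},
                       "POOL_STAT": {"alloc": "static"}},
        "domains": {"VMM_DC1": {"kind": "vmm", "pool": "POOL_DYN"},
                    "PHYS_ESX": {"kind": "phys", "pool": "POOL_STAT"}},
        "aaeps": {"AAEP_VMM": ["VMM_DC1"], "AAEP_PHYS": ["PHYS_ESX"]},
        "policy_groups": {"VPC_ESX1": pg_aaep},
        "epgs": {"WEB": epg_domains},
    }

if __name__ == "__main__":
    cases = {
        "two AAEPs, ports on the physical one": build("AAEP_PHYS", ["VMM_DC1"]),
        "EPG never linked to the VMM domain": build("AAEP_VMM", []),
        "complete chain": build("AAEP_VMM", ["VMM_DC1"]),
    }
    for label, policy in cases.items():
        print(f"{label}: {audit(policy, 'WEB', 'VPC_ESX1') or 'OK'}")
```
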


mvankleij
Cisco Employee

Hi BertiniB,

It depends on what kind of connection you want to achieve with the ESXi server. There are multiple ways to connect a VMware environment to ACI:

  1. VMM integration
  2. Port bindings (trunking)

VMM integration means that the APIC communicates with the vSphere server to provision a VDS and configure port-groups on that. The APIC selects the vlan encap needed for that and provisions it on the relevant ports. For this you need a VMM domain and need to provide this to the ports you use to connect to the ESXi servers via an AAEP. The process is described on the following page: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/virtualization/Cisco-ACI-Virtualization-Guide-42x/Cisco-ACI-Virtualization-Guide-421_chapter_011.html

The other option is that you configure vlans on a trunk port which is connected to an ESXi server. This is similar to the way you would do it on classical switches. In this case you need a physical domain with an "on the wire" vlan pool. You create an AAEP in which the physical domain is used. Then you can choose whether to map an EPG to each port configured with the AAEP, or manually create static port bindings under the EPG. Whatever works best for you. In this case you don't need a VMM domain, but the APIC will _not_ configure the VDS and port-groups.

So I could assign the interfaces directly under the EPG configuration instead of going to Access Policies, creating a Policy Group of the type of interface and attaching the AAEP used with the Physical Domain?

BertiniB
Level 1

Thanks @RedNectar and @mvankleij for the replies. I think I caught the grasp of it now. It is a shame that my hardware here doesn't support ACI 6.0 and later, but I will continue my studies.
