Vcenter / APIC integration question

Networker_eg
Level 1

When you create a VMM domain on one APIC and you have 3 APICs, which APIC will push config to vCenter, and what happens if this APIC fails?


5 Replies

Robert Burns
Cisco Employee

Networker_eg,

All APICs will establish persistent TCP listener sockets to vCenter, in order to receive any inventory updates or connection changes. One APIC per VMM domain will be elected by the cluster as the Leader/Master. The Leader is responsible for pushing config from the APIC to vCenter. You can determine this from a simple CLI command. The config connection sockets are non-persistent, only brought up when config changes are made & pushed, then torn down.

Determining which APIC is the master controller for the VMM domain

From any APIC, issue:

  • bash
  • cat /debug/<apic-name>/vmmmgr/comp/prov-VMware/ctrlr-\[<vmm domain name>\]-<ctrlr-name>/info/mo | grep Role

Ex.

apic3# bash

admin@apic3:~> cat /debug/apic3/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic2/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic1/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : Leader

Should the elected "Leader" ever fail, another Leader will be elected from the remaining Cluster members.

Verifying Established Listener Sockets

If you want to verify the listener sockets on each APIC, you can use netstat to do so.

netstat -l | grep VC_IP_Address

Ex.

apic2# netstat -l | grep 192.168.1.34
tcp        0      0 192.168.1.2:36338        192.168.1.34:https         ESTABLISHED
apic2#

Let me know if you have any other questions!

Regards,

Robert
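Robert's procedure checks each APIC by hand. The following script, added here and not part of the thread, runs the same "grep Role" check over every APIC under a debug root and flags the two states worth alerting on: no Leader for the VMM domain, or more than one. It assumes the /debug/<apic>/vmmmgr/... layout shown above and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: run Robert's "cat .../info/mo | grep Role"
# check over every APIC's debug tree in one go and flag what a hand check can miss:
# no Leader for the VMM domain, or more than one. Assumes the /debug/<apic>/vmmmgr/...
# layout shown above; the sample tree is constructed here so it runs offline.

# Print the CurrentRole value from one mo file (Leader / NonLeader / unknown).
role_of() {
  awk -F':' '/^CurrentRole/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; f = 1 }
             END { if (!f) print "unknown" }' "$1"
}

# Print the name of the single Leader APIC for <domain>/<controller> under debug
# root $1. Exit status 1 if no APIC is Leader, 2 if more than one claims to be.
vmm_leader() {
  root=$1 domain=$2 ctrlr=$3 leader='' n=0
  for d in "$root"/*/; do
    apic=$(basename "$d")
    # The directory really is ctrlr-[<domain>]-<ctrlr>; the \[ \] in the
    # interactive examples only keep the shell from treating [ ] as a glob.
    mo="$d/vmmmgr/comp/prov-VMware/ctrlr-[$domain]-$ctrlr/info/mo"
    [ -f "$mo" ] || continue
    if [ "$(role_of "$mo")" = Leader ]; then leader=$apic; n=$((n + 1)); fi
  done
  [ "$n" -eq 0 ] && return 1
  [ "$n" -gt 1 ] && return 2
  printf '%s\n' "$leader"
}

# Build a constructed three-APIC debug tree for the thread's domain/controller
# (AVS-roberbur-LS / VCA); each APIC named as an argument is written as Leader.
make_sample_tree() {
  leaders=" $* "
  root=$(mktemp -d)
  for a in apic1 apic2 apic3; do
    dir="$root/$a/vmmmgr/comp/prov-VMware/ctrlr-[AVS-roberbur-LS]-VCA/info"
    mkdir -p "$dir"
    case "$leaders" in *" $a "*) r=Leader ;; *) r=NonLeader ;; esac
    printf 'CurrentRole                : %s\n' "$r" > "$dir/mo"
  done
  printf '%s\n' "$root"
}

# Stand-alone demo: healthy cluster, then a tree with no Leader at all.
# On a real APIC bash shell you would call: vmm_leader /debug <domain> <ctrlr>
vmm_leader "$(make_sample_tree apic1)" AVS-roberbur-LS VCA        # prints apic1
vmm_leader "$(make_sample_tree)" AVS-roberbur-LS VCA || echo "no Leader (rc=$?)"
```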

Thanks Robert, got to check moquery more.

Another question, if I may:

My customer is asking: once the DVS is created in vCenter, is there any way we can deny vCenter admins from changing the VMM-domain DVS config?

Thanks in advance

The vCenter account used by the APIC needs permission to create & manage the vDS. Most people use the default vCenter administrator/root account for this, which is pretty unrestricted, but you can also use a custom user role with the necessary permissions.

Since the credentials the APIC uses are simply a vCenter account, we can't restrict any access from our (ACI) side. It would have to be done on the vCenter side.

If you really wanted to ensure your VMware admins "can't touch" the APIC-managed vDS, you could do the following.

- Create a separate "vc-admin" account with global "admin" permissions.

- Create a separate "apic-admin" account with the global min. permissions defined below.

- Using the root/administrator account, remove the permission "inheritance" on the vDS folder, then change the permission to "read-only".

- Toss away/secure the default administrator/root account.

Here's a link to the permissions (minimum) that a vCenter custom user role would need to manage & deploy a vDS:  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_chapter_1_2_1x_0300.html#concept_4954018D4D4943BBBB565949752BA1F9

Robert

Thank you Robert

Your answers and swift support are much appreciated.

Regards

Amr

Hi Robert, great explanation. So from what I understand, it is always the APIC that initiates a connection to vCenter. Is there any use case where vCenter initiates a connection to the APIC?
