Ask the Expert: Application Centric Infrastructure with Daniel Pita

ciscomoderator
Community Manager

Learn and ask general questions about ACI fabric bringup, basic configuration, technical operation, and some options for integrating ACI with your existing network with Cisco Expert, Daniel Pita.

December 8th through December 19, 2014

Daniel Pita is a Customer Support Engineer in Cisco TAC who has been working with ACI for the past 8 months. Daniel holds a Master of Science degree in Telecommunications and Network Engineering from Florida International University. Prior to joining Cisco, Daniel was a Project Manager for his alma mater in the Planning and Design Services department, where he managed the physical network infrastructure for all the university campuses' existing buildings, renovations, and new constructions from groundbreaking to occupancy.

Remember to use the rating system to let Daniel know if you have received an adequate response.

This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.


16 Replies

huangedmc
Level 3

hi Daniel,
Could you please tell us the main differences between Cisco ACI and VMware NSX, and how ACI could be a better choice?

thanks,
Kevin

Hello

Thanks for the question! I will have to research the answer for you since it is not really a technical question about ACI more of a marketing question and out of the scope of this session. Rest assured, I will reply with a suitable answer!

Initially, I can tell you that NSX focuses on virtualization of network hardware, which means additional physical hardware has to be integrated into NSX to allow physical endpoints to be connected and communicate into NSX.

On the contrary, ACI uses stateless physical hardware which can natively integrate with multiple hypervisors, L4-L7 devices (physical and virtual), and physical endpoints/servers right out of the box!

I will continue into the research and reply to the post. Thanks for participating! Have a nice day.  

Hi Daniel,

Is there a step-by-step guide on how to put 4x10G interfaces into a vPC? With REST API calls as well? Best practice... set up link level, BPDU guard, etc., the whole process and not just a quick start.

Thanks.

-lmn


Hi Luan

I don't believe there is an external document that covers your exact question. I can give you a high level overview, with this reply, of the concepts. With some more time I can provide an outline of the policies needed in the GUI and a series of POST calls to accomplish the same configuration. 

Just as a general point of interest, the port channels in the vPC are created and bundled based on the interface policy group assigned to the interface selector block. In your question, the 4x10G interfaces will take the same vPC interface policy group. 

I will work on the outline of the steps as well as a POST call for you. 

Thanks for participating!
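The reply above describes the relationship (interface policy group assigned to an interface selector block, with the same vPC group shared by all four ports) but the promised POST call never appears in the thread. The following is an added example, not code from the thread or from Cisco: a Python script that assembles that policy tree as one REST payload and can push it to an APIC. The class and attribute names (infraAccBndlGrp, infraHPortS, infraNodeBlk, fabricExplicitGEp, and so on) follow the ACI object model as the author of this example understands it; the leaf IDs, port numbers, policy names, AEP name and APIC URL are constructed placeholders and should be replaced for a real fabric.

```python
"""Build a vPC interface policy group for 4x10G leaf ports and POST it to APIC.

Added example, not from the original thread. Object class and attribute names
follow the ACI management information tree as understood by the author of this
example; leaf IDs, ports, policy names, the AEP and the APIC URL are constructed.
"""
import json
import ssl
import urllib.request

# Constructed sample: two vPC peer leafs, slot 1 ports 1-2 on each (4 x 10G total).
LEAF_PAIR = (101, 102)
VPC_DOMAIN_ID = 101
PORT_RANGE = (1, 2)          # fromPort / toPort on slot 1 of each leaf
BUNDLE_NAME = "vpc_srv01"    # the one interface policy group every port references
AEP_NAME = "aep_servers"     # attachable entity profile assumed to exist already


def link_level_policy(name="ll_10G"):
    """Link-level policy: fixed 10G with autonegotiation on (constructed values)."""
    return {"fabricHIfPol": {"attributes": {"name": name, "speed": "10G", "autoNeg": "on"}}}


def lacp_policy(name="lacp_active"):
    return {"lacpLagPol": {"attributes": {"name": name, "mode": "active"}}}


def stp_policy(name="stp_bpduguard"):
    """BPDU guard on host-facing bundle ports so a rogue switch cannot join STP."""
    return {"stpIfPol": {"attributes": {"name": name, "ctrl": "bpdu-guard"}}}


def vpc_policy_group(name, ll, lacp, stp, aep):
    """lagT='node' makes the bundle a vPC across two leafs ('link' would be a plain PC)."""
    return {"infraAccBndlGrp": {
        "attributes": {"name": name, "lagT": "node"},
        "children": [
            {"infraRsHIfPol": {"attributes": {"tnFabricHIfPolName": ll}}},
            {"infraRsLacpPol": {"attributes": {"tnLacpLagPolName": lacp}}},
            {"infraRsStpIfPol": {"attributes": {"tnStpIfPolName": stp}}},
            {"infraRsAttEntP": {"attributes": {"tDn": f"uni/infra/attentp-{aep}"}}},
        ]}}


def interface_profile(name, port_from, port_to, bundle):
    """Interface selector block; every port in the block takes the same bundle group."""
    return {"infraAccPortP": {
        "attributes": {"name": name},
        "children": [{"infraHPortS": {
            "attributes": {"name": f"{name}_sel", "type": "range"},
            "children": [
                {"infraPortBlk": {"attributes": {"name": "blk1", "fromCard": "1", "toCard": "1",
                                                  "fromPort": str(port_from), "toPort": str(port_to)}}},
                {"infraRsAccBaseGrp": {"attributes": {"tDn": f"uni/infra/funcprof/accbundle-{bundle}"}}},
            ]}}]}}


def switch_profile(name, leafs, ifprof):
    """Switch profile selecting both vPC peers and attaching the interface profile."""
    return {"infraNodeP": {
        "attributes": {"name": name},
        "children": [
            {"infraLeafS": {"attributes": {"name": f"{name}_leafs", "type": "range"},
                            "children": [{"infraNodeBlk": {"attributes": {
                                "name": "blk1", "from_": str(min(leafs)), "to_": str(max(leafs))}}}]}},
            {"infraRsAccPortP": {"attributes": {"tDn": f"uni/infra/accportprof-{ifprof}"}}},
        ]}}


def vpc_domain(domain_id, leafs):
    """Explicit vPC protection group pairing the two leafs (uni/fabric/protpol)."""
    return {"fabricProtPol": {"attributes": {"name": "default"}, "children": [
        {"fabricExplicitGEp": {"attributes": {"name": f"vpc_{leafs[0]}_{leafs[1]}", "id": str(domain_id)},
                               "children": [{"fabricNodePEp": {"attributes": {"id": str(n)}}} for n in leafs]}}]}}


def build_payload():
    """Whole tree under polUni, so one POST to /api/mo/uni.json configures everything."""
    infra_children = [link_level_policy(), lacp_policy(), stp_policy(),
                      vpc_policy_group(BUNDLE_NAME, "ll_10G", "lacp_active", "stp_bpduguard", AEP_NAME),
                      interface_profile("ifp_srv01", *PORT_RANGE, BUNDLE_NAME),
                      switch_profile("swp_101_102", LEAF_PAIR, "ifp_srv01")]
    return {"polUni": {"attributes": {}, "children": [
        {"infraInfra": {"attributes": {}, "children": infra_children}},
        {"fabricInst": {"attributes": {}, "children": [vpc_domain(VPC_DOMAIN_ID, LEAF_PAIR)]}}]}}


def find_class(node, cls):
    """Walk the payload tree and return the attribute dict of every object of class cls."""
    found = []
    if isinstance(node, dict):
        for key, body in node.items():
            if key == cls:
                found.append(body.get("attributes", {}))
            if isinstance(body, dict):
                found.extend(find_class(body.get("children", []), cls))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_class(item, cls))
    return found


def post_to_apic(base_url, user, password, payload):
    """Log in (aaaLogin, cookie-based) and POST the tree. TLS verification stays on:
    trust the APIC's CA instead of disabling checks, since this pushes fabric policy."""
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(),
                                         urllib.request.HTTPSHandler(context=ctx))
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    opener.open(urllib.request.Request(f"{base_url}/api/aaaLogin.json", data=login, method="POST"))
    req = urllib.request.Request(f"{base_url}/api/mo/uni.json", data=json.dumps(payload).encode(), method="POST")
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_payload(), indent=2))  # inspect before pushing with post_to_apic()
```

Running the script prints the payload for review; `post_to_apic("https://apic.example.invalid", "admin", "...", build_payload())` would then push it. Because all four ports sit in one `infraHPortS` block that references a single `infraAccBndlGrp` with `lagT="node"`, they land in the same vPC, which is the point the reply makes about the interface policy group.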


cooperb01
Level 1

Hi Daniel


When you create an external EPG that binds the fabric to the outside network and allows you to advertise prefixes into and out of fabric, is it possible to use the command line on the border leaf to view this type of EPG?


I know it is possible to view all application EPGs using the "show vlans" and "show endpoints" commands, but I would like to understand if it's possible to see the External EPG on the border leafs via the command line. Also, is it possible to see the MAC address table used for forwarding to the external switches?


Thanks

Ben

Hello Ben,

The external EPG is a little different in nature than a standard EPG. In your question, it seems you are referencing an external routed network. In this case, the external EPG is just a place to apply policy and which subnets from the outside to apply those policies to. 

Learning does not occur on that EPG and since the External Routed Network is not tied to a BD either, only to a Context, learning will not occur in the traditional ACI sense. Everything will be taken care of by traditional routing. Once routes are learned into the context that is how forwarding will occur. 

On the border leaf, issuing a "show ip ospf database vrf tenant:context" will show all the routes learned and advertised. "show ip route vrf tenant:context" will show the external routes as well as ACI routes. 

I just set it up in the lab and was trying to confirm if any loopback IPs I have on the routers are learned either in EPMC or in the NorthStar tables and don't see anything. This leads me to believe it's purely L3 forwarding. 

I hope this was a substantial answer to your question. If you like, I can continue to test in the lab. 

Thanks for participating! Have a nice day. 

Thanks Daniel, that helps.


What commands did you use to check the EPMC and NorthStar tables?


Ben

Hello, 

To check EPMC the "show endpoint" command can be used directly from ibash for a summarized and formatted output of the EPMC process, otherwise there is a linecard specific command to check EPMC entries. To check the Application Leaf Engine (codename NorthStar, it slipped out from habit) the "show platform internal ns forwarding <table-name>" command is used. 

Please reference this document on CSC for a wide range of useful commands:

https://supportforums.cisco.com/document/12268026/cisco-aci-cli-commands-cheat-sheet

Andrew Horrigan
Cisco Employee

Hey Daniel,

Can you explain the main differences between using an EPG on a port connected to an external device, such as a N7K, versus using an external bridged network?  I have been told that there is no functional difference right now, but that in the future, there will be a reason to do one or the other.

Thanks!,

Andrew

Hello Andrew, 

Coincidentally, this has been a discussion on my team recently. You are correct, at this time, there is no difference. When using an EPG to extend an external L2 network, a static path is created under the EPG and 1 VLAN is specified. As you may know, the EPG will provide the point of policy for that 1 VLAN being brought into the ACI fabric. Similarly, when using an External Bridge Network, each time a VLAN is to be extended, the BD is referenced, just like a standard EPG and an external VLAN is referenced, and then the path. Each time, an external L2 EPG is created in order to apply policy to that external VLAN. 

The take away from my explanation is that, at this time, 1 EPG is 1 VLAN. 

Now, if I am asked my opinion, I believe it is better to use an External L2 to extend VLANs into the fabric and not muddy the water by using a static path under a standard EPG. This way, I know that my EPG will be for endpoints attached directly to the fabric, whereas an external L2 EPG will be for VLANs from my legacy network. I like the separation and the ability to manage those VLANs in one place instead of worrying about a static path under EPGs. 

cooperb01
Level 1

Hi Daniel

How is configuration / version control managed between the APIC and L4-7 appliances used within a service graph?

It is possible to create a service graph using the ASA firewall, have the APIC apply the functions defined when the graph is built, and then change these parameters in ASDM. This means we now have inconsistency between the APIC and the ASA. The same applies to Netscalers.

Is it possible to lock appliances and only allow change from the APIC?

Ben 

Hello 

Spoke with a colleague in order to get this answer.  It does not seem there is a lock ACI can enforce on an ASA or any other 3rd party equipment.

After a L4-L7 device package is imported and configured in a service graph, it is highly recommended that the parameters that are configurable from the APIC are configured and managed through the APIC. If there does happen to be a difference at one point from the APIC to the device, then the APIC's configuration will take precedence and overwrite the configuration on the L4-L7 device. 

This rewrite will actually occur only under a few circumstances: when the device is first registered to the APIC, when the management connection to the device is lost/restored, or when an administrator manually forces a sync. 

Here is a link to the L4-L7 configuration guide for ACI. 

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy/b_L4L7_Deploy_chapter_01.html

Hope this helps! 
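Since the reply confirms there is no lock the APIC can enforce on an ASA or NetScaler, and the APIC only reasserts its configuration at registration, on management-connection loss/restore, or on a manual sync, an out-of-band change made in ASDM (Ben's scenario above) can persist until one of those events. A compensating control is to compare the APIC-rendered parameters against what the device reports and raise the differences. The script below is an added example, not code from the thread or from Cisco: a recursive configuration diff run over two constructed dictionaries standing in for the APIC intent and the device's current state. The keys and values are made-up samples, not a real ASA configuration format.

```python
"""Detect drift between what APIC pushed to an L4-L7 device and what the device reports.

Added example, not from the thread or from Cisco. Both input dicts are constructed
samples; a real run would load the APIC's rendered service-graph parameters and a
normalized export of the device's running configuration instead.
"""
from collections import Counter

# Constructed: parameters the service graph rendered onto the firewall.
APIC_INTENT = {
    "interface": {"outside": {"security-level": "0"}, "inside": {"security-level": "100"}},
    "access-list": {"web_in": ["permit tcp any host 10.0.10.20 eq 443"]},
    "logging": {"enable": "yes", "host": "10.0.0.5"},
}

# Constructed: what the device reports after someone edited it directly in ASDM.
DEVICE_STATE = {
    "interface": {"outside": {"security-level": "50"}, "inside": {"security-level": "100"}},
    "access-list": {"web_in": ["permit tcp any host 10.0.10.20 eq 443",
                               "permit tcp any host 10.0.10.20 eq 22"]},
    "logging": {"enable": "no"},
}


def find_drift(intent, observed, path=""):
    """Recursive diff of nested dicts/lists.

    Returns a list of (path, kind, intent_value, observed_value) where kind is
    'changed', 'missing-on-device' (APIC set it, device lost it) or
    'added-on-device' (present on the device, never pushed by APIC).
    """
    findings = []
    if isinstance(intent, dict) and isinstance(observed, dict):
        for key in sorted(set(intent) | set(observed)):
            sub = f"{path}/{key}"
            if key not in observed:
                findings.append((sub, "missing-on-device", intent[key], None))
            elif key not in intent:
                findings.append((sub, "added-on-device", None, observed[key]))
            else:
                findings.extend(find_drift(intent[key], observed[key], sub))
    elif isinstance(intent, list) and isinstance(observed, list):
        # Lists (e.g. ACL entries) are compared as sets of entries: order-insensitive.
        for item in intent:
            if item not in observed:
                findings.append((path, "missing-on-device", item, None))
        for item in observed:
            if item not in intent:
                findings.append((path, "added-on-device", None, item))
    elif intent != observed:
        findings.append((path, "changed", intent, observed))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'changed': 2, 'added-on-device': 1, ...}."""
    return dict(Counter(kind for _, kind, _, _ in findings))


def report(findings):
    """One human-readable line per finding, for a ticket or a SIEM event."""
    lines = []
    for path, kind, want, have in findings:
        lines.append(f"[{kind}] {path}: apic={want!r} device={have!r}")
    return lines


if __name__ == "__main__":
    drift = find_drift(APIC_INTENT, DEVICE_STATE)
    for line in report(drift):
        print(line)
    if drift:
        print(f"{len(drift)} differences; consider a manual sync from the APIC "
              "after confirming the out-of-band change was not intended.")
```

On the sample data the script flags the lowered security level, the extra ACL entry permitting port 22, the disabled logging, and the dropped logging host. Any finding of kind `added-on-device` deserves the closest look, because the APIC never pushed that setting and a forced sync would not necessarily remove it.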

cooperb01
Level 1

Hi Daniel

In my lab I have a leaf and spine deployment with a single APIC that communicates to a VMM domain (vmware).

At 11:00 today my vCenter evaluation license expired. I then noticed that all the VMs within the lab were unable to ping their default gateway that's defined in the bridge domain.

What is the impact to existing services when either connectivity between the APIC and vCenter is lost or the vCenter license expires?

Thanks

Ben

Hello

When management access to the vCenter is lost, the only ability that is interrupted is pushing new EPGs/DVS port groups into vCenter. Otherwise, VM and regular data traffic will continue to flow so long as ESXi uplinks remain active. 

Regarding the license expiring in vCenter, it seems there are a few impacts regarding an expired license. First, hosts will disconnect from vCenter, then VMs will be unmanageable (power on or off), and finally, many features will become unavailable such as vMotion, HA, DRS, Storage I/O Control, and others.
