cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2487
Views
0
Helpful
5
Replies
Highlighted
Beginner

Vcenter / APIC integration question

When you Create Vmm domain on one APIC and you Have 3 APICs Which APIC will Push config to Vcenter and What happens if this APIC fails ?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Cisco Employee

Network_eg,

All APICs will establish persistent TCP listener sockets to vCenter, in order to receive any inventory updates or connection changes.  One APIC per VMM domain will be elected as the cluster as the Leader/Master.  The Leader is responsible for pushing Config from the APIC to vCenter. You can determine this from a simple CLI command.  The config connection sockets are non-persistent, only brought up when config changes are made & pushed then torn down. 

Determining which APIC is the master controller for the VMM domain

 From any APIC issue:

  • bash
  • cat /debug/<apic-name>/vmmmgr/comp/prov-VMware/ctrlr-\[<vmm domain name> \]-<ctrlr-name>/info/mo | grep Role

Ex

apic3# bash

admin@apic3:~> cat /debug/apic3/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic2/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic1/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : Leader

Should the elected "Leader" ever fail, another Leader will be elected from the remaining Cluster members.

Verifying Established Listener Sockets

If you want to verify the listener sockets on each APIC, you can use netstat to do so

netstat -l | grep VC_IP_Address

 Ex.

apic2# netstat -l | grep 192.168.1.34
tcp        0      0 192.168.1.2:36338        192.168.1.34:https         ESTABLISHED
apic2#

Let me know if you have any other questions!

Regards,

Robert

View solution in original post

Highlighted

The vCenter account used by the APIC needs permission to create & manage the vDS.  Most people use the default vCenter administrator/root account for this which is pretty unrestricted, but you can also use a custom user role with the necessary permissions as well. 

Since the credentials the APIC users are simply a vCenter account, we can't restrict any access from our (ACI) side.  It would have to be done on the vCenter side. 

If you really wanted to ensure your VMware admins "can't touch" the APIC managed vDS, you could to the follow.

-Create a separate "vc-admin" account with global "admin" permissions.

-Create a separate "apic-admin" account with global min. permissions defined below.

-Using the root/administrator account, remove the permission "inheritance" on the vDS folder, then change the permission to "read-only".

-Toss away/secure the default administrator/root account.

Here's a link to the permissions (minimum) that a vCenter custom user role would need to manage & deploy a vDS:  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_chapter_1_2_1x_0300.html#concept_4954018D4D4943BBBB565949752BA1F9

Robert

View solution in original post

5 REPLIES 5
Highlighted
Cisco Employee

Network_eg,

All APICs will establish persistent TCP listener sockets to vCenter, in order to receive any inventory updates or connection changes.  One APIC per VMM domain will be elected as the cluster as the Leader/Master.  The Leader is responsible for pushing Config from the APIC to vCenter. You can determine this from a simple CLI command.  The config connection sockets are non-persistent, only brought up when config changes are made & pushed then torn down. 

Determining which APIC is the master controller for the VMM domain

 From any APIC issue:

  • bash
  • cat /debug/<apic-name>/vmmmgr/comp/prov-VMware/ctrlr-\[<vmm domain name> \]-<ctrlr-name>/info/mo | grep Role

Ex

apic3# bash

admin@apic3:~> cat /debug/apic3/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic2/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : NonLeader

admin@apic3:~> cat /debug/apic1/vmmmgr/comp/prov-VMware/ctrlr-\[AVS-roberbur-LS\]-VCA/info/mo | grep Role
CurrentRole                : Leader

Should the elected "Leader" ever fail, another Leader will be elected from the remaining Cluster members.

Verifying Established Listener Sockets

If you want to verify the listener sockets on each APIC, you can use netstat to do so

netstat -l | grep VC_IP_Address

 Ex.

apic2# netstat -l | grep 192.168.1.34
tcp        0      0 192.168.1.2:36338        192.168.1.34:https         ESTABLISHED
apic2#

Let me know if you have any other questions!

Regards,

Robert

View solution in original post

Highlighted

Thanks Robert , Got check  moquery  more.

Another Question If I may :

My customer is asking Once the DVS is created in the vcenter is there any way we can deny Vcenter admins from changing the VMM-domain DVS config ?

Thanks in advance

Highlighted

The vCenter account used by the APIC needs permission to create & manage the vDS.  Most people use the default vCenter administrator/root account for this which is pretty unrestricted, but you can also use a custom user role with the necessary permissions as well. 

Since the credentials the APIC users are simply a vCenter account, we can't restrict any access from our (ACI) side.  It would have to be done on the vCenter side. 

If you really wanted to ensure your VMware admins "can't touch" the APIC managed vDS, you could to the follow.

-Create a separate "vc-admin" account with global "admin" permissions.

-Create a separate "apic-admin" account with global min. permissions defined below.

-Using the root/administrator account, remove the permission "inheritance" on the vDS folder, then change the permission to "read-only".

-Toss away/secure the default administrator/root account.

Here's a link to the permissions (minimum) that a vCenter custom user role would need to manage & deploy a vDS:  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/virtualization/b_ACI_Virtualization_Guide_1_2_1x/b_ACI_Virtualization_Guide_chapter_1_2_1x_0300.html#concept_4954018D4D4943BBBB565949752BA1F9

Robert

View solution in original post

Highlighted

Thank you Robert

Your answers and swift support is much appreciated

Regards

Amr

Highlighted

Hi Robert, great explanation. So from I understand, it is always the APIC that initiates a connection to the Vcenter. Is there any use case when the vcenter initiates to the APIC? 

Content for Community-Ad