External L2 and L3 Connections
LTRCRT-2611
Michael Wertz

Physical Topology of Lab Environment
(Figure: physical topology of the lab environment)

Lab 1: Configuring Basic Network Constructs

Complete this lab activity to create the basic network constructs that allow communication into the ACI fabric. All of the labs leverage the multi-tenancy capabilities that allow ACI to scale. ACI is designed to scale from smaller commercial environments, which may use a single tenant, to large cloud providers with support for 64,000 tenants and above. A single enterprise can also use tenants to enforce administrative and operational separation between different internal businesses or processes.

Activity Objective
In this activity, you will meet these objectives:
◼ Create a tenant
◼ Create a context (a VRF or private Layer 3 network)
◼ Create a bridge domain

Job Aids
Group Naming Conventions and Bridge Domain IP Addresses

Group  Tenant Name          Bridge Domain Subnet  Bridge Domain Prefix  Bridge Domain Gateway
1      CiscoLive-Student01  10.57.1.0             /24                   10.57.1.1
2      CiscoLive-Student02  10.57.2.0             /24                   10.57.2.1
3      CiscoLive-Student03  10.57.3.0             /24                   10.57.3.1
4      CiscoLive-Student04  10.57.4.0             /24                   10.57.4.1
5      CiscoLive-Student05  10.57.5.0             /24                   10.57.5.1
6      CiscoLive-Student06  10.57.6.0             /24                   10.57.6.1
7      CiscoLive-Student07  10.57.7.0             /24                   10.57.7.1
8      CiscoLive-Student08  10.57.8.0             /24                   10.57.8.1
9      CiscoLive-Student09  10.57.9.0             /24                   10.57.9.1
10     CiscoLive-Student10  10.57.10.0            /24                   10.57.10.1
11     CiscoLive-Student11  10.57.11.0            /24                   10.57.11.1
12     CiscoLive-Student12  10.57.12.0            /24                   10.57.12.1
13     CiscoLive-Student13  10.57.13.0            /24                   10.57.13.1
14     CiscoLive-Student14  10.57.14.0            /24                   10.57.14.1
15     CiscoLive-Student15  10.57.15.0            /24                   10.57.15.1
16     CiscoLive-Student16  10.57.16.0            /24                   10.57.16.1

Visual Objective
The figure illustrates what you will accomplish in this activity.
(Figure: Tenant > VRF (context / private network) > Bridge Domain (L2 boundary) > 10.57.X.1/24 IP space)

Required Resources
These are the resources and equipment required to complete this activity:
◼ APIC
◼ ACI fabric (two spines, two leaves)
◼ Student VM

Task 1: Login to the CiscoLive labs sponsored by Xentaurs

In this task, you will log in and select the tenant created for your group, which will be used throughout the rest of the labs. The tenant keeps your space separate from the other groups working within the same fabric. All lab accounts have admin access; therefore, you can see all provisioning within the APIC. In a true multi-tenant environment, a tenant admin would only have access and visibility within their own tenant.

Activity Procedure
Complete these steps:
Step 1 Open Cisco AnyConnect and connect to vpn.xentaurs.com.
Step 2 Log in with Group CiscoLive, a username of cl-studentXX (where XX is your student number), and a password of C1sc0L1ve2019.
Step 3 In Firefox or Chrome, navigate to the APIC at 10.10.250.55.
Step 4 In the APIC login screen, use the cl-studentXX user ID, a Domain of XLabsRADIUS, and a password of C1sco12345.
Step 5 From the menu bar, click Tenants.
Step 6 Select your tenant, CiscoLive-StudentXX.

Task 2: Create a VRF

A context or VRF is a unique Layer 3 forwarding and application policy domain. One or more bridge domains are associated with a context. All of the endpoints within the Layer 3 domain must have unique IP addresses. In ACI nomenclature, the terms Context, Private Network, and VRF are synonymous. Just as a router can have multiple VRFs configured, an ACI tenant can have multiple VRFs associated with it.

Activity Procedure
Complete these steps:
Step 7 In your tenant, select the Networking folder.
Step 8 In the main window, drag and drop the VRF icon into the area below; this displays the Create VRF pop-up. Enter VRF in the Name field.
Step 9 Click Submit to complete the process.

Note: What does policy enforcement mean?
By default, policy enforcement is enabled on a VRF (the Policy Control Enforcement Preference is Enforced) and is performed by either the ingress or the egress leaf. If you select Ingress, ingress enforcement is preferred. As traffic enters the leaf switch, the packet's fabric header is marked with the EPG of the source endpoint. The leaf switch then performs a forwarding lookup on the packet's destination IP address within the tenant space. A unicast (/32) or subnet prefix (not /32) hit provides the EPG of the destination endpoint or destination subnet prefix, and either the local interface or the VTEP IP address of the remote leaf switch where the destination endpoint or subnet prefix is present. A miss causes the packet to be sent to the forwarding proxy in the spine switch, which performs a forwarding table lookup. If this is a miss, the packet is dropped. If it is a hit, the packet is sent to the egress leaf switch that contains the destination endpoint. Because the egress leaf switch knows the EPG of both the source and the destination, that switch performs the security policy enforcement. On the egress leaf switch, the source IP address and source EPG information are stored in the local forwarding table through learning. Because most flows are bidirectional, a return packet populates the forwarding table on both sides of the flow, which enables the traffic to be ingress-filtered in both directions.

Task 3: Create a Bridge Domain

In this task, you will complete the wizard by creating a bridge domain. This domain is the Layer 2 scope that dictates how broadcasts are handled. You will also create a pervasive SVI (default gateway) for your group's IP space within that bridge domain.

Activity Procedure
Complete these steps:
Step 10 In the main Networking window where you dragged and dropped the VRF, drag the BD icon down near the VRF icon; this initiates a connection between the VRF and the BD. You will see a circle light up around the VRF with a line to the Bridge Domain icon. This is the APIC linking them together.
This also prompts the Create Bridge Domain wizard.
Step 11 In the Name field, type Wordpress_BD.
Step 12 Set Forwarding to Optimize.
Step 13 Select the L3 Configurations tab on the far right of the Create Bridge Domain wizard.
Step 14 In the Subnets field, click the + (plus sign) to add a gateway for the web server.
Note: A bridge domain can contain multiple subnets, but a subnet is only contained within a single bridge domain. IP space can overlap across tenants and/or VRFs.
Step 15 For the gateway address, enter 10.57.X.1/24 (where X is your group number). For example, you would enter 10.57.4.1/24 for Group 4.
Step 16 Under Scope, check Advertised Externally.
Note: The scope controls whether the subnet is propagated to external L3 connections. If the scope is Private to VRF, the subnet is never shared outside the fabric through routing protocols. If it is Advertised Externally, it is advertised out of any external routed connection (L3Out) that is associated with this bridge domain. If it is Shared between VRFs, subnets in a bridge domain associated with an endpoint group can be leaked to other VRFs for shared internal or external services.
Step 17 Click OK to complete the subnet creation dialog box.
Step 18 Click OK again to complete the Bridge Domain creation dialog box.
Step 19 Click Submit at the lower right corner of the Topology window to commit the changes.
Note: By default, there are three preexisting tenants: common, infra, and mgmt. The common tenant contains system-generated, preconfigured policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers, Layer 4 to Layer 7 services, intrusion detection appliances, and so on. Common tenant policies are configurable by the fabric administrator. The infra (infrastructure) tenant contains policies that govern the operation of infrastructure resources such as the fabric VXLAN overlay.
This tenant also enables a fabric provider to selectively deploy resources to one or more user tenants. The management tenant contains policies that govern the operation of fabric management functions used for in-band and out-of-band configuration of fabric nodes. The management tenant contains an out-of-band address space for APIC/fabric internal communications that is outside the fabric data path and provides access through the management port of the switches. The management tenant enables discovery and automation of communications with virtual machine controllers.

Activity Verification
You have completed this task when you attain these results:
◼ You have a tenant for your group.
◼ You created a VRF.
◼ You created a bridge domain.

Lab 2: Creating a Two-Tier Application

You will now create a two-tier application profile. There is a two-tier app on the vCenter host already. It has a W2K3 server to test from, the ACME web server, and an ACME database. You will build the application profile, contracts, and filters to make this work through the ACI fabric.

Activity Objective
In this activity, you will meet these objectives:
◼ Configure the application profile for the lab app
◼ Add the application VMs to the ACI-created virtual switch and verify correct connectivity

Visual Objective
The figure illustrates what you will accomplish in this activity (minus the L3 Out, which is done in a later lab).

Required Resources
These are the resources and equipment required to complete this activity:
◼ APIC
◼ ACI fabric (two spines, two leaves)
◼ Student VM
◼ Lab two-tier vApp

Task 1: Create the Two-Tier Application Profile

In this task, you will configure the application profile inside the VMM domain.

Activity Procedure
Complete these steps:
Step 1 Navigate to your tenant and right-click on Application Profiles.
Step 2 Select Create Application Profile.
Step 3 Name the Application Profile Wordpress.
Step 4 Under EPGs, click on the plus sign to create an EPG.
Step 5 Name the EPG DB.
Step 6 Select the BD of Wordpress_BD.
Step 7 Select the Domain of your VMM domain, C3Labs_StudentXX (VMM_VMware).
Note: This VMM domain was created ahead of time to make the labs easier to consume for the purpose of doing external networking.
Step 8 Under Provided Contract, select Create Contract.
Step 9 Name this contract DB_to_Web.
Step 10 Under Subjects, click on the plus sign.
Step 11 Name this subject DB-Subject.
Step 12 Under Filter, click on the plus sign.
Step 13 Under the Name, click the down arrow, then the plus sign in the top right corner.
Step 14 Name the filter DB_filter.
Step 15 Under Entries, click on the plus sign to create a filter entry.
Step 16 Name this entry mysql.
Step 17 Select an EtherType of IP and an IP protocol of tcp, and in Destination Port / Range enter 3306 in both the From and the To field.
Step 18 Click on Update, and then click Submit.
Step 19 Back on the Create Contract Subject, click on Update for the new filter.
Step 20 Click the plus sign to add another filter.
Step 21 In the drop-down, select ICMP.
Step 22 Click on Update.
Step 23 Click on OK to accept the new subject and filters.
Step 24 On the Create Contract window, click on Submit.
Step 25 On the Create Application Profile window, click on Update for the EPG.
Step 26 Now create another EPG by clicking on the plus sign again.
Step 27 Name this EPG Web.
Step 28 Select your BD of Wordpress_BD.
Step 29 Select your VMM domain (same as before).
Step 30 Under Provided Contract, select the down arrow and create a new contract.
Step 31 Name this contract Web_to_L3Out.
Step 32 Under Subjects, click the plus sign to create a new subject.
Step 33 Name this subject Web_Subject.
Step 34 Under Filter, click the plus sign.
Step 35 Under the Name, click the down arrow, then the plus sign in the top right corner.
Step 36 Name the filter Web_filter.
Step 37 Under Entries, click the plus sign.
Step 38 Name the first entry http, enter an EtherType of IP and an IP Protocol of tcp, and for Destination Port / Range enter http (port 80) in both the From and To fields.
Step 39 Click on Update, and then click Submit.
Step 40 Back on the Create Contract Subject, click on Update for the new filter.
Step 41 Click the plus sign to add another filter.
Step 42 In the drop-down, select ICMP.
Step 43 Click on Update.
Step 44 Click on OK to accept the new subject and filters.
Step 45 Back on the Create Contract Subject, click on Update to confirm your filter.
Step 46 Click on OK.
Step 47 On the Create Contract window, click on Submit.
Step 48 Now under Consumed Contract, select the DB_to_Web contract you created.
Step 49 Click on Update to confirm this EPG.
Step 50 Click on Submit to accept the Create Application Profile.
Step 51 Navigate to Application Profiles > Wordpress and click on Topology in the work pane.

Task 2: Add the Application VMs to the ACI-Created Virtual Switch and Verify Correct Connectivity

In this task, you will add the VMs in the vCenter domain to the VDS port groups that you just created with the application profile and verify that the application profile provides the correct connectivity for the app.

Activity Procedure
Complete these steps:
Step 52 Log into vCenter with the browser pointing to 10.20.10.15.
Step 53 Click on Launch vSphere Client (HTML5).
Step 54 The user ID is cl-studentXX@xentaurs.com and the password is C1sco12345.
Step 55 Expand the StudentXX-DC datacenter until you can see the WP-APACHE and WP-MYSQL VMs.
Step 56 Right-click on WP-APACHE and select Edit Settings.
Step 57 Under the network adapter, select CiscoLiveXX|Wordpress|Web.
Step 58 Click on OK.
Step 59 Right-click on WP-MYSQL and select Edit Settings.
Step 60 Under the network adapter, select CiscoLiveXX|Wordpress|DB.
Step 61 Click on OK.
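The contracts built in Task 1 form a whitelist: the VRF is enforced, so any flow between two EPGs that no contract permits is dropped. The Python model below is added here as a worked example; it is not part of the lab guide or of Cisco's tooling. It encodes the Lab 2 EPGs, contracts and filters and answers which flows the fabric will forward. It assumes the APIC defaults for a contract subject (Apply Both Directions on, Reverse Filter Ports on, stateful off), that the ICMP filter chosen in Steps 21 and 42 is the common tenant's icmp filter, and it adds the L3Out external EPG external_network consuming Web_to_L3Out ahead of time (that association is made in Lab 4).

```python
"""Added example (not from the lab guide): a minimal model of the contract
whitelist built in Lab 2, used to check which flows the fabric will permit.
Assumptions: APIC defaults for the subjects (Apply Both Directions on,
Reverse Filter Ports on, stateful off); the ICMP filter is common/icmp;
external_network consuming Web_to_L3Out is what Lab 4 later configures."""
from dataclasses import dataclass, field

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Entry:
    """One filter entry (vzEntry): protocol plus destination port range."""
    proto: str                      # "tcp", "udp", "icmp" or "unspecified"
    dport: tuple = ANY_PORT         # matched against the destination port

    def matches(self, proto: str, port: int) -> bool:
        if self.proto not in ("unspecified", proto):
            return False
        if self.proto in ("tcp", "udp"):
            return self.dport[0] <= port <= self.dport[1]
        return True                 # ICMP and "unspecified" carry no ports


@dataclass
class Epg:
    name: str
    provided: set = field(default_factory=set)   # contracts this EPG provides
    consumed: set = field(default_factory=set)   # contracts this EPG consumes


# Filters and contracts exactly as named in Lab 2 (ports from Steps 17 and 38).
FILTERS = {
    "DB_filter":  [Entry("tcp", (3306, 3306))],   # entry "mysql"
    "Web_filter": [Entry("tcp", (80, 80))],       # entry "http"
    "icmp":       [Entry("icmp")],                # common/icmp, in both subjects
}
CONTRACTS = {                                      # contract -> filters in its subject
    "DB_to_Web":    ["DB_filter", "icmp"],
    "Web_to_L3Out": ["Web_filter", "icmp"],
}
EPGS = {
    "DB":  Epg("DB", provided={"DB_to_Web"}),
    "Web": Epg("Web", provided={"Web_to_L3Out"}, consumed={"DB_to_Web"}),
    # Assumption: the L3Out external EPG from Lab 4, consuming Web_to_L3Out.
    "external_network": Epg("external_network", consumed={"Web_to_L3Out"}),
}


def _contract_matches(name: str, proto: str, port: int) -> bool:
    return any(e.matches(proto, port)
               for f in CONTRACTS[name] for e in FILTERS[f])


def permitted(src: str, dst: str, proto: str, sport: int = 0, dport: int = 0) -> bool:
    """True if a packet from EPG src to EPG dst is forwarded.

    Mirrors the zoning rules the APIC programs for an enforced VRF:
    1. endpoints in the same EPG talk freely, no contract needed;
    2. consumer -> provider is allowed when an entry of a contract that src
       consumes and dst provides matches the packet's destination port;
    3. provider -> consumer (the reply direction) is allowed when that entry
       matches the packet's *source* port (Reverse Filter Ports);
    4. everything else is dropped.  Contracts are stateless: the fabric does
       not check that a "reply" belongs to a flow the consumer opened.
    """
    if src == dst:
        return True
    s, d = EPGS[src], EPGS[dst]
    if any(_contract_matches(c, proto, dport) for c in s.consumed & d.provided):
        return True
    if any(_contract_matches(c, proto, sport) for c in s.provided & d.consumed):
        return True
    return False


if __name__ == "__main__":
    for flow in [("Web", "DB", "tcp", 51000, 3306),           # MySQL query
                 ("DB", "Web", "tcp", 3306, 51000),           # MySQL reply
                 ("Web", "DB", "tcp", 51000, 22),             # SSH to the DB
                 ("DB", "Web", "tcp", 3306, 80),              # DB opens a flow from sport 3306
                 ("external_network", "Web", "tcp", 40000, 80),
                 ("external_network", "DB", "tcp", 40000, 3306),
                 ("Web", "external_network", "tcp", 40000, 443)]:
        print(flow, "PERMIT" if permitted(*flow) else "DENY")
```

Two of the results are the ones practitioners usually trip over. The Web EPG cannot open outbound connections to the external network, because it only provides Web_to_L3Out and nothing it consumes is provided by the external EPG. And the DB EPG can reach port 80 on the Web EPG as long as it sources the connection from port 3306, because the reversed rule matches on source port only; contracts are stateless unless Stateful is set on the filter entry.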
Note: Here you selected the port groups that were created in the VMM domain when each EPG was created.

Lab 3: Configuring External Layer 2 to Internal ACI Communication

Complete this lab activity to become familiar with configuring Layer 2 communications with external networks. Layer 2 outside connections use a construct in ACI called an External Bridged Network. These are associated with a bridge domain and are intended to extend the entire bridge domain to an external VLAN with Layer 2 bridging.

Activity Objective
In this activity, you will meet these objectives:
◼ Configure a Layer 2 External Bridged Network
◼ Verify the tenant can reach hosts in the external network

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment required to complete this activity:
◼ APIC
◼ ACI fabric (two spines, two leaves)
◼ Student VM
◼ External switch with interfaces on VLANs bridged into the ACI fabric

Task 1: Configure an External Bridged Network

In this task, you will, individually in your groups, configure the connection details to the external Layer 2 network.

Activity Procedure
Complete these steps:
Step 1 From the menu bar, click Tenants and from the submenu select your tenant, CiscoLive-StudentXX (where XX is your group number).
Step 2 In the navigation pane, expand the Networking folder. Right-click on External Bridged Networks and select Create Bridged Outside.
Step 3 Type L2-Out in the Name field.
Step 4 In External Bridged Domain, select the prebuilt external connection CiscoLive_Ext_Bridged.
Note: This domain was created by the script that resets the lab. The configuration can be seen in the appendix of this lab guide.
Step 5 Under Bridge Domain, select CiscoLive-StudentXX/Wordpress_BD (where XX is your group number).
Step 6 In Encap, enter vlan-23XX (where XX is your pod number). For example, you would enter vlan-2304 for Group 4.
Step 7 Under Nodes and Interfaces Protocol Profiles, select a Path Type of VPC.
Step 8 Select the path Node-101-102/vPC_PROD-CORE-SW01.
Step 9 Click the Add button after making the selection.
Step 10 Click Next.
Step 11 In the External EPG Networks window, click on the plus symbol to add the EPG.
Step 12 In the Create External Network pop-up, enter the name L2-Network and click OK.
Step 13 In the original Create Bridged Outside window, click Finish.
Note: The external network is an EPG of its own, so traffic between it and the Web EPG is dropped until a contract is associated. The Web EPG provides Web_to_L3Out, so the external network must consume that contract.
Step 14 Add the contract that allows communication through the External Bridged Network you just created. Navigate to Networking > External Bridged Networks > L2-Out > Networks > L2-Network.
Step 15 Click on the Contracts tab in the work pane.
Step 16 Under Consumed Contracts, click the + (plus sign) and select CiscoLive-StudentXX/Web_to_L3Out.
Step 17 Click on Update.

Activity Verification
Perform the following tasks to verify what you have configured:
Step 18 Log into vCenter with the browser pointing to 10.20.10.15.
Step 19 Click on Launch vSphere Client (HTML5).
Step 20 The user ID is cl-studentXX@xentaurs.com and the password is C1sco12345.
Step 21 Expand the StudentXX-DC datacenter until you can see the WP-APACHE and WP-MYSQL VMs.
Step 22 In vSphere, click on the WP-APACHE VM.
Step 23 On the right, under Summary, click on Launch Web Console.
Step 24 Click OK in the pop-up that has Web Console already selected.
Step 25 Log into the VM as root with a password of C1sco12345.
Step 26 You should now be able to ping 10.57.X.254.
Note: The address you are pinging is an SVI on the Cisco 3K routers that the ACI fabric is connected to.

Task 2: Configure an Extended EPG to Get to External L2

In this task, you will, individually in your groups, reach the same external Layer 2 network a different way: instead of an External Bridged Network, you will extend the Web EPG itself onto the external VLAN with a physical domain and a static path binding.
Activity Procedure
Step 27 In ACI, delete the L2-Out external bridged network.
Note: The VLAN ID will be reused in a different place to extend the EPG instead of using an external L2 network.
Step 28 Try to ping the 10.57.XX.254 address. This should no longer work.
Step 29 Once the L2-Out is deleted, expand your application profile and drill down into the Web EPG.
Step 30 Select Domains inside the EPG.
Step 31 Right-click on Domains and select Add Physical Domain Association.
Step 32 In Add Physical Domain Association, select the domain CiscoLiveL2-PD.
Step 33 Click Submit.
Step 34 Under the same EPG, right-click on Static Ports and select Deploy Static EPG on PC, VPC, or Interface.
Step 35 Under Path Type, select VPC.
Step 36 Under Path, select the vPC_PROD-CORE-SW01 path (Pod-1/Node-101-102).
Step 37 Enter VLAN 23XX (where XX is your pod number).
Step 38 Click Submit.
Step 39 Check the pings from the VM. You have now extended an EPG.
Note: The two approaches differ in what the external hosts are allowed to do. With the L2-Out of Task 1, the external hosts formed a separate EPG and got only what Web_to_L3Out permits (HTTP and ICMP to the Web EPG). With the extended EPG, hosts on VLAN 23XX are members of the Web EPG: they reach the Web VMs with no contract at all, and they inherit every contract the Web EPG consumes, including DB_to_Web to the database.

Lab 4: Configuring External Layer 3 to Internal ACI Communication

Complete this lab activity to become familiar with configuring Layer 3 communications with external networks. Layer 3 outside connections, or External Routed Networks, provide IP connections between an internal VRF of a tenant and an external Layer 3 IP network. The physical connections to the ACI fabric are via an ACI border leaf. Tenant subnets are injected into the routing protocol running between the border leaf and the external router. Users control which tenant subnets are advertised to external routers, and which of the external networks learned are usable by the internal EPGs.
Activity Objective
In this activity, you will meet these objectives:
◼ Configure an External Routed Network using OSPF for your tenant VRF, and an external EPG network to control access to external routes
◼ Verify the leaf is learning routes and verify the routes are redistributed to your internal BD

Job Aids
Group Naming Conventions and Bridge Domain IP Addresses (see the table in Lab 1)

Visual Objective
The figure illustrates what you will accomplish in this activity.

Required Resources
These are the resources and equipment required to complete this activity:
◼ APIC
◼ ACI fabric (two spines, two leaves)
◼ Student VM
◼ External router

Task 1: Configure External L3 Network and Associate with Your Bridge Domain

In this task, you will, individually in your groups, configure the connection details to the External Routed Network. This task consists of creating an external routed network, specifying the border leaf nodes and interfaces, configuring the routing protocol (OSPF), and creating an external EPG that lets you use the routes advertised from outside and apply forwarding policy to them.

Activity Procedure
Complete these steps:
Step 1 From the menu bar, click Tenants and from the submenu select your tenant.
Step 2 In the navigation pane, select the Networking folder and notice the large topology window with the drag-and-drop icons. Drag the L3 icon down and attach it to the VRF in the topology.
Note: You could also do this by selecting Networking and right-clicking on External Routed Networks.
Step 3 In the Create Routed Outside wizard that opens, type L3Out_to_Core in the Name field.
Step 4 Click the OSPF check box to enable OSPF routing and type 0 in the OSPF Area ID field.
Step 5 Ensure that Regular area is selected.
Step 6 Under External Routed Domain, select CiscoLive_L3Out.
Note: This domain was created by the script that resets the lab.
Step 7 Click the + (plus sign) next to Nodes and Interfaces Protocol Profiles.
Step 8 Enter the name NodeProfile in the Create Node Profile pop-up.
Step 9 Click the + (plus sign) under Nodes.
Step 10 From the Node ID drop-down menu, choose Leaf01 (node-101).
Step 11 In the Router ID field, type X.X.X.1 (where X is your group number).
Step 12 Click OK.
Step 13 Repeat the previous steps, choosing Leaf02 (node-102).
Step 14 In the Router ID field, type X.X.X.2 (where X is your group number).
Step 15 Click OK.
Step 16 Under OSPF Interface Profiles, click the + (plus sign).
Step 17 In the Name field, type OSPF_Int.
Step 18 Click Next.
Step 19 Click Next on the (STEP 2 > Protocol Profiles) page.
Step 20 Click the SVI tab, indicating that you will use an SVI for routing.
Note: The OSPF interface policy lets you further customize the OSPF network type, interface cost, and the various OSPF timers.
Note: You can use Routed Interfaces as a Layer 3 interface, an SVI to carry the OSPF adjacency inside a VLAN, or Routed Sub-Interfaces to have more than one Layer 3 interface per port.
Step 21 Click the + (plus sign) under SVI Interfaces.
Step 22 Ensure that the Path Type chosen is Virtual Port Channel.
Step 23 In the Path field, click the drop-down and then click the interface vPC_ProdCore.
Step 24 Under Encapsulation, enter vlan-22XX (where XX is your group number). For example, if you are Group 1, use vlan-2201.
Step 25 Under Side A IPv4 Address, enter 10.56.XX.3/29 (where XX is your group number). For example, enter 10.56.7.3/29 for Group 07.
Step 26 Under Side B IPv4 Address, enter 10.56.XX.4/29 (where XX is your group number). For example, enter 10.56.7.4/29 for Group 07.
Step 27 Enter 1500 for MTU (bytes).
Step 28 Leave MTU Inherit unselected.
Note: The option MTU Inherit takes the MTU from the access policy of the physical interfaces, whose default MTU is 9000. OSPF neighbors must agree on the interface MTU to form an adjacency, so the value is set explicitly here rather than inherited.
Step 29 Click OK.
Step 30 Click OK to finish the Create Interface Profile.
Step 31 Click OK to finish the Create Node Profile.
Step 32 Click Next on the Create Routed Outside window.
Note:
The next stage when building the Layer 3 outside network is where you configure the external EPG network. This step is required to define which outside sources and routes the ACI fabric classifies into the external EPG and can therefore apply policy to. Later, you will build contracts for this external EPG network to allow you to ping (ICMP) and browse (HTTP) through it to and from the network outside of ACI. This construct is therefore very significant to the ACI policy model for traffic flows in and out of the fabric.
Step 33 Click the + (plus sign) under External EPG Network.
Step 34 In the Name field, type external_network.
Step 35 Click the + (plus sign) under Subnet.
Step 36 In the IP Address field, enter 0.0.0.0/0.
Note: With the default scope (External Subnets for the External EPG), 0.0.0.0/0 classifies every source reachable through this L3Out into external_network, so any contract consumed by this external EPG applies to all external hosts.
Step 37 Click OK.
Step 38 Ensure the IP address and scope you configured are listed under Subnet.
Step 39 Click OK to close the Create External Network wizard.
Step 40 Confirm the external_network EPG shows up under the External EPG Network section.
Step 41 Click OK to close the Create Routed Outside wizard.
Step 42 Navigate to your Tenant > Networking > Bridge Domains > Wordpress_BD.
Step 43 In the main window top-right tabs, select Policy > L3 Configurations.
Step 44 In the work pane, click the + (plus sign) in the Associated L3 Outs section.
Step 45 In the drop-down menu, select L3Out_to_Core.
Step 46 Click Update.
Step 47 Confirm the Associated L3 Outs section lists L3Out_to_Core. This associates your BD subnet with the External Routed Network, and since you marked 10.57.XX.1/24 as Advertised Externally in Lab 1, this route is now redistributed from the ACI fabric into the OSPF instance you created for external route peering.
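How a border leaf decides which external EPG a packet from outside belongs to, as an added example that is not part of the lab guide or of Cisco's tooling: the source address is matched, longest prefix first, against the subnets that carry the External Subnets for the External EPG scope, across all external EPGs of the VRF. external_network with 0.0.0.0/0 is the Lab 4 configuration from Steps 34 to 36; the second external EPG partner_network and its subnets 10.1.4.0/24 and 10.1.5.0/24 are assumptions added to show the more specific prefix winning and a route-control-only subnet not taking part in classification.

```python
"""Added example (not from the lab guide): external EPG classification on an
ACI L3Out.  external_network with 0.0.0.0/0 is the Lab 4 configuration;
partner_network and its subnets are assumptions used to show the
longest-prefix behaviour."""
import ipaddress

# Subnet scope flags as the APIC names them on the l3extSubnet object.
IMPORT_SECURITY = "import-security"   # "External Subnets for the External EPG"
EXPORT_RTCTRL = "export-rtctrl"       # "Export Route Control Subnet"


class L3Out:
    def __init__(self, name: str):
        self.name = name
        self.subnets = []   # (network, external EPG name, set of scope flags)

    def add_subnet(self, epg: str, prefix: str, scopes) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        self.subnets.append((net, epg, set(scopes)))

    def classify(self, src_ip: str):
        """External EPG that owns src_ip, or None when no subnet matches.

        Only subnets flagged import-security take part; a subnet that only
        carries export-rtctrl influences what is advertised, never which EPG
        a source is placed in.  The longest prefix wins, as on the leaf.
        A source that matches nothing has no EPG and is dropped.
        """
        ip = ipaddress.ip_address(src_ip)
        best = None
        for net, epg, scopes in self.subnets:
            if IMPORT_SECURITY not in scopes or ip not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, epg)
        return best[1] if best else None

    def exported_prefixes(self):
        """Transit prefixes this L3Out re-advertises to its routing peer."""
        return sorted(str(n) for n, _, sc in self.subnets if EXPORT_RTCTRL in sc)


def lab4_l3out() -> L3Out:
    out = L3Out("L3Out_to_Core")
    out.add_subnet("external_network", "0.0.0.0/0", [IMPORT_SECURITY])   # Step 36
    # Assumed additions (not in the lab): a second external EPG.
    out.add_subnet("partner_network", "10.1.4.0/24", [IMPORT_SECURITY])
    out.add_subnet("partner_network", "10.1.5.0/24", [EXPORT_RTCTRL])
    return out


if __name__ == "__main__":
    out = lab4_l3out()
    for src in ("172.16.54.1", "10.1.4.7", "10.1.5.7"):
        print(src, "->", out.classify(src))
    print("exported:", out.exported_prefixes())
```

10.1.5.7 lands in external_network, not partner_network, because its only matching specific subnet carries export-rtctrl alone. Classification is per VRF rather than per L3Out, so the same import-security prefix on two L3Outs of one VRF is a conflict, and with 0.0.0.0/0 present every external source is a member of external_network and subject to whatever that EPG consumes. The Shared Security Import Subnet checkbox used in Task 2 is the cross-VRF counterpart of import-security for shared-services designs.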
(Figure: Bridge Domain > Policy > L3 Configurations)

Task 2: Update the Existing Contract Associations so an EPG Associated to the Internal Fabric Bridge Domain Can Communicate with the External L3 Network

In this task, you will update the required contract associations on the external Layer 3 connection to successfully ping and connect over HTTP to an internal EPG from the external network. You will use ping and a browser from your external jump server to access the two-tier application and verify connectivity.

Activity Procedure
Complete these steps:
Step 48 Access the internal web server at 10.57.XX.10 (where XX is your group number) from your browser. This should fail because no contract is associated with the external L3 network yet.
Step 49 Go to Networking > External Routed Networks > L3Out_to_Core > Networks > external_network.
Step 50 In the main work window, select the Contracts tab, then the Consumed Contracts tab in the top right corner.
Step 51 Under Consumed Contracts, create a new contract association by clicking the + (plus sign).
Step 52 Select the Web_to_L3Out contract in the Name drop-down field.
Step 53 Click Update.

Activity Verification
Complete these steps:
Step 54 Access the internal web server at 10.57.XX.10 (where XX is your group number) from your browser again. This should now succeed.
Note: You now have outside access to the web server through the HTTP contract, and the web server reaches the database through the database contract.
Step 55 Navigate to your Web-App and drill into the EPGs. Expand the EPG W2K3-Test. Right-click on Contracts and select Add Provided Contract.
Step 56 Select the GroupX/HTTP contract and click on Submit.
Step 57 From the Hosts and Clusters view in vCenter, right-click the VM W2K3-1 and select Open Console.
Step 58 To send Ctrl+Alt+Del from the console, select VM > Guest and then choose Send Ctrl+Alt+Del.
Log in to the Windows 2003 server. The credentials are username Administrator and password 1234Qwer.
Step 59 From inside the VM, open a command window and ping the IP address of a loopback interface on the 172.16.x.x network, 172.16.5X.1 (where X is your group number). This should be successful.
Step 60 Try to ping the address 10.1.X.1 (where X is your group number). Does this succeed? If not, why not?
Step 61 In the APIC, navigate to Tenants > your tenant > Networking > External Routed Networks > L3Out_to_Core > Networks > external_network.
Step 62 Click the + (plus sign) next to Subnets. Add the subnet 10.1.X.0/24 (where X is your group number), enable the Shared Security Import Subnet checkbox, and click Submit.
Step 63 Ping the address 10.1.X.1 (where X is your group number) from the W2K3-1 VM console. This time you should be successful.

This lab has demonstrated policy control in ACI: filters attached to contracts used by EPGs, and subnets attached to the L3 external networks that EPGs use for external connectivity, together decide which traffic is allowed to flow.

You have completed this task when you attain these results:
◼ You can connect from your RDP jump host browser to 192.168.10X.11 (where X is your group number).
◼ You can ping the IP address of a loopback interface on the 172.16.x.x network, 172.16.50+X.1/24 (where X is your group number), from the W2K3-1 VM inside ACI.
◼ You added the subnet 10.1.X.0/24 (where X is your group number) to the external EPG network, and you can now ping 10.1.X.1 from the W2K3-1 VM console.