DCACI Implementing Cisco Application Centric Infrastructure
Lab Guide Version 1.11 Rev B, March 2023
ACI v5.1, VMware v6.7
© 2023 Cisco Systems, Inc.

This DCACI lab guide:
1. Is based on using both the Cisco ACI Simulator and the ACI Physical Equipment.
2. Requires no instructor demonstrations.
3. Contains extra NterOne bonus labs on ACI.

Table of Contents

Discovery Lab 0: Accessing the NterOne Lab Devices ..... 1
  Task 1: Connect to your NterOne Lab Environment ..... 2
Discovery Lab 1: Validate Fabric Discovery ..... 7
  Task 1: Configure your ACI Fabric ..... 8
  Task 2: Log in to the APIC Controller from the GUI ..... 11
  Task 3: Register the ACI Fabric Switches ..... 18
Discovery Lab 2: Configure NTP ..... 28
  Task 0: Log in to the APIC Controller ..... 29
  Task 1: Configure the Date and Time Format and NTP ..... 30
Discovery Lab 3: Create Access Policies and vPC ..... 35
  Task 0: Log in to the APIC Controller in the Physical Equipment ..... 40
  Task 1: Verify the NTP Time ..... 43
  Task 2: Verify DNS for the APIC ..... 44
  Task 3: Verify DNS for the Fabric Switches ..... 46
  Task 4: Verify the MP-BGP Route Reflectors ..... 48
  Task 5: Verify the ACI Inactivity Timer ..... 52
  Task 6: Create Link Level Interface Policies ..... 53
  Task 7: Create CDP Interface Policies ..... 56
  Task 8: Create LLDP Interface Policies ..... 59
  Task 9: Verify Interface Profiles and Switch Profiles ..... 62
  Task 10: Verify VPC Pair ..... 64
  Task 11: Configure Interface Selectors for the Interface Profiles ..... 66
  Task 12: Configure Interface Policy Groups ..... 68
  Task 13: Configure VLAN Pool, Physical Domain, and AAEP ..... 71
  Task 14: Configure Port Channel on the External Switch ..... 77
  Task 15: Verify the vPC ..... 79
Discovery Lab 4: Enable Layer 2 Connectivity in the same EPG ..... 81
  Task 0: Log in to the APIC Controller ..... 83
  Task 1: Create a Tenant ..... 84
  Task 2: Create a VRF ..... 86
  Task 3: Create a Bridge Domain ..... 88
  Task 4: Create Subnets within the Bridge Domain ..... 90
  Task 5: Create Filters ..... 93
  Task 6: Create Contracts ..... 97
  Task 7: Create Application Profile ..... 104
Discovery Lab 5: Integrate Cisco APIC with VMware vCenter Using VMware VDS ..... 109
  Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client ..... 111
  Task 1: Create a VLAN Pool ..... 115
  Task 2: Create a VMM Domain ..... 118
  Task 3: Verify the APIC Connection to the vCenter Server ..... 122
  Task 4: Verify an Attachable Access Entity Profile ..... 124
  Task 5: Add the VMM Domain to the AEP ..... 125
  Task 6: Create an Interface Policy Group ..... 127
  Task 7: Verify the Properties of your Pod Distributed Switch ..... 129
  Task 8: Verify the Interface Policy Groups ..... 132
  Task 9: Verify the Leaf Interface Profiles ..... 133
  Task 10: Verify the Leaf Profiles ..... 134
  Task 11: Add ESXi Hosts to the ACI DVS ..... 136
  Task 12: Associate the vCenter Domain to the APP EPG ..... 144
  Task 13: Associate the vCenter Domain to the DB EPG ..... 146
  Task 14: Associate the vCenter Domain to the WEB EPG ..... 147
  Task 15: Verify the Creation of the ACI DVS Port Groups within vCenter ..... 148
  Task 16: Add the App Server VM to the ACI DVS ..... 154
  Task 17: Add the DB Server VM to the ACI DVS ..... 162
  Task 18: Add the Web Server VM to the ACI DVS ..... 163
  Task 19: Verify Base Connectivity in the Three VMs ..... 164
Discovery Lab 6: Enable Inter-EPG Layer 2 Connectivity ..... 170
  Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client ..... 172
  Task 1: Create a VLAN Pool ..... 176
  Task 2: Create a Physical Domain ..... 179
  Task 3: Create an Attachable Access Entity Profile ..... 181
  Task 4: Create an Interface Policy Group ..... 183
  Task 5: Create an Interface Profile ..... 185
  Task 6: Create a Switch Profile ..... 187
  Task 7: Create a Bridge Domain ..... 189
  Task 8: Create a Bare Metal EPG ..... 192
  Task 9: Create a New Contract ..... 196
  Task 10: Configure Contracts between the DB EPG and the Bare Metal EPG ..... 199
  Task 11: Verify Connectivity to the Bare Metal Server ..... 203
  Task 12: Verify Connectivity to the Bare Metal Server as a Layer 2 Connection ..... 209
Discovery Lab 7: Enable Inter-EPG Layer 3 Connectivity ..... 212
  Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client ..... 213
  Task 1: Examine Cisco ACI Layer 3 Networking ..... 217
Discovery Lab 8: Configure External Layer 2 Connection ..... 224
  Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client ..... 225
  Task 1: Verify an Attachable Access Entity Profile ..... 229
  Task 2: Verify an Interface Policy Group ..... 230
  Task 3: Verify an Interface Profile ..... 231
  Task 4: Verify a Switch Profile ..... 232
  Task 5: Create a VLAN Pool for the External Bridged Domain ..... 234
  Task 6: Create an External Bridged Domain (Layer 2 Domain) ..... 237
  Task 7: Create an External Bridged Network ..... 239
  Task 8: Configure Contracts between the Web EPG and the External Bridged Network ..... 242
  Task 9: Verify That the Web EPG Can Communicate with the External Bridged Domain ..... 245
Discovery Lab 9: Configure External Layer 3 (L3Out) Connection ..... 249
  Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client ..... 251
  Task 1: Verify an Attachable Access Entity Profile used for L3Out ..... 255
  Task 2: Verify a Leaf Access Port ..... 256
  Task 3: Verify an Interface Profile ..... 257
  Task 4: Verify a Leaf Profile ..... 258
  Task 5: Create a VLAN Pool for the External Routed Domain ..... 260
  Task 6: Create an External Routed Domain (Layer 3 Domain) ..... 263
  Task 7: Configure an OSPF Interface Policy ..... 265
  Task 8: Create an External Routed Network ..... 267
  Task 9: Verify that the Leaf is Learning OSPF Routes ..... 272
  Task 10: Configure Contracts between the Web EPG and the External Routed Network ..... 277
  Task 11: Associate the External Routed Network to the Bridge Domain ..... 279
  Task 12: Advertise Subnets to the External Routed Network ..... 281
NTERONE ACI BONUS LABS ..... 286
Discovery Lab 10: Monitoring and Diagnosing ACI ..... 287
  Task 0: Log in to the APIC Controller ..... 288
  Task 1: Configuring Syslog Monitoring ..... 289
  Task 2: View Faults Using the Cisco APIC GUI ..... 295
  Task 3: View Events Using the Cisco APIC GUI ..... 299
  Task 4: Using the API Inspector ..... 300
Discovery Lab 11: Use Visore to Explore an ACI Tenant ..... 305
  Task 0: Log in to the APIC Controller ..... 306
  Task 1: Use the Managed Object Browser (Visore) ..... 307
Discovery Lab 12: Configure Tenant Span ..... 310
  Task 0: Log in to the APIC Controller ..... 311
  Task 1: Using the Operations Tab in APIC ..... 312
  Task 2: Configure SPAN ..... 316
Discovery Lab 13: Configure RBAC using Local and Radius Users ..... 328
  Task 0: Log in to the APIC Controller ..... 329
  Task 1: Verify the RADIUS Provider ..... 330
  Task 2: Create a Security Domain and Map It to Your Tenant ..... 332
  Task 3: Configure Local Users and Roles for your Tenant Security Domain ..... 334
  Task 4: Verify the Configuration of the Local User Accounts ..... 340
  Task 5: Create a RADIUS Security Domain and Map It to your Tenant ..... 347
  Task 6: Create RADIUS User Accounts ..... 352
  Task 7: Verify the Configuration of the RADIUS User Accounts ..... 354
Discovery Lab 14: Configure the APIC Using the ACI Cobra SDK (Python) ..... 358
  Task 0: Log in to the APIC Controller ..... 359
  Task 1: Enable HTTP Access for the APIs to use TCP port 80 ..... 360
  Task 2: Review an Existing Python Script ..... 362
  Task 3: Use a Python Script to Create a Tenant ..... 365
Discovery Lab 15: Configure the APIC Using the Cisco APIC REST to Python Adapter (ARYA) ..... 370
  Task 0: Log in to the APIC Controller ..... 371
  Task 1: Save an Object as an XML File ..... 372
  Task 2: Use ARYA to Create a Python Script ..... 375
  Task 3: Configure the APIC Using the Modified Python Script ..... 380

Discovery Lab 0: Accessing the NterOne Lab Devices

The purpose of this lab exercise is to make you familiar with the NterOne lab environment and with how to connect to the various devices that you will use during this class.

Task 1: Connect to your NterOne Lab Environment

Activity Procedure
Follow the steps in this task to log in to a Student Server.

Step 1  Log in to the personal or work computer you are using now.
Step 2  Verify that your computer can access the Internet. A simple test is to use a browser to open www.nterone.com.
Note: Ideally, disconnect from any VPN you may have open. Your lab performance will be better without a VPN connection.
Step 3  From the computer you are using now, open your web browser and go to the web site assigned by your instructor: https://my.labtyme.com/#/
Step 4  Enter the Username and Password needed to connect to the Student Server.
Note: Ask your instructor for the login credentials.
        Username: ________
        Password: ________
Step 5  Under All Connections, open the ACI-Simulator tab. Note the two virtual machines available for the next few labs for your assigned pod: AdminPC and APIC.
Note: The ACI-Simulator is used for the first two DCACI labs. Later labs use the ACI-Physical equipment.
Step 6  Right-click the APIC object and select Open link in new tab.
Note: You can left-click a link to go directly into the selected virtual machine, but opening it in a new tab lets you switch back and forth between the virtual machines more easily in this lab environment.
Note: If you do left-click one of the VMs directly, you will see only that VM in your browser. Click the browser's back button as needed to return to the main Labtyme portal.
Step 7  From the Labtyme portal, right-click the AdminPC object and select Open link in new tab.
Step 8  Click the AdminPC tab in your browser.
Step 9  Log in to Windows on the AdminPC as needed:
        Username: admin
        Password: 1234QWer
Note: You may be logged in to this Windows AdminPC automatically. If so, you do not have to log in again manually.
Note: The most commonly used applications, such as Chrome, have a shortcut on the Desktop. Other applications can be found in the Start menu.
Step 10 The process to connect to your lab environment is complete. Keep these two tabs open, as you will refer back to them often in later labs.

Discovery Lab 1: Validate Fabric Discovery

Overview
This activity guides you through the initial APIC configuration and fabric discovery process, and then familiarizes you with the fabric topology portion of the APIC GUI. Upon completing this guided lab, you will be able to:
- Configure a new APIC.
- Log in to the APIC.
- Register Nexus 9000 switches to the primary APIC controller.
- Explore the management interface on the APIC controller.

Lab Devices
During this class you will be using the ACI lab environment. This DCACI lab uses the Cisco ACI Simulator, which contains the following equipment, all provisioned virtually:
- One (1) Cisco Application Policy Infrastructure Controller (APIC).
- One (1) Cisco Nexus C9000 switch running in ACI mode (spine switch).
- Two (2) Cisco Nexus C9000 switches running in ACI mode (leaf switches).

Task 1: Configure your ACI Fabric
In this task you will configure the ACI APIC from the very beginning. This lab is based on the Cisco APIC Simulator. You will see the questions asked during the initial configuration of an ACI APIC.
Note: This lab must be performed on the ACI-Simulator as shown in the Labtyme portal.

Activity Procedure
Complete the following steps:
Step 1  Click your web browser connection to the APIC. Your screen will initially appear all black. Left-click the black screen and press Enter a few times to "wake it up."
Note: You may have answered a few of the initial questions accidentally by clicking on the screen. This is OK initially.
Step 2  Press Ctrl-D to start the APIC installation again from the very beginning.
Step 3  Enter the fabric name: ACI Fabric1
Note: When the default shown in [brackets] is the same value you are required to enter, you can just press Enter at that question.
Do not do this for all entries, as some entries must be changed in this lab environment per the following steps.
Step 4  Enter the fabric ID: 1
Step 5  Enter the number of active controllers in the fabric: 3
Step 6  Enter the POD ID: 1
Step 7  Is this a standby controller: NO
Step 8  Enter the controller ID: 1
Step 9  Enter the controller name: apic1
Step 10 Enter the address pool for TEP addresses: 10.0.0.0/16
Step 11 Enter the VLAN ID for the infra network: 4
Step 12 Enter the address pool for BD multicast addresses: 225.0.0.0/15
Step 13 Enable IPv6 for the Out-of-Band Mgmt Interface: N
Step 14 Enter the IPv4 address: 192.168.51.12/24
Note: This is the IP address used to access the APIC for all ACI management. Be sure NOT to use the default IP address offered by the simulator, or you will not be able to reach the APIC from the AdminPC in this lab environment.
Step 15 Enter the IPv4 address of the default gateway: 192.168.51.1
Step 16 Enter the interface speed/duplex mode: auto
Step 17 Enable strong passwords: N
Step 18 Password for admin: 1234QWer
Step 19 When you are prompted to edit the configuration, you can do so if you doubt any of your prior entries. If you do not need to make any changes, enter: n
Note: The APIC will accept your configuration and reboot. This takes several minutes. When the APIC reboots it will ask you to log in. If you enter the credentials right away, the login will fail because the APIC is still starting services in the background. Give the APIC at least 5 minutes.
Step 20 Log in to the APIC in the console with the credentials:
        apic login: admin
        Password: 1234QWer
Note: You can keep the browser tab to the APIC CLI open, as you will refer back to it in later lab steps.

Task 2: Log in to the APIC Controller from the GUI
In this task, you will log in to the APIC controller using the graphical user interface (GUI) from the AdminPC. Be sure to allow at least 5 minutes after the last task for the APIC to install, reboot and start its services before you start this task.

Activity Procedure
Complete the following steps:
Step 1  Click the browser tab to your Windows 10 AdminPC.
Step 2  From your AdminPC desktop, start the Chrome browser.
Step 3  Navigate to the URL of your newly installed Cisco APIC: https://192.168.51.12
Note: HTTP is disabled on any newly configured APIC. Be sure to connect with HTTPS.
Step 4  Click Advanced if you are prompted about your browser connection.
Step 5  Click Proceed to 192.168.51.12 (unsafe).
Note: You are seeing these security warnings in your browser because in this ACI lab environment there is no Public Key Infrastructure (PKI) with a Certificate Authority (CA) to manage the digital certificates between your browser and the APIC. In a production fabric the APIC should present a certificate issued by a CA that your browser trusts, so that this warning is not something administrators learn to click through.
Step 6  Log in to the APIC using the following credentials:
        User ID: admin
        Password: 1234QWer (note that "QW" is capitalized)
Step 7  At this point you should see the APIC dashboard. Select Do not show on login.
Step 8  Click Begin First Time Setup.
Step 9  Click Close.
Step 10 Note the layout of the Cisco ACI GUI. The top portion is referred to as the Menu bar.
Step 11 Once a tab is selected from the Menu bar, a Submenu bar appears below the Menu bar. Click Tenants. Note how the Submenu changes.
Note: The Navigation pane displays on the left side of the APIC GUI, below the Submenu bar. This pane provides centralized navigation to all elements of the submenu category. When you choose a component in the Navigation pane, the object displays in the Work pane on the right side of the APIC GUI.
This pane displays details about the component selected in the Navigation pane.
Step 12 In the far upper right, click Manage my profile.
Note: The upper right-hand corner of the APIC GUI indicates the user account with which you logged in to the APIC GUI.
Step 13 Select Settings from the drop-down menu.
Step 14 The Application Settings window appears. These settings affect how the APIC GUI responds as you use it. Enter the values in the following table.

        Field                                   Value
        Remember Tree Selection                 Checked
        Preserve Tree Divider Position          Checked
        Disable Notification on Success         Checked
        Disable Deployment Warning at Login     Unchecked
        Show all UI Sections                    Checked

Step 15 Click the OK button.

Task 3: Register the ACI Fabric Switches
This task is done only once per ACI fabric. In this task, you will register the Nexus 9000 switches to the fabric managed by APIC-1.

Activity Procedure
Complete the following steps:
Step 1  From your AdminPC, log in to the APIC as needed.
Step 2  In the Menu bar, click Fabric.
Step 3  In the Submenu bar, click Inventory.
Step 4  Click Fabric Membership and select the Registered Nodes tab. Note that initially there are no spines or leaves registered to this new APIC.
Step 5  Click the Nodes Pending Registration tab in the Navigation pane to expand the view and notice the single switch entry under the Fabric Membership folder. This is the leaf switch that the APIC is first connected to, which is not yet registered. Right-click the leaf and click Register.
Note: The APICs and the ACI switches use Link Layer Discovery Protocol (LLDP) to discover connected devices. Devices that are discovered are not automatically added to the fabric; an ACI admin must determine which devices should be added to the fabric and then manually register them.
Note: Unregistered switches are assigned the Node ID of 0. By default, switches detected by the fabric are not added to the fabric automatically; they must be added manually.
Note: The APIC is connected to two leaf switches; these leaf switches will be registered as Leaf-1 and Leaf-2 in the next few steps.
Step 6  Add the entries for the first leaf:
        Node ID: 101
        Node Name: Leaf-1
Note: The Node ID has to be greater than 100 because the APIC reserves node IDs 1 through 100 for future APICs that may be added to the fabric.
Step 7  Click the Register button.
Step 8  The APIC will now begin discovering the fabric along with other APICs. Wait 30 to 60 seconds for the APIC GUI to see other spine switches in the fabric. You should see an additional switch appear in the Nodes Pending Registration tab. This switch will be the spine switch in the ACI rack.
Note: Observe that the leaf switch now has a private (RFC 1918) IP address assigned. This DHCP address range is configured on the APIC when it is first installed and is managed by the APIC for infrastructure communication across the ACI fabric.
Note: The fabric will discover another switch. Notice under ROLE that these are spine switches with their Node ID set to 0.
Step 9  After a minute or so, look under Nodes Pending Registration for the spine to appear. Right-click the spine when it appears and select Register.
Step 10 Add the entries for the spine. Only one spine will appear in this APIC simulator.
        Node ID: 102
        Node Name: Spine-1
Step 11 Click Register.
Step 12 After a minute or so, look under Nodes Pending Registration for the last leaf to appear.
Step 13 Register the next leaf with the following entries:
        Node ID: 103
        Node Name: Leaf-2
Step 14 Verify under the Registered Nodes tab that the spine and the two leaf switches are registered with the correct node IDs and a Status of Active.
Note: You may have to highlight a switch, right-click and click Commission to ensure all switches become Active. Do so as needed.
Step 15 In the Navigation pane, click the Topology folder and the Topology tab. You should see the complete ACI fabric, which now includes one spine switch, two leaf switches, and one APIC.
Note: In a production network, you can have more spines, more APICs and many more leaves than shown here.
Step 16 Double-click Spine-1. Note the connections to the two leaves.
Step 17 Click the X in the upper right to close the window when you are done.
Step 18 Navigate to Fabric > Inventory > Pod 1 > Leaf-1 and choose the General tab.
Step 19 Note the various pieces of information, such as the model type, the serial number of the switch, the management address (not yet assigned) and other chassis information.
Step 20 Click the Interface tab.
Step 21 Hover your mouse over each interface and note all the information that appears in the pop-up window.
Step 22 Navigate to Fabric > Inventory > Pod 1 > Leaf-1 > Interfaces > Physical Interfaces.
Step 23 Note all the information on each of the Leaf-1 interfaces.
Step 24 From your AdminPC desktop, start a PuTTY session.
Step 25 Log in to APIC-1 using the following information:
        IP address: 192.168.51.12
        Login as: admin
        Password: 1234QWer (note that "QW" is capitalized)
Note: You may want to make your PuTTY window wide on your screen to increase visibility.
Step 26 Run the acidiag -h command to view the available ACI diagnostics options.
Note: If you follow the command with | more you can read the output one page at a time.
Note: The acidiag command is a useful troubleshooting command that lets you gather information about the entire ACI fabric from the APIC command line.
Step 27 View the fabric node vector using the acidiag fnvread command.
Step 28 Enter configuration mode on the APIC and display the entire fabric running configuration.

Discovery Lab 2: Configure NTP

Overview
The Network Time Protocol (NTP) synchronizes the time of day among a set of distributed time servers and clients. NTP uses the User Datagram Protocol (UDP) as its transport protocol. All NTP communications use Coordinated Universal Time (UTC).
NTP uses a stratum to describe the distance between a network device and an authoritative time source. A stratum 1 time server is directly attached to an authoritative time source (such as a radio clock, an atomic clock or a GPS time source). A stratum 2 NTP server receives its time through NTP from a stratum 1 time server.
An NTP server usually receives its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server, and then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each other.
In this scenario, you will use NTP to synchronize the APIC and the fabric to an NTP server in the lab environment. NTP will start working after out-of-band management IP addresses are configured on the fabric switches. These NTP settings are applied only once per ACI fabric.
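The NTP exchange described in the overview above, as an added example that is not part of the lab guide or of any Cisco tooling: a Python script that builds an NTPv4 client request, decodes a server reply, refuses replies a clock should not trust (non-server mode, leap indicator 3, stratum 0 or 16, or an originate timestamp that does not echo the request that was actually sent), and computes the clock offset and round-trip delay from the four timestamps. Everything it consumes is constructed inside the file: the server reply, the timestamps and the upstream reference ID 192.0.2.10 are made up so that the script runs offline and never contacts the lab's NTP server at 192.168.51.11 or the APIC.

```python
"""NTP exchange decoder and sanity check (added example; not part of the lab
guide). The server reply is constructed in this file so the script runs offline
and never contacts the lab NTP server at 192.168.51.11."""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID,
# then four 64-bit timestamps (seconds, fraction): reference, originate, receive, transmit.
PACKET_FMT = "!BBBbIII" + "II" * 4
PACKET_LEN = struct.calcsize(PACKET_FMT)  # 48 bytes

def to_ntp(unix_time: float) -> tuple:
    """Unix time -> (seconds since 1900, 32-bit fraction) as carried on the wire."""
    secs = int(unix_time)
    frac = min(int(round((unix_time - secs) * (1 << 32))), (1 << 32) - 1)
    return secs + NTP_EPOCH_OFFSET, frac

def from_ntp(secs: int, frac: int) -> float:
    """Inverse of to_ntp."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_client_request(transmit_time: float) -> bytes:
    """48-byte client packet: LI=0, version 4, mode 3 (client); only the transmit stamp is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 6, -20, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, *to_ntp(transmit_time))

def build_server_reply(request: bytes, stratum: int, recv_time: float,
                       xmt_time: float, leap: int = 0) -> bytes:
    """Constructed mode 4 (server) reply that echoes the request's transmit stamp
    into the originate field, as a real server would. Test input only."""
    fields = struct.unpack(PACKET_FMT, request)
    originate = fields[13:15]
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    ref_id = int.from_bytes(bytes([192, 0, 2, 10]), "big")   # constructed upstream IPv4 (TEST-NET-1)
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       *to_ntp(recv_time - 30.0), *originate,
                       *to_ntp(recv_time), *to_ntp(xmt_time))

def parse_reply(packet: bytes) -> dict:
    """Decode the header and timestamps of a server packet."""
    if len(packet) < PACKET_LEN:
        raise ValueError(f"short NTP packet: {len(packet)} bytes")
    f = struct.unpack(PACKET_FMT, packet[:PACKET_LEN])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "ref_id": f[6].to_bytes(4, "big"),
        "reference": from_ntp(f[7], f[8]),
        "originate_raw": f[9:11],          # kept raw so it can be compared exactly
        "receive": from_ntp(f[11], f[12]),
        "transmit": from_ntp(f[13], f[14]),
    }

def check_reply(reply: dict, request: bytes) -> list:
    """Reasons not to trust this reply for clock adjustment; an empty list means it passed."""
    problems = []
    if reply["mode"] != 4:
        problems.append(f"mode {reply['mode']} is not a server reply")
    if reply["leap"] == 3:
        problems.append("leap indicator 3: server clock not synchronized")
    if not 1 <= reply["stratum"] <= 15:
        problems.append(f"stratum {reply['stratum']} unusable (0 = kiss-o'-death, 16 = unsynchronized)")
    if reply["originate_raw"] != struct.unpack(PACKET_FMT, request)[13:15]:
        problems.append("originate stamp does not match our request (unsolicited or stale reply)")
    return problems

def clock_offset_and_delay(t1: float, reply: dict, t4: float) -> tuple:
    """RFC 5905 offset and round-trip delay from T1 (sent), T2 (server received),
    T3 (server sent) and T4 (received)."""
    t2, t3 = reply["receive"], reply["transmit"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def demo_good_exchange() -> dict:
    """Constructed exchange: client sends at T1, a stratum-2 server stamps receipt 10 ms
    and transmit 11 ms later on its own clock, and the reply lands 30 ms after T1."""
    t1 = 1_700_000_000.0
    request = build_client_request(t1)
    reply = parse_reply(build_server_reply(request, stratum=2,
                                           recv_time=t1 + 0.010, xmt_time=t1 + 0.011))
    t4 = t1 + 0.030
    offset, delay = clock_offset_and_delay(t1, reply, t4)
    return {"problems": check_reply(reply, request), "stratum": reply["stratum"],
            "offset": offset, "delay": delay}

def demo_unsynchronized_reply() -> list:
    """Same request answered by a server that reports LI=3 and stratum 16: rejected."""
    request = build_client_request(1_700_000_000.0)
    bad = build_server_reply(request, stratum=16, recv_time=1_700_000_000.01,
                             xmt_time=1_700_000_000.011, leap=3)
    return check_reply(parse_reply(bad), request)

if __name__ == "__main__":
    print(demo_good_exchange())        # offset -0.0045 s, delay 0.029 s, no problems
    print(demo_unsynchronized_reply())  # two reasons to reject the reply
```

The originate-timestamp comparison is the client-side check that matters most: a reply whose originate field does not match the transmit stamp of an outstanding request was not solicited by this client, and a real NTP client discards it rather than letting it steer the clock. Running the script prints an offset of -4.5 ms and a delay of 29 ms for the constructed exchange, and two rejection reasons for the unsynchronized reply.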
DCACI Lab Guide 28 Task 0: Log in to the APIC Controller In this task, you will log in to the APIC controller using the graphical user interface (GUI). Activity Procedure Note This lab must be performed on the ACI-Simulator as shown in the Labtyme portal. Complete the following steps: Step 1 Verify that you are currently logged in to your AdminPC within the ACISimulator. Step 2 From your AdminPC desktop, start the Chrome browser as needed. Step 3 Navigate to https://192.168.51.12. Step 4 Log in to the APIC using the following credentials: Step 5 Discovery Lab 2 Username: admin Password: 1234QWer (note that “QW” is capitalized) At this point you should see the APIC dashboard. | © 2023 Cisco Systems, Inc. DCACI Lab Guide 29 Task 1: Configure the Date and Time Format and NTP In this task, the Instructor will configure the date and time format of the clock and the NTP server used by the fabric. This task is performed only once per ACI fabric. Activity Procedure Complete the following steps: Discovery Lab 2 Step 1 In the Menu bar, click System. Step 2 In the Submenu bar, click System Settings. Step 3 Navigate to Date and Time. Step 4 In the Work pane, in the Time Zone drop-down list, select America/New_York. Step 5 Click the Submit button at the bottom of the Work pane. A Policy Usage Warning will appear indicating the other objects that will be affected by the changes. Step 6 Click the Submit Changes button. Step 7 In the Menu bar, click Fabric. Step 8 In the Submenu bar, click Fabric Policies. Step 9 Navigate to Policies > Pod > Date and Time. | © 2023 Cisco Systems, Inc. DCACI Lab Guide 30 Step 10 Discovery Lab 2 In the Navigation pane, right-click the Date and Time folder and select Create Date and Time Policy from the context menu. | © 2023 Cisco Systems, Inc. DCACI Lab Guide 31 Step 11 The Create Date and Time Policy wizard will appear. In STEP 1 > Identity, in the Name file, type DATE-TIME-POLICY. Step 12 Click the Next button. 
Step 13 In STEP 2 > NTP Servers, click the plus sign (+) to create a new entry and enter the values in the following table.

Field             Value
Name              192.168.51.11
Preferred         Checked
Management EPG    default (Out-of-Band)

Step 14 Click the OK button to complete the Create Providers wizard.
Step 15 Click the Finish button to complete the Create Date and Time Policy wizard.
Step 16 In the Navigation pane, expand the Fabric > Fabric Policies > Pods > Policy Groups folder.
Step 17 Right-click Policy Groups and select Create Pod Policy Group.
Step 18 Enter the values in the following table.

Field               Value
Name                POD-POLICY-GROUP
Date Time Policy    DATE-TIME-POLICY

Step 19 Click the Submit button at the bottom of the Work pane.
Step 20 A Warning message may appear indicating the other objects that will be affected by the changes. Click Yes if applicable.
Step 21 Click the Submit Changes button if needed.

Note The APIC simulator does not provide a way to verify the time on the switches. In later labs, you will use the Physical racks, which are pre-configured with the same settings you just configured here.

Discovery Lab 3: Create Access Policies and vPC

Lab Devices and Pods

For this lab and all following DCACI labs you will be using the ACI-Physical Equipment. The NterOne ACI Lab Rack contains the following equipment:

One (1) Cisco Application Policy Infrastructure Controller (APIC).
One (1) Cisco Nexus C9000 Switch running in ACI mode (Spine switch).
Two (2) Cisco Nexus C9000 Switches running in ACI mode (Leaf switches).
Cisco UCS C200 C-Series Servers running VMware ESXi.
One (1) vCenter.

You will have access to all of these devices; however, you will be assigned a single Pod within the UCS Lab Rack. A Pod is a portion of the ACI Lab Rack that is configured by one or two students.
The Pod Number is used to uniquely identify each Pod. The Pod Number (“##”) is a value between 11 and 26. You will be assigned to a Pod for a given lab exercise, possibly with another student depending on the class size. During the lab exercises you will be asked to configure the devices in your Pod. Do not configure any devices outside your assigned Pod unless specifically instructed to do so.

Letter Variables

The Lab Guide for your class uses letter variables (similar to algebra) to represent digits within a command or command output. Usually, whenever you see one of the capital letters in the following table you should replace that letter with the correct value; the Lab Guide should also point out when a letter variable is being used. The variables will be displayed with a font color of red. For example, if you are currently assigned to Pod 23, and if you are instructed to configure an IP address of 192.168.1.##, the IP address that you should use would be 192.168.1.23.

The following table lists all of the letter variables that are commonly used in the Lab Guide.

Letter Variable    Possible Values                        Description
R                  3, 4, 5 or 6                           Your ACI Rack Number
##                 11 through 26                          Your Pod Number
@                  A, B, C, or D                          Your vCenter Server
@@                 A1, A2, B1, B2, C1, C2, D1, or D2      Your ESXi Host

You must know the value of each of these variables before you start each lab exercise, based on your pod assignment from your instructor. If you do not use the correct values you may not be able to complete the lab exercise and you may also cause another student’s lab devices to malfunction. Be sure to open and use the Resource Guide document from your Instructor.

Overview

Fabric access policies enable communication of systems that are attached to the Cisco ACI fabric. In this lab exercise, you will configure an access policy.
You build a fabric access policy with multiple configuration elements: pools, physical domains, attachable access entity profiles, interface policies, interface policy groups, interface selectors, interface profiles, and switch profiles. This approach provides scalability and modularity of the configuration. The configuration elements are:

Pool: Defines a range of identifiers, such as VLANs.
Physical/external/VMM domain: References a pool. You can think of it as a resource container.
Attachable access entity profile (AAEP): References a domain, and therefore specifies the resource pool that is activated on an interface.
Interface policy: Defines a protocol or interface properties that are applied to interfaces.
Interface policy group: Gathers multiple interface policies into one set and binds them to an AAEP.
Interface selector: Identifies one or more interfaces (interface blocks) and associates them with an interface policy group.
Interface profile: Groups one or more interface selectors, effectively specifying the policies consumed by the interface blocks.
Switch profile: Chooses one or more leaf switches and associates them with an interface profile, effectively specifying the policies consumed by the interface blocks on a given switch.

The following figure illustrates the relationships between the configuration elements.

Cisco APIC allows scalable configurations by making the policies reusable. As the configuration grows, a single switch profile can reference multiple interface profiles, each containing several interface selectors. Similarly, an interface policy group may include several interface policies and a single AAEP can point to multiple domains, each with its own resource pool.
The following figure shows the relationships:

Note There are multiple ways of configuring elements in the Cisco APIC GUI: using configuration wizards, configuring components individually, or choosing a different configuration order. This lab exercise aims to present the required building blocks, and not necessarily to achieve the goal in the quickest way possible.

Visual Objective

The figure illustrates what you will accomplish in this activity.

Job Aids

Device Access (Racks = R)

Device      Management IP                         Other IP Addresses                                  Credentials
apic1       192.168.R0.1                          ---                                                 admin/1234QWer
leaf-1      192.168.R0.101                        ---                                                 admin/1234QWer
leaf-2      192.168.R0.103                        ---                                                 admin/1234QWer
Spine-1     192.168.R0.102                        ---                                                 admin/1234QWer
vCenter A   192.168.R0.51                         ---                                                 root@vsphere.local/1234QWer
ESXi        esxi-a1.dc.local, esxi-a2.dc.local    ---                                                 root/1234QWer
VMs         ---                                   WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)    N/A (auto-login)

Access Policies Configured in the Activity

Type of Policy                Policy Name                  Function
CDP interface policy          Enable_CDP                   Enable Cisco Discovery Protocol.
LLDP interface policy         Disable_LLDP                 Disable LLDP.
Port channel policy           Static_Channel               Enable Port Channeling using mode On.
VPC interface policy group    Leaf101..102:1:03_VPCIPG     Gathers interface policies into a group. This policy group will be applied to interface eth1/3 on both leaves, e.g., with IDs 101 and 102.
Interface selector            1:03                         Selects the interface eth1/3 as a member of the leaf interface profile and binds an interface policy group to the interface.
Leaf interface profile        L101..102_VPCIntProf         Groups interface selectors. This profile will be associated with both leaves, which will act as a vPC pair.
Leaf profile                  L101..102_VPCLeafProf        Binds a leaf interface profile to the leaf switches that form a vPC pair.
VPC protection group          L101..102_ProtectionGroup    Selects leaf switches for the vPC.

Command List

The table describes the Cisco APIC and Nexus switch CLI commands that are used in this activity. Refer to this list for configuration command assistance during the lab activities.

Command               Description
show cdp neighbor     Display Cisco Discovery Protocol neighbors (Nexus ACI).
show hardware         Display the hardware platform details (Nexus ACI).
show lldp neighbor    Display LLDP neighbors (Nexus ACI).
show version          Display the switch software version (Nexus ACI).

In this lab you will create a virtual port channel (vPC) for your assigned pod between Leaf-1 and Leaf-2 to an external Cisco IOS switch.

Task 0: Log in to the APIC Controller in the Physical Equipment

In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Note This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 In your Labtyme web portal, fully open the Physical Equipment entries under All Connections.
Step 2 Your instructor will assign you either the user student or student2. Verify you have the correct user.

Warning Be very sure you don’t use the wrong user. Note also that these Physical Equipment virtual machines are different from the ACI-Simulator virtual machines.

Step 3 Right-click your assigned user (student or student2) and select Open link in new tab.
Step 4 From your Student Server desktop, start the Chrome browser.
Step 5 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).

Note The APIC IP addresses here and in all following DCACI labs are different and will not connect to the APIC Simulator that you used in prior labs.

Note You may be warned by Chrome that the connection is not private.

Note Do not worry if you see any message like this about your connection not being private in these labs. Click Proceed… and “agree” with all browser security requests.

Step 6 Log in to the APIC using the following credentials:
        Username: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the APIC Dashboard.

Task 1: Verify the NTP Time

In this task, you will verify the NTP time configured in the APIC. The necessary date and time settings for the fabric have been pre-configured in this lab exactly as you did manually in the prior lab.

Activity Procedure

Complete the following steps:

Step 1 You can view the date and time for the fabric at the bottom right of the APIC GUI. It may take several seconds for the correct time to be displayed.
Step 2 Open a PuTTY session to Leaf-1. Log in as needed with the credentials:
        Username: admin
        Password: 1234QWer
Step 3 To verify that NTP is functioning properly on the switch, enter the show ntp peer-status command. You should see that there is a single peer, and the peer is selected for synchronization. This output is for rack 4.
Step 4 Use the show clock command to verify that the clock on the switch is set correctly.

Task 2: Verify DNS for the APIC

In this task, you will verify that the APIC is configured to use DNS for name resolution. This task is configured only once per ACI fabric. The APIC DNS settings have been pre-configured in this ACI Fabric.
Activity Procedure

Complete the following steps:

Step 1 Return to the APIC GUI running in your Chrome browser.
Step 2 In the Menu bar, click Fabric.
Step 3 In the Submenu bar, click Fabric Policies.
Step 4 In the Navigation pane, expand Policies > Global > DNS Profiles > default.
Step 5 In the DNS Providers subsection, note the pre-configured IP of 192.168.R0.40 (replace “R” with your ACI Rack Number).
Step 6 Under the DNS Domain field, note the Name field as dc.local.
Step 7 Open a new PuTTY session to the APIC.
        IP: 192.168.R0.1
        Username: admin
        Password: 1234QWer
Step 8 To verify that DNS name resolution is functioning properly, enter the ping leaf1.dc.local command. After a few seconds press <Ctrl>+<C> to stop the ping.
Step 9 Enter the ping leaf-1 command; make sure not to include the domain. After a few seconds press <Ctrl>+<C> to stop the ping.

Note The APIC used the IP address of 192.168.R0.101 for leaf-1.dc.local, and it used a 172.19.x.x address for leaf-1. The IP address 192.168.R0.101 is the out-of-band address, while the 172.19.x.x address is the infrastructure address assigned to leaf-1 when it was connected to the fabric.

Task 3: Verify DNS for the Fabric Switches

In this task, you will verify that the fabric switches are configured to use DNS for name resolution. This task is configured only once per ACI fabric.

Activity Procedure

Complete the following steps:

Step 1 In the Navigation pane, expand Fabric > Fabric Policies > Policies > Global > DNS Profiles.
Step 2 Select the pre-configured DNS-PROFILE folder. Note the pre-configured DNS Provider of 192.168.R0.40 and DNS Domain of dc.local. (Replace “R” with your ACI Rack Number.)
Step 3 In the Menu bar, click Tenants and ALL TENANTS.
Step 4 In the Submenu bar, double-click mgmt.
Step 5 In the Navigation pane, expand the tenant mgmt > Networking > VRFs > oob.
Click on the Policy tab.
Step 6 Near the bottom of the Work pane, note the pre-configured entry of DNS Labels as DNS-PROFILE.
Step 7 Return to the PuTTY window containing your session to Leaf-1. Log in as needed.
Step 8 To verify that DNS name resolution is functioning properly, enter the ping leaf2.dc.local command. After a few seconds press <Ctrl>+<C> to stop the ping.

Task 4: Verify the MP-BGP Route Reflectors

In this task, you will verify the MP-BGP Route Reflectors. Internal to the ACI fabric, MP-BGP is implemented between leaf and spine switches to propagate external routes within the ACI fabric; all the leaf and spine switches are in one single BGP AS. The border leaf uses MP-BGP to advertise the external routes to the spine switches, which act as BGP route reflectors to avoid the full-mesh requirement of BGP. Routes are only propagated by spines to leaf switches where the Private Networks are instantiated.

Note Private Networks are only instantiated on a leaf when an EPG for that Private Network has endpoints connected off the leaf.

MP-BGP is not enabled by default in the ACI fabric. You will verify the BGP policy, specifying the BGP AS number and specific spine nodes as BGP route reflectors. Once configured, the APIC will automatically configure iBGP peering between leaf and spine and specify leaf switches as route reflector clients. The APIC also automatically generates the required configuration for route redistribution on the border leaf. This task is configured only once per ACI fabric.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click System.
Step 2 In the Submenu bar, click System Settings.
Step 3 In the Navigation pane, select BGP Route Reflector.
Step 4 In the Work pane, note the pre-configured Autonomous System Number of 100.
Note The iBGP ASN must match the external router configuration if iBGP will be configured between the ACI Fabric and an external network. If using static routes, OSPF, or EIGRP between the ACI Fabric and an external network, the iBGP ASN value can be any valid value.

Step 5 In the Route Reflector Nodes subsection, note the entry of Spine-1.

Note This configuration applies to the entire fabric and is not enforced per Tenant. BGP will be automatically enabled on any leaf switch which has an external Layer 3 network attached, as well as any leaf switch where the Private Network associated with the Layer 3 external network is instantiated (leaves which do not have the Private Network associated preserve hardware resources by not running BGP and not storing the routes).

Note Once the border leaf forms a neighbor relationship, it will propagate Tenant routes to the external router. Users have control of which Tenant subnets to advertise to external routers.

Note When specifying subnets under the bridge domain for a given Tenant, the user has the choice to specify the scope (private, public, or shared) of a subnet.

Note For security and separation, MP-BGP maintains separate BGP routing tables for each ACI Private Network.

Step 6 Navigate to Fabric > Fabric Policies > Pods > Policy Group. Select the pre-configured RR-POD-POLICY-GROUP and verify the BGP Route Reflector policy is set to default.
Step 7 Navigate to Fabric > Fabric Policies > Pods > Profiles. Select the pre-configured Profile of POD-PROFILE.
Step 8 Note the Pod Selector with the name Pod, a Type of ALL, and the Policy Group of RR-POD-POLICY-GROUP.
Step 9 To verify that the BGP route reflectors are functioning, navigate to Fabric > Inventory > Pod1 > Spine-1 > Protocols > BGP > BGP for VRF-overlay-1 > Sessions.
Step 10 Verify that you see two Established BGP sessions, one to each leaf switch.
Step 11 From your Student Server desktop, start a PuTTY session with Spine-1.
Step 12 Log in to Spine-1 using the following information:
        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 13 Verify that the BGP sessions to the leaf switches are established by entering the show bgp sessions vrf overlay-1 command.

Task 5: Verify the ACI Inactivity Timer

In this task, you will verify the ACI inactivity timer. The purpose of this is to make it easier during your labs so you won’t be logged out as often during inactivity.

Note In a production environment, changing any inactivity timers to a long duration would not be suggested for security purposes.

This task is configured only once per ACI fabric.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click Admin.
Step 2 In the Submenu bar, click AAA > Security.
Step 3 Under the Management Settings tab, note the Web Session Idle Timeout(s) has the maximum number of 9999.

Task 6: Create Link Level Interface Policies

In this task, you will create two Link Level Interface Policies:

A Link Level Policy for leaf switch interfaces that will be configured for a speed of 1 Gbps.
A Link Level Policy for leaf switch interfaces that will be configured for a speed of 10 Gbps.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click Fabric.
Step 2 In the Submenu bar, click Access Policies.
Step 3 Navigate to Policies > Interface > Link Level.
Step 4 Right-click the Link Level folder and then select Create Link Level Policy from the context menu.
Step 5 The Create Link Level Policy wizard will appear.
Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

Field               Value
Name                POD##-1G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Auto Negotiation    off
Speed               1 Gbps

Step 6 Click the Submit button to complete the Create Link Level Policy wizard.
Step 7 Right-click the Link Level folder again and then select Create Link Level Policy from the context menu to create another policy.
Step 8 The Create Link Level Policy wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

Field               Value
Name                POD##-10G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Auto Negotiation    off
Speed               10 Gbps

Step 9 Click the Submit button to complete the Create Link Level Policy wizard.

Task 7: Create CDP Interface Policies

The Cisco Discovery Protocol is disabled by default on Cisco ACI interfaces. You will create an interface policy that enables Cisco Discovery Protocol, disables LLDP, and configures a port channel policy. These policies will be needed to establish connectivity between the hypervisor and the Cisco ACI leaves.

In this task, you will create two CDP Interface Policies:

A CDP Interface Policy for leaf switch interfaces that will be configured to enable CDP.
A CDP Interface Policy for leaf switch interfaces that will be configured to disable CDP.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 Navigate to Fabric > Access Policies > Policies > Interface > CDP Interface.
Step 2 Right-click the CDP Interface folder and then select Create CDP Interface Policy from the context menu.
Step 3 The Create CDP Interface Policy wizard will appear.
Enter the values in the following table.

Field          Value
Name           POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Admin State    Enabled

Step 4 Click the Submit button to complete the Create CDP Interface Policy wizard.
Step 5 Right-click the CDP Interface folder again and then select Create CDP Interface Policy from the context menu.
Step 6 The Create CDP Interface Policy wizard will appear. Enter the values in the following table.

Field          Value
Name           POD##-DISABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Admin State    Disabled

Step 7 Click the Submit button to complete the Create CDP Interface Policy wizard.

Task 8: Create LLDP Interface Policies

In this task, you will create two LLDP Interface Policies:

An LLDP Interface Policy for leaf switch interfaces that will be configured to enable LLDP.
An LLDP Interface Policy for leaf switch interfaces that will be configured to disable LLDP.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 Navigate to Fabric > Access Policies > Policies > Interface > LLDP Interface.
Step 2 Right-click the LLDP Interface folder and then select Create LLDP Interface Policy from the context menu.
Step 3 The Create LLDP Interface Policy wizard will appear. Enter the values in the following table.

Field             Value
Name              POD##-ENABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Receive State     Enabled
Transmit State    Enabled

Step 4 Click the Submit button to complete the Create LLDP Interface Policy wizard.
Step 5 Right-click the LLDP Interface folder again and then select Create LLDP Interface Policy from the context menu.
Step 6 The Create LLDP Interface Policy wizard will appear.
Enter the values in the following table.

Field             Value
Name              POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Receive State     Disabled
Transmit State    Disabled

Step 7 Click the Submit button to complete the Create LLDP Interface Policy wizard.

Task 9: Verify Interface Profiles and Switch Profiles

In this task, you will verify three pairs of interface and switch profiles. It is good practice to create interface and switch profiles for every leaf and vPC leaf pair, even before configuring specific ports. The settings in this task are configured only once in the ACI fabric.

Activity Procedure

Complete the following steps in the Web connection to the APIC:

Step 1 In the Menu bar, navigate to Fabric > Inventory > Fabric Membership.
Step 2 Under the Registered Nodes tab, take note of the Node ID and Name of the Nexus switches. It is important to note which Node ID is associated with which Name, as you will refer to these labels in later lab steps. Make no changes here.
Step 3 In the Menu bar, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.

Note You can always learn more about the meaning of any object and its parameters from Cisco APIC Online Help by clicking the question mark (?) button on the top right corner of your web browser connected to the APIC.

Step 4 Note the pre-configured Profiles of LEAF101_IFP and LEAF103_IFP.
Step 5 In the Menu bar, navigate to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
Step 6 Note the pre-configured Profiles of LEAF101_SWP and LEAF101_SWP with the selected Interface Selectors.

Task 10: Verify VPC Pair

A vPC domain is associated with a vPC security policy.
The vPC security policy defines the leaf switches that belong to the vPC domain. You will review the default vPC domain and add both leaf switches to the vPC security policy. The settings in this task are configured only once in the ACI fabric.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, navigate to Fabric > Access Policies > Policies > Switch > VPC Domain and choose default. Briefly review the default VPC Domain parameters. Make no changes here.
Step 2 In the Menu bar, navigate to Fabric > Access Policies > Policies > Switch and choose Virtual Port Channel default. Note the following pre-configured settings. Change the vPC domain policy to default as needed and click Submit and Submit Changes.

Field                Value
Name                 LEAF101-103_ProtectionGroup
ID                   100
vPC domain policy    default
Switch 1             101
Switch 2             103

Step 3 In the Menu bar, navigate to Fabric > Access Policies > Policies > Interface > Port Channel and examine the default policy.
Step 4 Select the pre-configured Port Channel Policy of Static_Channel_On and verify the settings. Ensure that the Mode is Static Channel – Mode On.

Task 11: Configure Interface Selectors for the Interface Profiles

The interface selector identifies a single interface or an interface block (range) that belongs to the interface profile. In this task, you will configure Interface Selectors for the Interface Profiles.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 Open the other PDF document for your assigned Rack number from your Instructor, named NterOne Cisco ACI Lab Resource Guide. Keep this document open along with your lab guide, as you will need both documents.
Step 2 In the Resource Guide, scroll down to the section entitled VPC Ports. Note the settings for your assigned Pod number for both Leaf-1 and Leaf-2.
You will use these settings in later steps of this task. Keep this document open and available to you.
Step 3 In the ACI Menu bar, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles. Select the pre-configured LEAF101_IFP.
Step 4 In the Interface Selectors section, click the plus sign (+).
Step 5 Click Continue on the Policy Usage Warning.
Step 6 Add these fields in the Create Access Port Selector window, where ## is your assigned pod number.

Name            Entry
Name            POD##
Interface ID    Select the Ethernet interface for your assigned pod on Leaf-1 (101) from the VPC Ports table in the Resource Guide for your assigned Rack.

Step 7 Click Submit.
Step 8 In the Menu bar, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles. Select the LEAF103_IFP and click the plus sign (+) to add an Interface Selector.
Step 9 Click Continue on the Policy Usage Warning.
Step 10 Add these fields in the Create Access Port Selector window.

Name            Entry
Name            POD##
Interface ID    Select the Ethernet interface for your assigned pod on Leaf-2 (103) from the VPC Ports table in the Resource Guide for your assigned Rack.

Step 11 Click Submit.

Task 12: Configure Interface Policy Groups

An interface policy defines a protocol or properties that are applied to an interface. You may use the default interface policies that ship with the APIC or configure your own. You will examine three default interface policies (LLDP, CDP and Port Channel) and verify that the default LLDP and Port Channel policies suit your needs. Nevertheless, you will configure explicit policies for LLDP, CDP, and Port Channel to enable LLDP/CDP and configure a static port channel (on). Enabling CDP will allow a vSphere standard switch to discover its adjacent leaves.

Note Each student will perform all steps in this task.
Activity Procedure

Complete the following steps:

Step 1 Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups.
Step 2 Right-click Leaf Access Port to Create Leaf Access Port Policy Group.
Step 3 Enter these fields.

Note The setting of Link Level is different from Link Level Flow Control.

Name          Value
Name          POD##_VPC_IPG
CDP           POD##-ENABLE-CDP-INTERFACE-POLICY
LLDP          POD##-ENABLE-LLDP-INTERFACE-POLICY
Link Level    POD##-1G-LINK-LEVEL-POLICY

Step 4 Click Submit.
Step 5 Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups and right-click VPC Interface to Create VPC Interface Policy Group.
Step 6 Enter these fields.

Name            Value
Name            POD##
CDP             POD##-ENABLE-CDP-INTERFACE-POLICY
Link Level      POD##-1G-LINK-LEVEL-POLICY
LLDP            POD##-ENABLE-LLDP-INTERFACE-POLICY
Port Channel    Static_Channel_on

Step 7 Click Submit.
Step 8 Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
Step 9 Expand the LEAF101_IFP profile and double-click your pod Interface Selector POD##. From the Interface Policy Group drop-down menu, choose your Policy Group named POD##_VPC_IPG.
Step 10 Click Submit and Submit Changes.
Step 11 Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
Step 12 Expand the LEAF103_IFP profile and double-click your pod Interface Selector POD##. From the Interface Policy Group drop-down menu, choose your Policy Group named POD##_VPC_IPG.
Step 13 Click Submit and Submit Changes.

Task 13: Configure VLAN Pool, Physical Domain, and AAEP

You will define the encapsulation resources to be used for the connections to the ESXi host and the external endpoint. These resources are configured using a VLAN pool, physical domain, and AAEP. The allocation mode can be static or dynamic.
The static mode allows you to individually select the VLAN IDs for the endpoint groups (EPGs) connected to the fabric. In the dynamic mode, the APIC uses an internal scheme to allocate VLANs to the EPGs. Integration with VMM domains requires dynamic allocation mode.

A physical domain profile stores the physical resources (ports and port channels) via AAEP and the encapsulation resources (VLANs) via VLAN Pool that should be used for endpoint group connections to the fabric.

Note Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, navigate to Fabric > Access Policies > Pools. Right-click VLAN and choose Create VLAN Pool.
Step 2 Create a VLAN pool POD##-VPC and select the Allocation Mode: Static Allocation.
Step 3 Click the plus sign (+) to add an Encap Block.

Note The name of the VLAN pool indicates its intended use, for a physical domain dedicated to your assigned tenant POD## (## is your assigned pod number).

Step 4 Define VLAN Range 5## for one VLAN just for your pod and select Static Allocation. Leave all settings at their default values. Click OK.
Step 5 Click Submit to complete the configuration of the Create VLAN Pool.
Step 6 Navigate to Fabric > Access Policies > Physical and External Domains, right-click Physical Domains, and choose Create Physical Domain.
Step 7 Configure a physical domain POD##_PD. Select the VLAN pool POD##-VPC(static).

Note The name of the physical domain indicates its intended use, for your tenant POD##.

Step 8 Click Submit.
Step 9 Navigate to Fabric > Access Policies > Policies > Global, right-click Attachable Access Entity Profiles, and choose Create Attachable Access Entity Profile.
    Note  An AAEP bundles a group of interfaces through interface policy groups; a policy group covers multiple interfaces that share the same port-level policies, such as LLDP. An AAEP is attached to a domain, so that the domain can offer a group of interfaces (via the AAEP) and VLANs (via the VLAN pool) to logical resources such as an EPG or an L3Out. An AAEP can be attached to more than one domain.

Step 10 Create an AAEP named POD##_VPC_AEP, click the plus sign (+) to add a Domain, and select the POD##_PD (Physical) domain.
Step 11 Continue the AAEP configuration by clicking Update.
Step 12 Verify the Encapsulation details and click Next.
Step 13 Scroll down to POD##_VPC_IPG and select All to select your pod interfaces.
Step 14 Complete the Create Attachable Access Entity Profile wizard by clicking Finish.
Step 15 Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port and select your interface policy group POD##_VPC_IPG.
Step 16 Select POD##_VPC_AEP from the Attached Entity Profile drop-down menu. Click Submit and Submit Changes as needed.
Step 17 Go to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > VPC Interface.
Step 18 Select your interface policy group POD## and choose POD##_VPC_AEP from the Attached Entity Profile drop-down menu.
Step 19 Click Submit and Submit Changes.

Task 14: Configure Port Channel on the External Switch

    Note  Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1  Open PuTTY and connect to the external switch VPC-RR-SW2 with the following information:

    Setting           Entry
    IP Address        192.168.R0.44
    Connection type   Telnet
    Username          admin
    Password          1234QWer

    Note  SSH is not enabled on this switch. Telnet carries the login and every command in clear text, which is acceptable only on this isolated lab management network; on a production switch, enable SSH and remove Telnet from the VTY transports.
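The chain built in Tasks 11 through 13 (interface selector to interface policy group, policy group to AAEP, AAEP to domain, domain to VLAN pool) is what decides whether an EPG encapsulation can later be deployed on a port; when a link is missing, the APIC raises a fault instead of programming the VLAN. The following is an added example, not code from the lab guide or from Cisco: it models that chain for one pod, reports which link is missing when a VLAN is not deployable, and emits the same objects as APIC REST payloads (classes fvnsVlanInstP, physDomP and infraAttEntityP). Object names follow the lab; the pod number and the leaf interface numbers are assumptions, since the lab takes them from the Resource Guide.

```python
"""Model the access-policy chain from Tasks 11-13 and check that an EPG
encapsulation is deployable through it.

Added example; not part of the Cisco lab guide.  Names follow the lab
(POD##_VPC_IPG, POD##_VPC_AEP, POD##_PD, POD##-VPC holding VLAN 5##); the
pod number and interface numbers below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class VlanPool:
    name: str
    alloc_mode: str                 # "static" or "dynamic"
    blocks: list                    # [(first_vlan, last_vlan), ...]

    def contains(self, vlan: int) -> bool:
        return any(lo <= vlan <= hi for lo, hi in self.blocks)


@dataclass
class Domain:
    name: str
    kind: str                       # "phys" for a physical domain
    pool: VlanPool


@dataclass
class AAEP:
    name: str
    domains: list = field(default_factory=list)


@dataclass
class PolicyGroup:
    name: str
    interfaces: set                 # {(node_id, "eth1/NN"), ...} from the selectors
    aaep: AAEP | None = None        # attached in Task 13, steps 15-19


def encap_deployable(policy_groups, node, port, vlan):
    """Walk port -> policy group -> AAEP -> domain -> VLAN pool.

    Returns (True, reason) when encap vlan-<vlan> on <node>/<port> would
    deploy, else (False, reason) naming the missing link.
    """
    pg = next((p for p in policy_groups if (node, port) in p.interfaces), None)
    if pg is None:
        return False, f"{node}/{port} is not selected by any interface policy group"
    if pg.aaep is None:
        return False, f"policy group {pg.name} has no Attached Entity Profile"
    for dom in pg.aaep.domains:
        if dom.pool.contains(vlan):
            return True, f"vlan-{vlan} via {pg.name} -> {pg.aaep.name} -> {dom.name} -> {dom.pool.name}"
    pools = ", ".join(d.pool.name for d in pg.aaep.domains) or "no domain attached"
    return False, f"vlan-{vlan} is not in a pool behind {pg.aaep.name} ({pools})"


def vlan_pool_payload(pool):
    """fvnsVlanInstP with one fvnsEncapBlk per block (dn uni/infra/vlanns-[name]-<mode>)."""
    return {"fvnsVlanInstP": {
        "attributes": {"name": pool.name, "allocMode": pool.alloc_mode},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{lo}", "to": f"vlan-{hi}", "allocMode": pool.alloc_mode}}}
            for lo, hi in pool.blocks]}}


def physical_domain_payload(domain):
    """physDomP bound to its VLAN pool through infraRsVlanNs."""
    ns_dn = f"uni/infra/vlanns-[{domain.pool.name}]-{domain.pool.alloc_mode}"
    return {"physDomP": {"attributes": {"name": domain.name},
                         "children": [{"infraRsVlanNs": {"attributes": {"tDn": ns_dn}}}]}}


def aaep_payload(aaep):
    """infraAttEntityP with one infraRsDomP per attached domain."""
    return {"infraAttEntityP": {"attributes": {"name": aaep.name},
                                "children": [{"infraRsDomP": {"attributes": {
                                    "tDn": f"uni/{d.kind}-{d.name}"}}} for d in aaep.domains]}}


def build_pod(pod: int):
    """The objects as the lab creates them for one pod (pod 1 -> VLAN 501)."""
    pp = f"POD{pod:02d}"
    pool = VlanPool(f"{pp}-VPC", "static", [(500 + pod, 500 + pod)])
    dom = Domain(f"{pp}_PD", "phys", pool)
    aaep = AAEP(f"{pp}_VPC_AEP", [dom])
    # interface numbers are an assumption; the lab takes them from the Resource Guide
    pg = PolicyGroup(f"{pp}_VPC_IPG", {(101, f"eth1/{pod}"), (103, f"eth1/{pod}")}, aaep)
    return pool, dom, aaep, pg


if __name__ == "__main__":
    import json
    pool, dom, aaep, pg = build_pod(1)
    print(encap_deployable([pg], 101, "eth1/1", 501))
    print(encap_deployable([pg], 101, "eth1/1", 502))
    print(json.dumps(aaep_payload(aaep), indent=2))
```

The second call in the demo fails with the same reason an APIC fault would report if you later bound an EPG with a VLAN that is not in the pool: the whole chain is intact but the encapsulation is outside the pool behind the AAEP.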
Step 2  From global configuration mode, create VLAN 5##, where ## is your assigned pod number. Type exit when done.
Step 3  In the Resource Guide, under the VPC Ports section, identify the GigabitEthernet interface number for your pod that is connected to Leaf-1.
Step 4  For your assigned pod ##, configure the GigabitEthernet interface for Leaf-1 with these settings. Refer to the Resource Guide, section VPC Ports, for your assigned pod port numbers; ## is your assigned pod number.

    Setting                    Entry
    GigabitEthernet Interface  Refer to Resource Guide for Leaf-1 (101)
    switchport access vlan     5##
    switchport mode access     on
    channel-group ## mode      on
    admin status               no shutdown

Step 5  For your assigned pod ##, configure the GigabitEthernet interface for Leaf-2 with these settings:

    Setting                    Entry
    GigabitEthernet Interface  Refer to Resource Guide for Leaf-2 (103)
    switchport access vlan     5##
    switchport mode access     on
    channel-group ## mode      on
    admin status               no shutdown

Step 6  Type exit when done.
Step 7  For your assigned pod ##, configure the Port-channel interface with these settings:

    Setting                    Entry
    Port-channel Interface     ##
    switchport access vlan     5##
    switchport mode access     on

Step 8  Type end when done.
Step 9  Save your settings with wr.

    Note  channel-group ## mode on builds a static port channel with no LACP negotiation, which matches the Static_Channel_on port-channel policy you selected for the vPC interface policy group in Task 12. Both member ports must carry identical VLAN and mode settings, because with a static bundle nothing on the wire detects a mismatch.

Task 15: Verify the vPC

    Note  Each student will perform all steps in this task.

Activity Procedure

Complete the following steps:

Step 1  In PuTTY, connect to Leaf-1. List the available vPC verification commands by entering show vpc and pressing ESC twice to see all the show vpc keyword options.
Step 2  On Leaf-1, examine the vPC domain using the show vpc command.
Step 3  On Leaf-1, examine the vPC role using the show vpc role command.
Step 4  Use PuTTY to connect to Leaf-2, log in as admin with password 1234QWer, and verify the vPC domain (show vpc) and the vPC role (show vpc role).
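For the external-switch side of the bundle configured in Task 14, here is an added example (not part of the lab guide or of any Cisco tool) that renders the configuration the task types in and then parses it back to check the things a static port channel will not check for you: both members are access ports in VLAN 5##, both are in channel-group ## with mode on (an LACP or PAgP member would never bundle against the Static_Channel_on policy on the ACI side), neither is shut down, and the Port-channel interface carries the same VLAN and mode. The pod number and the two GigabitEthernet interface names are assumptions; the lab takes them from the Resource Guide.

```python
"""Render and check the external-switch side of the Task 14 vPC.

Added example; not part of the Cisco lab guide.  Pod number and interface
names are assumptions; the commands are the ones the task enters.
"""
import re


def render_external_switch_config(pod, leaf1_port, leaf2_port):
    """Config lines from Task 14: VLAN 5##, two member ports, Port-channel ##."""
    vlan = 500 + pod

    def member(port):
        return [f"interface GigabitEthernet{port}",
                f" switchport access vlan {vlan}",
                " switchport mode access",
                f" channel-group {pod} mode on",
                " no shutdown", "!"]

    lines = [f"vlan {vlan}", "!"] + member(leaf1_port) + member(leaf2_port)
    lines += [f"interface Port-channel{pod}",
              f" switchport access vlan {vlan}",
              " switchport mode access", "!"]
    return "\n".join(lines) + "\n"


def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def check_port_channel(config, pod):
    """Return a list of problems; an empty list means the bundle is consistent."""
    vlan, problems = 500 + pod, []
    stanzas = parse_interfaces(config)
    po = stanzas.get(f"Port-channel{pod}")
    if po is None:
        problems.append(f"Port-channel{pod} is not configured")
    else:
        if f"switchport access vlan {vlan}" not in po:
            problems.append(f"Port-channel{pod}: access VLAN is not {vlan}")
        if "switchport mode access" not in po:
            problems.append(f"Port-channel{pod}: not switchport mode access")
    members = [name for name, cmds in stanzas.items()
               if any(re.fullmatch(rf"channel-group {pod} mode \S+", c) for c in cmds)]
    if len(members) != 2:
        problems.append(f"expected 2 members in channel-group {pod}, found {len(members)}")
    for name in members:
        cmds = stanzas[name]
        if f"channel-group {pod} mode on" not in cmds:
            problems.append(f"{name}: channel-group mode is not 'on' "
                            "(LACP/PAgP will not bundle against Static_Channel_on)")
        if f"switchport access vlan {vlan}" not in cmds:
            problems.append(f"{name}: access VLAN is not {vlan}")
        if "switchport mode access" not in cmds:
            problems.append(f"{name}: not switchport mode access")
        if "shutdown" in cmds:          # exact match; 'no shutdown' is a different line
            problems.append(f"{name}: administratively down")
    return problems


if __name__ == "__main__":
    cfg = render_external_switch_config(1, "1/0/1", "1/0/2")
    print(cfg)
    print("problems:", check_port_channel(cfg, 1))
```

Run it against the output of show running-config from the switch once Task 14 is done, passing your pod number, before trusting what show etherchannel summary reports in Task 15.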
        The role should be complementary to the role of Leaf-1 (one leaf reports primary and the other secondary).
Step 5  In the APIC UI, go to Fabric > Access Policies > Policies > Switch > Virtual Port Channel default and view the vPC TEP address, shown as the Virtual IP of the Explicit VPC Protection Groups.
Step 6  In PuTTY, connect to the external switch VPC-RR-SW2 at 192.168.R0.44 (the hostname resolves to 192.168.10.211). Log in as admin with password 1234QWer.
Step 7  Verify that your port channel was configured, for example with show running-config interface Port-channel ##.
Step 8  Type show etherchannel summary and verify that your pod's Po## has the correctly assigned member ports.

Discovery Lab 4: Enable Layer 2 Connectivity in the same EPG

Introduction

The Cisco Application Centric Infrastructure (ACI) is designed to scale from smaller commercial environments, which may use a single tenant, to large cloud providers with many tenants. A single enterprise can use tenants to enforce administrative and operational separation between internal businesses. In this activity, you will create a tenant and configure its basic elements:

A tenant is a logical container for application policies that enables an administrator to exercise domain-based access control. A tenant represents a unit of isolation from a policy perspective, such as a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies.

A VRF is a unique Layer 3 forwarding domain. All endpoints within the Layer 3 domain must have unique IP addresses. The terms VRF, network, context, and private network are synonymous. Just as a router can have multiple VRFs configured, a tenant can have multiple VRFs associated with it.

A bridge domain is a logical grouping of endpoints that appear to be on the same LAN. A bridge domain can contain one or more subnets. One or more bridge domains are associated with a VRF.
Subnets may overlap across tenants. A subnet corresponds to an IP subnet and is configured as the default gateway address for that subnet.

Endpoint groups (EPGs) are collections of similar endpoints representing an application tier or a set of services. They provide a logical grouping for objects that require a similar policy.

An application profile is the combination of EPGs and the policies that define their interactions. The interaction policies are called contracts.

The common tenant contains system-generated, pre-configured policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers, Layer 4 to Layer 7 services, intrusion detection appliances, and so on. Common tenant policies are configurable by the fabric administrator.

The infra (infrastructure) tenant contains policies that govern the operation of infrastructure resources such as the fabric VXLAN overlay. It also enables a fabric provider to selectively deploy resources to one or more user tenants.

The management tenant contains policies that govern the operation of fabric management functions used for in-band and out-of-band configuration of fabric nodes. The management tenant contains an out-of-band address space for the APIC/fabric internal communications that is outside the fabric data path and provides access through the management port of the switches. The management tenant also enables discovery and automation of communications with virtual machine controllers.
Job Aids

Device Access (Rack = R)

    Device      Management IP    Other IP Addresses                                 Credentials
    apic1       192.168.R0.1     ---                                                admin/1234QWer
    leaf-a      192.168.R0.101   ---                                                admin/1234QWer
    leaf-b      192.168.R0.103   ---                                                admin/1234QWer
    spine       192.168.R0.102   ---                                                admin/1234QWer
    vCenter A   192.168.R0.51    ---                                                root@vsphere.local/1234QWer
    ESXi        ---              esxi-a1.dc.local, esxi-a2.dc.local                 root/1234QWer
    VMs         ---              WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)   N/A (auto-login)

Overview

Complete this lab activity to create the basic network constructs that allow communication into the ACI fabric. All of the labs leverage the multi-tenancy capabilities that allow ACI to scale. ACI is designed to scale from smaller commercial environments, which may use a single tenant, to large cloud providers with many tenants. A single enterprise can also leverage tenants to enforce administrative and operational separation between different internal businesses or processes.

Upon completing this guided lab, you will be able to:

    Create a Tenant.
    Create a VRF.
    Create a Bridge Domain.
    Create Subnets.
    Create Filters, Contracts, and an Application Profile.

Task 0: Log in to the APIC Controller

In this task, you will log in to the APIC controller using the graphical user interface (GUI). Every student performs this lab independently.

    Note  This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Activity Procedure

Complete the following steps:

Step 1  Verify that you are currently logged in to your Student Server.
Step 2  From your Student Server desktop, start the Chrome browser.
Step 3  Navigate to https://192.168.R0.1 (replace "R" with your ACI Rack Number).
Step 4  Log in to the APIC using the following credentials:
            Username: admin
            Password: 1234QWer (note that "QW" is capitalized)
Step 5  At this point you should see the APIC Dashboard.

Task 1: Create a Tenant

In this task, you will create a Tenant using the APIC wizard.
A tenant is a container for policies used to exercise domain-based access control. A tenant represents a unit of isolation from a policy perspective, but it does not by itself represent a private network. Tenants can represent a customer in a service provider setting, an organization, a domain in an enterprise setting, or just a convenient grouping of policies.

Activity Procedure

Complete the following steps:

Step 1  In the ACI Menu bar, click Tenants.

    Note  By default there are three pre-existing tenants: common, infra, and mgmt.

Step 2  In the Submenu bar, click Add Tenant.
Step 3  The Create Tenant wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field         Value
    Name          POD## (replace "##" with your assigned 2-digit Pod Number)
    Description   (enter your name and/or nickname)

Step 4  Click the Submit button to complete the Create Tenant wizard.

Task 2: Create a VRF

In this task, you will create a VRF within your assigned pod Tenant. A VRF is a unique Layer 3 forwarding and application policy domain. One or more bridge domains are associated with a VRF. All of the endpoints within the Layer 3 domain must have unique IP addresses. In ACI nomenclature, the terms Context, Private Network, and VRF are synonymous. Just as a router can have multiple VRFs configured, an ACI tenant can have multiple Contexts associated with it.

Activity Procedure

Complete the following steps within your newly created tenant:

Step 1  Navigate to Tenants > POD##.
Step 2  Expand POD## > Networking > VRFs.
Step 3  Right-click the VRFs folder and then select Create VRF from the context menu.
Step 4  The Create VRF wizard will appear. In STEP 1 > VRF, enter the values in the following table; do NOT change any of the values that are not listed in the table.
    Field                      Value
    Name                       POD##-VRF (replace "##" with your assigned 2-digit Pod Number)
    Create a Bridge Domain     Unchecked

Step 5  Click the Finish button.

    Note  What does Policy Enforcement mean? By default, policy enforcement is enabled on a VRF (context) and is performed by either the ingress or the egress leaf. As traffic enters the leaf switch, the packet's fabric header is marked with the EPG of the source endpoint. The leaf then performs a forwarding lookup on the packet's destination IP address within the tenant space. A hit on a host (/32) entry or on a subnet prefix (not /32) provides the EPG of the destination endpoint or destination subnet, together with either the local interface or the remote leaf VTEP IP address where that endpoint or subnet is present. A miss causes the packet to be sent to the forwarding proxy in the spine switch, which performs a forwarding table lookup. If that lookup also misses, the packet is dropped. If it hits, the packet is sent to the egress leaf switch that contains the destination endpoint. Because the egress leaf knows the EPG of both the source and the destination, it performs the security policy enforcement. On the egress leaf, the source IP address and source EPG are stored in the local forwarding table through learning. Because most flows are bidirectional, a return packet populates the forwarding table on both sides of the flow, which enables the traffic to be ingress filtered in both directions.

Task 3: Create a Bridge Domain

In this task, you will create a bridge domain in your assigned tenant.

Activity Procedure

Complete the following steps within your tenant:

Step 1  In the ACI navigation pane, expand POD## > Networking > Bridge Domains.
Step 2  Right-click the Bridge Domains folder and then select Create Bridge Domain from the context menu.
Step 3  The Create Bridge Domain wizard will appear.
        In STEP 1 > Main, enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field   Value
    Name    POD##-BD (replace "##" with your assigned 2-digit Pod Number)
    VRF     POD##-VRF (replace "##" with your assigned 2-digit Pod Number)

Step 4  Click the Next button. In STEP 2 > L3 Configurations, do not make any changes.
Step 5  Click the Next button. In STEP 3 > Advanced/Troubleshooting, do not make any changes.
Step 6  Click the Finish button to complete the Create Bridge Domain wizard.

Task 4: Create Subnets within the Bridge Domain

In this task, you will create subnets within the bridge domain. These subnet IP addresses will be the default gateways of the Windows VMs that you will configure in later labs.

Activity Procedure

Complete the following steps:

Step 1  In the Navigation pane, expand Tenants > POD## > Networking > Bridge Domains > POD##-BD > Subnets.
Step 2  Right-click the Subnets folder and then select Create Subnet from the context menu.
Step 3  The Create Subnet wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field        Value
    Gateway IP   10.##.1.254/24 (replace "##" with your assigned 2-digit Pod Number)

    Note  The Scope of a subnet defines its visibility outside the bridge domain. Private to VRF (the default) keeps the subnet inside its VRF and does not advertise it. Advertised Externally allows the subnet to be advertised to external routers through an L3Out. Shared between VRFs leaks the subnet to other VRFs, in the same or in a different tenant, for shared services (EPGs in a different VRF). Leave the default for this lab.

Step 4  Click the Submit button. The subnet you just created will be visible in the Subnets subsection.
Step 5  Repeat the previous three steps to create a subnet with the Gateway IP 10.##.2.254/24 (replace "##" with your assigned 2-digit Pod Number).
Step 6  Repeat the previous three steps to create a subnet with the Gateway IP 10.##.3.254/24 (replace "##" with your assigned 2-digit Pod Number).
Step 7  In the Navigation pane, in the Subnets folder, verify that you see the three subnets listed.
Step 8  From your Student Server desktop, start a PuTTY session with your assigned rack APIC.
Step 9  Log in to APIC-1 using the following information:
            Login as: admin
            Password: 1234QWer (note that "QW" is capitalized)
Step 10 View the current configuration of your tenant by entering the show running-config tenant POD## command (replace "##" with your assigned 2-digit Pod Number). Verify that you see your tenant, the bridge domain, the VRF, and the subnets that you created during this lab exercise.

    Note  The name of the tenant is case-sensitive in this command, as are all other commands executed on the APIC command line.

Task 5: Create Filters

In this task, you will create filters in your tenant to be used in the contracts that you will create in the next task.

Activity Procedure

Complete the following steps:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace "##" with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Contracts > Filters.
Step 4  Right-click the Filters folder and then select Create Filter from the context menu.
Step 5  The Create Filter wizard will appear. In the Name field type POD##-FILTER-ANY (replace "##" with your assigned 2-digit Pod Number).
Step 6  In the Entries subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field       Value
    Name        ANY
    EtherType   Unspecified
    Note  A filter entry with the EtherType Unspecified matches every EtherType (IP, ARP, and so on), so this filter permits all traffic.

Step 7  Click the Update button.
Step 8  Click the Submit button to complete the Create Filter wizard. You should now see the filter you just created in the Filters folder.
Step 9  Right-click the Filters folder again and then select Create Filter from the context menu to create the next filter.
Step 10 The Create Filter wizard will appear. In the Name field type POD##-FILTER-ICMP (replace "##" with your assigned 2-digit Pod Number).
Step 11 In the Entries subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field                 Value
    Name                  ICMP
    EtherType             IP
    IP Protocol           icmp
    Match Only Fragment   Unchecked

Step 12 Click the Update and Submit buttons.
Step 13 Right-click the Filters folder again and then select Create Filter from the context menu to create the next filter.
Step 14 The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-80 (replace "##" with your assigned 2-digit Pod Number).
Step 15 In the Entries subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field                              Value
    Name                               PORT-80
    EtherType                          IP
    IP Protocol                        tcp
    Match Only Fragment                Unchecked
    Stateful                           Checked
    Source Port / Range - From         1024
    Source Port / Range - To           65535
    Destination Port / Range - From    80 (you can also select http)
    Destination Port / Range - To      80 (you can also select http)
    TCP Session Rules (default)        Unspecified

    Note  With Stateful checked, the return-direction rule that a contract subject adds for this entry permits TCP packets from the provider to the consumer only when the ACK bit is set, so a provider cannot open a new connection back toward the consumer's high port range.

Step 16 Click the Update button.
Step 17 Click the Submit button to complete the Create Filter wizard.
Step 18 Verify that you see the filters you just created in the Filters folder. At this point there should be three filters listed under Contracts > Filters.

    Note  These filters are not yet functional in your whitelist. They need to be added to a contract, as you will do in the next task.
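Before moving on to contracts, here is an added example covering Tasks 1 through 4 (tenant, VRF, bridge domain and subnets); it is not code from the lab guide or from Cisco. It builds the same objects as the APIC REST payload (classes fvTenant, fvCtx, fvBD, fvRsCtx and fvSubnet, with the subnet scope values the APIC accepts), and it enforces the rule stated in the lab introduction: addresses inside one VRF must be unique, while subnets may overlap across tenants. Names follow the lab; the pod numbers used in the demonstration and the overlapping subnet used to trigger the check are assumptions.

```python
"""Build the POD## tenant from Tasks 1-4 as an APIC payload and check the
subnets for overlap inside a VRF.

Added example; not part of the Cisco lab guide.  Names follow the lab; the
pod numbers and the deliberately overlapping subnet below are assumptions.
"""
import ipaddress

# GUI label -> fvSubnet "scope" token (several may be combined, comma separated)
SCOPES = {"Private to VRF": "private",
          "Advertised Externally": "public",
          "Shared between VRFs": "shared"}


def subnet_payload(gateway, scope=("Private to VRF",)):
    """fvSubnet: 'ip' is the gateway address in CIDR form, as typed in Task 4."""
    ipaddress.ip_interface(gateway)                  # raises ValueError on a bad gateway
    return {"fvSubnet": {"attributes": {
        "ip": gateway, "scope": ",".join(SCOPES[s] for s in scope)}}}


def tenant_payload(pod, gateways):
    """fvTenant POD## with POD##-VRF and POD##-BD (bound via fvRsCtx) holding the subnets."""
    pp = f"POD{pod:02d}"
    vrf, bd = f"{pp}-VRF", f"{pp}-BD"
    return {"fvTenant": {"attributes": {"name": pp}, "children": [
        {"fvCtx": {"attributes": {"name": vrf}}},
        {"fvBD": {"attributes": {"name": bd}, "children":
            [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
            + [subnet_payload(g) for g in gateways]}}]}}


def lab_gateways(pod):
    """The three gateways of Task 4 for one pod."""
    return [f"10.{pod}.{n}.254/24" for n in (1, 2, 3)]


def vrf_subnets(tenant):
    """Collect ('tenant/vrf', ip_network) pairs from a tenant payload."""
    tname = tenant["fvTenant"]["attributes"]["name"]
    out = []
    for child in tenant["fvTenant"]["children"]:
        if "fvBD" not in child:
            continue
        bd_children = child["fvBD"]["children"]
        vrf = next(c["fvRsCtx"]["attributes"]["tnFvCtxName"] for c in bd_children if "fvRsCtx" in c)
        for c in bd_children:
            if "fvSubnet" in c:
                net = ipaddress.ip_interface(c["fvSubnet"]["attributes"]["ip"]).network
                out.append((f"{tname}/{vrf}", net))
    return out


def overlapping_subnets(tenants):
    """Return [(vrf, net_a, net_b)] for subnets that overlap inside one VRF.

    Overlap between different VRFs (here: different tenants) is not reported,
    because each VRF is its own Layer 3 forwarding domain.
    """
    by_vrf = {}
    for t in tenants:
        for vrf, net in vrf_subnets(t):
            by_vrf.setdefault(vrf, []).append(net)
    clashes = []
    for vrf, nets in by_vrf.items():
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    clashes.append((vrf, a, b))
    return clashes


if __name__ == "__main__":
    import json
    t1 = tenant_payload(1, lab_gateways(1))
    print(json.dumps(t1, indent=2))
    # a second tenant reusing pod 1's addresses is fine: different VRF
    print(overlapping_subnets([t1, tenant_payload(2, lab_gateways(1))]))
    # two overlapping subnets in the same VRF are reported
    print(overlapping_subnets([tenant_payload(3, ["10.3.1.254/24", "10.3.1.1/25"])]))
```

The payload can be posted to https://<apic>/api/mo/uni.json once you have an authenticated session; the overlap check is worth running over every tenant that shares a VRF before a subnet is added, because the APIC will happily accept the object and you only find the problem when endpoints stop learning.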
Task 6: Create Contracts

In this task, you will create Contracts that use the Filters you created in the previous task. You will apply these contracts in the subsequent lab exercises.

Activity Procedure

Complete the following steps in your assigned tenant:

Step 1  In the Navigation pane under Tenants, expand POD## > Contracts.
Step 2  Right-click the Contracts folder and then select Create Contract from the context menu.
Step 3  The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-ANY (replace "##" with your assigned 2-digit Pod Number).
Step 4  In the Subjects subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field                   Value
    Name                    SUBJECT-ANY
    Apply Both Directions   Checked
    Reverse Filter Ports    Checked

Step 5  In the Filter Chain subsection, click the plus sign + to create a new entry. In the drop-down list, select POD##-FILTER-ANY.
Step 6  Click the Update button and then click the OK button.
Step 7  Click the Submit button to complete the Create Contract wizard. You should now see the contract you just created in the Contracts folder.
Step 8  Right-click the Contracts folder again and then select Create Contract from the context menu to create the next contract.
Step 9  The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-DB-APP (replace "##" with your assigned 2-digit Pod Number).
Step 10 In the Subjects subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field                   Value
    Name                    SUBJECT-ANY
    Apply Both Directions   Checked
    Reverse Filter Ports    Checked
Step 11 In the Filter Chain subsection, click the plus sign + to create a new entry. In the drop-down list, select POD##-FILTER-ANY.
Step 12 Click the Update button, and then click the OK button.
Step 13 Click the Submit button to complete the Create Contract wizard. You should now see the two contracts you just created in the Contracts folder.
Step 14 Right-click the Contracts folder again and then select Create Contract from the context menu to create the next contract.
Step 15 The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-APP-WEB (replace "##" with your assigned 2-digit Pod Number).
Step 16 In the Subjects subsection, click the plus sign + to create a new entry. Enter the values in the following table.

    Field                   Value
    Name                    SUBJECT-ANY
    Apply Both Directions   Checked
    Reverse Filter Ports    Checked

Step 17 In the Filter Chain subsection, click the plus sign + to create a new entry. In the drop-down list, select POD##-FILTER-ANY.
Step 18 Click the Update button, and then click the OK button.
Step 19 Click the Submit button to complete the Create Contract wizard. At this point there should be three contracts listed in the Contracts folder.

    Note  All three contracts use POD##-FILTER-ANY, so each one permits all traffic between the EPGs it connects; the ICMP and PORT-80 filters exist but are not referenced by any contract yet.

Step 20 From your Student Server desktop, start a PuTTY session with your APIC.
Step 21 Log in to APIC-1 using the following information:
            Login as: admin
            Password: 1234QWer (note that "QW" is capitalized)
Step 22 View the current configuration of your tenant by entering the show running-config tenant POD## command (replace "##" with your assigned 2-digit Pod Number). You should see the filters and contracts that you created during this lab exercise.

    Note  The name of the tenant is case-sensitive in this command, as are all other commands executed on the APIC command line.
Task 7: Create Application Profile

With the filters and contracts from the previous tasks, you can now build an Application Profile. The Application Profile lets you build a template of network attributes and policies that can be instantiated dynamically and inserted seamlessly. Application Profiles are a powerful tool for building out application connectivity and policy using repeatable processes. Application connectivity is defined in terms of the services that tiers or components provide and the services they consume. Contracts define the policy for those connections and are used through provider and consumer relationships. Complete this task to become familiar with the configuration of an Application Profile.

In this task, you will create an Application Profile.

Activity Procedure

Complete the following steps within your assigned Tenant:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace "##" with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Application Profiles.
Step 4  Right-click the Application Profiles folder and then select Create Application Profile from the context menu.
Step 5  The Create Application Profile wizard will appear. In the Name field type POD##-APPLICATION-PROFILE (replace "##" with your assigned 2-digit Pod Number).
Step 6  In the EPGs subsection, click the plus sign + to create a new EPG. Enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field               Value
    Name                POD##-DB-EPG (replace "##" with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace "##" with your assigned 2-digit Pod Number)
    Provided Contract   POD##-CONTRACT-DB-APP (replace "##" with your assigned 2-digit Pod Number)

Step 7  Click the Update button.
Step 8  In the EPGs subsection, click the plus sign + to create another EPG. Enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field               Value
    Name                POD##-APP-EPG (replace "##" with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace "##" with your assigned 2-digit Pod Number)
    Provided Contract   POD##-CONTRACT-APP-WEB (replace "##" with your assigned 2-digit Pod Number)
    Consumed Contract   POD##-CONTRACT-DB-APP (replace "##" with your assigned 2-digit Pod Number)

Step 9  Click the Update button.
Step 10 In the EPGs subsection, click the plus sign + to create another EPG. Enter the values in the following table and do NOT change any of the values that are not listed in the table.

    Field               Value
    Name                POD##-WEB-EPG (replace "##" with your assigned 2-digit Pod Number)
    BD                  POD##-BD (replace "##" with your assigned 2-digit Pod Number)
    Consumed Contract   POD##-CONTRACT-APP-WEB (replace "##" with your assigned 2-digit Pod Number)

Step 11 Click the Update button. You should now see three EPGs listed in the EPGs pane.
Step 12 Click the Submit button to complete the Create Application Profile wizard.
Step 13 In the Navigation pane, expand the Application Profiles folder, and then click the POD##-APPLICATION-PROFILE object. In the Work pane, select the Topology tab. This tab displays a diagram that logically represents the application profile. This is the whitelist in your tenant.

    Note  You may need to drag and drop the various icons to create a diagram that is easier to view. Click the Save Layout button when done to save the relative positions.

Step 14 In the Navigation pane, expand your tenant POD## > Contracts > Standard > POD##-CONTRACT-APP-WEB. In the Work pane, select the Topology tab. This tab displays a smaller diagram that logically represents the contract and its relationship with the endpoint groups.
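The topology you just saved is a whitelist: in an enforced VRF, two EPGs can only exchange the traffic that a contract between a consumer and a provider permits, and the subject options chosen in Task 6 (Apply Both Directions, Reverse Filter Ports) together with the filter entry's Stateful flag decide what the return direction looks like. The following is an added example, not code from the lab guide or from Cisco, and a simplified model of what the leaf switches enforce: it encodes the three EPGs and three contracts of Task 7 and evaluates whether a given packet is permitted. The EPG, contract and filter names are the lab's; the variant that puts POD##-FILTER-PORT-80 instead of POD##-FILTER-ANY into the APP-WEB contract is an assumption added to show the port and state logic.

```python
"""Evaluate the Task 5-7 whitelist: is a packet between two EPGs permitted?

Added example; not part of the Cisco lab guide.  Simplified model of contract
enforcement; names are the lab's, the PORT-80 variant is an assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entry:                            # one filter entry, as in Task 5
    ethertype: str = "unspecified"      # "unspecified", "ip", "arp", ...
    protocol: str = "unspecified"       # "tcp", "udp", "icmp", ...
    sport: tuple = (1, 65535)
    dport: tuple = (1, 65535)
    stateful: bool = False


@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    ethertype: str = "ip"
    protocol: str = "tcp"
    sport: int = 0
    dport: int = 0
    ack: bool = False                   # TCP ACK bit; consulted only by stateful entries


@dataclass
class Subject:                          # a contract subject, as in Task 6
    filters: list                       # list of filters; each filter is a list of Entry
    both_directions: bool = True        # Apply Both Directions
    reverse_ports: bool = True          # Reverse Filter Ports


@dataclass
class Epg:
    name: str
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)


FILTER_ANY = [Entry()]                                                 # POD##-FILTER-ANY
FILTER_ICMP = [Entry("ip", "icmp")]                                    # POD##-FILTER-ICMP
FILTER_PORT_80 = [Entry("ip", "tcp", (1024, 65535), (80, 80), True)]   # POD##-FILTER-PORT-80


def entry_matches(e, flow, reversed_ports, provider_to_consumer):
    if e.ethertype != "unspecified" and e.ethertype != flow.ethertype:
        return False
    if e.protocol != "unspecified" and e.protocol != flow.protocol:
        return False
    sport, dport = (e.dport, e.sport) if reversed_ports else (e.sport, e.dport)
    if flow.protocol in ("tcp", "udp"):
        if not (sport[0] <= flow.sport <= sport[1] and dport[0] <= flow.dport <= dport[1]):
            return False
    # Stateful: provider -> consumer TCP is only allowed with the ACK bit set
    if e.stateful and provider_to_consumer and flow.protocol == "tcp" and not flow.ack:
        return False
    return True


def permitted(flow, epgs, contracts):
    """True if an enforced VRF lets this packet through.

    Intra-EPG traffic needs no contract.  Between EPGs, consumer -> provider is
    matched against the filter as written; provider -> consumer only if the
    subject applies both directions, with the ports swapped when Reverse
    Filter Ports is set.  No contract means drop.
    """
    if flow.src_epg == flow.dst_epg:
        return True
    src, dst = epgs[flow.src_epg], epgs[flow.dst_epg]
    for name in src.consumes & dst.provides:                  # consumer -> provider
        for subj in contracts[name]:
            if any(entry_matches(e, flow, False, False) for f in subj.filters for e in f):
                return True
    for name in src.provides & dst.consumes:                  # provider -> consumer
        for subj in contracts[name]:
            if subj.both_directions and any(
                    entry_matches(e, flow, subj.reverse_ports, True) for f in subj.filters for e in f):
                return True
    return False


def lab_policy(pod=1, app_web_filter=FILTER_ANY):
    """The three EPGs and contracts of Task 7; every subject uses FILTER-ANY as
    in the lab unless a different filter is passed for POD##-CONTRACT-APP-WEB."""
    pp = f"POD{pod:02d}"
    epgs = {f"{pp}-DB-EPG": Epg(f"{pp}-DB-EPG", provides={f"{pp}-CONTRACT-DB-APP"}),
            f"{pp}-APP-EPG": Epg(f"{pp}-APP-EPG", provides={f"{pp}-CONTRACT-APP-WEB"},
                                 consumes={f"{pp}-CONTRACT-DB-APP"}),
            f"{pp}-WEB-EPG": Epg(f"{pp}-WEB-EPG", consumes={f"{pp}-CONTRACT-APP-WEB"})}
    contracts = {f"{pp}-CONTRACT-ANY": [Subject([FILTER_ANY])],
                 f"{pp}-CONTRACT-DB-APP": [Subject([FILTER_ANY])],
                 f"{pp}-CONTRACT-APP-WEB": [Subject([app_web_filter])]}
    return epgs, contracts


if __name__ == "__main__":
    epgs, contracts = lab_policy(1, app_web_filter=FILTER_PORT_80)
    web, app, db = "POD01-WEB-EPG", "POD01-APP-EPG", "POD01-DB-EPG"
    for f in (Flow(web, app, sport=45000, dport=80),            # request: permitted
              Flow(app, web, sport=80, dport=45000, ack=True),  # reply: permitted (reversed ports)
              Flow(app, web, sport=80, dport=45000),            # APP opening to WEB: denied (stateful)
              Flow(web, db, sport=45000, dport=3306),           # no contract: denied
              Flow(db, db, protocol="icmp")):                   # intra-EPG: permitted
        print(f"{f.src_epg} -> {f.dst_epg}: {'permit' if permitted(f, epgs, contracts) else 'drop'}")
```

With the lab's FILTER-ANY in every contract, the model permits anything between WEB and APP and between APP and DB in both directions, and still drops WEB to DB, which has no contract. Swapping in the PORT-80 filter shows why Reverse Filter Ports and Stateful matter: without the reversed rule the HTTP replies from port 80 would be dropped, and without Stateful the provider could open new sessions toward any consumer port above 1023.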
    Note  An arrow from an EPG to a Contract indicates a provided contract; an arrow from a Contract to an EPG indicates a consumed contract. See the table of Relation Indicators on the right for the color coding.

Step 15 From your Student Server desktop, start a PuTTY session with your APIC.
Step 16 Log in to the APIC using the following information:
            Login as: admin
            Password: 1234QWer (note that "QW" is capitalized)
Step 17 View the current configuration of your tenant by entering the show running-config tenant POD## application command (replace "##" with your assigned 2-digit Pod Number). You should see the application profile that you created during this lab exercise.

    Note  The name of the tenant is case-sensitive in this command, as in all other commands executed on the APIC command line.

    Note  Actual verification of network connectivity within the whitelist you just configured in your tenant requires the integration of virtual machines in this lab environment. You will perform this integration in the following labs.

Discovery Lab 5: Integrate Cisco APIC with VMware vCenter Using VMware VDS

Overview

Integration of virtual machine managers (VMMs) with Cisco ACI allows you to apply policies to individual VMs. In this lab exercise, you will integrate the Cisco APIC with the vCenter domain, assign multiple VMs to their port groups, and test the IP connectivity among them.

The ACI fabric is able to integrate with various hypervisor technologies. This lab demonstrates the capability of integrating with VMware vCenter, which allows the APIC to create policies that the VMware virtual environment can use. In this lab section, you will register the APIC to your virtual environment, which uses VMware vCenter Server.
This lab will walk you through the registration process, which allows the APIC to push application policies down to the virtual machines in your pod. That tight integration is shown in another lab; this lab focuses on building the connection between the APIC and VMware vCenter Server. Complete this lab activity to become familiar with registering a VMware domain in ACI.

Upon completing this guided lab, you will be able to:

    Register the APIC to VMware vCenter Server, creating a Distributed Virtual Switch inside VMware's network construct.
    Create vCenter credentials and a vCenter server object.
    Verify that the ACI DVS has been created and that the connection between the APIC and vCenter Server is established.

Job Aids

Device Access (Rack = R)

    Device      Management IP    Other IP Addresses                                 Credentials
    apic1       192.168.R0.1     ---                                                admin/1234QWer
    leaf-1      192.168.R0.101   ---                                                admin/1234QWer
    leaf-2      192.168.R0.103   ---                                                admin/1234QWer
    Spine-1     192.168.R0.102   ---                                                admin/1234QWer
    vCenter A   192.168.R0.51    ---                                                root@vsphere.local/1234QWer
    ESXi        ---              esxi-a1.dc.local, esxi-a2.dc.local                 root/1234QWer
    VMs         ---              WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)   N/A (auto-login)

Task 0: Log in to the APIC Controller and the Web-based VMware vSphere Client

In this task, you will log in to the APIC controller using the graphical user interface (GUI), and you will log in to your assigned VMware vCenter server using the web-based VMware vSphere Client.

Activity Procedure

    Note  This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

    Warning  This lab requires that you use and refer to the Resource Guide. Open the Resource Guide now. Pay close attention to your assigned pod and rack number.

Complete the following steps:

Step 1  Verify that you are currently logged in to your Student Server.
Step 2  From your Student Server desktop, start the Chrome browser.
Step 3  Navigate to https://192.168.R0.1 (replace "R" with your ACI Rack Number).
Step 4  Log in to the APIC using the following credentials:
            Username: admin
            Password: 1234QWer (note that "QW" is capitalized)
Step 5  At this point you should see the APIC Dashboard.

    Warning  You may have the older VMware vSphere client on your desktop. Do NOT use this client, as it has been deprecated by VMware for the later versions of vCenter used in this lab environment.

Step 6  From your Student Server, within your Chrome browser, open another browser tab and log in to your assigned vCenter server using the following:
            IP address / Name: vcenter-@.dc.local (replace "@" with your assigned vCenter letter) or 192.168.R0.51
        Select LAUNCH VSPHERE CLIENT (HTML5).
Step 7  Log in using these credentials:
            Username: root@vsphere.local
            Password: 1234QWer (note that "QW" is capitalized)
Step 8  In the vSphere Client window, click the Hosts and Clusters icon in the upper left. Expand the Datacenter and Cluster. Locate the VMs assigned to your pod.

    Note  Keep both tabs open in your browser, to vCenter and to the APIC. You will refer back to these often in later lab steps.

Task 1: Create a VLAN Pool

In this task, you will create the VLAN pool that will be used by the VMM domain you create in a subsequent task. A VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation that the VMM domain consumes. Each time you associate an EPG with a VMM domain, a VLAN ID is taken from the VLAN pool and assigned to the virtual machine group that is created within the VMM domain (for example, a port group within the ACI DVS in vCenter).
Activity Procedure

Complete the following steps:

Step 1  Return to the APIC GUI running in your Chrome browser.

Step 2  In the ACI menu bar, click Fabric.

Step 3  In the Submenu bar, click Access Policies.

Step 4  In the Navigation pane, expand Pools > VLAN.

Step 5  Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 6  The Create VLAN Pool wizard will appear. Enter the values in the following table.

        Field             Value
        Name              POD##-VMM-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
        Allocation Mode   Dynamic Allocation

Step 7  In the Encap Blocks subsection, click the plus sign + to create a new VLAN range. Enter the values in the following table.

        Field          Value
        Range (From)   3##0 (replace “##” with your assigned 2-digit Pod Number)
        Range (To)     3##9 (replace “##” with your assigned 2-digit Pod Number)

Step 8  Click the OK button.

Step 9  Click the Submit button to complete the Create VLAN Pool wizard.

Step 10 Verify that you see the VLAN Pool you just created in the VLAN folder.

Task 2: Create a VMM Domain

In this task, you will create a VMM domain, which will integrate the ACI fabric with your assigned vCenter server.

Activity Procedure

Complete the following steps:

Step 1  In the ACI top Menu bar, click Virtual Networking and VMware.

Step 2  In the Navigation pane, right-click the VMware folder and select Create vCenter Domain from the pull-down menu.

Step 3  The Create vCenter Domain wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table. Do not yet click Submit.
        Field                 Value
        Virtual Switch Name   POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
        Virtual Switch        VMware vSphere Distributed Switch
        VLAN Pool             POD##-VMM-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)

Step 4  In the vCenter Credentials subsection, click the plus sign + to create a new entry. The Create vCenter Credential wizard will appear. Enter the values in the following table.

        Field                            Value
        Name                             VCENTER-CREDENTIAL
        Username                         root@vsphere.local
        Password and Confirm Password    1234QWer

Step 5  Click the OK button to complete the Create vCenter Credential wizard. Do NOT yet click Submit.

Step 6  Open the NterOne Cisco ACI Resource Guide for your assigned Rack. You will need it for entries that follow.

Step 7  In the vCenter subsection, click the plus sign + to create a new entry. The Add vCenter Controller wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table. Be sure to refer to your resource guide for the value of @.

Warning: The version of VMware running in this lab environment is v6.7. However, be sure to select the DVS Version 6.5 as shown in this table. If not, the VMM integration will fail.

        Field                        Value
        Name                         vCenter-@ (replace “@” with your assigned vCenter CAPITAL letter)
        Host Name (or IP Address)    192.168.R0.51
        DVS Version                  DVS Version 6.5
        Datacenter                   Datacenter-@ (replace “@” with your assigned vCenter CAPITAL letter)
        Associated Credential        VCENTER-CREDENTIAL

Note: The name of the Datacenter must exactly match the name as it appears in the vSphere Client, otherwise the APIC will not be able to locate and configure the correct Datacenter in the vCenter Server.
In this lab the “D” at the beginning of the name and the vCenter letter are capitalized; the rest of the name is in lower case.

Step 8  Click the OK button to complete.

Step 9  Click the Submit button to complete the Create vCenter Domain wizard.

Step 10 Verify that you see the VMM domain you just created in the VMware folder.

Task 3: Verify the APIC Connection to the vCenter Server

In this task, you will verify the APIC connection to your assigned vCenter server.

Activity Procedure

Complete the following steps:

Note: The following steps demonstrate how you can also verify the connection between the APIC and the vCenter server by using the vSphere client to view that the ACI DVS has been created.

Step 1  Return to the VMware vSphere Client tab within Chrome.

Step 2  Select the Networking icon from the Menu.

Step 3  Expand the Datacenter and POD##-VMM-DOMAIN folders.

Step 4  Verify that a new DVS has been created for your pod named POD##-VMM-DOMAIN and that there are two default port groups: one port group for DVS uplinks and another port group named quarantine. If this step fails, return to the prior task and verify every case-sensitive entry.

Note: You may or may not see other student pods appearing here.

Note: The presence of the created switch verifies that the APIC now has a connection to the VMware vCenter Server.

Task 4: Verify an Attachable Access Entity Profile

In this task, you will verify an Attachable Access Entity Profile that will contain the VMM domain that you created previously. An attachable entity profile (AEP) represents a group of external entities with similar infrastructure policy requirements.
The infrastructure policies consist of physical interface policies, for example, Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), maximum transmission unit (MTU), and Link Aggregation Control Protocol (LACP). A VM Management (VMM) domain automatically derives the physical interface policies from the interface policy groups that are associated with an AEP.

Activity Procedure

Complete the following steps:

Step 1  In the ACI Menu bar, click Fabric.

Step 2  In the Submenu bar, click Access Policies.

Step 3  Navigate to Policies > Global > Attachable Access Entity Profiles.

Step 4  Verify the settings of the pre-configured Attachable Access Entity Profile with these entries.

        Field                         Value
        Name                          VCENTER-@-AEP (replace “@” with your assigned vCenter letter)
        Enable Infrastructure VLAN    Checked

Task 5: Add the VMM Domain to the AEP

In this task, you will add the VMM domain that you created previously to the pre-configured vCenter AEP from the last task.

Activity Procedure

Complete the following steps:

Note: All students must perform this task for your assigned pod.

Step 1  Navigate to Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles.

Step 2  Verify you see the pre-created AAEP from the last task: VCENTER-@-AEP. Highlight this object and double-click it to go into its configuration.

Step 3  In the Work pane, in the Domains (VMM, Physical or External) Associated to Interfaces subsection, click the plus + sign to associate your pod VMM domain.

Step 4  A Policy Usage Warning will appear indicating the other objects that will be affected by the changes. Click the Continue button.

Step 5  In the name drop-down list, select POD##-VMM-DOMAIN (replace “##” with your assigned two-digit Pod Number).

Step 6  Click the Update button.
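The objects built by hand in Tasks 1, 2 and 5 (the dynamic VLAN pool, the vCenter VMM domain with its credential and controller, and the AEP-to-domain association) are ordinary APIC managed objects, so the same configuration can be written as the JSON the APIC accepts over its REST API and reviewed before it is pushed. The following Python is an added example, not part of this lab guide or of Cisco's tooling: it builds those payloads for a given pod, rack and vCenter letter, checks that no two pods' VLAN ranges overlap before anything is posted, and includes an optional helper that authenticates to the APIC (aaaLogin) and posts one payload. The APIC class names are the standard ones; the helper names, the VCENTER_PASSWORD environment variable and the verify_tls switch are this example's own assumptions, and the pool builder also accepts the static allocation mode that a physical domain uses (Lab 6, Task 1).

```python
"""Render the Lab 5 access-policy objects as APIC REST payloads.

Added example (not from the lab guide or Cisco): the VLAN pool (Task 1), the
vCenter VMM domain with credential and controller (Task 2) and the AEP-to-domain
association (Task 5) as the JSON an APIC accepts on POST /api/mo/uni.json.
Class names are standard APIC classes; object names follow the lab; helper
names, the env-var lookup and verify_tls are this example's own assumptions.
"""
import json
import os
import ssl
import urllib.request

VMM_VENDOR = "VMware"  # vCenter domains live under uni/vmmp-VMware


def vlan_range(pod):
    """Lab convention (Task 1, Step 7): pod ## uses VLANs 3##0 to 3##9."""
    if not 10 <= pod <= 99:
        raise ValueError("pod must be a 2-digit number")
    base = 3000 + pod * 10
    return base, base + 9


def vlan_pool_payload(name, lo, hi, alloc_mode="dynamic"):
    """fvnsVlanInstP with one fvnsEncapBlk. A VMM domain needs a dynamic pool
    (Lab 5 Task 1); a physical domain uses a static one (Lab 6 Task 1)."""
    return {"fvnsVlanInstP": {
        "attributes": {"dn": f"uni/infra/vlanns-[{name}]-{alloc_mode}",
                       "name": name, "allocMode": alloc_mode},
        "children": [{"fvnsEncapBlk": {"attributes": {
            "from": f"vlan-{lo}", "to": f"vlan-{hi}", "allocMode": alloc_mode}}}]}}


def vmm_vlan_pool_payload(pod):
    lo, hi = vlan_range(pod)
    return vlan_pool_payload(f"POD{pod:02d}-VMM-DOMAIN-VLAN-POOL", lo, hi)


def vmm_domain_payload(pod, rack, vcenter_letter, vcenter_password):
    """vmmDomP bound to the pod's pool, plus vmmUsrAccP and vmmCtrlrP (Task 2).
    Controller values mirror the Task 2 Step 7 table, DVS version 6.5 included."""
    name = f"POD{pod:02d}-VMM-DOMAIN"
    pool = f"POD{pod:02d}-VMM-DOMAIN-VLAN-POOL"
    dom_dn = f"uni/vmmp-{VMM_VENDOR}/dom-{name}"
    cred_dn = f"{dom_dn}/usracc-VCENTER-CREDENTIAL"
    return {"vmmDomP": {
        "attributes": {"dn": dom_dn, "name": name},
        "children": [
            {"infraRsVlanNs": {"attributes": {"tDn": f"uni/infra/vlanns-[{pool}]-dynamic"}}},
            {"vmmUsrAccP": {"attributes": {"dn": cred_dn, "name": "VCENTER-CREDENTIAL",
                                          "usr": "root@vsphere.local", "pwd": vcenter_password}}},
            {"vmmCtrlrP": {
                "attributes": {"dn": f"{dom_dn}/ctrlr-vCenter-{vcenter_letter}",
                               "name": f"vCenter-{vcenter_letter}",
                               "hostOrIp": f"192.168.{rack}0.51",  # Rack = R -> 192.168.R0.51
                               "rootContName": f"Datacenter-{vcenter_letter}",  # must match vSphere exactly
                               "dvsVersion": "6.5", "scope": "vm"},
                "children": [{"vmmRsAcc": {"attributes": {"tDn": cred_dn}}}]}}]}}


def aep_association_payload(pod, vcenter_letter):
    """infraRsDomP under the pre-built VCENTER-@-AEP pointing at the pod's domain (Task 5)."""
    aep = f"VCENTER-{vcenter_letter}-AEP"
    return {"infraAttEntityP": {
        "attributes": {"dn": f"uni/infra/attentp-{aep}", "name": aep},
        "children": [{"infraRsDomP": {"attributes": {
            "tDn": f"uni/vmmp-{VMM_VENDOR}/dom-POD{pod:02d}-VMM-DOMAIN"}}}]}}


def overlapping_pools(ranges):
    """ranges: {pod: (lo, hi)}. Returns sorted (pod_a, pod_b) pairs that share a
    VLAN ID. Two domains handing out the same encap on shared leaf ports would
    collide, so run this before posting several pods' pools."""
    pods = sorted(ranges)
    return [(a, b) for i, a in enumerate(pods) for b in pods[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def post_to_apic(apic_url, username, password, payload, verify_tls=True):
    """Log in (POST /api/aaaLogin.json; the opener keeps the APIC cookie) and
    POST one payload to /api/mo/uni.json. Network call; the demo does not run it."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab APICs usually present a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(),
                                         urllib.request.HTTPSHandler(context=ctx))
    hdr = {"Content-Type": "application/json"}
    login = json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}})
    opener.open(urllib.request.Request(f"{apic_url}/api/aaaLogin.json", login.encode(), hdr))
    req = urllib.request.Request(f"{apic_url}/api/mo/uni.json", json.dumps(payload).encode(), hdr)
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    pod, rack, letter = 11, 1, "A"
    vc_pwd = os.environ.get("VCENTER_PASSWORD", "<vcenter-password>")  # placeholder, set in env
    for obj in (vmm_vlan_pool_payload(pod), vmm_domain_payload(pod, rack, letter, vc_pwd),
                aep_association_payload(pod, letter)):
        print(json.dumps(obj, indent=2))
    print("overlapping pools:", overlapping_pools({p: vlan_range(p) for p in range(11, 26)}))
```

The overlap check is the reason the lab spaces pods ten VLANs apart: dynamic pools attached to different VMM domains on the same leaf ports must not hand out the same encapsulation. Passing verify_tls=False is only appropriate for a lab APIC with a self-signed certificate.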
Task 6: Create an Interface Policy Group

In this task, you will create an Interface Policy Group that will be used in a subsequent task.

Activity Procedure

Complete the following steps:

Note: All students perform this task.

Step 1  In the ACI menu bar, click Virtual Networking and VMware.

Step 2  Navigate to VMware > POD##-VMM-DOMAIN (replace “##” with your assigned two-digit Pod Number).

Step 3  Right-click your POD##-VMM-DOMAIN and then select Create vSwitch Policies in the context menu.

Step 4  Note that a warning will appear indicating that the vSwitch policy container has been created.

Step 5  Click the OK button on the Warning pop-up window.

Step 6  Click the VSwitch Policy tab to the right of the General tab within the content pane on the right.

Step 7  Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

Warning: If the CDP and LLDP settings do not match the VMware settings, the VMM integration will fail.

        Field         Value
        LLDP Policy   POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
        CDP Policy    POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)

Step 8  Click the Submit button.

Step 9  A Policy Usage Warning will appear indicating the other objects that will be affected by the changes. Click the Submit Changes button.

Task 7: Verify the Properties of your Pod Distributed Switch

In this task, you will verify that the properties of your POD##-VMM-DOMAIN distributed switch within the VMware vCenter have been updated to use Cisco Discovery Protocol (CDP) as the Discovery Protocol between the ACI fabric and the VMware ESXi hosts that will be attached to the fabric later in this lab exercise.
Activity Procedure

Complete the following steps:

Step 1  Return to the VMware vSphere Client tab within Chrome.

Step 2  Select the Networking section from the menu.

Step 3  Expand the Datacenter and POD##-VMM-DOMAIN folders.

Step 4  Right-click your assigned POD##-VMM-DOMAIN distributed switch and then select Settings > Edit Settings… from the context menu.

Step 5  The POD##-VMM-DOMAIN Edit Settings window will appear. Click Advanced in the left-hand side of the window.

Step 6  The Discovery Protocol settings will be visible in the right-hand side of the window. Verify that the Type is now set to Cisco Discovery Protocol. Click OK when you are done.

Note: It is critical that this setting is correct in order for the VMware ESXi hosts to communicate properly with the leaf switches in the next lab exercise.

Task 8: Verify the Interface Policy Groups

In this task, you will verify the Interface Policy Groups that will be used in a subsequent task. These policy groups are configured once per fabric and are available to all tenants.

Activity Procedure

Complete the following steps:

Step 1  In ACI, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port.

Step 2  Verify you see two pre-configured Leaf Access Ports for ESXi A1 and A2 as referenced in the following table.
        Field                      Value
        Name                       ESXI-@@-INTERFACE-POLICY-GROUP (replace “@@” with your assigned ESXi host ID)
        Attached Entity Profile    VCENTER-@-AEP (replace “@” with your assigned vCenter letter)
        Link Level                 POD##-10G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
        CDP                        POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
        LLDP                       POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)

Task 9: Verify the Leaf Interface Profiles

In this task, you will verify the Leaf Interface Profiles that will be used in a subsequent task. These profiles are configured once per fabric and are available to all tenants. The VPC you configured in prior labs was not configured for the ESXi hosts. The ESXi hosts are single-homed in this lab environment.

Activity Procedure

Complete the following steps:

Step 1  Open your Resource Guide. Scroll down to the diagram Lab Topology and Wiring Diagram - ESXi Hosts Managed By vCenter-A. Note the exact single-homed ports from each Leaf to each ESXi host.

Step 2  In ACI, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.

Step 3  Verify that both of the two pre-configured Profiles ESXI-A1-INTERFACE-PROFILE and ESXI-A2-INTERFACE-PROFILE have the correct settings per the table:

        Field                     Value
        Name                      INTERFACE-SELECTOR
        Interface ID              ESXi-A1: 1/33
                                  ESXi-A2: 1/34
                                  ESXi-B1: 1/35
                                  ESXi-B2: 1/36
                                  ESXi-C1: 1/37
                                  ESXi-C2: 1/38
                                  ESXi-D1: 1/39
                                  ESXi-D2: 1/40
        Interface Policy Group    ESXI-@@-INTERFACE-POLICY-GROUP (replace “@@” with your assigned ESXi host ID)

Task 10: Verify the Leaf Profiles

In this task, you will verify the Leaf Profiles that will be used in a subsequent task. These profiles are configured once per fabric and are available to all tenants.

Activity Procedure

Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
Step 2  Verify that both of the two pre-configured Leaf Profiles ESXI-A1-SWITCH-PROFILE and ESXI-A2-SWITCH-PROFILE have the correct settings per the table:

        Field                                     Value
        Leaf Selector                             SWITCH-SELECTOR
        Blocks                                    ESXi-A1: 101
                                                  ESXi-A2: 103
                                                  ESXi-B1: 101
                                                  ESXi-B2: 103
                                                  ESXi-C1: 101
                                                  ESXi-C2: 103
                                                  ESXi-D1: 101
                                                  ESXi-D2: 103
        Associated Interface Selector Profiles    ESXI-@@-INTERFACE-PROFILE (replace “@@” with your assigned ESXi host ID)

Step 3  From your Student Server desktop, start a PuTTY session with Leaf-1.

Step 4  Log in to Leaf-1 using the following information:

        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)

Step 5  From your Student Server desktop, start another PuTTY session with Leaf-2.

Step 6  Log in to Leaf-2 using the following information:

        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)

Warning: Be sure to review the NterOne Resource Guide right now. Note the drawing that shows only one cable from each ESXi host to a leaf switch, and that the other ESXi host connects to the other leaf switch. Multihoming is not present for these ESXi hosts to your leaves.

Step 7  Execute the show interface e1/XX brief command using the interface number corresponding to your ESXi host. This command will show you the status of the interface connected to your ESXi host. Verify that the interface is in the up state. There will not be any traffic between the leaf switch and the ESXi host until the ESXi host has been configured to use the interface.
        Interface ID    ESXi-A1: Leaf-1 1/33
                        ESXi-A2: Leaf-2 1/34
                        ESXi-B1: Leaf-1 1/35
                        ESXi-B2: Leaf-2 1/36
                        ESXi-C1: Leaf-1 1/37
                        ESXi-C2: Leaf-2 1/38
                        ESXi-D1: Leaf-1 1/39
                        ESXi-D2: Leaf-2 1/40

        Leaf-1# show interface e1/XX brief
        --------------------------------------------------------------------------------
        Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
        Interface                                                                      Ch #
        --------------------------------------------------------------------------------
        Eth1/XX         0       eth  trunk  up      none                     10G(D)    --

Step 8  Be SURE this task is verified for both ESXi hosts in your assigned vCenter.

Task 11: Add ESXi Hosts to the ACI DVS

In this task, you will add ESXi hosts to the ACI DVS that has been created by the APIC within the vCenter server.

Activity Procedure

Complete the following steps:

Note: All students must perform this Task for your assigned pod only.

Step 1  Return to the VMware vSphere Client tab in Chrome.

Step 2  Select the Networking section from the Menu.

Step 3  Navigate to 192.168.R0.51 > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-DOMAIN.

Step 4  Right-click your POD##-VMM-DOMAIN distributed switch and select Add and Manage Hosts… from the context menu.

Step 5  The Add and Manage Hosts wizard will appear. The first step of the wizard is to select Add Host and click NEXT.

Step 6  On the 2. Select hosts page, select the green Plus + to add New hosts.

Step 7  Select both ESXi hosts and click OK, and then NEXT.

Step 8  From the Manage physical adapters page, you will be selecting only one vmnic interface from both of the hosts listed in the table. These vmnics will be connected to your VMM domain distributed virtual switch. There will be several physical adapters listed under each host.
Use the following table to determine the vmnic interfaces that you should select; select the same vmnic interface on both hosts.

        Pod Number   First ESXi Host     vmnic Interface   Second ESXi Host    vmnic Interface
        11           esxi-a1.dc.local    vmnic5            esxi-a2.dc.local    vmnic5
        12           esxi-a1.dc.local    vmnic6            esxi-a2.dc.local    vmnic6
        13           esxi-a1.dc.local    vmnic7            esxi-a2.dc.local    vmnic7
        14           esxi-a1.dc.local    vmnic8            esxi-a2.dc.local    vmnic8
        15           esxi-a1.dc.local    vmnic9            esxi-a2.dc.local    vmnic9
        16           esxi-a1.dc.local    vmnic10           esxi-a2.dc.local    vmnic10
        17           esxi-a1.dc.local    vmnic11           esxi-a2.dc.local    vmnic11
        18           esxi-a1.dc.local    vmnic12           esxi-a2.dc.local    vmnic12
        19           esxi-a1.dc.local    vmnic13           esxi-a2.dc.local    vmnic13
        20           esxi-a1.dc.local    vmnic14           esxi-a2.dc.local    vmnic14
        21           esxi-a1.dc.local    vmnic15           esxi-a2.dc.local    vmnic15
        22           esxi-a1.dc.local    vmnic16           esxi-a2.dc.local    vmnic16
        23           esxi-a1.dc.local    vmnic17           esxi-a2.dc.local    vmnic17
        24           esxi-a1.dc.local    vmnic18           esxi-a2.dc.local    vmnic18
        25           esxi-a1.dc.local    vmnic19           esxi-a2.dc.local    vmnic19

Note: Any vmnic can be used by any pod. BUT, two pods cannot share the same vmnic. This chart is suggested, but NOT required. Do NOT select a vmnic that is already assigned to another pod.

Step 9  Select your vmnic and click Assign uplink.

Step 10 The Select an Uplink window will appear. Select uplink1, check the box Apply the uplink assignment to the rest of the hosts, and click OK.

Step 11 Click the NEXT button.

Step 12 The Manage VMkernel adapters step will appear. Click the NEXT button.

Step 13 The Migrate VM networking step will appear. Click the NEXT button.

Step 14 The Ready to Complete step will appear.

Step 15 Click the FINISH button.

Step 16 Click the Hosts tab in the Work pane. Verify that you see your two ESXi hosts listed there and in a connected state.
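Task 10 Step 7 and Task 11 Step 18 have you read the leaf CLI by eye to confirm that each ESXi-facing port is up and that CDP shows the expected host behind it. When the same check has to be repeated for every pod, the two outputs can be parsed instead. The following Python is an added example, not part of the lab guide: it parses the show interface e1/XX brief table in the layout shown in Task 10 and a show cdp neighbors table, and reports per ESXi host whether the port is up and whether the expected host is the CDP neighbor on that port. The sample outputs are constructed for this example (Leaf-1 Eth1/33 to esxi-a1 healthy; Leaf-2 Eth1/34 to esxi-a2 still down with no neighbor); the host-to-port wiring follows the lab's Interface ID table, while the CDP column layout and the helper names are this example's own assumptions.

```python
"""Check ESXi-facing leaf ports from saved CLI output (Tasks 10 and 11).

Added example, not part of the lab guide. Parses the 'show interface e1/XX
brief' table shown in Task 10 and a 'show cdp neighbors' table, then reports
per ESXi host whether the port is up and whether the expected host is the CDP
neighbor on it. Sample outputs are constructed; the host-to-port wiring is the
lab's Interface ID table; the CDP column layout and helper names are assumed.
"""
import re

# Lab wiring (Task 10 table): single-homed ESXi host -> (leaf, leaf port).
ESXI_PORTS = {
    "esxi-a1.dc.local": ("Leaf-1", "Eth1/33"),
    "esxi-a2.dc.local": ("Leaf-2", "Eth1/34"),
}

# Constructed sample output, in the column layout printed in Task 10.
SAMPLE_INTF_BRIEF = {
    "Leaf-1": """\
--------------------------------------------------------------------------------
Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                      Ch #
--------------------------------------------------------------------------------
Eth1/33         0       eth  trunk  up      none                     10G(D)    --
""",
    "Leaf-2": """\
--------------------------------------------------------------------------------
Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                      Ch #
--------------------------------------------------------------------------------
Eth1/34         0       eth  trunk  down    Link not connected       10G(D)    --
""",
}

# Constructed sample 'show cdp neighbors' output; Leaf-2 has no neighbor yet.
SAMPLE_CDP = {
    "Leaf-1": """\
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device-ID          Local Intrfce  Hldtme  Capability  Platform      Port ID
esxi-a1.dc.local   Eth1/33        158     S           VMware ESX    vmnic5
""",
    "Leaf-2": """\
Device-ID          Local Intrfce  Hldtme  Capability  Platform      Port ID
""",
}

# Eth1/33  0  eth  trunk  up  none  10G(D)  --   (the Reason column may contain spaces)
INTF_RE = re.compile(r"^(Eth\d+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s+(\S+)\s+(\S+)\s*$")


def parse_interface_brief(text):
    """Return {interface: {"status", "reason", "speed"}} from 'show interface ... brief'."""
    rows = {}
    for line in text.splitlines():
        m = INTF_RE.match(line)
        if m:
            rows[m.group(1)] = {"status": m.group(5), "reason": m.group(6), "speed": m.group(7)}
    return rows


def parse_cdp_neighbors(text):
    """Return {local_interface: (device_id, remote_port)} from 'show cdp neighbors'."""
    neighbors, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Device-ID"):
            in_table = True  # every non-blank line after the header is a neighbor row
            continue
        if in_table and line.strip():
            parts = line.split()
            neighbors[parts[1]] = (parts[0], parts[-1])
    return neighbors


def check_esxi_uplinks(intf_outputs, cdp_outputs, wiring=ESXI_PORTS):
    """Return {host: [findings]}; an empty list means the port is up and CDP shows
    the expected host, which is what Task 10 Step 7 and Task 11 Step 18 require."""
    results = {}
    for host, (leaf, port) in wiring.items():
        findings = []
        intf = parse_interface_brief(intf_outputs.get(leaf, "")).get(port)
        if intf is None:
            findings.append(f"{leaf} {port}: not in 'show interface brief' output")
        elif intf["status"] != "up":
            findings.append(f"{leaf} {port}: status {intf['status']} ({intf['reason']})")
        nbr = parse_cdp_neighbors(cdp_outputs.get(leaf, "")).get(port)
        if nbr is None:
            findings.append(f"{leaf} {port}: no CDP neighbor (host not on the DVS yet, or CDP off)")
        elif nbr[0] != host:
            findings.append(f"{leaf} {port}: CDP neighbor is {nbr[0]} ({nbr[1]}), expected {host}")
        results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in check_esxi_uplinks(SAMPLE_INTF_BRIEF, SAMPLE_CDP).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

A port that is still down after Task 11 usually means the wrong vmnic was assigned as the uplink; a port that is up with no CDP neighbor usually means the DVS discovery protocol is not CDP (Task 7) or the host has not yet been added to the switch.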
Note: As long as your hosts are both present for your switch, any ESXi warnings or alerts present in ESXi are of little concern.

Step 17 Return to the PuTTY sessions to both of your leaf switches.

Step 18 Execute the show cdp neighbors command. Verify that you see that the leaf switch is receiving CDP information from its attached ESXi host. It may take a few minutes for the CDP entries to appear. While referring to your resource guide, check the CDP neighbors for both leaves.

Task 12: Associate the vCenter Domain to the APP EPG

In this task, you will associate the vCenter Domain to the APP EPG.

Activity Procedure

Complete the following steps for your assigned Pod/Tenant:

Step 1  In the ACI Menu bar, click Tenants.

Step 2  In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).

Step 3  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > POD##-APP-EPG.

Step 4  Right-click the EPG POD##-APP-EPG folder and then select Add VMM Domain Association from the context menu.

Step 5  The Add VMM Domain Association wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field                   Value
        VMM Domain Profile      POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
        Deploy Immediacy        Immediate
        Resolution Immediacy    Immediate

Note: Resolution Immediacy controls when the policies are downloaded to the leaf. Immediate specifies that EPG policies (including contracts and filters) are downloaded to the leaf upon hypervisor attachment to VDS. LLDP or OpFlex permissions are used to resolve the hypervisor to leaf node attachments.
On Demand specifies that EPG policies are downloaded to the leaf only when a pNIC attaches to the hypervisor connector and a VM is placed in the port group (EPG).

Note: Deploy Immediacy controls when the policy is pushed into the hardware policy CAM. Immediate specifies that the policy is programmed in the hardware policy CAM as soon as the policy is downloaded in the leaf software. On Demand specifies that the policy is programmed in the hardware policy CAM only when the first packet is received through the data path. This process helps to optimize the hardware space.

Step 6  Click the Submit button to complete the Add VMM Domain Association wizard.

Task 13: Associate the vCenter Domain to the DB EPG

In this task, you will associate the vCenter Domain to the DB EPG.

Activity Procedure

Complete the following steps:

Step 1  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG.

Step 2  Right-click the EPG POD##-DB-EPG folder and then select Add VMM Domain Association from the context menu.

Step 3  The Add VMM Domain Association wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field                   Value
        VMM Domain Profile      POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
        Deploy Immediacy        Immediate
        Resolution Immediacy    Immediate

Step 4  Click the Submit button to complete the Add VMM Domain Association wizard.

Task 14: Associate the vCenter Domain to the WEB EPG

In this task, you will associate the vCenter Domain to the WEB EPG.

Activity Procedure

Complete the following steps:

Step 1  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.
Step 2  Right-click the EPG POD##-WEB-EPG folder and then select Add VMM Domain Association from the context menu.

Step 3  The Add VMM Domain Association wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field                   Value
        VMM Domain Profile      VMware/POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
        Deploy Immediacy        Immediate
        Resolution Immediacy    Immediate

Step 4  Click the Submit button to complete the Add VMM Domain Association wizard.

Task 15: Verify the Creation of the ACI DVS Port Groups within vCenter

In this task, you will verify that the correct ACI DVS port groups were created within the vCenter.

Activity Procedure

Complete the following steps:

Step 1  Return to the VMware vSphere Client tab in your browser.

Step 2  Navigate to the Networking section.

Step 3  Navigate to 192.168.R0.51 > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-DOMAIN.

Step 4  Verify you have three new port groups listed under the ACI DVS, each of which will correspond to the EPGs within your application profile. The name of each port group is a combination of the Tenant, Application Profile, and EPG names. If the port groups don’t show up, review your prior lab steps for any misconfigurations.

Step 5  Right-click one of the port groups that were created and then select Edit Settings… from the context menu.

Note: In the Settings window that appears, in the left-hand side click VLAN. You will see the VLAN ID that was assigned to the port group by the APIC. The VLAN ID was taken from the VLAN pool associated with the VMM domain associated with vCenter. Make no changes.
Step 6  Look at the other settings of the port group which were assigned by the APIC. Click CANCEL when you are done to close this window.

Step 7  From your Student Server desktop, start a PuTTY session with Leaf-1.

Step 8  Log in to Leaf-1 using the following information:

        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)

Step 9  Execute the show vrf command. Verify that you now see that a VRF has been created in the fabric corresponding to the VRF used by your application profile (within your pod). The name of the VRF will be the combination of the names of the Tenant and Private Network (VRF).

Step 10 Execute the show vlan extended command. You should now see that VLANs have been created corresponding to the EPGs that you have associated to the vCenter server.

Step 11 From your Student Server desktop, start a PuTTY session with Leaf-2.

Step 12 Log in to Leaf-2 using the following information:

        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)

Step 13 Execute the show vrf command. You should now see that a VRF has been created in the fabric corresponding to the VRF used by your application profile (within your pod). The name of the VRF will be the combination of the names of the Tenant and Private Network (VRF).

Step 14 Execute the show vlan extended command. You should now see that VLANs have been created corresponding to the EPGs that you have associated to the vCenter server.

Task 16: Add the App Server VM to the ACI DVS

In this task, you will configure the network adapter within the App Server VM to use the correct ACI DVS port group.

Activity Procedure

Complete the following steps:

Step 1  Return to the Chrome tab for VMware vSphere Client.
Note: Be sure you are connected to your vCenter, and not to any ESXi host directly.

Step 2  Select the Hosts and Clusters section from the Menu.

Note: If your VMs are powered on when you change the port groups in the following steps, you will have to reboot the Windows VM to implement the change. Do NOT reboot the ESXi host.

Step 3  Navigate to 192.168.R0.51 > Datacenter-@ > Cluster-@ (replace “@” with your assigned vCenter letter). Verify that you see three virtual machines which are assigned to your Pod (replace “##” with your assigned Pod number):

        Virtual Machine    IP Address        Default Gateway
        Pod##-App          10.##.1.1 /24     10.##.1.254
        Pod##-DB           10.##.2.1 /24     10.##.2.254
        Pod##-Web          10.##.3.1 /24     10.##.3.254

Step 4  Verify that your three VMs are currently powered off, as shown by the absence of the green triangle on the VM icon.

Warning: If the VMs are powered on and you change the network settings in the following steps, you will need to reboot the Windows VMs after applying these settings.

Step 5  Right-click the Pod##-App VM and then select Edit Settings… from the context menu.

Step 6  The Edit Settings window for Pod##-App will appear.

Step 7  In the left-hand side of the window, select Network adapter 1.

Step 8  Click the pull-down menu next to the vSS Port Group and select Browse from the menu.

Step 9  From the Select Network window, select POD##|POD##-APPLICATION-PROFILE|POD##-APP-EPG from the drop-down list. Click OK.

Warning: Be sure to select the entry for your assigned pod number. Other pod entries will likely be present.

Step 10 Verify that the Connect box is checked.

Step 11 Click the OK button to save the changes to the properties of the virtual machine.
Step 12 Right-click the Pod##-App VM, and then select Power > Power On from the context menu.

Step 13 After a few seconds, verify that you see the powered-on green triangle icon next to the virtual machine. If you see this, skip ahead to the next Task.

Step 14 In some cases it is possible that when you power on a virtual machine you will see a small “i” appear on the virtual machine icon. If this occurs, select the virtual machine, and then select the Summary tab in the Work pane. You will see a question presented to you regarding the state of the virtual machine.

Step 15 Select I Moved It, and then click the OK button. The VM will then complete the power on process.

Task 17: Add the DB Server VM to the ACI DVS

In this task, you will configure the network adapter within the DB Server VM to use the correct ACI DVS port group.

Activity Procedure

Complete the following steps:

Step 1  Right-click the Pod##-DB VM and then select Edit Settings… from the context menu.

Step 2  The Edit Settings window for Pod##-DB will appear.

Step 3  In the left-hand side of the window, select Network adapter 1.

Step 4  In the right side of the window, click the Network label setting and then select Browse to select POD##|POD##-APPLICATION-PROFILE|POD##-DB-EPG from the drop-down list.

Step 5  Click the OK button to save the changes to the properties of the virtual machine.

Step 6  Right-click the Pod##-DB VM and then select Power > Power On from the context menu.

Task 18: Add the Web Server VM to the ACI DVS

In this task, you will configure the network adapter within the Web Server VM to use the correct ACI DVS port group.
Activity Procedure

Complete the following steps:

Step 1  Right-click the Pod##-Web VM, and then select Edit Settings… from the context menu.

Step 2  The Virtual Machine Properties for Pod##-Web will appear.

Step 3  In the left-hand side of the window, select Network adapter 1.

Step 4  In the right-hand side of the window, click the Network label setting, and then select Browse to select POD##|POD##-APPLICATION-PROFILE|POD##-WEB-EPG from the drop-down list.

Step 5  Click the OK button to save the changes to the properties of the virtual machine.

Step 6  Right-click the Pod##-Web VM and then select Power > Power On from the context menu.

Step 7  Leave these three VMs powered on, as you will refer back to them in later labs.

Task 19: Verify Base Connectivity in the Three VMs

In this task, you will verify that each VM can now ping the default gateway provided by the subnet you configured in prior labs. You will also test connectivity to the other VMs allowed by your previously configured ACI whitelist.

Activity Procedure

Complete the following steps:

Step 1  Right-click the Pod##-Web VM, and then select Open Remote Console.

Step 2  If you are prompted by your browser, click Open Link.

Step 3  If you are prompted by a security warning in the VM, click Connect Anyway. “Agree” with any other security warning that you might see.

Step 4  When the Windows VM opens, start the Command Prompt.

Step 5  Type ipconfig in the Command Prompt and note your pre-configured IP address. The second byte of the IP address is your assigned Pod number.

Step 6  Verify you can ping your default gateway.
This address is the subnet gateway configured in the bridge domain in your tenant.

Note: All ping tests of IP connectivity for your Web, App or DB VMs need to be done within the Windows Command Prompt.

Note: If you are not able to ping your own default gateway for each VM, review prior lab steps to find and correct any misconfigurations.

Step 7  Repeat all steps in this task for your pod Pod##-DB and Pod##-App VMs and ensure they can ping their own default gateway.

Discovery Lab 6: Enable Inter-EPG Layer 2 Connectivity

Overview

There are a variety of methods to configure network connectivity between devices integrated into the ACI fabric and devices in a layer 2 network that is external to the ACI fabric. This lab exercise will focus on the method that is referred to as extending an end point group (EPG). When the extending-an-EPG method is used, network connectivity is configured so that the external device is able to be added to an application EPG within the fabric. The external device is treated as an endpoint in the same way a virtual machine within an integrated host is treated. Policies and contracts applied to the EPG are also applied to traffic to and from the external device.

In this lab exercise you will be configuring connectivity between your assigned interface on Leaf-1 and a device that is reachable via layer 2. You will also be creating a new bridge domain and EPG within which you will place the external device. This is not necessary in general; however, additional functionality will be demonstrated during the lab exercise. At the end of the lab exercise your assigned DB server VM should be able to communicate with the external device.

Note: To distinguish the “extending an EPG” method from the “extending the bridge domain” method, the terms bare metal network and bare metal server will be used in this lab exercise.
These terms refer to devices that are directly or indirectly connected to a leaf switch at layer 2. The term “bare metal” indicates that the server is not a hypervisor/host (no virtualization is present) and the Windows / Linux / UNIX operating system is installed directly onto the hardware. These terms are found in many of the Cisco ACI documents.

Job Aids

Device Access (Rack = R)

Device      Management IP                         Other IP Addresses                                 Credentials
apic1       192.168.R0.1                          ---                                                admin/1234QWer
leaf-1      192.168.R0.101                        ---                                                admin/1234QWer
leaf-2      192.168.R0.103                        ---                                                admin/1234QWer
Spine-1     192.168.R0.102                        ---                                                admin/1234QWer
vCenter A   192.168.R0.51                         ---                                                root@vsphere.local/1234QWer
ESXi        esxi-a1.dc.local, esxi-a2.dc.local    ---                                                root/1234QWer
VMs         ---                                   WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)   N/A (auto-login)

Task 0: Log in to the APIC Controller and the Web-based VMware vSphere Client

In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log in to your assigned VMware vCenter server using the web-based VMware vSphere Client.

Activity Procedure

Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Warning: This lab demands that you use and refer to the Resource Guide. Open the resource guide now. Pay close attention to your assigned pod and rack number.

Complete the following steps:

Step 1  Verify that you are currently logged in to your Student Server.
Step 2  From your Student Server desktop, start the Chrome browser.
Step 3  Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4  Log in to the APIC using the following credentials:
        Username: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 5  At this point you should see the APIC Dashboard.
Warning: You may have the older VMware vSphere client on your desktop. Do NOT use this client, as it has been deprecated by VMware for the later versions of vCenter used in this lab environment.

Step 6  From your Student Server, within your Chrome browser, open another browser tab and log in to your assigned vCenter server using the following credentials:
        IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter) or 192.168.R0.51
        Select LAUNCH VSPHERE CLIENT (HTML5).
Step 7  Log in using these credentials:
        Username: root@vsphere.local
        Password: 1234QWer (note that “QW” is capitalized)
Step 8  In the vSphere Client window, click on Hosts and Clusters in the upper left. Expand the Datacenter and Cluster. Locate the VMs assigned to your pod.

Task 1: Create a VLAN Pool

In this task, you will create a VLAN pool that will be used by the physical domain you will create in a subsequent Task.

Activity Procedure

Complete the following steps:

Step 1  Return to the APIC GUI running in your Chrome browser.
Step 2  In the Menu bar, click Fabric.
Step 3  In the Submenu bar, click Access Policies.
Step 4  In the Navigation pane, expand Pools > VLAN.
Step 5  Right-click the VLAN folder and then select Create VLAN Pool from the context menu.
Step 6  The Create VLAN Pool wizard will appear. Enter the values in the following table.

        Field              Value
        Name               POD##-BARE-METAL-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
        Allocation Mode    Static Allocation

Step 7  In the Encap Blocks subsection, click the plus sign + to create a new VLAN range for one VLAN. Enter the values in the following table for one single VLAN.
        Field          Value
        Range (From)   4## (replace “##” with your assigned 2-digit Pod Number)
        Range (To)     4## (replace “##” with your assigned 2-digit Pod Number)

Step 8  Click the OK button.
Step 9  Click the Submit button to complete the Create VLAN Pool wizard.

Task 2: Create a Physical Domain

The next step in configuring an external bridged network is to create a Physical Domain. The physical domain contains the VLAN Pool containing the external VLANs, and it must be added to the correct Attachable Access Entity Profile (AEP) that is used by the correct leaf switch interface. In this task, you will create a Physical Domain that will be used by the application EPG that you will create in a subsequent task.

Activity Procedure

Complete the following steps:

Step 1  In the Menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  Navigate to Physical and External Domains > Physical Domains.
Step 4  Right-click the Physical Domains folder and then select Create Physical Domain from the context menu.
Step 5  The Create Physical Domain wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field       Value
        Name        POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
        VLAN Pool   POD##-BARE-METAL-VLAN-POOL(static) (replace “##” with your assigned 2-digit Pod Number)

Step 6  Click the Submit button to complete the Create Physical Domain wizard.

Task 3: Create an Attachable Access Entity Profile

In this task, you will create an Attachable Access Entity Profile that will contain the physical domain that you created previously.
Activity Procedure

Complete the following steps:

Step 1  In the Menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  Navigate to Policies > Global > Attachable Access Entity Profiles.
Step 4  Right-click the Attachable Access Entity Profiles folder and then select Create Attachable Access Entity Profile from the context menu.
Step 5  The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter the values in the following table.

        Field                         Value
        Name                          POD##-BARE-METAL-AEP (replace “##” with your assigned 2-digit Pod Number)
        Enable Infrastructure VLAN    Checked

Step 6  In the Domains (VMM, Physical or External) To Be Associated to Interfaces subsection, click the plus sign + to associate your physical domain.
Step 7  In the Domain Profile drop-down list, select POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned two-digit Pod Number).
Step 8  Click the Update button.
Step 9  Click the Next button. In STEP 2 > Association to Interfaces, do not make any changes.
Step 10 Click the Finish button to complete the Create Attachable Access Entity Profile wizard.

Task 4: Create an Interface Policy Group

In this task, you will create an Interface Policy Group that will be used in a subsequent Task.

Activity Procedure

Complete the following steps:

Step 1  In ACI, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port.
Step 2  Right-click the Leaf Access Port folder and then select Create Leaf Access Port Policy Group from the context menu.
Step 3  The Create Leaf Access Port Policy Group wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.
        Field                      Value
        Name                       POD##-BARE-METAL-INTERFACE-POLICY-GROUP
        Attached Entity Profile    POD##-BARE-METAL-AEP
        Link Level                 POD##-1G-LINK-LEVEL-POLICY
        CDP                        POD##-ENABLE-CDP-INTERFACE-POLICY
        LLDP                       POD##-ENABLE-LLDP-INTERFACE-POLICY
        (replace “##” with your assigned 2-digit Pod Number in every value)

Step 4  Click the Submit button to complete the Create Leaf Access Port Policy Group wizard.

Task 5: Create an Interface Profile

In this task, you will create an Interface Profile that will be used in a subsequent Task.

Activity Procedure

Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
Step 2  Right-click the Profiles folder and then select Create Leaf Interface Profile from the context menu.
Step 3  The Create Leaf Interface Profile wizard will appear. In the Name field, type POD##-BARE-METAL-INTERFACE-PROFILE (replace “##” with your assigned two-digit Pod Number).
Step 4  In the Interface Selectors subsection, click the plus sign + to create a new entry. The Create Access Port Selector wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field                     Value
        Name                      INTERFACE-SELECTOR
        Interface ID              1/## (replace “##” with your assigned 2-digit Pod Number)
        Interface Policy Group    POD##-BARE-METAL-INTERFACE-POLICY-GROUP (replace “##” with your assigned 2-digit Pod Number)

Step 5  Click the OK button to complete the Create Access Port Selector wizard.
Step 6  Click the Submit button to complete the Create Interface Profile wizard.
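As an added illustration (not code from the lab guide or from Cisco), the following Python builds the APIC REST JSON for the access-policy objects of Tasks 1 through 5 and for the Switch Profile that the next task adds to anchor the chain to Leaf-1, then checks that every relation in the chain resolves to an object that exists. The class and attribute names are those of the ACI object model (fvnsVlanInstP, physDomP, infraAttEntityP, infraAccPortGrp, infraAccPortP, infraNodeP); the tDn formats of the relation targets are assumed to match an APIC 5.x fabric, and pod number 7 is a constructed stand-in for “##”.

```python
"""Added example, not part of the DCACI lab guide: APIC payload for the
bare-metal access-policy chain, with a resolution check on its relations.
Object classes follow the ACI object model; tDn formats are assumed for an
APIC 5.x fabric. POD is a constructed sample value for the guide's "##"."""
import json
import re

POD = 7        # constructed sample pod number
NODE = "101"   # Leaf-1, the node selected in the Switch Profile

def vlan_pool(name, first, last):
    """fvnsVlanInstP (static allocation) with one encap block (Task 1)."""
    return {"fvnsVlanInstP": {"attributes": {"name": name, "allocMode": "static"},
            "children": [{"fvnsEncapBlk": {"attributes": {
                "from": f"vlan-{first}", "to": f"vlan-{last}"}}}]}}

def physical_domain(name, pool):
    """physDomP referencing the VLAN pool (Task 2)."""
    return {"physDomP": {"attributes": {"name": name},
            "children": [{"infraRsVlanNs": {"attributes": {
                "tDn": f"uni/infra/vlanns-[{pool}]-static"}}}]}}

def aep(name, domain):
    """infraAttEntityP with the physical domain associated to it (Task 3)."""
    return {"infraAttEntityP": {"attributes": {"name": name},
            "children": [{"infraRsDomP": {"attributes": {"tDn": f"uni/phys-{domain}"}}}]}}

def port_policy_group(name, aep_name, link, cdp, lldp):
    """infraAccPortGrp tying the AEP and the interface policies together (Task 4)."""
    return {"infraAccPortGrp": {"attributes": {"name": name}, "children": [
        {"infraRsAttEntP": {"attributes": {"tDn": f"uni/infra/attentp-{aep_name}"}}},
        {"infraRsHIfPol": {"attributes": {"tnFabricHIfPolName": link}}},
        {"infraRsCdpIfPol": {"attributes": {"tnCdpIfPolName": cdp}}},
        {"infraRsLldpIfPol": {"attributes": {"tnLldpIfPolName": lldp}}}]}}

def interface_profile(name, port, group):
    """infraAccPortP with one access port selector covering eth<port> (Task 5)."""
    card, num = port.split("/")
    return {"infraAccPortP": {"attributes": {"name": name}, "children": [
        {"infraHPortS": {"attributes": {"name": "INTERFACE-SELECTOR", "type": "range"},
         "children": [
             {"infraPortBlk": {"attributes": {"name": "block1", "fromCard": card,
                                              "toCard": card, "fromPort": num, "toPort": num}}},
             {"infraRsAccBaseGrp": {"attributes": {
                 "tDn": f"uni/infra/funcprof/accportgrp-{group}"}}}]}}]}}

def switch_profile(name, node, ifprofile):
    """infraNodeP selecting one leaf and attaching the interface profile to it."""
    return {"infraNodeP": {"attributes": {"name": name}, "children": [
        {"infraLeafS": {"attributes": {"name": "SWITCH-SELECTOR", "type": "range"},
         "children": [{"infraNodeBlk": {"attributes": {
             "name": "block1", "from_": node, "to_": node}}}]}},
        {"infraRsAccPortP": {"attributes": {"tDn": f"uni/infra/accportprof-{ifprofile}"}}}]}}

def lab6_chain(pod=POD):
    """The whole chain with the guide's naming: VLAN 4## on eth1/## of node 101."""
    p = f"POD{pod:02d}"
    return [
        vlan_pool(f"{p}-BARE-METAL-VLAN-POOL", 400 + pod, 400 + pod),
        physical_domain(f"{p}-BARE-METAL-PHYSICAL-DOMAIN", f"{p}-BARE-METAL-VLAN-POOL"),
        aep(f"{p}-BARE-METAL-AEP", f"{p}-BARE-METAL-PHYSICAL-DOMAIN"),
        port_policy_group(f"{p}-BARE-METAL-INTERFACE-POLICY-GROUP", f"{p}-BARE-METAL-AEP",
                          f"{p}-1G-LINK-LEVEL-POLICY", f"{p}-ENABLE-CDP-INTERFACE-POLICY",
                          f"{p}-ENABLE-LLDP-INTERFACE-POLICY"),
        interface_profile(f"{p}-BARE-METAL-INTERFACE-PROFILE", f"1/{pod}",
                          f"{p}-BARE-METAL-INTERFACE-POLICY-GROUP"),
        switch_profile(f"{p}-BARE-METAL-SWITCH-PROFILE", NODE, f"{p}-BARE-METAL-INTERFACE-PROFILE"),
    ]

# relation class -> (class its target must belong to, pattern that extracts the target name)
TARGETS = {
    "infraRsVlanNs": ("fvnsVlanInstP", re.compile(r"uni/infra/vlanns-\[(.+)\]-static")),
    "infraRsDomP": ("physDomP", re.compile(r"uni/phys-(.+)")),
    "infraRsAttEntP": ("infraAttEntityP", re.compile(r"uni/infra/attentp-(.+)")),
    "infraRsAccBaseGrp": ("infraAccPortGrp", re.compile(r"uni/infra/funcprof/accportgrp-(.+)")),
    "infraRsAccPortP": ("infraAccPortP", re.compile(r"uni/infra/accportprof-(.+)")),
}

def _walk(obj):
    """Yield (class, attributes) for an object and all of its descendants."""
    for cls, body in obj.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from _walk(child)

def dangling_relations(objects):
    """tDns that point at nothing in `objects`. An empty list means the chain is
    closed; a broken link surfaces on the APIC as a fault and the port never
    gets the VLAN programmed."""
    names = {(c, a["name"]) for o in objects for c, a in _walk(o) if "name" in a}
    missing = []
    for o in objects:
        for cls, attrs in _walk(o):
            if cls in TARGETS:
                target_cls, pat = TARGETS[cls]
                m = pat.fullmatch(attrs["tDn"])
                if not m or (target_cls, m.group(1)) not in names:
                    missing.append(attrs["tDn"])
    return missing

def encap_in_pool(objects, vlan):
    """True if `vlan` lies inside an encap block of a pool in `objects`; a static
    EPG binding on a VLAN outside the domain's pool raises a configuration fault."""
    for o in objects:
        for cls, attrs in _walk(o):
            if cls == "fvnsEncapBlk":
                lo, hi = (int(attrs[k].split("-")[1]) for k in ("from", "to"))
                if lo <= vlan <= hi:
                    return True
    return False

if __name__ == "__main__":
    chain = lab6_chain()
    print(json.dumps(chain, indent=2))
    print("dangling:", dangling_relations(chain), "VLAN 407 in pool:", encap_in_pool(chain, 407))
```

Each element of the list is a separate POST body for the APIC; running the script prints them and the check results. The Enable Infrastructure VLAN box ticked in Task 3 is deliberately not modelled: it extends the fabric's infra VLAN to the selected ports and is only needed for OpFlex-based integrations, so a bare metal port does not require it.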
Task 6: Create a Switch Profile

In this task, you will create a Switch Profile that will be used in a subsequent Task.

Activity Procedure

Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
Step 2  Right-click the Profiles folder and then select Create Leaf Profile from the context menu.
Step 3  The Create Leaf Profile wizard will appear. In STEP 1 > Profile, in the Name field, type POD##-BARE-METAL-SWITCH-PROFILE (replace “##” with your assigned two-digit Pod Number).
Step 4  In the Leaf Selectors subsection, click the plus sign + to create a new entry. Enter the values in the following table.

        Field     Value
        Name      SWITCH-SELECTOR
        Blocks    101

Step 5  Click the Update button.
Step 6  Click the Next button.
Step 7  In STEP 2 > Associations, in the Interface Selector Profiles pane, select POD##-BARE-METAL-INTERFACE-PROFILE (replace “##” with your assigned two-digit Pod Number).
Step 8  Click the Finish button to complete the Create Leaf Profile wizard.

Task 7: Create a Bridge Domain

In this task, you will create a new Bridge Domain that will eventually contain the “bare metal server” connected to Leaf-1. You will also create a new Subnet that will be used to communicate with the bare metal server.

Activity Procedure

Complete the following steps:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Networking > Bridge Domains.
Step 4  Right-click the Bridge Domains folder and then select Create Bridge Domain from the context menu.
Step 5  The Create Bridge Domain wizard will appear. In STEP 1 > Main, enter the values in the following table and do NOT change any of the values that are not listed in the following table.
        Field    Value
        Name     POD##-BARE-METAL-BD (replace “##” with your assigned 2-digit Pod Number)
        VRF      POD##/POD##-VRF (replace “##” with your assigned 2-digit Pod Number)

Step 6  Click the Next button. In STEP 2 > L3 Configurations, in the Subnets subsection, click the plus sign + to start the Create Subnet wizard.
Step 7  The Create Subnet wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the following table.

        Field         Value
        Gateway IP    10.##.4.254/24 (replace “##” with your assigned 2-digit Pod Number)

Step 8  Click the OK button to complete the Create Subnet wizard.
Step 9  Click the Next button.
Step 10 In STEP 3 > Advanced/Troubleshooting, do not make any changes.
Step 11 Click the Finish button to complete the Create Bridge Domain wizard.

Task 8: Create a Bare Metal EPG

In this task, you will create a Bare Metal EPG within the Bare Metal bridge domain. You will also configure the Bare Metal EPG with the settings necessary to include the bare metal server within the EPG.

Activity Procedure

Complete the following steps:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs.
Step 4  Right-click the Application EPGs folder and then select Create Application EPG from the context menu.
Step 5  The Create Application EPG wizard will appear. In STEP 1 > Identity, enter the values in the following table and do NOT change any of the values that are not listed in the following table.
        Field                                 Value
        Name                                  POD##-BARE-METAL-EPG (replace “##” with your assigned 2-digit Pod Number)
        Bridge Domain                         POD##/POD##-BARE-METAL-BD (replace “##” with your assigned 2-digit Pod Number)
        Statically Link with Leaves/Paths     Checked

Step 6  Click the Next button.
Step 7  In STEP 2 > Leaves/Paths, in the Physical Domain drop-down list, select POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned two-digit Pod Number).
Step 8  Click the Finish button to complete the Create Application EPG wizard.
Step 9  In the Navigation pane, expand Tenants > POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > POD##-BARE-METAL-EPG > Static Ports.
Step 10 Right-click the Static Ports folder and then select Deploy Static EPG on PC, VPC, or Interface from the context menu.
Step 11 The Deploy Static EPG on PC, VPC, or Interface wizard will appear. Enter the values in the following table.

        Field                                              Value
        Path Type                                          Port
        Node                                               101
        Path                                               eth1/## (replace “##” with your assigned 2-digit Pod Number)
        Port Encap (or Secondary VLAN for Micro-Seg)       VLAN 4## (replace “##” with your assigned 2-digit Pod Number)
        Deployment Immediacy                               Immediate
        Mode                                               Trunk

Step 12 Click Next.
Step 13 Click the Finish button to complete the Deploy Static EPG on PC, VPC, or Interface wizard.

Task 9: Create a New Contract

In this task, you will create a new Contract that will be used (in the following Task) to allow communications between the DB EPG and the Bare Metal EPG.

Activity Procedure

Complete the following steps in your assigned Tenant:

Step 1  In the Navigation pane, expand Tenant > POD## > Contracts.
Step 2  Right-click the Contracts folder and then select Create Contract from the context menu.
Step 3  The Create Contract wizard will appear. In the Name field, type POD##-CONTRACT-DB-BARE-METAL (replace “##” with your assigned 2-digit Pod Number).
Step 4  In the Subjects subsection, click the plus sign + to create a new entry. Enter the values in the following table.

        Field                     Value
        Name                      SUBJECT-ANY
        Apply Both Directions     Checked
        Reverse Filter Ports      Checked

Step 5  In the Filters subsection, click the plus sign + to create a new entry. In the drop-down list, select POD##/POD##-FILTER-ANY.
Step 6  Click the Update button, and then click the OK button.
Step 7  Click the Submit button to complete the Create Contract wizard. Verify you see the contract you just created in the Contracts folder.

Task 10: Configure Contracts between the DB EPG and the Bare Metal EPG

In this task, you will apply the Bare Metal Contract to allow traffic to flow between the DB EPG and the Bare Metal EPG.

Activity Procedure

Complete the following steps:

Step 1  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG > Contracts.
Step 2  Right-click the Contracts folder and then select Add Provided Contract from the context menu.
Step 3  The Add Provided Contract wizard will appear. In the Contract field, select POD##-CONTRACT-DB-BARE-METAL from the drop-down list.
Step 4  Click the Submit button to complete the Add Provided Contract wizard.
Step 5  In the Navigation pane, expand Tenants > POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-BARE-METAL-EPG > Contracts.
Step 6  Right-click the Contracts folder and then select Add Consumed Contract from the context menu.
Step 7  The Add Consumed Contract wizard will appear. In the Contract drop-down list, select POD##-CONTRACT-DB-BARE-METAL (replace “##” with your assigned 2-digit Pod Number).
Step 8  Click the Submit button to complete the Add Consumed Contract wizard.
Step 9  In the Navigation pane, expand Tenant > POD## > Application Profiles > POD##-APPLICATION-PROFILE, then click the Topology tab in the Work pane. Verify that you now see the updated diagram for the application profile and that it includes the new connectivity to the bare metal server.

Note: You may need to drag and drop the icons to see this same visual layout.

Task 11: Verify Connectivity to the Bare Metal Server

In this task, you will verify that your Pod DB server can communicate with the bare metal server connected to the leaf switch.

Activity Procedure

Complete the following steps:

Step 1  Return to the VMware vSphere Client tab in your browser.
Step 2  Select the Hosts and Clusters icon and scroll down to locate your pod VMs.
Step 3  Navigate to 192.168.R0.51 > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter letter). You should see three virtual machines which are assigned to your Pod (replace “##” with your assigned Pod number):

        Virtual Machine    IP Address        Default Gateway
        Pod##-App          10.##.1.1 /24     10.##.1.254
        Pod##-DB           10.##.2.1 /24     10.##.2.254
        Pod##-Web          10.##.3.1 /24     10.##.3.254

Note: If your Remote Console to the Pod##-DB VM is still open from the prior lab, you don’t have to open it again.

Step 4  Right-click the Pod##-DB VM and then select Open Remote Console from the context menu.
Step 5  The console window for Pod##-DB will appear. You will see the DB server’s desktop.
Step 6  Click on Connect Anyway if prompted.
Step 7  Open a Command Prompt window within the VM.
Step 8  Type ipconfig and note your pre-configured IP addressing.
Step 9  Verify that your Pod##-DB can ping the bare metal file server using the ping 10.##.4.1 command (replace “##” with your assigned 2-digit Pod Number).

Note: You may see the first ping response fail. Feel free to repeat the same ping to verify full connectivity to the bare metal server.

Step 10 Verify that your Pod##-DB can trace route to the bare metal file server using the tracert 10.##.4.1 command (replace “##” with your assigned 2-digit Pod Number).

Note: As the 10.##.4.1 address is currently on a different Layer 3 subnet, you have to connect through the default gateway of Pod##-DB to reach the bare metal server.

Step 11 From your Student Server desktop, start a PuTTY session with Leaf-1.
Step 12 Log in to Leaf-1 using the following information:
        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 13 Execute the show vrf command.

Note: The output of the show vrf command is useful when you need to copy and paste a VRF name into another command.

Step 14 Execute the show endpoint vrf POD##:POD##-VRF command (replace “##” with your assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC within your VRF. Verify that you see an entry with the IP address of 10.##.4.1.
Step 15 Execute the show vlan extended | grep POD## command. Verify that you see a new fabric VLAN that has been created that is associated with the port connected to the bare metal server.
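As an added illustration (not code from the lab guide or from Cisco), here is a small Python model of the tenant objects built so far: one bridge domain with the three VM subnets, the bare metal bridge domain with its 10.##.4.254/24 subnet, the four EPGs, and the contracts, with the contract of Task 9 provided by the DB EPG and consumed by the bare metal EPG as in Task 10. It answers the two questions the pings and traceroutes of this task ask: does the whitelist permit a pair of endpoints to talk, and is the path bridged within one subnet or routed through the bridge domain gateway. Pod number 7 is a constructed stand-in for “##”; the name of the Web EPG, the names of the two earlier Web/App and App/DB contracts and their provider/consumer orientation are assumptions, chosen to match the connectivity the earlier labs allow.

```python
"""Added example, not part of the DCACI lab guide: tenant whitelist model.
Subnets and endpoint addresses are the guide's values with pod 7 standing
in for "##"; the Web EPG name and the two earlier contract names are
assumptions."""
import ipaddress
from dataclasses import dataclass, field

POD = 7  # constructed sample pod number

@dataclass
class BridgeDomain:
    name: str
    subnets: list          # gateway/prefix strings, e.g. "10.7.2.254/24"

@dataclass
class EPG:
    name: str
    bd: str                # bridge domain the EPG lives in
    provided: set = field(default_factory=set)
    consumed: set = field(default_factory=set)

@dataclass
class Endpoint:
    name: str
    ip: str
    epg: str

@dataclass
class Tenant:
    bds: dict
    epgs: dict
    endpoints: dict
    contracts: dict        # contract name -> True if its subject applies both directions

def build_tenant(pod=POD):
    p = f"POD{pod:02d}"
    bds = {f"{p}-BD": BridgeDomain(f"{p}-BD", [f"10.{pod}.1.254/24", f"10.{pod}.2.254/24",
                                                f"10.{pod}.3.254/24"]),
           f"{p}-BARE-METAL-BD": BridgeDomain(f"{p}-BARE-METAL-BD", [f"10.{pod}.4.254/24"])}
    contracts = {f"{p}-CONTRACT-WEB-APP": True,        # assumed name, from an earlier lab
                 f"{p}-CONTRACT-APP-DB": True,         # assumed name, from an earlier lab
                 f"{p}-CONTRACT-DB-BARE-METAL": True}  # Task 9: SUBJECT-ANY, both directions
    epgs = {
        f"{p}-WEB-EPG": EPG(f"{p}-WEB-EPG", f"{p}-BD", consumed={f"{p}-CONTRACT-WEB-APP"}),
        f"{p}-APP-EPG": EPG(f"{p}-APP-EPG", f"{p}-BD", provided={f"{p}-CONTRACT-WEB-APP"},
                            consumed={f"{p}-CONTRACT-APP-DB"}),
        f"{p}-DB-EPG": EPG(f"{p}-DB-EPG", f"{p}-BD",
                           provided={f"{p}-CONTRACT-APP-DB", f"{p}-CONTRACT-DB-BARE-METAL"}),
        f"{p}-BARE-METAL-EPG": EPG(f"{p}-BARE-METAL-EPG", f"{p}-BARE-METAL-BD",
                                   consumed={f"{p}-CONTRACT-DB-BARE-METAL"}),
    }
    endpoints = {"Web": Endpoint("Web", f"10.{pod}.3.1", f"{p}-WEB-EPG"),
                 "App": Endpoint("App", f"10.{pod}.1.1", f"{p}-APP-EPG"),
                 "DB": Endpoint("DB", f"10.{pod}.2.1", f"{p}-DB-EPG"),
                 "BareMetal": Endpoint("BareMetal", f"10.{pod}.4.1", f"{p}-BARE-METAL-EPG")}
    return Tenant(bds, epgs, endpoints, contracts)

def permitted(t, src, dst):
    """True if the whitelist lets src send to dst. Endpoints in one EPG talk
    freely; across EPGs a contract must link them consumer -> provider, or in
    either order when the subject applies both directions."""
    a, b = t.epgs[t.endpoints[src].epg], t.epgs[t.endpoints[dst].epg]
    if a is b:
        return True
    for c, both in t.contracts.items():
        if c in a.consumed and c in b.provided:
            return True
        if both and c in a.provided and c in b.consumed:
            return True
    return False

def path_kind(t, src, dst):
    """'bridged' when both addresses sit in the same subnet of the source's
    bridge domain, otherwise the gateway the source must use."""
    s = ipaddress.ip_address(t.endpoints[src].ip)
    d = ipaddress.ip_address(t.endpoints[dst].ip)
    bd = t.bds[t.epgs[t.endpoints[src].epg].bd]
    for gw in bd.subnets:
        iface = ipaddress.ip_interface(gw)
        if s in iface.network:
            return "bridged" if d in iface.network else f"routed via {iface.ip}"
    return "no subnet"   # source address is outside every subnet of its bridge domain

def matrix(t):
    """Every ordered endpoint pair with its whitelist verdict and path kind."""
    return {(a, b): (permitted(t, a, b), path_kind(t, a, b))
            for a in t.endpoints for b in t.endpoints if a != b}

if __name__ == "__main__":
    for pair, verdict in sorted(matrix(build_tenant()).items()):
        print(f"{pair[0]:>9} -> {pair[1]:<9} permitted={verdict[0]!s:<5} {verdict[1]}")
```

The verdict for DB to the bare metal server is "permitted, routed via 10.7.2.254", which is what the tracert of Step 10 shows as the first hop. Re-homing the bare metal EPG into the same bridge domain and subnet as the DB VM turns `path_kind` into "bridged", while `permitted` still depends on the contract because the two endpoints remain in different EPGs.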
Task 12: Verify Connectivity to the Bare Metal Server as a Layer 2 Connection

In this task, you will change the bare metal server to be on the same layer 2 subnet as the Pod##-DB VM and verify its connectivity. In this lab environment, the Bare Metal server is simply an SVI configured on an external switch.

Activity Procedure

Complete the following steps:

Step 1  In ACI, navigate to Tenants > POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > POD##-BARE-METAL-EPG.
Step 2  Click on the tabs Policy > General.
Step 3  Change the Bridge Domain to POD##-BD.
Step 4  Click Submit and Submit Changes.
Step 5  From your desktop, open a new PuTTY session to the ACI-SWITCH with the following credentials:
        IP address: 192.168.R0.42
        Username: student
        Password: 1234QWer
        Enable Password: 1234QWer
Step 6  Create an SVI of VLAN 4## with an IP address of 10.##.2.2 255.255.255.0 (## is your assigned pod number). Verify you can ping the address from the local switch.
Step 7  Return to the Pod##-DB VM and verify you can ping 10.##.2.2.
Step 8  From the Pod##-DB VM, verify you can do a traceroute to 10.##.2.2.

Note: Pod##-DB now has connectivity to 10.##.2.2 without passing through another Layer 3 address, as they are on the same layer 2 network.

Discovery Lab 7: Enable Inter-EPG Layer 3 Connectivity

Overview

Complete this lab activity to become familiar with Layer 3 connectivity within ACI between different EPGs.

Upon completing this guided lab, you will be able to: Verify connectivity between EPGs within an ACI Tenant.
Job Aids

Device Access (Rack = R)

Device      Management IP                         Other IP Addresses                                 Credentials
apic1       192.168.R0.1                          ---                                                admin/1234QWer
leaf-1      192.168.R0.101                        ---                                                admin/1234QWer
leaf-2      192.168.R0.103                        ---                                                admin/1234QWer
Spine-1     192.168.R0.102                        ---                                                admin/1234QWer
vCenter A   192.168.R0.51                         ---                                                root@vsphere.local/1234QWer
ESXi        esxi-a1.dc.local, esxi-a2.dc.local    ---                                                root/1234QWer
VMs         ---                                   WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)   N/A (auto-login)

Task 0: Log in to the APIC Controller and the Web-based VMware vSphere Client

In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log in to your assigned VMware vCenter server using the web-based VMware vSphere Client.

Activity Procedure

Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Warning: This lab demands that you use and refer to the Resource Guide. Open the resource guide now. Pay close attention to your assigned pod and rack number.

Complete the following steps:

Step 1  Verify that you are currently logged in to your Student Server.
Step 2  From your Student Server desktop, start the Chrome browser.
Step 3  Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4  Log in to the APIC using the following credentials:
        Username: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 5  At this point you should see the APIC Dashboard.

Warning: You may have the older VMware vSphere client on your desktop. Do NOT use this client, as it has been deprecated by VMware for the later versions of vCenter used in this lab environment.
Step 6  From your Student Server, within your Chrome browser, open another browser tab and log in to your assigned vCenter server using the following credentials:
        IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter) or 192.168.R0.51
        Select LAUNCH VSPHERE CLIENT (HTML5).
Step 7  Log in using these credentials:
        Username: root@vsphere.local
        Password: 1234QWer (note that “QW” is capitalized)
Step 8  In the vSphere Client window, click on Hosts and Clusters in the upper left. Expand the Datacenter and Cluster. Locate the VMs assigned to your pod.

Task 1: Examine Cisco ACI Layer 3 Networking

In this task, you will verify that all of the steps necessary to configure network connectivity between the Pod virtual machines have been taken.

Note: The only way to test the ACI whitelist in this lab environment is from within the console of the VMs, as you will do in this task. Feel free to keep the console open throughout this class, as you will return to these VMs often.

Activity Procedure

Complete the following steps:

Step 1  In ACI, navigate to Tenants > POD## > Application Profiles > POD##-APPLICATION-PROFILE.
Step 2  Click on the Topology tab. Review your currently configured whitelist in your tenant by observing the drawing. Make no changes.
Step 3  In the vSphere Client web tab, right-click the Pod##-App VM and then select Open Remote Console from the context menu.

Note: If you have the VM Remote Consoles open from a prior lab, you don’t have to open them again.

Step 4  Confirm that you want to Open VMware Remote Console.
Step 5  If you get an Invalid Security Certificate, click Connect Anyway.
Step 6  The console window for Pod##-App will appear. You will see the App server’s desktop. Click OK on any pop-up window.
Step 7  Open a Command Prompt window within your Windows VM.
Step 8  Type ipconfig/all and note your pre-configured IP address and MAC address.
Step 9  Verify that your Pod##-App can ping Pod##-DB at 10.##.2.1. This is allowed because you have a contract configured between Pod##-App and Pod##-DB with a filter allowing all traffic.
Step 10 Verify that your Pod##-Web can ping Pod##-App at 10.##.1.1. This is allowed because you have a contract configured between Pod##-Web and Pod##-App with a filter allowing all traffic.
Step 11 Verify that your Pod##-Web can NOT ping Pod##-DB at 10.##.2.1. This is intentionally NOT allowed because you don’t currently have a contract configured between Pod##-Web and Pod##-DB.
Step 12 From your Student Server desktop, start a PuTTY session with Leaf-1.
Step 13 Log in to Leaf-1 using the following information:
        Login as: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 14 Execute the show mac address-table command. Verify you can see the MAC addresses for the virtual machines in your Pod.

Note: The output of the show mac address-table command does not give you much information about the virtual machines and the port groups (EPGs) to which they belong.

Step 15 Execute the show endpoint detail | more command and use the space bar to go one page at a time to see more information about the virtual machines. In the output you can see the MAC address of each virtual machine, the name of the port group, and the VLAN ID assigned to the port group to which it belongs.
Step 16 Return to the APIC GUI.
Step 17 In the Navigation pane, select Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-APP-EPG.
Step 18 In the content pane, select the Operational tab, and then select the Client End-Points subtab. Refer to the Resource Guide for the IP addresses in your pod. Verify you see the Pod##-App virtual machine listed in the table along with a number of details about the virtual machine, such as the IP and MAC addresses.
Step 19 Select the Configured Access Policies subtab. The contents of this tab identify where the fabric should be seeing endpoints associated with this end point group.
Step 20 Select the Contracts subtab. The contents of this tab identify the contracts configured on the end point group and a summary of the amount of traffic that has been passed between the POD##-APP-EPG and other EPGs.
Step 21 Familiarize yourself with the other tabs that are present for the POD##-APP-EPG.

Note: When troubleshooting problems communicating with an endpoint, the content pane for the associated end point group is a good starting point.

Discovery Lab 8: Configure External Layer 2 Connection

Overview

Complete this lab activity to become familiar with configuring an L2 connection to an external network. An L2 outside connection is associated with a bridge domain and it is designed to extend the whole bridge domain.

Upon completing this guided lab, you will be able to: Create an External Bridged Network.
Job Aids

Device Access (Rack = R)

Device      Management IP                         Other IP Addresses                                 Credentials
apic1       192.168.R0.1                          ---                                                admin/1234QWer
leaf-1      192.168.R0.101                        ---                                                admin/1234QWer
leaf-2      192.168.R0.103                        ---                                                admin/1234QWer
Spine-1     192.168.R0.102                        ---                                                admin/1234QWer
vCenter A   192.168.R0.51                         ---                                                root@vsphere.local/1234QWer
ESXi        esxi-a1.dc.local, esxi-a2.dc.local    ---                                                root/1234QWer
VMs         ---                                   WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)   N/A (auto-login)

Task 0: Log in to the APIC Controller and the Web-based VMware vSphere Client

In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log in to your assigned VMware vCenter server using the web-based VMware vSphere Client.

Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Activity Procedure

Complete the following steps:

Step 1  Open your Resource Guide. Scroll down to the diagram Lab Topology and Wiring Diagram – Connectivity to External Layer 2 Networks. Pay close attention to your assigned pod and rack number. Study the connectivity to the one external switch ACI-SWITCH-R that will be shared by all tenants in the fabric.
Step 2  Verify that you are currently logged in to your Student Server.
Step 3  From your Student Server desktop, start the Chrome browser.
Step 4  Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 5  Log in to the APIC using the following credentials:
        Username: admin
        Password: 1234QWer (note that “QW” is capitalized)
Step 6  At this point you should see the APIC Dashboard.

Warning: You may have the older VMware vSphere client on your desktop. Do NOT use this client, as it has been deprecated by VMware for the later versions of vCenter used in this lab environment.
Step 7  From your Student Server, within your Chrome browser, open another browser tab and log in to your assigned vCenter server using the following credentials:
        IP address / Name: 192.168.R0.51
        Select LAUNCH VSPHERE CLIENT (HTML5).
Step 8  Log in using these credentials:
        Username: root@vsphere.local
        Password: 1234QWer (note that “QW” is capitalized)
Step 9  In the vSphere Client window, click on Hosts and Clusters in the upper left. Expand the Datacenter and Cluster. Locate the VMs assigned to your pod.

Task 1: Verify an Attachable Access Entity Profile

In this task, you will verify a pre-configured Attachable Access Entity Profile (AAEP) that will be used in later tasks.

Activity Procedure

Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Policies > Global > Attachable Access Entity Profiles.
Step 2  Verify the configuration of the pre-configured AAEP for Layer 2 connectivity for the entire fabric.

        Field                         Value
        Name                          L2-LAB-AEP
        Enable Infrastructure VLAN    Checked

Task 2: Verify an Interface Policy Group

In this task, you will verify a pre-configured Interface Policy Group that will be used by the leaf interface connecting to the bridged networks. The Interface Policy Group defines how an interface on a leaf switch should operate (e.g., link speed), and the Interface Policy Group is also the point where you indicate which AEP will use the interface. An Interface Policy Group may only include one AEP.

Activity Procedure

Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port.
Step 2  Verify the pre-configured Leaf Access Port policy group per the following table.
          Name: L2-LAB-INTERFACE-POLICY-GROUP
          Attached Entity Profile: L2-LAB-AEP
          Link Level: 1G-LINK-LEVEL-POLICY
          CDP Policy: ENABLE-CDP-INTERFACE-POLICY
          LLDP Policy: ENABLE-LLDP-INTERFACE-POLICY

Task 3: Verify an Interface Profile

In this task, you will verify a pre-configured Interface Profile that will be used by the leaf interface connecting to the bridged networks. The same Interface Profile serves the entire fabric. The Interface Profile identifies the specific interface number(s) on the leaf switches that will use the associated Interface Policy Group. The Interface Profile does not identify the leaf switches where the interfaces are located; the leaf switches are identified in the Switch Profile (verified in the next task).

Activity Procedure
Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
Step 2  Verify the settings of the pre-configured profile in the following table. All tenants will configure connectivity to this same external Layer 2 switch in later tasks.
          Profile: L2-LAB-INTERFACE-PROFILE
          Interface Selector Name: INTERFACE-SELECTOR
          Interface IDs (Blocks): 1/5
          Policy Group: L2-LAB-INTERFACE-POLICY-GROUP

Task 4: Verify a Switch Profile

In this task, you will verify the configuration of a pre-configured Switch Profile that will be used by the leaf interface connecting to the bridged networks. The Switch Profile identifies the specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the end of this task, assuming everything was configured properly, the physical interface on the leaf switch should be in an up state.

Activity Procedure
Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
Step 2  Verify the configuration of the pre-configured profile from the following table.
          Profile: L2-LAB-SWITCH-PROFILE
          Leaf Selector Name: SWITCH-SELECTOR
          Blocks: 103 (Leaf-2)
          Associated Interface Selector Profile: L2-LAB-INTERFACE-PROFILE
Step 3  From your Student Server desktop, start a PuTTY session with Leaf-2.
Step 4  Log in to Leaf-2 using the following information:
          Login as: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 5  Verify that the interface that will be used to connect to the external switch is functioning properly by executing the show interface ethernet 1/5 brief command. Verify that the Status is up.

Task 5: Create a VLAN Pool for the External Bridged Domain

In this task, you will create a VLAN pool that will be used by the External Bridged Domain you will create in the next task.

Note: All students must perform this task and all remaining tasks in this lab exercise.

Activity Procedure
Complete the following steps:

Step 1  Return to the APIC GUI running in your Chrome browser.
Step 2  In the Menu bar, click Fabric.
Step 3  In the Submenu bar, click Access Policies.
Step 4  In the Navigation pane, expand Pools > VLAN.
Step 5  Right-click the VLAN folder and then select Create VLAN Pool from the context menu.
Step 6  The Create VLAN Pool wizard will appear. Enter the values in the following table.
          Name: POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace "##" with your assigned 2-digit Pod Number)
          Allocation Mode: Static Allocation
Step 7  In the Encap Blocks subsection, click the plus sign (+) to create a new VLAN range containing a single VLAN. Enter the values in the following table.
          Range (From): 2## (replace "##" with your assigned 2-digit Pod Number)
          Range (To): 2## (replace "##" with your assigned 2-digit Pod Number)
Step 8  Click the OK button.
Step 9  Click the Submit button to complete the Create VLAN Pool wizard.

Task 6: Create an External Bridged Domain (Layer 2 Domain)

In this task, you will create an External Bridged Domain that uses the VLAN Pool you created in the previous task; it will be used in subsequent lab exercises. An External Bridged Domain is required in order to configure Layer 2 connectivity to external networks.

Activity Procedure
Complete the following steps:

Step 1  In the Menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  Navigate to Physical and External Domains > External Bridged Domains.
Step 4  Right-click the External Bridged Domains folder and then select Create Layer 2 Domain from the context menu.
Step 5  The Create Layer 2 Domain wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-EXTERNAL-BRIDGED-DOMAIN (replace "##" with your assigned 2-digit Pod Number)
          Associated Attachable Entity Profile: L2-LAB-AEP
          VLAN Pool: POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace "##" with your assigned 2-digit Pod Number)
Step 6  Click the Submit button to complete the Create Layer 2 Domain wizard.

Task 7: Create an External Bridged Network

In this task, you will configure an External Bridged Network (L2Out), which contains all of the information necessary to create a Layer 2 connection between the leaf switch and an external VLAN.

Activity Procedure
Complete the following steps:

Step 1  In the ACI menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace "##" with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand Tenant POD## > Networking > L2Outs.
Step 4  Right-click the L2Outs folder and then select Create L2Out from the context menu.
Step 5  The Create L2Out wizard will appear. In STEP 1 > Identity, enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-EXTERNAL-BRIDGED-NETWORK (replace "##" with your assigned 2-digit Pod Number)
          External Bridged Domain: POD##-EXTERNAL-BRIDGED-DOMAIN (replace "##" with your assigned 2-digit Pod Number)
          Bridge Domain: POD##-BD (replace "##" with your assigned 2-digit Pod Number)
          Encap VLAN: 2## (replace "##" with your assigned 2-digit Pod Number)
          Path Type: Port
          Node: Leaf-2 (Node-103)
          Path: eth1/5 (click the Add button after selecting the path)
        Note: Be sure to click the Add button after you select the path. The path you select must appear in the lower (blue) portion of the wizard.
Step 6  Click the Next button.
Step 7  In STEP 2 > External EPG Networks, in the External EPG Networks subsection, click the plus sign (+) to create a new entry.
Step 8  The Create External EPG wizard will appear. In the Name field, type POD##-EXTERNAL-BRIDGED-EPG (replace "##" with your assigned 2-digit Pod Number).
Step 9  Click the OK button to complete the Create External EPG wizard.
Step 10 Click the Finish button to complete the Create L2Out wizard.

Task 8: Configure Contracts between the Web EPG and the External Bridged Network

In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External Bridged Network EPG. The Web EPG will consume the contract and the external EPG will provide it.

Activity Procedure
Complete the following steps:

Step 1  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > POD##-WEB-EPG > Contracts.
Step 2  Right-click the Contracts folder and then select Add Consumed Contract from the context menu.
Step 3  The Add Consumed Contract wizard will appear. In the Contract field, select POD##-CONTRACT-ANY from the drop-down list.
Step 4  Click the Submit button to complete the Add Consumed Contract wizard.
Step 5  In the Navigation pane, expand Tenant POD## > Networking > L2Outs > POD##-EXTERNAL-BRIDGED-NETWORK > External EPGs > POD##-EXTERNAL-BRIDGED-EPG.
Step 6  In the Work pane, click the Policy tab and then the Contracts sub-tab.
Step 7  In the Provided Contracts pane, click the plus sign (+) to create a new entry. In the Name field, select POD##-CONTRACT-ANY from the drop-down list.
Step 8  Click the Update button.
Step 9  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE and then click the Topology tab in the Work pane. Verify that the updated diagram for the application profile includes the new connectivity from the Web EPG to the External Bridged Network.
        Note: You may need to drag and drop the icons to match the layout shown in the screenshot.

Task 9: Verify That the Web EPG Can Communicate with the External Bridged Domain

In this task, you will verify that the Web Server in your Web EPG can successfully communicate with a device in the External Bridged Domain.

Activity Procedure
Complete the following steps:

Step 1  Return to the VMware vSphere Client tab in your browser.
Step 2  Click Hosts and Clusters.
Step 3  Navigate to 192.168.R0.51 > Datacenter-@ > Cluster-@ (replace "@" with your assigned vCenter letter).
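The objects clicked through in Tasks 5 to 8 (VLAN pool, Layer 2 domain, AEP binding, L2Out with its external EPG, and the two contract bindings) are managed objects that can also be posted to the APIC REST API. The following script is an added example and is not part of the Cisco lab guide: it builds those payloads in APIC JSON form and runs one pre-flight check that the GUI does not force on you, namely that the L2Out encap VLAN actually sits inside the pool the Layer 2 domain references. Assumed values that are not in the guide: pod 11 (tenant POD11, VLAN 211) and rack 1 (APIC at 192.168.10.1); the class and attribute names are those of the APIC object model.

```python
"""Added example (not part of the Cisco lab guide): build the APIC REST JSON for the
Lab 8 objects and check the L2Out encap against the VLAN pool before posting.
Assumptions (not from the guide): pod 11 -> tenant POD11, VLAN 211; rack 1 -> APIC 192.168.10.1."""
import json


def mo(cls, attrs, children=()):
    """One managed object in APIC JSON form: {"class": {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def walk(tree):
    """Depth-first walk of a payload, yielding (class, attributes) for every object."""
    for cls, body in tree.items():
        yield cls, body["attributes"]
        for child in body.get("children", []):
            yield from walk(child)


def vlan_pool(name, vlan):
    """Task 5: static VLAN pool with a single-VLAN encap block."""
    return mo("fvnsVlanInstP",
              {"dn": f"uni/infra/vlanns-[{name}]-static", "name": name, "allocMode": "static"},
              [mo("fvnsEncapBlk", {"from": f"vlan-{vlan}", "to": f"vlan-{vlan}", "allocMode": "static"})])


def l2_domain(name, pool):
    """Task 6: external bridged (Layer 2) domain bound to the VLAN pool."""
    return mo("l2extDomP", {"dn": f"uni/l2dom-{name}", "name": name},
              [mo("infraRsVlanNs", {"tDn": f"uni/infra/vlanns-[{pool}]-static"})])


def aep_bind_domain(aep, domain):
    """Task 6 (AEP side): the domain-to-AEP association is stored under the AEP, not the domain."""
    return mo("infraAttEntityP", {"dn": f"uni/infra/attentp-{aep}", "name": aep},
              [mo("infraRsDomP", {"tDn": f"uni/l2dom-{domain}"})])


def l2out(tenant, name, bd, domain, vlan, node, port, ext_epg, provided=(), consumed=()):
    """Task 7 (L2Out, node/interface profile, leaf path) and Task 8 (external EPG contract bindings)."""
    path = f"topology/pod-1/paths-{node}/pathep-[{port}]"
    bindings = [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provided]
    bindings += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumed]
    return mo("l2extOut", {"dn": f"uni/tn-{tenant}/l2out-{name}", "name": name}, [
        mo("l2extRsEBd", {"tnFvBDName": bd, "encap": f"vlan-{vlan}"}),
        mo("l2extRsL2DomAtt", {"tDn": f"uni/l2dom-{domain}"}),
        mo("l2extLNodeP", {"name": f"{name}_nodeProfile"}, [
            mo("l2extLIfP", {"name": f"{name}_interfaceProfile"}, [
                mo("l2extRsPathL2OutAtt", {"tDn": path})])]),
        mo("l2extInstP", {"name": ext_epg}, bindings),
    ])


def epg_consume(tenant, app, epg, contract):
    """Task 8: the Web EPG consumes the contract that the external EPG provides."""
    return mo("fvAEPg", {"dn": f"uni/tn-{tenant}/ap-{app}/epg-{epg}", "name": epg},
              [mo("fvRsCons", {"tnVzBrCPName": contract})])


def encap_in_pool(pool_payload, l2out_payload):
    """Pre-flight check: the L2Out encap must fall inside an encap block of the pool that the
    Layer 2 domain references; otherwise the APIC flags the path with a fault instead of programming it."""
    encap = next(int(a["encap"].split("-")[1]) for c, a in walk(l2out_payload) if c == "l2extRsEBd")
    for cls, a in walk(pool_payload):
        if cls == "fvnsEncapBlk":
            lo, hi = (int(a[k].split("-")[1]) for k in ("from", "to"))
            if lo <= encap <= hi:
                return True
    return False


def lab8_payloads(pod, node=103, port="eth1/5"):
    """All Lab 8 objects for one pod, in the order they should be posted."""
    t = f"POD{pod}"
    pool, dom, vlan = f"{t}-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL", f"{t}-EXTERNAL-BRIDGED-DOMAIN", int(f"2{pod}")
    return [
        vlan_pool(pool, vlan),
        l2_domain(dom, pool),
        aep_bind_domain("L2-LAB-AEP", dom),
        l2out(t, f"{t}-EXTERNAL-BRIDGED-NETWORK", f"{t}-BD", dom, vlan, node, port,
              f"{t}-EXTERNAL-BRIDGED-EPG", provided=[f"{t}-CONTRACT-ANY"]),
        epg_consume(t, f"{t}-APPLICATION-PROFILE", f"{t}-WEB-EPG", f"{t}-CONTRACT-ANY"),
    ]


def post_url(apic, payload):
    """URL each payload is POSTed to; every top-level object carries its own dn."""
    dn = next(iter(payload.values()))["attributes"]["dn"]
    return f"https://{apic}/api/mo/{dn}.json"


if __name__ == "__main__":
    objs = lab8_payloads("11")
    assert encap_in_pool(objs[0], objs[3]), "L2Out encap is outside the pool"
    for p in objs:
        print(post_url("192.168.10.1", p))  # assumed rack 1 APIC; post with the aaaLogin cookie
        print(json.dumps(p, indent=1))
```

Posting is left out on purpose: authenticate first with a POST of an aaaUser object to /api/aaaLogin.json and reuse the returned APIC-cookie, and keep the admin credentials out of the script (for example in environment variables) rather than embedding the lab password the way the guide does for the GUI.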
        Verify that you see the three virtual machines assigned to your Pod (replace "##" with your assigned Pod number):
          Virtual Machine   IP Address       Default Gateway
          Pod##-App         10.##.1.1/24     10.##.1.254
          Pod##-DB          10.##.2.1/24     10.##.2.254
          Pod##-Web         10.##.3.1/24     10.##.3.254
Step 4  Right-click the Pod##-Web VM and then select Open Remote Console from the context menu.
        Note: If you still have the Remote Consoles open from prior labs, you do not have to open them again.
Step 5  The console window for Pod##-Web will appear, showing the Web server's desktop. Click to agree to any pop-ups you may see.
Step 6  Open a Command Prompt window.
Step 7  Type ipconfig to review your pre-configured IP address.
Step 8  Verify that you can ping your own default gateway at 10.##.3.254.
Step 9  There is a device in the external bridged network that is configured to use VLAN ##1 with the IP address 10.##.3.2 (this is the same subnet used by your Web Server virtual machine). Verify that your Web Server can ping this IP address using the ping 10.##.3.2 command (replace "##" with your assigned 2-digit Pod Number). Because the external device is in the same bridge domain and subnet as the Web Server, this is a Layer 2 forwarding test; the external device is still a separate EPG, so it is the contract between the Web EPG and the external EPG that permits the traffic.
Step 10 From your Student Server desktop, start a PuTTY session with Leaf-2.
Step 11 Log in to Leaf-2 using the following information:
          Login as: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 12 Execute the show vrf command. Look for the VRF for your tenant.
        Note: The output of the show vrf command is useful when you need to copy and paste a VRF name into another command.
Step 13 Execute the show endpoint vrf POD##:POD##-VRF | more command (replace "##" with your assigned 2-digit Pod Number). Use the space bar to advance through the pages of output as needed. This command displays the endpoints the leaf has learned within your VRF. You should see an entry with the IP address 10.##.3.2 on eth1/5.
Step 14 Execute the show vlan extended | more command.
        Verify that a new fabric VLAN has been created that is associated with port Eth1/5 and the external bridge domain encap VLAN 2##.

Discovery Lab 9: Configure External Layer 3 (L3Out) Connection

Overview

Complete this lab activity to become familiar with configuring Layer 3 communications to an external network. L3Out connections provide IP connectivity between a Tenant's private network (VRF) and an external IP network. The physical connection to the ACI fabric is via an ACI leaf (called a border leaf in this context). Tenant subnets are injected into the routing protocol running between the border leaf and the external router. You control which Tenant subnets are advertised to external routers.

Upon completing this guided lab, you will be able to:
- Configure an external Layer 3 network (L3Out).
- Advertise selected internal (public) subnets to the external network.
- Associate an L3Out to a Bridge Domain.
- Verify that the leaf is learning OSPF routes.
- Configure a contract between an internal EPG and an external EPG.

Job Aids

Device Access (Rack = R)

Device       Management IP      Other IP Addresses                                  Credentials
apic1        192.168.R0.1       ---                                                 admin/1234QWer
leaf-1       192.168.R0.101     ---                                                 admin/1234QWer
leaf-2       192.168.R0.103     ---                                                 admin/1234QWer
Spine-1      192.168.R0.102     ---                                                 admin/1234QWer
vCenter A    192.168.R0.51      ---                                                 root@vsphere.local/1234QWer
ESXi         esxi-a1.dc.local, esxi-a2.dc.local                                     root/1234QWer
VMs          ---                WEB (10.##.3.1), APP (10.##.1.1), DB (10.##.2.1)    N/A (auto-login)

Task 0: Log in to the APIC Controller and the Web based VMware vSphere Client

In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log in to your assigned VMware vCenter server using the web based VMware vSphere Client.
Note: This lab must be performed on the ACI Physical Equipment as shown in the Labtyme portal.

Activity Procedure
Complete the following steps:

Step 1  Open your Resource Guide. Scroll down to the diagram "Lab Topology and Wiring Diagram – Connectivity to External Layer 3 Networks". Pay close attention to your assigned pod and rack number. Study the connectivity from ACI Leaf-2 to the single external router ACI-ROUTER-R, which is shared by all tenants in the fabric.
Step 2  Verify that you are currently logged in to your Student Server.
Step 3  From your Student Server desktop, start the Chrome browser.
Step 4  Navigate to https://192.168.R0.1 (replace "R" with your assigned ACI Rack Number).
Step 5  Log in to the APIC using the following credentials:
          Username: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 6  At this point you should see the APIC Dashboard.

Warning: You may have an older VMware vSphere client on your desktop. Do NOT use this client; VMware has deprecated it for the later versions of vCenter used in this lab environment.

Step 7  From your Student Server, within your Chrome browser, open another browser tab and connect to your assigned vCenter server:
          IP address / Name: 192.168.R0.51
        Select LAUNCH VSPHERE CLIENT (HTML5).
Step 8  Log in using these credentials:
          Username: root@vsphere.local
          Password: 1234QWer (note that "QW" is capitalized)
Step 9  In the vSphere Client window, click Hosts and Clusters in the upper left. Expand the Datacenter and Cluster. Locate the VMs assigned to your pod.
Task 1: Verify an Attachable Access Entity Profile used for L3Out

In this task, you will verify the settings of a pre-configured Attachable Access Entity Profile (AAEP) that will be used in the following tasks.

Activity Procedure
Complete the following steps:

Step 1  In the ACI menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  Navigate to Policies > Global > Attachable Access Entity Profiles.
Step 4  Verify the pre-configured settings of this AAEP:
          Name: L3-LAB-AEP
          Enable Infrastructure VLAN: Checked

Task 2: Verify a Leaf Access Port Policy Group

In this task, you will verify a pre-configured Leaf Access Port policy group that will be used by the leaf interface connecting to the routed networks. The policy group defines how an interface on a leaf switch should operate (for example, link speed, CDP and LLDP), and it is also the point where you indicate which AEP will use the interface. A policy group may reference only one AEP.

Activity Procedure
Complete the following steps:

Step 1  In ACI, navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Policy Groups > Leaf Access Port.
Step 2  Verify the settings of this pre-configured Leaf Access Port policy group:
          Name: L3-LAB-INTERFACE-POLICY-GROUP
          Attached Entity Profile: L3-LAB-AEP
          Link Level: 1G-LINK-LEVEL-POLICY
          CDP: ENABLE-CDP-INTERFACE-POLICY
          LLDP: ENABLE-LLDP-INTERFACE-POLICY

Task 3: Verify an Interface Profile

In this task, you will verify the settings of a pre-configured Interface Profile that will be used by the leaf interface connecting to the routed networks. The Interface Profile identifies the specific interface number(s) on the leaf switches that will use the associated Interface Policy Group.
The Interface Profile does not identify the leaf switches where the interfaces are located; the leaf switches are identified in the Switch Profile (verified in the next task).

Activity Procedure
Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Interfaces > Leaf Interfaces > Profiles.
Step 2  Verify the settings of this pre-configured Interface Profile:
          Profile: L3-LAB-INTERFACE-PROFILE
          Interface Selector Name: INTERFACE-SELECTOR
          Interface ID: 1/6
          Interface Policy Group: L3-LAB-INTERFACE-POLICY-GROUP

Task 4: Verify a Leaf Profile

In this task, you will verify the settings of a pre-configured Leaf Profile that will be used by the leaf interface connecting to the routed networks. The Leaf Profile identifies the specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the end of this task, assuming everything was configured properly, the physical interface on the leaf switch should be in an up state.

Activity Procedure
Complete the following steps:

Step 1  Navigate to Fabric > Access Policies > Switches > Leaf Switches > Profiles.
Step 2  Verify the settings of this pre-configured Leaf Profile:
          Name: L3-LAB-SWITCH-PROFILE
          Leaf Selector Name: SWITCH-SELECTOR
          Blocks: 103 (Leaf-2)
          Associated Interface Selector Profiles: L3-LAB-INTERFACE-PROFILE
Step 3  From your Student Server desktop, start a PuTTY session with Leaf-2.
Step 4  Log in to Leaf-2 using the following information:
          Login as: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 5  Verify that the interface that will be used to connect to the external router is functioning properly, with a Status of up, by executing the show interface ethernet 1/6 brief command.
Task 5: Create a VLAN Pool for the External Routed Domain

In this task, you will create a VLAN pool that will be used by the External Routed Domain you will create in the next task.

Note: All students must perform this and all remaining tasks in this lab exercise.

Activity Procedure
Complete the following steps:

Step 1  In the ACI Menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  In the Navigation pane, expand Pools > VLAN.
Step 4  Right-click the VLAN folder and then select Create VLAN Pool from the context menu.
Step 5  The Create VLAN Pool wizard will appear. Enter the values in the following table.
          Name: POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace "##" with your assigned 2-digit Pod Number)
          Allocation Mode: Static Allocation
Step 6  In the Encap Blocks subsection, click the plus sign (+) to create a new VLAN range containing a single VLAN. Enter the values in the following table.
          Range (From): 3## (replace "##" with your assigned 2-digit Pod Number)
          Range (To): 3## (replace "##" with your assigned 2-digit Pod Number)
Step 7  Click the OK button.
Step 8  Click the Submit button to complete the Create VLAN Pool wizard.

Task 6: Create an External Routed Domain (Layer 3 Domain)

In this task, you will create an External Routed Domain that uses the VLAN Pool you created in the previous task; it will be used in subsequent lab exercises. An External Routed Domain is required in order to configure Layer 3 connectivity to external networks.

Note: All students must perform this task.

Activity Procedure
Complete the following steps:

Step 1  In the ACI menu bar, click Fabric.
Step 2  In the Submenu bar, click Access Policies.
Step 3  Navigate to Physical and External Domains > L3 Domains.
Step 4  Right-click the L3 Domains folder and then select Create L3 Domain from the context menu.
Step 5  The Create L3 Domain wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-EXTERNAL-ROUTED-DOMAIN (replace "##" with your assigned 2-digit Pod Number)
          Associated Attachable Entity Profile: L3-LAB-AEP
          VLAN Pool: POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace "##" with your assigned 2-digit Pod Number)
Step 6  Click the Submit button to complete the Create L3 Domain wizard.

Task 7: Configure an OSPF Interface Policy

In this task, you will configure an OSPF Interface Policy, which specifies the settings necessary to bring up an OSPF adjacency. At this point the physical interface of the leaf switch connected to the external network is ready for use. Next, you will configure the policies necessary to route traffic through this interface. The OSPF Interface Policy defines how an interface should use OSPF; its attributes correspond to those you would configure under an interface in IOS (for example, the network type).

Note: All students must perform this task.

Activity Procedure
Complete the following steps:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace "##" with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Policies > Protocol > OSPF > OSPF Interface.
Step 4  Right-click the OSPF Interface folder and then select Create OSPF Interface Policy from the context menu.
Step 5  The Create OSPF Interface Policy wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-OSPF-INTERFACE-POLICY (replace "##" with your assigned 2-digit Pod Number)
          Network Type: Broadcast
          Interface Controls – Advertise Subnet: Checked
Step 6  Click the Submit button to complete the Create OSPF Interface Policy wizard.

Task 8: Create an External Routed Network

In this task, you will configure an External Routed Network (L3Out), which contains all of the information necessary to create an OSPF adjacency between the leaf switch and the external router.

Activity Procedure
Complete the following steps:

Step 1  In the Menu bar, click Tenants.
Step 2  In the Submenu bar, click POD## (replace "##" with your assigned 2-digit Pod Number).
Step 3  In the Navigation pane, expand POD## > Networking > L3Outs.
Step 4  Right-click the L3Outs folder and then select Create L3Out from the context menu.
Step 5  The Create L3Out wizard will appear. In the 1. Identity step, enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-EXTERNAL-ROUTED-NETWORK (replace "##" with your assigned 2-digit Pod Number)
          VRF: POD##-VRF (replace "##" with your assigned 2-digit Pod Number)
          L3 Domain: POD##-EXTERNAL-ROUTED-DOMAIN (replace "##" with your assigned 2-digit Pod Number)
          OSPF: Checked
          OSPF Area ID: ## (replace "##" with your assigned 2-digit Pod Number)
          OSPF Area Type: NSSA area
Step 6  Click Next.
Step 7  In the 2. Nodes And Interfaces step, enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Layer 3: SVI
          Layer 2: Port
          Node ID: Leaf-2 (Node 103)
          Router ID: ##.##.##.## (replace "##" with your assigned 2-digit Pod Number in all four bytes of this IP address)
          Interface: Eth 1/6 (on Node-103)
          Encap VLAN: 3## (replace "##" with your assigned 2-digit Pod Number)
          MTU (bytes): 1500 (do NOT use the Inherit option; an MTU mismatch with the external router leaves the OSPF adjacency stuck in EXSTART)
          IP Address: 172.16.##.2/24 (replace "##" with your assigned 2-digit Pod Number)
Step 8  Click Next.
Step 9  In the 3. Protocols step, under Policy, select POD##-OSPF-INTERFACE-POLICY.
Step 10 Click Next.
Step 11 In the 4. External EPG step, enter the values in the following table and do NOT change any of the values that are not listed in the table.
          Name: POD##-ROUTED-EXTERNAL-EPG
          Consumed Contract: POD##/POD##-CONTRACT-ANY
          Default EPG for all external networks: Checked
        Note: "Default EPG for all external networks" classifies every external prefix (0.0.0.0/0) into this external EPG, so the contract you attach to it applies to traffic from any external source, not only the three loopback routes verified later in this lab.
Step 12 Click Finish.

Task 9: Verify that the Leaf is Learning OSPF Routes

In this task, you will verify what you have configured for OSPF and check the OSPF adjacency and routes on the ACI border leaf (Leaf-2).

Activity Procedure
Complete the following steps in your Tenant:

Step 1  In the ACI navigation pane, expand Tenants > POD## > Networking > L3Outs > POD##-EXTERNAL-ROUTED-NETWORK > Logical Node Profiles > POD##-EXTERNAL-ROUTED-NETWORK_nodeProfile > Configured Nodes > topology/pod-1/node-103 > OSPF for VRF POD##:POD##-VRF.
Step 2  Select the Neighbors tab. Verify that you see one OSPF neighbor in the Full state, the external router listed for your pod.
Step 3  In the Navigation pane, expand OSPF for VRF POD##:POD##-VRF > Routes.
        You should see several routes advertised by the external router, which include the following:
          10.1##.7.1/32
          10.1##.8.1/32
          10.1##.9.1/32
Step 4  From your Student Server desktop, start a PuTTY session with Leaf-2.
Step 5  Log in to Leaf-2 using the following information:
          Login as: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 6  Execute the show vrf command. Verify that you can see the VRF for your pod.
        Note: The output of the show vrf command is useful when you need to copy and paste a VRF name into another command.
Step 7  Verify that the OSPF adjacency between Leaf-2 and the external router is up by entering the show ip ospf neighbors vrf POD##:POD##-VRF command (replace "##" with your assigned 2-digit Pod Number). You should see one entry for your pod with the neighbor ID 172.16.##.1. Verify that the state is FULL/<DR or BDR>.
Step 8  View the OSPF-related details of the loopback interface and the SVI used by Leaf-2 to form the OSPF adjacency by entering the show ip ospf interface vrf POD##:POD##-VRF command (replace "##" with your assigned 2-digit Pod Number).
Step 9  Execute the show ip route ospf vrf POD##:POD##-VRF command (replace "##" with your assigned 2-digit Pod Number). Verify that you see routes to the following prefixes:
          10.1##.7.1/32
          10.1##.8.1/32
          10.1##.9.1/32
Step 10 Execute the iping -V POD##:POD##-VRF 10.1##.7.1 command (replace "##" with your assigned 2-digit Pod Number). Verify that the ping is successful.
        Note: The iping command sends traffic from within the specified tenant VRF, so it is carried across the fabric in the VXLAN overlay as needed. The plain ping command on the leaf does not use the VXLAN overlay and cannot be used to test tenant connectivity.
Step 11 From your Student Server desktop, start a PuTTY session with Leaf-1.
Step 12 Log in to Leaf-1 using the following information:
          Login as: admin
          Password: 1234QWer (note that "QW" is capitalized)
Step 13 Execute the show vrf command.
Step 14 Execute the show ip route ospf vrf POD##:POD##-VRF command (replace "##" with your assigned 2-digit Pod Number). You will not see any routes, because OSPF is not running on Leaf-1.
Step 15 Execute the show ip route bgp vrf POD##:POD##-VRF command (replace "##" with your assigned 2-digit Pod Number). You will see the routes to the external networks as prefixes that have been redistributed into BGP: the border leaf (Leaf-2) redistributes the OSPF routes into MP-BGP, and the spine route reflectors distribute them to the other leaves.

Task 10: Configure Contracts between the Web EPG and the External Routed Network

In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External Routed Network EPG. The external EPG already consumes the contract (Task 8, Step 11); here the Web EPG provides it.

Activity Procedure
Complete the following steps:

Step 1  In the ACI navigation pane, expand Tenants > POD## > Application Profiles > POD##-APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG > Contracts.
Step 2  Right-click the Contracts folder and then select Add Provided Contract from the context menu.
Step 3  The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-CONTRACT-ANY from the drop-down list.
Step 4  Click the Submit button to complete the Add Provided Contract wizard.
Step 5  In the Navigation pane, expand Tenants > POD## > Networking > L3Outs > POD##-EXTERNAL-ROUTED-NETWORK > External EPGs > POD##-ROUTED-EXTERNAL-EPG.
Step 6  In the Work pane, click the Policy tab and then click the Contracts sub-tab.
Step 7  Verify that you see the POD##/POD##-CONTRACT-ANY Consumed Contract assigned in a prior step.
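The L3Out assembled in Tasks 7 to 10 (OSPF interface policy, L3Out with SVI on eth1/6 in an NSSA area, external EPG with the 0.0.0.0/0 classifier and its contract) can be expressed as a single APIC REST payload. The following script is an added example, not part of the Cisco lab guide; it also includes the bridge domain changes of Tasks 11 and 12 that follow (L3Out association and subnet scope), and an audit function that lists which subnets the bridge domain will actually inject into OSPF, so you can confirm that only the Web subnet, and not App or DB, leaves the fabric. Assumed values that are not in the guide: pod 11 (tenant POD11, VLAN 311, router ID 11.11.11.11, SVI 172.16.11.2/24, area 11); the class and attribute names are those of the APIC object model.

```python
"""Added example (not part of the Cisco lab guide): APIC REST JSON for the Lab 9 L3Out,
the bridge domain association and subnet scope of Tasks 11 and 12, and an audit of
which subnets are advertised externally.
Assumptions (not from the guide): pod 11 -> tenant POD11, VLAN 311, router ID 11.11.11.11."""
import ipaddress
import json


def mo(cls, attrs, children=()):
    """One managed object in APIC JSON form."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def ospf_if_policy(tenant, name):
    """Task 7: broadcast network type, advertise the SVI subnet."""
    return mo("ospfIfPol", {"dn": f"uni/tn-{tenant}/ospfIfPol-{name}", "name": name,
                            "nwT": "bcast", "ctrl": "advert-subnet"})


def l3out(tenant, name, vrf, domain, area, node, rtr_id, port, vlan, addr, ospf_pol, ext_epg, consumed):
    """Task 8: everything the Create L3Out wizard produces, as one object tree."""
    return mo("l3extOut", {"dn": f"uni/tn-{tenant}/out-{name}", "name": name}, [
        mo("l3extRsEctx", {"tnFvCtxName": vrf}),
        mo("l3extRsL3DomAtt", {"tDn": f"uni/l3dom-{domain}"}),
        mo("ospfExtP", {"areaId": f"0.0.0.{area}", "areaType": "nssa"}),
        mo("l3extLNodeP", {"name": f"{name}_nodeProfile"}, [
            mo("l3extRsNodeL3OutAtt", {"tDn": f"topology/pod-1/node-{node}",
                                       "rtrId": rtr_id, "rtrIdLoopBack": "yes"}),
            mo("l3extLIfP", {"name": f"{name}_interfaceProfile"}, [
                mo("ospfIfP", {}, [mo("ospfRsIfPol", {"tnOspfIfPolName": ospf_pol})]),
                mo("l3extRsPathL3OutAtt", {"tDn": f"topology/pod-1/paths-{node}/pathep-[{port}]",
                                           "ifInstT": "ext-svi", "encap": f"vlan-{vlan}",
                                           "addr": addr, "mtu": "1500"}),  # explicit, never "inherit"
            ]),
        ]),
        mo("l3extInstP", {"name": ext_epg}, [
            # "Default EPG for all external networks": any external source is classified here.
            mo("l3extSubnet", {"ip": "0.0.0.0/0", "scope": "import-security"}),
            *[mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumed],
        ]),
    ])


def bridge_domain(tenant, bd, l3out_name, subnets):
    """Tasks 11 and 12: attach the L3Out to the BD and set each subnet's scope.
    subnets: iterable of (gateway/prefix, advertise_externally). scope "public" is the
    GUI's "Advertised Externally"; "private" keeps the subnet inside the fabric."""
    children = [mo("fvRsBDToOut", {"tnL3extOutName": l3out_name})]
    children += [mo("fvSubnet", {"ip": ip, "scope": "public" if adv else "private"}) for ip, adv in subnets]
    return mo("fvBD", {"dn": f"uni/tn-{tenant}/BD-{bd}", "name": bd}, children)


def externally_advertised(bd_payload):
    """Audit: the prefixes this BD will inject into OSPF on the border leaf."""
    found = []
    for child in bd_payload["fvBD"].get("children", []):
        a = child.get("fvSubnet", {}).get("attributes")
        if a and "public" in a["scope"].split(","):
            found.append(str(ipaddress.ip_interface(a["ip"]).network))
    return found


def lab9_payloads(pod):
    """OSPF policy, L3Out and bridge domain for one pod, in posting order."""
    t, p = f"POD{pod}", int(pod)
    name, pol = f"{t}-EXTERNAL-ROUTED-NETWORK", f"{t}-OSPF-INTERFACE-POLICY"
    return [
        ospf_if_policy(t, pol),
        l3out(t, name, f"{t}-VRF", f"{t}-EXTERNAL-ROUTED-DOMAIN", p, 103, ".".join([pod] * 4),
              "eth1/6", int(f"3{pod}"), f"172.16.{p}.2/24", pol,
              f"{t}-ROUTED-EXTERNAL-EPG", [f"{t}-CONTRACT-ANY"]),
        bridge_domain(t, f"{t}-BD", name, [
            (f"10.{p}.1.254/24", False),   # App: stays inside the fabric
            (f"10.{p}.2.254/24", False),   # DB: stays inside the fabric
            (f"10.{p}.3.254/24", True),    # Web: advertised to ACI-ROUTER
        ]),
    ]


if __name__ == "__main__":
    objs = lab9_payloads("11")
    print("advertised externally:", externally_advertised(objs[2]))
    print(json.dumps(objs[1], indent=1))
```

Run the audit again after any change to the tenant: a subnet flipped to "Advertised Externally" by mistake becomes reachable from ACI-ROUTER the moment the Web EPG provides a contract to the external EPG, which is exactly the exposure Task 12's note about the App and DB subnets is warning about.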
Task 11: Associate the External Routed Network to the Bridge Domain

In this task, you will configure the bridge domain within your Tenant to use the external routed network.

Activity Procedure
Complete the following steps:

Step 1  In the Navigation pane, expand Tenants > POD## > Networking > Bridge Domains > POD##-BD.
Step 2  In the Work pane, click the Policy tab and then click the L3 Configurations sub-tab.
Step 3  In the Associated L3 Outs subsection, click the plus sign (+) to create a new entry. In the L3 Out field, select POD##/POD##-EXTERNAL-ROUTED-NETWORK from the drop-down list.
Step 4  Click the Update button.
Step 5  In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-APPLICATION-PROFILE and then click the Topology tab in the Work pane. You should now see the updated diagram for the application profile, including the new connectivity to the external routed network.
        Note: You may need to drag and drop the icons to match the layout shown in the screenshot.

Task 12: Advertise Subnets to the External Routed Network

In this task, you will configure the bridge domain within your Tenant to advertise the Web subnet to the external routed network.

Activity Procedure
Complete the following steps:

Step 1  In the Navigation pane, expand Tenants > POD## > Networking > Bridge Domains > POD##-BD > Subnets > 10.##.3.254/24.
Step 2  In the Work pane, change the Scope setting to Advertised Externally.
Step 3  Click the Submit button. A Policy Usage Warning will appear listing the other objects that will be affected by the change.
Step 4  Click the Submit Changes button.
Step 5  From your Student Server desktop, start a PuTTY session with Leaf-2.
Step 6 Log in to Leaf-2 using the following information:
    Login as: admin
    Password: 1234QWer (note that “QW” is capitalized)
Step 7 Execute the show vrf command.
Step 8 Execute the show endpoint vrf POD##:POD##-VRF command (replace “##” with your assigned 2-digit Pod Number). This command displays the endpoints identified by the APIC within your VRF.
Step 9 Verify you see an entry with the IP address ##.##.##.##. This is the loopback interface created for the OSPF process for your tenant.
Step 10 Return to the VMware vSphere Client tab in your browser.
Step 11 Click the Hosts and Clusters icon.
Step 12 The virtual machines assigned to your Pod:
    Virtual Machine   IP Address       Default Gateway
    Pod##-App         10.##.1.1 /24    10.##.1.254
    Pod##-DB          10.##.2.1 /24    10.##.2.254
    Pod##-Web         10.##.3.1 /24    10.##.3.254
Step 13 Right-click the Pod##-Web VM and then select Open Remote Console from the context menu.
Note: If you still have the Pod##-Web VM Remote Console open from a prior lab, you do not have to open it again. Look at your task bar and click on it if it is present.
Step 14 The console window for Pod##-Web will appear. You will see the Web server’s desktop.
Step 15 Open a Command Prompt window within your Web server.
Step 16 Verify that your Web Server can ping the IP address of the first route learned via OSPF using the ping 10.1##.7.1 command (replace “##” with your assigned 2-digit Pod Number).
Step 17 Verify that your Web Server can ping the IP address of the second route learned via OSPF using the ping 10.1##.8.1 command (replace “##” with your assigned 2-digit Pod Number).
Step 18 Verify that your Web Server can ping the IP address of the third route learned via OSPF using the ping 10.1##.9.1 command (replace “##” with your assigned 2-digit Pod Number).
Step 19 Open your resource guide and note the credentials for the external router ACI-ROUTER.
Step 12 (continued) Navigate to 192.168.R0.51 > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter letter). You should see the three virtual machines that are assigned to your Pod (replace “##” with your assigned Pod number).
Step 20 Open a new PuTTY session to the ACI-ROUTER at:
    IP address: 192.168.R0.43
    User: student
    Password: 1234QWer
Step 21 Verify you can see your Pod Web server subnet advertised to the external router ACI-ROUTER with the command show ip route | include N2.
Note: Your App and DB subnets were intentionally not routed externally, to demonstrate a secure data center that does not expose all servers.
Step 22 Verify you can ping your Web server at 10.##.3.1.
Step 23 Verify you can trace to your Web server at 10.##.3.1. Note that you pass through the hop of your OSPF neighbor in your tenant.
Step 24 Verify you can connect via TCP port 80 to your Web server with the command telnet 10.##.3.1 80.
Note: This TCP port 80 test is very primitive and will be slow. After several seconds, click on the screen and verify you see at least some HTML code returning. This HTML, even with a 400 Bad Request error, shows that port 80 is accessible from this outside router into your web server.

NterOne ACI Bonus Labs
Overview
The following labs are not a part of the formal Cisco DCACI lab guide. These labs are extra and can be done at the students’ discretion. All of these bonus labs are performed on the physical ACI Rack.

Discovery Lab 10: Monitoring and Diagnosing ACI
Overview
Complete this lab activity to become familiar with configuring ACI to send messages to a Syslog server.
Upon completing this guided lab, you will be able to:
- Configure ACI to log to a Syslog Server.
- View Faults Using the Cisco APIC GUI.
- View events using the Cisco APIC GUI.
- Use the API Inspector.

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.
Activity Procedure
Complete the following steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)
Warning: You may need to disable the Windows Firewall in your pod desktop for these supplementary labs.

Task 1: Configuring Syslog Monitoring
In this task, you will configure syslog monitoring.
Activity Procedure
Complete the following steps:
Warning: The Windows operating system you are using for your pod desktop will allow only one Syslog Server to run at any one time. If you are sharing the same pod desktop with another student (users student and student2), you will need to coordinate and take turns, running only one Syslog server at a time. Close the Syslog server when you are done.
Step 1 On your Student Server desktop, start the 3CDaemon application by double-clicking it. You can keep 3CDaemon open for the rest of the class.
Step 2 On your Student Server desktop, open a Command Prompt and note your 192.168.x.x IP address from ipconfig. This is the IP address of your pod Syslog server. Keep this window open, as you will need this IP address in later steps.
Note: You will likely see other IP addresses on your Windows desktop. Do not use or change them.
Step 3 Return to the APIC GUI running in your Chrome browser.
Step 4 In the Menu bar, click Admin.
Step 5 In the Submenu bar, click External Data Collectors.
Step 6 In the Navigation pane, expand Monitoring Destinations > Syslog.
Step 7 Right-click the Syslog folder and then select Create Syslog Monitoring Destination Group from the context menu.
Step 8 The Create Syslog Monitoring Destination Group wizard will appear. In STEP 1. > Profile, in the Name field, type POD##-SYSLOG-GROUP (replace “##” with your assigned 2-digit Pod Number).
Step 9 Click the Next button.
Step 10 In STEP 2. > Remote Destinations, in the Remote Destinations subsection, click the plus sign + to create a new entry.
Step 11 The Create Syslog Remote Destination wizard will appear. Enter the values in the following table for your assigned pod.
    Field            Value
    Host Name/IP     IP address of your pod desktop Syslog Server
    Name             POD##-SYSLOG-SERVER (replace “##” with your assigned 2-digit Pod Number)
    Admin State      Enabled
    Management EPG   default (Out-of-Band)
Step 12 Click the OK button to complete the Create Syslog Remote Destination wizard.
Step 13 Click the Finish button to complete the Create Syslog Monitoring Destination Group wizard.
Note: In the previous steps, you configured the syslog server. In the next steps, you will configure a syslog policy that will result in the generation of syslog messages to the syslog server.
Step 14 In the ACI Menu bar, click Fabric.
Step 15 In the Submenu bar, click Fabric Policies.
Step 16 In the Navigation pane, expand Policies > Monitoring > default > CallHome/Smart Callhome/SNMP/Syslog/TACACS.
Note: You can also access Monitoring Policies under individual tenants and under Fabric Access Policies.
Step 17 In the Work pane, in the Source Type setting, choose Syslog.
Step 18 On the far right-hand side of the Work pane, click the plus sign + to create a new entry.
Step 19 The Create Syslog Source wizard will appear. Enter the values in the following table.
    Field          Value
    Name           POD##-SYSLOG-SOURCE (replace “##” with your assigned 2-digit Pod Number)
    Min Severity   information
    Include        (check all boxes)
    Dest. Group    POD##-SYSLOG-GROUP (replace “##” with your assigned 2-digit Pod Number)
Step 20 Click the Submit button to complete the Create Syslog Source wizard.
Step 21 Return to the 3CDaemon window.
Step 22 Click the Syslog Server tab to display syslog messages from the APIC.
Note: Keep the Syslog Server open. You can refer back to it in later labs when events take place that send log messages.

Task 2: View Faults Using the Cisco APIC GUI
In this task, you will view faults using the Cisco APIC GUI.
When troubleshooting issues with Cisco Application Centric Infrastructure (ACI), the first step is to inspect any faults recorded by Cisco ACI. The logged faults are presented in many places in the GUI, filtered to show only those faults that are relevant to the current GUI context. Wherever a Faults tab appears in the GUI Work pane, you can view the relevant entries from the fault log. A fault object is placed in the Management Information Tree (MIT) as a child of the object it applies to (for example, the port object). If the same condition is detected multiple times, no additional instances of the fault object are created. Fault records are never modified after they are created, and they are deleted only when their number exceeds the maximum value specified in the fault retention policy.
Activity Procedure
Complete the following steps:
Step 1 In ACI, to view a summary of fault statistics for the overall system, click System from the main menu.
Step 2 Select Dashboard.
Note: The Dashboard tables display the fault counts by domain and by type.
Note: This is just an example; your Fault Counts output will be different. Read the entries in the Dashboard.
Step 3 In the Menu bar, click Tenants.
Step 4 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 5 Select the Dashboard tab in the Work pane. Read all the entries for your tenant.
Note: The Work pane displays a Dashboard specific to a Tenant.
Step 6 In the Work pane, click the Faults tab. Take a moment to review any recorded faults.
Note: If you have performed all of the previous lab exercises properly, there should not be any faults listed.
Note: By clicking specific ACI constructs (e.g., Application Profiles, Bridge Domains, etc.) in the Navigation pane, you will have access to the Faults tab, which records all faults that are specific to the current GUI context.
Step 7 In the Menu bar, click Admin.
Step 8 In the Submenu bar, click Historical Record Policies.
Step 9 In the Navigation pane, select Controller Policies.
Step 10 In the Work pane, note the retention policy settings that appear for the following logs:
    - Audit Logs Retention Policy
    - Events Retention Policy
    - Fault Records Retention Policy
    - Health Records Retention Policy
Note: The Controller Policies folder is where you manage the sizes of the different controller policies. These policies are for issues that are specific to the controller. The maximum size range is 1,000 to 500,000 records; the default is 100,000 records. The Purge Window Size is the maximum number of records to be deleted in a single sweep once the number of records in the log is greater than the Maximum Size.
The Purge Window Size default is designed to minimize the impact on performance when records are purged.
Step 11 In the Navigation pane, expand Switch Policies. This is where you manage the size of the various switch log retention policies. Note the entries and make no changes.

Task 3: View Events Using the Cisco APIC GUI
In this task, you will view events using the Cisco Application Policy Infrastructure Controller (APIC) GUI.
The APIC maintains a comprehensive, up-to-date, run-time representation of the administrative and operational state of the Cisco ACI Fabric in the form of a collection of managed objects (MOs). Any configuration or state change in any MO is considered an event. Most events are part of the normal workflow, and there is no need to record their occurrence or bring them to the attention of the user unless they meet one of the following criteria:
- The event is an anomaly, such as a fault being raised.
- The event is defined in the model as requiring notification.
- The event follows a user action that needs to be auditable.
Many places in the GUI present the logged events. The events are filtered to show only those events that are relevant to the current GUI context. Wherever a History tab appears in the GUI Work pane, you can view the relevant log entries from the event log, health log, or audit log.
Activity Procedure
Complete the following steps:
Step 1 In the Menu bar, click Admin, and then in the Submenu bar, click AAA.
Step 2 In the Navigation pane, click the Authentication folder.
Step 3 In the right-hand Work pane, click the AAA tab.
Step 4 Below the AAA tab, click the History tab.
Step 5 Under the History tab, click the Events subtab to view the events.
Step 6 Double-click any event entry to view more details about the event, if an entry exists.
Note: By clicking specific ACI constructs (for example, Application Profiles, Bridge Domains, Private Networks) in the Navigation pane, you will have access to the History tab. This tab records the history that is specific to the current GUI context.

Task 4: Using the API Inspector
In this task, you will use the API Inspector. By using the built-in API Inspector tool, you can capture API messaging as you perform tasks in the Cisco Application Policy Infrastructure Controller (APIC) GUI. The captured messages provide examples of the API operations that you can use to develop external applications that use the API.
Activity Procedure
Complete the following steps:
Step 1 In the upper-right corner of the APIC window, click the Help and Tools icon to view the drop-down menu.
Step 2 In the drop-down menu, choose Show API Inspector.
Note: The API Inspector opens in a new browser window.
Step 3 Arrange the APIC browser window side-by-side with the API Inspector window to make it easier to read both windows.
Step 4 In the API Inspector window, select the Newest at the top check box.
Note: This action allows you to interact with the APIC GUI and simultaneously observe the API calls that are made in reaction to your interactions with the GUI.
Note: In the Filters toolbar of the API Inspector window, note how you can choose the types of API log messages to display. The displayed messages are color-coded according to the selected message types. This table shows the available message types:
    Log Type   Description
    debug      Displays debug messages. This type includes most API commands and responses.
    info       Displays informational messages.
    warn       Displays warning messages.
    error      Displays error messages.
    fatal      Displays fatal messages.
    all        Checking this check box causes all other check boxes to become checked.
               Unchecking any other check box causes this check box to be unchecked.
Step 5 In the APIC GUI, click Tenants from the Menu bar, and then navigate to ALL TENANTS > common.
Step 6 In the Navigation pane, right-click Application Profiles, and then choose Create Application Profile from the context menu.
Note: Note how the HTTP GET messages show up in the API Inspector window.
Step 7 In the Name field, type POD##-TEMP, and then click Submit.
Step 8 In the API Inspector, enter POST in the Search field and press Enter.
Note: There is a POST method request that instructs the API to create a new application profile in the common Tenant. The request payload is in JSON format. The following is an example of the request:
    [Screenshot: the captured POST request and its JSON payload]
Step 9 Maximize your API Inspector window. Highlight only the content of the POST payload, which is in JSON format.
Step 10 Open the Notepad++ application on your desktop.
Step 11 Copy and paste the payload into a new document in Notepad++.
Note: The URL and JSON array recovered from the API Inspector could be used to make REST calls to configure the fabric.
Step 12 Click Close on the API Inspector when you are done.

Discovery Lab 11: Use Visore to Explore an ACI Tenant
Overview
Complete this lab activity to become familiar with monitoring and troubleshooting tools in the Cisco Application Policy Infrastructure Controller (APIC) GUI.
Upon completing this guided lab, you will be able to:
- Use the Managed Object Browser (Visore).

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.
Activity Procedure
Complete the following steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)

Task 1: Use the Managed Object Browser (Visore)
In this task, you will use the Managed Object Browser to validate the AAA configuration.
The Managed Object Browser, or Visore, is a utility built into the Cisco Application Policy Infrastructure Controller (APIC). It provides a read-only graphical view of the managed objects (MOs) using a browser. The Visore utility uses the APIC REST API query methods to browse MOs that are active in the ACI Fabric, allowing you to see the query that was used to obtain the information. You cannot use the Visore utility to perform configuration changes.
Note: Only the Firefox, Chrome, and Safari browsers are supported for Visore access.
Activity Procedure
Complete the following steps:
Step 1 From your Student Server desktop, start the Chrome browser.
Step 2 Open another tab and navigate to https://192.168.R0.1/visore.html (replace “R” with your ACI Rack Number).
Step 3 If needed, log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
Step 4 Click Login.
Step 5 The APIC Object Store Browser will appear. In the Class or DN field, type aaaLoginDomain, and then click the Run Query button.
Step 6 The query results show all Login Domains.
Step 7 Click the blue “>” symbol at the end of the dn field.
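The REST calls behind this Visore task (the class query in Step 5 and the DN drill-down in Step 7) and the POST captured in the API Inspector task of Lab 10, built and parsed offline, as an added example that is not part of the lab guide. The APIC address is the guide's placeholder; the fvAp and aaaUser class names, the /api/aaaLogin.json, /api/class and /api/mo endpoints, and query-target=children are my reading of the APIC REST API (check them against what your own API Inspector shows), and the local parent-DN computation is my own addition, not how Visore's < link necessarily works.

```python
"""Added example (not from the DCACI lab guide): the REST calls behind the
API Inspector capture and the Visore queries, built and parsed offline."""
import json
from urllib.parse import urlencode

# Placeholder host exactly as the guide writes it (R = your ACI Rack Number).
APIC = "https://192.168.R0.1"


def login_payload(username: str, password: str) -> dict:
    """Body of the POST to /api/aaaLogin.json that the GUI login sends.
    (Endpoint and aaaUser class: assumption from the APIC REST API.)"""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def create_ap_request(tenant: str, ap_name: str) -> tuple[str, dict]:
    """Recreate the POST captured in Task 4 of Lab 10 (Create Application Profile).

    Returns (url, body). An application profile under a tenant has the DN
    uni/tn-<tenant>/ap-<name>; posting an fvAp MO with status "created" to
    /api/mo/<dn>.json creates it (class name and DN form: assumption).
    """
    dn = f"uni/tn-{tenant}/ap-{ap_name}"
    body = {"fvAp": {"attributes": {"dn": dn, "name": ap_name, "status": "created"},
                     "children": []}}
    return f"{APIC}/api/mo/{dn}.json", body


def class_query_url(cls: str, **params: str) -> str:
    """The query Visore runs for a class typed into 'Class or DN' (Step 5)."""
    url = f"{APIC}/api/class/{cls}.json"
    return f"{url}?{urlencode(params)}" if params else url


def mo_query_url(dn: str, target: str = "self") -> str:
    """DN query; target 'children' is what the blue > link asks for (Step 7)."""
    return f"{APIC}/api/mo/{dn}.json?query-target={target}"


def parent_dn(dn: str) -> str:
    """Parent DN computed locally (my own helper for the < link): slashes
    inside brackets, as in phys-[eth1/1], are not RN separators."""
    depth = 0
    for i in range(len(dn) - 1, -1, -1):
        ch = dn[i]
        if ch == "]":
            depth += 1
        elif ch == "[":
            depth -= 1
        elif ch == "/" and depth == 0:
            return dn[:i]
    return ""  # the top of the tree has no parent


def parse_imdata(text: str) -> list[tuple[str, str, dict]]:
    """Flatten an APIC JSON response into (class, dn, attributes) triples."""
    doc = json.loads(text)
    rows = []
    for item in doc.get("imdata", []):
        for cls, body in item.items():
            attrs = body.get("attributes", {})
            rows.append((cls, attrs.get("dn", ""), attrs))
    return rows


# Constructed sample, shaped like the Visore result for aaaLoginDomain.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "1",
    "imdata": [{"aaaLoginDomain": {"attributes": {
        "dn": "uni/userext/logindomain-DefaultAuth",
        "name": "DefaultAuth"}}}],
})

if __name__ == "__main__":
    url, body = create_ap_request("common", "POD01-TEMP")
    print("POST", url)
    print(json.dumps(body, indent=2))
    print("GET ", class_query_url("aaaLoginDomain"))
    for cls, dn, attrs in parse_imdata(SAMPLE_RESPONSE):
        print(cls, attrs["name"], "children:", mo_query_url(dn, "children"))
        print("parent of", dn, "is", parent_dn(dn))
```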
Note: This action takes you to the details of that DN, if it exists in the object tree.
Note: Clicking > sends a query to the APIC for the children of the MO (managed object). Clicking < sends a query for the parent of the MO.
Step 8 Click the Show URL of response and last query link to display the API call that executed the query.
Note: This is another way to display the JSON or XML of any Managed Object (MO) in ACI.
Step 9 Click Close when you are done reading the JSON output.

Discovery Lab 12: Configure Tenant SPAN
Overview
Complete this lab activity to become familiar with monitoring and troubleshooting tools in the Cisco Application Policy Infrastructure Controller (APIC) GUI.
Upon completing this guided lab, you will be able to:
- Set up Visibility and Troubleshooting using the Cisco APIC GUI.
- Set up SPAN using the Cisco APIC GUI.
- View captured SPAN packets with Wireshark.

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.
Activity Procedure
Complete the following steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)

Task 1: Using the Operations Tab in APIC
In this task, you will use the Operations tab in the Cisco Application Policy Infrastructure Controller (APIC).
Activity Procedure
Complete the following steps:
Warning: The Cisco ACI leaf switches used in this lab support a maximum of 4 unidirectional or 2 bidirectional infra/tenant SPAN sessions. A full class will likely exceed these limits during this lab. Coordinate with your instructor to delete your SPAN session after this lab to free the SPAN sessions for other students.
Step 1 To create some traffic, open the command prompt in your Web VM and perform a continuous ping to your pod App VM at 10.##.1.1.
Step 2 Return to the APIC GUI running in your Chrome browser.
Step 3 In the Menu bar, click Operations.
Step 4 In the Submenu bar, click Visibility and Troubleshooting.
Step 5 In the Session Name field, type POD##-SESSION (replace “##” with your assigned 2-digit Pod Number).
Note: You will not see this entry initially, but note that even though there is a pull-down box, you can type in the new entry for your pod.
Step 6 Under the Targets section, in the Source field, enter 10.##.1.1 (the IP address of Pod##-App) and then click the Search button.
Step 7 You should see a single search result. Click it; the row turns grey.
Step 8 In the Destination field, enter 10.##.3.1 (the IP address of Pod##-Web) and then click the Search button.
Step 9 You should see a single search result. Click it; the row turns grey.
Step 10 Click Submit in the lower right side of the page.
Step 11 Be patient as the topology loads.
Step 12 Click Traceroute in the Navigation pane. From the Protocol drop-down menu, choose icmp. Press the Play button in the top left part of the window.
Step 13 Click OK if a warning pops up.
Step 14 Be patient as the results load. The interface will display the result of a traceroute.
Observe that the Traceroute Status is complete and that the arrows on the screen are green.
Step 15 Click the Stop button to end the traceroute.

Task 2: Configure SPAN
In this task, you will configure SPAN and send packets to Wireshark for packet inspection.
Activity Procedure
Complete the following steps in your tenant:
Step 1 In ACI, navigate to Tenants > POD## > Networking > Bridge Domains > POD##-BD > Subnets.
Step 2 Right-click Subnets and select Create Subnet.
Step 3 Enter the Gateway IP of 10.##.10.254/24.
Step 4 Click Submit.
Step 5 Return to the VMware vSphere Client tab in your browser. Log in again as needed.
    URL: https://192.168.R0.51
    Getting Started Option: LAUNCH VSPHERE CLIENT (HTML5)
    Username: root@vsphere.local
    Password: 1234QWer
Note: You may see the older VMware vSphere client icon on your desktop. Do NOT use this app, as it has been deprecated by VMware for the newer version of software used in this lab environment.
Step 6 Select the Hosts and Clusters icon in the upper right.
Step 7 Right-click the Pod##-Wireshark VM and then select Edit Settings… from the context menu.
Step 8 Highlight Network adapter 1. On the pull-down, select Browse…
Step 9 Select the WEB-EPG for your assigned pod. You will likely need to hover the mouse over the entries to see the full name.
Step 10 Click OK.
Step 11 Select the Connected check box.
Step 12 Click OK.
Step 13 Give the process several seconds to complete. Then right-click the Pod##-Wireshark VM and select Power > Power On.
Step 14 Right-click the Pod##-Wireshark VM and select Open Remote Console. Click Open VMware Console if prompted again.
Step 15 Click Connect Anyway if you are prompted with an Invalid Security Certificate pop-up window.
Step 16 If you are prompted with an error on connecting to vCenter, enter the vCenter credentials:
    Username: root@vsphere.local
    Password: 1234QWer
Step 17 Be patient as the Windows 10 VM loads. Click inside the console to see the Windows desktop. Log in to Windows as needed with the credentials:
    User: Student
    Password: 1234QWer
Step 18 Open a Command Prompt in your Pod##-Wireshark VM.
Step 19 Type ipconfig to view your pre-configured IP address.
Step 20 Verify you can ping your default gateway, which is the gateway of the subnet you previously configured in ACI.
Step 21 On your Pod##-Wireshark VM, double-click to start Wireshark.
Step 22 In Wireshark, navigate to Capture > Options….
Step 23 Select the one Ethernet interface as needed and click Start.
Step 24 Return to ACI. Navigate to Operations > Visibility & Troubleshooting.
Step 25 As needed, select the Session Name POD##-SESSION that you created in the last task.
Step 26 Click Submit.
Step 27 After the topology loads, click SPAN.
Step 28 Enter the following values. Replace ## with your assigned pod number.
    Field              Value
    Destination Type   EPG
    Dest EPG           Tenant POD##, Application Profile POD##-APPLICATION, EPG POD##-APP-EPG
    Destination IP     10.##.10.1
    Source IP Prefix   255.255.255.0
Step 29 Click the Start button.
Step 30 In vCenter, return to the command prompt of your Web VM. Ping the App server at 10.##.1.1.
Note: If you still have a continuous ping running from the previous configuration, let it run.
Step 31 Return to your Pod##-Wireshark VM.
Step 32 Stop the packet capture.
Step 33 Verify you can see the ICMP packets. Highlight any one of the ICMP packets. Note that the content contains a Generic Routing Encapsulation (GRE) header for the ERSPAN session. Note the source and destination IPs of the ping you performed.
Warning: The Cisco ACI leaf switches used in this lab support a maximum of 4 unidirectional or 2 bidirectional infra/tenant SPAN sessions. A full class will likely exceed these limits during this lab. Coordinate with your instructor to stop and delete your SPAN session after this lab to free the SPAN sessions for other students.

Discovery Lab 13: Configure RBAC using Local and RADIUS User Accounts
Overview
Complete this lab activity to become familiar with configuring role-based access control (RBAC) and integration with AAA services. Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect to and use a network service. RADIUS runs on UDP ports 1812 and 1813. Cisco ACI supports RADIUS on a fabric-wide basis.
Upon completing this guided lab, you will be able to:
- Configure a local security domain.
- Configure local users and roles for your tenant security domain.
- Create a RADIUS security domain and map it to your tenant.
- Create an AAA login domain for RADIUS authentication.
- Test RADIUS authentication and authorization.

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.
Activity Procedure
Complete the following steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Verify the RADIUS Provider
In this task, you will verify the ACI RADIUS provider, or configure one as needed. The RADIUS provider used in this lab environment is a Microsoft Windows Server pre-configured as a RADIUS server.
Activity Procedure
Complete the following steps:
Step 1 Return to the APIC GUI running in your Chrome browser.
Step 2 In the Menu bar, click Admin.
Step 3 In the Submenu bar, click AAA > Authentication.
Step 4 Select the RADIUS tab.
Step 5 If you see an existing RADIUS Provider for 10.0.0.29, you do not have to create it again. A RADIUS Provider is required only once per ACI fabric. If the provider is not present, continue with the remaining steps in this task.
Step 6 Click the tools icon on the far right and then select Create RADIUS Provider from the context menu.
Step 7 The Create RADIUS Provider wizard will appear. Enter the values in the following table and do NOT change any of the values that are not listed in the table.
    Field                       Value
    Host Name (or IP Address)   10.0.0.29
    Key / Confirm Key           1234QWer
Step 8 Click the Submit button to complete the Create RADIUS Provider wizard.

Task 2: Create a Security Domain and Map It to Your Tenant
In this task, you will configure a new security domain and map it to your tenant.
Activity Procedure
Complete the following steps:
Step 1 In the Menu bar, click Admin.
Step 2 In the Submenu bar, click AAA.
Step 3 Navigate to the Security folder.
Step 4 Right-click the Security folder and then select Create Security Domain from the context menu.
Step 5 The Create Security Domain wizard will appear. In the Name field, type POD##-SD-LOCAL (replace “##” with your assigned 2-digit Pod Number).
Step 6 Click the Submit button to complete the Create Security Domain wizard.
Step 7 In the Menu bar, click Tenants.
Step 8 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 9 In the Navigation pane, click your Tenant POD##, and then click the Policy tab in the Work pane.
Step 10 In the Security Domains subsection, click the plus sign + to create a new entry. In the Name drop-down list, select POD##-SD-LOCAL.
Step 11 Click the Update button.

Task 3: Configure Local Users and Roles for your Tenant Security Domain
In this task, you will create tenant-specific admin and audit users with the appropriate roles and map them to your tenant security domain. You will implement Role Based Access Control (RBAC) for two users and then test their access by logging in as each of them.
Activity Procedure
Complete the following steps:
Step 1 In the Menu bar, click Admin.
Step 2 In the Submenu bar, click AAA.
Step 3 Navigate to the Users folder.
Step 4 Right-click the Users folder and then select Create Local User from the context menu.
Step 5 The Create Local User wizard will appear. In 1. User Identity, enter the following credentials:
    Username: POD##-ADMIN-LOCAL (replace “##” with your assigned 2-digit Pod Number)
    Password: !234QWer (note that “QW” is capitalized, and that the number 1 has been replaced with an !)
Step 6 Click the Next button.
Step 7 In 2. Security, in the Security Domain sub-section, click the checkbox next to POD##-SD-LOCAL.
Step 8 Click the Next button.
Step 9 In 3. Roles, in the Domain POD##-SD-LOCAL sub-section, click the plus sign + to add a Role Name and Role Privilege Type.
Step 10 Add each of the following Role Names. Change the Role Privilege Type to Write for all ten Role Names. Click Update for each entry and click the plus sign + to add each new entry.
    aaa
    admin
    fabric-admin
    nw-svc-admin
    nw-svc-params
    ops
    read-all
    tenant-admin
    tenant-ext-admin
    vmm-admin
Step 11 Click the Finish button to complete the Create Local User wizard.
Step 12 Right-click the Users folder and then select Create Local User from the context menu.
Step 13 The Create Local User wizard will appear. In 1. User Identity, enter the values in the following table and do NOT change any of the values that are not listed in the following table.
    Field                        Value
    Login ID                     POD##-AUDIT-LOCAL (replace “##” with your assigned 2-digit Pod Number)
    Password / Confirm Password  !234QWer (the number 1 has been replaced with an !)
Step 14 Click the Next button.
Step 15 In 2. Security, in the Security Domain sub-section, click the checkbox next to POD##-SD-LOCAL.
Step 16 Click the Next button.
Step 17 In 3. Roles, in the Domain POD##-SD-LOCAL sub-section, click the plus sign + to add a Role Name and Role Privilege Type.
Step 18 Add each of the following Role Names. Change the Role Privilege Type to Write for all ten Role Names. Click Update for each entry and click the plus sign + to add each new entry.
    aaa
    admin
    fabric-admin
    nw-svc-admin
    nw-svc-params
    ops
    read-all
    tenant-admin
    tenant-ext-admin
    vmm-admin
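The objects that Tasks 1 to 3 (and the RADIUS login domain of Task 5) create by clicking through the GUI can also be expressed as the XML that the APIC REST API accepts. The following is an added example and is not code from the lab guide or from Cisco; it uses only the Python standard library, so it runs offline. The ACI class and attribute names it uses (aaaRadiusProvider, aaaDomain, aaaDomainRef, aaaUser, aaaUserDomain, aaaUserRole, aaaLoginDomain, aaaDomainAuth, aaaProviderRef, privType=writePriv) and the shell:domains AV pair spelling are the author's reading of the APIC object model and Cisco's RADIUS documentation, so confirm them in the API Inspector on your own APIC and in your RADIUS server's documentation before posting anything. The two checks at the end encode the notes the lab makes: login domain names may not contain a dash, and a user only reaches a tenant when the same security domain name appears on both.

```python
"""Added example, not from the lab guide: Lab 13's RBAC objects as REST XML,
with the two consistency checks the lab's notes call for. Class and attribute
names are assumptions to be confirmed against the APIC API Inspector."""
import xml.etree.ElementTree as ET

# The ten roles the lab assigns with the Write privilege type (Task 3, Step 10).
LAB_ROLES = ["aaa", "admin", "fabric-admin", "nw-svc-admin", "nw-svc-params",
             "ops", "read-all", "tenant-admin", "tenant-ext-admin", "vmm-admin"]


def security_domain_name(pod, kind):
    """Task 2 / Task 5 naming: POD##-SD-LOCAL or POD##-SD-RADIUS."""
    return "POD%02d-SD-%s" % (pod, kind)


def login_domain_name(pod):
    """Task 5, Step 9 note: a Login Domain name may not contain a dash."""
    name = "POD%02d_RADIUS_LOGIN_DOMAIN" % pod
    if "-" in name:
        raise ValueError("login domain names may not use the dash character")
    return name


def radius_provider_xml(host, key):
    """Task 1: one aaaRadiusProvider per fabric; 'key' is the shared secret."""
    return ET.tostring(ET.Element("aaaRadiusProvider", name=host, key=key),
                       encoding="unicode")


def security_domain_xml(name):
    """Task 2 / Task 5: an aaaDomain is just a named scope."""
    return ET.tostring(ET.Element("aaaDomain", name=name), encoding="unicode")


def tenant_domain_ref_xml(tenant, domain):
    """Task 2, Step 10: tag the tenant with the security domain (aaaDomainRef child)."""
    t = ET.Element("fvTenant", name=tenant)
    ET.SubElement(t, "aaaDomainRef", name=domain)
    return ET.tostring(t, encoding="unicode")


def local_user_xml(username, password, domain, roles=LAB_ROLES, priv="writePriv"):
    """Task 3: aaaUser -> aaaUserDomain -> aaaUserRole. The roles are granted only
    inside 'domain', which is why the user sees an empty Dashboard in Task 4."""
    u = ET.Element("aaaUser", name=username, pwd=password, accountStatus="active")
    d = ET.SubElement(u, "aaaUserDomain", name=domain)
    for role in roles:
        ET.SubElement(d, "aaaUserRole", name=role, privType=priv)
    return ET.tostring(u, encoding="unicode")


def login_domain_xml(pod, provider_host):
    """Task 5, Steps 8-11: aaaLoginDomain, realm 'radius', provider at priority 1."""
    ld = ET.Element("aaaLoginDomain", name=login_domain_name(pod))
    auth = ET.SubElement(ld, "aaaDomainAuth", realm="radius")
    ET.SubElement(auth, "aaaProviderRef", name=provider_host, order="1")
    return ET.tostring(ld, encoding="unicode")


def radius_av_pair(domain, write_roles, read_roles=()):
    """The 'shell:domains' AV pair a RADIUS server returns for an ACI login
    (assumed spelling: domain/writeRoles/readRoles). The domain part must match
    the APIC security domain exactly (Task 5, Step 15 note), so it is built
    from the same name the APIC was given."""
    return "shell:domains=%s/%s/%s" % (domain, "|".join(write_roles), "|".join(read_roles))


def shared_domains(user_xml, tenant_xml):
    """A user reaches a tenant only where the aaaUserDomain on the user and the
    aaaDomainRef on the tenant name the same security domain. Returns that
    intersection; an empty set means the RBAC mapping is broken."""
    user_domains = {e.get("name") for e in ET.fromstring(user_xml).iter("aaaUserDomain")}
    tenant_domains = {e.get("name") for e in ET.fromstring(tenant_xml).iter("aaaDomainRef")}
    return user_domains & tenant_domains


if __name__ == "__main__":
    pod = 11  # constructed sample pod number
    local = security_domain_name(pod, "LOCAL")
    user = local_user_xml("POD%02d-ADMIN-LOCAL" % pod, "!234QWer", local)
    tenant = tenant_domain_ref_xml("POD%02d" % pod, local)
    print(user)
    print(tenant)
    print("shared domains:", shared_domains(user, tenant))
    print(radius_av_pair(security_domain_name(pod, "RADIUS"), LAB_ROLES))
```

Run it as a script to see the payloads for pod 11; each XML string is what you would POST to the matching /api/mo/... endpoint after logging in. The shared_domains check is the one worth keeping in any automation: if it returns an empty set, the Task 4 symptom (the user can log in but cannot find the tenant) is guaranteed.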
Step 19 Click the Finish button to complete the Create Local User wizard.

Task 4: Verify the Configuration of the Local User Accounts

In this task, you will log in to the APIC GUI using the accounts that you just created in order to verify that the correct rights have been granted to each account.

Activity Procedure

Complete the following steps:

Step 1 In the upper right-hand corner of the APIC GUI, click the far right icon named Manage my profile and then click Logout from the drop-down menu.
Step 2 Log in to the APIC using the following credentials:
    Username: POD##-ADMIN-LOCAL (replace “##” with your assigned 2-digit Pod Number)
    Password: !234QWer (note that “QW” is capitalized, and that the number 1 has been replaced with an !)
Step 3 Click the Do not show on login button if prompted. Then click Get Started.
Step 4 The first screen that you will see is the Dashboard. Notice that nothing is visible, because the POD##-ADMIN-LOCAL account does not have system-wide rights. Also notice how many of the Menu bar selections are greyed out.
Step 5 In the Menu bar, click Tenants.
Step 6 In the Submenu bar, click ALL TENANTS. Notice that only two Tenants are listed, common and POD##.
Step 7 Double-click the tenant POD## (replace “##” with your assigned 2-digit Pod Number).
Step 8 Navigate to various portions of your Tenant. Notice that you have the ability to change the configuration of your Tenant. Make no actual changes to your Tenant.
Step 9 In the upper right-hand corner of the APIC GUI, click the Manage my profile icon on the far right of POD##-ADMIN-LOCAL, and then select View My Permissions from the drop-down menu.
Step 10 The User Permissions window will appear. This window displays all of the permissions that have been granted to the user account with which you are currently logged in.
Step 11 Click the Close button.
Step 12 Log out of the APIC GUI.
Step 13 Log in to the APIC using the following credentials:
    Username: POD##-AUDIT-LOCAL (replace “##” with your assigned 2-digit Pod Number)
    Password: !234QWer (note that “QW” is capitalized, and that the number 1 has been replaced with an !)
Step 14 Click the Do not show on login button if prompted. Then click Get Started.
Step 15 The first screen that you will see is the Dashboard. Notice that nothing is visible, because the POD##-AUDIT-LOCAL account does not have system-wide rights. Also notice how many of the Menu bar selections are greyed out.
Step 16 In the Menu bar, click Tenants.
Step 17 In the Submenu bar, click ALL TENANTS. Notice that only two Tenants are listed, common and POD##.
Step 18 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 19 Navigate to various portions of your Tenant. Notice that you have the ability to view and change the configuration of your Tenant. Make no actual changes.
Step 20 Click ALL TENANTS.
Step 21 Click the common Tenant.
Step 22 Navigate to various portions of the common Tenant. Notice that you have the ability to view but not change the configuration of the common Tenant.
Step 23 In the upper right-hand corner of the APIC GUI, click the Manage my profile icon on the far right of POD##-ADMIN-LOCAL, and then select View My Permissions from the drop-down menu.
Step 24 The User Permissions window will appear.
This window displays all of the permissions that have been granted to the user account with which you are currently logged in.
Step 25 Click the Close button.
Step 26 Log out of the APIC GUI.

Task 5: Create a RADIUS Security Domain and Map It to your Tenant

In this task, you will configure a new RADIUS security domain and map it to your tenant.

Activity Procedure

Complete the following steps:

Step 1 Log in to the APIC GUI using the following credentials:
    Username: admin
    Password: 1234QWer
Step 2 In the Menu bar, click Admin.
Step 3 In the Submenu bar, click AAA.
Step 4 Navigate to the Authentication folder.
Step 5 Select the RADIUS tab in the right-hand work pane.
Step 6 Notice the RADIUS host that was created in a previous task.
Step 7 Navigate to the Authentication folder.
Step 8 Right-click the Authentication folder and then select Create Login Domain from the context menu.
Step 9 The Create Login Domain wizard will appear. Enter the values in the following table.
    Field   Value
    Name    POD##_RADIUS_LOGIN_DOMAIN (replace “##” with your assigned 2-digit Pod Number)
    Realm   RADIUS
Note: The name of the Login Domain may not use the dash character. However, you may use the underscore character.
Step 10 In the Providers section, click the + sign to add a RADIUS Provider.
Step 11 Select 10.0.0.29 from the Name pull-down menu and select 1 from the Priority pull-down menu. Click the Update button and then click Submit.
Step 12 Click Submit.
Step 13 Navigate to the Security folder.
Step 14 Right-click the Security folder and then select Create Security Domain from the context menu.
Step 15 The Create Security Domain wizard will appear.
In the Name field type POD##-SD-RADIUS (replace “##” with your assigned 2-digit Pod Number).
Note: It is important that you enter this value exactly, because the RADIUS server uses this security domain name in the AV pairs it assigns to the login account.
Step 16 Click the Submit button to complete the Create Security Domain wizard.
Step 17 In the Menu bar, click Tenants.
Step 18 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 19 In the Navigation pane, click POD##, and then click the Policy tab in the Work pane.
Step 20 In the Security Domains subsection, click the plus sign + to create a new entry. In the Name drop-down list select POD##-SD-RADIUS.
Step 21 Click the Update button. There should now be two security domains listed, POD##-SD-LOCAL and POD##-SD-RADIUS.

Task 6: Create a RADIUS User Account

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click Admin.
Step 2 In the Submenu bar, click AAA.
Step 3 Navigate to the Users folder.
Step 4 Right-click the Users folder and then select Create Local User from the context menu.
Step 5 The Create Local User wizard will appear. In 1. User Identity, enter the values in the following table and do NOT change any of the values that are not listed in the following table.
    Field                        Value
    Login ID                     POD##-ADMIN-RAD (replace “##” with your assigned 2-digit Pod Number)
    Password / Confirm Password  1234QWer
Step 6 Click the Next button.
Step 7 In 2. Security, in the Security Domain sub-section, click the checkbox next to POD##-SD-RADIUS.
Step 8 Click the Next button.
Step 9 In 3. Roles, in the Domain POD##-SD-RADIUS sub-section, click the plus sign + to add a Role Name and Role Privilege Type.
Step 10 Add each of the following Role Names.
Change the Role Privilege Type to Write for all ten Role Names. Click Update for each entry and click the plus sign + to add each new entry.
    aaa
    admin
    fabric-admin
    nw-svc-admin
    nw-svc-params
    ops
    read-all
    tenant-admin
    tenant-ext-admin
    vmm-admin
Step 11 Click the Finish button to complete the Create Local User wizard.

Task 7: Verify the Configuration of the RADIUS User Accounts

In this task, you will log in to the APIC GUI using the RADIUS accounts in order to verify that the correct rights have been granted to each account.

Activity Procedure

Complete the following steps:

Step 1 In the upper right-hand corner of the APIC GUI, click the far right icon named Manage my profile and then click Logout from the drop-down menu.
Step 2 Log in to the APIC using the following credentials:
    Username: POD##-ADMIN-RAD (replace “##” with your assigned 2-digit Pod Number)
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: POD##_RADIUS_LOGIN_DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Step 3 Click the Do not show on login button if prompted. Then click Get Started.
Step 4 The first screen that you will see is the Dashboard. Notice that little is shown, because the POD##-ADMIN-RAD account does not have system-wide rights. Also notice how many of the Menu bar selections are greyed out.
Step 5 In the Menu bar, click Tenants. In the Submenu bar, click ALL TENANTS. Notice that the only Tenant listed is POD##.
Step 6 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 7 Navigate to various portions of your Tenant. Notice that you have the ability to change the configuration of your Tenant. Make no actual changes to your tenant.
Step 8 In the upper right-hand corner of the APIC GUI, click the Manage my profile icon on the far right of POD##-ADMIN-RAD, and then select View My Permissions from the drop-down menu.
Step 9 The User Permissions window will appear. Note all of the permissions that have been granted to the user account with which you are currently logged in.
Step 10 Click the Close button.
Step 11 Log out of the APIC GUI.

Discovery Lab 14: Configure the APIC Using the ACI Cobra SDK (Python)

Overview

The Python API provides a Python programming interface to the underlying REST API, allowing you to develop your own applications to control the APIC and the network fabric, enabling greater flexibility in infrastructure automation, management, monitoring, and programmability. Complete this lab activity to become familiar with configuring the APIC controller with the ACI Cobra SDK using Python. The Cisco ACI Python Cobra software development kit (SDK) is a set of downloadable files from Cisco that enables network automation and programmability using Python programming.

Upon completing this guided lab, you will be able to:
    Configure the Communication Policy.
    Review a Python script.
    Use a Python script to create a Tenant.

Task 0: Log in to the APIC Controller

In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Activity Procedure

Complete the following steps:

Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Enable HTTP Access for the APIs to use TCP port 80

In this task, you will enable HTTP access to the APICs so that the APIs are accessible via HTTP on TCP port 80. While TCP port 80 is completely unsecured compared to HTTPS on TCP port 443, port 80 allows for an easier entry to learning and practicing ACI APIs. These settings are insecure and are not recommended for a production environment.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click Fabric.
Step 2 In the Submenu bar, click Fabric Policies.
Step 3 Navigate to Policies > Pod > Management Access > default.
Step 4 In the Work pane, in the HTTP section, verify that the Admin State is set to Enabled and the Redirect is set to Disabled. You do not have to change this setting again if it is already done.
Note: Within this ACI lab environment, if these settings are incorrect, this lab exercise will not function properly. These settings are insecure and are not recommended for a production environment. You may see a note that port 80 is deprecated in later releases.
Step 5 If needed, click the Submit button to commit the configuration changes. A Policy Usage Warning will appear indicating the other objects that will be affected by the changes.
Step 6 Click the Submit Changes button.

Task 2: Review an Existing Python Script

In this task, you will review a Python script that can be used to create a new Tenant configuration by leveraging the Cobra SDK.
Note: Executing a Python script on the Windows 10 operating system demands Administrative access.
Activity Procedure

Complete the following steps:

Step 1 On your Student Server, open Explorer and navigate to the S: drive under This PC.
Step 2 Navigate to the S:\DCAC9K folder.
Step 3 Locate your pod-specific Python script, which is named POD##-PYTHON (replace “##” with your assigned Pod number).
Step 4 Right-click your pod-specific Python script, and then select Edit with Notepad++ from the context menu.
Step 5 The Notepad++ application will start and display the contents of your pod-specific Python script.
Step 6 Review the opened Python script. This script will be used in the next Task to create a Tenant. Keep this file open in Notepad++.

Task 3: Use a Python Script to Create a Tenant

In this task, you will use a Python script to create a new Tenant in ACI.

Activity Procedure

Complete the following steps:

Step 1 From Notepad++, click File > Save As….
Step 2 Select the c:\Python27 directory on your Student PC and click Save.
Step 3 From your Windows Student Desktop, select the Command Prompt, right-click and select More > Run as administrator.
Note: All recent versions of Microsoft Windows require administrative access to run executable programs such as a Python script.
Step 4 Change into the C:\Python27 directory. Verify that you can see your Python script.
Step 5 Using the Python pip command, note the Cisco ACI Python packages that have already been downloaded to this Windows PC.
Step 6 Run the Python script for your assigned pod from the Command Prompt.
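What the pod script does (prompt for the three values, log in, create one tenant) can also be done without the Cobra SDK, straight against the REST API the SDK wraps. The block below is an added example; it is not the lab's POD##-PYTHON script and does not use acicobra or acimodel, so it runs on a plain Python 3 install. The endpoints are the APIC's documented ones: POST /api/aaaLogin.json returns a session token that is sent back in the APIC-cookie cookie, GET /api/mo/uni/tn-NAME.json reads a tenant, and POST /api/mo/uni.json creates objects under the policy universe. The tenant name is an extra prompt of this example, and the exists-before-create check is this example's addition (the lab script does no such check).

```python
"""Added example, not the lab's Cobra SDK script: create an ACI tenant through
the APIC REST API with the standard library only. Endpoints and the
APIC-cookie name are the APIC's documented REST interface."""
import json
import ssl
import urllib.request
from getpass import getpass


def login_payload(username, password):
    """Body for POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def tenant_payload(name):
    """Body for POST /api/mo/uni.json: an fvTenant and nothing else, as in the lab."""
    return {"fvTenant": {"attributes": {"name": name}}}


def token_from_login(response):
    """Pull the session token out of the aaaLogin response dictionary."""
    return response["imdata"][0]["aaaLogin"]["attributes"]["token"]


def exists_from_response(response):
    """A GET on a managed-object DN returns totalCount 0 when nothing is there."""
    return int(response["totalCount"]) > 0


class ApicSession:
    """Minimal REST client. verify_tls=False reproduces the lab's unverified
    setup; leave it True (the default) against any APIC you did not build."""

    def __init__(self, url, verify_tls=True):
        self.url = url.rstrip("/")
        self.token = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if self.token:
            req.add_header("Cookie", "APIC-cookie=" + self.token)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())

    def login(self, username, password):
        self.token = token_from_login(
            self._request("POST", "/api/aaaLogin.json", login_payload(username, password)))
        return self.token

    def tenant_exists(self, name):
        return exists_from_response(self._request("GET", "/api/mo/uni/tn-%s.json" % name))

    def create_tenant(self, name):
        # Unlike the lab script (and the APIC itself), refuse to touch an existing
        # tenant: a POST would silently modify it rather than create it.
        if self.tenant_exists(name):
            raise ValueError("tenant %s already exists; not overwriting" % name)
        return self._request("POST", "/api/mo/uni.json", tenant_payload(name))


if __name__ == "__main__":
    # Same prompts as the lab script; http:// works here only because Task 1 opened port 80.
    user = input("APIC login username: ")
    url = input("APIC URL: ")
    password = getpass("APIC Password: ")
    apic = ApicSession(url, verify_tls=url.startswith("https://"))
    apic.login(user, password)
    apic.create_tenant(input("Tenant name: "))
    # Like the lab script, this prints nothing on success; verify the tenant in the GUI.
```

When the URL is https://, the client verifies the APIC's certificate with the system trust store, so a self-signed APIC certificate must either be installed there or the session created with verify_tls=False. The script deliberately keeps the password out of the command line (getpass) and out of the source file, unlike the ARYA invocation later in this guide, which takes -p on the command line.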
Enter the following when prompted:
    APIC login username: admin
    APIC URL: http://192.168.R0.1 (R is your assigned rack number)
    APIC Password: 1234QWer
Note: You may need to close your browser tab to the APIC, then open it and log in again as admin.
Step 7 If this Python script executes successfully, it will not display any output. Return to your APIC and verify that your new tenant was created by this Python script.
Note: The Python script that you used only creates a new Tenant and does not configure any other objects or properties.

Discovery Lab 15: Configure the APIC Using the Cisco APIC REST to Python Adapter (ARYA)

Overview

The Cisco APIC REST to Python Adapter (ARYA) is a tool developed by Cisco Advanced Services. The ARYA tool enables you to generate code directly from what resides in the APIC object model. Complete this lab activity to become familiar with using ARYA to configure the APIC.

Upon completing this guided lab, you will be able to:
    Save the configuration of an object within the APIC as an XML file.
    Use ARYA to create a Python script.
    Use Notepad++ to edit a Python script.
    Create a new object within the APIC using the Python script.

Task 0: Log in to the APIC Controller

In this task, you will log in to the APIC controller using the graphical user interface (GUI).
Note: This lab must be performed on the ACI-Physical Equipment as shown in the Labtyme portal.

Activity Procedure

Complete the following steps:

Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
    Username: admin
    Password: 1234QWer (note that “QW” is capitalized)
    Domain: DefaultAuth (if prompted)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Save an Object as an XML File

In this task, you will save the configuration of a Subnet object as an XML file, which you will later transform into a Python script using ARYA.

Activity Procedure

Complete the following steps:

Step 1 In the Menu bar, click Tenants.
Step 2 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 3 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BD > Subnets > 10.##.1.254/24.
Step 4 Right-click the 10.##.1.254/24 object and then select Save as … from the context menu.
Step 5 The Save As wizard will appear. Enter the values in the following table.
    Field           Value
    Content         Only Configuration
    Scope           Subtree
    Export Format   XML
Step 6 Click the Download button. This will save a file named subnet-[10.##.1.254_24].xml to the Downloads folder on your Student Server. Press Keep if you are prompted.
Step 7 On your Student Server, open Explorer and navigate to the Downloads directory.
Step 8 Right-click the XML file you just created (subnet-[10.##.1.254_24].xml) and select Cut. Then paste the file into the C:\arya folder.

Task 2: Use ARYA to Create a Python Script

In this task, you will use ARYA to create a Python script, which you will then use to configure a new subnet object.

Activity Procedure

Complete the following steps:

Step 1 From your Windows Student Desktop, select the Command Prompt, right-click and select More > Run as administrator.
Step 2 The Command Prompt window will appear. Use the “cd C:\arya” command to change to the arya directory.
Step 3 Note the content of this directory.
Step 4 Delete the file student.py if it is present from a prior student.
Step 5 You will now use ARYA to create a Python script based on the XML file that you downloaded from the APIC GUI. Enter the following command into the Command Prompt (replace “##” with your assigned 2-digit Pod Number and replace “R” with your ACI Rack Number).
    python arya.py -f C:\arya\subnet-[10.##.1.254_24].xml -i 192.168.R0.1 -u admin -p 1234QWer > C:\arya\student.py
Note: You may want to copy and paste the command to a text editor, modify the command, and then copy and paste the edited command into the Command Prompt window.
Step 6 If the syntax of the command is correct, all that will happen is that the command prompt will return after the ARYA utility finishes running.
    C:\arya>python arya.py -f C:\arya\subnet-[10.##.1.254_24].xml -i 192.168.R0.1 -u admin -p 1234QWer > C:\arya\student.py
    C:\arya>
Note: The right angle bracket (>) between the password and “student.py” redirects the Python code that ARYA writes to its standard output into the file student.py. If you make a mistake on the command, it will still create a file called student.py with zero bytes. Delete that file before troubleshooting your CLI input.
Step 7 Return to Windows Explorer. Verify that you see a new file named student.py in the C:\arya folder.
Step 8 Right-click the student.py file, and then select Edit with Notepad++ from the context menu.
Step 9 The Notepad++ application will start and open the student.py file for editing. Study the contents of this Python script.
Step 10 In the Menu bar select Search > Replace….
Step 11 The Replace window will appear. The entries you see may be cached from a prior student. Replace every occurrence of “10.##.1.254” with “10.##.9.254” (replace “##” with your assigned 2-digit Pod Number).
Step 12 Click the Replace All button, and then click the Close button.
Step 13 Save the file by selecting File > Save from the Menu bar. Keep Notepad++ open.

Task 3: Configure the APIC Using the Modified Python Script

In this task, you will create a new Subnet within your Tenant using the Python script that you created in the previous task.

Activity Procedure

Complete the following steps:

Step 1 Return to the Command Prompt that you started as an administrator and execute the modified student.py script by entering the python student.py command.
    C:\arya>python student.py
    Traceback (most recent call last):
      File "student.py", line 9, in <module>
        'need to be changed')
    RuntimeError: Please review the auto generated code before executing the output. Some placeholders will need to be changed
Note: The execution of the script will fail, and the RuntimeError displayed at the end of the output will indicate the reason.
Step 2 Return to the Notepad++ application.
Step 3 There are three lines of code that prevent the script from running. These lines are intentionally inserted by ARYA to prevent accidental execution of the script. These three lines are near the top of the script and start with “raise RuntimeError”. Find these lines and add a # in front of them to comment them out.
Step 4 Save the file by selecting File > Save from the Menu bar.
Step 5 Return to the Command Prompt and execute the modified student.py script by entering the python student.py command.
    C:\arya>python student.py
    C:\Python27\lib\site-packages\requests-2.7.0-py2.7.egg\requests\packages\urllib3\connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    Traceback (most recent call last):
      File "student.py", line 28, in <module>
        fvSubnet = cobra.model.fv.Subnet(fvBD, name='', descr='', ctrl='', ip='10.##.9.254/24', preferred='no', virtual='no')
      File "c:\python27\lib\site-packages\acimodel-1.1_4f-py2.7.egg\cobra\model\fv.py", line 59019, in __init__
        Mo.__init__(self, parentMoOrDn, markDirty, *namingVals, **creationProps)
      File "c:\python27\lib\site-packages\acicobra-1.1_4f-py2.7.egg\cobra\mit\mo.py", line 15, in __init__
        BaseMo.__init__(self, parentMoOrDn, markDirty, *namingVals, **creationProps)
      File "c:\python27\lib\site-packages\acicobra-1.1_4f-py2.7.egg\cobra\internal\base\moimpl.py", line 226, in __init__
        propMeta = props[name]
      File "c:\python27\lib\site-packages\acicobra-1.1_4f-py2.7.egg\cobra\mit\meta.py", line 152, in __getitem__
        return self._props[propName]
    KeyError: 'virtual'
Note: Once again, the execution of the script will fail. In this case the type of error is a KeyError, which means that one or more keys (keyword arguments) in a command within the script are not recognized by the Python ACI modules. The KeyError indicates which key is causing the error, and the traceback indicates which line within the script contains this key. In this example, the “virtual” key is contained around line 28 or 30. You may see the error on a slightly different line, such as line 30. Look closely.
Note: The primary cause of a KeyError is a mismatch between the version of the APIC software that is currently in use (in this case version 5) and the version of the ACI modules that are being used by Python (in this case version 1.2).
If the version of the Python ACI modules is lower than the version of the APIC software (which is the case here), there will be new features and attributes that the older Python modules cannot comprehend. The instructions to install and manage the Cisco APIC Python SDK (Cobra) can be found at cisco.com.
Step 6 Return to the Notepad++ application.
Step 7 Locate the line (in this example line 28) that contains the “virtual” key.
Step 8 Delete all of the following text from the line, but delete nothing else:
    , virtual='no'
    , userdom=':all:'
    , nameAlias=''
    , annotation=''
Step 9 Save the file by selecting File > Save from the Menu bar.
Step 10 Return to the Command Prompt and execute the modified student.py script by entering the python student.py command.
    C:\arya>python student.py
    C:\Python27\lib\site-packages\requests-2.7.0-py2.7.egg\requests\packages\urllib3\connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    <?xml version="1.0" encoding="UTF-8"?>
    <fvBD status='created,modified' name='POD11-BD'><fvSubnet name='' descr='' ctrl='' ip='10.11.9.254/24' preferred='no' status='created,modified'></fvSubnet></fvBD>
    C:\Python27\lib\site-packages\requests-2.7.0-py2.7.egg\requests\packages\urllib3\connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
Note: The script should execute properly. If you see an error, go back and review the contents of the student.py script.
Note: The InsecureRequestWarning that keeps appearing is due to the fact that HTTP (instead of HTTPS, which is secure) is being used to deliver the command to the APIC. This is acceptable in this lab environment.
In a production environment, you should configure your Python interpreter to use secure communications with the APICs.
Step 11 Return to the APIC GUI running in your Chrome browser.
Step 12 In the Menu bar, click Tenants.
Step 13 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 14 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-BD > Subnets.
Step 15 You should see a new Subnet named 10.##.9.254/24 added to your Tenant. This new Subnet was created by the Python script you just executed.
Note: This was a simple example of how to use Python in conjunction with ARYA to create a new object that is similar to an existing object. Larger and more complex objects can be created as well using the same process.
Caution: Always be extremely careful using Python to make changes to the configuration of the APIC. Python will allow you to overwrite existing objects; it will not present an “are you sure you want to do this?” prompt. You should always test your scripts in a lab environment (if possible) before using them in a production environment.
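The three hand edits this lab makes to the generated script (Replace All on the address in Task 2, deleting the four attributes the older Cobra model rejects in Task 3 Step 8, and ARYA's own "review before you run" guard that Step 3 comments out) can be applied mechanically to the exported XML instead, which makes them repeatable and auditable. The block below is an added example; it is not ARYA's output, not the lab's student.py, and does not need the Cobra SDK. The sample export and the set of attributes the old model accepts are constructed for this example; on a real system the accepted attribute set comes from the acimodel version you have installed. It keeps ARYA's guard as a flag and adds the check the Caution above asks for: a retarget to the same address would modify the existing subnet rather than add one, so it refuses.

```python
"""Added example, not ARYA's output or the lab's student.py: apply the lab's
manual edits (retarget the IP, drop attributes the older model rejects, keep
the review guard) to an exported fvSubnet and emit the request payload."""
import xml.etree.ElementTree as ET

# Constructed sample with the shape of subnet-[10.##.1.254_24].xml as exported by
# Save as... (Content: Only Configuration, Scope: Subtree, Export Format: XML).
EXPORTED_SUBNET_XML = (
    "<fvBD name='POD11-BD'>"
    "<fvSubnet name='' descr='' ctrl='' ip='10.11.1.254/24' preferred='no' "
    "virtual='no' userdom=':all:' nameAlias='' annotation=''/>"
    "</fvBD>"
)

# fvSubnet attributes the lab's older Cobra model accepts. Constructed here; the
# four that are missing are exactly the ones Task 3, Step 8 deletes by hand.
KNOWN_FVSUBNET_PROPS = {"name", "descr", "ctrl", "ip", "preferred", "scope"}


def strip_unknown_props(element, known):
    """Remove attributes the installed model has no metadata for (the cause of
    the KeyError in Step 5). Returns the names removed, in document order, so
    the caller can audit what was silently dropped."""
    removed = [k for k in element.attrib if k not in known]
    for k in removed:
        del element.attrib[k]
    return removed


def retarget_subnet(xml_text, old_ip, new_ip, known_props=KNOWN_FVSUBNET_PROPS, reviewed=False):
    """Build the fvBD/fvSubnet request for a new subnet copied from an exported one.
    Like ARYA's generated script, refuses to proceed until the caller states the
    generated content has been reviewed; also refuses a no-op retarget, which
    would modify the existing subnet instead of adding one (see the Caution)."""
    if not reviewed:
        raise RuntimeError("Please review the auto generated code before executing the output.")
    if old_ip == new_ip:
        raise ValueError("new subnet address equals the exported one; this would overwrite it")
    bd = ET.fromstring(xml_text)
    subnets = bd.findall("fvSubnet")
    if len(subnets) != 1:
        raise ValueError("expected exactly one fvSubnet in the export")
    subnet = subnets[0]
    if subnet.get("ip") != old_ip:
        raise ValueError("exported subnet is %s, not %s" % (subnet.get("ip"), old_ip))
    subnet.set("ip", new_ip)                            # Task 2, Step 11 (Replace All)
    removed = strip_unknown_props(subnet, known_props)  # Task 3, Step 8
    # The lab's final run shows both objects posted as created,modified.
    bd.set("status", "created,modified")
    subnet.set("status", "created,modified")
    return ET.tostring(bd, encoding="unicode"), removed


if __name__ == "__main__":
    payload, dropped = retarget_subnet(EXPORTED_SUBNET_XML, "10.11.1.254/24",
                                       "10.11.9.254/24", reviewed=True)
    print("dropped attributes:", dropped)
    print(payload)
```

The returned payload is the same fvBD/fvSubnet document the lab's final run prints, and the list of dropped attributes is the record you would want in a change ticket: it names the properties (here virtual, userdom, nameAlias, annotation) that the newer APIC had and the automation silently discarded, which is the version-mismatch the second Note in Step 5 describes.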