Cisco dCloud
Requirements
Topology
Get Started
Scenario 4. Micro-segmentation
What’s Next?
© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 54
Lab Guide
Cisco dCloud
Limitations
Certain features of Cisco APIC 4.1 are outside the scope of this demonstration, because the demonstration
uses a simulated fabric rather than a physical fabric:
• The simulator will need to be rebooted if left running for more than a few days.
Customization Options
To demonstrate Fabric Discovery to the customer instead of using the discovered Fabric in the demo, reset the
APIC Simulator (see Appendix A) and then see Appendix B to discover the Fabric.
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Required Optional
This Lab is intended to introduce Cisco ACI when integrated with VMware Virtual Infrastructure.
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of
the solution. Most components are fully configurable with predefined administrative user accounts. You can see
the IP address and user account credentials to use to access a component by clicking the component icon in
the Topology menu of your active session and in the scenario steps that require their use.
Figure 1 shows the virtual demonstration topology, which consists of the following virtual machines:
dCloud Topology
Get Started
Follow the steps to schedule a session of the content and configure your presentation environment.
1. Initiate your dCloud session. [Show Me How]
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the
local RDP client on your laptop [Show Me How].
• Workstation 1: 198.18.133.36, Username: dcloud\demouser, Password: C1sco12345
3. The fabric discovery is automatically started at demo setup. Double-click the APIC Login icon and
log in (admin/C1sco12345).
4.
5. Review the Welcome pop-up, specifically the sections on Getting Started, Explore and Support.
6. Click Close.
NOTE: The fabric discovery can take up to 15 minutes to complete. If you log in before 15 minutes have
passed, not all devices may have been discovered yet. The following error message may display:
NOTE: If you prefer to skip this section, then follow the process detailed at the end of this scenario.
Steps
1. On the desktop, double-click the vSphere Web Client shortcut to open the vSphere Web Client.
Click Use Windows login credentials and click Login.
6. In the Nodes with Health less than or equal to 99 listing, double click Spine1.
8. In the menu, expand and click Leaf2 to see the Summary information for that Leaf.
9. Click System and point out the fault counts and controller status sections.
10. Click Tenants and show that three tenants are configured.
ACI fabric virtual machine manager (VMM) domains enable an administrator to configure connectivity policies
for VM controllers. The essential components of an ACI VMM domain policy include the following:
• VMM Domain Profile: groups VM controllers with similar networking policy requirements. For example, VM
controllers can share VLAN pools and application endpoint groups (EPGs). The APIC communicates with the
controller to publish network configurations such as port groups that are then applied to the virtual
workloads. The VMM domain profile includes the following essential components:
o Credential: associates a valid VM controller user credential with an APIC VMM domain.
o Controller: specifies how to connect to a VM controller that is part of a policy enforcement
domain. For example, the controller specifies the connection to a VMware vCenter that is
part of a VMM domain.
• EPG Association: endpoint groups regulate connectivity and visibility among the endpoints within the scope
of the VMM domain policy. VMM domain EPGs behave as follows:
o The APIC pushes these EPGs as port groups into vCenter to a VMware Distributed Switch.
o An EPG can span multiple VMM domains, and a VMM domain can contain multiple EPGs.
• Attachable Entity Profile Association: associates a VMM domain with the physical network infrastructure.
An attachable entity profile (AEP) is a network interface template that enables deploying VM controller
policies on a large set of leaf switch ports. An AEP specifies which switches and ports are available, and
how they are configured.
• VLAN Pool Association: a VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation that
the VMM domain consumes.
Steps
7. Now provide the details of the vCenter to be connected to ACI. Click the plus sign for vCenter.
• Enter dCloud-DC for the name.
• Enter 198.18.133.30 for the Host Name.
• Enter dCloud-DC for the Datacenter.
• Select defaultAccP for the Associated Credentials.
NOTE: The UCS Service Profiles are configured so that the interfaces connected to the ACI fabric carry the
VLAN ranges defined in the dCloud_VLAN_Pool. As VMware Port Profiles are pushed in from ACI, the VLANs
they use are allocated from this pool.
10. Switch to the vSphere tab and notice that My-vCenter displays.
12. On the Select Task window, select Add Hosts. Click Next.
13. On the Select Hosts window, select New hosts. Select All and click OK.
16. In Manage physical network adapters, highlight the first vmnic2 and click Assign Uplink.
17. Click Auto Assign and click OK.
18. Highlight the second vmnic2 and click Assign Uplink. Click Auto Assign and click OK.
21. Leave the defaults for Analyze Impact and click Next.
25. Return to the APIC tab. Expand VMM Domains > My-vCenter > Controllers > dCloud-DC > Hypervisors.
NOTE: If the ESXi hosts are not listed, then there was an issue in the creation of the VMM Domain Profile, and
APIC is not connected to vCenter. Verify the credentials in VMM Domains > VMware > My-vCenter > vCenter
Credentials.
26. Expand one of the ESXi hosts to see the virtual machines listed.
NOTE: If you have followed the manual process, please skip this section and go to Scenario 2.
Steps
3. In the vSphere tab, notice that the ACI domain and switches are created automatically.
4. In the APIC tab, notice that the ACI domain and switches are created automatically.
In traditional networking environments, making a routing protocol change on a router or Layer 3 switch could
potentially affect hundreds of unique VLANs/subnets. This introduces a warranted level of caution around
change control and application impact. Leveraging the ACI policy model, the physical hardware is abstracted
from the logical constructs. The tenant object gives us the ability to draw a box around the logical and concrete
objects that we use to provide a unified view of the configuration dependencies for underlay and overlay
networks.
A tenant in the ACI object model represents the highest-level object. Inside, you can differentiate between the
objects that define the tenant networking, such as private networks (VRFs), bridge domains and subnets; and
the objects that define the tenant policies such as application profiles and endpoint groups.
The system provides the following four kinds of tenants:
• User tenants are defined by the administrator according to the needs of users. They contain policies that
govern the operation of resources such as applications, databases, web servers, network-attached storage,
virtual machines, and so on.
• The common tenant is provided by the system but can be configured by the fabric administrator. It contains
policies that govern the operation of resources accessible to all tenants, such as firewalls, load balancers,
Layer 4 to Layer 7 services, intrusion detection appliances, and so on.
• The infrastructure tenant is provided by the system but can be configured by the fabric administrator. It
contains policies that govern the operation of infrastructure resources such as the fabric VXLAN overlay. It
also enables a fabric provider to selectively deploy resources to one or more user tenants. Infrastructure
tenant policies are configurable by the fabric administrator.
• The management tenant is provided by the system but can be configured by the fabric administrator. It
contains policies that govern the operation of fabric management functions used for in-band and out-of-
band configuration of fabric nodes.
• There are four methodologies for setting up your ACI policies, as can be seen in the following
illustration:
• Options B and C are the recommended methodologies. In option B, subnets can be used by any tenant; in
option C, subnets cannot be shared between tenants.
• This lab uses option B, which has VRFs and Bridge Domains already created in the Common Tenant.
Bridge Domains are named after the IP subnet they carry, which makes them easy to understand and is a
recommended approach.
Steps
3. Expand My-vCenter and point out the distributed switch, which is the integration point for ACI into
VMware. The VMware ESXi hosts connect to the vSphere Distributed Switch, and they communicate
through the ACI leafs.
8. Click Submit.
9.
In ACI, the tenant policies are where you define applications. An application could consist of a combination of
physical servers or virtual machines that we will call servers from now on. For example, a website could use a
3-tier application model, comprised of web servers, application servers and database servers. When a user
browses the web site, they might actually be communicating with a virtual IP address on a load balancer that in
turn can distribute the web request to a number of different web servers. The web servers in turn communicate
with core applications that can be divided amongst several application servers for load balancing or high
availability purposes. Finally, the application servers communicate with the database which could also be a
cluster of servers.
1. Right click the dCloud tenant. Select Create Application Profile.
• Name: 192.168.21.x_24
5. Switch back to the vSphere Web Client. Show that nothing has been pushed at this point.
6. Return to APIC and double click on the dCloud tenant.
7. Expand Application Profiles > 192.168.20.x_24.
8. Right-click Application EPGs in the side menu.
9. Select Create Application EPG.
NOTE: Aligning the naming of Application Profiles and Bridge Domains used from the Common tenant makes
it simple to understand what is happening.
Value Proposition: Note the consistent naming of the Bridge Domains, Application Profiles and EPGs, which
results in easy-to-interpret Port Group names in vCenter.
In brief, contracts consist of 1 or more subjects. Each subject contains 1 or more filters. Each filter contains 1 or
more entries. Each Entry is equivalent to a line in an Access Control List (ACL) that is applied on the leaf switch
to which the endpoint within the endpoint group is attached.
In detail, contracts are comprised of the following items:
• Subjects — A group of filters for a specific application or service.
• Filters — Used to classify traffic based upon layer 2 to layer 4 attributes (such as Ethernet type, protocol
type, TCP flags and ports).
• Actions — Action to be taken on the filtered traffic.
Steps
4. This lists ports that are created in the common tenant. They can be consumed in other tenants to allow
traffic to pass.
5. Click on one of the ports to see the filter definitions and details.
NOTE: The long name ensures it is simple to understand what the contract does.
13. In the Name drop down, select the one with tcp_src_port_any_to_dst_port_80.
NOTE: Filters are pre-created in the common tenant, and can therefore be easily re-used amongst tenants
and Application Profiles.
19. In the menu, expand Application Profiles > 192.168.20.x_24 > Application EPGs.
20. Right click on the port group and select Add Provided Contract.
23. In the menu, expand Application Profiles > 192.168.21.x_24 > Application EPGs.
24. Right click on the port group and select Add Provided Contract.
25. Select the newly added contract in the Contract field.
26. Click Submit.
27. From the menu, click 192.168.20.x_24.
28. Click Topology to see the topology of the port groups and endpoint group we just added.
The Cisco ACI vCenter plug-in for the VMware vSphere Web Client adds a new view to the GUI called Cisco
ACI Fabric. The plug-in does not change the existing integration of ACI with vCenter; it allows you to configure an
EPG, uSeg EPG, contract, tenant, VRF, and bridge domain from the VMware vSphere Web Client. The vCenter
plug-in is stateless: it fetches everything from Cisco APIC and does not store any information.
The Cisco ACI vCenter plug-in provides the possibility to create, read, update and delete (CRUD) the following
objects on the ACI Fabric:
• Tenant
• Application Profile
• EPG / uSeg EPG
• Contract
• VRF
• Bridge Domain
1. In the VMware vSphere Web Client, click Home.
6. The table shows that the ACI controllers are all fit.
Value Proposition: Tenants, Application Profiles, Contracts, etc. can be configured via the
vSphere Web Client. An HTML version of the ACI plugin is in development.
Scenario 4. Micro-segmentation
Microsegmentation with Cisco ACI provides the ability to automatically assign endpoints to logical security
zones called endpoint groups (EPGs) based on various network-based or virtual machine (VM)-based
attributes. This scenario contains conceptual information about Microsegmentation with Cisco ACI and
instructions for configuring microsegment (uSeg) EPGs.
Endpoint groups (EPGs) are used to group virtual machines (VMs) within a tenant and apply filtering and
forwarding policies to them. Microsegmentation with Cisco ACI adds the ability to group endpoints in existing
application EPGs into new microsegment (uSeg) EPGs and configure network or VM-based attributes for those
uSeg EPGs. This enables you to filter with those attributes and apply more dynamic policies. Microsegmentation
with Cisco ACI also allows you to apply policies to any endpoints within the tenant.
Value Proposition: Microsegmentation with Cisco ACI Within a Single EPG or Multiple EPGs in the Same
Tenant
You might assign web servers to an EPG so that you can apply similar policies to them. By default, all endpoints
within an EPG can freely communicate with each other. However, if this web EPG contains a mix of production
and development web servers, you might not want to allow communication between these different types of
web servers. Microsegmentation with Cisco ACI allows you to create a new EPG and auto-assign endpoints
based on their VM name attribute, such as "Prod-xxxx" or "Dev-xxx".
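The contract model described earlier (subjects, filters and entries acting as ACL lines on the leaf) and the uSeg EPG auto-assignment described here, as an added example in Python that is not part of this guide or of Cisco's code. EPG and filter names are taken from the guide; the contract name, the VM names and the prefix match on the VM-name attribute are constructed assumptions.

```python
"""Simplified model of the ACI policy objects this guide configures.

Added example, not Cisco code: application EPGs, a uSeg EPG that claims
endpoints by their VM-name attribute, and a contract whose subject -> filter
-> entry chain expands into ACL-style rules.  The contract name, VM names and
the prefix match on the VM-name attribute are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:                        # one filter entry == one ACL line on the leaf
    proto: str
    dst_port: Optional[int] = None  # None means any destination port

@dataclass
class Filter:
    name: str
    entries: list                   # list[Entry]

@dataclass
class Contract:
    name: str
    subjects: dict                  # subject name -> list[Filter]
    provider: str                   # EPG that provides the contract
    consumers: set                  # EPGs that consume it

@dataclass
class USegEPG:
    name: str
    base_epg: str                   # application EPG the endpoints are pulled from
    vm_name_prefix: str             # "VM Name" attribute; prefix match is assumed

@dataclass
class Endpoint:
    vm_name: str
    epg: str                        # application EPG of the port group the vNIC uses

def classify(ep, useg_epgs):
    """Return the EPG that enforces policy for ep: a matching uSeg EPG wins."""
    for useg in useg_epgs:
        if ep.epg == useg.base_epg and ep.vm_name.startswith(useg.vm_name_prefix):
            return useg.name
    return ep.epg

def expand_rules(contract):
    """Flatten subject -> filter -> entry into (consumer, provider, entry) rules."""
    return [(consumer, contract.provider, entry)
            for filters in contract.subjects.values()
            for flt in filters
            for entry in flt.entries
            for consumer in contract.consumers]

def is_permitted(src, dst, proto, dst_port, useg_epgs, contracts):
    """Whitelist model: intra-EPG traffic passes, inter-EPG traffic needs a rule.
    Only the consumer -> provider direction is modelled; the reverse-port
    handling ACI applies to return traffic is omitted."""
    src_epg, dst_epg = classify(src, useg_epgs), classify(dst, useg_epgs)
    if src_epg == dst_epg:
        return True
    return any((c_epg, p_epg) == (src_epg, dst_epg) and e.proto == proto
               and e.dst_port in (None, dst_port)
               for c in contracts for c_epg, p_epg, e in expand_rules(c))

# Constructed sample objects using the names that appear in this guide.
WEB_FILTER = Filter("tcp_src_port_any_to_dst_port_80", [Entry("tcp", dst_port=80)])
WEB_CONTRACT = Contract("permit_tcp_any_to_80", {"web": [WEB_FILTER]},
                        provider="192.168.20.x_24", consumers={"192.168.21.x_24"})
USEG_EPGS = [USegEPG("MicroSeg", base_epg="192.168.20.x_24", vm_name_prefix="Dev-")]
```

With these objects, a "Dev-" VM on the 192.168.20.x_24 port group is pulled into the MicroSeg uSeg EPG, so it can no longer talk to the "Prod-" servers left in the base EPG, and the consumer EPG reaches the provider only on TCP/80.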
Steps
16. Right click on Application EPGs and select Create Application EPG.
21. Right click Domains (VMs and Bare-Metals) and select Add VMM Domain Association.
26. Switch to the vSphere tab and notice that the new portgroup is created.
29. In the Network Adapter drop down, select Show more networks.
33. In the Network Adapter drop down, select Show more networks.
34. Select dCloud MicroSegMicroSeg from the listing.
35. Click OK. Click OK again.
36. Right click on the Win10ent server and click Edit Settings.
37. In the Network Adapter drop down, select Show more networks.
NOTE: The added servers would be displayed here, but as this demo uses a simulated ACI fabric, they are not
detected and unfortunately will not appear here.
2. Select Servers from the menu bar, then select Enable Status Polling.
3. Expand the menu against apic-fcs-412g and select Reset. This will perform a hard reboot of the simulator.
As it does not retain its configuration after a reboot, a clean reboot is unnecessary.
NOTE: It will take up to 5 minutes before you can log in and rebuild the Fabric using one of the Fabric Discovery
methods in Appendix B.
NOTE: The ACI full fabric discovery can take up to 15 minutes. The apic3 controller will be discovered after all
the devices are discovered. You can monitor the progress by selecting Topology from the Inventory pane in the
APIC GUI. While the discovery is taking place, you can complete Scenario 1, which ends in the APIC Topology
window showing the discovered elements.
Steps
What’s Next?
Check out the related information to learn more:
• Cisco Application Centric Infrastructure Multi-Site Lab v2