Friday, 9 August 2024

DCACIA - ACI - Advanced


Examine Local and Remote Endpoint Learning

Mitigate IP and MAC Flapping with the Rogue Endpoint Feature

Enable Transit Routing

Implement VRF Route Leaking

Configure VRF Route Leaking with L3Out

Examine Contracts and Zoning Rules

Traditional Network Implementation in Cisco ACI

Configure Policy-Based Redirect to Layer 4–Layer 7 Service Node

Deploy Multi-Pod Fabric

ACI Multi-Site Deployment

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Examine Local and Remote Endpoint Learning


Local Host validation

XXX# show system internal epm endpoint ip 10.51.196.XXX
MAC : 44ae.2502.44d8 ::: Num IPs : 1
IP# 0 : 10.51.196.95 ::: IP# 0 flags : host-tracked| ::: l3-sw-hit: Yes ::: flags2 :
Vlan id : 5 ::: Vlan vnid : 8592 ::: VRF name : XXX
BD vnid : 15007704 ::: VRF vnid : 2523137
Phy If : 0x1a028000 ::: Tunnel If : 0
Interface : Ethernet1/41
Flags : 0x80005c04 ::: sclass : 32775 ::: Ref count : 5
EP Create Timestamp : 04/29/2024 03:28XXX
EP Update Timestamp : 06/25/2024 16:07:14XXX
EP Flags : local|IP|MAC|host-tracked|sclass|timer|

 

::::

XXXB# show endpoint ip 10.51.196.XXX
Legend:
 S - static           s - arp              L - local            O - peer-attached
 V - vpc-attached     a - local-aged       p - peer-aged        M - span
 B - bounce           H - vtep             R - peer-attached-rl D - bounce-to-proxy
 E - shared-service   m - svc-mgr
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/       Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
5                                     vlan-1594       44ae.2502.XXX     L               eth1/41
XXXT                                  vlan-1594       10.51.196.XXX     L               eth1/41


XXX# show system internal epm vlan 5
+----------+---------+-----------------+----------+------+----------+-----------
   VLAN ID    Type      Access Encap     Fabric    H/W id  BD VLAN    Endpoint
                        (Type Value)     Encap                          Count
+----------+---------+-----------------+----------+------+----------+-----------
 5            FD vlan 802.1Q       1594 8592       8      4          28


100G-02-OOB901-SP-AA# show coop internal info ip-db key 2523137 10.51.1XXX
IP address : 10.51.19XXX
Vrf : 2523137
Flags : 0
EP bd vnid : 15007704
EP mac :  44:AE:25:0XXX
Publisher Id : 100.1XXX
Record timestamp : 06 25 2024 19:40:08 544359704
Publish timestamp : 06 25 2024 19:40:08 546713872
Seq No: 0
Remote publish timestamp: 01 01 1970 00:00:00 0
URIB Tunnel Info
Num tunnels : 1
        Tunnel address : 100.101.0.69
        Tunnel ref count : 1


XXX# acidiag fnvread
      ID   Pod ID                 Name    Serial Number         IP Address    Role        State   LastUpdMsgId
--------------------------------------------------------------------------------------------------------------
     102        1 XXX      FLM2611097G    100.101.XXX/32    leaf         active   0
     …
Total 32 nodes


XXX# show vlan extended
 VLAN Name                             Encap            Ports
 ---- -------------------------------- ---------------- ------------------------
 1    TXXXM                            vxlan-14909412   Eth1/1, Eth1/2, Eth1/3,
      XXX                                               Eth1/4, Eth1/5, Eth1/6,
                                                        Eth1/7, Eth1/8, Eth1/37
 2    XXX                              vlan-1590        Eth1/1, Eth1/2, Eth1/3,
      XXX                                               Eth1/4, Eth1/5, Eth1/6,
                                                        Eth1/7, Eth1/8, Eth1/37
 …


Remote Host validation

 

XXX# show endpoint ip 10.51.1XXX
Legend:
 S - static           s - arp              L - local            O - peer-attached
 V - vpc-attached     a - local-aged       p - peer-aged        M - span
 B - bounce           H - vtep             R - peer-attached-rl D - bounce-to-proxy
 E - shared-service   m - svc-mgr
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/       Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
XXX                                                   10.51XXX6                         tunnel34


XXX# show interface tunnel 34
Tunnel34 is up
    MTU 9000 bytes, BW 0 Kbit
    Transport protocol is in VRF "overlay-1"
    Tunnel protocol/transport is ivxlan
    Tunnel source 100.101.0.69/32 (lo0)
    Tunnel destination 100.1XXX
    Last clearing of "show interface" counters never
    Tx
    0 packets output, 1 minute output rate 0 packets/sec
    Rx
    0 packets input, 1 minute input rate 0 packets/sec


XXX# acidiag fnvread | grep "100.1XXX0"
     119        1 XXX      XXX 100.101XXX0/32    leaf         active   0
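The local and remote checks above (EP Flags in the epm output, the tunnel interface, and the tunnel destination resolved through acidiag fnvread) can be chained together in a script. The Python below is an added example, not part of these lab notes and not a Cisco tool: it parses the epm output for the EP Flags (a local flag means the endpoint is learned on this leaf; otherwise the Interface field points at a tunnel), pulls the destination TEP from the show interface tunnel output, and resolves that TEP to a node ID and name from acidiag fnvread. The sample outputs embedded in the script are constructed to match the formats shown above; the VRF name, node names, serial numbers and the TEP 100.101.0.70 are placeholders, not lab values.

```python
import re

# Constructed sample outputs, formatted like the "show system internal epm endpoint",
# "show interface tunnel" and "acidiag fnvread" outputs in the notes above.
# VRF name, node names, serial numbers and the TEP 100.101.0.70 are placeholders.
EPM_LOCAL = """\
MAC : 44ae.2502.44d8 ::: Num IPs : 1
IP# 0 : 10.51.196.95 ::: IP# 0 flags : host-tracked| ::: l3-sw-hit: Yes ::: flags2 :
Vlan id : 5 ::: Vlan vnid : 8592 ::: VRF name : EXAMPLE_VRF
BD vnid : 15007704 ::: VRF vnid : 2523137
Phy If : 0x1a028000 ::: Tunnel If : 0
Interface : Ethernet1/41
Flags : 0x80005c04 ::: sclass : 32775 ::: Ref count : 5
EP Flags : local|IP|MAC|host-tracked|sclass|timer|
"""

# The same endpoint as seen from another leaf: no "local" flag, interface is a tunnel.
EPM_REMOTE = """\
MAC : 44ae.2502.44d8 ::: Num IPs : 1
IP# 0 : 10.51.196.95 ::: IP# 0 flags : ::: l3-sw-hit: Yes ::: flags2 :
Vlan id : 0 ::: Vlan vnid : 0 ::: VRF name : EXAMPLE_VRF
BD vnid : 15007704 ::: VRF vnid : 2523137
Phy If : 0 ::: Tunnel If : 0x18010022
Interface : Tunnel34
Flags : 0x80004c00 ::: sclass : 32775 ::: Ref count : 3
EP Flags : IP|MAC|sclass|timer|
"""

TUNNEL34 = """\
Tunnel34 is up
    MTU 9000 bytes, BW 0 Kbit
    Transport protocol is in VRF "overlay-1"
    Tunnel protocol/transport is ivxlan
    Tunnel source 100.101.0.69/32 (lo0)
    Tunnel destination 100.101.0.70
"""

FNVREAD = """\
      ID   Pod ID                 Name    Serial Number         IP Address    Role        State   LastUpdMsgId
-------------------------------------------------------------------------------------------------------------
     102        1             leaf-102    FLMXXXXXXXA    100.101.0.69/32    leaf         active   0
     119        1             leaf-119    FLMXXXXXXXB    100.101.0.70/32    leaf         active   0
Total 2 nodes
"""


def parse_epm(text):
    """Flatten the 'key : value ::: key : value' epm lines into one dict."""
    fields = {}
    for line in text.splitlines():
        for chunk in line.split(":::"):
            if ":" not in chunk:
                continue
            key, _, value = chunk.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def ep_flags(fields):
    """EP Flags is a '|'-separated list, e.g. 'local|IP|MAC|sclass|timer|'."""
    return {flag for flag in fields.get("EP Flags", "").split("|") if flag}


def parse_tunnel_destination(text):
    """Return the remote TEP from 'Tunnel destination a.b.c.d' (or None)."""
    match = re.search(r"Tunnel destination (\d+\.\d+\.\d+\.\d+)", text)
    return match.group(1) if match else None


def parse_fnvread(text):
    """Map TEP address -> node details from the acidiag fnvread table."""
    nodes = {}
    for line in text.splitlines():
        cols = line.split()
        # Data rows: ID, Pod ID, Name, Serial, IP/prefix, Role, State, LastUpdMsgId
        if len(cols) < 7 or not cols[0].isdigit():
            continue
        tep = cols[4].split("/")[0]
        nodes[tep] = {"id": int(cols[0]), "pod": int(cols[1]),
                      "name": cols[2], "role": cols[5], "state": cols[6]}
    return nodes


def locate_endpoint(epm_text, tunnel_text="", fnvread_text=""):
    """Classify an endpoint as local or remote and, if remote, name the owning leaf."""
    fields = parse_epm(epm_text)
    learned = "local" if "local" in ep_flags(fields) else "remote"
    interface = fields.get("Interface", "")
    result = {
        "ip": fields.get("IP# 0"), "mac": fields.get("MAC"),
        "vrf_vnid": fields.get("VRF vnid"), "bd_vnid": fields.get("BD vnid"),
        "sclass": fields.get("sclass"), "interface": interface, "learned": learned,
        # A local entry should sit on a physical port, a remote one on a tunnel;
        # a mismatch is worth a second look (stale or bounce entry).
        "interface_matches_flags": (learned == "remote") == interface.lower().startswith("tunnel"),
    }
    if learned == "remote":
        tep = parse_tunnel_destination(tunnel_text)
        result["remote_tep"] = tep
        result["remote_node"] = parse_fnvread(fnvread_text).get(tep)
    return result


if __name__ == "__main__":
    print(locate_endpoint(EPM_LOCAL))
    print(locate_endpoint(EPM_REMOTE, TUNNEL34, FNVREAD))
```

On a real leaf, paste the three command outputs into the corresponding strings; the script only relies on the EP Flags, Interface, Tunnel destination and fnvread columns, so redacted or differing values elsewhere do not affect the result.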

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Mitigate IP and MAC Flapping with the Rogue Endpoint Feature


Endpoint loop protection: choose the action "disable learning on the bridge domain" instead of err-disabling the port. Rogue endpoint hold interval: 1800 seconds, after which the endpoint is no longer marked as rogue.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Enable Transit Routing


Configure Access Policies for the BGP_L3Out

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Implement VRF Route Leaking


Configure VRF Route Leaking in Shared Services Scenario


Configure VRF Route Leaking in Two-Way Consumer/Provider Relationship

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Configure VRF Route Leaking with L3Out


Configure VRF Route Leaking with L3Out as Provider


Within your tenant Sales, go to Application Profiles > eCommerce_AP > Application EPGs > Exchange_EPG > Subnets. Choose subnet 172.29.1.254/24 and delete it.


Go to Application Profiles > eCommerce_AP > Application EPGs > Exchange_EPG. Delete FileServices_Ct as provided contract and assign Exchange_Ct as consumed contract.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Examine Contracts and Zoning Rules


show zoning-rule scope <VRF vnid> src-epg <source sclass/pcTag> dst-epg <destination sclass/pcTag>


Delete

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Traditional Network Implementation in Cisco ACI

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Configure Policy-Based Redirect to Layer 4–Layer 7 Service Node


In this lab, you will deploy the Cisco Adaptive Security Virtual Appliance (ASAv) as a firewall service in the Cisco ACI fabric. You will use policy-based redirect (PBR) to steer the traffic between DB_EPG and BACKUP_EPG through the Cisco ASAv, as shown in the following figure.

 

Cisco ACI configures the VLANs on the leaf interfaces connected to the Cisco ASAv, along with the required redirection rules on the leaf switches. Cisco ACI does not touch the Cisco ASAv configuration itself, which is outside its management scope.


In the logical view shown above, traffic between DB_VM and BACKUP_VM would normally be routed by Cisco ACI directly, without a Service Graph PBR, because Cisco ACI is the default gateway. You will use Cisco ACI Service Graph PBR to selectively force that traffic through the Cisco ASAv.


…. Unfinished

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Deploy Multi-Pod Fabric


The correct answers are DHCP relay support, increased MTU support, and OSPF support between the spine switches and IPN routers. In a Cisco ACI Multi-Pod deployment, the IPN must support PIM Bidir, OSPF between the spine switches and IPN routers, DHCP relay, increased MTU, and so on. It is not required to support PIM ASM, EIGRP, or BGP between the spine switches and IPN routers.


The correct answer is that BGP in each pod runs in the same BGP AS. The MP-BGP session that runs directly between the spine switches in each pod uses the same BGP AS, so the pods cannot use different BGP ASs. The IPN devices do not participate in this BGP session; they only provide TEP reachability so that the BGP sessions between the spine switches can be established. Finally, you can use route reflector nodes in each pod (recommended for resiliency) so that the spine nodes peer only with the remote route reflector nodes, and a full mesh of MP-BGP sessions is then established only between the route reflectors.


Topology figure: IPN connecting POD 1 and POD 2

Finish and ok


Register POD2 SWs


OOB Mgmt for POD 2


Review topology of two PODs


Add hosts to Pod2 leaf


Enable multicasting on IPN

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ACI Multi-Site Deployment


YouTube video

Nexus Dashboard Orchestrator (NDO) 4.1 with ACI Multisite Lab (New)


Initiate MSO