DCACIA - ACI - Advanced
Examine Local and Remote Endpoint Learning
Mitigate IP and MAC Flapping with the Rogue Endpoint Feature
Configure VRF Route Leaking with L3Out
Examine Contracts and Zoning Rules
Traditional Network Implementation in Cisco ACI
Configure Policy-Based Redirect to Layer 4–Layer 7 Service Node
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Examine Local and Remote Endpoint Learning
…
Local Host validation
XXX# show system internal epm endpoint ip 10.51.196.XXX
MAC : 44ae.2502.44d8 ::: Num IPs : 1
IP# 0 : 10.51.196.95 ::: IP# 0 flags : host-tracked| ::: l3-sw-hit: Yes ::: flags2 :
Vlan id : 5 ::: Vlan vnid : 8592 ::: VRF name : XXX
BD vnid : 15007704 ::: VRF vnid : 2523137
Phy If : 0x1a028000 ::: Tunnel If : 0
Interface : Ethernet1/41
Flags : 0x80005c04 ::: sclass : 32775 ::: Ref count : 5
EP Create Timestamp : 04/29/2024 03:28XXX
EP Update Timestamp : 06/25/2024 16:07:14XXX
EP Flags : local|IP|MAC|host-tracked|sclass|timer|
::::
XXXB# show endpoint ip 10.51.196.XXX
Legend:
S - static s - arp L - local O - peer-attached
V - vpc-attached a - local-aged p - peer-aged M - span
B - bounce H - vtep R - peer-attached-rl D - bounce-to-proxy
E - shared-service m - svc-mgr
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/       Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
5                                     vlan-1594       44ae.2502.XXX     L               eth1/41
XXXT                                  vlan-1594       10.51.196.XXX     L               eth1/41
XXX# show system internal epm vlan 5
+----------+---------+-----------------+----------+------+----------+-----------
  VLAN ID   Type      Access Encap      Fabric     H/W id  BD VLAN   Endpoint
                      (Type Value)      Encap                          Count
+----------+---------+-----------------+----------+------+----------+-----------
  5         FD vlan   802.1Q 1594       8592       8       4         28
100G-02-OOB901-SP-AA# show coop internal info ip-db key 2523137 10.51.1XXX
IP address : 10.51.19XXX
Vrf : 2523137
Flags : 0
EP bd vnid : 15007704
EP mac : 44:AE:25:0XXX
Publisher Id : 100.1XXX
Record timestamp : 06 25 2024 19:40:08 544359704
Publish timestamp : 06 25 2024 19:40:08 546713872
Seq No: 0
Remote publish timestamp: 01 01 1970 00:00:00 0
URIB Tunnel Info
Num tunnels : 1
Tunnel address : 100.101.0.69
Tunnel ref count : 1
XXX# acidiag fnvread
ID Pod ID Name Serial Number IP Address Role State LastUpdMsg Id
------------------------------------------------------------------------------------------------------------ --
…
102 1 XXX FLM2611097G 100.101.XXX/32 leaf active 0
…
Total 32 nodes
XXX# show vlan extended
VLAN Name Encap Ports
---- -------------------------------- ---------------- ------------------------
1 TXXXM vxlan-14909412 Eth1/1, Eth1/2, Eth1/3,
XXX Eth1/4, Eth1/5, Eth1/6,
Eth1/7, Eth1/8, Eth1/37
2 XXX vlan-1590 Eth1/1, Eth1/2, Eth1/3,
XXX Eth1/4, Eth1/5, Eth1/6,
Eth1/7, Eth1/8, Eth1/37
…
Remote Host validation
XXX# show endpoint ip 10.51.1XXX
Legend:
S - static s - arp L - local O - peer-attached
V - vpc-attached a - local-aged p - peer-aged M - span
B - bounce H - vtep R - peer-attached-rl D - bounce-to-proxy
E - shared-service m - svc-mgr
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/       Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
XXX                                                   10.51XXX6                         tunnel34
XXX# show interface tunnel 34
Tunnel34 is up
MTU 9000 bytes, BW 0 Kbit
Transport protocol is in VRF "overlay-1"
Tunnel protocol/transport is ivxlan
Tunnel source 100.101.0.69/32 (lo0)
Tunnel destination 100.1XXX
Last clearing of "show interface" counters never
Tx
0 packets output, 1 minute output rate 0 packets/sec
Rx
0 packets input, 1 minute input rate 0 packets/sec
XXX# acidiag fnvread | grep "100.1XXX0"
119 1 XXX XXX 100.101XXX0/32 leaf active 0
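The four commands above (EPM entry on the local leaf, show endpoint on both leaves, the COOP record on the spine, and the tunnel interface on the remote leaf) describe one endpoint from three vantage points, and the lab is really a consistency check between them. The following is an added example, not part of the course notes and not a Cisco tool: it parses constructed samples modelled on the redacted output above and checks that all three views agree. The VRF name Sales:Prod_VRF, the remote leaf TEP 100.101.0.71, the local leaf TEP and the other addresses are placeholders, and the samples keep only the lines the checks need.

```python
"""Cross-check local and remote endpoint learning from Cisco ACI CLI output.
Added example, not part of the course notes: parses constructed samples of the lab
commands and checks that the local leaf's EPM entry, the spine's COOP record and the
remote leaf's endpoint/tunnel view agree. Addresses, VRF names and TEPs are placeholders.
"""
import re

# Constructed: local leaf, 'show system internal epm endpoint ip <ip>'
LOCAL_EPM = """\
MAC : 44ae.2502.44d8 ::: Num IPs : 1
IP# 0 : 10.51.196.95 ::: IP# 0 flags : host-tracked| ::: l3-sw-hit: Yes ::: flags2 :
BD vnid : 15007704 ::: VRF vnid : 2523137
Interface : Ethernet1/41
Flags : 0x80005c04 ::: sclass : 32775 ::: Ref count : 5
EP Flags : local|IP|MAC|host-tracked|sclass|timer|
"""
# Constructed: local leaf, 'show endpoint ip <ip>' (legend and header lines kept on purpose)
LOCAL_SHOW_EP = """\
 S - static           s - arp              L - local            O - peer-attached
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/ Domain                    Encap VLAN      MAC/IP Address    MAC/IP Info     Interface
+-----------------------------------+---------------+-----------------+--------------+-------------+
5                                     vlan-1594       44ae.2502.44d8    L               eth1/41
Sales:Prod_VRF                        vlan-1594       10.51.196.95      L               eth1/41
"""
# Constructed: spine, 'show coop internal info ip-db key <vrf-vnid> <ip>'
COOP_RECORD = """\
IP address : 10.51.196.95
Vrf : 2523137
EP bd vnid : 15007704
EP mac : 44:AE:25:02:44:D8
Publisher Id : 100.101.0.69
Tunnel address : 100.101.0.69
"""
# Constructed: remote leaf, 'show endpoint ip <ip>' data row and 'show interface tunnel 34'
REMOTE_SHOW_EP = "Sales:Prod_VRF                             10.51.196.95                     tunnel34\n"
REMOTE_TUNNEL = "Tunnel34 is up\n    Tunnel source 100.101.0.71/32 (lo0)\n    Tunnel destination 100.101.0.69\n"
LOCAL_LEAF_TEP = "100.101.0.69"  # placeholder; in the lab this is read from 'acidiag fnvread'

# a token that is either a dotted MAC (44ae.2502.44d8) or an IPv4 address
ADDR_RE = re.compile(r"^(?:[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|\d{1,3}(?:\.\d{1,3}){3})$", re.I)


def parse_kv(text):
    """Parse 'key : value ::: key : value' lines (EPM and COOP output) into a dict."""
    fields = {}
    for line in text.splitlines():
        for part in line.split(":::"):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields


def parse_show_endpoint(text):
    """Return {domain, address, flags, interface} for each data row of 'show endpoint'."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if ADDR_RE.match(t)), None)
        if idx is None or idx == len(tokens) - 1:
            continue  # legend, header or border line: no address followed by an interface
        flags = tokens[idx + 1] if idx + 1 < len(tokens) - 1 else ""  # remote rows carry no flag
        rows.append({"domain": tokens[0], "address": tokens[idx], "flags": flags, "interface": tokens[-1]})
    return rows


def tunnel_destination(text):
    """Destination TEP of a 'show interface tunnel N' block (None if absent)."""
    m = re.search(r"Tunnel destination (\S+)", text)
    return m.group(1) if m else None


def dotted_mac(mac):
    """Normalise 44:AE:25:02:44:D8 (COOP) or 44ae.2502.44d8 (EPM) to 44ae.2502.44d8."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def check_learning(epm, local_rows, coop, remote_rows, tunnel_dst):
    """Local view: EPM says local and 'show endpoint' shows flag L on the same port.
    Remote view: COOP carries the same VRF/BD/MAC and names the local leaf as publisher,
    and the remote leaf reaches the IP over a tunnel whose destination is that TEP."""
    ip = epm["IP# 0"]
    local = next((r for r in local_rows if r["address"] == ip), None)
    remote = next((r for r in remote_rows if r["address"] == ip), None)
    epm_port = epm["Interface"].lower().replace("ethernet", "eth")  # EPM prints Ethernet1/41
    return {
        "epm_flag_local": "local" in epm["EP Flags"].split("|"),
        "show_endpoint_flag_L": local is not None and "L" in local["flags"],
        "same_interface": local is not None and local["interface"].lower() == epm_port,
        "coop_vrf_matches": coop["Vrf"] == epm["VRF vnid"],
        "coop_bd_matches": coop["EP bd vnid"] == epm["BD vnid"],
        "coop_mac_matches": dotted_mac(coop["EP mac"]) == dotted_mac(epm["MAC"]),
        "coop_publisher_is_local_leaf": coop["Publisher Id"] == LOCAL_LEAF_TEP,
        "remote_learned_via_tunnel": remote is not None and remote["interface"].startswith("tunnel"),
        "tunnel_points_at_publisher": tunnel_dst == coop["Tunnel address"],
    }


def run_checks():
    """Evaluate every check over the constructed samples; all values should be True."""
    return check_learning(parse_kv(LOCAL_EPM), parse_show_endpoint(LOCAL_SHOW_EP),
                          parse_kv(COOP_RECORD), parse_show_endpoint(REMOTE_SHOW_EP),
                          tunnel_destination(REMOTE_TUNNEL))
```

run_checks() returns a dict of check name to True/False; a False on "same_interface" or "tunnel_points_at_publisher" is the signature of a stale or mis-learned endpoint, which is exactly what the next lab (rogue endpoints) is about. To use it on a live fabric, replace the constant strings with the captured command output.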
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Mitigate IP and MAC Flapping with the Rogue Endpoint Feature
Endpoint loop protection vs. rogue endpoint control: when an endpoint flaps, rogue endpoint control disables learning of that endpoint in the bridge domain instead of err-disabling the port; after the hold interval (1800 seconds) the endpoint is no longer treated as rogue.
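The decision the note describes (count moves, declare the endpoint rogue, stop learning it for the hold interval, then clear it) is easy to see with a replay of learn events. The following is an added example, not Cisco code: a small model of that decision fed with a constructed event log. The 1800-second hold interval is the value from the note; the 60-second detection interval and multiplication factor of 4 are the ACI defaults and are assumed here, and counting the endpoint as rogue as soon as the moves inside the interval reach the factor is a modelling simplification.

```python
"""Model of the rogue endpoint control decision in Cisco ACI.

Added example for the rogue endpoint notes, not Cisco code. It replays a
constructed sequence of endpoint-learn events and reports when a leaf would
declare the endpoint rogue, refuse to learn it during the hold interval, and
clear it afterwards. The 1800-second hold interval comes from the notes; the
60-second detection interval and multiplication factor of 4 are the ACI defaults
and are assumed here. Treating the endpoint as rogue once the number of moves
inside the interval reaches the factor is a modelling simplification.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RogueEndpointTracker:
    detection_interval: int = 60    # seconds the move counter looks back (assumed default)
    multiplication_factor: int = 4  # moves inside the interval that make the EP rogue (assumed)
    hold_interval: int = 1800       # seconds learning stays disabled for a rogue EP (from notes)
    _location: dict = field(default_factory=dict)     # key -> (leaf, interface) last learned
    _moves: dict = field(default_factory=dict)        # key -> deque of recent move timestamps
    _rogue_until: dict = field(default_factory=dict)  # key -> time at which the rogue mark expires

    def learn(self, ts, key, leaf, interface):
        """Feed one learn event; return learned / refreshed / moved / rogue / frozen."""
        if key in self._rogue_until:
            if ts < self._rogue_until[key]:
                return "frozen"  # rogue EP: learning is disabled instead of err-disabling the port
            # hold interval elapsed: the EP is cleared and may be learned afresh
            del self._rogue_until[key]
            self._moves.pop(key, None)
            self._location.pop(key, None)
        previous = self._location.get(key)
        self._location[key] = (leaf, interface)
        if previous is None:
            return "learned"
        if previous == (leaf, interface):
            return "refreshed"
        window = self._moves.setdefault(key, deque())
        window.append(ts)
        while window and ts - window[0] > self.detection_interval:
            window.popleft()  # forget moves older than the detection interval
        if len(window) >= self.multiplication_factor:
            self._rogue_until[key] = ts + self.hold_interval
            return "rogue"
        return "moved"

    def is_rogue(self, key, ts):
        """True while the endpoint is inside its hold interval."""
        return key in self._rogue_until and ts < self._rogue_until[key]


# Constructed event log: (seconds, endpoint key, leaf, interface).
# "ep-flap" bounces between two ports of the same leaf; "ep-stable" stays put.
EVENTS = [
    (0,    "ep-flap",   "leaf-101", "eth1/41"),
    (0,    "ep-stable", "leaf-101", "eth1/5"),
    (10,   "ep-flap",   "leaf-101", "eth1/42"),
    (20,   "ep-flap",   "leaf-101", "eth1/41"),
    (30,   "ep-flap",   "leaf-101", "eth1/42"),
    (40,   "ep-flap",   "leaf-101", "eth1/41"),  # fourth move within 60 s -> rogue until t=1840
    (50,   "ep-stable", "leaf-101", "eth1/5"),
    (100,  "ep-flap",   "leaf-101", "eth1/42"),  # inside the hold interval -> not learned
    (1839, "ep-flap",   "leaf-101", "eth1/41"),  # still inside the hold interval
    (1900, "ep-flap",   "leaf-101", "eth1/41"),  # hold expired -> learned again
]


def replay(events, tracker=None):
    """Return one verdict per event, in order."""
    if tracker is None:
        tracker = RogueEndpointTracker()
    return [tracker.learn(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(f"t={event[0]:>5}s  {event[1]:<10} {event[3]:<8} -> {verdict}")
```

The stable endpoint is never affected, which is the point of the feature compared with endpoint loop protection: only the flapping endpoint loses learning, the port and the other hosts on it keep working.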
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Enable Transit Routing
Configure Access Policies for the BGP_L3Out
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Implement VRF Route Leaking
Configure VRF Route Leaking in Shared Services Scenario
Configure VRF Route Leaking in Two-Way Consumer/Provider Relationship
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Configure VRF Route Leaking with L3Out
Configure VRF Route Leaking with L3Out as Provider
Within your tenant Sales, go to Application Profiles > eCommerce_AP > Application EPGs > Exchange_EPG > Subnets. Choose subnet 172.29.1.254/24 and delete it.
Go to Application Profiles > eCommerce_AP > Application EPGs > Exchange_EPG. Delete FileServices_Ct as provided contract and assign Exchange_Ct as consumed contract.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Examine Contracts and Zoning Rules
Show zoning-rule scope ___ src-epg ___ dst-epg ___
Delete
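The scope and EPG arguments of that command are the VRF vnid and sclass values that the EPM output earlier in these notes prints (VRF vnid 2523137, sclass 32775). The following is an added example, not Cisco code: it parses a constructed zoning-rule table in the column layout of show zoning-rule and answers, for a pair of sclass values, which rule the leaf would apply in each direction. The other sclass values, rule ids and contract names are placeholders, and filter contents (protocol and port) are not evaluated: a rule is matched on scope and the source/destination pcTag pair only, with pcTag 0 treated as the "any" wildcard, and the lowest priority number wins.

```python
"""Look up which zoning rule a leaf applies to a flow between two EPGs.

Added example for the "Examine Contracts and Zoning Rules" notes, not Cisco code.
The table is constructed in the column layout of
'show zoning-rule scope <vrf-vnid> src-epg <sclass> dst-epg <sclass>'. Scope 2523137
and sclass 32775 are the VRF vnid and sclass from the EPM output in the notes; the
other sclass values, rule ids and names are placeholders. Filters are not evaluated.
"""
import re

ZONING_RULES = """\
+---------+--------+--------+----------+---------+---------+---------+--------------+----------+------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |   Dir   |  operSt |  Scope  |     Name     |  Action  |     Priority     |
+---------+--------+--------+----------+---------+---------+---------+--------------+----------+------------------+
|   4096  |    0   |    0   | implicit | uni-dir | enabled | 2523137 |              | deny,log | any_any_any(21)  |
|   4142  |  32775 |  49153 |    22    | uni-dir | enabled | 2523137 | Sales:Web_Ct |  permit  | fully_qual(7)    |
|   4143  |  49153 |  32775 |    23    | uni-dir | enabled | 2523137 | Sales:Web_Ct |  permit  | fully_qual(7)    |
|   4150  |  32775 |  16386 |    24    | uni-dir | enabled | 2523137 | Sales:Bkp_Ct | deny,log | fully_qual(7)    |
+---------+--------+--------+----------+---------+---------+---------+--------------+----------+------------------+
"""

COLUMNS = ["rule_id", "src_epg", "dst_epg", "filter_id", "dir", "oper_st", "scope", "name", "action", "priority"]


def parse_zoning_rules(text):
    """Turn the ASCII table into dicts; 'prio' holds the numeric priority (lower wins)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("|") or "Rule ID" in line:
            continue  # border or header line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        rule = dict(zip(COLUMNS, cells))
        for k in ("rule_id", "src_epg", "dst_epg", "scope"):
            rule[k] = int(rule[k])
        rule["prio"] = int(re.search(r"\((\d+)\)", rule["priority"]).group(1))
        rules.append(rule)
    return rules


def matching_rules(rules, scope, src, dst):
    """Enabled rules in this VRF that match the pair; pcTag 0 matches any EPG (assumption)."""
    return sorted(
        (r for r in rules
         if r["scope"] == scope and r["oper_st"] == "enabled"
         and r["src_epg"] in (src, 0) and r["dst_epg"] in (dst, 0)),
        key=lambda r: r["prio"])


def decide(rules, scope, src, dst):
    """(action, rule id) of the most specific matching rule, or (None, None)."""
    matches = matching_rules(rules, scope, src, dst)
    return (matches[0]["action"], matches[0]["rule_id"]) if matches else (None, None)


def explain(rules, scope, src, dst):
    """Both directions of a flow, since each uni-dir rule covers one of them."""
    return {"forward": decide(rules, scope, src, dst), "reverse": decide(rules, scope, dst, src)}


if __name__ == "__main__":
    rules = parse_zoning_rules(ZONING_RULES)
    for peer in (49153, 16386, 20000):
        print(f"sclass 32775 <-> {peer}: {explain(rules, 2523137, 32775, peer)}")
```

The pair 32775/16386 is the case worth noticing: the forward direction hits an explicit deny from a contract, while the reverse direction falls through to the implicit any-any deny, so a one-way "allowed" result after deleting a contract should be checked against both rule ids, not just the forward one.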
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Traditional Network Implementation in Cisco ACI
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Configure Policy-Based Redirect to Layer 4–Layer 7 Service Node
In this lab, you will deploy the Cisco Adaptive Security Virtual Appliance (ASAv) as a firewall service in the Cisco ACI fabric. You will use policy-based redirect (PBR) to redirect the traffic from DB_EPG to BACKUP_EPG through the Cisco ASAv, as shown in the following figure.
Cisco ACI configures the VLANs on the leaf interfaces connected to the Cisco ASAv, along with the required redirection rules on the leaf switches. Cisco ACI does not touch the Cisco ASAv configuration, which is outside its management scope.
In the logical view shown above, traffic between DB_VM and BACKUP_VM would normally be routed by Cisco ACI without a Service Graph with PBR, because Cisco ACI is the default gateway. You will use Cisco ACI Service Graph PBR to selectively force that traffic through the Cisco ASAv.
…. Unfinished
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Deploy Multi-Pod Fabric
The correct answers are DHCP relay support, Increased MTU support, and OSPF support between the spine switches and IPN routers. In a Cisco Multi-Pod deployment, the IPN must support PIM Bidir, OSPF between spine switches and IPN routers, DHCP relay, increased MTU, and so on. However, it is not required to support PIM ASM, EIGRP, or BGP between the spine switches and IPN routers.
The correct answer is BGP in each pod runs in the same BGP AS. The MP-BGP that runs directly between spine switches in each pod is in the same BGP AS. Thus, the pods cannot use different BGP AS. Also, the IPN devices do not participate in this BGP session; they just provide TEP reachability to establish BGP sessions between the spine switches. Finally, you can use route reflector nodes in each pod (recommended for resiliency) so that the spine nodes only peer with the remote route reflector nodes, and a full mesh of MP-BGP sessions is then established only between the route reflectors.
IPN
POD 1
POD 2
Finish and ok
Register POD2 SWs
OOB Mgmt for POD 2
Review topology of two PODs
Add hosts to Pod2 leaf
Enable multicasting on IPN
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ACI Multi-Site Deployment
YouTube video
Nexus Dashboard Orchestrator (NDO) 4.1 with ACI Multisite Lab (New)
Initiate MSO