ACI Advanced Monitoring and Troubleshooting, 1st edition
Brand: Pearson
Publisher: Cisco Press
Authors: Sadiq Memon; Carlo Schmidt; Joseph Ristaino
Edition: 1st (October 22, 2020) © 2021
eBook ISBN: 9780135264706
Print ISBN: 9781587145056
Type: 1 Year Subscription. For individuals
eBook edition. 1 Year Subscription. For individuals | Universities, groups, libraries: call 0915920514 for a quote on Pearson or VitalSource eBooks, or to buy the printed book
Product description
ACI Advanced Monitoring and Troubleshooting provides a solid conceptual foundation and in-depth technical knowledge for monitoring and troubleshooting virtually any issue encountered during the testing, deployment, or operation of Cisco Application Centric Infrastructure (ACI). Written by leading ACI support experts at Cisco, the book covers everything students need to learn to keep an ACI deployment running optimally. Coverage includes:
Core ACI concepts and components, including the Nexus 9000 Series platform, APIC controllers, and protocols
Deep insight into the ACI policy model
ACI fabric design options: single and multiple data centers, stretched versus multiple fabrics, and Multi-Pod/Multi-Site
Automation, orchestration, and cloud in ACI environments
ACI topology and hardware/software specifications
End host and network connectivity
VMM integration
Network management configuration, including SNMP, AAA, and SPAN
Monitoring ACI fabric and health
Getting immediate results through the NX-OS-style command-line interface
Troubleshooting use cases: fabric discovery, APICs, management access, contracts, external connectivity, leaf/spine connectivity, end host connectivity, VMM issues, ACI Multi-Pod/Multi-Site issues, and more
Foreword by Yusuf Bhaiji xxviii
Foreword by Ronak Desai xxix
Introduction xxx
PART I: INTRODUCTION TO ACI
Chapter 1 Fundamental Functions and Components of Cisco ACI 1
ACI Building Blocks 8
Hardware Specifications 8
ACI Key Concepts 14
Control Plane 15
Data Plane 17
VXLAN 17
Tenant 18
VRF 19
Application Profile 20
Endpoint Group 21
Contracts 22
Bridge Domain 24
External Routed or Bridged Network 25
Summary 26
Review Key Topics 26
Review Questions 27
Chapter 2 Introduction to the ACI Policy Model 31
Key Characteristics of the Policy Model 32
Management Information Tree (MIT) 33
Benefits of a Policy Model 37
Logical Constructs 37
Tenant Objects 38
VRF Objects 39
Application Profile Objects 40
Endpoint Group Objects 41
Bridge Domain and Subnet Objects 43
Bridge Domain Options 45
Contract Objects 46
Labels, Filters, and Aliases 48
Contract Inheritance 49
Contract Preferred Groups 49
vzAny 50
Outside Network Objects 51
Physical Construct 52
Access Policies 52
Switch Policies 53
Interface Policies 54
Global Policies 55
Managed Object Relationships and Policy Resolution 57
Tags 58
Default Policies 58
How a Policy Model Helps in Diagnosis 60
Summary 63
Review Key Topics 63
Review Questions 64
Chapter 3 ACI Command-Line Interfaces 67
APIC CLIs 68
NX-OS–Style CLI 68
Bash CLI 74
ACI Fabric Switch CLIs 78
iBash CLI 78
VSH CLI 81
VSH_LC CLI 83
Summary 84
Reference 84
Chapter 4 ACI Fabric Design Options 85
Physical Design 85
Single- Versus Multiple-Fabric Design 87
Multi-Pod 97
Multi-Site 116
Remote Leaf 131
Hardware and Software Support 134
ACI Multi-Pod and Remote Leaf Integration 143
Logical Design 149
Design 1: Container-as-a-Service Using the OpenShift Platform and Calico CNI 149
Design 2: Vendor-Based ERP/SAP Hana Design with ACI 165
Design 3: vBrick Digital Media Engine Design with ACI 175
Summary 180
Review Key Topics 181
Review Questions 181
Chapter 5 End Host and Network Connectivity 185
End Host Connectivity 185
VLAN Pool 186
Domain 186
Attachable Access Entity Profiles (AAEPs) 186
Switch Policies 187
Interface Policies 188
Virtual Port Channel (VPC) 191
Port Channel 197
Access Port 201
Best Practices in Configuring Access Policies 206
Compute and Storage Connectivity 207
L4/L7 Service Device Connectivity 210
Network Connectivity 213
Connecting an External Bridge Network 213
Connecting an External Routed Network 218
Diagnosing Connectivity Problems 242
Summary 245
Review Questions 245
Chapter 6 VMM Integration 249
Virtual Machine Manager (VMM) 249
VMM Domain Policy Model 250
VMM Domain Components 250
VMM Domains 250
VMM Domain VLAN Pool Association 252
VMware Integration 257
Prerequisites for VMM Integration with AVS or VDS 257
Guidelines and Limitations for VMM Integration with AVS or VDS 257
ACI VMM Integration Workflow 258
Publishing EPGs to a VMM Domain 258
Connecting Virtual Machines to the Endpoint Group Port Groups on vCenter 259
Verifying VMM Integration with the AVS or VDS 259
Microsoft SCVMM Integration 260
Mapping ACI and SCVMM Constructs 261
Mapping Multiple SCVMMs to an APIC 262
Verifying That the OpFlex Certificate Is Deployed for a Connection from the SCVMM to the APIC 262
Verifying VMM Deployment from the APIC to the SCVMM 263
OpenStack Integration 263
Extending OpFlex to the Compute Node 264
ACI with OpenStack Physical Architecture 264
OpFlex Software Architecture 265
OpenStack Logical Topology 265
Mapping OpenStack and ACI Constructs 266
Kubernetes Integration 272
Planning for Kubernetes Integration 272
Prerequisites for Integrating Kubernetes with Cisco ACI 273
Provisioning Cisco ACI to Work with Kubernetes 274
Preparing the Kubernetes Nodes 277
Installing Kubernetes and Cisco ACI Containers 279
Verifying the Kubernetes Integration 280
OpenShift Integration 281
Planning for OpenShift Integration 282
Prerequisites for Integrating OpenShift with Cisco ACI 283
Provisioning Cisco ACI to Work with OpenShift 284
Preparing the OpenShift Nodes 287
Installing OpenShift and Cisco ACI Containers 290
Updating the OpenShift Router to Use the ACI Fabric 291
Verifying the OpenShift Integration 291
VMM Integration with ACI at Multiple Locations 292
Multi-Site 292
Remote Leaf 295
Summary 298
Chapter 7 L4/L7 Service Integration 299
Service Insertion 299
The Service Graph 300
Managed Mode Versus Un-Managed Mode 301
L4–L7 Integration Use Cases 302
How Contracts Work in ACI 303
The Shadow EPG 306
Configuring the Service Graph 307
Service Graph Design and Deployment Options 312
Policy-Based Redirect (PBR) 322
PBR Design Considerations 323
PBR Design Scenarios 324
Configuring the PBR Service Graph 325
Service Node Health Check 326
Common Issues in the PBR Service Graph 328
L4/L7 Service Integration in Multi-Pod and Multi-Site 332
Multi-Pod 332
Multi-Site 338
Review Questions 342
Chapter 8 Automation and Orchestration 343
The Difference Between Automation and Orchestration 343
Benefits of Automation and Orchestration 344
REST API 349
Automating Tasks Using the Native REST API: JSON and XML 351
API Inspector 351
Object (Save As) 353
Visore (Object Store Browser) 355
MOQuery 357
Automation Use Cases 364
Automating Tasks Using Ansible 372
Ansible Support in ACI 375
Installing Ansible and Ensuring a Secure Connection 378
APIC Authentication in Ansible 382
Automation Use Cases 384
Orchestration Through UCS Director 392
Management Through Cisco UCS Director 392
Automation and Orchestration with Cisco UCS Director 393
Automation Use Cases 395
Summary 402
Review Questions 402
PART II: MONITORING AND MANAGEMENT BEST PRACTICES
Chapter 9 Monitoring ACI Fabric 405
Importance of Monitoring 405
Faults and Health Scores 407
Faults 407
Health Scores 411
ACI Internal Monitoring Tools 415
SNMP 415
Syslog 420
NetFlow 426
ACI External Monitoring Tools 430
Network Insights 430
Network Assurance Engine 437
Tetration 453
Monitoring Through the REST API 473
Monitoring an APIC 475
Monitoring Leafs and Spines 482
Monitoring Applications 499
Summary 505
Review Questions 506
Chapter 10 Network Management and Monitoring Configuration 509
Out-of-Band Management 509
Creating Static Management Addresses 510
Creating the Management Contract 510
Choosing the Node Management EPG 513
Creating an External Management Entity EPG 513
Verifying the OOB Management Configuration 515
In-Band Management 517
Creating a Management Contract 517
Creating Leaf Interface Access Policies for APIC INB Management 518
Creating Access Policies for the Border Leaf(s) Connected to L3Out 520
Creating INB Management External Routed Networks (L3Out) 522
Creating External Management EPGs 524
Creating an INB BD with a Subnet 527
Configuring the Node Management EPG 529
Creating Static Management Addresses 530
Verifying the INB Management Configuration 530
AAA 533
Configuring Cisco Secure ACS 533
Configuring Cisco ISE 542
Configuring AAA in ACI 547
Recovering with the Local Fallback User 550
Verifying the AAA Configuration 550
Syslog 551
Verifying the Syslog Configuration and Functionality 555
SNMP 556
Verifying the SNMP Configuration and Functionality 562
SPAN 566
Access SPAN 567
Fabric SPAN 571
Tenant SPAN 572
Ensuring Visibility and Troubleshooting SPAN 575
Verifying the SPAN Configuration and Functionality 576
NetFlow 577
NetFlow with Access Policies 580
NetFlow with Tenant Policies 582
Verifying the NetFlow Configuration and Functionality 585
Summary 587
PART III: ADVANCED FORWARDING AND TROUBLESHOOTING TECHNIQUES
Chapter 11 ACI Topology 589
Physical Topology 589
APIC Initial Setup 593
Fabric Access Policies 595
Switch Profiles, Switch Policies, and Interface Profiles 595
Interface Policies and Policy Groups 596
Pools, Domains, and AAEPs 597
VMM Domain Configuration 601
VMM Topology 601
Hardware and Software Specifications 603
Logical Layout of EPGs, BDs, VRF Instances, and Contracts 605
L3Out Logical Layout 606
Summary 608
Review Key Topics 608
References 609
Chapter 12 Bits and Bytes of ACI Forwarding 611
Limitations of Traditional Networks and the Evolution of Overlay Networks 611
High-Level VXLAN Overview 613
IS-IS, TEP Addressing, and the ACI Underlay 615
IS-IS and TEP Addressing 615
FTags and the MDT 618
Endpoint Learning in ACI 626
Endpoint Learning in a Layer 2–Only Bridge Domain 627
Endpoint Learning in a Layer 3–Enabled Bridge Domain 635
Fabric Glean 640
Remote Endpoint Learning 641
Endpoint Mobility 645
Anycast Gateway 647
Virtual Port Channels in ACI 649
Routing in ACI 651
Static or Dynamic Routes 651
Learning External Routes in the ACI Fabric 656
Transit Routing 659
Policy Enforcement 661
Shared Services 664
L3Out Flags 668
Quality of Service (QoS) in ACI 669
Externally Set DSCP and CoS Markings 671
CoS Preservation in ACI 672
Multi-Pod 674
Multi-Site 680
Remote Leaf 684
Forwarding Scenarios 686
ARP Flooding 686
Layer 2 Known Unicast 688
ARP Optimization 690
Layer 2 Unknown Unicast Proxy 690
L3 Policy Enforcement When Going to L3Out 693
L3 Policy Enforcement for External Traffic Coming into the Fabric 695
Route Leaking/Shared Services 695
Consumer to Provider 695
Provider to Consumer 698
Multi-Pod Forwarding Examples 698
ARP Flooding 700
Layer 3 Proxy Flow 700
Multi-Site Forwarding Examples 703
ARP Flooding 703
Layer 3 Proxy Flow 705
Remote Leaf 707
ARP Flooding 707
Layer 3 Proxy Flow 710
Summary 713
Review Key Topics 713
References 714
Review Questions 714
Chapter 13 Troubleshooting Techniques 717
General Troubleshooting 717
Faults, Events, and Audits 718
moquery 722
iCurl 724
Visore 726
Infrastructure Troubleshooting 727
APIC Cluster Troubleshooting 727
Fabric Node Troubleshooting 734
How to Verify Physical- and Platform-Related Issues 737
Counters 737
CPU Packet Captures 743
SPAN 748
Troubleshooting Endpoint Connectivity 751
Endpoint Tracker and Log Files 752
Enhanced Endpoint Tracker (EPT) App 756
Rogue Endpoint Detection 758
Troubleshooting Contract-Related Issues 759
Verifying Policy Deny Drops 764
Embedded Logic Analyzer Module (ELAM) 765
Summary 769
Review Key Topics 769
Review Questions 769
Chapter 14 The ACI Visibility & Troubleshooting Tool 771
Visibility & Troubleshooting Tool Overview 771
Faults Tab 772
Drop/Stats Tab 773
Ingress/Egress Buffer Drop Packets 774
Ingress Error Drop Packets Periodic 774
Storm Control 774
Ingress Forward Drop Packets 775
Ingress Load Balancer Drop Packets 776
Contract Drops Tab 777
Contracts 777
Contract Considerations 778
Events and Audits Tab 779
Traceroute Tab 780
Atomic Counter Tab 782
Latency Tab 785
SPAN Tab 786
Network Insights Resources (NIR) Overview 787
Summary 790
Chapter 15 Troubleshooting Use Cases 791
Troubleshooting Fabric Discovery: Leaf Discovery 792
Troubleshooting APIC Controllers and Clusters: Clustering 795
Troubleshooting Management Access: Out-of-Band EPG 799
Troubleshooting Contracts: Traffic Not Traversing a Firewall as Expected 801
Troubleshooting Contracts: Contract Directionality 804
Troubleshooting End Host Connectivity: Layer 2 Traffic Flow Through ACI 807
Troubleshooting External Layer 2 Connectivity: Broken Layer 2 Traffic Flow Through ACI 812
Troubleshooting External Layer 3 Connectivity: Broken Layer 3 Traffic Flow Through ACI 814
Troubleshooting External Layer 3 Connectivity: Unexpected Layer 3 Traffic Flow Through ACI 816
Troubleshooting Leaf and Spine Connectivity: Leaf Issue 821
Troubleshooting VMM Domains: VMM Controller Offline 826
Troubleshooting VMM Domains: VM Connectivity Issue After Deploying the VMM Domain 829
Troubleshooting L4–L7: Deploying an L4–L7 Device 832
Troubleshooting L4–L7: Control Protocols Stop Working After Service Graph Deployment 834
Troubleshooting Multi-Pod: BUM Traffic Not Reaching Remote Pods 837
Troubleshooting Multi-Pod: Remote L3Out Not Reachable 839
Troubleshooting Multi-Site: Using Consistency Checker to Verify State at Each Site 841
Troubleshooting Programmability Issues: JSON Script Generates Error 844
Troubleshooting Multicast Issues: PIM Sparse Mode Any-Source Multicast (ASM) 846
Summary 860
Appendix A Answers to Chapter Review Questions 861
Index 873