
DCAC9K
Configuring Cisco Nexus 9000 Series Switches in ACI Mode
Version 1.2 Revision A
Lab Guide

Overview
This guide presents the instructions and other information concerning the lab activities for this course.

Outline
This guide includes these activities:
• Lab 0: Accessing the NterOne Lab Devices
• Lab 1: Initial ACI Fabric Configuration Tasks
• Lab 2: Configure a Tenant, VRF, and Bridge Domain
• Lab 3: Configure Policy Filters and Contracts
• Lab 4: Deploy a Three-Tier Application Profile
• Lab 5: Configure a VMware VMM Domain
• Lab 6: Configure Baseline Interface Policies
• Lab 7: Configure VMware ESXi Hosts to Use the APIC DVS
• Lab 8: Associate an EPG to a VMware vCenter Domain
• Lab 9: Associate Virtual Machines with ACI DVS Port Groups
• Lab 10: Configure the APIC Using the REST API (Postman)
• Lab 11: Configure the APIC Using the ACI Cobra SDK (Python)
• Lab 12: Configure the APIC Using the Cisco APIC REST to Python Adapter (ARYA)
• Lab 13: Configure Inter-Tenant Connectivity
• Lab 14: Configure External Layer 3 Connectivity Using OSPF Routing
• Lab 15: Configure External Layer 2 Connectivity - Extending a Bridge Domain
• Lab 16: Configure External Layer 2 Connectivity - Extending an EPG
• Lab 17: Configure a Service Graph in Managed Mode
• Lab 18: Configure RBAC Using Local and RADIUS Accounts
• Lab 19: Monitor and Troubleshoot ACI
Lab 0: Accessing the NterOne Lab Devices
The purpose of this lab exercise is to make you familiar with the NterOne lab environment and how to
successfully connect to the various devices that you will use during this class.

Task 1: Understanding your NterOne Lab Environment

Before you can begin configuring your lab devices you must understand how the NterOne lab environment is
constructed and how it is accessed.

Your Student Server

Before you can gain access to the NterOne lab devices you must first successfully log in to a Student Server.
• Once you have successfully logged in to a Student Server you will be able to use the applications
installed on the Student Server to access the lab devices for your class.
• Student Server names and account credentials will be given to you by your instructor.
• Two students may log in to the same Student Server using different accounts; in this case each
student will have a unique Desktop which is not shared with the other student.

The Student Servers are often referred to by a one-digit number (the Student Server Number) which is part of
the DNS name and IP address of the Student Server.

Lab Devices and Pods

During this class you will be using the ACI Lab Rack. The ACI Lab Rack contains the following equipment:
• One (1) Cisco Application Policy Infrastructure Controller (APIC)
• One (1) Cisco Nexus C9336PQ Switch running in ACI mode (Spine switch)
• Two (2) Cisco Nexus C9396PX Switches running in ACI mode (Leaf switches)
• Eight (8) Cisco UCS C200 M3 C-Series Servers
You will have access to all of these devices; however, you will be assigned a single Pod within the UCS Lab
Rack:
• A Pod is a portion of the ACI Lab Rack that is configured by one or two students.
• A Pod Number is used to uniquely identify each Pod. The Pod Number (“##”) is a value between 11
and 26.
• You will be assigned to a Pod for a given lab exercise, possibly with another student depending on
the class size.
• During the lab exercises you will be asked to configure the devices in your Pod. Do not configure
any devices outside your assigned Pod unless specifically instructed to do so.

Configuring Cisco Nexus 9000 Series Switches in ACI Mode (DCAC9K) Lab Guide v1.2 rev A Page 3
©2016 NterOne Corporation
Letter Variables
The Lab Guide for your class uses letter variables (similar to algebra) to represent digits within a command
or command output. Usually, whenever you see one of the capital letters in the following table you should
replace that letter with the correct value; the Lab Guide should also point out when a letter variable is being
used. The variables will be displayed with a font color of red.
For example, if you are currently assigned to Pod 23, and if you are instructed to configure an IP address of
192.168.1.##, the IP address that you should use would be 192.168.1.23. The following table lists all of the
letter variables that are commonly used in the Lab Guide.

Letter Variable   Possible Values                     Description
R                 1, 2, or 3                          Your ACI Rack Number
##                11 through 26                       Your Pod Number
@                 A, B, C, or D                       Your vCenter Server
@@                A1, A2, B1, B2, C1, C2, D1, or D2   Your ESXi Host

You should determine the value of each of these variables before you start each lab exercise. If you do not
use the correct values you may not be able to complete the lab exercise and you may also cause another
student’s lab devices to malfunction.

Remote Desktop Connection

The application that you must use to log in to your Student Server is Remote Desktop Connection (RDC).
• This is the only application that can be used to log in to your Student Server.
• The shortcut to RDC is typically found on Windows-based systems by clicking Start > All
Programs > Accessories > Remote Desktop Connection. Another way to find RDC is to use the
“Search programs and files” function in the Windows Start menu.
• Students using Apple-based computers can download the Microsoft Remote Desktop app from
https://itunes.apple.com/us/app/id715768417?mt=12 .
• Students using Linux-based computers can download rdesktop from http://www.rdesktop.org/ .

Task 2: Connect to your Assigned Student Server using Remote Desktop Connection (RDC)
Follow the steps in this Task in order to log in to a Student Server.
Step 1 Your instructor will give you the information you need to log in to a Student Server. The following
table is provided for you to record these values.

Student Server Name / IP Address: ______________________
User Name: ______________________
Password: ______________________

Step 2 Log in to your personal/work computer.


Step 3 Verify that your computer is able to access the Internet. A simple test to verify this would be to
use a browser to access www.nterone.com .
Step 4 Verify that your computer has a Remote Desktop Connection (RDC) client installed. Use the
information on the previous page if you are having difficulty finding RDC on your computer.
Step 5 Start the Remote Desktop Connection application. The following window should appear.

Note The following steps use the Microsoft version of RDC; if you are using an Apple- or Linux-based
computer the screens that you will see will be different.

Step 6 In the Computer field enter the DNS name or IP address of the Student Server that has been
assigned to you.
Step 7 Click the Connect button. The Windows Security window should appear.

Note If this step fails after several seconds, please contact your class instructor for assistance.

Note If you are able to access the Internet but are unable to access any of the NterOne Student
Servers you will need to determine if there is a firewall somewhere preventing your computer
from accessing the NterOne Student Servers. This is a common problem for students who are
using a computer at their place of employment, in which case you may need to contact your
company’s IT department for assistance.

Step 8 Click on the “Use another account” section of the window.


Step 9 Enter the User name and Password needed to connect to the Student Server.

Step 10 Click the OK button. A window should appear which will look similar to the window below.

Step 11 Click the check box next to “Don’t ask me again for connections to this computer” and then
click “Yes”.
Step 12 After a few seconds the login process should finish and the desktop of your Student Server
should appear which will look similar to the window below.

Step 13 The most commonly used applications, such as Chrome, will have shortcuts on the Desktop.
Other applications may also be found using the Start menu.
Step 14 The process to connect to your Student Server is complete.

Task 3: Log In to the APIC-1 Management Application


This procedure details the steps you will use to start the APIC management application and log in to the
APIC-1. This procedure assumes that you have successfully accessed your Student Server.
Step 15 From the desktop of your Student Server start the Chrome application.
Step 16 Navigate to the following URL: https://192.168.R0.1 (replace “R” with your ACI Rack
Number).
Step 17 You will be warned by Chrome that the connection is not private.

Note Please never worry if you see any message like this about your connection not being private in
these labs. Of course, click Proceed… and “agree” with all browser security requests.

Step 18 Click the link labeled Advanced. Chrome will warn you that the security certificate provided by
the APIC is not trusted.

Step 19 Click the link labeled Proceed to 192.168.R0.1 (unsafe). You should now see the APIC sign in
prompt.

Step 20 Log in to the APIC with the credentials below:

• Username: admin
• Password: 1234QWer (note that “QW” is capitalized)
• Mode: Advanced

Note Only use the Advanced Mode throughout this class.

Step 21 You may see the warning message depicted below. If you do not see this warning message, skip
ahead to Step 25.

Step 22 Click the YES button.
Step 23 The Deployment Warning Settings window will appear. Click the check box at the end of
“(Global) Show Deployment Warning on Delete/Modify”.

Step 24 Click the SUBMIT button.


Step 25 Once you are logged in, you are presented with the Dashboard. You are logged in with global
administrative rights and your view includes all system components.

Note The ACI Rack that you are using contains only one APIC, which is why the red warning message
is displayed at the top of the application. This warning message will be present throughout this
class.

Step 26 Note the layout of the GUI interface. The top portion is referred to as the Menu bar.

Step 27 Once a tab is selected from the Menu bar, a Submenu bar will appear below the Menu bar.

Step 28 The Navigation pane is displayed on the left side of the APIC GUI, below the Submenu bar. This
pane provides centralized navigation to all elements of the submenu category. When you
choose a component in the Navigation pane, the object is displayed in the Work pane on the
right side of the APIC GUI. The Work pane shows details about the component selected in
the Navigation pane.

Step 29 The upper right-hand corner of the APIC GUI indicates the user account with which you logged
in to the APIC GUI. Click the down arrow next to the account name and select Settings from
the drop-down menu.

Step 30 The Application Settings window will appear. These settings affect how the APIC GUI
responds as you use it. Enter the values in the following table.

Field                                   Value
Remember Tree Selection                 Checked
Preserve Tree Divider Position          Checked
Disable Notification on Success         Checked
Disable Deployment Warning at Login     Unchecked

Step 31 Click the OK button.

Lab 1: Initial ACI Fabric Configuration Tasks
Overview
The instructor will register the switches to the APIC controller and then discover the rest of the fabric. This
activity will guide you through this process, and then familiarize you with the fabric topology portion of the
APIC GUI. The instructor will also perform tasks that are typically performed when the ACI fabric is being
initially configured.
Upon completing this guided lab, you will be able to:
• Register Nexus 9000 switches to the ACI fabric
• Configure out-of-band (OOB) access to the fabric switches
• Configure DNS
• Configure NTP
• Enable HTTP access to the APIC
• Configure MP-BGP route reflectors

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Note It is critical and important in every way to refer to the NterOne Resource Guide for this class
provided by your instructor. Study it. Use it. Refer to it. These labs demand you use the
Resource Guide. Again and again.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
• Username: admin
• Password: 1234QWer (note that “QW” is capitalized)
• Mode: Advanced
Step 5 At this point you should see the APIC Dashboard.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Register the Fabric Switches (Instructor Demo)


In this task, the instructor will register the Nexus 9000 Switches to the fabric managed by APIC-1.

Note Tasks that are designated as “Instructor Demo” are only performed once per ACI fabric.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 6 In the Menu bar, click Fabric.


Step 7 In the Submenu bar, click Inventory.
Step 8 Click the expand arrow next to Fabric Membership in the Navigation pane to expand the view, and notice
the single switch entry under the Fabric Membership folder. This is the leaf switch that the
APIC is connected to, which is not yet registered.

Note The APICs and the ACI switches use Link Layer Discovery Protocol (LLDP) to discover
connected devices. Devices that are discovered are not automatically added to the fabric; an
administrator must determine which devices should be added to the fabric and then manually
register them.

Step 9 Choose Fabric Membership by clicking on that entry. The Work pane will show a switch with
a serial number that starts with the letters “SAL” and an ID of 0. Observe that its role is leaf.

Note Unregistered switches are assigned the Node ID of 0. By default, switches detected by the fabric
are not added to the fabric automatically; they must be added manually.

Step 10 To register this leaf switch, double-click the row in the Work pane; this will allow you to
modify the values of the row. Enter the values in the following table.

Field       Value
NODE ID     101
NODE NAME   Leaf-1

Note The Node ID has to be greater than 100 because the APIC reserves the node IDs 1 through 100
for future APICs that may be added to the fabric.

Step 11 Click the UPDATE button.


Step 12 The APIC will now begin discovering the fabric along with other APICs. Wait 30 to 60 seconds
for the APIC GUI to see other switches in the fabric. You should see an additional switch
appear in the Fabric Membership view.

Note Observe that the Leaf switch now has a private (RFC 1918) IP address assigned. This address
range is configured on the APIC when first installed, and managed by the APIC for infrastructure
communication across the ACI fabric.

Note The fabric will discover another switch. Notice under the ROLE that these are spine switches
with their Node ID set to 0.

Step 13 Register the Cisco Nexus 9336PQ spine switch. Enter the values in the following table.

Field       Value
NODE ID     102
NODE NAME   Spine-1

Step 14 With the spine switch now registered, please wait an additional 30 to 60 seconds for the fabric
to discover the second leaf switch.

Step 15 Register the Cisco Nexus 9396PX leaf switch. Enter the values in the following table.

Field       Value
NODE ID     103
NODE NAME   Leaf-2

Step 16 In the Navigation pane, click the Topology folder. You should see the complete ACI fabric,
which includes one spine switch, two leaf switches, and one APIC.

Step 17 From your Student Server desktop, start a PuTTY session with APIC-1. There should be a
shortcut on the desktop for APIC-1.

Step 18 Log in to APIC-1 using the following information:

• Login as: admin
• Password: 1234QWer (note that “QW” is capitalized)

login as: admin
Application Policy Infrastructure Controller
admin@192.168.30.1's password: 1234QWer
Last login: Sat Apr 16 11:59:49 2016
apic1#

Step 19 Execute the show switch command. This command will display a summary of the fabric
switches that are registered with the APIC. The output should show three fabric switches and
contain information similar to what was seen earlier in the GUI.

Step 20 Execute the acidiag fnvread command. This command will display similar information about
the fabric switches.

apic1# acidiag fnvread

 ID   Name     Serial Number  IP Address       Role   Pod ID  State   LastUpdMsgId
----------------------------------------------------------------------------------
101   Leaf-1   SAL1944S69H    172.19.64.95/32  leaf   1       active  0
102   Spine-1  SAL18391DWR    172.19.64.94/32  spine  1       active  0
103   Leaf-2   SAL1947THQA    172.19.64.93/32  leaf   1       active  0

Total 3 nodes

Note The acidiag command is a useful troubleshooting command that allows you to gather information
about the entire ACI fabric from the APIC command line.
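The acidiag fnvread table above is also a convenient thing to audit: a node with ID 0 is a switch the fabric discovered over LLDP but nobody registered, and a serial number that is not in your inventory is worth a look. The following parser and audit are an added example, not code from the lab guide; the sample output is constructed from the node values shown above and the expected inventory is this example's own.

```python
"""Parse `acidiag fnvread` output and compare it with an expected inventory.

Added example, not code from the NterOne lab guide. The sample below is
constructed from the three registered switches shown in Step 20.
"""
from dataclasses import dataclass

# Constructed sample, laid out the way `acidiag fnvread` prints its table
SAMPLE = """\
 ID   Name     Serial Number  IP Address       Role   Pod ID  State   LastUpdMsgId
----------------------------------------------------------------------------------
101   Leaf-1   SAL1944S69H    172.19.64.95/32  leaf   1       active  0
102   Spine-1  SAL18391DWR    172.19.64.94/32  spine  1       active  0
103   Leaf-2   SAL1947THQA    172.19.64.93/32  leaf   1       active  0

Total 3 nodes
"""

# Expected inventory for this example: serial -> (node id, role)
EXPECTED = {
    "SAL1944S69H": (101, "leaf"),
    "SAL18391DWR": (102, "spine"),
    "SAL1947THQA": (103, "leaf"),
}


@dataclass(frozen=True)
class FabricNode:
    node_id: int
    name: str
    serial: str
    ip: str
    role: str
    pod: int
    state: str


def parse_fnvread(text):
    """Return one FabricNode per data row of the fnvread table."""
    nodes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ID ") or line.startswith("-") or line.startswith("Total"):
            continue  # header, separator, summary line or blank line
        parts = line.split()
        if len(parts) != 8:
            # Never drop a row silently: a node that fails to parse is exactly
            # the kind of thing an audit exists to surface.
            raise ValueError(f"unexpected fnvread row: {line!r}")
        node_id, name, serial, ip, role, pod, state, _last_msg = parts
        nodes.append(FabricNode(int(node_id), name, serial, ip, role, int(pod), state))
    return nodes


def audit_fabric(nodes, expected):
    """Return a list of findings; an empty list means the fabric matches the inventory."""
    findings = []
    seen = set()
    for n in nodes:
        seen.add(n.serial)
        if n.node_id == 0:
            # Discovered by LLDP but never registered by an administrator
            findings.append(f"unregistered {n.role} with serial {n.serial} is visible to the fabric")
            continue
        if n.serial not in expected:
            findings.append(f"node {n.node_id} ({n.name}) serial {n.serial} is not in the inventory")
        elif expected[n.serial] != (n.node_id, n.role):
            findings.append(f"serial {n.serial} is registered as {n.node_id}/{n.role}, "
                            f"inventory says {expected[n.serial]}")
        if n.state != "active":
            findings.append(f"node {n.node_id} ({n.name}) state is {n.state}, not active")
    for serial, (node_id, _role) in expected.items():
        if serial not in seen:
            findings.append(f"expected node {node_id} with serial {serial} is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_fabric(parse_fnvread(SAMPLE), EXPECTED) or ["fabric matches inventory"]:
        print(finding)
```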

Step 21 Execute the show controller command. This command will display a summary of the APICs
that are connected to this fabric.

Note The IP addresses assigned in your environment may not match the output. It is a pseudo-
random assignment.

Step 22 Execute the show controller detail command. This command will display additional details
about the APIC.

apic1# show controller detail

ID                   : 1*
Name                 : apic1
UUID                 : 70987b86-02f6-11e6-b6f8-1516d7032dca
Address              : 172.19.0.1
In-Band IPv4 Address : 0.0.0.0
In-Band IPv6 Address : fc00::1
OOB IPv4 Address     : 192.168.R0.1
OOB IPv6 Address     : fe80::fe5b:39ff:fe2d:4f5a
Serial Number        : FCH1835V0RY
Version              : 1.2(2h)
Commissioned         : in-service
Registered           : available
Valid Certificate    : yes
Validity Start       : 2014-10-31T05:51:47.000+00:00
Validity End         : 2024-10-31T06:01:47.000+00:00
Up Time              : 01:01:39:51.000
Health               : fully-fit

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Configure Out-of-Band (OOB) Management (Instructor Demo)


In this task, the instructor will configure the out-of-band (OOB) management settings so that the Nexus
switches can be accessed directly via SSH.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23 Return to the APIC GUI running in your Chrome browser.


Step 24 In the Menu bar, click Tenants.
Step 25 In the Submenu bar, click mgmt.
Step 26 In the Navigation pane, expand Tenant mgmt > Security Policies > Out-Of-Band Contracts.
Step 27 Right-click the Out-Of-Band Contracts folder and then select Create Out-Of-Band Contract
from the context menu.

Step 28 The Create Out-Of-Band Contract wizard will appear. Enter the values in the following table;
do NOT change any of the values that are not listed in the following table.

Field   Value
Name    OOB-CONTRACT
Scope   VRF

Step 29 In the Subjects subsection, click the plus sign to create a new entry.
Step 30 The Create Contract Subject wizard will appear. In the Name field, type SUBJECT-ANY.
Step 31 In the Filters subsection, click the plus sign to create a new entry.
Step 32 In the Name drop-down list, select common/default.

Step 33 Click the UPDATE button.


Step 34 Click the OK button to complete the Create Contract Subject wizard.

Step 35 Click the SUBMIT button to complete the Create Out-Of-Band Contract wizard.
Step 36 In the Navigation pane, expand Tenant mgmt > Node Management EPGs.
Step 37 Right-click the Node Management EPGs folder and then select Create Out-of-Band
Management EPG from the context menu.

Step 38 The Create Out-of-Band Management EPG wizard will appear. In the Name field, type
OOB-MGMT-EPG.
Step 39 In the Provided Out-of-Band Contracts subsection, click the plus sign to create a new entry.
Step 40 In the OOB Contract drop-down list, select OOB-CONTRACT.
Step 41 Click the UPDATE button.

Step 42 Click the SUBMIT button to complete the Create Out-of-Band Management EPG wizard.
Step 43 In the Navigation pane, expand Tenant mgmt > Node Management Addresses > Static Node
Management Addresses.
Step 44 Right-click the Static Node Management Addresses folder and then select Create Static
Node Management Addresses from the context menu.

Step 45 The Create Static Node Management Addresses wizard will appear. Enter the values in the
following table.

Field                              Value
Node Range (From)                  101
Node Range (To)                    103
Config: Out-Of-Band Addresses      Checked
Out-Of-Band Management EPG         OOB-MGMT-EPG
Out-Of-Band Starting IP Address    192.168.R0.101/24 (replace “R” with your ACI Rack Number)
Out-Of-Band IPv4 Gateway           192.168.R0.254 (replace “R” with your ACI Rack Number)

Step 46 Click the SUBMIT button to complete the Create Static Node Management Addresses
wizard. A warning message will appear indicating that the management IP addresses of the
selected range of nodes will be changed.

Step 47 Click the YES button.
Step 48 You should now see the IP addresses that have been assigned to the Nexus switches in the
Work pane.

Step 49 In the Navigation pane, expand Tenant mgmt > External Management Network Instance
Profiles.
Step 50 Right-click the External Management Network Instance Profiles folder and then select
Create External Management Network Instance Profile from the context menu.

Step 51 The Create External Management Network Instance Profile wizard will appear. In the
Name field, type EMNIP.
Step 52 In the Consumed Out-of-Band Contracts subsection, click the plus sign to create a new entry.
Step 53 In the Out-of-Band Contract drop-down list, select OOB-CONTRACT.
Step 54 Click the UPDATE button.
Step 55 In the Subnets subsection, click the plus sign to create a new entry.
Step 56 In the IP field, enter 10.0.0.0/8.
Step 57 Click the UPDATE button.
Step 58 In the Subnets subsection, click the plus sign to create a new entry.
Step 59 In the IP field, enter 192.168.R0.0/24 (replace “R” with your ACI Rack Number).
Step 60 Click the UPDATE button.

Step 61 Click the SUBMIT button to complete the Create External Management Network Instance
Profile wizard.
Step 62 At this point you have allowed access to the management ports of the Nexus switches from two
different subnets. Next, you will verify that you can connect directly to the Nexus switches.
Step 63 From your Student Server desktop, start a PuTTY session with the Leaf-1 switch. There should
be a shortcut on the desktop for Leaf-1.

Step 64 Log in to Leaf-1 using the following information:

• Login as: admin
• Password: 1234QWer (note that “QW” is capitalized)

login as: admin
Using keyboard-interactive authentication.
Password: 1234QWer
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Leaf-1#
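The policy the instructor builds in Steps 24 through 61 (OOB contract, OOB management EPG with static node addresses, and the external management instance profile with its subnets) can also be pushed to the APIC as one JSON tree. This is an added example, not code from the lab guide or from Cisco; the REST endpoints and ACI class names (vzOOBBrCP, mgmtOoB, mgmtRsOoBStNode, mgmtInstP, mgmtSubnet) are assumed from the ACI object model and should be confirmed in the APIC's API Inspector, and the environment variables and certificate file are this example's own. Unlike the browser steps above, it verifies the APIC certificate against a pinned file rather than accepting it unseen.

```python
"""Push the Lab 1 Task 2 out-of-band management policy to the APIC as JSON.

Added example, not code from the NterOne lab guide. Assumes the APIC REST
endpoints POST /api/aaaLogin.json and POST /api/mo/uni.json and the ACI
classes named below; confirm them in the APIC's API Inspector first.
"""
import json
import os
import ssl
import urllib.request
from http.cookiejar import CookieJar


def build_oob_config(rack, node_ids=(101, 102, 103), start_host=101,
                     external_subnets=("10.0.0.0/8",)):
    """Return the Tenant mgmt object tree that mirrors Steps 24 through 61."""
    oob_net = f"192.168.{rack}0"
    # Steps 28-35: OOB contract with VRF scope ("context") and one subject using common/default
    contract = {"vzOOBBrCP": {
        "attributes": {"name": "OOB-CONTRACT", "scope": "context"},
        "children": [{"vzSubj": {
            "attributes": {"name": "SUBJECT-ANY"},
            "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "default"}}}]}}]}}
    # Step 45: one static OOB address per node, starting at .101 and incrementing
    static_nodes = [{"mgmtRsOoBStNode": {"attributes": {
        "tDn": f"topology/pod-1/node-{nid}",
        "addr": f"{oob_net}.{start_host + i}/24",
        "gw": f"{oob_net}.254"}}} for i, nid in enumerate(node_ids)]
    # Steps 38-42: OOB management EPG that provides the contract
    epg = {"mgmtMgmtP": {"attributes": {"name": "default"}, "children": [{"mgmtOoB": {
        "attributes": {"name": "OOB-MGMT-EPG"},
        "children": [{"mgmtRsOoBProv": {"attributes": {"tnVzOOBBrCPName": "OOB-CONTRACT"}}}]
                    + static_nodes}}]}}
    # Steps 51-61: external profile consuming the contract; only these subnets reach the OOB ports
    subnets = list(external_subnets) + [f"{oob_net}.0/24"]
    instp = {"mgmtExtMgmtEntity": {"attributes": {"name": "default"}, "children": [{"mgmtInstP": {
        "attributes": {"name": "EMNIP"},
        "children": [{"mgmtRsOoBCons": {"attributes": {"tnVzOOBBrCPName": "OOB-CONTRACT"}}}]
                    + [{"mgmtSubnet": {"attributes": {"ip": s}}} for s in subnets]}}]}}
    return {"fvTenant": {"attributes": {"name": "mgmt"}, "children": [contract, epg, instp]}}


def oob_addresses(config):
    """Map node DN -> static OOB address from a tree built by build_oob_config (for review)."""
    epg = config["fvTenant"]["children"][1]["mgmtMgmtP"]["children"][0]["mgmtOoB"]
    return {c["mgmtRsOoBStNode"]["attributes"]["tDn"]: c["mgmtRsOoBStNode"]["attributes"]["addr"]
            for c in epg["children"] if "mgmtRsOoBStNode" in c}


def apic_login(apic, user, password, cafile):
    """Log in and return an opener that carries the APIC-cookie session cookie.

    cafile is the APIC certificate (or its issuing CA) saved to disk, so the
    TLS session is verified instead of clicked through."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx),
                                         urllib.request.HTTPCookieProcessor(CookieJar()))
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"https://{apic}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=15) as resp:
        json.load(resp)["imdata"][0]["aaaLogin"]  # KeyError if the reply is not a login
    return opener


def push_config(opener, apic, config):
    """POST the tree under the policy universe and return the APIC's reply."""
    req = urllib.request.Request(f"https://{apic}/api/mo/uni.json",
                                 data=json.dumps(config).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Credentials and rack number come from the environment, not from the script
    apic = os.environ["APIC"]          # e.g. 192.168.R0.1 with R replaced
    rack = int(os.environ["ACI_RACK"])
    opener = apic_login(apic, os.environ["APIC_USER"], os.environ["APIC_PASSWORD"],
                        os.environ["APIC_CAFILE"])
    print(json.dumps(push_config(opener, apic, build_oob_config(rack)), indent=2))
```

The mgmtSubnet entries are the complete list of sources allowed to reach the switch management ports, so review them before pushing; 10.0.0.0/8 is far wider than a lab rack needs outside a classroom.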

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Configure DNS for the APIC (Instructor Demo)


In this task, the instructor will configure the APIC to use DNS for name resolution.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 65 Return to the APIC GUI running in your Chrome browser.


Step 66 In the Menu bar, click Fabric.
Step 67 In the Submenu bar, click Fabric Policies.
Step 68 In the Navigation pane, expand Global Policies > DNS Profiles > default.
Step 69 In the DNS Providers subsection, click the plus sign to create a new entry.
Step 70 In the ADDRESS field, type 192.168.R0.40 (replace “R” with your ACI Rack Number).
Step 71 Click the check box under Preferred.
Step 72 Click the UPDATE button.
Step 73 In the DNS Domains pane click the plus sign to create a new entry.
Step 74 In the NAME field, type dc.local.
Step 75 Click the check box under Default.
Step 76 Click the UPDATE button.

Step 77 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.

Step 78 Click the SUBMIT CHANGES button.
Step 79 Return to the PuTTY window containing your session to APIC.
Step 80 To verify that DNS name resolution is functioning properly, enter the ping leaf-1.dc.local
command. After a few seconds press <Ctrl>+<C> to stop the ping.

apic1# ping leaf-1.dc.local
PING leaf-1.dc.local (192.168.30.101) 56(84) bytes of data.
64 bytes from 192.168.30.101: icmp_seq=1 ttl=64 time=0.220 ms
64 bytes from 192.168.30.101: icmp_seq=2 ttl=64 time=0.170 ms
64 bytes from 192.168.30.101: icmp_seq=3 ttl=64 time=0.111 ms
64 bytes from 192.168.30.101: icmp_seq=4 ttl=64 time=0.138 ms
64 bytes from 192.168.30.101: icmp_seq=5 ttl=64 time=0.138 ms

--- leaf-1.dc.local ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 13618ms
rtt min/avg/max/mdev = 0.111/0.155/0.220/0.038 ms

Step 81 Enter the ping leaf-1 command; make sure not to include the domain name. After a few
seconds press <Ctrl>+<C> to stop the ping.

apic1# ping leaf-1
PING Leaf-1 (172.19.64.95) 56(84) bytes of data.
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=1 ttl=64 time=0.156 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=2 ttl=64 time=0.125 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=3 ttl=64 time=0.158 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=4 ttl=64 time=0.250 ms
64 bytes from Leaf-1 (172.19.64.95): icmp_seq=5 ttl=64 time=0.112 ms

--- Leaf-1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4060ms
rtt min/avg/max/mdev = 0.112/0.160/0.250/0.048 ms

Note The APIC used the IP address of 192.168.R0.101 for leaf-1.dc.local, and it used 172.19.64.95
for leaf-1. The IP address 192.168.R0.101 is the out-of-band address, while 172.19.64.95 is the
infrastructure address assigned to leaf-1 when it was connected to the fabric.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 4: Configure DNS for the Fabric Switches (Instructor Demo)


In this task, the instructor will configure the fabric switches to use DNS for name resolution.

Activity Procedure

Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 82 In the Navigation pane, expand Global Policies > DNS Profiles.
Step 83 Right-click the DNS Profiles folder and then select Create DNS Profile from the context
menu.

Step 84 The Create DNS Profile wizard will appear. Enter the values in the following table.

Field            Value
Name             DNS-PROFILE
Management EPG   OOB-MGMT-EPG (Out-of-Band)

Step 85 In the DNS Domains pane click the plus sign to create a new entry.
Step 86 In the NAME field, type dc.local.
Step 87 Click the check box under Default.
Step 88 Click the UPDATE button.
Step 89 In the DNS Providers subsection, click the plus sign to create a new entry.
Step 90 In the ADDRESS field, type 192.168.R0.40 (replace “R” with your ACI Rack Number).
Step 91 Click the check box under Preferred.
Step 92 Click the UPDATE button.

Step 93 Click the SUBMIT button to complete the Create DNS Profile wizard.
Step 94 In the Menu bar, click Tenants.
Step 95 In the Submenu bar, click mgmt.
Step 96 In the Navigation pane, expand Tenant mgmt > Networking > VRFs > oob.
Step 97 Near the bottom of the Work pane, in the DNS Labels field, type DNS-PROFILE.

Step 98 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 99 Click the SUBMIT CHANGES button.
Step 100 Return to the PuTTY window containing your session to Leaf-1.
Step 101 To verify that DNS name resolution is functioning properly, enter the ping leaf-2.dc.local
command. After a few seconds press <Ctrl>+<C> to stop the ping.

Leaf-1# ping leaf-2.dc.local
PING leaf-2.dc.local (192.168.30.103): 56 data bytes
64 bytes from 192.168.30.103: icmp_seq=0 ttl=64 time=0.314 ms
64 bytes from 192.168.30.103: icmp_seq=1 ttl=64 time=0.182 ms
64 bytes from 192.168.30.103: icmp_seq=2 ttl=64 time=0.240 ms
64 bytes from 192.168.30.103: icmp_seq=3 ttl=64 time=0.219 ms
64 bytes from 192.168.30.103: icmp_seq=4 ttl=64 time=0.222 ms
^C--- leaf-2.dc.local ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.182/0.235/0.314/0.044 ms

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 5: Configure a RADIUS Provider (Instructor Demo)


In this task, the instructor will configure a RADIUS provider which will be used in future lab exercises.

Activity Procedure
Complete these steps:

Note The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 102 Return to the APIC GUI running in your Chrome browser.
Step 103 In the Menu bar, click Admin.
Step 104 In the Submenu bar, click AAA.
Step 105 Navigate to RADIUS Management > RADIUS Providers.
Step 106 Right-click the RADIUS Providers folder and then select Create RADIUS Provider from the
context menu.

Step 107 The Create RADIUS Provider wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                        Value
Host Name (or IP Address)    192.168.R0.41 (replace “R” with your ACI Rack Number)
Key / Confirm Key            1234QWer

Step 108 Click the SUBMIT button to complete the Create RADIUS Provider wizard.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 6: Configure a Local User Account (Instructor Demo)

In this task, the instructor will configure a local user account to be used as a second account that has full
administrative privileges to the fabric.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 109 In the Menu bar, click Admin.


Step 110 In the Submenu bar, click AAA.
Step 111 Navigate to Security Management > Local Users.
Step 112 Right-click the Local Users folder and then select Create Local User from the context menu.

Step 113 The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to all.

Step 114 Click the NEXT button. In STEP 2 > Roles, select Read Write for each of the roles listed.

Step 115 Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                          Value
Login ID                       admin2
Password / Confirm Password    1234QWer

Step 116 Click the FINISH button to complete the wizard.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 7: Configure the Date and Time Format and NTP (Instructor
Demo)
In this task, the instructor will configure the date and time format of the clock and the NTP server used by the
fabric.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 117 In the Menu bar, click Fabric.


Step 118 In the Submenu bar, click Fabric Policies.
Step 119 Navigate to Pod Policies > Policies > Date and Time > default.
Step 120 In the Work pane, in the Time Zone drop-down list, select America/New_York.

Step 121 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 122 Click the SUBMIT CHANGES button.
Step 123 In the Navigation pane, right-click the Date and Time folder and then select Create Date and
Time Policy from the context menu.

Step 124 The Create Date and Time Policy wizard will appear. In STEP 1 > Identity, in the Name field,
type DATE-TIME-POLICY.

Step 125 Click the NEXT button.
Step 126 In STEP 2 > NTP Servers, click the plus sign to create a new entry and enter the values in the
following table.

Field             Value
Name              192.168.R0.40 (replace “R” with your ACI Rack Number)
Preferred         Checked
Management EPG    OOB-MGMT-EPG (Out-of-Band)

Step 127 Click the OK button to complete the Create Providers wizard.

Step 128 Click the FINISH button to complete the Create Date and Time Policy wizard.
Step 129 In the Navigation pane, expand the Pod Policies > Policies > Policy Groups folder.
Step 130 Right-click the Policy Groups folder and then select Create Pod Policy Group from the
context menu.

Step 131 The Create Pod Policy Group wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field               Value
Name                POD-POLICY-GROUP
Date Time Policy    DATE-TIME-POLICY

Step 132 Click the SUBMIT button to complete the Create Pod Policy Group wizard.
Step 133 Navigate to Pod Policies > Profiles > default.
Step 134 In the Work pane, in the Fabric Policy Group drop-down list, select POD-POLICY-GROUP.

Step 135 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 136 Click the SUBMIT CHANGES button.

Step 137 The necessary date and time settings for the fabric are now configured. You can view the date
and time for the fabric at the bottom of the APIC GUI. It may take several seconds for the
correct time to be displayed.

Step 138 Return to the PuTTY window containing your session to Leaf-1.
Step 139 To verify that NTP is functioning properly on the switch enter the show ntp peer-status
command. You should see that there is a single peer, and the peer is selected for
synchronization.

Leaf-1# show ntp peer-status
Total peers : 1
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
remote local st poll reach delay vrf
-------------------------------------------------------------------------------
*192.168.R0.40 0.0.0.0 6 16 37 0.00043 management

Note It may take a few minutes for the switch to synchronize with the peer.

Step 140 Use the show clock command to verify that the clock on the switch is set correctly.

Leaf-1# show clock
10:36:59.840334 EDT Thu Sep 03 2015

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 8: Enable HTTP Access for the XML API (Instructor Demo)
In this task, the instructor will enable HTTP access to the APICs so that the REST (XML/JSON) API is
reachable over plain HTTP for the API labs. HTTP is disabled by default for a reason: the aaaLogin
request carries the admin password and every subsequent API call carries the APIC-cookie session
token, all in cleartext. Outside the lab, leave HTTP disabled and use the HTTPS listener.

Activity Procedure
Complete these steps:

Note The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 141 In the Menu bar, click Fabric.


Step 142 In the Submenu bar, click Fabric Policies.
Step 143 Navigate to Pod Policies > Policies > Management Access > default.
Step 144 In the HTTP section, in the Admin State drop-down list, select Enabled.

Step 145 Click the SUBMIT button to commit the configuration changes. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 146 Click the SUBMIT CHANGES button.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 9: Configure MP-BGP Route Reflectors (Instructor Demo)


In this task, the instructor will configure MP-BGP Route Reflectors.
Internal to the ACI fabric, MP-BGP is implemented between leaf and spine switches to propagate external
routes within the ACI fabric; all the leaf and spine switches are in one single BGP AS. The border leaf uses
MP-BGP to advertise the external routes to the spine switches, which act as BGP route reflectors to avoid the
full mesh requirements of BGP. Routes are only propagated by spines to leaf switches where the Private
Networks are instantiated.

Note Private Networks are only instantiated on a leaf when an EPG for that Private Network has
endpoints connected off the leaf.

MP-BGP is not enabled by default in ACI fabric. You will configure a BGP policy, specifying the BGP AS
number and specific spine nodes as BGP route reflectors. Once configured the APIC will automatically
configure iBGP peering between leaf and spine and specify leaf switches as route reflector clients. APIC also
automatically generates the required configuration for route redistribution on the border leaf.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 147 In the Menu bar, click Fabric.


Step 148 In the Submenu bar, click Fabric Policies.
Step 149 In the Navigation pane, select Pod Policies > Policies > BGP Route Reflector default.

Step 150 In the Work pane, set the Autonomous System Number to 100.

Note The fabric BGP ASN must match the ASN of the external router if iBGP will be configured between
the ACI Fabric and an external network (with eBGP the external router simply peers with this ASN). If
using static routes, OSPF, or EIGRP between the ACI Fabric and an external network, the ASN can be any
valid value.

Step 151 In the Route Reflector Nodes subsection, click the plus sign to start the Create Route
Reflector Node Policy EP wizard.
Step 152 In the Spine Node drop-down menu, select 102 (Spine-1).

Step 153 Click the SUBMIT button to complete the wizard. Node ID 102 will now be listed in the Route
Reflector Nodes subsection.
Step 154 Click the SUBMIT button in the Work pane. A Policy Usage Warning will appear indicating
the other objects that will be affected by the changes.
Step 155 Click the SUBMIT CHANGES button.

Note This configuration applies to the entire fabric, and is not enforced per Tenant. BGP will be
automatically enabled on any leaf switch which has an external Layer 3 network attached, as
well as any leaf switch where the Private Network associated with the Layer 3 external network
are instantiated (leafs which do not have the Private Network associated preserve the hardware
resources by not running BGP or not storing the routes).

Note Once the border leaf forms a neighbor relationship, it will propagate Tenant routes to the
external router. Users have control of which Tenant subnets to advertise to external routers.
When specifying subnets under the bridge domain for a given Tenant, the user has the choice to
specify the scope (private, public, or shared) of a subnet.

Note For security and separation, MP-BGP maintains separate BGP routing tables for each ACI
Private Network.

Step 156 To verify that the BGP route reflectors are functioning, navigate to Fabric > Inventory > Pod
1 > Spine-1 > Protocols > BGP > BGP for VRF overlay-1 > Sessions. You should see that
there are two established BGP sessions, one to each leaf switch.

Step 157 From your Student Server desktop, start a PuTTY session with Spine-1. There should be a
shortcut on the desktop for Spine-1.
Step 158 Log in to Spine-1 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 159 Verify that the BGP sessions to the leaf switches are established by entering the show bgp
sessions vrf overlay-1 command.

Spine-1# show bgp sessions vrf overlay-1
Total peers 2, established peers 2
ASN 100
VRF overlay-1, local ASN 100
peers 2, established peers 2, local router-id 172.19.208.94
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown

Neighbor ASN Flaps LastUpDn|LastRead|LastWrit St Port(L/R) Notif(S/R)
172.19.208.95 100 0 00:02:31|never |never E 179/48420 0/0
172.19.208.93 100 0 00:02:30|never |never E 179/52730 0/0

Lab 2: Configure a Tenant, VRF, and Bridge
Domain
Overview
Complete this lab activity to create the basic network constructs to allow communication into the ACI Fabric.
All of the labs will leverage the multi-tenancy capabilities that allow ACI to scale. ACI is designed to scale
from smaller commercial environments, which may use a single Tenant, to large cloud providers with support
for 64,000 Tenants and above. A single Enterprise can also leverage Tenants to enforce administrative and
operational separation between different internal businesses or processes.
Upon completing this guided lab, you will be able to:
 Create a Tenant
 Create a VRF
 Create a Bridge Domain
 Create Subnets

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Create a Tenant


In this task, you will create a Tenant using the APIC wizard. A tenant is a container for policies to exercise
domain-based access control. A tenant represents a unit of isolation from a policy perspective, but it does not
represent a private network. Tenants can represent a customer in a service provider setting, an organization, a
domain in an enterprise setting, or just a convenient grouping of policies.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Tenants.

Note By default there are three pre-existing tenants: common, infra, and mgmt.

The common tenant contains system generated pre-configured policies that govern the
operation of resources accessible to all tenants, such as firewalls, load balancers, Layer 4 to
Layer 7 services, intrusion detection appliances, and so on. Common tenant policies are
configurable by the fabric administrator.

The infra (infrastructure) tenant contains policies that govern the operation of infrastructure
resources such as the fabric VXLAN overlay. It also enables a fabric provider to selectively
deploy resources to one or more user tenants.

The management tenant contains policies that govern the operation of fabric management
functions used for in-band and out-of-band configuration of fabric nodes. The management
tenant contains an out-of-band address space for the APIC/fabric internal communications that
is outside the fabric data path and provides access through the management port of the
switches. The management tenant enables discovery and automation of communications with
virtual machine controllers.

Step 7 In the Submenu bar, click Add Tenant.

Step 8 The Create Tenant wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.

Field          Value
Name           POD## (replace “##” with your assigned 2-digit Pod Number)
Description    (enter your name and/or nickname)

Note Throughout all labs, ## refers to your pod, as assigned by your instructor. Pay very close
attention in all labs to be sure you are working in YOUR pod.
For all NterOne ACI labs, your Tenant = your Pod.

Step 9 Click the SUBMIT button to complete the Create Tenant wizard.
Step 10 The APIC GUI will take you to the Quick Start folder of the Tenant that you just created.

Task 2: Create a VRF
In this task, you will create a VRF within your Tenant.
A VRF is a unique Layer 3 forwarding and application policy domain. One or more bridge domains are
associated with a VRF. All of the endpoints within the Layer 3 domain must have unique IP addresses.
In ACI nomenclature, the terms Context, Private Network, and VRF are synonymous. Just as a router can
have multiple VRFs configured, an ACI tenant can have multiple Contexts associated with it.

Activity Procedure
Complete these steps:
Step 11 In the Navigation pane, expand Tenant POD## > Networking > VRFs.
Step 12 Right-click the VRFs folder and then select Create VRF from the context menu.

Step 13 The Create VRF wizard will appear. In STEP 1 > VRF, enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                     Value
Name                      POD##-VRF (replace “##” with your assigned 2-digit Pod Number)
Create a Bridge Domain    Unchecked

Step 14 Click the FINISH button.

Note What does Policy Enforcement mean? By default a VRF is in enforced mode, so traffic between
EPGs is only permitted when a contract allows it, and the check is performed by either the ingress
or the egress leaf. As traffic enters the ingress leaf, the VXLAN fabric header is marked with the
EPG (class ID) of the source endpoint. The leaf then performs a forwarding lookup on the packet
destination IP address within the VRF. A host-route (/32) hit provides the EPG of the destination
endpoint together with either the local interface or the VTEP IP address of the remote leaf where
that endpoint is attached; a subnet-prefix hit provides the EPG associated with the destination
prefix and the leaf where that prefix is present. When both EPGs are known, the ingress leaf
applies the policy.

Note A miss causes the packet to be sent to the forwarding proxy in the spine switch, which performs
a forwarding table lookup. If this is a miss, the packet is dropped. If it is a hit, the packet is sent
to the egress leaf switch that contains the destination endpoint. Because the egress leaf switch
knows the EPG of the source and destination, it performs the security policy enforcement.

Note On the egress leaf switch, the source IP address and source EPG information will be stored in
the local forwarding table through learning. Because most flows are bidirectional, a return packet
populates the forwarding table on both sides of the flow, which enables the traffic to be ingress
filtered in both directions.

Task 3: Create a Bridge Domain


In this task, you will create a bridge domain.

Activity Procedure
Complete these steps:
Step 15 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains.
Step 16 Right-click the Bridge Domains folder and then select Create Bridge Domain from the
context menu.

Step 17 The Create Bridge Domain wizard will appear. In STEP 1 > Main, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field    Value
Name     POD##-BD (replace “##” with your assigned 2-digit Pod Number)
VRF      POD##/POD##-VRF (replace “##” with your assigned 2-digit Pod Number)

Step 18 Click the NEXT button. In STEP 2 > L3 Configurations, do not make any changes.
Step 19 Click the NEXT button. In STEP 3 > Advanced/Troubleshooting, do not make any changes.
Step 20 Click the FINISH button to complete the Create Bridge Domain wizard.

Task 4: Create Subnets within the Bridge Domain


In this task, you will create subnets within the bridge domain.

Activity Procedure
Complete these steps:
Step 21 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-
BD > Subnets.
Step 22 Right-click the Subnets folder and then select Create Subnet from the context menu.

Step 23 The Create Subnet wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.

Field         Value
Gateway IP    10.##.1.254/24 (replace “##” with your assigned Pod Number, used as the second octet)
Scope         Private to VRF

Note The Scope of a subnet defines where the subnet is visible and whether it is advertised. The scope can be:

Private to VRF – The subnet stays inside its VRF; it is neither advertised out of the fabric nor leaked to
other VRFs. This is the default.

Advertised Externally – The subnet is eligible to be advertised out of the fabric through an external
routed network (L3Out) associated with the bridge domain.

Shared between VRFs – The subnet is leaked to other VRFs (in the same or a different Tenant) for shared
services, that is, when an EPG in this VRF has a contract with an EPG in another VRF.

Step 24 Click the SUBMIT button. The subnet you just created will be visible in the Subnets
subsection.
Step 25 Repeat the previous three steps to create a subnet with the Gateway IP of 10.##.2.254/24
(replace “##” with your assigned 2-digit Pod Number)
Step 26 Repeat the previous three steps to create a subnet with the Gateway IP of 10.##.3.254/24
(replace “##” with your assigned 2-digit Pod Number)
Step 27 In the Navigation pane, in the Subnets folder, be sure you see the three Subnets listed. Make
sure the second octet of the IP address is your Pod ##, which is the same number as your
Tenant. The screen shot here is an example for pod 11.

Lab 3: Configure Policy Filters and Contracts
Overview
To build the foundation of the Application Profile, it is necessary to create Filters within a Tenant that
Contracts will use. Those Contracts will then be associated with EPGs that will make up the Application
Profile.
Complete this lab activity to become familiar with the configuration of Filters that the Contracts will
consume.
Upon completing this guided lab, you will be able to:
 Create Filters
 Create Contracts

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Create Filters


In this task, you will create filters to be used in the various contracts that you will create in the next Task.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Tenants.
Step 7 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 8 In the Navigation pane, expand Tenant POD## > Security Policies > Filters.
Step 9 Right-click the Filters folder and then select Create Filter from the context menu.

Step 10 The Create Filter wizard will appear. In the Name field type POD##-FILTER-ANY (replace
“##” with your assigned 2-digit Pod Number).
Step 11 In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field        Value
Name         ANY
EtherType    Unspecified

Step 12 Click the UPDATE button.


Step 13 Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder.
Step 14 Right-click the Filters folder and then select Create Filter from the context menu.
Step 15 The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-80
(replace “##” with your assigned 2-digit Pod Number).
Step 16 In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                              Value
Name                               PORT-80
EtherType                          IP
IP Protocol                        tcp
Match Only Fragment                Unchecked
Stateful                           Checked
Source Port / Range – From         1024
Source Port / Range – To           65535
Destination Port / Range – From    80
Destination Port / Range – To      80
TCP Session Rules                  Unspecified

Step 17 Click the UPDATE button.
Step 18 Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder.
Step 19 Right-click the Filters folder and then select Create Filter from the context menu.
Step 20 The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-81
(replace “##” with your assigned 2-digit Pod Number).
Step 21 In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                              Value
Name                               PORT-81
EtherType                          IP
IP Protocol                        tcp
Match Only Fragment                Unchecked
Stateful                           Checked
Source Port / Range – From         1024
Source Port / Range – To           65535
Destination Port / Range – From    81
Destination Port / Range – To      81
TCP Session Rules                  Unspecified

Step 22 Click the UPDATE button.


Step 23 Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder.
Step 24 Right-click the Filters folder and then select Create Filter from the context menu.
Step 25 The Create Filter wizard will appear. In the Name field type POD##-FILTER-PORT-82
(replace “##” with your assigned 2-digit Pod Number).
Step 26 In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                              Value
Name                               PORT-82
EtherType                          IP
IP Protocol                        tcp
Match Only Fragment                Unchecked
Stateful                           Checked
Source Port / Range – From         1024
Source Port / Range – To           65535
Destination Port / Range – From    82
Destination Port / Range – To      82
TCP Session Rules                  Unspecified

Step 27 Click the UPDATE button.


Step 28 Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder.
Step 29 Right-click the Filters folder and then select Create Filter from the context menu.
Step 30 The Create Filter wizard will appear. In the Name field type POD##-FILTER-ICMP (replace
“##” with your assigned 2-digit Pod Number).
Step 31 In the Entries subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                  Value
Name                   ICMP
EtherType              IP
IP Protocol            icmp
Match Only Fragment    Unchecked

Step 32 Click the UPDATE button.


Step 33 Click the SUBMIT button to complete the Create Filter wizard. You should now see the filter
you just created in the Filters folder. At this point there should be five filters listed in the
Filters folder.

Task 2: Create Contracts
In this task, you will create Contracts that will use the Filters that you created in the previous task. You will
apply these contracts in the subsequent lab exercises.

Activity Procedure
Complete these steps:
Step 34 In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.
Step 35 Right-click the Contracts folder and then select Create Contract from the context menu.

Step 36 The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-ANY
(replace “##” with your assigned 2-digit Pod Number).

Step 37 In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 38 In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 39 Click the UPDATE button, and then click the OK button.

Step 40 Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.
Step 41 Right-click the Contracts folder and then select Create Contract from the context menu.
Step 42 The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-DB-
APP (replace “##” with your assigned 2-digit Pod Number).
Step 43 In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 44 In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.
Step 45 Click the UPDATE button, and then click the OK button.

Step 46 Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.
Step 47 Right-click the Contracts folder and then select Create Contract from the context menu.
Step 48 The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-APP-
WEB (replace “##” with your assigned 2-digit Pod Number).
Step 49 In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                    Value
Name                     SUBJECT-ANY
Apply Both Directions    Checked
Reverse Filter Ports     Checked

Step 50 In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.
Step 51 Click the UPDATE button, and then click the OK button.

Step 52 Click the SUBMIT button to complete the Create Contract wizard. At this point there should
be three contracts listed in the Contracts folder.

Lab 4: Deploy a Three-Tier Application Profile
Overview
With the Filters and Contracts from the previous lab, you can now build an Application Profile. An
Application Profile is a template of network attributes and policies for an application that can be
instantiated dynamically and inserted into the fabric without further manual configuration.
Application Profiles are a powerful tool for building out application connectivity and policy using repeatable
processes. Application connectivity is defined in terms of the services that tiers or components provide and
the services they consume. Contracts define the policy for those connections and are attached to EPGs in
provider or consumer relationships.
Complete this lab activity to become familiar with the configuration of an Application Profile.
Upon completing this guided lab, you will be able to:
 Build an Application Profile for a Three-Tier Application

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Create Application Profile


In this task, you will create an Application Profile.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Tenants.
Step 7 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 8 In the Navigation pane, expand Tenant POD## > Application Profiles.
Step 9 Right-click the Application Profiles folder and then select Create Application Profile from
the context menu.

Step 10 The Create Application Profile wizard will appear. In the Name field type POD##-
APPLICATION-PROFILE (replace “##” with your assigned 2-digit Pod Number).

Step 11 In the EPGs subsection, click the plus sign to create a new EPG. Enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-DB-EPG (replace “##” with your assigned 2-digit Pod Number)
BD POD##-BD (replace “##” with your assigned 2-digit Pod Number)
Provided Contract POD##-CONTRACT-DB-APP (replace “##” with your assigned 2-digit Pod Number)

Step 12 Click the UPDATE button.


Step 13 In the EPGs subsection, click the plus to create a new EPG. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-APP-EPG (replace “##” with your assigned 2-digit Pod Number)
BD POD##-BD (replace “##” with your assigned 2-digit Pod Number)
Provided Contract POD##-CONTRACT-APP-WEB (replace “##” with your assigned 2-digit Pod Number)
Consumed Contract POD##-CONTRACT-DB-APP (replace “##” with your assigned 2-digit Pod Number)

Step 14 Click the OK button.


Step 15 In the EPGs subsection, click the plus to create a new EPG. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-WEB-EPG (replace “##” with your assigned 2-digit Pod Number)
BD POD##-BD (replace “##” with your assigned 2-digit Pod Number)
Consumed Contract POD##-CONTRACT-APP-WEB (replace “##” with your assigned 2-digit Pod Number)

Step 16 Click the OK button. You should now see three EPGs listed in the EPGs pane.

Step 17 Click the SUBMIT button to complete the Create Application Profile wizard.
Step 18 In the Navigation pane, expand the Application Profiles folder, and then click the
POD##-APPLICATION-PROFILE object. In the Work pane, the first tab that is presented is the
Topology tab. This tab displays a diagram that logically represents the application profile.

Note You may need to drag-and-drop the various icons in order to create a diagram that is easier to
view.

Step 19 In the Navigation pane, expand Tenant POD## > Security Policies > Contracts >
POD##-CONTRACT-APP-WEB. In the Work pane, the first tab that is presented is the Topology tab.
This tab displays a diagram that logically represents the contract and its relationship with the
end point groups.

Note The arrows from an EPG to a Contract indicate a provided contract. The arrows from a Contract
to an EPG represent a consumed contract.
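The same three-tier profile expressed as the APIC REST payload that the wizard writes, as an added example that is not part of the lab guide (the REST API itself is covered in Lab 10). It assumes Python 3 and a pod number; the tenant, bridge domain and contract names follow the naming used in the steps above, no request is sent, and the second function derives which EPG pairs the contracts actually permit.

```python
"""Lab 4 Application Profile as APIC managed objects (hypothetical example, not the lab's code).

The object model used here is the one the GUI wizard writes: fvAp > fvAEPg, with the EPG's
bridge domain (fvRsBd), provided contracts (fvRsProv) and consumed contracts (fvRsCons)
as child relationship objects.
"""
import json


def post_url(pod):
    """URL (relative to https://<apic>) to which the fvAp below would be POSTed."""
    return f"/api/mo/uni/tn-POD{pod:02d}.json"


def build_app_profile(pod):
    """Return the fvAp managed object for tenant POD<pod> as a JSON-ready dict."""
    p = f"{pod:02d}"
    bd = f"POD{p}-BD"
    c_db_app = f"POD{p}-CONTRACT-DB-APP"
    c_app_web = f"POD{p}-CONTRACT-APP-WEB"

    def epg(name, provides=(), consumes=()):
        # Every EPG in the lab is placed in the same bridge domain.
        children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
        children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
        children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
        return {"fvAEPg": {"attributes": {"name": name}, "children": children}}

    return {
        "fvAp": {
            "attributes": {"name": f"POD{p}-APPLICATION-PROFILE"},
            "children": [
                epg(f"POD{p}-DB-EPG", provides=[c_db_app]),
                epg(f"POD{p}-APP-EPG", provides=[c_app_web], consumes=[c_db_app]),
                epg(f"POD{p}-WEB-EPG", consumes=[c_app_web]),
            ],
        }
    }


def permitted_flows(ap):
    """Enumerate the (consumer EPG, provider EPG, contract) relationships the profile creates.

    ACI is a whitelist model: traffic between two EPGs is only forwarded when one consumes a
    contract the other provides (replies are permitted by default). Any EPG pair absent from
    this set, e.g. WEB to DB here, is dropped by the fabric.
    """
    providers, consumers = {}, {}
    for child in ap["fvAp"]["children"]:
        epg = child["fvAEPg"]
        name = epg["attributes"]["name"]
        for rel in epg["children"]:
            if "fvRsProv" in rel:
                contract = rel["fvRsProv"]["attributes"]["tnVzBrCPName"]
                providers.setdefault(contract, set()).add(name)
            elif "fvRsCons" in rel:
                contract = rel["fvRsCons"]["attributes"]["tnVzBrCPName"]
                consumers.setdefault(contract, set()).add(name)
    flows = set()
    for contract, cons in consumers.items():
        for c in cons:
            for p in providers.get(contract, ()):
                flows.add((c, p, contract))
    return flows


if __name__ == "__main__":
    profile = build_app_profile(11)
    print("POST", post_url(11))
    print(json.dumps(profile, indent=2))
    for consumer, provider, contract in sorted(permitted_flows(profile)):
        print(f"{consumer} -> {provider} via {contract}")
```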

Lab 5: Configure a VMware VMM Domain
Overview
ACI can integrate with various hypervisor technologies. This lab demonstrates integration with VMware's
vCenter technology, which allows the APIC to create policies that the VMware virtual environment can use.
In this lab section, you will register the APIC with your virtual environment, which uses VMware's vCenter
Server. This lab walks you through the registration process, which will later allow the APIC to push
application policies down to the virtual machines in your pod. That tight integration is shown in a subsequent
lab; this lab focuses on building the connection between the APIC and VMware's vCenter Server.
Complete this lab activity to become familiar with registering a VMware domain in ACI.
Upon completing this guided lab, you will be able to:
 Register the APIC with VMware vCenter Server, creating a Distributed Virtual Switch inside VMware's
networking construct
 Create vCenter Credentials and a Server object
 Verify that the ACI DVS has been created and the connection between APIC and vCenter Server is
established

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a VLAN Pool


In this task, you will create a VLAN pool that will be used by the VMM domain you will create in a
subsequent Task.

Note A VLAN pool specifies the VLAN IDs or ranges used for VLAN encapsulation that the VMM
domain consumes. Each time you associate an EPG to a VMM domain a VLAN ID is taken from
the VLAN pool and assigned to the virtual machine group that is created within the VMM domain
(e.g. a port group within the ACI DVS within a vCenter).

Activity Procedure
Complete these steps:
Step 8 Return to the APIC GUI running in your Chrome browser.
Step 9 In the Menu bar, click Fabric.
Step 10 In the Submenu bar, click Access Policies.
Step 11 In the Navigation pane, expand Pools > VLAN.
Step 12 Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 13 The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field Value
Name POD##-VMM-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
Allocation Mode Dynamic Allocation

Step 14 In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

Field Value
Range (From) 3##0 (replace “##” with your assigned 2-digit Pod Number)
Range (To) 3##9 (replace “##” with your assigned 2-digit Pod Number)

Step 15 Click the OK button.

Step 16 Click the SUBMIT button to complete the Create VLAN Pool wizard. You should now see the
VLAN you just created in the VLAN folder.

Task 2: Create a VMM Domain


In this task, you will create a VMM domain which will integrate the ACI fabric with your assigned vCenter
server.

Activity Procedure
Complete these steps:
Step 17 In the Menu bar, click VM Networking.
Step 18 In the Navigation pane, right-click the VMware folder, and then select Create vCenter
Domain from the context menu.

Step 19 The Create vCenter Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Virtual Switch VMware vSphere Distributed Switch
VLAN Pool POD##-VMM-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)

Step 20 In the vCenter Credentials subsection, click the plus sign to create a new vCenter credential.
Enter the values in the following table.

Field Value
Name VCENTER-CREDENTIAL
Username root
Password / Confirm Password 1234QWer

Step 21 Click the OK button.


Step 22 In the vCenter/vShield subsection, click the plus sign to create a new vCenter connection.
Enter the values in the following table; do NOT change any of the values that are not listed in
the following table.

Field Value
Type vCenter
Name VCENTER-CONTROLLER
Host Name vcenter-@.dc.local (replace “@” with your assigned vCenter letter)
Datacenter Datacenter-@ (replace “@” with your assigned vCenter CAPITAL letter)
Associated Credential VCENTER-CREDENTIAL

Note The name of the Datacenter must exactly match the name as it appears in the vSphere Client,
otherwise the APIC will not be able to locate and configure the correct Datacenter in the vCenter
Server. In this lab the “D” at the beginning of the name and the vCenter letter are capitalized; the
rest of the name is in lower case.

Step 23 Click the OK button.

Step 24 Click the SUBMIT button to complete the Create vCenter Domain wizard. You should now
see the VMM domain you just created in the VMware folder.

Task 3: Verify the APIC Connection to the vCenter Server


In this task, you will verify the APIC connection to your assigned vCenter server.

Activity Procedure
Complete these steps:

Note The following steps demonstrate how you can also verify the connection between the APIC and
the vCenter server by using the vSphere client to view that the ACI DVS has been created.

Step 25 Return to the VMware vSphere Client application.


Step 26 Press Ctrl-Shift-N to shift to the Networking section.

Step 27 Expand the Datacenter and POD##-VMM-DOMAIN folders. You will notice that a new DVS
has been created named POD##-VMM-DOMAIN and there are two default port groups: one
port group for DVS uplinks and another port group named quarantine.

Step 28 The APIC now has a connection to the VMware vCenter Server.

Lab 6: Configure Baseline Interface Policies
Overview
In this lab, you will create interface policies that will be used by several of the subsequent lab exercises. The
interface policies are examples of baseline policies that you would use in a live ACI environment.

Note The Instructor of the class should perform this lab exercise using Pod Number “00”. The
policies will be used in subsequent lab exercises during instructor demonstrations.

Task 0: Log in to the APIC Controller
In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Create Link Level Interface Policies


In this task, you will create two Link Level Interface Policies:
 A Link Level Policy for leaf switch interfaces that will be configured for a speed of 1 Gbps
 A Link Level Policy for leaf switch interfaces that will be configured for a speed of 10 Gbps

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Fabric.
Step 7 In the Submenu bar, click Access Policies.
Step 8 Navigate to Interface Policies > Policies > Link Level.
Step 9 Right-click the Link Level folder and then select Create Link Level Policy from the context
menu.

Step 10 The Create Link Level Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-1G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Auto Negotiation Off
Speed 1 Gbps

Step 11 Click the SUBMIT button to complete the Create Link Level Policy wizard.
Step 12 Right-click the Link Level folder and then select Create Link Level Policy from the context
menu.
Step 13 The Create Link Level Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-10G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Auto Negotiation Off
Speed 10 Gbps

Step 14 Click the SUBMIT button to complete the Create Link Level Policy wizard.

Task 2: Create CDP Interface Policies

In this task, you will create two CDP Interface Policies:
 A CDP Interface Policy for leaf switch interfaces that will be configured to enable CDP
 A CDP Interface Policy for leaf switch interfaces that will be configured to disable CDP

Activity Procedure
Complete these steps:
Step 15 Navigate to Interface Policies > Policies > CDP Interface.
Step 16 Right-click the CDP Interface folder and then select Create CDP Interface Policy from the
context menu.

Step 17 The Create CDP Interface Policy wizard will appear. Enter the values in the following table.

Field Value
Name POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Admin State Enabled

Step 18 Click the SUBMIT button to complete the Create CDP Interface Policy wizard.
Step 19 Right-click the CDP Interface folder and then select Create CDP Interface Policy from the
context menu.
Step 20 The Create CDP Interface Policy wizard will appear. Enter the values in the following table.

Field Value
Name POD##-DISABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Admin State Disabled

Step 21 Click the SUBMIT button to complete the Create CDP Interface Policy wizard.

Task 3: Create LLDP Interface Policies


In this task, you will create two LLDP Interface Policies:
 An LLDP Interface Policy for leaf switch interfaces that will be configured to enable LLDP
 An LLDP Interface Policy for leaf switch interfaces that will be configured to disable LLDP

Activity Procedure
Complete these steps:
Step 22 Navigate to Interface Policies > Policies > LLDP Interface.
Step 23 Right-click the LLDP Interface folder and then select Create LLDP Interface Policy from
the context menu.

Step 24 The Create LLDP Interface Policy wizard will appear. Enter the values in the following table.

Field Value
Name POD##-ENABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Receive State Enabled
Transmit State Enabled

Step 25 Click the SUBMIT button to complete the Create LLDP Interface Policy wizard.
Step 26 Right-click the LLDP Interface folder and then select Create LLDP Interface Policy from
the context menu.
Step 27 The Create LLDP Interface Policy wizard will appear. Enter the values in the following table.

Field Value
Name POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Receive State Disabled
Transmit State Disabled

Step 28 Click the SUBMIT button to complete the Create LLDP Interface Policy wizard.

Task 4: Create PortChannel Policies


In this task, you will create two PortChannel Policies:
 A PortChannel Policy for leaf switch interfaces that will be added to a port channel that uses LACP
in active mode
 A PortChannel Policy for leaf switch interfaces that will be added to a port channel that does not use
LACP (“static” mode)

Activity Procedure
Complete these steps:

Step 29 Navigate to Interface Policies > Policies > PortChannel Policies.
Step 30 Right-click the PortChannel Policies folder and then select Create PortChannel Policy from
the context menu.

Step 31 The Create PortChannel Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-ACTIVE-PORTCHANNEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Mode LACP Active

Step 32 Click the SUBMIT button to complete the Create PortChannel Policy wizard.
Step 33 Right-click the PortChannel Policies folder and then select Create PortChannel Policy from
the context menu.
Step 34 The Create PortChannel Policy wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-STATIC-PORTCHANNEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
Mode Static Channel – Mode On

Step 35 Click the SUBMIT button to complete the Create PortChannel Policy wizard.

Lab 7: Integrate VMware ESXi Hosts into the ACI Fabric
Overview
In this lab, you will focus on adding the two ESXi hosts to the ACI DVS. This allows the APIC EPGs to be
associated with VMware's virtual environment. You will use the VMware vSphere Client to add the hosts to
the ACI DVS.
This lab completes the foundation that allows the APIC to create EPGs, which in turn causes VMware port
groups to be created that the virtual machines can use. This setup provides the integration the APIC needs to
distribute policies to the VMware virtual environment.
Complete this lab activity to become familiar with associating VMware ESXi hosts with ACI DVS.
Upon completing this guided lab, you will be able to:
 Add ESXi hosts to the ACI DVS

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create an Attachable Access Entity Profile


In this task, you will create an Attachable Access Entity Profile that will contain the VMM domain that you
created previously.

Note An attachable entity profile (AEP) represents a group of external entities with similar
infrastructure policy requirements. The infrastructure policies consist of physical interface
policies, for example, Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP),
maximum transmission unit (MTU), and Link Aggregation Control Protocol (LACP). A VM
Management (VMM) domain automatically derives the physical interface policies from the
interface policy groups that are associated with an AEP.

Activity Procedure
Complete these steps:

Note WARNING: Only one student per vCenter server may perform the steps in this Task.

Note WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 8 In the Menu bar, click Fabric.


Step 9 In the Submenu bar, click Access Policies.
Step 10 Navigate to Global Policies > Attachable Access Entity Profiles.
Step 11 Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 12 The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.

Field Value
Name VCENTER-@-AEP (replace “@” with your assigned vCenter letter)
Enable Infrastructure VLAN Checked

Step 13 Click the NEXT button. In STEP 2 > Association to Interfaces enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field Value
vSwitch Policies Specify
CDP Policy POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
LLDP Policy POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)

Step 14 Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Task 2: Add the VMM Domain to the AEP


In this task, you will add the VMM domain that you created previously to the vCenter AEP.

Activity Procedure
Complete these steps:

Note All students should perform this task.

Step 15 Navigate to Global Policies > Attachable Access Entity Profiles > VCENTER-@-AEP.
Step 16 In the Work pane, in the Domains (VMM, Physical or External) Associated to Interfaces
subsection, click the plus sign to associate your VMM domain.
Step 17 A Policy Usage Warning will appear indicating the other objects that will be affected by the
changes. Click the CONTINUE button.
Step 18 In the NAME drop-down list, select POD##-VMM-DOMAIN (replace “##” with your
assigned two-digit Pod Number).

Step 19 Click the UPDATE button.

Task 3: Create an Interface Policy Group


In this task, you will create an Interface Policy Group that will be used in a subsequent Task.

Activity Procedure
Complete these steps:

Note WARNING: Only one student per ESXi Host may perform the steps in this Task.

Note WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 20 Navigate to Interface Policies > Policy Groups.


Step 21 Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 22 The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
Name ESXI-@@-INTERFACE-POLICY-GROUP (replace “@@” with your assigned ESXi host ID)
Link Level Policy POD##-10G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
CDP Policy POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
LLDP Policy POD##-DISABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Attached Entity Profile VCENTER-@-AEP (replace “@” with your assigned vCenter letter)

Step 23 Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Task 4: Create an Interface Profile


In this task, you will create an Interface Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:

Note WARNING: Only one student per ESXi Host may perform the steps in this Task.

Note WARNING: Identify which student will complete this Task. If you are not the student
selected to complete this Task, do not make any configuration changes in the APIC GUI.

Step 24 Navigate to Interface Policies > Profiles.


Step 25 Right-click the Profiles folder and then select Create Interface Profile from the context menu.

Step 26 The Create Interface Profile wizard will appear. In the Name field, type
ESXI-@@-INTERFACE-PROFILE (replace “@@” with your assigned ESXi host ID).

WARNING: Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 27 In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field Value
Name INTERFACE-SELECTOR
Interface ID (use the entry for your assigned ESXi host):
ESXi-A1: 1/33
ESXi-A2: 1/34
ESXi-B1: 1/35
ESXi-B2: 1/36
ESXi-C1: 1/37
ESXi-C2: 1/38
ESXi-D1: 1/39
ESXi-D2: 1/40
Interface Policy Group ESXI-@@-INTERFACE-POLICY-GROUP (replace “@@” with your assigned ESXi host ID)

Step 28 Click the OK button to complete the Create Access Port Selector wizard.

Step 29 Click the SUBMIT button to complete the Create Interface Profile wizard.

Task 5: Create a Switch Profile

In this task, you will create a Switch Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:

Note Only one student per ESXi Host may perform the steps in this Task.

Note Identify which student will complete this Task. If you are not the student selected to
complete this Task, do not make any configuration changes in the APIC GUI.

Step 30 Navigate to Switch Policies > Profiles.


Step 31 Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 32 The Create Switch Profile wizard will appear. In STEP 1 > PROFILE, in the Name field,
type ESXI-@@-SWITCH-PROFILE (replace “@@” with your assigned ESXi host ID).

WARNING: Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 33 In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

Field Value
Name SWITCH-SELECTOR
Blocks (use the entry for your assigned ESXi host):
ESXi-A1: 101
ESXi-A2: 103
ESXi-B1: 101
ESXi-B2: 103
ESXi-C1: 101
ESXi-C2: 103
ESXi-D1: 101
ESXi-D2: 103

Step 34 Click the UPDATE button.

Step 35 Click the NEXT> button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select ESXI-@@-INTERFACE-PROFILE (replace “@@” with your assigned ESXi host
ID).

Step 36 Click the FINISH button to complete the Create Switch Profile wizard.
Step 37 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 38 Log in to Leaf-1 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 39 From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.
Step 40 Log in to Leaf-2 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)

WARNING Slow down and be VERY careful verifying the following entries. Be sure to review the NterOne
Resource Guide right now. Note the drawing that shows only one cable from each ESXi host to
a leaf switch, and that the other ESXi host connects to the other leaf switch.

Step 41 Execute the show interface e1/XX brief command using the interface number corresponding to
your ESXi host. This command will show you the status of the interface connected to your
ESXi host. The interface should be in the up state, however there will not be any traffic between
the leaf switch and the ESXi host until the ESXi host has been configured to use the interface.
Interface ID (use the entry for your assigned ESXi host):
ESXi-A1: Leaf-1 1/33
ESXi-A2: Leaf-2 1/34
ESXi-B1: Leaf-1 1/35
ESXi-B2: Leaf-2 1/36
ESXi-C1: Leaf-1 1/37
ESXi-C2: Leaf-2 1/38
ESXi-D1: Leaf-1 1/39
ESXi-D2: Leaf-2 1/40

Leaf-1# show interface e1/XX brief

--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth1/XX 0 eth trunk up none 10G(D) --

Task 6: Add ESXi Hosts to the ACI DVS


In this task, you will add ESXi hosts to the ACI DVS that has been created by the APIC within the vCenter
server.

Activity Procedure
Complete these steps:

Note All students should perform this Task.

Step 42 Return to the VMware vSphere Client application.


Step 43 Press Ctrl-Shift-N to shift to the Networking section.
Step 44 Navigate to vCenter-@ > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-DOMAIN.
Step 45 Right-click the POD##-VMM-DOMAIN distributed switch and select Add Host… from the
context menu.

Step 46 The Add Host to vSphere Distributed Switch wizard will appear. The first step of the wizard
is Select Host and Physical Adapters.

WARNING Slow down and be VERY careful with the following entries. Follow the table exactly!

Step 47 You will be selecting one vmnic interface from both of the hosts listed; these vmnics will be
connected to your VMM domain distributed virtual switch. There will be several physical
adapters listed under each host. Use the following table to determine the vmnic interfaces that
you should select; select the same vmnic interface on both hosts.

Pod Number First ESXi Host Vmnic Interface Second ESXi Host Vmnic Interface
11 esxi-a1.dc.local vmnic5 esxi-a2.dc.local vmnic5
12 esxi-a1.dc.local vmnic6 esxi-a2.dc.local vmnic6
13 esxi-a1.dc.local vmnic7 esxi-a2.dc.local vmnic7
14 esxi-a1.dc.local vmnic8 esxi-a2.dc.local vmnic8
15 esxi-b1.dc.local vmnic5 esxi-b2.dc.local vmnic5

16 esxi-b1.dc.local vmnic6 esxi-b2.dc.local vmnic6
17 esxi-b1.dc.local vmnic7 esxi-b2.dc.local vmnic7
18 esxi-b1.dc.local vmnic8 esxi-b2.dc.local vmnic8
19 esxi-c1.dc.local vmnic5 esxi-c2.dc.local vmnic5
20 esxi-c1.dc.local vmnic6 esxi-c2.dc.local vmnic6
21 esxi-c1.dc.local vmnic7 esxi-c2.dc.local vmnic7
22 esxi-c1.dc.local vmnic8 esxi-c2.dc.local vmnic8
23 esxi-d1.dc.local vmnic5 esxi-d2.dc.local vmnic5
24 esxi-d1.dc.local vmnic6 esxi-d2.dc.local vmnic6
25 esxi-d1.dc.local vmnic7 esxi-d2.dc.local vmnic7
26 esxi-d1.dc.local vmnic8 esxi-d2.dc.local vmnic8

Step 48 Click the Next button.


Step 49 The Network Connectivity step will appear. Click the Next button.
Step 50 The Virtual Machine Networking step will appear. Click the Next button.
Step 51 The Ready to Complete step will appear.

Step 52 Click the Finish button.
Step 53 Click the Hosts tab in the Work pane. You should see your ESXi hosts listed there and in a
connected state.

Step 54 Return to the PuTTY session to your leaf switch.


Step 55 Execute the show cdp neighbors command. You should see that the leaf switch is receiving
CDP information from the ESXi host. It may take a few minutes for the CDP entries to appear.

Leaf-1# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute

Device-ID Local Intrfce Hldtme Capability Platform Port ID
esxi-@@.dc.local Eth1/?? 143 S VMware ESX vmnic?

Lab 8: Associate EPGs to a VMware VMM Domain
Overview
With the ESXi hosts connected to the ACI DVS in the previous lab, you can now associate the EPGs that you
created earlier with the VMware virtual environment, so that the VMs can fully utilize the ACI fabric
infrastructure.
Complete this lab activity to become familiar with configuring EPGs with a VMware vSphere domain.

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Associate the vCenter Domain to the APP EPG


In this task, you will associate the vCenter Domain to the APP EPG.

Activity Procedure
Complete these steps:
Step 8 In the Menu bar, click Tenants.
Step 9 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 10 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-APP-EPG.
Step 11 Right-click the EPG POD##-APP-EPG folder and then select Add VMM Domain
Association from the context menu.

Step 12 The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
VMM Domain Profile VMware/POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Deploy Immediacy Immediate
Resolution Immediacy Immediate

Note Resolution Immediacy controls when the policies are downloaded to the leaf. Immediate
specifies that EPG policies (including contracts and filters) are downloaded to the leaf upon
hypervisor attachment to VDS. LLDP or OpFlex permissions are used to resolve the hypervisor
to leaf node attachments. On Demand specifies that EPG policies are downloaded to the leaf
only when a pNIC attaches to the hypervisor connector and a VM is placed in the port group
(EPG).

Note Deploy Immediacy controls when the policy is pushed into the hardware policy CAM. Immediate
specifies that the policy is programmed in the hardware policy CAM as soon as the policy is
downloaded in the leaf software. On Demand specifies that the policy is programmed in the
hardware policy CAM only when the first packet is received through the data path. This process
helps to optimize the hardware space.

Step 13 Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 2: Associate the vCenter Domain to the DB EPG


In this task, you will associate the vCenter Domain to the DB EPG.

Activity Procedure

Complete these steps:
Step 14 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG.
Step 15 Right-click the EPG POD##-DB-EPG folder and then select Add VMM Domain Association
from the context menu.
Step 16 The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
VMM Domain Profile VMware/POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Deploy Immediacy Immediate
Resolution Immediacy Immediate

Step 17 Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 3: Associate the vCenter Domain to the WEB EPG


In this task, you will associate the vCenter Domain to the WEB EPG.

Activity Procedure
Complete these steps:
Step 18 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.
Step 19 Right-click the EPG POD##-WEB-EPG folder and then select Add VMM Domain
Association from the context menu.
Step 20 The Add VMM Domain Association wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
VMM Domain Profile VMware/POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Deploy Immediacy Immediate
Resolution Immediacy Immediate

Step 21 Click the SUBMIT button to complete the Add VMM Domain Association wizard.

Task 4: Verify the Creation of the ACI DVS Port Groups within vCenter
In this task, you will verify that the correct ACI DVS port groups were created within the vCenter.

Activity Procedure
Complete these steps:
Step 22 Return to the VMware vSphere Client application.
Step 23 Press Ctrl-Shift-N to shift to the Networking section.
Step 24 Navigate to vCenter-@ > Datacenter-@ > POD##-VMM-DOMAIN > POD##-VMM-
DOMAIN.
Step 25 You should see three new port groups listed under the ACI DVS, each corresponding to one of the
EPGs within your application profile. The name of each port group is a combination of the Tenant,
Application Profile, and EPG names. If the port groups don’t show up, review your prior lab steps for
any misconfigurations.

Step 26 Right-click one of the port groups that were created and then select Edit Settings … from the
context menu.

Step 27 In the Settings window that appears, in the left-hand side click VLAN. You will see the VLAN
ID that was assigned to the port group by the APIC. The VLAN ID was taken from the VLAN
pool associated with the VMM domain associated with vCenter.

Step 28 Look at the other settings of the port group which were assigned by the APIC.
Step 29 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 30 Log in to Leaf-1 using the following information:

 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 31 Execute the show vrf command. You should now see that a VRF has been created in the fabric
corresponding to the VRF used by your application profile (within your pod). The name of the
VRF will be the combination of the names of the Tenant and Private Network (VRF).

Leaf-1# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 management                              2 Up      --
 overlay-1                               4 Up      --
 POD11:POD11-VRF                         5 Up      --
 POD12:POD12-VRF                         6 Up      --
 <…output omitted…>

Step 32 Execute the show vlan extended command. You should now see that VLANs have been
created corresponding to the EPGs that you have associated to the vCenter server.

Leaf-1# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 13   infra:default                    active    Eth1/1, Eth1/33
 14   POD11:POD11-BD                   active    Eth1/33
 15   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-APP-EPG
 16   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-WEB-EPG
 17   POD11:POD11-APPLICATION-         active    Eth1/33
      PROFILE:POD11-DB-EPG

 VLAN Type  Vlan-mode  Encap
 ---- ----- ---------- -------------------------------
 13   enet  CE         vxlan-16777209, vlan-4093
 14   enet  CE         vxlan-16646014
 15   enet  CE         vlan-3117
 16   enet  CE         vlan-3114
 17   enet  CE         vlan-3111

Lab 9: Associate Virtual Machines with ACI DVS
Port Groups
Overview
In this lab, you will move the VMs from the native vSwitch to the ACI DVS port groups. This action
completes the integration of the APIC with the virtualized environment, giving the APIC full visibility into
and manageability of that environment. Services and policies can now be provisioned dynamically while
being managed from a centralized management tool.
Complete this lab activity to become familiar with configuring a virtual machine with an EPG port group.
Upon completing this guided lab, you will be able to:
 Associate virtual machines with ACI DVS port groups
 Verify connectivity between virtual machines

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Add the App Server VM to the ACI DVS


In this task, you will configure the network adapter within the App Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 8 Return to the VMware vSphere Client application. Be sure you are connected to your vCenter,
and not to any ESXi host directly.

Step 9 Press Ctrl-Shift-H to shift to the Hosts section.
Step 10 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace “##”
with your assigned Pod number):

Virtual Machine   IP Address        Default Gateway
Pod##-App         10.##.1.1 /24     10.##.1.254
Pod##-DB          10.##.2.1 /24     10.##.2.254
Pod##-Web         10.##.3.1 /24     10.##.3.254

Step 11 Right-click the Pod##-App VM and then select Edit Settings… from the context menu.

Step 12 The Virtual Machine Properties for Pod##-App will appear.


Step 13 In the left-hand side of the window select Network adapter 1.
Step 14 In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-APP-EPG from the drop-down list.

Step 15 Click the OK button to save the changes to the properties of the virtual machine.
Step 16 Right-click the Pod##-App VM and then select Power > Power On from the context menu.

Step 17 After a few seconds you should see the powered on icon next to the virtual machine. If you see
this, skip ahead to the next Task.

Step 18 In some cases it is possible that when you power on a virtual machine you will see a small “i”
appear on the virtual machine icon:

Step 19 If this occurs, select the virtual machine, and then select the Summary tab in the Work pane.
You will see a question presented to you regarding the state of the virtual machine.

Step 20 Select I Moved It and then click the OK button. The VM will then complete the power on
process.

Task 2: Add the DB Server VM to the ACI DVS


In this task, you will configure the network adapter within the DB Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 21 Right-click the Pod##-DB VM and then select Edit Settings… from the context menu.
Step 22 The Virtual Machine Properties for Pod##-DB will appear.
Step 23 In the left-hand side of the window select Network adapter 1.
Step 24 In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-DB-EPG from the drop-down list.
Step 25 Click the OK button to save the changes to the properties of the virtual machine.
Step 26 Right-click the Pod##-DB VM and then select Power > Power On from the context menu.

Task 3: Add the Web Server VM to the ACI DVS


In this task, you will configure the network adapter within the Web Server VM to use the correct ACI DVS
port group.

Activity Procedure
Complete these steps:
Step 27 Right-click the Pod##-Web VM and then select Edit Settings… from the context menu.
Step 28 The Virtual Machine Properties for Pod##-Web will appear.
Step 29 In the left-hand side of the window select Network adapter 1.
Step 30 In the right-hand side of the window, click the Network label setting and then select
POD##|POD##-APPLICATION-PROFILE|POD##-WEB-EPG from the drop-down list.
Step 31 Click the OK button to save the changes to the properties of the virtual machine.
Step 32 Right-click the Pod##-Web VM and then select Power > Power On from the context menu.

Task 4: Verify Connectivity between the Pod Virtual Machines
In this task, you will verify that all of the steps necessary to configure network connectivity between the Pod
virtual machines have been taken.

Activity Procedure
Complete these steps:
Step 33 Right-click the Pod##-App VM and then select Open Console from the context menu.

Step 34 The console window for Pod##-App will appear. You will see the App server’s desktop.

Step 35 Open a Command Prompt window.


Step 36 Verify that the App server can ping the DB server using the ping 10.##.2.1 command.
Step 37 Verify that the App server can ping the Web server using the ping 10.##.3.1 command.
Step 38 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 39 Log in to Leaf-1 using the following information:
 Login as: admin

 Password: 1234QWer (note that “QW” is capitalized)
Step 40 Execute the show mac address-table command. You should now see the MAC addresses for
the virtual machines in your Pod.

Leaf-1# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 14       0050.569a.456e   dynamic   -        F      F    eth1/33
* 15       0050.569a.5e25   dynamic   -        F      F    eth1/33
* 16       0050.569a.0a8a   dynamic   -        F      F    eth1/33
* 7        88f0.313c.97f2   dynamic   -        F      F    eth1/1

Step 41 The output of the show mac address-table command does not give you much information about
the virtual machines and the port groups (EPGs) to which they belong. Execute the show
endpoint detail command to see more information about the virtual machines. In the output
you can see the MAC address of each virtual machine, the name of the port group, and the
VLAN ID assigned to the port group to which it belongs.

Leaf-1# show endpoint detail
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+-----------------+---------------+-----------------+-----------+-----------+-----------------------------------------------+
      VLAN/           Encap           MAC Address       MAC Info/   Interface   Endpoint Group
      Domain          VLAN            IP Address        IP Info                 Info
+-----------------+---------------+-----------------+-----------+-----------+-----------------------------------------------+
15                 vlan-3117        0050.569a.456e    O           eth1/34     POD11:POD11-APPLICATION-PROFILE:POD11-APP-EPG
POD11:POD11-VRF    vlan-3117        10.11.1.1         O
16                 vlan-3114        0050.569a.0a8a    L           eth1/33     POD11:POD11-APPLICATION-PROFILE:POD11-WEB-EPG
POD11:POD11-VRF    vlan-3114        10.11.3.1         L
17                 vlan-3111        0050.569a.5e25    L           eth1/33     POD11:POD11-APPLICATION-PROFILE:POD11-DB-EPG
POD11:POD11-VRF    vlan-3111        10.11.2.1         L
overlay-1                           172.19.16.95      L
13/overlay-1       vxlan-16777209   a0ec.f985.1a2f    L           eth1/1
                                                                              infra:default
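The verification in Steps 40 and 41 is done by eye; the following added example (not part of the lab guide) parses the `show endpoint detail` output shown above and checks that every pod VM from the Lab 9 addressing table was learned in its own EPG, flagging any address in the pod VRF that does not belong to one of the three VMs. The sample output is a constructed transcription of the pod 11 output; the function and variable names are this example's own.

```python
"""Added example: parse a leaf's 'show endpoint detail' output and check that each
pod VM was learned in the EPG that its address (Lab 9, Step 10 table) belongs to."""
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample, transcribed from the pod 11 output shown in Step 41.
SAMPLE_OUTPUT = """\
Leaf-1# show endpoint detail
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+---------------+---------------+-----------------+--------------+-------------+
      VLAN/         Encap           MAC Address       MAC Info/       Interface     Endpoint Group
      Domain        VLAN            IP Address        IP Info                       Info
+---------------+---------------+-----------------+--------------+-------------+
15               vlan-3117      0050.569a.456e  O  eth1/34  POD11:POD11-APPLICATION-PROFILE:POD11-APP-EPG
POD11:POD11-VRF  vlan-3117      10.11.1.1       O
16               vlan-3114      0050.569a.0a8a  L  eth1/33  POD11:POD11-APPLICATION-PROFILE:POD11-WEB-EPG
POD11:POD11-VRF  vlan-3114      10.11.3.1       L
17               vlan-3111      0050.569a.5e25  L  eth1/33  POD11:POD11-APPLICATION-PROFILE:POD11-DB-EPG
POD11:POD11-VRF  vlan-3111      10.11.2.1       L
overlay-1        172.19.16.95   L
13/overlay-1     vxlan-16777209 a0ec.f985.1a2f  L  eth1/1
infra:default
"""


def parse_show_endpoint_detail(text):
    """Return a list of endpoint dicts (vlan, encap, mac, flags, interface, epg, ips).

    A line carrying a MAC token starts a new endpoint; IP lines and a bare EPG-name
    line that follow it belong to that endpoint. Legend, header and separator lines
    contain no MAC or IPv4 token and are skipped.
    """
    endpoints, current = [], None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        ip_idx = next((i for i, t in enumerate(tokens) if IPV4_RE.match(t)), None)
        if mac_idx is not None and mac_idx >= 2:
            current = {
                "vlan": tokens[mac_idx - 2],
                "encap": tokens[mac_idx - 1],
                "mac": tokens[mac_idx],
                "flags": tokens[mac_idx + 1] if len(tokens) > mac_idx + 1 else "",
                "interface": tokens[mac_idx + 2] if len(tokens) > mac_idx + 2 else "",
                # EPG name is on the same line, or alone on the next line (infra:default)
                "epg": tokens[mac_idx + 3] if len(tokens) > mac_idx + 3 else None,
                "ips": [],
            }
            endpoints.append(current)
        elif ip_idx is not None and current is not None:
            # "<vrf> [<encap>] <ip> <flags>": the VRF is always the first token
            current["ips"].append({"vrf": tokens[0], "ip": tokens[ip_idx]})
        elif len(tokens) == 1 and ":" in tokens[0] and current and current["epg"] is None:
            current["epg"] = tokens[0]
    return endpoints


def check_pod_endpoints(endpoints, pod):
    """Compare learned endpoints with the pod addressing table from Lab 9.

    Returns {"ok": [...], "problems": [...]}. A problem is an expected VM that was
    not learned, a VM learned in the wrong EPG, or an address in the pod VRF that
    none of the three VMs should be using.
    """
    vrf = f"POD{pod}:POD{pod}-VRF"
    profile = f"POD{pod}:POD{pod}-APPLICATION-PROFILE"
    expected = {
        f"10.{pod}.1.1": f"{profile}:POD{pod}-APP-EPG",
        f"10.{pod}.2.1": f"{profile}:POD{pod}-DB-EPG",
        f"10.{pod}.3.1": f"{profile}:POD{pod}-WEB-EPG",
    }
    seen = {a["ip"]: ep for ep in endpoints for a in ep["ips"] if a["vrf"] == vrf}
    report = {"ok": [], "problems": []}
    for ip, epg in expected.items():
        ep = seen.get(ip)
        if ep is None:
            report["problems"].append(f"{ip}: not learned in {vrf}")
        elif ep["epg"] != epg:
            report["problems"].append(f"{ip}: learned in {ep['epg']}, expected {epg}")
        else:
            report["ok"].append(f"{ip} {ep['mac']} {ep['encap']} {ep['interface']} -> {epg}")
    for ip, ep in seen.items():
        if ip not in expected:
            report["problems"].append(f"{ip}: unexpected endpoint {ep['mac']} in {ep['epg']}")
    return report


if __name__ == "__main__":
    result = check_pod_endpoints(parse_show_endpoint_detail(SAMPLE_OUTPUT), "11")
    for line in result["ok"]:
        print("OK  ", line)
    for line in result["problems"]:
        print("FAIL", line)
```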

Lab 10: Configure the APIC Using the REST API
(Postman)
Overview
Complete this lab activity to become familiar with the ability to configure the APIC controller with the REST
API. The goal is to highlight the ease of ACI Programmability versus using a traditional GUI approach.
Upon completing this guided lab, you will be able to:
 Use the Chrome plug-in Postman
 Create a complete Tenant and Application Profile configuration using the REST API

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Open the Postman Plug-in for Google Chrome


In this task, you will open the Postman plug-in for Google Chrome and familiarize yourself with the Postman
application.

Activity Procedure
Complete these steps:
Step 6 In the Chrome browser, in the upper left-hand side of the window, click the Apps button.

Step 7 Icons for the Google plug-ins that have been installed in the Chrome browser will appear. Click
the Postman icon.

Step 8 The Postman application will start in another window. The following table describes the
important parts of the Postman interface.

Item Number  Description
1            History Tab – a running list of all REST commands sent during this session
2            Collections Tab – a location where you can save REST commands for future use
3            HTTP Method type (POST, GET, DELETE, etc.)
4            URL of REST API call to the target device (e.g. the APIC)
5            Send button – executes the configured REST command
6            Identifies how the data sent (in item 8) will be encoded
7            Identifies the type of data being sent (in item 8) in the REST command
8            Data to be sent within the REST command

Step 9 After you send a command to the REST API of the target device (e.g. the APIC), a response (or
error) is returned from the device and displayed in the lower half of the Postman interface.

Item Number  Description
1            Output style selector
2            Output format selector
3            Word Wrap toggle
4            HTTP Return Code of the last REST command
5            Data returned by the device to Postman

Task 2: Create a Login Request for the APIC REST API
Before you can interact with the APIC using the REST API you must be authenticated by the APIC. Once
you are authenticated then you can read information from or make changes to the configuration of the APIC.
In this task, you will configure a login request for the APIC.

Activity Procedure
Complete these steps:
Step 10 In the Postman interface, choose POST from the HTTP Methods drop-down menu.
Step 11 In the URL field, type http://192.168.R0.1/api/aaaLogin.xml (replace “R” with your ACI
Rack Number).

Note It may be simpler to enter this URL by copying and pasting it from this document into Postman.

Step 12 Click the Body tab; this is the location where the data that will be sent to the APIC will be
entered.
Step 13 Click the raw radio button to set the data encoding method.
Step 14 In the Data Type drop-down list, select XML (text/xml).
Step 15 Type the following in the text field under the raw button:

<aaaUser name="admin" pwd="1234QWer" />

Note It may be simpler to enter this text by copying and pasting it from this document into Postman.

Step 16 Click the blue Send button.
Step 17 You should see the following results, indicating a successful login to the APIC.

Note You can reuse this login sequence by selecting the correct entry in the History tab and then
clicking Send again.

Note If you incorrectly configure the login request you will see a response similar to the following
image:

Task 3: Create an Application Profile Using the REST API


In this task, you will create a complete Tenant and Application Profile configuration using the REST API.

Activity Procedure
Complete these steps:
Step 18 In the Postman window, click the plus sign to create a new tab.

Step 19 In the new tab, choose POST from the HTTP Methods drop-down menu.
Step 20 In the URL field, type http://192.168.R0.1/api/mo/uni.xml (replace “R” with your ACI Rack
Number).
Step 21 Click the Body tab; this is the location where the data that will be sent to the APIC will be
entered.
Step 22 Click the raw radio button to set the data encoding method.
Step 23 In the Data Type drop-down list, select XML (text/xml).
Step 24 On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 25 Navigate to the S:\DCAC9K folder.


Step 26 Locate your pod-specific XML file, which is named POD##-REST (replace “##” with your
assigned 2-digit Pod number).
Step 27 Right-click on your pod-specific XML file name, and then select Edit with Notepad++ from
the context menu.

Step 28 The Notepad++ application will start and display the contents of your pod-specific XML file.

Step 29 Copy all of the XML in the file, and then paste it into the raw section in the Postman interface.

Step 30 Click the Send button.


Step 31 You should see the following return code in the Body section beneath the Send button:

Note If you see the return code below, you need to re-authenticate to the APIC.

Step 32 Return to the APIC GUI running in your Chrome browser.
Step 33 In the Menu bar, click Tenants.
Step 34 In the Submenu bar, click ALL TENANTS. You should see a new Tenant named POD##-
REST.

Note The primary point here is to stress the benefit of the open API interface to ACI. Once you
understand the ACI dictionary tree and are comfortable with a programming interface such as
Postman, it will only take seconds to accomplish significant amounts of configuration.

Step 35 Double-click the tenant POD##-REST.


Step 36 In the Navigation pane, select Tenant POD##-REST > Application Profiles > 3-Tier_App.
You will find that a three-tier application similar to the one you created previously has been
created here.

Step 37 Spend a few minutes examining the objects that were created in the POD##-REST tenant using
the REST API.
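The two requests that Tasks 2 and 3 send from Postman (the aaaLogin POST and the POST of tenant XML to /api/mo/uni.xml) can be scripted as well. The following added example (not part of the lab guide or of any Cisco tool) does exactly that with the Python standard library: it logs in, reads the token from the aaaLogin reply, sends it back as the APIC-cookie on the configuration POST, and raises on the error replies described in Steps 17 and 31. The HTTP transport is injectable, so the block runs offline against a constructed stand-in for the APIC; the token value and the stand-in's replies are constructed, and the class and function names are this example's own.

```python
"""Added example: the two requests Lab 10 sends from Postman (aaaLogin, then a
POST to /api/mo/uni.xml), with the session token carried as the APIC-cookie."""
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def login_body(user, password):
    """Body for POST /api/aaaLogin.xml. quoteattr() escapes quotes, '<' and '&'
    so a password containing them cannot break (or alter) the XML document."""
    return f"<aaaUser name={quoteattr(user)} pwd={quoteattr(password)} />"


def tenant_body(name):
    """Minimal tenant object, posted to uni (the root of the policy universe)."""
    return f"<fvTenant name={quoteattr(name)} />"


def parse_login_response(xml_text):
    """Return the session token, or raise on the <error> reply the APIC sends
    for a bad login (the 'incorrectly configured login request' of Step 17)."""
    root = ET.fromstring(xml_text)
    err = root.find("error")
    if err is not None:
        raise PermissionError(f"login failed: {err.get('code')} {err.get('text')}")
    node = root.find("aaaLogin")
    if node is None or not node.get("token"):
        raise ValueError("no aaaLogin token in response")
    return node.get("token")


def check_config_response(xml_text):
    """A config POST returns an empty <imdata>; an <error> reply (for example
    when the token has expired, the 're-authenticate' case of Step 31) raises."""
    err = ET.fromstring(xml_text).find("error")
    if err is not None:
        raise RuntimeError(f"config rejected: {err.get('code')} {err.get('text')}")
    return True


class ApicClient:
    """Small REST client; transport(url, body, headers) -> str is injectable so
    the exchange can be exercised offline against canned replies."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._http_post
        self.token = None

    @staticmethod
    def _http_post(url, body, headers):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()

    def _post(self, path, body):
        headers = {"Content-Type": "text/xml"}
        if self.token:
            # The token authenticates every later request. Over plain http://, as
            # this lab uses, it travels in clear text; that is why Lab 11 calls the
            # HTTP setting insecure for production.
            headers["Cookie"] = f"APIC-cookie={self.token}"
        return self.transport(self.base_url + path, body, headers)

    def login(self, user, password):
        self.token = parse_login_response(self._post("/api/aaaLogin.xml", login_body(user, password)))
        return self.token

    def create_tenant(self, name):
        return check_config_response(self._post("/api/mo/uni.xml", tenant_body(name)))


# Constructed stand-in for the APIC: replies have the shape of the real ones
# (token value shortened) and the APIC-cookie is required after login.
FAKE_TOKEN = "constructed-token-0123456789"


def fake_apic(url, body, headers):
    if url.endswith("/api/aaaLogin.xml"):
        if 'pwd="1234QWer"' in body:
            return (f'<imdata totalCount="1"><aaaLogin token="{FAKE_TOKEN}" '
                    'refreshTimeoutSeconds="600"/></imdata>')
        return ('<imdata totalCount="1"><error code="401" '
                'text="User credential is incorrect - FAILED local authentication"/></imdata>')
    if headers.get("Cookie") != f"APIC-cookie={FAKE_TOKEN}":
        return '<imdata totalCount="1"><error code="403" text="Token was invalid"/></imdata>'
    return '<imdata totalCount="0"></imdata>'


def demo(pod="11", transport=fake_apic):
    """Log in and create POD##-REST; returns (token, created). Pass transport=None
    to talk to a real APIC (replace R in the URL with your ACI rack number)."""
    client = ApicClient("http://192.168.R0.1", transport=transport)
    token = client.login("admin", "1234QWer")
    return token, client.create_tenant(f"POD{pod}-REST")


if __name__ == "__main__":
    print(demo())
```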

Lab 11: Configure the APIC Using the ACI Cobra
SDK (Python)
Overview
The Python API provides a Python programming interface to the underlying REST API, allowing you to
develop your own applications to control the APIC and the network fabric, enabling greater flexibility in
infrastructure automation, management, monitoring, and programmability.
Complete this lab activity to become familiar with the ability to configure the APIC controller with the ACI
Cobra SDK using Python.
Upon completing this guided lab, you will be able to:
 Configure the Communication Policy
 Review a Python script
 Use a Python Script to create a Tenant

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Configure the Communication Policy


In this task, you will configure the default Communication Policy to enable HTTP access to APIC.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Fabric.
Step 7 In the Submenu bar, click Fabric Policies.
Step 8 Navigate to Pod Policies > Policies > Management Access > default.
Step 9 In the Work pane, in the HTTP section, verify that the Admin State is set to Enabled and the
Redirect is set to Disabled.

Note Within this ACI lab environment, if these settings are incorrect, this lab exercise will not function
properly. These settings are insecure and are not recommended for a production environment.

Task 2: Review a Python Script
In this task, you will review a Python script that can be used to create a new Tenant configuration.

Activity Procedure
Complete these steps:
Step 10 On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 11 Navigate to the S:\DCAC9K folder.


Step 12 Locate your pod-specific Python script, which is named POD##-PYTHON (replace “##” with
your assigned Pod number).
Step 13 Right-click on your pod-specific Python script, and then select Edit with Notepad++ from the
context menu.

Step 14 The Notepad++ application will start and display the contents of your pod-specific Python
script.

Step 15 Review the opened Python script. This script will be used in the next Task to create a Tenant.

Task 3: Use a Python Script to Create a Tenant


In this task, you will use a Python script to create a Tenant.

Activity Procedure
Complete these steps:
Step 16 Return to the File Explorer window. Right-click on your pod-specific Python script, and then
select Open with > python from the context menu.

Step 17 The Python interpreter window will appear, and it will start the Python script.
Step 18 The script will prompt you to enter the information necessary to log in to the APIC. When
prompted, enter the following information:
 APIC login username: admin
 APIC URL: http://192.168.R0.1 (replace “R” with your ACI Rack Number)

 APIC Password: 1234QWer

Note If you do not use http:// at the start of the APIC URL, the script will fail.

Step 19 The Python interpreter window will close after you enter the APIC password. This will occur
regardless of whether or not the script ran successfully.
Step 20 Return to the APIC GUI running in your Chrome browser.
Step 21 In the Menu bar, click Tenants.
Step 22 In the Submenu bar, click ALL TENANTS. You should see a new Tenant named
POD##-Python.

Note The Python script that you used only creates a new Tenant and does not configure any other
objects or properties.

Lab 12: Configure the APIC Using the Cisco APIC
REST to Python Adapter (ARYA)
Overview
The Cisco APIC REST to Python Adapter (ARYA) is a tool developed by Cisco Advanced Services. The
ARYA tool enables you to generate code directly from what resides in the object model.
Complete this lab activity to become familiar with the ability to use the ARYA to configure Cisco
Application Policy Infrastructure Controller (APIC).
Upon completing this guided lab, you will be able to:
 Save configuration from Cisco APIC as an XML file
 Use ARYA to create a Python script
 Configure the Cisco APIC using a newly created Python script

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Save Configuration from APIC as an XML File


In this task, you will save configuration from Cisco APIC as an XML file, which you will later transform to
Python script.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Tenants.
Step 7 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 8 In the Navigation pane, select Tenant POD##.
Step 9 Right-click the Tenant POD## folder and then select Save as … from the context menu.

Step 10 The Save As wizard will appear. Enter the values in the following table.

Field Value
Content Only Configuration
Scope Subtree
Export Format XML

Step 11 Click the DOWNLOAD button. This will save a file named tn-POD##.xml to the Downloads
folder in the Student Server.
Step 12 On your Student Server, open the students file share by double-clicking the shortcut on the
desktop. This will map the S: drive to the students file share.

Step 13 Drag and drop (move) the XML file you just created (tn-POD##.xml) from the Downloads
folder to the C:\arya folder.

Task 2: Use ARYA to Create a Python Script


In this task, you will use ARYA to create a Python script, which you will then use to configure a new tenant.

Activity Procedure
Complete these steps:
Step 14 On your Student Server, open a Command Prompt window by double-clicking the shortcut on
the desktop.

Step 15 The Command Prompt window will appear. If the Command Prompt window does not open
to the C:\arya directory use the “cd C:\arya” command to change to that directory.

Step 16 You will now use Arya to create a Python script based on the XML file that you downloaded
from the APIC GUI. Enter the following command into the Command Prompt (replace “##”
with your assigned 2-digit Pod Number and replace “R” with your ACI Rack Number).

python arya.py -f C:\arya\tn-POD##.xml -i 192.168.R0.1 -u admin -p 1234QWer > C:\arya\pod##.py

Note You may want to copy and paste the command to a text editor, modify the command, and then
copy and paste the edited command into the Command Prompt window.

Step 17 If the syntax of the command is correct, all that will happen is that you will see the command
prompt return after the Arya utility finishes running.

Note The right angle bracket (>) between the password and “pod##.py” redirects the Python code that Arya
writes to standard output into the file pod##.py. If you make a mistake in the command, the shell will still
create a file called pod##.py with zero bytes. Delete that file before troubleshooting your CLI input.

Step 18 Return to Windows Explorer. You should now see a file named “pod##” in the C:\arya
folder.
Step 19 Right-click the pod## file, and then select Edit with Notepad++ from the context menu.

Step 20 The Notepad++ application will start and open the pod##.py file for editing.

Step 21 In the Menu bar select Search > Replace…

Step 22 The Replace window will appear. Replace “POD##” with “POD##-ARYA” (replace “##” with
your assigned 2-digit Pod Number).

Step 23 Click the Replace All button, and then click the Close button.
Step 24 There are three lines of code that will prevent the script from running; these lines are inserted
by Arya to prevent accidental execution of the script. These three lines are near the top of the
script and start with “raise RuntimeError”. Find these lines and delete them.

Step 25 Save the file by selecting File > Save from the Menu bar.

In Summary: You downloaded an XML encoded file with the configuration of the tenant name-GUI, where
name is your Pod airport name. You then converted this XML encoded file into a Python (.py) file
using Arya. You have now customized this Python file by replacing the existing tenant name
(name-GUI) with a new tenant name (name-arya). Next you will configure Cisco APIC with this
new Tenant using the Python SDK.
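Steps 21 through 24 rename the tenant by hand in Notepad++ and then remove Arya’s guard lines. The Python below is an added example, not part of this lab guide, of Arya, or of the Cobra SDK; it performs the same two edits programmatically, so the renamed XML can be fed back through Arya or posted with the REST API from Lab 10, and it never contacts the APIC. The exported file is replaced by a constructed, trimmed sample for pod 11 (SAMPLE_EXPORT) that mimics the structure of the “Save as” output; the guard text in the docstring example is likewise constructed rather than Arya’s exact wording.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real export): a trimmed stand-in for the
# tn-POD##.xml file that the APIC "Save as..." dialog writes, for pod 11.
SAMPLE_EXPORT = """<imdata totalCount="1">
  <fvTenant dn="uni/tn-POD11" name="POD11">
    <fvCtx name="POD11-VRF"/>
    <fvBD name="POD11-BD">
      <fvRsCtx tnFvCtxName="POD11-VRF"/>
      <fvSubnet ip="10.11.3.254/24" scope="private"/>
    </fvBD>
    <vzFilter name="POD11-FILTER-ANY">
      <vzEntry name="ANY" etherT="unspecified"/>
    </vzFilter>
    <vzBrCP name="POD11-GLOBAL-CONTRACT" scope="global">
      <vzSubj name="SUBJECT-ANY" revFltPorts="yes">
        <vzRsSubjFiltAtt tnVzFilterName="POD11-FILTER-ANY"/>
      </vzSubj>
    </vzBrCP>
  </fvTenant>
</imdata>
"""


def _find_tenant(root: ET.Element) -> ET.Element:
    tenant = root if root.tag == "fvTenant" else root.find("fvTenant")
    if tenant is None or not tenant.get("name"):
        raise ValueError("export contains no named fvTenant")
    return tenant


def tenant_name(xml_text: str) -> str:
    """Name of the tenant carried by an export file."""
    return _find_tenant(ET.fromstring(xml_text)).get("name")


def rename_tenant(xml_text: str, new_name: str) -> str:
    """Return the export with every occurrence of the tenant name replaced.

    The name appears in three kinds of places and all of them must change
    together: the fvTenant name attribute, dn/tDn attributes rooted at
    uni/tn-<old>, and the POD##-... names of child objects (which Arya's
    script reuses verbatim). Only whole-word matches are replaced, so
    renaming POD1 never touches POD11.
    """
    root = ET.fromstring(xml_text)
    old_name = _find_tenant(root).get("name")
    word = re.compile(rf"\b{re.escape(old_name)}\b")
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            elem.set(attr, word.sub(new_name, value))
    return ET.tostring(root, encoding="unicode")


def strip_arya_guard(script_text: str) -> str:
    """Remove the raise RuntimeError(...) statement Arya inserts near the top
    of its output (Step 24), including the continuation lines of that
    statement, by skipping lines until its parentheses balance."""
    kept, depth = [], 0
    for line in script_text.splitlines(keepends=True):
        if depth == 0 and line.lstrip().startswith("raise RuntimeError"):
            depth = line.count("(") - line.count(")")
            continue
        if depth > 0:
            depth += line.count("(") - line.count(")")
            continue
        kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    renamed = rename_tenant(SAMPLE_EXPORT, "POD11-ARYA")
    print(tenant_name(renamed))
    print(renamed)
```

The whole-word replacement matches what the Notepad++ Replace All in Step 22 does, but it is applied to attribute values only, so element tags such as fvTenant are never touched even if a tenant were named after a class.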

Task 3: Configure the APIC Using a Newly Created Python Script


In this task, you will configure and create a new tenant in the APIC using a Python script that you created in
the previous task.

Activity Procedure
Complete these steps:
Step 26 Return to Windows Explorer. Verify that you are viewing the contents of the C:\arya folder.
Step 27 Right-click the pod## file, and then select Open > python from the context menu. This will
cause the python interpreter to run the script you just edited and create a new tenant named
“POD##-ARYA”.

Step 28 Return to the APIC GUI running in your Chrome browser.
Step 29 In the Menu bar, click Tenants.
Step 30 In the Submenu bar, click ALL TENANTS. You should see a new Tenant named
POD##-ARYA. This new tenant was created by the python script you just executed, and it
should be a duplicate of the tenant POD##, including all of the policies and settings of the
original tenant.

Lab 13: Configure Inter-Tenant Connectivity
Overview
There may be times when the ACI administrator needs to allow traffic between two tenants. A contract
interface is a special type of contract that an ACI administrator can use to allow specific traffic between
tenants by using contract export. In essence, the contract is exported from the source tenant and imported into
the target tenant. As with traditional contracts, the source EPG will be of type provider. In the target tenant,
however, the contract is imported as type contract interface.
Complete this lab activity to become familiar with configuring Inter-Tenant communication.
Upon completing this guided lab, you will be able to:
 Create and Export a Contract
 Create a Host Subnet and add a Contract to EPG in the First Tenant
 Confirm the Exported Contract, create a Host Subnet in the Second Tenant and add a Consumed
Contract Interface

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a Global Contract to be Exported to the Other Tenant


In this task, you will create a Global Contract that will be exported to the Peer Pod Tenant in the next Task.

Activity Procedure
Complete these steps:
Step 8 In the Menu bar, click Tenants.
Step 9 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).

Step 10 In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.
Step 11 Right-click the Contracts folder and then select Create Contract from the context menu.

Step 12 The Create Contract wizard will appear. Enter the values in the following table.

Field Value
Name POD##-GLOBAL-CONTRACT (replace “##” with your assigned 2-digit Pod Number)
Scope Global

Note Make sure to change the scope to Global; only Global contracts may be exported to other
Tenants.

Step 13 In the Subjects subsection, click the plus sign to create a new entry. The Create Contract
Subject wizard will appear. Enter the values in the following table.

Field Value
Name SUBJECT-ANY
Apply Both Directions Checked
Reverse Filter Ports Checked

Step 14 In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##/POD##-FILTER-ANY.

Step 15 Click the UPDATE button.
Step 16 Click the OK button to complete the Create Contract Subject wizard.

Step 17 Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Task 2: Export the Global Contract to the Other Tenant


In this task, you will export the Global Contract that you just created to the Peer Pod Tenant.

Activity Procedure
Complete these steps:
Step 18 In some of the steps in this Task you will be asked to enter your Peer Pod Number. Your Peer
Pod Number is the number of the Pod that is interacting with your Pod during this lab exercise.
Use the following table to determine your Peer Pod Number.

If your Pod Number is… Then your PEER POD NUMBER is …
11 12
12 11
13 14
14 13
15 16
16 15
17 18
18 17
19 20
20 19
21 22
22 21
23 24
24 23
25 26
26 25

Step 19 In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.
Step 20 Right-click the Contracts folder and then select Export Contract from the context menu.

Step 21 The Export Contract wizard will appear. Enter the values in the following table.

Field Value
Name POD##-EXPORT-CONTRACT (replace “##” with your assigned 2-digit Pod Number)
Global Contract POD##-GLOBAL-CONTRACT (replace “##” with your assigned 2-digit Pod Number)
Tenant POD$$ (replace “$$” with your 2-digit Peer Pod Number)

Step 22 Click the SUBMIT button to complete the Export Contract wizard.

STOP! Wait until the student configuring your Peer Pod has completed all steps up to this point
before proceeding.

Step 23 In the Navigation pane, expand Tenant POD## > Security Policies > Imported Contracts. If
the student configuring your Peer Pod has completed the steps in this lab exercise up to this
point you should see an Imported Contract named POD$$-EXPORT-CONTRACT.

Task 3: Create an EPG Subnet to be Leaked to the Other Tenant


In this task, you will create an EPG Subnet within your Web EPG that will be leaked into the routing table of
your Peer Pod’s VRF. This EPG Subnet must be configured in the EPG that will be providing the exported
contract to the other Tenant.

Activity Procedure
Complete these steps:
Step 24 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.
Step 25 Right-click the EPG POD##-WEB-EPG folder and then select Create EPG Subnet from the
context menu.

Step 26 The Create EPG Subnet wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field Value
Default Gateway IP 10.##.3.254/24 (replace “##” with your assigned 2-digit Pod Number)
Scope – Private to VRF Checked
Scope – Advertised Externally Unchecked
Scope – Shared between VRFs Checked

Step 27 Click the SUBMIT button to complete the Create EPG Subnet wizard.

Task 4: Configure Contracts between the Web EPGs of Each Tenant


In this task, you will configure contracts between your Web EPG and your Peer Pod’s Web EPG to allow
traffic to be passed between them.

Activity Procedure
Complete these steps:
Step 28 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG.
Step 29 Right-click the EPG POD##-WEB-EPG folder and then select Add Provided Contract from
the context menu.

Step 30 The Add Provided Contract wizard will appear. In the Name drop-down list select POD##/
POD##-GLOBAL-CONTRACT (replace “##” with your assigned 2-digit Pod Number).

Step 31 Click the SUBMIT button to complete the Add Provided Contract wizard.
Step 32 Right-click the EPG POD##-WEB-EPG folder and then select Add Consumed Contract
Interface from the context menu.

Note Make sure to select “Add Consumed Contract Interface”, not “Add Consumed Contract”.

Step 33 The Add Consumed Contract Interface wizard will appear. In the Name drop-down list
select POD##/ POD$$-EXPORT-CONTRACT (replace “##” with your assigned 2-digit Pod
Number and replace “$$” with your Peer Pod Number).

Step 34 Click the SUBMIT button to complete the Add Consumed Contract Interface wizard. You
should now see two different types of Contract that are being used by the Web EPG: Contract
(used within the Application Profile) and Contract Interface (used between Tenants).

Step 35 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE. You should see that the diagram representing the objects within
your Application Profile has been updated to include the new contracts.
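Tasks 1 through 4 build a chain of objects (a Global contract, its export into the peer tenant, a Shared subnet in the providing EPG, and the provided contract and consumed contract interface on the Web EPG) that only leaks a prefix when every link is in place. The Python below is an added example, not part of this lab guide or of any Cisco tool; it checks that chain offline against a tenant configuration. It runs on a constructed, trimmed sample (SAMPLE_UNI, not an APIC export) of the objects for pod 11 and peer pod 12, written with the ACI object-model class names fvTenant, vzBrCP, vzCPIf, vzRsIf, fvAEPg, fvSubnet, fvRsProv and fvRsConsIf, and applies the requirements the lab states: Global scope (Task 1 Note), the imported contract present in the consuming tenant (Step 23), and a subnet with Shared between VRFs on the provider (Task 3).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not an APIC export): the objects Tasks 1-4 create for
# pod 11 and its peer pod 12, each side exporting its Global contract to the
# other and consuming the peer's export as a contract interface.
SAMPLE_UNI = """<polUni>
  <fvTenant name="POD11">
    <vzBrCP name="POD11-GLOBAL-CONTRACT" scope="global"/>
    <vzCPIf name="POD12-EXPORT-CONTRACT">
      <vzRsIf tDn="uni/tn-POD12/brc-POD12-GLOBAL-CONTRACT"/>
    </vzCPIf>
    <fvAp name="POD11-APPLICATION-PROFILE">
      <fvAEPg name="POD11-WEB-EPG">
        <fvSubnet ip="10.11.3.254/24" scope="private,shared"/>
        <fvRsProv tnVzBrCPName="POD11-GLOBAL-CONTRACT"/>
        <fvRsConsIf tnVzCPIfName="POD12-EXPORT-CONTRACT"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
  <fvTenant name="POD12">
    <vzBrCP name="POD12-GLOBAL-CONTRACT" scope="global"/>
    <vzCPIf name="POD11-EXPORT-CONTRACT">
      <vzRsIf tDn="uni/tn-POD11/brc-POD11-GLOBAL-CONTRACT"/>
    </vzCPIf>
    <fvAp name="POD12-APPLICATION-PROFILE">
      <fvAEPg name="POD12-WEB-EPG">
        <fvSubnet ip="10.12.3.254/24" scope="private,shared"/>
        <fvRsProv tnVzBrCPName="POD12-GLOBAL-CONTRACT"/>
        <fvRsConsIf tnVzCPIfName="POD11-EXPORT-CONTRACT"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
"""

# A contract DN has the form uni/tn-<tenant>/brc-<contract>.
CONTRACT_DN = re.compile(r"uni/tn-([^/]+)/brc-([^/]+)")


def check_contract_interfaces(uni_xml: str) -> list:
    """Return a list of problems; an empty list means every consumed contract
    interface resolves to a Global contract in the peer tenant whose provider
    EPG leaks at least one Shared subnet."""
    root = ET.fromstring(uni_xml)
    tenants = {t.get("name"): t for t in root.findall("fvTenant")}
    problems = []
    for tname, tenant in tenants.items():
        for epg in tenant.iter("fvAEPg"):
            for cons in epg.findall("fvRsConsIf"):
                if_name = cons.get("tnVzCPIfName")
                where = f"{tname}/{epg.get('name')} -> {if_name}"
                # Step 23: the import must show up in the consuming tenant.
                cpif = tenant.find(f"vzCPIf[@name='{if_name}']")
                if cpif is None:
                    problems.append(f"{where}: no imported contract named {if_name} in {tname}")
                    continue
                rs_if = cpif.find("vzRsIf")
                match = CONTRACT_DN.fullmatch(rs_if.get("tDn", "")) if rs_if is not None else None
                if match is None:
                    problems.append(f"{where}: import does not reference a tenant contract")
                    continue
                src_tenant, src_contract = match.groups()
                source = tenants.get(src_tenant)
                contract = source.find(f"vzBrCP[@name='{src_contract}']") if source is not None else None
                if contract is None:
                    problems.append(f"{where}: contract {src_contract} not found in {src_tenant}")
                    continue
                # Task 1 Note: only Global contracts may be exported.
                if contract.get("scope") != "global":
                    problems.append(f"{where}: {src_contract} has scope {contract.get('scope')!r};"
                                    " only global contracts can be exported")
                # Task 3: the provider EPG must carry a Shared subnet or nothing is leaked.
                providers = [e for e in source.iter("fvAEPg")
                             if e.find(f"fvRsProv[@tnVzBrCPName='{src_contract}']") is not None]
                if not providers:
                    problems.append(f"{where}: no EPG in {src_tenant} provides {src_contract}")
                for prov in providers:
                    scopes = [s.get("scope", "").split(",") for s in prov.findall("fvSubnet")]
                    if not any("shared" in sc for sc in scopes):
                        problems.append(f"{where}: provider EPG {prov.get('name')} has no subnet with"
                                        f" shared scope, so no prefix is leaked into {tname}")
    return problems


if __name__ == "__main__":
    for problem in check_contract_interfaces(SAMPLE_UNI) or ["no problems found"]:
        print(problem)
```

Running it against the sample reports no problems; flipping the peer contract’s scope to context, or dropping shared from the provider subnet, produces one finding each, which is the same pair of mistakes that makes the ping in Task 5 fail while show endpoint looks unchanged.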

STOP! Wait until the student configuring your Peer Pod has completed all steps up to this point
before proceeding.

Task 5: Validate the Exported Contract Configuration


In this task, you will verify that traffic can successfully pass between the Web Server virtual machine in your
Pod and the Web Server virtual machine in your Peer Pod.

Activity Procedure
Complete these steps:
Step 36 Return to the VMware vSphere Client application.
Step 37 Press Ctrl-Shift-H to shift to the Hosts section.
Step 38 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace “##”
with your assigned Pod number):

Virtual Machine IP Address Default Gateway
Pod##-App 10.##.1.1/24 10.##.1.254
Pod##-DB 10.##.2.1/24 10.##.2.254
Pod##-Web 10.##.3.1/24 10.##.3.254

Step 39 Right-click the Pod##-Web VM and then select Open Console from the context menu.

Step 40 The console window for Pod##-Web will appear. You will see the Web server’s desktop.

Step 41 Open a Command Prompt window.


Step 42 Verify that your Web Server can ping the IP address of the Peer Pod Web Server using the ping
10.$$.3.1 command (replace “$$” with your Peer Pod Number).
Step 43 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 44 Log in to Leaf-1 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 45 Execute the show endpoint command. You should not see any new entries in this table. The
endpoints themselves have not changed, only the traffic allowed between them has changed.

Leaf-1# show endpoint
Legend:
 O - peer-attached    H - vtep            a - locally-aged    S - static
 V - vpc-attached     p - peer-aged       L - local           M - span
 s - static-arp       B - bounce
+-------------------------+---------------+-----------------+-----------+------+
 VLAN/                     Encap           MAC Address       MAC Info/   Interface
 Domain                    VLAN            IP Address        IP Info
+-------------------------+---------------+-----------------+-----------+------+
POD11:POD11-VRF 10.11.1.1 tunnel4
16/POD11:POD11-VRF vxlan-15728622 0050.569a.456e B tunnel4
19 vlan-3115 0050.569a.0a8a L eth1/33
POD11:POD11-VRF vlan-3115 10.11.3.1 L eth1/33
89 vlan-3114 0050.569a.5e25 L eth1/33
POD11:POD11-VRF vlan-3114 10.11.2.1 L eth1/33
POD12:POD12-VRF 10.12.2.1 tunnel4
POD12:POD12-VRF 10.12.3.1 tunnel4
22/POD12:POD12-VRF vxlan-15761386 0050.569a.8f07 B tunnel4
22/POD12:POD12-VRF vxlan-15761386 0050.569a.8e9b B tunnel4
25 vlan-3127 0050.569a.5479 L eth1/33
POD12:POD12-VRF vlan-3127 10.12.1.1 L eth1/33
overlay-1 172.19.104.95 L lo0
7/overlay-1 vxlan-16777209 88f0.313c.97f2 L eth1/1
7/overlay-1 vxlan-16777209 001a.6d03.0781 L eth1/11
<…output omitted…>

Step 46 Execute the show vrf command. Again, you should not see any new entries.

Note The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-1# show vrf
VRF-Name VRF-ID State Reason
black-hole 3 Up --
overlay-1 4 Up --
POD11:POD11-VRF 6 Up --
POD12:POD12-VRF 5 Up --
<…output omitted…>

Step 47 Execute the show ip route vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). You should see routes to each of the subnets used by your
bridge domain as well as a route to the Peer Pod Web EPG, 10.$$.3.0/24. This prefix was
leaked into your Pod VRF by the imported global contract.

Leaf-1# show ip route vrf POD##:POD##-VRF
IP Route Table for VRF "POD##:POD##-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.##.1.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.##.1.254/32, ubest/mbest: 1/0, attached
*via 10.##.1.254, vlan18, [1/0], 04:49:51, local, local
10.##.2.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:52, static
10.##.2.254/32, ubest/mbest: 1/0, attached
*via 10.##.2.254, vlan18, [1/0], 04:49:51, local, local
10.##.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:28:10, static
10.##.3.254/32, ubest/mbest: 1/0, attached
*via 10.##.3.254, vlan18, [1/0], 04:49:51, local, local
10.$$.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:18, static

Step 48 Execute the show ip route vrf POD$$:POD$$-VRF command (replace “$$” with your Peer
Pod Number). You should see routes to each of the subnets used by your Peer Pod’s bridge
domain as well as a route to your Pod’s Web EPG, 10.##.3.0/24. This prefix was leaked into
your Peer Pod’s VRF by the exported global contract.

Leaf-1# show ip route vrf POD$$:POD$$-VRF
IP Route Table for VRF "POD$$:POD$$-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.##.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:06:42, static
10.$$.1.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.1.254/32, ubest/mbest: 1/0, attached
*via 10.$$.1.254, vlan14, [1/0], 04:51:17, local, local
10.$$.2.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.2.254/32, ubest/mbest: 1/0, attached
*via 10.$$.2.254, vlan14, [1/0], 04:51:17, local, local
10.$$.3.0/24, ubest/mbest: 1/0, attached, direct, pervasive
*via 172.19.64.65%overlay-1, [1/0], 00:04:35, static
10.$$.3.254/32, ubest/mbest: 1/0, attached
*via 10.$$.3.254, vlan14, [1/0], 04:51:17, local, local

Lab 14: Configure External Layer 3 Connectivity using OSPF Routing
Overview
Complete this lab activity to become familiar with configuring L3 communications to an external network.
L3 outside connections provide IP connectivity between a Private Network of a Tenant and an external IP
network. The physical connection to the ACI Fabric is via an ACI leaf (also called a border leaf in this
context). Tenant subnets are injected into the routing protocol running between the border leaf and external
router. Users have control of which Tenant subnets they want to advertise to external routers.
Upon completing this guided lab, you will be able to:
 Configure External L3 network
 Create Application Profile to propagate Internal Public Routes
 Associate an L3 outside connection to a Bridge Domain
 Verify that the Leaf is Learning OSPF Routes
 Configure a contract between internal and external EPG

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Note The first step in this configuration is to create an Attachable Access Entity Profile (AEP) for the
interface connected to the external switch. The AEP will be the point to which you connect the
external routed domain you will create later in this lab exercise.

Note If you attempt to configure an external bridged or routed network without attaching it to an AEP
you will get inconsistent results as well as Faults generated within the APIC.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Create an Attachable Access Entity Profile


In this task, the Instructor will create an Attachable Access Entity Profile that will be used by each of the
students in a subsequent Task.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 8 Navigate to Global Policies > Attachable Access Entity Profiles.


Step 9 Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.
Step 10 The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.

Field Value
Name L3-LAB-AEP
Enable Infrastructure VLAN Checked

Step 11 Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.
Step 12 Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Note The next step is to create an Interface Policy Group for each Fabric. The Interface Policy Group
defines how an interface on a leaf switch should operate (e.g. link speed), and the Interface
Policy Group is also the point where you indicate which AEP will use the interface.

Note An Interface Policy Group may only include one AEP.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Create an Interface Policy Group


In this task, the Instructor will create an Interface Policy Group that will be used by the leaf interface
connecting to the routed networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 13 Navigate to Interface Policies > Policy Groups.


Step 14 Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.
Step 15 The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field Value
Name L3-LAB-INTERFACE-POLICY-GROUP
Link Level Policy POD##-1G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
CDP Policy POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
LLDP Policy POD##-ENABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Attached Entity Profile L3-LAB-AEP

Step 16 Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Note The next step is to create an Interface Profile for each Fabric. The Interface Profile will identify
the specific interface number(s) on the leaf switches that will use the associated Interface Policy
Group. The Interface Profile does not identify the leaf switches where the interfaces are located;
the leaf switches are identified in the Switch Profile (created later in this lab exercise).

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Create an Interface Profile


In this task, the Instructor will create an Interface Profile that will be used by the leaf interface connecting to
the routed networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 17 Navigate to Interface Policies > Profiles.


Step 18 Right-click the Profiles folder and then select Create Interface Profile from the context menu.
Step 19 The Create Interface Profile wizard will appear. In the Name field, type L3-LAB-
INTERFACE-PROFILE.

Step 20 In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field Value
Name INTERFACE-SELECTOR
Interface ID 1/6
Interface Policy Group L3-LAB-INTERFACE-POLICY-GROUP

Step 21 Click the OK button to complete the Create Access Port Selector wizard.

Step 22 Click the SUBMIT button to complete the Create Interface Profile wizard.

Note The next step is to create a Switch Profile for each Fabric. The Switch Profile identifies the
specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the
end of this step, assuming everything was configured properly, the physical interface on the leaf
switch should be in an up state.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 4: Create a Switch Profile
In this task, the Instructor will create a Switch Profile that will be used by the leaf interface connecting to the
routed networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23 Navigate to Switch Policies > Profiles.


Step 24 Right-click the Profiles folder and then select Create Switch Profile from the context menu.
Step 25 The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
L3-LAB-SWITCH-PROFILE.
Step 26 In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

Field Value
Name SWITCH-SELECTOR
Blocks 103

Step 27 Click the UPDATE button.


Step 28 Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select L3-LAB-INTERFACE-PROFILE.

Step 29 Click the FINISH button to complete the Create Switch Profile wizard.

Task 5: Create a VLAN Pool for the External Routed Domain


In this task, you will create a VLAN pool that will be used by the external routed domain you will create in
the next Task.

Activity Procedure
Complete these steps:

Note All students should perform this Task and all remaining Tasks in this lab exercise.

Step 30 Return to the APIC GUI running in your Chrome browser.


Step 31 In the Menu bar, click Fabric.
Step 32 In the Submenu bar, click Access Policies.
Step 33 In the Navigation pane, expand Pools > VLAN.
Step 34 Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 35 The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field Value
Name POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
Allocation Mode Static Allocation

Step 36 In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

Field Value
Range (From) 3## (replace “##” with your assigned 2-digit Pod Number)
Range (To) 3## (replace “##” with your assigned 2-digit Pod Number)

Step 37 Click the OK button.

Step 38 Click the SUBMIT button to complete the Create VLAN Pool wizard.

Note In this step you will create an External Routed Domain which will be used in subsequent lab
exercises. An External Routed Domain is required in order to configure layer 3 connectivity to
external networks.

Task 6: Create an External Routed Domain (Layer 3 Domain)


In this task, you will create an External Routed Domain that will use the VLAN Pool you created in the
previous Task.

Activity Procedure
Complete these steps:
Step 39 In the Menu bar, click Fabric.
Step 40 In the Submenu bar, click Access Policies.
Step 41 Navigate to Physical and External Domains > External Routed Domains.
Step 42 Right-click the External Routed Domains folder and then select Create Layer 3 Domain
from the context menu.

Step 43 The Create Layer 3 Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-EXTERNAL-ROUTED-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Associated Attachable Entity Profile L3-LAB-AEP
VLAN Pool POD##-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)

Step 44 Click the SUBMIT button to complete the Create Layer 3 Domain wizard.

Note At this point the physical interface of the leaf switch connected to the external network is ready
for use. Next, you will configure the policies necessary to route traffic through this interface.
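The Notes in Tasks 1 through 6 describe a chain of access-policy objects (AEP, interface policy group, interface profile, switch profile, VLAN pool, external routed domain) that together decide on which leaf port, and with which VLANs, the external routed domain can be used. The Python below is an added example, not part of this lab guide and not an APIC API; it models that chain with plain dictionaries (ACCESS_POLICIES is a constructed model for pod 11, not an APIC export) and resolves it the way the fabric would, reporting a broken link, such as the missing AEP attachment the Note before Task 1 warns about, as a named fault instead of silently yielding no ports.

```python
import copy

# Constructed model (not an APIC export) of the objects created in Tasks 1-6
# for pod 11. Each key mirrors one GUI object type from the lab.
ACCESS_POLICIES = {
    "vlan_pools": {
        "POD11-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL": {"mode": "static", "blocks": [(311, 311)]},
    },
    "l3_domains": {
        "POD11-EXTERNAL-ROUTED-DOMAIN": {
            "aep": "L3-LAB-AEP",
            "vlan_pool": "POD11-EXTERNAL-ROUTED-DOMAIN-VLAN-POOL",
        },
    },
    "aeps": {"L3-LAB-AEP": {"infra_vlan": True}},
    "policy_groups": {"L3-LAB-INTERFACE-POLICY-GROUP": {"aep": "L3-LAB-AEP"}},
    "interface_profiles": {
        "L3-LAB-INTERFACE-PROFILE": {
            "selectors": [{"name": "INTERFACE-SELECTOR", "ports": ["1/6"],
                           "policy_group": "L3-LAB-INTERFACE-POLICY-GROUP"}],
        },
    },
    "switch_profiles": {
        "L3-LAB-SWITCH-PROFILE": {"nodes": [103],
                                  "interface_profiles": ["L3-LAB-INTERFACE-PROFILE"]},
    },
}


def resolve_domain(policies: dict, domain_name: str) -> dict:
    """Walk domain -> AEP -> policy group -> interface profile -> switch profile.

    Returns {"ports": [(node, "eth1/x"), ...], "vlans": [...], "faults": [...]}.
    An empty "faults" list with at least one port means an L3Out in this
    domain can be placed on that port with any VLAN from the pool.
    """
    result = {"ports": [], "vlans": [], "faults": []}
    domain = policies["l3_domains"].get(domain_name)
    if domain is None:
        result["faults"].append(f"L3 domain {domain_name} does not exist")
        return result

    pool = policies["vlan_pools"].get(domain.get("vlan_pool"))
    if pool is None:
        result["faults"].append(f"{domain_name}: no VLAN pool associated")
    elif pool["mode"] != "static":
        # The L3Out encap is typed in by the administrator, so the pool must be static.
        result["faults"].append(f"{domain_name}: VLAN pool must use static allocation")
    else:
        for low, high in pool["blocks"]:
            result["vlans"].extend(range(low, high + 1))

    aep = domain.get("aep")
    if aep not in policies["aeps"]:
        # The lab Note: a domain not attached to an AEP produces faults on the APIC.
        result["faults"].append(f"{domain_name}: not attached to an AEP")
        return result

    policy_groups = [n for n, pg in policies["policy_groups"].items() if pg.get("aep") == aep]
    if not policy_groups:
        result["faults"].append(f"AEP {aep}: no interface policy group references it")
        return result

    # (interface profile, port) pairs whose selector uses one of those policy groups
    selected = []
    for prof_name, profile in policies["interface_profiles"].items():
        for selector in profile["selectors"]:
            if selector["policy_group"] in policy_groups:
                selected.extend((prof_name, port) for port in selector["ports"])
    if not selected:
        result["faults"].append(f"policy groups {policy_groups}: not used by any interface selector")
        return result

    # The switch profile finally names the leaf nodes where the ports live.
    for switch in policies["switch_profiles"].values():
        for prof_name, port in selected:
            if prof_name in switch["interface_profiles"]:
                result["ports"].extend((node, f"eth{port}") for node in switch["nodes"])
    if not result["ports"]:
        profiles = sorted({p for p, _ in selected})
        result["faults"].append(f"interface profiles {profiles}: not associated with any switch profile")
    result["ports"].sort()
    return result


def without_aep(policies: dict, domain_name: str) -> dict:
    """Deep copy of the model with the domain's AEP association removed, to
    dry-run the misconfiguration the lab Note warns about."""
    broken = copy.deepcopy(policies)
    broken["l3_domains"][domain_name]["aep"] = None
    return broken


if __name__ == "__main__":
    print(resolve_domain(ACCESS_POLICIES, "POD11-EXTERNAL-ROUTED-DOMAIN"))
    print(resolve_domain(without_aep(ACCESS_POLICIES, "POD11-EXTERNAL-ROUTED-DOMAIN"),
                         "POD11-EXTERNAL-ROUTED-DOMAIN"))
```

For the lab’s values the result is node 103, eth1/6 with VLAN 311 and no faults, which is exactly the leaf and port the Instructor selected in Tasks 3 and 4; detaching the AEP yields no ports and a single fault naming the domain.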

Note The next step is to configure an OSPF Interface Policy, which defines attributes of how an
interface should use OSPF. These attributes correspond to those you would configure on an
interface in IOS.

Task 7: Configure an OSPF Interface Policy


In this task, you will configure an OSPF Interface Policy which is used to specify the settings necessary to
bring up an OSPF adjacency.

Activity Procedure
Complete these steps:

Note All students should perform this task.

Step 45 In the Menu bar, click Tenants.


Step 46 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 47 In the Navigation pane, expand Tenant POD## > Networking > Protocol Policies > OSPF
Interface.
Step 48 Right-click the OSPF Interface folder and then select Create OSPF Interface Policy from the
context menu.

Step 49 The Create OSPF Interface Policy wizard will appear. Enter the values in the following table;
do NOT change any of the values that are not listed in the following table.

Field Value
Name POD##-OSPF-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Network Type Broadcast
Interface Controls – Advertise Subnet Checked

Step 50 Click the SUBMIT button to complete the Create OSPF Interface Policy wizard.

Task 8: Create an External Routed Network


In this task, you will configure an External Routed Network, which will contain all of the necessary
information to create an OSPF connection between the leaf switch and an external router.

Activity Procedure
Complete these steps:
Step 51 In the Navigation pane, expand Tenant POD## > Networking > External Routed Networks.

Step 52 Right-click the External Routed Networks folder and then select Create Routed Outside
from the context menu.

Step 53 The Create Routed Outside wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                   Value
Name                    POD##-EXTERNAL-ROUTED-NETWORK (replace “##” with your assigned 2-digit Pod Number)
VRF                     POD##-VRF (replace “##” with your assigned 2-digit Pod Number)
External Routed Domain  POD##-EXTERNAL-ROUTED-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
OSPF                    Checked
OSPF Area ID            ## (replace “##” with your assigned 2-digit Pod Number)
OSPF Area Type          NSSA area

Step 54 In the Nodes And Interfaces Protocol Profiles subsection, click the plus sign to create a new
entry. The Create Node Profile wizard will appear. In the Name field type POD##-
LOGICAL-NODE-PROFILE (replace “##” with your assigned 2-digit Pod Number).

Step 55 In the Nodes subsection, click the plus sign to create a new entry. The Select Node wizard will
appear. Enter the values in the following table; do NOT change any of the values that are not
listed in the following table.

Field                              Value
Node ID                            Leaf-2 (Node 103)
Router ID                          ##.##.##.## (replace “##” with your assigned 2-digit Pod Number)
Use Router ID as Loopback Address  Checked

Step 56 Click the OK button to complete the Select Node wizard.

Step 57 In the OSPF Interface Profiles subsection, click the plus sign to create a new entry. The
Create Interface Profile wizard will appear. Enter the values in the following table.

Field                Value
Name                 POD##-LOGICAL-INTERFACE-PROFILE (replace “##” with your assigned 2-digit Pod Number)
Authentication Type  MD5
Authentication Key   1234QWer
OSPF Policy          POD##-OSPF-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)

Step 58 In the Interfaces subsection, click the SVI Tab.
Step 59 In the SVI Interfaces subsection, click the plus sign to create a new entry. The Select SVI
Interface wizard will appear. Enter the values in the following table; do NOT change any of the
values that are not listed in the following table.

Field Value
Path Type Port
Path Leaf-2 / Port 1/6
Encap vlan-3## (replace “##” with your assigned 2-digit Pod Number)
IP Address 172.16.##.2/24 (replace “##” with your assigned 2-digit Pod Number)
MTU (bytes) 1500

Step 60 Click the OK button to complete the Select SVI Interface wizard.

Step 61 Click the OK button to complete the Create Interface Profile wizard.

Step 62 Click the OK button to complete the Create Node Profile wizard.

Step 63 Click the NEXT button.

Step 64 In STEP 2 > External EPG Networks, in the External EPG Networks subsection, click the
plus sign to create a new entry. The Create External Network wizard will appear. In the
Name field type POD##-ROUTED-EXTERNAL-EPG (replace “##” with your assigned 2-
digit Pod Number).

Step 65 In the Subnet subsection, click the plus sign to create a new entry. The Create Subnet wizard
will appear. In the IP Address field type 10.1##.0.0/16 (replace “##” with your assigned 2-digit
Pod Number).

Step 66 Click the OK button to complete the Create Subnet wizard.


Step 67 In the Subnet subsection, click the plus sign to create a new entry. The Create Subnet wizard
will appear. In the IP Address field type 172.16.##.0/24 (replace “##” with your assigned 2-
digit Pod Number).
Step 68 Click the OK button to complete the Create Subnet wizard.

Step 69 Click the OK button to complete the Create External Network wizard.

Step 70 Click the FINISH button to complete the Create Routed Outside wizard.

Task 9: Configure Contracts between the Web EPG and the External
Routed Network
In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External
Routed Network EPG.

Activity Procedure

Complete these steps:
Step 71 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG > Contracts.
Step 72 Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 73 The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-
CONTRACT-ANY from the drop-down list.

Step 74 Click the SUBMIT button to complete the Add Provided Contract wizard.
Step 75 In the Navigation pane, expand Tenant POD## > Networking > External Routed Networks
> POD##-EXTERNAL-ROUTED-NETWORK > Networks > POD##-ROUTED-
EXTERNAL-EPG.
Step 76 In the Work panel, click the Policy tab and then click the Contracts sub-tab.
Step 77 In the Consumed Contracts pane, click the plus sign to create a new entry. In the NAME field,
select POD##/POD##-CONTRACT-ANY from the drop-down list.

Step 78 Click the UPDATE button.

Task 10: Associate the External Routed Network to the Bridge Domain
In this task, you will configure the bridge domain within your Tenant to use the external routed network.

Activity Procedure
Complete these steps:
Step 79 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-
BD.
Step 80 In the Work panel, click the Policy tab and then click the L3 Configurations sub-tab.
Step 81 In the Work pane, in the Associated L3 Outs subsection, click the plus sign to create a new
entry. In the L3 OUT field, select POD##/POD##-EXTERNAL-ROUTED-NETWORK
from the drop-down list.

Step 82 Click the UPDATE button. A Policy Usage Warning will appear indicating the other objects
that will be affected by the changes.
Step 83 Click the SUBMIT button.

Step 84 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE and then click the Topology tab in the Work pane. You should
now see the updated diagram for the application profile and that it includes the new
connectivity to the external routed network.

Task 11: Advertise Subnets to the External Routed Network


In this task, you will configure the bridge domain within your Tenant to advertise routes to the external
routed network.

Activity Procedure
Complete these steps:
Step 85 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-
BD > Subnets > 10.##.1.254/24.
Step 86 In the Work pane, change the Scope setting to Advertised Externally.

Step 87 Click the SUBMIT button. A Policy Usage Warning will appear indicating the other objects
that will be affected by the changes.
Step 88 Click the SUBMIT button.
Step 89 Repeat the previous four steps to change the scope to Advertised Externally for the subnet
10.##.2.254/24.
Step 90 Repeat the previous four steps to change the scope to Advertised Externally for the subnet
10.##.3.254/24.
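
The configuration that Tasks 8 through 11 build in the GUI, expressed as the JSON an APIC REST client would POST to /api/mo/uni/tn-POD##.json (compare Lab 10). This is an added example, not part of the lab guide; it assumes the standard APIC managed-object class and attribute names (l3extOut, ospfExtP, l3extRsPathL3OutAtt, fvRsBDToOut, and so on) and takes the OSPF authentication key as a parameter instead of embedding it.

```python
"""APIC REST payload for Lab 14 Tasks 8-11: an OSPF L3Out, the contract
binding, the bridge-domain association and the externally advertised
subnets, with the guide's '##' placeholders expanded for one pod."""
import json
import re

POD_RE = re.compile(r"^\d{2}$")


def names(pod):
    """Expand every '##' value used in Tasks 7-11 for a 2-digit pod number."""
    if not POD_RE.match(pod):
        raise ValueError("pod must be a 2-digit string such as '11'")
    return {
        "tenant": f"POD{pod}", "vrf": f"POD{pod}-VRF", "bd": f"POD{pod}-BD",
        "ap": f"POD{pod}-APPLICATION-PROFILE", "web_epg": f"POD{pod}-WEB-EPG",
        "contract": f"POD{pod}-CONTRACT-ANY",
        "l3dom": f"POD{pod}-EXTERNAL-ROUTED-DOMAIN",
        "ospf_pol": f"POD{pod}-OSPF-INTERFACE-POLICY",
        "l3out": f"POD{pod}-EXTERNAL-ROUTED-NETWORK",
        "node_prof": f"POD{pod}-LOGICAL-NODE-PROFILE",
        "if_prof": f"POD{pod}-LOGICAL-INTERFACE-PROFILE",
        "ext_epg": f"POD{pod}-ROUTED-EXTERNAL-EPG",
        "area": pod,                              # OSPF Area ID ##
        "rtr_id": ".".join([pod] * 4),            # Router ID ##.##.##.##
        "encap": f"vlan-3{pod}",                  # SVI encap vlan-3##
        "svi_addr": f"172.16.{pod}.2/24",         # SVI IP address
        "ext_subnets": [f"10.1{pod}.0.0/16", f"172.16.{pod}.0/24"],
        "bd_subnets": [f"10.{pod}.{i}.254/24" for i in (1, 2, 3)],
    }


def l3out(n, auth_key):
    """l3extOut subtree: Task 8 (Create Routed Outside) plus the contract the
    external EPG consumes in Task 9."""
    return {"l3extOut": {"attributes": {"name": n["l3out"]}, "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": n["vrf"]}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{n['l3dom']}"}}},
        {"ospfExtP": {"attributes": {"areaId": n["area"], "areaType": "nssa"}}},
        {"l3extLNodeP": {"attributes": {"name": n["node_prof"]}, "children": [
            {"l3extRsNodeL3OutAtt": {"attributes": {
                "tDn": "topology/pod-1/node-103",          # Leaf-2
                "rtrId": n["rtr_id"], "rtrIdLoopBack": "yes"}}},
            {"l3extLIfP": {"attributes": {"name": n["if_prof"]}, "children": [
                # MD5 authentication stops an unauthenticated router from
                # forming an adjacency with the border leaf (Task 8, Step 57).
                {"ospfIfP": {"attributes": {"authType": "md5", "authKeyId": "1",
                                            "authKey": auth_key},
                             "children": [{"ospfRsIfPol": {"attributes": {
                                 "tnOspfIfPolName": n["ospf_pol"]}}}]}},
                {"l3extRsPathL3OutAtt": {"attributes": {
                    "tDn": "topology/pod-1/paths-103/pathep-[eth1/6]",
                    "ifInstT": "ext-svi", "encap": n["encap"],
                    "addr": n["svi_addr"], "mtu": "1500"}}},
            ]}},
        ]}},
        {"l3extInstP": {"attributes": {"name": n["ext_epg"]}, "children":
            [{"l3extSubnet": {"attributes": {"ip": s}}} for s in n["ext_subnets"]]
            + [{"fvRsCons": {"attributes": {"tnVzBrCPName": n["contract"]}}}]}},
    ]}}


def tenant_payload(pod, auth_key):
    """Whole fvTenant subtree to POST to /api/mo/uni/tn-POD##.json."""
    n = names(pod)
    return {"fvTenant": {"attributes": {"name": n["tenant"]}, "children": [
        l3out(n, auth_key),
        # Task 10: associate the L3Out with the BD. Task 11: scope "public"
        # is the GUI's "Advertised Externally" on each BD subnet.
        {"fvBD": {"attributes": {"name": n["bd"]}, "children":
            [{"fvRsBDToOut": {"attributes": {"tnL3extOutName": n["l3out"]}}}]
            + [{"fvSubnet": {"attributes": {"ip": s, "scope": "public"}}}
               for s in n["bd_subnets"]]}},
        # Task 9: the Web EPG provides the contract the external EPG consumes.
        {"fvAp": {"attributes": {"name": n["ap"]}, "children": [
            {"fvAEPg": {"attributes": {"name": n["web_epg"]}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": n["contract"]}}}]}}]}},
    ]}}


def find_attr(tree, cls, attr):
    """Return every value of attr on objects of class cls anywhere in tree."""
    found = []
    if isinstance(tree, dict):
        for k, v in tree.items():
            if k == cls and isinstance(v, dict) and attr in v.get("attributes", {}):
                found.append(v["attributes"][attr])
            found.extend(find_attr(v, cls, attr))
    elif isinstance(tree, list):
        for item in tree:
            found.extend(find_attr(item, cls, attr))
    return found


if __name__ == "__main__":
    print(json.dumps(tenant_payload("11", "REPLACE-WITH-OSPF-KEY"), indent=2))
```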

Task 12: Verify That the Leaf Is Learning OSPF Routes


In this task, you will verify what you have configured for OSPF and check the OSPF adjacency and routes on
the ACI border leaf.

Activity Procedure
Complete these steps:
Step 91 In the Navigation pane, expand Tenant POD## > Networking > External Routed Networks
> POD##-EXTERNAL-ROUTED-NETWORK > Logical Node Profiles > POD##-
LOGICAL-NODE-PROFILE > Configured Nodes > topology/pod-1/node-103 > OSPF for
VRF POD##:POD##-VRF. You should see one OSPF neighbor to the external router listed.

Step 92 In the Navigation pane, expand … OSPF for VRF POD##:POD##-VRF > Routes. You
should see several routes being advertised by the external routers, which include the following:
 10.1##.7.1/32
 10.1##.8.1/32
 10.1##.9.1/32

Step 93 From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.
Step 94 Log in to Leaf-2 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 95 Execute the show vrf command.

Note The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-2# show vrf
VRF-Name                           VRF-ID State   Reason
black-hole                              3 Up      --
overlay-1                               4 Up      --
POD11:POD11-VRF                         6 Up      --
POD12:POD12-VRF                         5 Up      --
<…output omitted…>

Step 96 Execute the show ip route ospf vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). You should see routes to the following subnets:
 10.1##.7.1/32
 10.1##.8.1/32
 10.1##.9.1/32

Leaf-2# show ip route ospf vrf POD##:POD##-VRF
IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.1##.7.1/32, ubest/mbest: 1/0
    *via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.1##.8.1/32, ubest/mbest: 1/0
    *via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.1##.9.1/32, ubest/mbest: 1/0
    *via 172.16.##.1, vlan21, [110/5], 00:39:52, ospf-default, inter

Step 97 Execute the iping –V POD##:POD##-VRF 10.1##.7.1 command (replace “##” with your
assigned 2-digit Pod Number). The ping should be successful.

Note When testing connectivity through the fabric, the iping command will generate traffic and use the
VXLAN overlay as needed; the ping command does not use the VXLAN overlay.

Leaf-2# iping -V POD##:POD##-VRF 10.1##.7.1
PING 10.1##.7.1 (10.1##.7.1) from 172.16.##.2: 56 data bytes
64 bytes from 10.1##.7.1: icmp_seq=0 ttl=255 time=0.842 ms
64 bytes from 10.1##.7.1: icmp_seq=1 ttl=255 time=0.902 ms
64 bytes from 10.1##.7.1: icmp_seq=2 ttl=255 time=0.829 ms
64 bytes from 10.1##.7.1: icmp_seq=3 ttl=255 time=0.831 ms
64 bytes from 10.1##.7.1: icmp_seq=4 ttl=255 time=0.857 ms

--- 10.1##.7.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.829/0.852/0.902 ms

Step 98 Execute the show endpoint vrf POD##:POD##-VRF detail command (replace “##” with your
assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC
within your VRF. You should see an entry with the IP address ##.##.##.##; this indicates
that the external devices are identified as a single endpoint.

Leaf-2# show endpoint vrf POD##:POD##-VRF detail
Legend:
 O - peer-attached    H - vtep          a - locally-aged    S - static
 V - vpc-attached     p - peer-aged     L - local           M - span
 s - static-arp       B - bounce
+-----------------+---------------+-----------------+--------------+-------------+----------------------------------------------+
      VLAN/          Encap           MAC Address       MAC Info/       Interface     Endpoint Group
      Domain         VLAN            IP Address        IP Info                       Info
+-----------------+---------------+-----------------+--------------+-------------+----------------------------------------------+
POD##:POD##-VRF                    ##.##.##.##       L
19                vlan-3101        0050.568c.a008    LV              po1           POD##:POD##-APPLICATION-PROFILE:POD##-APP-EPG
POD##:POD##-VRF   vlan-3101        10.##.1.1         LV
20                vlan-3102        0050.568c.a369    LpV             po1           POD##:POD##-APPLICATION-PROFILE:POD##-DB-EPG
POD##:POD##-VRF   vlan-3102        10.##.2.1         LV
21                vlan-3134        0050.568c.e660    LpV             po1           POD##:POD##-APPLICATION-PROFILE:POD##-WEB-EPG
POD##:POD##-VRF   vlan-3134        10.##.3.1         LV

+------------------------------------------------------------------------------+
Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints : 4
Total number of Remote Endpoints : 0
Total number of Peer Endpoints : 0
Total number of vPC Endpoints : 3
Total number of non-vPC Endpoints : 1
Total number of MACs : 3
Total number of VTEPs : 0
Total number of Local IPs : 4
Total number of Remote IPs : 0
Total number All EPs : 4

Step 99 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 100 Log in to Leaf-1 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 101 Execute the show ip route ospf vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). You will not see any routes as OSPF is not running on Leaf-1.

Leaf-1# show ip route ospf vrf POD##:POD##-VRF
IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

Step 102 Execute the show ip route bgp vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). You will see the routes to the external networks as prefixes that
have been redistributed into the BGP routing process.

Leaf-1# show ip route bgp vrf POD##:POD##-VRF
IP Route Table for VRF "POD##:POD##-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.1##.7.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
10.1##.8.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
10.1##.9.1/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/41], 01:02:45, bgp-100, internal, tag 100
##.##.##.##/32, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [0/0], 01:03:38, bgp-100, internal, tag 100
172.16.##.0/24, ubest/mbest: 1/0
    *via 172.19.216.95%overlay-1, [200/0], 01:03:32, bgp-100, internal, tag 100

Step 103 Return to the VMware vSphere Client application.


Step 104 Press Ctrl-Shift-H to shift to the Hosts section.
Step 105 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace “##”
with your assigned Pod number):

Virtual Machine   IP Address      Default Gateway
Pod##-App         10.##.1.1 /24   10.##.1.254
Pod##-DB          10.##.2.1 /24   10.##.2.254
Pod##-Web         10.##.3.1 /24   10.##.3.254

Step 106 Right-click the Pod##-Web VM and then select Open Console from the context menu.

Step 107 The console window for Pod##-Web will appear. You will see the Web server’s desktop.
Step 108 Open a Command Prompt window.
Step 109 Verify that your Web Server can ping the IP address of the first route learned via OSPF using
the ping 10.1##.7.1 command (replace “##” with your assigned 2-digit Pod Number).
Step 110 Verify that your Web Server can ping the IP address of the second route learned via OSPF
using the ping 10.1##.8.1 command (replace “##” with your assigned 2-digit Pod Number).
Step 111 Verify that your Web Server can ping the IP address of the third route learned via OSPF using
the ping 10.1##.9.1 command (replace “##” with your assigned 2-digit Pod Number).
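
A scripted version of the Step 96 check, added here and not part of the lab guide. It parses the output of show ip route ospf vrf and reports prefixes that are missing, that were not expected, or that were learned from a next hop other than the external router at 172.16.##.1; the constructed sample is modelled on the Step 96 output for pod 11, with one extra prefix appended to show how an unexpected advertisement is reported.

```python
"""Check the border leaf's OSPF routing table the way Task 12 does by eye:
every expected 10.1##.x.1/32 route is present, learned via the external
router's SVI address 172.16.##.1, and nothing unexpected has been learned."""
import re

# Constructed sample modelled on the Step 96 output for pod 11. The last
# prefix is NOT in the lab; it is added here to exercise the unexpected-route case.
SAMPLE_POD11 = """\
IP Route Table for VRF "POD11:POD11-VRF"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.111.7.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.111.8.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
10.111.9.1/32, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:39:52, ospf-default, inter
192.168.99.0/24, ubest/mbest: 1/0
    *via 172.16.11.1, vlan21, [110/5], 00:01:10, ospf-default, inter
"""

PREFIX_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}), ubest/mbest: (\d+)/(\d+)")
# next-hop, interface, [pref/metric], uptime, protocol, route type
VIA_RE = re.compile(
    r"^\s*\*via ([^,]+), ([^,]+), \[(\d+)/(\d+)\], ([^,]+), ([^,]+), (\S+)")


def parse_routes(text):
    """Return {prefix: [next-hop dicts]} from 'show ip route ospf vrf' output.
    Lines that do not carry an interface field (e.g. BGP routes via the
    overlay) are deliberately ignored."""
    routes, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = m.group(1)
            routes[current] = []
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            routes[current].append({
                "nexthop": m.group(1), "interface": m.group(2),
                "preference": int(m.group(3)), "metric": int(m.group(4)),
                "uptime": m.group(5), "protocol": m.group(6), "type": m.group(7)})
    return routes


def expected_prefixes(pod):
    """The three host routes the external router advertises in this lab."""
    return {f"10.1{pod}.{i}.1/32" for i in (7, 8, 9)}


def check_ospf_routes(text, pod):
    """Compare learned OSPF routes with what the lab says Leaf-2 should see."""
    routes = parse_routes(text)
    expected = expected_prefixes(pod)
    nexthop = f"172.16.{pod}.1"           # the external router's SVI address
    learned = set(routes)
    wrong_nexthop = sorted(
        p for p in learned & expected
        if not any(v["nexthop"] == nexthop and v["protocol"].startswith("ospf")
                   for v in routes[p]))
    missing = sorted(expected - learned)
    unexpected = sorted(learned - expected)   # a prefix nobody should be sending us
    return {"missing": missing, "unexpected": unexpected,
            "wrong_nexthop": wrong_nexthop,
            "ok": not (missing or unexpected or wrong_nexthop)}


if __name__ == "__main__":
    print(check_ospf_routes(SAMPLE_POD11, "11"))
```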

Lab 15: Configure External Layer 2 Connectivity -
Extending a Bridge Domain
Overview
Complete this lab activity to become familiar with configuring an L2 connection to an external network.
An L2 outside connection is associated with a bridge domain and is designed to extend the whole bridge
domain.
Upon completing this guided lab, you will be able to:
 Create an External Bridged Network

Task 0: Log in to the APIC Controller and the VMware vSphere Client
In this task, you will log in to the APIC controller using the graphical user interface (GUI) and you will log
in to your assigned VMware vCenter server using the VMware vSphere Client.

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 Username: root
 Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Note The first step in this configuration is to create an Attachable Access Entity Profile (AEP) for the
interface connected to the external switch. The AEP will be the point to which you connect the
external bridged domain you will create later in this lab exercise.

Note If you attempt to configure an external bridged or routed network without attaching it to an AEP
you will get inconsistent results as well as Faults generated within the APIC.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 1: Create an Attachable Access Entity Profile


In this task, the Instructor will create an Attachable Access Entity Profile that will be used by each of the
students in a subsequent Task.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 8 Navigate to Global Policies > Attachable Access Entity Profiles.


Step 9 Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.
Step 10 The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > Profile, enter
the values in the following table.

Field Value
Name L2-LAB-AEP
Enable Infrastructure VLAN Checked

Step 11 Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.
Step 12 Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Note The next step is to create an Interface Policy Group for each Fabric. The Interface Policy Group
defines how an interface on a leaf switch should operate (e.g. link speed), and the Interface
Policy Group is also the point where you indicate which AEP will use the interface.

Note An Interface Policy Group may only include one AEP.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 2: Create an Interface Policy Group


In this task, the Instructor will create an Interface Policy Group that will be used by the leaf interface
connecting to the bridged networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 13 Navigate to Interface Policies > Policy Groups.


Step 14 Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 15 The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                    Value
Name                     L2-LAB-INTERFACE-POLICY-GROUP
Link Level Policy        POD##-1G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
CDP Policy               POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
LLDP Policy              POD##-ENABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Attached Entity Profile  L2-LAB-AEP

Step 16 Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Note The next step is to create an Interface Profile for each Fabric. The Interface Profile will identify
the specific interface number(s) on the leaf switches that will use the associated Interface Policy
Group. The Interface Profile does not identify the leaf switches where the interfaces are located;
the leaf switches are identified in the Switch Profile (created later in this lab exercise).

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 3: Create an Interface Profile


In this task, the Instructor will create an Interface Profile that will be used by the leaf interface connecting to
the bridged networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 17 Navigate to Interface Policies > Profiles.


Step 18 Right-click the Profiles folder and then select Create Interface Profile from the context menu.

Step 19 The Create Interface Profile wizard will appear. In the Name field, type L2-LAB-
INTERFACE-PROFILE.

Step 20 In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field Value
Name INTERFACE-SELECTOR
Interface ID 1/5
Interface Policy Group L2-LAB-INTERFACE-POLICY-GROUP

Step 21 Click the OK button to complete the Create Access Port Selector wizard.

Step 22 Click the SUBMIT button to complete the Create Interface Profile wizard.

Note The next step is to create a Switch Profile for each Fabric. The Switch Profile identifies the
specific nodes (leaf switches) to which the associated Interface Profile should be applied. At the
end of this step, assuming everything was configured properly, the physical interface on the leaf
switch should be in an up state.

STOP! This Task will be performed by the Instructor; students do NOT perform this Task.

Task 4: Create a Switch Profile


In this task, the Instructor will create a Switch Profile that will be used by the leaf interface connecting to the
bridged networks.

Activity Procedure
Complete these steps:

STOP! The following steps will be performed by the Instructor; students do NOT perform this
Task.

Step 23 Navigate to Switch Policies > Profiles.


Step 24 Right-click the Profiles folder and then select Create Switch Profile from the context menu.
Step 25 The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
L2-LAB-SWITCH-PROFILE.
Step 26 In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

Field Value
Name SWITCH-SELECTOR
Blocks 103

Step 27 Click the UPDATE button.


Step 28 Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select L2-LAB-INTERFACE-PROFILE.

Step 29 Click the FINISH button to complete the Create Switch Profile wizard.
Step 30 From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.
Step 31 Log in to Leaf-2 using the following information:
 Login as: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 32 Execute the show interface e1/5 brief command. You should see that the interface selected in
the Interface Profile (1/5) is in an up state.

Leaf-2# show interface e1/5 brief
--------------------------------------------------------------------------------
Ethernet        VLAN    Type Mode   Status  Reason                   Speed     Port
Interface                                                                      Ch #
--------------------------------------------------------------------------------
Eth1/5          0       eth  trunk  up      none                     1000(D)   --

Task 5: Create a VLAN Pool for the External Bridged Domain


In this task, you will create a VLAN pool that will be used by the external bridged domain you will create in
the next Task.

Activity Procedure
Complete these steps:

Note All students should perform this Task and all remaining Tasks in this lab exercise.

Step 33 Return to the APIC GUI running in your Chrome browser.


Step 34 In the Menu bar, click Fabric.
Step 35 In the Submenu bar, click Access Policies.
Step 36 In the Navigation pane, expand Pools > VLAN.
Step 37 Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 38 The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field            Value
Name             POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
Allocation Mode  Static Allocation

Step 39 In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

Field Value
Range (From) 2## (replace “##” with your assigned 2-digit Pod Number)
Range (To) 2## (replace “##” with your assigned 2-digit Pod Number)

Step 40 Click the OK button.

Step 41 Click the SUBMIT button to complete the Create VLAN Pool wizard.

Note In this step you will create an External Bridged Domain which will be used in subsequent lab
exercises. An External Bridged Domain is required in order to configure layer 2 connectivity to
external networks.

Task 6: Create an External Bridged Domain (Layer 2 Domain)


In this task, you will create an External Bridged Domain that will use the VLAN Pool you created in the
previous Task.

Activity Procedure
Complete these steps:
Step 42 In the Menu bar, click Fabric.
Step 43 In the Submenu bar, click Access Policies.
Step 44 Navigate to Physical and External Domains > External Bridged Domains.
Step 45 Right-click the External Bridged Domains folder and then select Create Layer 2 Domain
from the context menu.

Step 46 The Create Layer 2 Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field                                 Value
Name                                  POD##-EXTERNAL-BRIDGED-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Associated Attachable Entity Profile  L2-LAB-AEP
VLAN Pool                             POD##-EXTERNAL-BRIDGED-DOMAIN-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)

Step 47 Click the SUBMIT button to complete the Create Layer 2 Domain wizard.

Task 7: Create an External Bridged Network


In this task, you will configure an External Bridged Network, which will contain all of the necessary
information to create a layer 2 connection between the leaf switch and an external VLAN.

Activity Procedure
Complete these steps:
Step 48 In the Navigation pane, expand Tenant POD## > Networking > External Bridged Networks.
Step 49 Right-click the External Bridged Networks folder and then select Create Bridged Outside
from the context menu.

Step 50 The Create Bridged Outside wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                    Value
Name                     POD##-EXTERNAL-BRIDGED-NETWORK (replace “##” with your assigned 2-digit Pod Number)
External Bridged Domain  POD##-EXTERNAL-BRIDGED-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Bridge Domain            POD##-BD (replace “##” with your assigned 2-digit Pod Number)
Encap                    vlan-2## (replace “##” with your assigned 2-digit Pod Number)
Path Type                Port
Path                     Node-103/eth1/5

Note Make sure to click the ADD button after you select the path; the path you select must appear in
the lower portion of the wizard.

Step 51 Click the NEXT button.


Step 52 In STEP 2 > External EPG Networks, in the External EPG Networks subsection, click the
plus sign to create a new entry.
Step 53 The Create External Network wizard will appear. In the Name field type POD##-
EXTERNAL-BRIDGED-EPG (replace “##” with your assigned 2-digit Pod Number).

Step 54 Click the SUBMIT button to complete the Create External Network wizard.

Step 55 Click the FINISH button to complete the Create Bridged Outside wizard.

Task 8: Configure Contracts between the Web EPG and the External
Bridged Network
In this task, you will configure Contracts to allow traffic to flow between the Web EPG and the External
Bridged Network EPG.

Activity Procedure
Complete these steps:
Step 56 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-WEB-EPG > Contracts.
Step 57 Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 58 The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-
CONTRACT-ANY from the drop-down list.

Step 59 Click the SUBMIT button to complete the Add Provided Contract wizard.
Step 60 In the Navigation pane, expand Tenant POD## > Networking > External Bridged Networks
> POD##-EXTERNAL-BRIDGED-NETWORK > Networks > POD##-EXTERNAL-
BRIDGED-EPG.
Step 61 In the Work panel, click the Policy tab.
Step 62 In the Consumed Contracts pane, click the plus sign to create a new entry. In the NAME field,
select POD##-CONTRACT-ANY from the drop-down list.

Step 63 Click the UPDATE button.
Step 64 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE.
Step 65 In the Work pane, click the Policy tab. You should see that the diagram representing the objects
within your Application Profile has been updated to include the new contracts.
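
The Bridged Outside from Tasks 7 and 8 as the JSON an APIC REST client would POST to /api/mo/uni/tn-POD##.json, added here as an example and not part of the lab guide. It assumes the standard l2ext* class names; the logical node and interface profile names (POD##-L2-NODE-PROFILE, POD##-L2-INTERFACE-PROFILE) are placeholders for objects the wizard creates but the lab does not name.

```python
"""APIC REST payload for Lab 15 Tasks 7-8: a Bridged Outside (l2extOut) that
extends POD##-BD over one VLAN on Leaf-2 eth1/5, with the external EPG
consuming the contract the Web EPG provides."""
import json
import re


def l2out_payload(pod, node=103, port="eth1/5"):
    """Build the fvTenant subtree for one 2-digit pod number."""
    if not re.fullmatch(r"\d{2}", pod):
        raise ValueError("pod must be a 2-digit string such as '11'")
    tenant, bd = f"POD{pod}", f"POD{pod}-BD"
    contract = f"POD{pod}-CONTRACT-ANY"
    l2out = f"POD{pod}-EXTERNAL-BRIDGED-NETWORK"
    l2dom = f"POD{pod}-EXTERNAL-BRIDGED-DOMAIN"
    encap = f"vlan-2{pod}"                                   # Encap vlan-2##
    path = f"topology/pod-1/paths-{node}/pathep-[{port}]"    # Node-103/eth1/5
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"l2extOut": {"attributes": {"name": l2out}, "children": [
            # Unlike an L3Out, an L2Out binds to exactly one bridge domain and
            # one encap: the external VLAN joins that BD's flood domain, so the
            # contract on the external EPG is the only policy boundary left.
            {"l2extRsEBd": {"attributes": {"tnFvBDName": bd, "encap": encap}}},
            {"l2extRsL2DomAtt": {"attributes": {"tDn": f"uni/l2dom-{l2dom}"}}},
            # Placeholder profile names (assumed, not from the lab guide).
            {"l2extLNodeP": {"attributes": {"name": f"POD{pod}-L2-NODE-PROFILE"},
                             "children": [
                {"l2extLIfP": {"attributes": {"name": f"POD{pod}-L2-INTERFACE-PROFILE"},
                               "children": [
                    {"l2extRsPathL2OutAtt": {"attributes": {"tDn": path}}}]}}]}},
            {"l2extInstP": {"attributes": {"name": f"POD{pod}-EXTERNAL-BRIDGED-EPG"},
                            "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}}]}},
        ]}},
        # Task 8: the Web EPG provides the same contract.
        {"fvAp": {"attributes": {"name": f"POD{pod}-APPLICATION-PROFILE"}, "children": [
            {"fvAEPg": {"attributes": {"name": f"POD{pod}-WEB-EPG"}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}}]}}]}},
    ]}}


def l2out_summary(payload):
    """Pull the BD/encap binding and the static path back out of the payload."""
    out = payload["fvTenant"]["children"][0]["l2extOut"]["children"]
    ebd = out[0]["l2extRsEBd"]["attributes"]
    path = (out[2]["l2extLNodeP"]["children"][0]["l2extLIfP"]["children"][0]
            ["l2extRsPathL2OutAtt"]["attributes"]["tDn"])
    return {"bd": ebd["tnFvBDName"], "encap": ebd["encap"], "path": path}


if __name__ == "__main__":
    print(json.dumps(l2out_payload("11"), indent=2))
```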

Task 9: Verify That the Web EPG Can Communicate with the External
Bridged Domain
In this task, you will verify that the Web Server in your Web EPG can successfully communicate with a
device in the External Bridged Domain.

Activity Procedure
Complete these steps:
Step 66 Return to the VMware vSphere Client application.
Step 67 Press Ctrl-Shift-H to shift to the Hosts section.
Step 68 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace “##”
with your assigned Pod number):

Virtual Machine   IP Address      Default Gateway
Pod##-App         10.##.1.1 /24   10.##.1.254
Pod##-DB          10.##.2.1 /24   10.##.2.254
Pod##-Web         10.##.3.1 /24   10.##.3.254

Step 69 Right-click the Pod##-Web VM and then select Open Console from the context menu.

Step 70 The console window for Pod##-Web will appear. You will see the Web server’s desktop.
Step 71 Open a Command Prompt window.
Step 72 There is a device in the external bridged network that is configured to use VLAN ##1 with the
IP address 10.##.3.2 (this is the same subnet used by your Web Server virtual machine). Verify
that your Web Server can ping this IP address using the ping 10.##.3.2 command (replace “##”
with your assigned 2-digit Pod Number).
Step 73 From your Student Server desktop, start a PuTTY session with Leaf-2. There should be a
shortcut on the desktop for Leaf-2.
Step 74 Log in to Leaf-2 using the following information:
 • Login as: admin
 • Password: 1234QWer (note that “QW” is capitalized)
Step 75 Execute the show vrf command.

Note The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-2# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 overlay-1                               4 Up      --
 POD11:POD11-VRF                         6 Up      --
 POD12:POD12-VRF                         5 Up      --
<…output omitted…>

Step 76 Execute the show endpoint vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC
within your VRF. You should see an entry with the IP address of 10.##.3.2 .

Leaf-2# show endpoint vrf POD##:POD##-VRF
Legend:
 O - peer-attached    H - vtep    a - locally-aged    S - static
 V - vpc-attached     p - peer-aged    L - local    M - span
 s - static-arp       B - bounce
+---------------+---------------+-----------------+--------------+-------------+------------------------------+
      VLAN/       Encap           MAC Address       MAC Info/       Interface     Endpoint Group
      Domain      VLAN            IP Address        IP Info                       Info
+---------------+---------------+-----------------+--------------+-------------+------------------------------+
POD##:POD##-VRF                  ##.##.##.##       L
15               vlan-3##7       0050.569a.456e    L             eth1/34
POD##:POD##-VRF  vlan-3##7       10.##.1.1         L
16               vlan-3##4       0050.569a.0a8a    O             eth1/33
POD##:POD##-VRF  vlan-3##4       10.##.3.1         O
17               vlan-3##1       0050.569a.5e25    O             eth1/33
POD##:POD##-VRF  vlan-3##1       10.##.2.1         O
24               vlan-2##        0018.1987.1d42    L             eth1/5
POD##:POD##-VRF  vlan-2##        10.##.3.2         L

+------------------------------------------------------------------------------+
                               Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints   : 3
Total number of Remote Endpoints  : 0
Total number of Peer Endpoints    : 2
Total number of vPC Endpoints     : 0
Total number of non-vPC Endpoints : 3
Total number of MACs              : 4
Total number of VTEPs             : 0
Total number of Local IPs         : 3
Total number of Remote IPs        : 2
Total number All EPs              : 5

Step 77 Execute the show vlan extended command. You should see a new fabric VLAN that has been
created that is associated with the port connected to the external bridge domain VLAN.

Leaf-2# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 24   --                               active    Eth1/5
<…output omitted…>

 VLAN Type  Vlan-mode  Encap
 ---- ----- ---------- -------------------------------
 24   enet  CE         vlan-2##
<…output omitted…>

Lab 16: Configure External Layer 2 Connectivity - Extending an EPG
Overview
There are a variety of methods to configure network connectivity between devices integrated into the ACI
fabric and devices in a layer 2 network that is external to the ACI fabric. This lab exercise will focus on the
method that is referred to as extending an end point group (EPG).
When the extending an EPG method is used, network connectivity is configured so that the external device can
be added to an application EPG within the fabric. The external device is treated as an endpoint in the same
way a virtual machine within an integrated host is treated. Policies and contracts applied to the EPG are also
applied to traffic to and from the external device.
In this lab exercise you will be configuring connectivity between your assigned interface on Leaf-1 and a
device that is reachable via layer 2. You will also be creating a new bridge domain and EPG within which
you will place the external device. This is not necessary in general; however, it allows additional
functionality to be demonstrated during the lab exercise. At the end of the lab exercise your assigned DB
server VM should be able to communicate with the external device.

Note To distinguish the “extending an EPG” method from the “extending the bridge domain” method
the terms bare metal network and bare metal server will be used in this lab exercise. These
terms refer to devices that are directly or indirectly connected to a leaf switch at layer 2. The
term “bare metal” indicates that the server is not a hypervisor/host (no virtualization is present)
and the Windows/Linux/UNIX operating system is installed directly onto the hardware. These
terms are found in many of the Cisco ACI documents.

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 • Username: admin
 • Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.
Step 6 From your Student Server desktop, start the VMware vSphere Client. Log in to your assigned
vCenter server using the following credentials:
 • IP address / Name: vcenter-@.dc.local (replace “@” with your assigned vCenter letter).
 • Username: root
 • Password: 1234QWer (note that “QW” is capitalized)
Step 7 At this point you should see the vCenter-@ - vSphere Client window.

Task 1: Create a VLAN Pool


In this task, you will create a VLAN pool that will be used by the physical domain you will create in a
subsequent Task.

Activity Procedure
Complete these steps:
Step 8 Return to the APIC GUI running in your Chrome browser.
Step 9 In the Menu bar, click Fabric.
Step 10 In the Submenu bar, click Access Policies.
Step 11 In the Navigation pane, expand Pools > VLAN.
Step 12 Right-click the VLAN folder and then select Create VLAN Pool from the context menu.

Step 13 The Create VLAN Pool wizard will appear. Enter the values in the following table.

Field            Value
Name             POD##-BARE-METAL-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)
Allocation Mode  Static Allocation

Step 14 In the Encap Blocks subsection, click the plus sign to create a new VLAN range. Enter the
values in the following table.

Field         Value
Range (From)  4## (replace “##” with your assigned 2-digit Pod Number)
Range (To)    4## (replace “##” with your assigned 2-digit Pod Number)

Step 15 Click the OK button.

Step 16 Click the SUBMIT button to complete the Create VLAN Pool wizard.

Task 2: Create a Physical Domain


The next step in configuring an external bridged network is to create a Physical Domain. The physical
domain contains the VLAN Pool containing the external VLANs, and it must be added to the correct
Attachable Access Entity Profile (AEP) that is used by the correct leaf switch interface.
In this task, you will create a Physical Domain that will be used by the application EPG that you will create in
a subsequent task.

Activity Procedure
Complete these steps:
Step 17 In the Menu bar, click Fabric.
Step 18 In the Submenu bar, click Access Policies.
Step 19 Navigate to Physical and External Domains > Physical Domains.
Step 20 Right-click the Physical Domains folder and then select Create Physical Domain from the
context menu.

Step 21 The Create Physical Domain wizard will appear. Enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field      Value
Name       POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
VLAN Pool  POD##-BARE-METAL-VLAN-POOL (replace “##” with your assigned 2-digit Pod Number)

Step 22 Click the SUBMIT button to complete the Create Physical Domain wizard.

Task 3: Create an Attachable Access Entity Profile


In this task, you will create an Attachable Access Entity Profile that will contain the physical domain that you
created previously.

Activity Procedure
Complete these steps:
Step 23 In the Menu bar, click Fabric.
Step 24 In the Submenu bar, click Access Policies.
Step 25 Navigate to Global Policies > Attachable Access Entity Profiles.
Step 26 Right-click the Attachable Access Entity Profiles folder and then select Create Attachable
Access Entity Profile from the context menu.

Step 27 The Create Attachable Access Entity Profile wizard will appear. In STEP 1 > PROFILE,
enter the values in the following table.

Field                       Value
Name                        POD##-BARE-METAL-AEP (replace “##” with your assigned 2-digit Pod Number)
Enable Infrastructure VLAN  Checked

Step 28 In the Domains (VMM, Physical or External) To Be Associated to Interfaces subsection,
click the plus sign to associate your physical domain. In the NAME drop-down list, select
POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned two-digit
Pod Number).

Step 29 Click the UPDATE button.


Step 30 Click the NEXT button. In STEP 2 > Association to Interfaces, do not make any changes.
Step 31 Click the FINISH button to complete the Create Attachable Access Entity Profile wizard.

Task 4: Create an Interface Policy Group


In this task, you will create an Interface Policy Group that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 32 Navigate to Interface Policies > Policy Groups.
Step 33 Right-click the Policy Groups folder and then select Create Access Port Policy Group from
the context menu.

Step 34 The Create Access Port Policy Group wizard will appear. Enter the values in the following
table; do NOT change any of the values that are not listed in the following table.

Field                    Value
Name                     POD##-BARE-METAL-INTERFACE-POLICY-GROUP (replace “##” with your assigned 2-digit Pod Number)
Link Level Policy        POD##-1G-LINK-LEVEL-POLICY (replace “##” with your assigned 2-digit Pod Number)
CDP Policy               POD##-ENABLE-CDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
LLDP Policy              POD##-ENABLE-LLDP-INTERFACE-POLICY (replace “##” with your assigned 2-digit Pod Number)
Attached Entity Profile  POD##-BARE-METAL-AEP (replace “##” with your assigned 2-digit Pod Number)

Step 35 Click the SUBMIT button to complete the Create Access Port Policy Group wizard.

Task 5: Create an Interface Profile


In this task, you will create an Interface Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 36 Navigate to Interface Policies > Profiles.
Step 37 Right-click the Profiles folder and then select Create Interface Profile from the context menu.

Step 38 The Create Interface Profile wizard will appear. In the Name field, type POD##-BARE-
METAL-INTERFACE-PROFILE (replace “##” with your assigned two-digit Pod Number).

Step 39 In the Interface Selectors subsection, click the plus sign to create a new entry. The Create
Access Port Selector wizard will appear. Enter the values in the following table; do NOT
change any of the values that are not listed in the following table.

Field                   Value
Name                    INTERFACE-SELECTOR
Interface ID            1/## (replace “##” with your assigned 2-digit Pod Number)
Interface Policy Group  POD##-BARE-METAL-INTERFACE-POLICY-GROUP (replace “##” with your assigned 2-digit Pod Number)

Step 40 Click the OK button to complete the Create Access Port Selector wizard.

Step 41 Click the SUBMIT button to complete the Create Interface Profile wizard.

Task 6: Create a Switch Profile


In this task, you will create a Switch Profile that will be used in a subsequent Task.

Activity Procedure
Complete these steps:
Step 42 Navigate to Switch Policies > Profiles.
Step 43 Right-click the Profiles folder and then select Create Switch Profile from the context menu.

Step 44 The Create Switch Profile wizard will appear. In STEP 1 > Profile, in the Name field, type
POD##-BARE-METAL-SWITCH-PROFILE (replace “##” with your assigned two-digit
Pod Number).
Step 45 In the Switch Selectors subsection, click the plus sign to create a new entry. Enter the values in
the following table.

Field   Value
Name    SWITCH-SELECTOR
Blocks  101

Step 46 Click the UPDATE button.


Step 47 Click the NEXT button. In STEP 2 > Associations, in the Interface Selector Profiles pane,
select POD##-BARE-METAL-INTERFACE-PROFILE (replace “##” with your assigned
two-digit Pod Number).

Step 48 Click the FINISH button to complete the Create Switch Profile wizard.

Task 7: Create a Bridge Domain


In this task, you will create a new Bridge Domain that will eventually contain the “bare metal server”
connected to Leaf-2. You will also create a new Subnet that will be used to communicate with the bare metal
server.

Activity Procedure
Complete these steps:
Step 49 In the Menu bar, click Tenants.

Step 50 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 51 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains.
Step 52 Right-click the Bridge Domains folder and then select Create Bridge Domain from the
context menu.

Step 53 The Create Bridge Domain wizard will appear. In STEP 1 > Main, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field  Value
Name   POD##-BARE-METAL-BD (replace “##” with your assigned 2-digit Pod Number)
VRF    POD##/POD##-VRF (replace “##” with your assigned 2-digit Pod Number)

Step 54 Click the NEXT button. In STEP 2 > L3 Configurations, in the Subnets subsection, click the
plus sign to start the Create Subnet wizard.

Step 55 The Create Subnet wizard will appear. Enter the values in the following table; do NOT change
any of the values that are not listed in the following table.

Field                   Value
Gateway IP              10.##.4.254/24 (replace “##” with your assigned 2-digit Pod Number)
Scope – Private Subnet  checked

Step 56 Click the OK button to complete the Create Subnet wizard.

Step 57 Click the NEXT button. In STEP 3 > Advanced/Troubleshooting, do not make any changes.
Step 58 Click the FINISH button to complete the Create Bridge Domain wizard.

Task 8: Create a Bare Metal EPG


In this task, you will create a Bare Metal EPG within the Bare Metal bridge domain. You will also configure
the Bare Metal EPG with the settings necessary to include the bare metal server within the EPG.

Activity Procedure
Complete these steps:
Step 59 In the Menu bar, click Tenants.
Step 60 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 61 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs.
Step 62 Right-click the Application EPGs folder and then select Create Application EPG from the
context menu.

Step 63 The Create Application EPG wizard will appear. In STEP 1 > Identity, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                              Value
Name                               POD##-BARE-METAL-EPG (replace “##” with your assigned 2-digit Pod Number)
Bridge Domain                      POD##/POD##-BARE-METAL-BD (replace “##” with your assigned 2-digit Pod Number)
Statically Link with Leaves/Paths  Checked

Step 64 Click the NEXT button. In STEP 2 > Leaves/Paths, in the Physical Domain drop-down list,
select POD##-BARE-METAL-PHYSICAL-DOMAIN (replace “##” with your assigned two-
digit Pod Number).

Step 65 Click the FINISH button to complete the Create Application EPG wizard.
Step 66 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-BARE-METAL-EPG >
Static Bindings (Paths).
Step 67 Right-click the Static Bindings (Paths) folder and then select Deploy Static EPG on PC,
VPC, or Interface from the context menu.

Step 68 The Deploy Static EPG on PC, VPC, or Interface wizard will appear. Enter the values in the
following table.

Field                 Value
Path Type             Port
Path                  Node 101/eth1/## (replace “##” with your assigned 2-digit Pod Number)
Encap                 vlan-4## (replace “##” with your assigned 2-digit Pod Number)
Deployment Immediacy  Immediate
Mode                  Trunk

Step 69 Click the SUBMIT button to complete the Deploy Static EPG on PC, VPC, or Interface
wizard.

Task 9: Create a New Contract


In this task, you will create a new Contract that will be used (in the following Task) to allow communications
between the DB EPG and the Bare Metal EPG.

Activity Procedure
Complete these steps:
Step 70 In the Navigation pane, expand Tenant POD## > Security Policies > Contracts.
Step 71 Right-click the Contracts folder and then select Create Contract from the context menu.

Step 72 The Create Contract wizard will appear. In the Name field type POD##-CONTRACT-DB-
BARE-METAL (replace “##” with your assigned 2-digit Pod Number).

Step 73 In the Subjects subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field                 Value
Name                  SUBJECT-ANY
Apply Both Directions Checked
Reverse Filter Ports  Checked

Step 74 In the Filter Chain subsection, click the plus sign to create a new entry. In the drop-down list,
select POD##-FILTER-ANY.

Step 75 Click the UPDATE button, and then click the OK button.

Step 76 Click the SUBMIT button to complete the Create Contract wizard. You should now see the
contract you just created in the Contracts folder.

Task 10: Configure Contracts between the DB EPG and the Bare Metal
EPG
In this task, you will apply the Bare Metal Contract to allow traffic to flow between the DB EPG and the
Bare Metal EPG.

Activity Procedure
Complete these steps:
Step 77 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-BARE-METAL-EPG >
Contracts.
Step 78 Right-click the Contracts folder and then select Add Provided Contract from the context
menu.

Step 79 The Add Provided Contract wizard will appear. In the Contract field, select POD##/POD##-
CONTRACT-DB-BARE-METAL from the drop-down list.

Step 80 Click the SUBMIT button to complete the Add Provided Contract wizard.
Step 81 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG > Contracts.
Step 82 Right-click the Contracts folder and then select Add Consumed Contract from the context
menu.

Step 83 The Add Consumed Contract wizard will appear. In the Name drop-down list, select POD##/
POD##-CONTRACT-DB-BARE-METAL (replace “##” with your assigned 2-digit Pod
Number).

Step 84 Click the SUBMIT button to complete the Add Consumed Contract wizard.
Step 85 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE.
Step 86 In the Work pane, click the Policy tab. You should see that the diagram representing the objects
within your Application Profile has been updated to include the new contracts.
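The objects that Tasks 7 to 10 create through the APIC GUI can also be pushed as one REST API payload, the approach used in the Postman and Cobra labs of this course. The following is an added example, not code from the lab guide: the class and attribute names are the public ACI object model, while the APIC URL, the credentials and the CA bundle path are placeholders supplied by the caller.

```python
"""Added example (not part of the NterOne lab guide): Lab 16 Tasks 7-10 as one
APIC REST payload for /api/mo/uni.json.  Placeholders: the APIC URL, the
credentials and the CA bundle path passed to post_config()."""
import json


def mo(cls, attrs, children=()):
    """Wrap one managed object in the {"class": {"attributes": {...},
    "children": [...]}} shape that the APIC REST API accepts."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def bare_metal_config(pod, leaf_port, node=101):
    """Tenant subtree for Tasks 7-10 of pod number `pod` (e.g. 11);
    `leaf_port` is the assigned eth1/ interface number on leaf node `node`."""
    pp = f"{pod:02d}"
    tenant = f"POD{pp}"
    bd = f"{tenant}-BARE-METAL-BD"
    contract = f"{tenant}-CONTRACT-DB-BARE-METAL"
    path = f"topology/pod-1/paths-{node}/pathep-[eth1/{leaf_port}]"
    return mo("fvTenant", {"name": tenant}, [
        # Task 7: bridge domain in the pod VRF with the private /24 subnet.
        mo("fvBD", {"name": bd}, [
            mo("fvRsCtx", {"tnFvCtxName": f"{tenant}-VRF"}),
            mo("fvSubnet", {"ip": f"10.{pp}.4.254/24", "scope": "private"}),
        ]),
        # Task 9: contract.  "Apply Both Directions" means the filter hangs
        # off the subject itself; "Reverse Filter Ports" is revFltPorts.
        mo("vzBrCP", {"name": contract}, [
            mo("vzSubj", {"name": "SUBJECT-ANY", "revFltPorts": "yes"}, [
                mo("vzRsSubjFiltAtt", {"tnVzFilterName": f"{tenant}-FILTER-ANY"}),
            ]),
        ]),
        mo("fvAp", {"name": f"{tenant}-APPLICATION-PROFILE"}, [
            # Task 8: EPG in the new BD, associated with the physical domain
            # and statically bound to the leaf port as a trunk ("regular")
            # on VLAN 4## with immediate deployment.
            mo("fvAEPg", {"name": f"{tenant}-BARE-METAL-EPG"}, [
                mo("fvRsBd", {"tnFvBDName": bd}),
                mo("fvRsDomAtt", {"tDn": f"uni/phys-{tenant}-BARE-METAL-PHYSICAL-DOMAIN"}),
                mo("fvRsPathAtt", {"tDn": path, "encap": f"vlan-4{pp}",
                                   "instrImedcy": "immediate", "mode": "regular"}),
                # Task 10: the bare metal EPG provides the contract ...
                mo("fvRsProv", {"tnVzBrCPName": contract}),
            ]),
            # ... and the existing DB EPG consumes it.  Posting only the
            # relation merges into the DB EPG without touching its BD.
            mo("fvAEPg", {"name": f"{tenant}-DB-EPG"}, [
                mo("fvRsCons", {"tnVzBrCPName": contract}),
            ]),
        ]),
    ])


def find_class(tree, cls):
    """Depth-first search of a nested MO tree; returns the attribute dicts of
    every object of class `cls`, for reviewing a payload before it is posted."""
    found = []
    for name, body in tree.items():
        if name == cls:
            found.append(body["attributes"])
        for child in body.get("children", []):
            found.extend(find_class(child, cls))
    return found


def post_config(apic_url, username, password, payload, ca_bundle):
    """Log in and POST the tree to the APIC (needs network access, so the
    offline test does not call it).  `ca_bundle` is the path of the CA
    certificate that signed the APIC's HTTPS certificate: verify it rather
    than disabling verification, or the admin login can be intercepted."""
    import requests  # third-party; imported here so the builders import offline
    session = requests.Session()
    session.verify = ca_bundle
    login = {"aaaUser": {"attributes": {"name": username, "pwd": password}}}
    session.post(f"{apic_url}/api/aaaLogin.json", json=login).raise_for_status()
    resp = session.post(f"{apic_url}/api/mo/uni.json", json=payload)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    cfg = bare_metal_config(pod=11, leaf_port=11)
    print(json.dumps(cfg, indent=2))
    # post_config("https://192.168.R0.1", "admin", "<password>", cfg, "/path/to/apic-ca.pem")
```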

Task 11: Verify Connectivity to the Bare Metal File Server


In this task, you will verify that your Pod DB server can communicate with the bare metal file server
connected to the leaf switch.

Activity Procedure
Complete these steps:
Step 87 Return to the VMware vSphere Client application.
Step 88 Press Ctrl-Shift-H to shift to the Hosts section.
Step 89 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter). You should see three virtual machines which are assigned to your Pod (replace “##”
with your assigned Pod number):

Virtual Machine   IP Address       Default Gateway
Pod##-App         10.##.1.1 /24    10.##.1.254
Pod##-DB          10.##.2.1 /24    10.##.2.254
Pod##-Web         10.##.3.1 /24    10.##.3.254

Step 90 Right-click the Pod##-DB VM and then select Open Console from the context menu.
Step 91 The console window for Pod##-DB will appear. You will see the DB server’s desktop.
Step 92 Open a Command Prompt window.
Step 93 Verify that your DB Server can ping the bare metal file server using the ping 10.##.4.1
command (replace “##” with your assigned 2-digit Pod Number).
Step 94 From your Student Server desktop, start a PuTTY session with Leaf-1. There should be a
shortcut on the desktop for Leaf-1.
Step 95 Log in to Leaf-1 using the following information:
 • Login as: admin
 • Password: 1234QWer (note that “QW” is capitalized)
Step 96 Execute the show vrf command.

Note The output of the show vrf command is useful when you need to copy and paste a VRF name
into another command.

Leaf-1# show vrf
 VRF-Name                           VRF-ID State   Reason
 black-hole                              3 Up      --
 overlay-1                               4 Up      --
 POD11:POD11-VRF                         6 Up      --
 POD12:POD12-VRF                         5 Up      --
<…output omitted…>

Step 97 Execute the show endpoint vrf POD##:POD##-VRF command (replace “##” with your
assigned 2-digit Pod Number). This command will display the endpoints identified by the APIC
within your VRF. You should see an entry with the IP address of 10.##.4.1 .

Leaf-1# show endpoint vrf POD##:POD##-VRF
Legend:
 O - peer-attached    H - vtep    a - locally-aged    S - static
 V - vpc-attached     p - peer-aged    L - local    M - span
 s - static-arp       B - bounce
+-----------------------------------+---------------+-----------------+--------------+-------------+
      VLAN/                           Encap           MAC Address       MAC Info/      Interface
      Domain                          VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
15                                   vlan-3##4       0050.569a.5e25    L              eth1/33
POD##:POD##-VRF                      vlan-3##4       10.##.2.1         L
16                                   vlan-3##0       0050.569a.0a8a    L              eth1/33
POD##:POD##-VRF                      vlan-3##0       10.##.3.1         L
17                                   vlan-3##5       0050.569a.456e    O              eth1/34
POD##:POD##-VRF                      vlan-3##5       10.##.1.1         O
23                                   vlan-4##        0016.c714.6b52    L              eth1/##
POD##:POD##-VRF                      vlan-4##        10.##.4.1         L

+------------------------------------------------------------------------------+
                               Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints   : 3
Total number of Remote Endpoints  : 0
Total number of Peer Endpoints    : 1
Total number of vPC Endpoints     : 0
Total number of non-vPC Endpoints : 3
Total number of MACs              : 4
Total number of VTEPs             : 0
Total number of Local IPs         : 3
Total number of Remote IPs        : 1
Total number All EPs              : 4

Step 98 Execute the show vlan extended command. You should see a new fabric VLAN that has been
created that is associated with the port connected to the bare metal server.

Leaf-1# show vlan extended

 VLAN Name                             Status    Ports
 ---- -------------------------------- --------- -------------------------------
 23   POD##:POD##-APPLICATION-         active    Eth1/##
      PROFILE:POD##-BM-EPG
<…output omitted…>

 VLAN Type  Vlan-mode  Encap
 ---- ----- ---------- -------------------------------
 23   enet  CE         vlan-4##
<…output omitted…>
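The show endpoint check in Step 76 of Lab 15 and Step 97 here can be automated, which is useful when the same verification has to be repeated for many pods. The following parser is an added example, not part of the lab guide; the sample output is constructed for pod 11 from the row layout shown above, and the expected IP, encap and interface are caller-supplied.

```python
"""Added example (not part of the NterOne lab guide): parse the two-line
endpoint rows of `show endpoint vrf <VRF>` and confirm that an expected
endpoint is learned locally on the expected encap VLAN and leaf port."""
import re

# Constructed sample for pod 11, laid out like the output shown in the lab.
SAMPLE_OUTPUT = """\
Legend:
 O - peer-attached    H - vtep    a - locally-aged    S - static
 V - vpc-attached     p - peer-aged    L - local    M - span
 s - static-arp       B - bounce
+-----------------+---------------+-----------------+--------------+-------------+
      VLAN/         Encap           MAC Address       MAC Info/       Interface
      Domain        VLAN            IP Address        IP Info
+-----------------+---------------+-----------------+--------------+-------------+
15                 vlan-3114       0050.569a.5e25    L             eth1/33
POD11:POD11-VRF    vlan-3114       10.11.2.1         L
23                 vlan-411        0016.c714.6b52    L             eth1/11
POD11:POD11-VRF    vlan-411        10.11.4.1         L
17                 vlan-3115       0050.569a.456e    O             eth1/34
POD11:POD11-VRF    vlan-3115       10.11.1.1         O

+------------------------------------------------------------------------------+
                               Endpoint Summary
+------------------------------------------------------------------------------+
Total number of Local Endpoints : 2
"""

# First line of a row: fabric VLAN, encap, MAC, MAC flags, interface.
MAC_RE = re.compile(
    r"^(?P<vlan>\d+)\s+(?P<encap>vlan-\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<flags>\S+)\s+(?P<iface>\S+)\s*$")
# Second line of a row: tenant:VRF, encap, IP, IP flags.
IP_RE = re.compile(
    r"^(?P<vrf>\S+:\S+)\s+(?P<encap>vlan-\d+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<flags>\S+)\s*$")


def parse_endpoints(text):
    """Return one dict per endpoint, pairing each MAC line with the VRF/IP
    line that follows it (only when the encap matches, so a stray line
    cannot be attached to the wrong MAC)."""
    endpoints = []
    current = None
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            current = dict(m.groupdict(), vrf=None, ip=None)
            endpoints.append(current)
            continue
        m = IP_RE.match(line)
        if m and current is not None and m.group("encap") == current["encap"]:
            current["vrf"] = m.group("vrf")
            current["ip"] = m.group("ip")
            current = None
    return endpoints


def verify_endpoint(endpoints, ip, encap, iface):
    """(ok, reason) for the lab check: the IP must be present, on the expected
    encap and port, and learned locally (flag L) rather than via a peer (O)."""
    for ep in endpoints:
        if ep["ip"] != ip:
            continue
        if ep["encap"] != encap:
            return False, f"{ip} learned on {ep['encap']}, expected {encap}"
        if ep["iface"] != iface:
            return False, f"{ip} learned on {ep['iface']}, expected {iface}"
        if "L" not in ep["flags"]:
            return False, f"{ip} is not a local endpoint (flags {ep['flags']})"
        return True, "ok"
    return False, f"{ip} not learned in this VRF"


if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_OUTPUT)
    print(verify_endpoint(eps, "10.11.4.1", "vlan-411", "eth1/11"))
```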

Lab 17: Configure a Service Graph in Managed Mode
Overview
With the open architecture of the ACI solution, you can seamlessly insert any vendor's service solution such
as firewall, load-balancers, and so on into the APIC application profile.
The ACI solution from Cisco provides a powerful tool to insert any services that includes an open API to
communicate with the APIC. With the ease of scripting, deployments of any object within the APIC can now
be done in minutes (in some cases seconds), thus reducing the amount of time to deploy your application
network.
Complete this lab activity to become familiar with configuring a Service Graph to insert an ASAv in
managed mode.
Upon completing this guided lab, you will be able to:
 • Import Device Packages (demo)
 • Create Device Cluster for the ASA
 • Create a Service Graph
 • Create Logical Device Context for ASA
 • Attach Service Graph to Contracts

Cisco ASAv Attributes / L4-L7 Device Attributes


The following table contains information related to the configuration of the Cisco ASAv virtual machine
during this lab exercise.
ASAv VM            ASAv "Physical"     Security  IP Address          Contract  L4-L7 Device    Function Profile
Network Adapter    Interface Name      Level                         Type      Interface Name  Interface
Network Adapter 1  Management0/0       0         192.168.R0.<##+50>  N/A       N/A             N/A
Network Adapter 2  GigabitEthernet0/0  50        10.##.4.254         Consumer  Outside         externalIf
Network Adapter 3  GigabitEthernet0/1  100       10.##.2.254         Provider  Inside          internalIf

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 • Username: admin
 • Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.


Task 1: Import Device Packages (Instructor Demo)


In this Task the instructor will import a Device Package that contains the files necessary to integrate the
Cisco ASAv firewall virtual machine.

Activity Procedure
Complete these steps:

Note This Task will be performed by the Instructor; students do NOT perform this Task.

Step 6 In the Menu bar, click L4-L7 Services.


Step 7 In the Submenu bar, click Packages.
Step 8 In the Navigation pane, right-click the L4-L7 Service Device Types folder, and then select
Import Device Package from the context menu.

Step 9 The Import Device Package dialog window will appear. Click the BROWSE… button.
Step 10 The Open window will appear. Navigate to the S:\DCAC9K folder.
Step 11 Select the Device Package, which is named asa-device-pkg-1.2.5.5.zip.

Step 12 Click the Open button.

Step 13 Click the SUBMIT button. It will take a few seconds for the Device Package to be imported.
Step 14 When the import process is complete you will see a new entry under the L4-L7 Services
Device Types folder named CISCO-ASA-1.2
Step 15 In the Navigation pane, click the CISCO-ASA-1.2 object. The Work pane will display general
information about the Device Package.

Step 16 In the Navigation pane, expand L4-L7 Service Device Types > CISCO-ASA-1.2 > L4-L7
Service Functions > Firewall. The Work pane will display the two types of connectors that
will need to be used to implement a service graph that utilizes the ASAv (you will use these in a
subsequent Task).

Step 17 In the Navigation pane, expand L4-L7 Service Device Types > CISCO-ASA-1.2 > L4-L7
Service Function Profiles > WebPolicyForRoutedMode. The Work pane will display the
specific properties of the firewall configuration when it is used in routed mode. You will be
using this service function profile in a subsequent Task.

Step 18 Return to the VMware vSphere Client application.


Step 19 Press Ctrl-Shift-H to shift to the Hosts section.
Step 20 Right-click the Pod##-ASAv VM and then select Power > Power On from the context menu.
Step 21 After a few seconds you should see the powered on icon next to the virtual machine.

Task 2: Modify the Bare Metal Bridge Domain


In this task, you will modify the Bare Metal Bridge Domain so that traffic will flow through the Cisco ASAv
properly. Currently the Bare Metal Bridge Domain is providing an SVI (default gateway) via the fabric for
the bare metal server and the DB server; this must be modified so that the ASAv is now the default gateway
for these devices.

Activity Procedure
Complete these steps:
Step 22 Return to the APIC GUI.
Step 23 In the Menu bar, click Tenants.
Step 24 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 25 In the Navigation pane, expand Tenant POD## > Networking > Bridge Domains > POD##-
BARE-METAL-BD.
Step 26 In the Work pane, click the L3 Configurations tab.
Step 27 In the Work pane, remove the check mark next to Unicast Routing.

Note Unchecking the Unicast Routing setting causes the APIC to disable the anycast gateway (SVI)
function for the subnets within the bridge domain.

Step 28 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 29 Click the SUBMIT CHANGES button.
Step 30 In the Navigation pane, expand Tenant POD## > Application Profiles > POD##-
APPLICATION-PROFILE > Application EPGs > EPG POD##-DB-EPG.
Step 31 In the Work pane, change the Bridge Domain to POD##/POD##-BARE-METAL-BD
(replace “##” with your assigned 2-digit Pod Number)

Step 32 Click the SUBMIT button at the bottom of the Work pane. A Policy Usage Warning will
appear indicating the other objects that will be affected by the changes.
Step 33 Click the SUBMIT CHANGES button.

Task 3: Create a Services Function Profile Group


In this task, you will create a Services Function Profile Group that will contain the Services Function Profile
that you will create in the following Task.

Activity Procedure
Complete these steps:

Step 34 In the Navigation pane, expand Tenant POD## > L4-L7 Services > Function Profiles.
Step 35 Right-click the Function Profiles folder and then select Create Profile Group from the
context menu.

Step 36 The Create L4-L7 Services Function Profile Group wizard will appear. In the Name field
type POD##-SERVICES-FUNCTION-PROFILE-GROUP (replace “##” with your assigned
2-digit Pod Number).

Step 37 Click the SUBMIT button to complete the Create L4-L7 Services Function Profile Group
wizard.

Task 4: Create a Services Function Profile


In this task, you will create a Services Function Profile that will define how your Pod’s Cisco ASAv virtual
machine will be configured.

Activity Procedure
Step 38 In the Navigation pane, expand Tenant POD## > L4-L7 Services > Function Profiles >
POD##-SERVICES-FUNCTION-PROFILE-GROUP.
Step 39 Right-click the POD##-SERVICES-FUNCTION-PROFILE-GROUP folder and then select
Create L4-L7 Services Function Profile from the context menu.

Step 40 The Create L4-L7 Services Function Profile wizard will appear. Enter the values in the
following table.

Field                               Value
Name                                POD##-SERVICES-FUNCTION-PROFILE (replace “##” with your assigned 2-digit Pod Number)
Copy Existing Profile Parameters    Checked
Profile                             CISCO-ASA-1.2/WebPolicyForRoutedMode

Step 41 The lower portion of the wizard is where you define how the ASAv will behave when it is
deployed. In the next few steps you will configure the IP addresses that will be applied to the
interfaces of the ASAv.
Step 42 In the Features and Parameters section, under Features, make sure that Interfaces is
selected.

Step 43 Under the Basic Parameters tab, expand Device Config > Interface Related Configuration
(externalIf) > Interface Specific Configuration (externalIfCfg) > IPv4 Address
Configuration.
Step 44 Double-click the parameter named IPv4 Address; this will allow you to edit the IP address.
Step 45 In the Value field, type 10.##.4.254/255.255.255.0 (replace “##” with your assigned 2-digit
Pod Number).

Step 46 Click the UPDATE button.


Step 47 Under the Basic Parameters tab, expand Device Config > Interface Related Configuration
(internalIf) > Interface Specific Configuration (internalIfCfg) > IPv4 Address
Configuration.
Step 48 Double-click the parameter named IPv4 Address; this will allow you to edit the IP address.
Step 49 In the Value field, type 10.##.2.254/255.255.255.0 (replace “##” with your assigned 2-digit
Pod Number).

Step 50 Click the UPDATE button.


Step 51 Click the SUBMIT button to complete the Create L4-L7 Services Function Profile wizard.

Note In the Navigation pane, select POD##-SERVICES-FUNCTION-PROFILE. In the Work pane,
look to see if any faults were raised after you completed the Create L4-L7 Services Function
Profile wizard. If there are faults present, DELETE the POD##-SERVICES-FUNCTION-PROFILE
and re-create it. If any faults are present and you continue to the next Task, the lab exercise
will fail.

Task 4: Create an L4-L7 Device


In this task, you will create an L4-L7 Device, which contains the information required by the APIC to log in to
the Cisco ASAv and configure it.

Activity Procedure
Complete these steps:
Step 52 In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Devices.
Step 53 Right-click the L4-L7 Devices folder and then select Create L4-L7 Devices from the context
menu.

Step 54 The Create L4-L7 Devices wizard will appear. In STEP 1 > General, enter the values in the
following table; do NOT change any of the values that are not listed in the following table.

Field                                     Value
General Section:
Managed                                   Checked
Name                                      POD##-MANAGED-ASAv (replace “##” with your assigned 2-digit Pod Number)
Service Type                              Firewall
Device Type                               Virtual
VMM Domain                                POD##-VMM-DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Mode                                      Single Node
Device Package                            CISCO-ASA-1.2
Model                                     ASAv
Function Type                             Go To
Connectivity Section:
APIC to Device Management Connectivity    Out-Of-Band
Credentials Section:
Username                                  admin (make sure to use all lower-case characters)
Password / Confirm Password               1234QWer
Device 1:
Management IP Address                     192.168.R0.<##+50> (Add 50 to your assigned 2-digit Pod Number and replace “##” with the sum)
Management Port                           https
VM                                        POD##-VMM-DOMAIN/Pod##-ASAv (replace “##” with your assigned 2-digit Pod Number)

Step 55 In the Devices Interfaces subsection, click the plus sign to create a new entry. Enter the values
in the following table.

Field Value
Name GigabitEthernet0/0
vNIC Network adapter 2

Step 56 Click the UPDATE button.
Step 57 In the Devices Interfaces subsection, click the plus sign to create a new entry. Enter the values
in the following table.

Field Value
Name GigabitEthernet0/1
vNIC Network adapter 3

Step 58 Click the UPDATE button.


Step 59 In the Cluster subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field Value
Type Consumer
Name Outside
Concrete Interfaces Device1/GigabitEthernet0/0

Step 60 Click the UPDATE button.


Step 61 In the Cluster subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field Value
Type Provider
Name Inside
Concrete Interfaces Device1/GigabitEthernet0/1

Step 62 Click the UPDATE button.


Step 63 Click the NEXT button. Do not make any changes in STEP 2 > Device Configuration.
Step 64 Click the FINISH button to complete the Create L4-L7 Devices wizard.
Step 65 In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Devices > POD##-MANAGED-ASAv.
You can see the state of the ASAv virtual machine as seen by the APIC.

Note The key field in this object is the Configuration State/Configuration Issues/Devices State field. At
this point the Device State should be stable. If the Device State is not stable, the APIC cannot
communicate with the ASAv virtual machine via the ASAv management interface. Verify that the
ASAv is online and that you can SSH to it. If you can SSH to the ASAv and the Device State is still
not stable, the quickest path forward is to delete POD##-MANAGED-ASAv and recreate it following
the steps in this Task.

Note At this point it is likely that you will see faults raised in this object; that is normal (as long as the
Device State is stable). The faults will be cleared once the virtual machine is incorporated into a
service graph.

Note At this point, nothing has changed in the ASAv virtual machine; you have only created a device
definition that will be used in a subsequent Task.

Task 5: Create a Service Graph Template


In this task, you will create a Service Graph Template, which is an object that helps define how the traffic
should flow to the Cisco ASAv.

Activity Procedure
Complete these steps:
Step 66 In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Service Graph
Templates.
Step 67 Right-click the L4-L7 Service Graph Templates folder and then select Create a L4-L7
Service Graph Template from the context menu.

Step 68 The Create a L4-L7 Service Graph Template wizard will appear. In the Graph Name field,
type POD##-SERVICE-GRAPH-TEMPLATE (replace “##” with your assigned 2-digit Pod
Number).

Step 69 In the Device Clusters section you should see one entry for the POD##-MANAGED-ASAv
firewall that you created in the previous Task. Drag and drop the firewall into the center of the
window.

Note The name under the firewall object will be highlighted and have the value “N1”. Do not change
this value.

Step 70 Enter the values in the following table.

Field Value
Firewall Routed
Profile POD##-SERVICES-FUNCTION-PROFILE (replace “##” with your assigned 2-digit Pod Number)

Step 71 Click the SUBMIT button to complete the Create a L4-L7 Service Graph Template wizard.

Task 6: Apply the Service Graph Template


In this task, you will apply the Service Graph Template to the contract between the DB EPG and the Bare
Metal EPG.

Activity Procedure
Complete these steps:
Step 72 In the Navigation pane, expand Tenant POD## > L4-L7 Services > L4-L7 Service Graph
Templates > POD##-SERVICE-GRAPH-TEMPLATE.
Step 73 Right-click the POD##-SERVICE-GRAPH-TEMPLATE folder and then select Apply L4-L7 Service Graph Template from the context menu.

Step 74 The Apply L4-L7 Service Graph Template To EPGs wizard will appear. In STEP 1 >
Contract, enter the values in the following table.

Field                              Value
Consumer EPG / External Network    POD##/POD##-APPLICATION-PROFILE/epg-POD##-BARE-METAL-EPG (replace “##” with your assigned 2-digit Pod Number)
Provider EPG / External Network    POD##/POD##-APPLICATION-PROFILE/epg-POD##-DB-EPG (replace “##” with your assigned 2-digit Pod Number)
Contract                           Choose an Existing Contract Subject
Existing Contract With Subjects    POD##-CONTRACT-DB-BARE-METAL/SUBJECT-ANY (replace “##” with your assigned 2-digit Pod Number)

Step 75 Click the NEXT button. In STEP 2 > Graph, do not make any changes.

Step 76 Click the NEXT button. In STEP 3 > POD##-MANAGED-ASAv Parameters, do not make
any changes.
Step 77 Click the FINISH button to complete the Apply L4-L7 Service Graph Template To EPGs
wizard.

Task 7: Verify the Configuration

In this task, you will verify that the ASAv firewall has been reconfigured by the APIC, and you will verify
that the service graph is functioning by opening an SSH session from the DB server to the bare metal server.

Activity Procedure
Complete these steps:
Step 78 From your Student Server desktop, start a PuTTY session with Pod##-ASAv using the
following credentials:
• IP Address: 192.168.R0.<##+50>
• Login as: admin
• Password: 1234QWer (note that “QW” is capitalized)
Step 79 Execute the enable command to enter enable mode.

login as: admin
admin@192.168.30.61's password: 1234QWer
Type help or '?' for a list of available commands.
Pod11-ASAv> enable
Password: 1234QWer
Pod11-ASAv#

Step 80 Execute the show interface ip brief command. This command lists the interfaces present
in the firewall, the state of each interface, and the IP address of each interface. You should see
that the IP address of GigabitEthernet0/0 has been set to 10.##.4.254 and the IP address of
GigabitEthernet0/1 has been set to 10.##.2.254 (the Management0/0 interface is the out-of-band
management interface and is part of the lab baseline).

Pod11-ASAv# show interface ip brief
Interface              IP-Address       OK? Method Status                 Protocol
GigabitEthernet0/0     10.11.4.254      YES manual up                     up
GigabitEthernet0/1     10.11.2.254      YES manual up                     up
GigabitEthernet0/2     unassigned       YES unset  administratively down  up
GigabitEthernet0/3     unassigned       YES unset  administratively down  up
GigabitEthernet0/4     unassigned       YES unset  administratively down  up
GigabitEthernet0/5     unassigned       YES unset  administratively down  up
GigabitEthernet0/6     unassigned       YES unset  administratively down  up
GigabitEthernet0/7     unassigned       YES unset  administratively down  up
GigabitEthernet0/8     unassigned       YES unset  administratively down  up
Management0/0          192.168.30.61    YES manual up                     up

Step 81 Execute the show nameif command. This command will show you the security levels assigned
to the interfaces within the firewall.

Note The Cisco ASA series of firewalls uses the concept of a security level to help determine traffic
flows from one interface to another. By default, traffic is allowed to flow from an interface with a
higher security level to an interface with a lower security level. In order to allow traffic to flow
from an interface with a lower security level to an interface with a higher security level an access
list must be configured to allow the traffic.

Pod11-ASAv# show nameif
Interface              Name         Security
GigabitEthernet0/0     externalIf   50
GigabitEthernet0/1     internalIf   100
Management0/0          management   0
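To make the security-level rule in the Note above concrete, here is an added example (not part of the lab guide) that models how the ASA decides whether a new connection may cross from one interface to another, using the security levels shown by show nameif. The access list entries and the 10.11.x.x sample addresses are constructed for the example, and only the security-level default plus an inbound access list are modelled; NAT, inspection and the other features of the real policy engine are left out.

```python
# Added example, not from the DCAC9K lab guide: a simplified model of how a
# Cisco ASA decides whether a new connection may cross between two interfaces.
# Security levels are taken from this lab's "show nameif" output; the access
# lists and the 10.11.x.x sample addresses are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Security levels as shown by "show nameif" on Pod11-ASAv.
INTERFACES: Dict[str, int] = {"externalIf": 50, "internalIf": 100, "management": 0}


@dataclass
class Ace:
    """One access-list entry: <action> <proto> <src network> <dst network> [eq <dst port>]."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # CIDR, e.g. "10.11.4.0/24"
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == dport


def acl_allows(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
               dport: Optional[int]) -> bool:
    """First-match evaluation; an ASA access list ends with an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src_ip, dst_ip, dport):
            return ace.action == "permit"
    return False


def connection_allowed(ingress: str, egress: str, proto: str, src_ip: str,
                       dst_ip: str, dport: Optional[int] = None,
                       access_groups: Optional[Dict[str, List[Ace]]] = None,
                       same_security_permit: bool = False) -> Tuple[bool, str]:
    """Decide whether a new connection entering 'ingress' and leaving 'egress' is allowed.

    access_groups maps an interface name to the access list applied inbound on it.
    Returns (allowed, reason).
    """
    if ingress not in INTERFACES or egress not in INTERFACES:
        raise ValueError(f"unknown interface: {ingress} -> {egress}")
    in_level, out_level = INTERFACES[ingress], INTERFACES[egress]
    acl = (access_groups or {}).get(ingress)
    if acl is not None:
        # Once an access list is bound inbound, it replaces the security-level
        # default for that interface (including the implicit high-to-low permit).
        ok = acl_allows(acl, proto, src_ip, dst_ip, dport)
        return ok, f"access-group on {ingress}: {'permit' if ok else 'implicit deny'}"
    if in_level > out_level:
        return True, f"{ingress}({in_level}) -> {egress}({out_level}): higher to lower, allowed by default"
    if in_level == out_level:
        return same_security_permit, "same security level: needs 'same-security-traffic permit inter-interface'"
    return False, f"{ingress}({in_level}) -> {egress}({out_level}): lower to higher, denied without an access list"


if __name__ == "__main__":
    # Lab verification: SSH from the DB server (inside) to the bare metal server (outside).
    print(connection_allowed("internalIf", "externalIf", "tcp", "10.11.2.1", "10.11.4.1", 22))
    # The reverse direction is blocked until an access list permits it.
    print(connection_allowed("externalIf", "internalIf", "tcp", "10.11.4.1", "10.11.2.1", 22))
    outside_in = [Ace("permit", "tcp", "10.11.4.0/24", "10.11.2.1/32", 22)]
    print(connection_allowed("externalIf", "internalIf", "tcp", "10.11.4.1", "10.11.2.1", 22,
                             access_groups={"externalIf": outside_in}))
```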

Step 82 Execute the ping 10.##.2.1 command. This command will verify that the inside interface of the
firewall can communicate with the DB server.

Pod11-ASAv# ping 10.11.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Step 83 Execute the ping 10.##.4.1 command. This command will verify that the outside interface of
the firewall can communicate with the bare metal server.

Pod11-ASAv# ping 10.11.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Step 84 Execute the show arp command. This command will list all of the IP address to MAC address
mappings present in the firewall’s memory.

Pod11-ASAv# show arp
management 192.168.30.1 fc5b.392d.4f5a 2739
management 192.168.30.254 001b.0de3.895c 5648
externalIf 10.11.4.1 0050.56ad.a5b3 119
internalIf 10.11.2.1 0050.569a.5e25 123

Step 85 Return to the VMware vSphere Client application.


Step 86 Press Ctrl-Shift-H to shift to the Hosts section.
Step 87 Navigate to vCenter-@ > Datastore-@ > Cluster-@ (replace “@” with your assigned vCenter
letter).
Step 88 At the bottom of the window is the Recent Tasks pane. You should see three entries there:
• One entry indicating that the POD##-VMM-DOMAIN DVS has been modified and now has two
additional port groups created by the APIC
• Two entries indicating that the Pod##-ASAv virtual machine has been modified to use these two
new port groups

Step 89 Right-click the Pod##-ASAv VM and then select Edit Settings… from the context menu.

Step 90 The Virtual Machine Properties window will appear. You should see that network adapters 2
and 3 have been reconfigured to use port groups in the Pod VMM Domain’s distributed virtual
switch.

Step 91 Click the Cancel button to close the Virtual Machine Properties window.
Step 92 Right-click the Pod##-DB VM and then select Open Console from the context menu.
Step 93 The console window for Pod##-DB will appear. You will see the DB server’s desktop.
Step 94 Open a Command Prompt window.

Note At this point the configuration of the service graph is complete. Next, you will use PuTTY to verify
that you can open a TCP/IP session from the DB Server, which is “inside” the firewall, to the
bare metal server, which is “outside” the firewall.

Step 95 From your DB Server desktop, start a PuTTY session.


Step 96 Open an SSH session to the bare metal server using the following information:
• IP Address: 10.##.4.1 (replace “##” with your assigned 2-digit Pod Number)
• Login as: student
• Password: 1234QWer (note that “QW” is capitalized)

Step 97 If you are able to start an SSH session, that indicates the service graph is functioning properly.

Note There is actually no bare metal server; a virtual router has been configured to duplicate the
network connectivity of a bare metal server.

Lab 18: Configure RBAC Using Local and
RADIUS Accounts
Overview
Complete this lab activity to become familiar with configuring role-based access control and integration with
AAA services.
Upon completing this guided lab, you will be able to:
• Configure a local security domain
• Configure local users and roles for your tenant security domain
• Create a RADIUS security domain and map it to your tenant
• Create an AAA login domain for RADIUS authentication
• Test RADIUS authentication and authorization

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
• Username: admin
• Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: Create a Security Domain and Map It to Your Tenant


In this task, you will configure a new security domain and map it to your tenant.

Activity Procedure
Complete these steps:
Step 6 In the Menu bar, click Admin.
Step 7 In the Submenu bar, click AAA.
Step 8 Navigate to Security Management > Security Domains.
Step 9 Right-click the Security Domains folder and then select Create Security Domain from the
context menu.

Step 10 The Create Security Domain wizard will appear. In the Name field type POD##-SD-LOCAL
(replace “##” with your assigned 2-digit Pod Number).

Step 11 Click the SUBMIT button to complete the Create Security Domain wizard.
Step 12 In the Menu bar, click Tenants.
Step 13 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 14 In the Navigation pane, click Tenant POD##, and then click the POLICY tab in the Work
pane.
Step 15 In the Security Domains subsection, select POD##-SD-LOCAL.

Step 16 Click the SUBMIT button at the bottom of the Work pane.

Task 2: Configure Local Users and Roles for your Tenant Security
Domain
In this task, you will create tenant-specific admin and audit users with the appropriate roles and map them to
your tenant security domain.

Activity Procedure
Complete these steps:
Step 17 In the Menu bar, click Admin.
Step 18 In the Submenu bar, click AAA.
Step 19 Navigate to Security Management > Local Users.
Step 20 Right-click the Local Users folder and then select Create Local User from the context menu.

Step 21 The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to POD##-SD-LOCAL.

Step 22 Click the NEXT button. In STEP 2 > Roles, select READ WRITE for each of the roles listed.

Step 23 Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Login ID POD##-ADMIN-LOCAL (replace “##” with your assigned 2-digit Pod Number)
Password / Confirm Password 1234QWer

Step 24 Click the FINISH button to complete the Create Local User wizard.
Step 25 Right-click the Local Users folder and then select Create Local User from the context menu.

Step 26 The Create Local User wizard will appear. In STEP 1 > Security, in the Security Domain
subsection, click the checkbox next to POD##-SD-LOCAL.

Step 27 Click the NEXT button. In STEP 2 > Roles, select READ ONLY for each of the roles listed.

Step 28 Click the NEXT button. In STEP 3 > User Identity, enter the values in the following table; do
NOT change any of the values that are not listed in the following table.

Field Value
Login ID POD##-AUDIT-LOCAL (replace “##” with your assigned 2-digit Pod Number)
Password / Confirm Password 1234QWer

Step 29 Click the FINISH button to complete the Create Local User wizard.

Task 3: Verify the Configuration of the Local User Accounts


In this task, you will log in to the APIC GUI using the accounts that you just created in order to verify that
the correct rights have been granted to each account.

Activity Procedure
Complete these steps:
Step 30 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
admin, and then select Logout from the drop-down menu.

Step 31 Log in to the APIC using the following credentials:


• Username: POD##-ADMIN-LOCAL (replace “##” with your assigned 2-digit Pod Number)
• Password: 1234QWer (note that “QW” is capitalized)
• Mode: Advanced
Step 32 The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-ADMIN-LOCAL account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 33 In the Menu bar, click Tenants.

Step 34 In the Submenu bar, click ALL TENANTS. Notice how there are only two Tenants listed,
common and POD##.

Step 35 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 36 Navigate to various portions of your Tenant. Notice how you have the ability to change the
configuration of your Tenant.
Step 37 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-ADMIN-LOCAL, and then select AAA > View My Permissions from the drop-down
menu.

Step 38 The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 39 Click the CLOSE button.


Step 40 Log out of the APIC GUI.
Step 41 Log in to the APIC using the following credentials:

• Username: POD##-AUDIT-LOCAL (replace “##” with your assigned 2-digit Pod Number)
• Password: 1234QWer (note that “QW” is capitalized)
• Mode: Advanced
Step 42 The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-AUDIT-LOCAL account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 43 In the Menu bar, click Tenants.


Step 44 In the Submenu bar, click ALL TENANTS. Notice how there are only two Tenants listed,
common and POD##.

Step 45 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 46 Navigate to various portions of your Tenant. Notice how you have the ability to view the
configuration of your Tenant, however you cannot make any changes to the configuration.
Step 47 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-AUDIT-LOCAL, and then select AAA > View My Permissions from the drop-down
menu.

Step 48 The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 49 Click the CLOSE button.


Step 50 Log out of the APIC GUI.

Task 4: Create a RADIUS Security Domain and Map It to your Tenant


In this task, you will configure a new RADIUS security domain and map it to your tenant. The cisco-av-pair
that is configured in Cisco ISE references this security domain to apply permissions to the remote RADIUS
user on a tenant-by-tenant basis.

Activity Procedure
Complete these steps:
Step 51 Log in to the APIC GUI using the admin account.
Step 52 In the Menu bar, click Admin.
Step 53 In the Submenu bar, click AAA.
Step 54 Navigate to RADIUS Management > RADIUS Provider Groups.
Step 55 Right-click the RADIUS Provider Groups folder and then select Create RADIUS Provider
Group from the context menu.

Step 56 The Create RADIUS Provider Group wizard will appear. In the Name field, type
POD##_RADIUS_PROVIDER_GROUP (replace “##” with your assigned 2-digit Pod
Number).

Note The name of the RADIUS Provider Group may not use the dash character; however, you may
use the underscore character.

Step 57 In the Providers subsection, click the plus sign to create a new entry. Enter the values in the
following table.

Field Value
Name 192.168.R0.41 (replace “R” with your ACI Rack Number)
Priority 1

Step 58 Click the UPDATE button.


Step 59 Click the SUBMIT button to complete the Create RADIUS Provider Group wizard.
Step 60 Navigate to AAA Authentication > Login Domains.
Step 61 Right-click the Login Domains folder and then select Create Login Domain from the context
menu.

Step 62 The Create Login Domain wizard will appear. Enter the values in the following table.

Field                      Value
Name                       POD##_RADIUS_LOGIN_DOMAIN (replace “##” with your assigned 2-digit Pod Number)
Realm                      RADIUS
RADIUS Provider Group      POD##_RADIUS_PROVIDER_GROUP (replace “##” with your assigned 2-digit Pod Number)

Note The name of the Login Domain may not use the dash character; however, you may use the
underscore character.

Step 63 Click the SUBMIT button to complete the Create Login Domain wizard.
Step 64 Navigate to Security Management > Security Domains.
Step 65 Right-click the Security Domains folder and then select Create Security Domain from the
context menu.

Step 66 The Create Security Domain wizard will appear. In the Name field type POD##-SD-RADIUS (replace “##” with your assigned 2-digit Pod Number).

Note It is important that you enter this value correctly because the RADIUS server references this
security domain name in the av-pair it returns for the login account.

Step 67 Click the SUBMIT button to complete the Create Security Domain wizard.
Step 68 In the Menu bar, click Tenants.
Step 69 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 70 In the Navigation pane, click Tenant POD##, and then click the POLICY tab in the Work
pane.
Step 71 In the Security Domains subsection, select POD##-SD-RADIUS.

Step 72 Click the SUBMIT button at the bottom of the Work pane.
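The task introduction above says the cisco-av-pair configured in Cisco ISE references the security domain to grant the RADIUS user permissions per tenant, and the Note on Step 66 warns that the domain name must match exactly. The following added example (not from the lab guide or from Cisco) parses such an av-pair and works out what a user may do in a tenant; it assumes the documented APIC format shell:domains=<security domain>/<write roles>/<read roles> with roles separated by "|" and multiple domains separated by ",", and the sample av-pairs, role names and tenant-to-domain mappings are constructed for Pod 11.

```python
# Added example, not from the DCAC9K lab guide: parse the cisco-av-pair that a
# RADIUS server (Cisco ISE in this lab) returns for an APIC login and work out
# what the user may do in a given tenant. The av-pair format assumed here is
#   shell:domains=<security domain>/<write role>|<write role>/<read role>|<read role>,<next domain>/...
# The sample av-pairs, role names and tenant domains are constructed for Pod 11.
import re
from typing import Dict, Iterable, Set, Tuple

# {security domain: (write roles, read roles)}
Permissions = Dict[str, Tuple[Set[str], Set[str]]]

_AV_PAIR_RE = re.compile(r"^\s*shell:domains=(?P<body>\S+)\s*$")


def parse_av_pair(av_pair: str) -> Permissions:
    """Parse one shell:domains av-pair. Raises ValueError if it is malformed."""
    m = _AV_PAIR_RE.match(av_pair)
    if not m:
        raise ValueError(f"not a shell:domains av-pair: {av_pair!r}")
    perms: Permissions = {}
    for entry in m.group("body").split(","):
        parts = entry.split("/")
        # "domain/write/read"; the read part may be omitted, the domain may not.
        if len(parts) not in (2, 3) or not parts[0]:
            raise ValueError(f"malformed domain entry: {entry!r}")
        domain = parts[0]
        write_roles = {r for r in parts[1].split("|") if r}
        read_roles = {r for r in parts[2].split("|") if r} if len(parts) == 3 else set()
        perms[domain] = (write_roles, read_roles)
    return perms


def tenant_access(perms: Permissions, tenant_domains: Iterable[str]) -> str:
    """Return "write", "read" or "none" for a tenant associated with tenant_domains.

    A domain entry applies when the tenant is associated with that security
    domain; the built-in "all" domain applies to every tenant. Any write role in
    an applicable domain grants read-write, any read role grants read-only.
    """
    tenant_domains = set(tenant_domains)
    access = "none"
    for domain, (write_roles, read_roles) in perms.items():
        if domain != "all" and domain not in tenant_domains:
            continue
        if write_roles:
            return "write"
        if read_roles:
            access = "read"
    return access


def visible_tenants(perms: Permissions, tenants: Dict[str, Set[str]]) -> Set[str]:
    """Names of the tenants (name -> security domains) the user can see at all."""
    return {name for name, domains in tenants.items()
            if tenant_access(perms, domains) != "none"}


if __name__ == "__main__":
    # Constructed tenant-to-security-domain mapping for two pods.
    tenants = {
        "POD11": {"POD11-SD-LOCAL", "POD11-SD-RADIUS"},
        "POD12": {"POD12-SD-LOCAL", "POD12-SD-RADIUS"},
    }
    admin_rad = parse_av_pair("shell:domains=POD11-SD-RADIUS/tenant-admin/")
    audit_rad = parse_av_pair("shell:domains=POD11-SD-RADIUS//read-all")
    # A typo in the security domain name on the RADIUS side maps to nothing,
    # which is the failure the Note on Step 66 warns about.
    mistyped = parse_av_pair("shell:domains=POD11-SD-RADIUS-X/tenant-admin/")
    for label, p in (("ADMIN-RAD", admin_rad), ("AUDIT-RAD", audit_rad), ("mistyped", mistyped)):
        print(label, tenant_access(p, tenants["POD11"]), sorted(visible_tenants(p, tenants)))
```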

Task 5: Verify the Configuration of the RADIUS User Accounts


In this task, you will log in to the APIC GUI using the RADIUS accounts in order to verify that the correct
rights have been granted to each account.

Activity Procedure
Complete these steps:
Step 73 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
admin, and then select Logout from the drop-down menu.

Step 74 Log in to the APIC using the following credentials:


• Username: POD##-ADMIN-RAD (replace “##” with your assigned 2-digit Pod Number)

• Password: 1234QWer (note that “QW” is capitalized)
• Domain: POD##_RADIUS_LOGIN_DOMAIN (replace “##” with your assigned 2-digit Pod Number)
• Mode: Advanced

Step 75 The first screen that you will see is the DASHBOARD. Notice how there is nothing visible; the
POD##-ADMIN-RAD account does not have system-wide rights. Also notice how many of the
Menu bar selections are greyed out.

Step 76 In the Menu bar, click Tenants.


Step 77 In the Submenu bar, click ALL TENANTS. Notice how there is only one Tenant listed,
POD##.

Step 78 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 79 Navigate to various portions of your Tenant. Notice how you have the ability to change the
configuration of your Tenant.

Step 80 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-ADMIN-RAD, and then select AAA > View My Permissions from the drop-down
menu.

Step 81 The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 82 Click the CLOSE button.


Step 83 Log out of the APIC GUI.
Step 84 Log in to the APIC using the following credentials:
• Username: POD##-AUDIT-RAD (replace “##” with your assigned 2-digit Pod Number)
• Password: 1234QWer (note that “QW” is capitalized)
• Domain: POD##_RADIUS_LOGIN_DOMAIN (replace “##” with your assigned 2-digit Pod Number)
• Mode: Advanced

Step 85 The first screen that you will see is the Dashboard. Notice how there is nothing visible; the
POD##-AUDIT-RAD account does not have system-wide rights. Also notice how many of
the Menu bar selections are greyed out.

Step 86 In the Menu bar, click Tenants.


Step 87 In the Submenu bar, click ALL TENANTS. Notice how there is only one Tenant listed,
POD##.

Step 88 Double-click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 89 Navigate to various portions of your Tenant. Notice how you have the ability to view the
configuration of your Tenant, however you cannot make any changes to the configuration.
Step 90 In the upper right-hand corner of the APIC GUI, click the down arrow to the right of welcome,
POD##-AUDIT-RAD, and then select AAA > View My Permissions from the drop-down
menu.

Step 91 The User Permissions window will appear. This window will display all of the permissions
that have been granted to the user account with which you are currently logged in.

Step 92 Click the CLOSE button.


Step 93 Log out of the APIC GUI.

Lab 19: Monitor and Troubleshoot ACI
Overview
Complete this lab activity to become familiar with monitoring and troubleshooting tools in the Cisco
Application Policy Infrastructure Controller (APIC) GUI.
Upon completing this guided lab, you will be able to:
• View faults using the Cisco APIC GUI
• View events using the Cisco APIC GUI
• Use the API Inspector
• Use the Managed Object Browser (Visore)
• Configure Syslog Monitoring
• Use the Operations tab in the Cisco APIC GUI

Task 0: Log in to the APIC Controller


In this task, you will log in to the APIC controller using the graphical user interface (GUI).

Activity Procedure
Complete these steps:
Step 1 Verify that you are currently logged in to your Student Server.
Step 2 From your Student Server desktop, start the Chrome browser.
Step 3 Navigate to https://192.168.R0.1 (replace “R” with your ACI Rack Number).
Step 4 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)
Step 5 At this point you should see the APIC Dashboard.

Task 1: View Faults Using the Cisco APIC GUI


In this task, you will view faults using the Cisco APIC GUI.
When troubleshooting issues with Cisco Application Centric Infrastructure (ACI), the first step is to
inspect any faults recorded by the Cisco ACI. The logged faults are presented in many places in the GUI,
filtered to show only those faults that are relevant to the current GUI context. Wherever a Faults tab
appears in the GUI Work pane, you can view the relevant entries from the fault log.
A fault object is placed in the Management Information Tree (MIT) as a child of the port object. If the same
condition is detected multiple times, no additional instances of the fault object are created. Fault records are
never modified after they are created and they are deleted only when their number exceeds the maximum
value that is specified in the fault retention policy.

Activity Procedure
Complete these steps:
Step 6 To view a summary of fault statistics for the overall system, click SYSTEM from the main
menu.
Step 7 In the Dashboard, the dashboard tables display the fault counts by domain and by type.

Note This is just an example. Your Fault Counts output will be different.

Step 8 Next, you will view the faults that are related to a Tenant. In the Menu bar, click Tenants.
Step 9 In the Submenu bar, click POD## (replace “##” with your assigned 2-digit Pod Number).
Step 10 In the Navigation pane, select Tenant POD##. The Work pane will display a Dashboard
specific to the Tenant.

Step 11 In the Work pane, click the FAULTS tab. Take a moment to review any recorded faults.

Note If you have performed all of the previous lab exercises properly, there should not be any faults
listed.

Step 12 By clicking specific ACI constructs (e.g. Application Profiles, Bridge Domains, etc.) in the
Navigation pane, you will have access to the Faults tab, which records all faults that are specific
to the current GUI context.
Step 13 In the Menu bar, click Admin.
Step 14 In the Submenu bar, click Historical Record Policies.
Step 15 In the Navigation pane, select Controller Policies.
Step 16 In the Work pane, retention policy settings appear for the following logs:
 Audit Logs Retention Policy
 Events Retention Policy
 Fault Records Retention Policy
 Health Records Retention Policy

Note The Controller Policies folder is the location where you manage the sizes of the different
controller policies. These policies are for issues that are specific to the controller.

Note The maximum size range is 1,000 to 500,000 records; the default is 100,000 records. The Purge
Window Size is the maximum number of records to be deleted in a single swipe once the
number of records in the log is greater than the Maximum Size. The Purge Window Size default
is designed to minimize impact on performance when records are purged.

Step 17 In the Navigation pane, expand Switch Policies. This is the location where you can manage the
size of the various switch log retention policies.

Task 2: View Events Using the Cisco APIC GUI
In this task, you will view events using the Cisco Application Policy Infrastructure Controller (APIC) GUI.
The APIC maintains a comprehensive, up-to-date, run-time representation of the administrative and
operational state of the Cisco ACI Fabric in the form of a collection of managed objects (MOs). Any
configuration or state change in any MO is considered an event. Most events are part of the normal workflow
and there is no need to record their occurrence or to bring them to the attention of the user unless they meet
one of the following criteria:
 The event is an anomaly, such as a fault being raised
 The event is defined in the model as requiring notification
 The event follows a user action that needs to be auditable
Many places in the GUI present the logged events. The events are filtered to show only those events that are
relevant to the current GUI context. Wherever a History tab appears in the GUI Work pane, you can view the
relevant log entries from the event log, health log, or audit log.

Activity Procedure
Complete these steps:
Step 18 In the Menu bar, click Admin, and then in the Submenu bar, click AAA.
Step 19 In the Navigation pane, click the AAA Authentication folder.
Step 20 In the Navigation pane, expand the Security Management folder.
Step 21 In the Work pane, click the HISTORY tab.
Step 22 Under the HISTORY tab, click the AUDIT LOG subtab to view the audit log.
Step 23 Double-click a log entry to view more details about the event if an entry exists.
Step 24 By clicking specific ACI constructs—for example, Application Profiles, Bridge Domains,
Private Networks—in the Navigation pane, you will have access to the History tab. This tab
records the history that is specific to the current GUI context.

Task 3: Using the API Inspector


In this task, you will use the API Inspector. By using the built-in API Inspector tool, you can capture API
messaging as you perform tasks in the Cisco Application Policy Infrastructure Controller (APIC) GUI. The
captured messages provide examples of the API operation that you can use to develop external applications
that will use the API.

Activity Procedure
Complete these steps:
Step 25 In the upper right corner of the APIC window, click the welcome, admin message to view the
drop-down menu.

Step 26 In the drop-down menu, choose Show API Inspector. The API Inspector opens in a new
browser window.
Step 27 Arrange the APIC browser window side-by-side with the API Inspector window, and then click
the Newest at the top check box.

Note This action allows you to interact with the APIC GUI and simultaneously observe the API calls
that are made in reaction to your interactions with the GUI.

Step 28 In the Filters toolbar of the API Inspector window, choose the types of API log messages to
display.
The displayed messages are color-coded according to the selected message types. This table shows the
available message types:
Log Type Description
debug Displays debug messages. This type includes most API commands and responses.
info Displays informational messages.
warn Displays warning messages.
error Displays error messages.
fatal Displays fatal messages.
all Checking this check box causes all other check boxes to become checked. Unchecking any other check box causes this check box to be unchecked.

Step 29 In the APIC GUI, click Tenants from the Menu bar, and then click the common Tenant.
Step 30 In the Navigation pane, right-click Application Profiles, and then choose Create Application
Profile from the context menu.
Step 31 In the Name field, type POD##-TEMP, and then click SUBMIT.
Step 32 In the API Inspector, observe that there is a POST method request that instructs the API to
create a new application profile in the Common Tenant. Note that the request body is in JSON
format, although this is not obvious in the API Inspector window. The following is an
example of the request:

01:44:49 DEBUG - method: POST url: https://apic1.dc.local/api/node/mo/uni/tn-common/ap-ATL-TEMP.json
payload{"fvAp":{"attributes":{"dn":"uni/tn-common/ap-ATL-TEMP","name":"ATL-TEMP","rn":"ap-ATL-TEMP","status":"created"},"children":[]}}
response: {"imdata":[]}

Step 33 Open the Notepad++ application on your desktop. Copy and paste the payload into a new
document.
Step 34 Press Ctrl+A to select all.
Step 35 Click the Plugins menu.
Step 36 Click JSON Viewer, and then Format JSON. Your output should now appear in JSON array
format.

You can use the URL and JSON array that are recovered from the API Inspector to make REST calls to
configure the fabric.

Task 4: Use the Managed Object Browser (Visore)


In this task, you will use the Managed Object Browser to validate the AAA configuration.
The Managed Object Browser, or Visore, is a utility that is built into the Cisco Application Policy
Infrastructure Controller (APIC). It provides a graphical view of the managed objects (MOs) using a browser.
The Visore utility uses the APIC REST API query methods to browse MOs that are active in the ACI Fabric,
allowing you to see the query that was used to obtain the information.
You cannot use the Visore utility to perform configuration operations.

Note Only the Firefox, Chrome, and Safari browsers are supported for Visore access.

Activity Procedure
Complete these steps:
Step 37 From your Student Server desktop, start the Chrome browser.
Step 38 Open another tab and navigate to https://192.168.R0.1/visore.html (replace “R” with your ACI
Rack Number).
Step 39 Log in to the APIC using the following credentials:
 Username: admin
 Password: 1234QWer (note that “QW” is capitalized)

Step 40 The APIC Object Store Browser will appear. In the Class or DN field, type
aaaProviderGroup, and then click the Run Query button.

Note If a window pops up saying “You did not specify a property name,” click OK.

Step 41 The query results show a number of aaaRadiusProviderGroup objects with names in the
format POD##_RADIUS_PROVIDER_GROUP. These are the RADIUS Provider Groups that were
created in the previous lab exercise.

Step 42 Click the green “>” symbol at the end of the dn field. This action will take you to the details of
that DN, if it exists in the object tree.

Note Clicking > sends a query to the APIC for the children of the MO (managed object).
Clicking < sends a query for the parent of the MO.

Step 43 In the dn field of the MO description table, click the icons to display statistics, faults, or health
information for the MO.
Step 44 Click the Display URI of last query link to display the API call that executed the query.
Step 45 Click the Display last response link to display the API response data structure from the query.
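The API Inspector capture from Task 3 (the fvAp POST) and the Visore class query from this task, replayed with the Python standard library as an added example; this is not code from the lab guide or from Cisco, and the APIC address, the credentials, the POD01-TEMP name and all helper names are this example's own assumptions.

```python
"""Added example, not from the NterOne lab guide or Cisco: it replays the API
Inspector capture of Step 32 as a REST POST and runs the class query Visore
issues in Task 4. APIC_URL and the helper names are this example's own."""
import http.cookiejar
import json
import ssl
import urllib.request

APIC_URL = "https://192.168.R0.1"  # placeholder: replace R as in the lab guide

def build_ap_request(base_url, tenant, ap_name):
    """URL and fvAp body in the shape the API Inspector showed in Step 32."""
    dn = f"uni/tn-{tenant}/ap-{ap_name}"
    body = {"fvAp": {"attributes": {"dn": dn, "name": ap_name,
                                    "rn": f"ap-{ap_name}", "status": "created"},
                     "children": []}}
    return f"{base_url}/api/node/mo/{dn}.json", body

def build_class_query(base_url, class_name, prop=None, value=None):
    """Visore's class query; with a property, the same query-target-filter."""
    url = f"{base_url}/api/node/class/{class_name}.json"
    if prop is not None:
        url += f'?query-target-filter=eq({class_name}.{prop},"{value}")'
    return url

def parse_imdata(text):
    """Split an APIC response into MOs and error texts (errors arrive in imdata)."""
    imdata = json.loads(text).get("imdata", [])
    objects = [mo for mo in imdata if "error" not in mo]
    errors = [mo["error"]["attributes"]["text"] for mo in imdata if "error" in mo]
    return {"objects": objects, "errors": errors}

def apic_session(base_url, user, password, cafile=None):
    """Log in with aaaLogin and return an opener that carries the APIC-cookie.
    TLS verification stays on; pass the lab APIC's CA certificate as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json",
                                 data=json.dumps(login).encode(), method="POST")
    result = parse_imdata(opener.open(req).read().decode())
    if result["errors"]:
        raise RuntimeError("login failed: " + "; ".join(result["errors"]))
    return opener

if __name__ == "__main__":
    session = apic_session(APIC_URL, "admin", "1234QWer")
    url, body = build_ap_request(APIC_URL, "common", "POD01-TEMP")  # constructed name
    post = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    print(parse_imdata(session.open(post).read().decode()))
    query = build_class_query(APIC_URL, "aaaProviderGroup")
    print(parse_imdata(session.open(query).read().decode())["objects"])
```

The response parser separates returned managed objects from the error records APIC places inside imdata, which is the check the raw API Inspector output leaves to the reader.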

Task 5: Configuring Syslog Monitoring


In this task, you will configure syslog monitoring.

Activity Procedure
Complete these steps:
Step 46 On your Student Server desktop, start the 3CDaemon application. You will be using this later in
this lab exercise.

Step 47 Return to the APIC GUI running in your Chrome browser.


Step 48 In the Menu bar, click Admin.
Step 49 In the Submenu bar, click External Data Collectors.
Step 50 In the Navigation pane, expand Monitoring Destinations > Syslog.
Step 51 Right-click the Syslog folder and then select Create Syslog Monitoring Destination Group
from the context menu.

Step 52 The Create Syslog Monitoring Destination Group wizard will appear. In STEP 1 > Profile,
in the Name field type POD##-SYSLOG-GROUP (replace “##” with your assigned 2-digit
Pod Number).

Step 53 Click the NEXT button. In STEP 2 > Remote Destinations, in the Create Remote
Destinations subsection, click the plus sign to create a new entry.
Step 54 The Create Syslog Remote Destination wizard will appear. Enter the values in the following
table.

Field Value
Host IP Address – To NterOne Lab (this can be found on your Student Server desktop in the upper right-hand corner)
Name POD##-SYSLOG-SERVER (replace “##” with your assigned 2-digit Pod Number)
Admin State Enabled
Management EPG default (Out-of-Band)

Step 55 Click the OK button to complete the Create Syslog Remote Destination wizard.

Step 56 Click the FINISH button to complete the Create Syslog Monitoring Destination Group wizard.

Note In the previous steps, you configured the syslog server. In the next steps, you will configure a
syslog policy that will result in the generation of syslog messages to the syslog server.

Step 57 In the Menu bar, click Fabric.


Step 58 In the Submenu bar, click Fabric Policies.
Step 59 In the Navigation pane, expand Monitoring Policies > default > CallHome/SNMP/Syslog.

Note You can also access Monitoring Policies under individual tenants and Fabric Access Policies.

Step 60 In the Work pane, in the Source Type setting, choose Syslog.

Step 61 In the far right-hand side of the Work pane click the plus sign to create a new entry.

Step 62 The Create Syslog Source wizard will appear. Enter the values in the following table.

Field Value
Name POD##-SYSLOG-SOURCE (replace “##” with your assigned 2-digit Pod Number)
Min Severity debugging
Include (check all boxes)
Dest. Group POD##-SYSLOG-GROUP (replace “##” with your assigned 2-digit Pod Number)

Step 63 Click the OK button to complete the Create Syslog Source wizard.
Step 64 Return to the 3CDaemon window.
Step 65 Click the Syslog Server tab to display syslog messages from the APIC.

Note It may take some time for syslog messages to appear.

Task 6: Using the Operations Tab in APIC


In this task, you will use the Operations tab in Cisco Application Policy Infrastructure Controller (APIC).

Activity Procedure
Complete these steps:
Step 66 Return to the APIC GUI running in your Chrome browser.

Step 67 In the Menu bar, click Operations.
Step 68 In the Submenu bar, click Visibility and Troubleshooting.
Step 69 In the Session Name field type POD##-SESSION (replace “##” with your assigned 2-digit
Pod Number).
Step 70 In the Source field, enter 10.##.1.1 (the IP address of Pod##-App) and then click the Search
button.
Step 71 You should see a single search result. Click it; the row will turn grey.
Step 72 In the Destination field, enter 10.##.3.1 (the IP address of Pod##-Web) and then click the
Search button.
Step 73 You should see a single search result. Click it; the row will turn grey.

Step 74 Click START in the lower right side of the page.


Step 75 After a few seconds, the Faults screen appears. Observe any possible faults on the system.

Step 76 Click Drops/Stats in the Navigation Pane. Observe that there have been some drops in the
system as a result of your changes to the fabric configuration.

Step 77 Click Contracts in the Navigation Pane. You should see packets from pinging between the
virtual machines from the previous lab exercises.

Step 78 Click Traceroute in the Navigation Pane. From the Protocol drop-down menu, choose icmp.
Press the Play button in the top left part of the window.

Step 79 Click OK if a warning pops up.

Step 80 After a few seconds, the interface will display the result of a traceroute. Observe that the
Traceroute Status is complete and that the arrows in the screen are green.

Step 81 Click the Stop button to end the traceroute.
