58. ACI Bring-up Process: Theory, Part 01
Let us discuss the ACI bring-up process; you can see the various steps here. First of all, we connect the leaf switches, the spine switches and the APIC controllers. So all the equipment has been racked and stacked, all fabric links between leaf and spine have been cabled, and all management and console connections have been made. Make sure every interface is connected properly. And what is the rule for connecting these interfaces? The APIC should be dual-homed: here you can see each APIC connected to two leaf switches over 10 Gigabit interfaces. Now, something very interesting: we have the infrastructure VLAN, the infra VLAN. As an example I will use 4093, which is the default. Keeping the default is not recommended in production, because the range 3968-4094 is reserved on standalone NX-OS and on many blade or fabric interconnect switches that you may later need to extend the infra VLAN to, so a value such as 3967 is a common choice. Whatever value you pick, the infra VLAN must not overlap any VLAN already in use in your environment, and it must be unique across the ACI infrastructure.
So I will not use this VLAN for any locally or globally scoped VLAN elsewhere in the ACI deployment. Next is the infra TEP, the tunnel endpoint IP. We will discuss TEP addresses in more detail in the upcoming sections; we need to understand what an endpoint is and how, with the help of the endpoints, traffic flows from one TEP to another. The TEP is the VXLAN tunnel endpoint, a loopback address on each leaf and spine node, so these are the TEP addresses here. This TEP address pool must not overlap any existing IP address pool. For example, if I give the TEP pool 10.0.0.0/16, then nobody else in the infrastructure should be using those addresses. Just as with the VLAN, we give a unique subnet for the TEP pool. Now, the APIC discovery process discovers the IP addresses of the other APICs in the cluster using an LLDP-based discovery mechanism. That is the other thing we have to understand here.
That is how the discovery process happens; in the upcoming video we will discuss it in more detail. In general, the APIC discovers the leaf, the leaf discovers the spine, the spine discovers the remaining leaf switches, and the process continues. Okay? All right, let's see what other mechanisms and theory lie behind this. The APIC communicates with the Cisco ACI fabric through a VLAN associated with the infra tenant, and that is the infra VLAN. During the bring-up process it asks you for the infra VLAN, the TEP pool, the OOB management address, the gateway, and so on. Here in the diagram you can see the sequence of the boot-up process: first LLDP, then the DHCP discover/request exchange, then an HTTP transfer to fetch the firmware, and then IFM, Intra-Fabric Messaging, to distribute policy to the policy elements on the switches. So first the devices are discovered with LLDP, and the infra VLAN number chosen at provisioning time is used for internal connectivity between the APIC, the spines and the leaves.
Yes. So the APIC searches for a leaf, the leaf searches for a spine, and the process carries on. Cisco ACI uses Layer 3 links in the fabric: all the leaf-to-spine links are routed links, and inside the fabric everything is managed by Cisco ACI. Traffic on these links is carried tagged with the infra VLAN. Now, if you want to extend the fabric infrastructure outside the fabric itself, you also use the infra VLAN, and the example here is the Application Virtual Switch (AVS). When you deploy AVS, the requirement is that the infra VLAN is extended between the leaf switch and the AVS software switch, because the AVS communicates with the leaf over the infra VLAN. That is a very important point. Okay, let's cover the other points as well. The Cisco ACI fabric uses LLDP-based and DHCP-based fabric discovery to automatically discover the fabric switch nodes, assign TEP addresses, and install firmware on the switches.
This is the same diagram we saw earlier. Now you can mark which protocols are used between the APIC and the switches: LLDP, DHCP, HTTP, and then IFM to push the policy. You can see the two-way arrows: LLDP, DHCP and so on are two-way exchanges between the APIC and the switch, but IFM is shown as one way, the APIC pushing policy to the switches. All right, so now we understand more about the ACI bring-up, and these are the points to highlight while we study it. Next point: the TEP address pool is a critical part of the configuration. You should choose a non-overlapping range. For example, I chose 10.0.0.0/16 as the TEP pool; TEP stands for tunnel endpoint, and the nodes get their TEP IP addresses from the APIC.
Then the node downloads the firmware through an HTTP GET. That is also straightforward. Let's carry on and see the last slide on this topic. The APICs connect to the fabric with 10 Gigabit NICs; we have done the connectivity like this, and the two NICs of each APIC should be connected to different leaf nodes for redundancy. APIC connectivity is automatically configured for active-backup teaming, which means that only one interface is active at any given time. You can verify this from the bash shell, but do not modify it there; in the shell you can see which interface is active and which is the backup. Assuming the infra VLAN is 4093, what interfaces do we have? We have the bond0 interface, the NIC bonding interface for the in-band connection to the leaf switches; no IP address is assigned to bond0 itself. So let's stop here. In the next section I will log in to the APIC and show you all these interfaces, and then it will make sense. That is the type of interface we have while we are doing the bring-up process. So let's stop here.
59. ACI Bring-up Process, Part 02
Let us continue where we left off: what bonds do we have, meaning which NICs and which bonding interfaces. Assuming the infra VLAN ID is 4093, the network interfaces are as follows. First, bond0: the NIC bonding interface for the in-band connection to the leaf switches. It has no IP address. Then bond0.4093, the infra VLAN sub-interface of bond0, which connects to the leaf switches on VLAN 4093. During the initial bring-up you specify the TEP pool, and this sub-interface obtains its address dynamically from that pool. Apart from that you have bond1, the NIC bonding interface for out-of-band (OOB) management; no IP is assigned to the bond itself. Finally you have the OOB management interface, oobmgmt, which carries the management IP you use to reach the APIC. When bringing up the APIC you enter the management IP for OOB management along with the infra VLAN, the TEP pool, the OOB gateway, and so on, and the management interface takes that address. So let us log in to the APIC, say APIC 1, and verify these things; at least we can see most of these interfaces on our APIC controller.
So let me go here and type `acidiag fnvread`. What does this command do? It shows the fabric node vector: every leaf and spine the APIC knows about, with its node ID, name, serial number, TEP address and role. Here I am using the default pool, and the nodes have received /32 TEP addresses from it for all the leaves and spines. `fnvread` stands for fabric node vector read, and it is a very useful command to get these addresses. If you want to SSH to any leaf or spine, you can take its TEP address from here, run `ssh admin@<TEP address>`, give the password, and you are in. Anyway, let's verify what types of interfaces we have. I can check the interface configuration and grep for the interfaces. Here I can see the physical interfaces of the APIC and the loopback, and then we have bond0.
Here you can see bond0, which has no IP address. Then bond0.<infra VLAN>, which has the TEP address 10.0.0.1, assigned automatically from the fabric. Then the OOB management interface, where I have the management address, and then the loopback interface with the system's loopback IP. Now, the system we have logged into is a simulator, the APIC simulator that you can download from the Cisco site, and you can check the interfaces on it. It is very much like what we have in production, but it is still a simulation, where you can verify most things related to the APIC and the ACI infrastructure. All right, let's stop here; the next section explains more about the bring-up process.
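As an added example (my own code, not from the course or from Cisco) that ties together the planning rules from lecture 58 and the interface layout just shown: `check_bringup_plan` tests a planned infra VLAN and TEP pool against the VLANs and subnets already in use, and `check_apic_interfaces` parses `ip addr show` output from an APIC and verifies that bond0 and bond1 carry no address, that bond0.<infra VLAN> holds a TEP inside the pool, and that oobmgmt holds a management address outside it. The `ip addr` text, the MACs and addresses, and the minimum pool size constant are constructed assumptions for this example.

```python
"""Added example (not from the course or from Cisco): sanity checks for the
bring-up parameters, plus a check of the APIC bond interfaces from `ip addr`
output. All sample data below is constructed."""
import ipaddress
import re

# Standalone NX-OS (and many blade / fabric interconnect switches) reserve
# VLANs 3968-4094. That only matters when the infra VLAN must be extended
# beyond the ACI fabric (AVS, blade switches), which is why 3967 is common.
NXOS_RESERVED_VLANS = range(3968, 4095)
# Assumed threshold for this example only; confirm the minimum pool size
# against the install guide for your release.
MIN_TEP_PREFIXLEN = 23


def check_bringup_plan(infra_vlan, tep_pool, existing_vlans, existing_subnets,
                       extend_infra_vlan=False):
    """Return a list of problems with the planned infra VLAN and TEP pool.

    An empty list means every check passed.
    """
    problems = []
    if not 2 <= infra_vlan <= 4094:
        problems.append(f"infra VLAN {infra_vlan} is not a usable VLAN ID")
    if extend_infra_vlan and infra_vlan in NXOS_RESERVED_VLANS:
        problems.append(f"infra VLAN {infra_vlan} falls in the NX-OS reserved range 3968-4094")
    if infra_vlan in existing_vlans:
        problems.append(f"infra VLAN {infra_vlan} overlaps an existing VLAN")
    pool = ipaddress.ip_network(tep_pool, strict=True)
    if pool.prefixlen > MIN_TEP_PREFIXLEN:
        problems.append(f"TEP pool {pool} is smaller than /{MIN_TEP_PREFIXLEN}")
    for subnet in existing_subnets:
        if pool.overlaps(ipaddress.ip_network(subnet, strict=False)):
            problems.append(f"TEP pool {pool} overlaps existing subnet {subnet}")
    return problems


# "3: bond0.4093@bond0: <...>" -> interface name "bond0.4093"
_IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@[^:\s]+)?:")
_INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)")


def parse_ip_addr(text):
    """Map interface name -> list of IPv4 addresses from `ip addr show` output."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = _INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(m.group(1))
    return addrs


def check_apic_interfaces(ip_addr_output, infra_vlan, tep_pool):
    """Verify the bond layout from the lecture: bond0/bond1 carry no IP,
    bond0.<infra VLAN> holds a TEP from the pool, oobmgmt holds a
    management address outside the pool. Returns a list of problems."""
    pool = ipaddress.ip_network(tep_pool)
    addrs = parse_ip_addr(ip_addr_output)
    problems = []
    for bond in ("bond0", "bond1"):
        if addrs.get(bond):
            problems.append(f"{bond} should carry no IP address, has {addrs[bond]}")
    infra = f"bond0.{infra_vlan}"
    teps = addrs.get(infra)
    if not teps:
        problems.append(f"{infra} is missing or has no TEP address")
    else:
        for a in teps:
            if ipaddress.ip_interface(a).ip not in pool:
                problems.append(f"{infra} address {a} is outside TEP pool {pool}")
    mgmt = addrs.get("oobmgmt")
    if not mgmt:
        problems.append("oobmgmt has no management address")
    else:
        for a in mgmt:
            if ipaddress.ip_interface(a).ip in pool:
                problems.append(f"oobmgmt address {a} lies inside the TEP pool")
    return problems


# Constructed `ip addr show` output for APIC 1 with infra VLAN 4093 and
# TEP pool 10.0.0.0/16 (addresses and MACs are made up).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: bond0.4093@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.0.0.1/32 brd 10.0.0.1 scope global bond0.4093
4: bond1: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
5: oobmgmt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.10.11/24 brd 192.168.10.255 scope global oobmgmt
"""

if __name__ == "__main__":
    print(check_bringup_plan(3967, "10.0.0.0/16", {10, 20}, ["192.168.0.0/16"]))
    print(check_bringup_plan(4093, "10.0.0.0/16", {10, 4093}, ["10.0.0.0/8"],
                             extend_infra_vlan=True))
    print(check_apic_interfaces(SAMPLE_IP_ADDR, 4093, "10.0.0.0/16"))
```

Run the second function against the real output of `ip addr show` on an APIC (the bash shell the lecture mentions) and pass the infra VLAN and TEP pool you entered at setup; the bonds themselves must stay address-less and only the sub-interface should hold a TEP.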
60. ACI Fabric Discovery
ACI fabric discovery is a very simple process. Once you have connected all the spines with the leaves and the APIC controllers, you power on the first APIC, open the CIMC virtual KVM (or a physical KVM), and answer the initial setup questions. So what does it ask you? First the cluster information: the fabric name and the number of controllers in the cluster. Suppose this is a cluster of three; then I enter 3. Then the controller ID and the controller name. Then the TEP address pool, which by default is 10.0.0.0/16; if that overlaps your internal addressing, you change it here. Then it asks you for the infra VLAN.
By default it is 4093; in this case we are using 3967. Then enter the address pool for bridge domain multicast; you can accept the default (225.0.0.0/15) or enter your own range. Then it asks about out-of-band management: the OOB IP address (a default is offered, which you change to your own) and the gateway, and that's it. Finally you set the admin password. Once you give the password it applies the configuration and restarts, which means it starts the initialization; that takes approximately five minutes. Then we go to the GUI. So: power on, open the CIMC virtual KVM, answer the initial setup, then open a browser to the APIC. What happens next is that it starts discovering and registering the leaf and spine switches, one by one, and what we need to do is provide a node ID and a name for each of them; obviously you have the serial numbers and the names you want to assign in mind. Nodes are registered by the fabric admin through the GUI or the REST API, adding them to the fabric node vector database. The following information is required: the serial number (detected automatically), the node ID (starting from 101), and the node name (unique within the fabric). Let me show you how that looks. Once the discovery process starts, the serial numbers populate one by one, and you go ahead and provide the name. The role, spine or leaf, is detected as well, but you need to check that a node shown as a spine really is the spine you expect.
What's the name? The TEP address is assigned automatically, but based on the serial number you have to put in the hostname as per the data sheet you have. Once you have done this for every node, it populates, searches, and builds the fabric according to the cabling. So finally you have this list: the TEP addresses, the role, the model, the name you gave, and the serial number that was detected automatically. Once your fabric is built and running, IS-IS provides IP reachability between the spines and the leaves inside the fabric. Here you can see that IS-IS is enabled in the infra VRF to discover the routing topology and node reachability, and it is never exposed externally; IS-IS is used only internally.
If you want to verify the IS-IS database, the IS-IS hostnames and other IS-IS information, you can log in to a spine or leaf and check there. Just like OSPF, IS-IS builds a database, a routing table, an adjacency table, and so on, and you can check these with the show commands (for example `show isis adjacency vrf overlay-1`). All right, so you can see that the fabric discovery process is very easy in ACI; whether you have ten nodes or 200 nodes, it doesn't matter. This is the way Cisco has built the ACI fabric, and the discovery process is fairly simple. Your data center fabric can be brought up within hours, even with hundreds of leaves and spines.
So let me log in to the URL we have and show you how the devices look once they are discovered. Go to Fabric, then Inventory. Inside Inventory you have options such as Pod Fabric Setup Policy, Fabric Membership, Duplicate IP Usage, and Disabled Interfaces and Decommissioned Switches. I go into Fabric Membership. Here you can see the serial numbers; because this is the simulator, an emulator for learning the ACI fabric, the serial numbers are not real, but in your production environment you will see the unique serial numbers that ship with the devices, just as with normal Cisco routers or switches. So I can see the serial number and the model, and then I give the name, like leaf1, leaf2, spine1, spine2, and so on. We can also see the TEP address. So this is the way the fabric is built.
61. ACI Constructs
Now we come to the constructs of ACI, meaning the building blocks. At the top level, ACI has two types of components: logical and physical. We know that every SDN solution on the market has a control plane and a data plane. Let me draw it here so you understand. At the bottom you have the devices that do the forwarding, and on top of those devices you abstract an overlay. So the physical connectivity can be seen in another view: the underlay is the physical connection between the devices, and the overlays are the logical networks built on top of it. That is why, in every SDN solution, including ACI, you find two parts: one is logical, which is the overlay, and the other is physical, which is the underlay.
Endpoint groups can also be attribute-based. Suppose the attribute is HR: I have 25 endpoints that share the name HR, so they have a common term or common name between them, and you can group them into an attribute-based endpoint group. Now, if you go deeper into the ACI structure, you will find that all these endpoint groups are mapped to a bridge domain, correct? A bridge domain carries the subnets: for example, the HTTPS endpoints of the web service live in 10.10.10.0/24 and the HTTP endpoints in 10.10.11.0/24, just as an example. By default, endpoints in different endpoint groups cannot communicate. You need a contract.
Contract. You need to define subjects and filters. Filters are nothing but ACL entries. So here you can see: a contract is a group of subjects and has a defined scope (global, tenant, VRF, or application profile); each subject is a group of filters, applied unidirectionally or bidirectionally, and inside the filters you define the ACL entries. So suppose you want to allow ICMP, or HTTP on port 80, or HTTPS on port 443: you create those ACL lines and define who is the provider and who is the consumer. For example, the provider is app and the consumer is web. That relationship plus your ACL entries is what you create. That is what we have discussed so far. In addition, we have a total of three videos on ACI, just so that you understand ACI before doing the Ansible programming; from the next module onwards we have the Ansible programming to create the various logical entities inside the ACI fabric.
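To make the whitelist model concrete, here is an added example (my own code, not from the course or from Cisco) of the constructs just described: tenant, VRF, bridge domain, EPG, and a contract with subjects and filters. `permitted` answers "may this consumer EPG reach this provider EPG on this protocol and port?" by checking that a contract is provided by one side and consumed by the other, that the contract's scope allows the pair, and that a filter entry matches. Tenant and EPG names, subnets and ports are made up.

```python
"""Added example (not from the course or from Cisco): a small model of the
ACI logical constructs - tenant, VRF, bridge domain, EPG, contract with
subjects and filters - and the deny-by-default evaluation between EPGs.
Names, subnets and ports are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FilterEntry:           # one ACL line inside a filter
    protocol: str            # "tcp", "udp", "icmp", or "ip" for any protocol
    port_from: int = 0       # 0 = destination port unspecified
    port_to: int = 0

    def matches(self, protocol, dst_port):
        if self.protocol not in ("ip", protocol):
            return False
        return self.port_from == 0 or self.port_from <= dst_port <= self.port_to


@dataclass
class Subject:
    name: str
    filters: list            # FilterEntry objects


@dataclass
class Contract:
    name: str
    scope: str               # "context" (VRF), "tenant", "global", "application-profile"
    subjects: list


@dataclass
class BridgeDomain:
    name: str
    vrf: str
    subnets: tuple


@dataclass
class EPG:
    name: str
    tenant: str
    app_profile: str
    bd: BridgeDomain
    provided: set = field(default_factory=set)   # contract names this EPG provides
    consumed: set = field(default_factory=set)   # contract names this EPG consumes


def scope_allows(contract, a, b):
    """The contract scope bounds which EPG pairs the contract can join."""
    if contract.scope == "global":
        return True
    if contract.scope == "tenant":
        return a.tenant == b.tenant
    if contract.scope == "context":
        return a.tenant == b.tenant and a.bd.vrf == b.bd.vrf
    if contract.scope == "application-profile":
        return a.tenant == b.tenant and a.app_profile == b.app_profile
    raise ValueError(f"unknown contract scope {contract.scope}")


def permitted(consumer, provider, contracts, protocol, dst_port):
    """Return (contract, subject) permitting consumer -> provider, else None.

    ACI is deny-by-default between EPGs: traffic is forwarded only when the
    consumer consumes a contract the provider provides and a filter entry in
    one of its subjects matches. Traffic within a single EPG needs no contract."""
    if consumer is provider:
        return ("intra-EPG", None)
    for name in sorted(consumer.consumed & provider.provided):
        contract = contracts[name]
        if not scope_allows(contract, consumer, provider):
            continue
        for subject in contract.subjects:
            if any(f.matches(protocol, dst_port) for f in subject.filters):
                return (contract.name, subject.name)
    return None


def build_example():
    """Constructed three-tier tenant: web consumes, app provides; db sits in
    another VRF, so a VRF-scoped contract cannot join web and db."""
    web_bd = BridgeDomain("web-bd", "prod-vrf", ("10.10.10.0/24",))
    app_bd = BridgeDomain("app-bd", "prod-vrf", ("10.10.11.0/24",))
    db_bd = BridgeDomain("db-bd", "dev-vrf", ("10.20.0.0/24",))
    contracts = {
        "web-to-app": Contract("web-to-app", "context", [
            Subject("web-ports", [FilterEntry("tcp", 80, 80), FilterEntry("tcp", 443, 443)]),
            Subject("ping", [FilterEntry("icmp")]),
        ]),
    }
    epgs = {
        "web": EPG("web", "Prod", "shop", web_bd, consumed={"web-to-app"}),
        "app": EPG("app", "Prod", "shop", app_bd, provided={"web-to-app"}),
        "db": EPG("db", "Prod", "shop", db_bd, provided={"web-to-app"}),
    }
    return epgs, contracts


if __name__ == "__main__":
    epgs, contracts = build_example()
    print(permitted(epgs["web"], epgs["app"], contracts, "tcp", 443))
    print(permitted(epgs["web"], epgs["app"], contracts, "tcp", 22))
    print(permitted(epgs["web"], epgs["db"], contracts, "tcp", 443))
```

The model only evaluates the consumer-to-provider direction; the real fabric also installs the reverse entries for return traffic when "reverse filter ports" is set on the subject, which is the usual default.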
62. Fabric Access Policies
Next, we have fabric access policies. Before understanding fabric access policies, I want to make it clear that the ACI fabric has a leaf-and-spine structure, correct? So we know that the leaves are connected to the spines.
Let me change the colour; maybe it's not visible. So we have this structure, along with the APIC cluster: leaves connected to spines, every leaf connected to every spine, and vice versa. Somewhere here you have the APIC cluster as well, and that's the network you have. The APIC controller is your management plane, and the leaf and spine are the collapsed data and control plane. Now, the important thing is to understand where these policies fit in. Under Fabric you find two sets of policies: Fabric Policies and Fabric Access Policies.
The access policies are for the ports where the leaf switches connect outward: maybe to other Nexus 9Ks, maybe to physical servers, maybe to the virtual world. Those are the policies for the endpoint-facing ports. The fabric policies are for the fabric itself, the links between leaf and spine. Now, this hardware is, for the moment, my underlay, and on top of that underlay I can create multiple logical views, multiple logical networks.
Technically those are virtual networks, created on top of the underlay as overlays. In ACI the term for such a virtual network is a tenant. A tenant is nothing but a virtual network, an abstraction from the physical hardware, logical plus virtual, and it may represent a customer, a business unit, or any logical entity.
The tenant is the logical part, but the physical configuration still has to be done. That is why, if you look at the whole ACI configuration, you find the physical configuration on one side, where you create interface profiles, switch policies, global policies, and so on, and the logical configuration on the other side, inside the tenant, where you create an application profile, under the application profile the endpoint groups, and inside those the endpoints.
Those endpoints are physically connected here. Apart from the application profile we also have the bridge domains, the VRFs, and the contracts, the rules between the endpoints. So we have the physical infrastructure, and on top of that the abstraction, the logical network per customer or business unit, depending on what type of virtual network you want. We have many slides to explain this clearly. Compare it with what we used to do: we used to log in to the switch,
go into an interface, say Ethernet 1/1, and if it was a switchport configure switchport mode access or switchport mode trunk, assign the VLANs it participates in, and so on; and then the interface policies: link policy, CDP, LACP, LLDP, STP and so many more. These things are very familiar. The only difference in ACI is the way we configure them: it is template based. We create the templates, the policies, and then we associate those templates with the interfaces. That is the difference. But what is the overall picture? We have physical devices, and we create multiple instances on them, say virtual networks A, B and C. The physical devices are the underlay and the instances are the overlay, and the underlay from which you take the abstraction together with the overlay is called the fabric, the ACI fabric. So now we can ask: what is the glue between the underlay and the overlay, who connects them? That is why we have the Attachable Access Entity Profile, the AEP (sometimes called the attachable entity profile). It is the glue between the underlay and the overlay.
Then things connect and work. Okay, so this is actually the key to looking inside ACI. In the upcoming section we will talk more about the theory only: from which endpoint the traffic comes, what happens inside the ACI fabric, and how it goes outside. Either your traffic moves inside a single fabric, or maybe you have two data centers with an ACI fabric in each.
So how does the data go from a source here to a destination there? That is use case number two. The third use case is that your source is inside and you go outside to the cloud, or out over the WAN to the branches, and so on. So how do we go outside? Within ACI, outside ACI, and from one ACI fabric to another over DCI connections: you can understand all these traffic flows once you understand the basics behind the scenes. All right, so let's stop here. The next section will continue from there.
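As an added example (my own code, not from the course or from Cisco) for the access-policy discussion in this lecture: a small model of the chain VLAN pool, domain, AEP, interface policy group, interface profile and switch profile, with a resolver that checks whether an EPG static path binding (leaf, port, encap VLAN) can actually be deployed. The rule it encodes is the one the AEP glue implements: the port's policy group must carry an AEP containing a domain associated to the EPG, and that domain's VLAN pool must contain the encap in a static range. Each failure mode returns a message in the spirit of the faults the APIC raises when a step is missing. All object names, node IDs and VLAN ranges are made up.

```python
"""Added example (not from the course or from Cisco): model of the fabric
access policy chain and a deployability check for EPG static paths.
Object names, nodes and VLAN ranges are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class VlanPool:
    name: str
    ranges: List[tuple]  # (low, high, allocation mode "static" | "dynamic")

    def allocation_mode(self, vlan: int) -> Optional[str]:
        for low, high, mode in self.ranges:
            if low <= vlan <= high:
                return mode
        return None

@dataclass
class Domain:            # physical, external or VMM domain
    name: str
    vlan_pool: VlanPool

@dataclass
class AEP:               # attachable access entity profile: the glue
    name: str
    domains: List[Domain]

@dataclass
class InterfacePolicyGroup:
    name: str
    aep: Optional[AEP]   # a policy group without an AEP deploys no encaps

@dataclass
class InterfaceProfile:
    name: str
    ports: Dict[str, InterfacePolicyGroup]  # "1/12" -> policy group

@dataclass
class SwitchProfile:
    name: str
    leaf_nodes: Set[int]
    interface_profiles: List[InterfaceProfile]

@dataclass
class EPGBinding:        # an EPG static path plus the EPG's domain associations
    epg: str
    domains: Set[str]
    node: int
    port: str
    encap: int


def resolve_policy_group(switch_profiles, node, port):
    """Walk switch profile -> interface profile -> port to find the policy group."""
    for sp in switch_profiles:
        if node not in sp.leaf_nodes:
            continue
        for prof in sp.interface_profiles:
            if port in prof.ports:
                return prof.ports[port]
    return None


def validate_binding(binding, switch_profiles):
    """Return fault strings; an empty list means the encap would be deployed."""
    pg = resolve_policy_group(switch_profiles, binding.node, binding.port)
    if pg is None:
        return [f"{binding.epg}: no interface policy group covers node "
                f"{binding.node} port {binding.port}"]
    if pg.aep is None:
        return [f"{binding.epg}: policy group {pg.name} has no AEP attached"]
    usable = [d for d in pg.aep.domains if d.name in binding.domains]
    if not usable:
        return [f"{binding.epg}: none of its domains {sorted(binding.domains)} "
                f"are in AEP {pg.aep.name}"]
    faults = []
    for dom in usable:
        mode = dom.vlan_pool.allocation_mode(binding.encap)
        if mode == "static":
            return []  # one domain with the encap in a static range suffices
        if mode == "dynamic":
            faults.append(f"{binding.epg}: vlan-{binding.encap} is in a dynamic range "
                          f"of pool {dom.vlan_pool.name}; static paths need a static range")
        else:
            faults.append(f"{binding.epg}: vlan-{binding.encap} not in pool "
                          f"{dom.vlan_pool.name} of domain {dom.name}")
    return faults


def build_example():
    """Constructed access-policy tree for leaves 101 and 102."""
    pool = VlanPool("phys-pool", [(100, 199, "static"), (2000, 2099, "dynamic")])
    aep = AEP("server-aep", [Domain("phys-dom", pool)])
    prof = InterfaceProfile("leaf101-102-prof", {
        "1/12": InterfacePolicyGroup("srv-10g", aep),
        "1/13": InterfacePolicyGroup("orphan-10g", None),
    })
    return [SwitchProfile("leaf101-102", {101, 102}, [prof])]


if __name__ == "__main__":
    sps = build_example()
    for b in (EPGBinding("web", {"phys-dom"}, 101, "1/12", 150),
              EPGBinding("web", {"phys-dom"}, 101, "1/12", 300),
              EPGBinding("web", {"vmm-dom"}, 101, "1/12", 150)):
        print(b.encap, validate_binding(b, sps) or "deployable")
```

Feeding the model from your own exported access policies is a quick way to find a static binding that silently never programs a VLAN because one link of the chain (most often the domain-to-EPG association or the pool range) is missing.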