DDZ | Deploy of Tier three Application in ACI


# DEPLOY OF TIER THREE APPLICATION IN ACI SETUP

Cisco Application Centric Infrastructure (ACI) is a software-defined networking (SDN) solution designed for data centers. Here we will create a three-tier application on the APIC, in a fabric of two spine switches, six leaf switches and three APIC controllers connected to each other, as shown in the diagram below.



# FIRST, Configure the Tenants

A tenant is a group of users who share common access, with specific privileges, to the software instance. A tenant in ACI represents a management domain.
Practical
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# security domain DCORG_Dom1

# SECOND, Configure the Virtual Routing Forwarding (VRF)

A VRF contains a Layer 3 routing instance, its tables and IP addresses. A VRF must have a unique name within its tenant but does not need to be globally unique. A VRF is bound to the tenant in which it is created and cannot be separated from that tenant. In other words, VRF is a technology in IP network routers that enables multiple instances of a routing table to exist in a virtual router and work simultaneously.
Practical
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# vrf context DCORG-vrf
apic1(config-tenant-vrf)# exit

# THIRD, Configure the Bridge-Domain (BD)

A bridge domain is a logical construct that allows you to segment traffic on a per-tenant basis. Each BD has its own set of forwarding rules and can be configured to provide different levels of security and isolation.
Practical
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# bridge-domain DCORG-BD
apic1(config-tenant-bd)# vrf member DCORG-vrf
apic1(config-tenant-bd)# exit
Note: We will configure three subnets in the same way as above, and you can check them on the APIC controller CLI (log in with PuTTY: admin@IP Address).
apic1(config)# tenant DCORG
apic1(config-tenant)# interface bridge-domain DCORG-BD
apic1(config-tenant-interface)# ip address 172.1.1.1/24
apic1(config-tenant-interface)# ipv6 address 2001:1:1::1/64
apic1(config-tenant-interface)# ip address 172.1.2.1/24
apic1(config-tenant-interface)# ipv6 address 2001:1:2::1/64
apic1(config-tenant-interface)# ip address 172.1.3.1/24
apic1(config-tenant-interface)# ipv6 address 2001:1:3::1/64
apic1(config-tenant-interface)# exit

# FOURTH, Configure the Contracts

Contracts are used to control traffic flow between EPGs within the ACI fabric. Each contract is assigned a scope of Global, Tenant, VRF or Application Profile, which limits the accessibility of the contract.
1) Practical : Create Filters
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# access-list DCORG-filter-any
apic1(config-tenant-acl)# match raw any
apic1(config-tenant-acl)# exit

apic1(config-tenant)# access-list DCORG-filter-icmp
apic1(config-tenant-acl)# match icmp
apic1(config-tenant-acl)# exit

apic1(config-tenant)# access-list DCORG-filter-port-80
apic1(config-tenant-acl)# match tcp dest 80
apic1(config-tenant-acl)# exit

2) Practical : Create contract with Filters
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# contract DCORG-contract-any
apic1(config-tenant-contract)# subject subject-any
apic1(config-tenant-contract-subj)# access-group DCORG-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

apic1(config-tenant)# contract DCORG-contract-App-to-Web
apic1(config-tenant-contract)# subject subject-any
apic1(config-tenant-contract-subj)# access-group DCORG-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

apic1(config-tenant)# contract DCORG-contract-DB-to-App
apic1(config-tenant-contract)# subject subject-any
apic1(config-tenant-contract-subj)# access-group DCORG-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

# FIFTH, Configure the Application Network Profile

The Application Network Profile covers the different aspects of the tenancy: governing security, quality of service (QoS), SLAs and Layer 4 to 7 services. These are so intrinsically linked to EPGs that it is harder to create them as separate tasks. An End Point Group (EPG) is a set of devices (or VMs) that share the same policy requirements. ACI uses a "white list model". Remember that this is the default behavior; it can be changed.

Communication Between EPGs
a) Endpoints inside an EPG can talk to each other.
b) Endpoint Groups (EPGs) cannot communicate with each other.
c) To allow EPGs to speak with each other, we connect them using contracts.
Practical : Associate Contracts to EPG
apic1# configure
apic1(config)# tenant DCORG
apic1(config-tenant)# application DCORG-Application-WebSrv
apic1(config-tenant-app)# epg DCORG-app-egp
apic1(config-tenant-app-epg)# bridge-domain member DCORG-BD
apic1(config-tenant-app-epg)# contract consumer DCORG-contract-DB-to-App
apic1(config-tenant-app-epg)# contract provider DCORG-contract-App-to-Web
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit

apic1(config)# tenant DCORG
apic1(config-tenant)# application DCORG-Application-WebSrv
apic1(config-tenant-app)# epg DCORG-database-egp
apic1(config-tenant-app-epg)# bridge-domain member DCORG-BD
apic1(config-tenant-app-epg)# contract provider DCORG-contract-DB-to-App
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit

apic1(config)# tenant DCORG
apic1(config-tenant)# application DCORG-Application-WebSrv
apic1(config-tenant-app)# epg DCORG-webserver-egp
apic1(config-tenant-app-epg)# bridge-domain member DCORG-BD
apic1(config-tenant-app-epg)# contract consumer DCORG-contract-App-to-Web
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit
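
Added example (not part of the original post): a small Python audit of the filter, contract and EPG commands above. It reports that both contracts attached to EPGs reference DCORG-filter-any, so DCORG-filter-icmp and DCORG-filter-port-80 are defined but never applied, and it lists the consumer-to-provider EPG pairs the contracts open. The function name `audit` and the condensed input are assumptions made for this example.

```python
import re
# Constructed input: commands from the steps above, prompts stripped, condensed.
CONFIG = """
access-list DCORG-filter-any
match raw any
access-list DCORG-filter-icmp
match icmp
access-list DCORG-filter-port-80
match tcp dest 80
contract DCORG-contract-App-to-Web
access-group DCORG-filter-any both
contract DCORG-contract-DB-to-App
access-group DCORG-filter-any both
epg DCORG-app-egp
contract consumer DCORG-contract-DB-to-App
contract provider DCORG-contract-App-to-Web
epg DCORG-database-egp
contract provider DCORG-contract-DB-to-App
epg DCORG-webserver-egp
contract consumer DCORG-contract-App-to-Web
"""

def audit(config):
    """Return (permit-any contracts, unused filters, consumer->provider flows)."""
    filters, contracts, roles = {}, {}, {}
    flt = con = epg = None
    for line in config.splitlines():
        w = re.sub(r"^\S*#\s*", "", line.strip()).split()  # drop "apic1(...)#"
        if not w:
            continue
        if w[0] == "access-list":
            flt = filters.setdefault(w[1], [])      # match entries of this filter
        elif w[0] == "match":
            flt.append(" ".join(w[1:]))
        elif w[0] == "epg":
            epg = w[1]
        elif w[0] == "contract" and w[1] in ("consumer", "provider"):
            roles.setdefault(w[2], {}).setdefault(w[1], []).append(epg)
        elif w[0] == "contract":
            con = contracts.setdefault(w[1], set())  # filters bound to contract
        elif w[0] == "access-group":
            con.add(w[1])
    wide = sorted(c for c, fs in contracts.items()
                  if any("raw any" in filters.get(f, []) for f in fs))
    unused = sorted(set(filters) - set().union(*contracts.values()))
    flows = sorted((c, p, name) for name, r in roles.items()
                   for c in r.get("consumer", []) for p in r.get("provider", []))
    return wide, unused, flows
```

With the page's configuration, the whitelist model still keeps the web server and database EPGs apart because no contract links them, but the web-to-app and app-to-database paths carry all traffic rather than only port 80 or ICMP. Binding DCORG-contract-App-to-Web to DCORG-filter-port-80 would narrow that path and remove the contract from the permit-any list.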

Practical : Associate port and VLAN to EPG
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/4
apic1(config-leaf-if)# switchport trunk allowed vlan 102 tenant DCORG application DCORG-Application-WebSrv epg DCORG-app-egp
apic1(config-leaf-if)# switchport trunk allowed vlan 102 tenant DCORG application DCORG-Application-WebSrv epg DCORG-database-egp
apic1(config-leaf-if)# switchport trunk allowed vlan 102 tenant DCORG application DCORG-Application-WebSrv epg DCORG-webserver-egp
apic1(config-leaf-if)# exit





