DZZ | How to Create Jump Server with ACI Setup


# HOW TO CREATE THE JUMP SERVER WITH ACI SETUP
Now we will create the jump server. A jump server is an intermediary host that funnels administrative traffic through the firewalls over a single supervised, secure channel. Through it you can reach every required server, and you have complete access to your files and folders on any other computer from wherever you are. By placing a barrier between networks, a jump server adds a layer of security against outsiders who want to reach sensitive company data. For best performance, make sure UDP packets are allowed between the machines on ports 35384-35484.



# FIRST, Configure the Tenant
A tenant is a group of users who share common access to a software instance with specific privileges; in ACI, a tenant represents a management domain.
Practical : Create the tenant that will hold the jump server configuration.
apic1# configure
apic1(config)# tenant Management
apic1(config-tenant)# exit

# SECOND, Configure the Virtual Routing and Forwarding (VRF)
A VRF is a Layer 3 routing instance with its own routing tables and IP address space. VRF names must be unique within their tenant but need not be globally unique. A VRF belongs to the tenant in which it is created and cannot be moved out of it. In other words, it is the technology, built into IP routers, that lets multiple instances of a routing table exist in one router and operate simultaneously.
Practical : Create the VRFs; each bridge domain created below is made a member of one of them.
apic1# configure
apic1(config)# tenant Management
apic1(config-tenant)# vrf context VRF-JumpSrv
apic1(config-tenant-vrf)# exit

apic1(config-tenant)# vrf context VRF-HR-Mgmt
apic1(config-tenant-vrf)# exit

apic1(config-tenant)# vrf context VRF-DC-Mgmt
apic1(config-tenant-vrf)# exit

apic1(config-tenant)# vrf context VRF-STRG-Mgmt
apic1(config-tenant-vrf)# exit

# THIRD, Configure the Bridge Domain (BD)
A bridge domain is a logical Layer 2 construct that lets you segment traffic on a per-tenant basis. Each BD has its own set of forwarding rules and can be configured to provide different levels of security and isolation.
Practical : Create the bridge domains and configure the bridge-domain interface.
apic1# configure
apic1(config)# tenant Management
apic1(config-tenant)# bridge-domain BD-JumpSrv
apic1(config-tenant-bd)# vrf member VRF-JumpSrv
apic1(config-tenant-bd)# exit
Note: We will configure the default gateway of the jump server in the Management tenant.
apic1(config-tenant)# interface bridge-domain BD-JumpSrv
apic1(config-tenant-interface)# ip address 10.27.107.1/24 secondary scope public
apic1(config-tenant-interface)# ip shared address 10.27.107.1/24 consumer application any epg any
apic1(config-tenant-interface)# ip shared address 10.27.107.1/24 provider application JUMP-SERVER epg SRV-JUMP-SERVER scope public
apic1(config-tenant-interface)# exit

apic1(config-tenant)# bridge-domain BD-HR-Mgmt
apic1(config-tenant-bd)# vrf member VRF-HR-Mgmt
apic1(config-tenant-bd)# exit

apic1(config-tenant)# bridge-domain BD-DC-Mgmt
apic1(config-tenant-bd)# vrf member VRF-DC-Mgmt
apic1(config-tenant-bd)# exit

apic1(config-tenant)# bridge-domain BD-STRG-Mgmt
apic1(config-tenant-bd)# vrf member VRF-STRG-Mgmt
apic1(config-tenant-bd)# exit

# FOURTH, Configure the Contracts
Contracts control traffic flow between EPGs within the ACI fabric. Each contract is assigned a scope of global, tenant, VRF or application profile, which limits where the contract can be used.
1) Practical : Create the filter that the contracts will reference.
apic1# configure
apic1(config)# tenant Management
apic1(config-tenant)# access-list Management-filter-any
apic1(config-tenant-any)# match raw any
apic1(config-tenant-any)# exit

2) Practical : Create the contracts with the filter.
apic1(config-tenant)# contract CONTRACT-JUMP-SERVER
apic1(config-tenant-contract)# scope exportable
apic1(config-tenant-contract)# subject SUB-JUMP-SERVER
apic1(config-tenant-contract-subj)# access-group default both
apic1(config-tenant-contract-subj)# sdwn-sla default
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

apic1(config-tenant)# contract CONTRACT-HR-Mgmt
apic1(config-tenant-contract)# scope exportable
apic1(config-tenant-contract)# subject SUB-HR-Mgmt
apic1(config-tenant-contract-subj)# access-group Management-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla default
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

apic1(config-tenant)# contract CONTRACT-DC-Mgmt
apic1(config-tenant-contract)# scope exportable
apic1(config-tenant-contract)# subject SUB-DC-Mgmt
apic1(config-tenant-contract-subj)# access-group Management-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla default
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

apic1(config-tenant)# contract CONTRACT-STRG-MGMT
apic1(config-tenant-contract)# scope exportable
apic1(config-tenant-contract)# subject SUB-JUMP-SERVER
apic1(config-tenant-contract-subj)# access-group Management-filter-any both
apic1(config-tenant-contract-subj)# sdwn-sla default
apic1(config-tenant-contract-subj)# exit
apic1(config-tenant-contract)# exit

# FIFTH, Configure the Application Network Profile and End Point Groups
The application network profile governs the different aspects of the tenancy: security, quality of service (QoS), SLAs and Layer 4 to 7 services. It is so closely tied to EPGs that it is hard to treat the two as separate tasks. An End Point Group (EPG) is a set of devices (or VMs) that share the same policy requirements. ACI uses a "white list model"; remember that this is the default behaviour, and it can be changed.
Communication between EPGs:
a) Endpoints inside an EPG can talk to each other.
b) Endpoint Groups (EPGs) cannot communicate with each other.
c) To allow EPGs to talk to each other, we connect them using contracts.
Practical : Associate the contracts with the EPGs
apic1# configure
apic1(config)# tenant Management
apic1(config-tenant)# application JUMP-SERVER
apic1(config-tenant-app)# epg EGP-JumpSrv
apic1(config-tenant-app-epg)# bridge-domain member BD-JumpSrv
apic1(config-tenant-app-epg)# contract consumer CONTRACT-JUMP-SERVER
apic1(config-tenant-app-epg)# contract provider CONTRACT-STRG-MGMT
apic1(config-tenant-app-epg)# endpoint ip 10.27.107.1/24
apic1(config-tenant-app-epg)# exit

apic1(config-tenant-app)# epg EGP-HR-Mgmt
apic1(config-tenant-app-epg)# bridge-domain member BD-HR-Mgmt
apic1(config-tenant-app-epg)# contract consumer CONTRACT-JUMP-SERVER
apic1(config-tenant-app-epg)# contract provider CONTRACT-HR-Mgmt
apic1(config-tenant-app-epg)# endpoint ip 10.27.107.1/24
apic1(config-tenant-app-epg)# exit

apic1(config-tenant-app)# epg EGP-DC-Mgmt
apic1(config-tenant-app-epg)# bridge-domain member BD-DC-Mgmt
apic1(config-tenant-app-epg)# contract consumer CONTRACT-JUMP-SERVER
apic1(config-tenant-app-epg)# contract provider CONTRACT-DC-Mgmt
apic1(config-tenant-app-epg)# endpoint ip 10.27.107.1/24
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit
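Because a contract only opens traffic between an EPG that consumes it and an EPG that provides it, it is worth checking the consumer/provider relations before pushing them to the fabric. The following checker is an added example, not code from the original post: the EPG and contract names follow this section, but the pairing is a constructed variant (an assumption) in which the jump-server EPG consumes the management contracts that the management EPGs provide, plus one deliberately dangling relation.

```python
"""Contract reachability check for the ACI jump-server design in this section.

Added example, not from the original post. The consumer/provider pairing below
is constructed: the jump-server EPG consumes the management contracts that the
three management EPGs provide, and one relation is left dangling on purpose.
"""
from collections import defaultdict

# Constructed relations: (epg, role, contract); role is "consumer" or "provider".
RELATIONS = [
    ("EGP-JumpSrv", "consumer", "CONTRACT-HR-Mgmt"),
    ("EGP-JumpSrv", "consumer", "CONTRACT-DC-Mgmt"),
    ("EGP-JumpSrv", "consumer", "CONTRACT-STRG-MGMT"),
    ("EGP-HR-Mgmt", "provider", "CONTRACT-HR-Mgmt"),
    ("EGP-DC-Mgmt", "provider", "CONTRACT-DC-Mgmt"),
    ("EGP-STRG-Mgmt", "provider", "CONTRACT-STRG-MGMT"),
    ("EGP-HR-Mgmt", "consumer", "CONTRACT-JUMP-SERVER"),  # nobody provides this one
]


def allowed_pairs(relations):
    """(consumer_epg, provider_epg, contract) triples the fabric would permit.
    In the white-list model a contract only opens traffic between an EPG that
    consumes it and an EPG that provides it; everything else is dropped."""
    consumers, providers = defaultdict(set), defaultdict(set)
    for epg, role, contract in relations:
        (consumers if role == "consumer" else providers)[contract].add(epg)
    return {
        (c, p, contract)
        for contract in set(consumers) | set(providers)
        for c in consumers.get(contract, ())
        for p in providers.get(contract, ())
        if c != p
    }


def dangling_contracts(relations):
    """Contracts attached on only one side. They permit nothing, so an EPG that
    looks reachable through a contract is in fact isolated, and a contract that
    looks like it grants access grants none."""
    consumed = {c for _, role, c in relations if role == "consumer"}
    provided = {c for _, role, c in relations if role == "provider"}
    return {"consumed_only": sorted(consumed - provided),
            "provided_only": sorted(provided - consumed)}


def can_talk(relations, a, b):
    """True if EPGs a and b may exchange traffic: the same EPG (always allowed),
    or some contract links them as consumer and provider in either direction."""
    if a == b:
        return True
    return any((c, p) in ((a, b), (b, a)) for c, p, _ in allowed_pairs(relations))
```

Because the filter Management-filter-any above uses match raw any, a permitted pair here means all ports and protocols, so the pair list is the complete reachability picture for those contracts.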

Practical : Associate the leaf port and VLAN with the EPGs
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/4
apic1(config-leaf-if)# switchport trunk allowed vlan ID tenant Management application JUMP-SERVER epg EGP-HR-Mgmt
apic1(config-leaf-if)# switchport trunk allowed vlan ID tenant Management application JUMP-SERVER epg EGP-DC-Mgmt
apic1(config-leaf-if)# switchport trunk allowed vlan ID tenant Management application JUMP-SERVER epg EGP-STRG-Mgmt
apic1(config-leaf-if)# exit
apic1(config-leaf)# exit