ACI Advanced Monitoring and Troubleshooting, 1st edition
Published by Cisco Press (November 12, 2020) © 2021
- Sadiq Memon
- Carlo Schmidt
- Joseph Ristaino
$47.99
- A print text (hardcover or paperback)
- Free shipping
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
ACI Advanced Monitoring and Troubleshooting provides a solid conceptual foundation and in-depth technical knowledge for monitoring and troubleshooting virtually any problem encountered during testing, deployment, or operation of Cisco Application Centric Infrastructure (ACI) infrastructure. Authored by leading ACI support experts at Cisco, it covers everything students need to learn to keep an ACI deployment working optimally. Coverage includes:
- Core ACI concepts and components, including Nexus 9000 Series platforms, APIC controllers, and protocols
- In-depth insight into ACI’s policy model
- ACI fabric design options: single and multiple data centers, stretched vs. multiple fabrics, and multi-pod/multi-site
- Automation, orchestration, and the cloud in ACI environments
- ACI topology and hardware/software specifications
- End host and network connectivity
- VMM integration
- Network management configuration, including SNMP, AAA, and SPAN
- Monitoring ACI fabrics and health
- Getting immediate results through the NX-OS command line interface
- Troubleshooting use cases: fabric discovery, APIC, management access, contracts, external connectivity, leaf/spine connectivity, end-host connectivity, VMM problems, ACI multi-pod/multi-site problems, and more
- Comprehensive, insider guidance for optimizing ACI in any nextgen datacenter environment
- Easy, step-by-step guidance for building your own ACI fabric
- Walks through detailed real-world ACI use cases, including failure scenarios with proven remedial actions
- Reviews management, monitoring, automation, and orchestration for software defined datacenters
- By a team of Cisco experts who’ve been helping enterprise clients succeed with ACI since its launch
Foreword by Yusuf Bhaiji   xxviii
Foreword by Ronak Desai   xxix
Introduction   xxx
PART I: INTRODUCTION TO ACI
Chapter 1 Fundamental Functions and Components of Cisco ACI   1
ACI Building Blocks   8
  Hardware Specifications   8
ACI Key Concepts   14
  Control Plane   15
  Data Plane   17
  VXLAN   17
  Tenant   18
  VRF   19
  Application Profile   20
  Endpoint Group   21
  Contracts   22
  Bridge Domain   24
  External Routed or Bridged Network   25
Summary   26
Review Key Topics   26
Review Questions   27
Chapter 2 Introduction to the ACI Policy Model   31
Key Characteristics of the Policy Model   32
  Management Information Tree (MIT)   33
  Benefits of a Policy Model   37
Logical Constructs   37
Tenant Objects   38
VRF Objects   39
Application Profile Objects   40
Endpoint Group Objects   41
Bridge Domain and Subnet Objects   43
  Bridge Domain Options   45
Contract Objects   46
  Labels, Filters, and Aliases   48
  Contract Inheritance   49
  Contract Preferred Groups   49
  vzAny   50
Outside Network Objects   51
Physical Construct   52
  Access Policies   52
  Switch Policies   53
  Interface Policies   54
  Global Policies   55
Managed Object Relationships and Policy Resolution   57
Tags   58
Default Policies   58
How a Policy Model Helps in Diagnosis   60
Summary   63
Review Key Topics   63
Review Questions   64
Chapter 3 ACI Command-Line Interfaces   67
APIC CLIs   68
  NX-OS–Style CLI   68
  Bash CLI   74
ACI Fabric Switch CLIs   78
  iBash CLI   78
  VSH CLI   81
  VSH_LC CLI   83
Summary   84
Reference   84
Chapter 4 ACI Fabric Design Options   85
Physical Design   85
  Single- Versus Multiple-Fabric Design   87
  Multi-Pod   97
  Multi-Site   116
  Remote Leaf   131
  Hardware and Software Support   134
  ACI Multi-Pod and Remote Leaf Integration   143
Logical Design   149
  Design 1: Container-as-a-Service Using the OpenShift Platform and Calico CNI   149
  Design 2: Vendor-Based ERP/SAP Hana Design with ACI   165
  Design 3: vBrick Digital Media Engine Design with ACI   175
Summary   180
Review Key Topics   181
Review Questions   181
Chapter 5 End Host and Network Connectivity   185
End Host Connectivity   185
  VLAN Pool   186
  Domain   186
  Attachable Access Entity Profiles (AAEPs)   186
  Switch Policies   187
  Interface Policies   188
  Virtual Port Channel (VPC)   191
  Port Channel   197
  Access Port   201
  Best Practices in Configuring Access Policies   206
  Compute and Storage Connectivity   207
  L4/L7 Service Device Connectivity   210
Network Connectivity   213
  Connecting an External Bridge Network   213
  Connecting an External Routed Network   218
Diagnosing Connectivity Problems   242
Summary   245
Review Questions   245
Chapter 6 VMM Integration   249
Virtual Machine Manager (VMM)   249
  VMM Domain Policy Model   250
  VMM Domain Components   250
  VMM Domains   250
  VMM Domain VLAN Pool Association   252
VMware Integration   257
  Prerequisites for VMM Integration with AVS or VDS   257
  Guidelines and Limitations for VMM Integration with AVS or VDS   257
  ACI VMM Integration Workflow   258
  Publishing EPGs to a VMM Domain   258
  Connecting Virtual Machines to the Endpoint Group Port Groups on vCenter   259
  Verifying VMM Integration with the AVS or VDS   259
Microsoft SCVMM Integration   260
  Mapping ACI and SCVMM Constructs   261
  Mapping Multiple SCVMMs to an APIC   262
  Verifying That the OpFlex Certificate Is Deployed for a Connection from the SCVMM to the APIC   262
  Verifying VMM Deployment from the APIC to the SCVMM   263
OpenStack Integration   263
  Extending OpFlex to the Compute Node   264
  ACI with OpenStack Physical Architecture   264
  OpFlex Software Architecture   265
  OpenStack Logical Topology   265
  Mapping OpenStack and ACI Constructs   266
Kubernetes Integration   272
  Planning for Kubernetes Integration   272
  Prerequisites for Integrating Kubernetes with Cisco ACI   273
  Provisioning Cisco ACI to Work with Kubernetes   274
  Preparing the Kubernetes Nodes   277
  Installing Kubernetes and Cisco ACI Containers   279
  Verifying the Kubernetes Integration   280
OpenShift Integration   281
  Planning for OpenShift Integration   282
  Prerequisites for Integrating OpenShift with Cisco ACI   283
  Provisioning Cisco ACI to Work with OpenShift   284
  Preparing the OpenShift Nodes   287
  Installing OpenShift and Cisco ACI Containers   290
  Updating the OpenShift Router to Use the ACI Fabric   291
  Verifying the OpenShift Integration   291
VMM Integration with ACI at Multiple Locations   292
  Multi-Site   292
  Remote Leaf   295
Summary   298
Chapter 7 L4/L7 Service Integration   299
Service Insertion   299
The Service Graph   300
  Managed Mode Versus Un-Managed Mode   301
  L4–L7 Integration Use Cases   302
  How Contracts Work in ACI   303
  The Shadow EPG   306
  Configuring the Service Graph   307
  Service Graph Design and Deployment Options   312
Policy-Based Redirect (PBR)   322
  PBR Design Considerations   323
  PBR Design Scenarios   324
  Configuring the PBR Service Graph   325
  Service Node Health Check   326
  Common Issues in the PBR Service Graph   328
L4/L7 Service Integration in Multi-Pod and Multi-Site   332
  Multi-Pod   332
  Multi-Site   338
Review Questions   342
Chapter 8 Automation and Orchestration   343
The Difference Between Automation and Orchestration   343
  Benefits of Automation and Orchestration   344
REST API   349
Automating Tasks Using the Native REST API: JSON and XML   351
  API Inspector   351
  Object (Save As)   353
  Visore (Object Store Browser)   355
  MOQuery   357
  Automation Use Cases   364
Automating Tasks Using Ansible   372
  Ansible Support in ACI   375
  Installing Ansible and Ensuring a Secure Connection   378
  APIC Authentication in Ansible   382
  Automation Use Cases   384
Orchestration Through UCS Director   392
  Management Through Cisco UCS Director   392
  Automation and Orchestration with Cisco UCS Director   393
  Automation Use Cases   395
Summary   402
Review Questions   402
PART II: MONITORING AND MANAGEMENT BEST PRACTICES
Chapter 9 Monitoring ACI Fabric   405
Importance of Monitoring   405
Faults and Health Scores   407
Faults   407
Health Scores   411
ACI Internal Monitoring Tools   415
  SNMP   415
  Syslog   420
  NetFlow   426
ACI External Monitoring Tools   430
  Network Insights   430
  Network Assurance Engine   437
  Tetration   453
Monitoring Through the REST API   473
  Monitoring an APIC   475
Monitoring Leafs and Spines   482
  Monitoring Applications   499
Summary   505
Review Questions   506
Chapter 10 Network Management and Monitoring Configuration   509
Out-of-Band Management   509
  Creating Static Management Addresses   510
  Creating the Management Contract   510
  Choosing the Node Management EPG   513
  Creating an External Management Entity EPG   513
  Verifying the OOB Management Configuration   515
In-Band Management   517
  Creating a Management Contract   517
  Creating Leaf Interface Access Policies for APIC INB Management   518
  Creating Access Policies for the Border Leaf(s) Connected to L3Out   520
  Creating INB Management External Routed Networks (L3Out)   522
  Creating External Management EPGs   524
  Creating an INB BD with a Subnet   527
  Configuring the Node Management EPG   529
  Creating Static Management Addresses   530
  Verifying the INB Management Configuration   530
AAA   533
  Configuring Cisco Secure ACS   533
  Configuring Cisco ISE   542
  Configuring AAA in ACI   547
  Recovering with the Local Fallback User   550
  Verifying the AAA Configuration   550
Syslog   551
  Verifying the Syslog Configuration and Functionality   555
SNMP   556
  Verifying the SNMP Configuration and Functionality   562
SPAN   566
  Access SPAN   567
  Fabric SPAN   571
  Tenant SPAN   572
  Ensuring Visibility and Troubleshooting SPAN   575
  Verifying the SPAN Configuration and Functionality   576
NetFlow   577
  NetFlow with Access Policies   580
  NetFlow with Tenant Policies   582
  Verifying the NetFlow Configuration and Functionality   585
Summary   587
PART III: ADVANCED FORWARDING AND TROUBLESHOOTING TECHNIQUES
Chapter 11 ACI Topology   589
Physical Topology   589
APIC Initial Setup   593
Fabric Access Policies   595
  Switch Profiles, Switch Policies, and Interface Profiles   595
  Interface Policies and Policy Groups   596
  Pools, Domains, and AAEPs   597
VMM Domain Configuration   601
  VMM Topology   601
Hardware and Software Specifications   603
Logical Layout of EPGs, BDs, VRF Instances, and Contracts   605
  L3Out Logical Layout   606
Summary   608
Review Key Topics   608
References   609
Chapter 12 Bits and Bytes of ACI Forwarding   611
Limitations of Traditional Networks and the Evolution of Overlay Networks   611
High-Level VXLAN Overview   613
IS-IS, TEP Addressing, and the ACI Underlay   615
  IS-IS and TEP Addressing   615
  FTags and the MDT   618
Endpoint Learning in ACI   626
  Endpoint Learning in a Layer 2–Only Bridge Domain   627
  Endpoint Learning in a Layer 3–Enabled Bridge Domain   635
  Fabric Glean   640
  Remote Endpoint Learning   641
  Endpoint Mobility   645
  Anycast Gateway   647
  Virtual Port Channels in ACI   649
Routing in ACI   651
  Static or Dynamic Routes   651
  Learning External Routes in the ACI Fabric   656
  Transit Routing   659
Policy Enforcement   661
  Shared Services   664
  L3Out Flags   668
Quality of Service (QoS) in ACI   669
  Externally Set DSCP and CoS Markings   671
  CoS Preservation in ACI   672
Multi-Pod   674
Multi-Site   680
Remote Leaf   684
Forwarding Scenarios   686
  ARP Flooding   686
  Layer 2 Known Unicast   688
  ARP Optimization   690
  Layer 2 Unknown Unicast Proxy   690
  L3 Policy Enforcement When Going to L3Out   693
  L3 Policy Enforcement for External Traffic Coming into the Fabric   695
Route Leaking/Shared Services   695
  Consumer to Provider   695
  Provider to Consumer   698
Multi-Pod Forwarding Examples   698
  ARP Flooding   700
  Layer 3 Proxy Flow   700
Multi-Site Forwarding Examples   703
  ARP Flooding   703
  Layer 3 Proxy Flow   705
Remote Leaf   707
  ARP Flooding   707
  Layer 3 Proxy Flow   710
Summary   713
Review Key Topics   713
References   714
Review Questions   714
Chapter 13 Troubleshooting Techniques   717
General Troubleshooting   717
  Faults, Events, and Audits   718
  moquery   722
  iCurl   724
  Visore   726
Infrastructure Troubleshooting   727
  APIC Cluster Troubleshooting   727
  Fabric Node Troubleshooting   734
How to Verify Physical- and Platform-Related Issues   737
  Counters   737
  CPU Packet Captures   743
  SPAN   748
Troubleshooting Endpoint Connectivity   751
  Endpoint Tracker and Log Files   752
  Enhanced Endpoint Tracker (EPT) App   756
  Rogue Endpoint Detection   758
Troubleshooting Contract-Related Issues   759
  Verifying Policy Deny Drops   764
Embedded Logic Analyzer Module (ELAM)   765
Summary   769
Review Key Topics   769
Review Questions   769
Chapter 14 The ACI Visibility & Troubleshooting Tool   771
Visibility & Troubleshooting Tool Overview   771
Faults Tab   772
Drop/Stats Tab   773
  Ingress/Egress Buffer Drop Packets   774
  Ingress Error Drop Packets Periodic   774
  Storm Control   774
  Ingress Forward Drop Packets   775
  Ingress Load Balancer Drop Packets   776
Contract Drops Tab   777
  Contracts   777
  Contract Considerations   778
Events and Audits Tab   779
Traceroute Tab   780
Atomic Counter Tab   782
Latency Tab   785
SPAN Tab   786
Network Insights Resources (NIR) Overview   787
Summary   790
Chapter 15 Troubleshooting Use Cases   791
Troubleshooting Fabric Discovery: Leaf Discovery   792
Troubleshooting APIC Controllers and Clusters: Clustering   795
Troubleshooting Management Access: Out-of-Band EPG   799
Troubleshooting Contracts: Traffic Not Traversing a Firewall as Expected   801
Troubleshooting Contracts: Contract Directionality   804
Troubleshooting End Host Connectivity: Layer 2 Traffic Flow Through ACI   807
Troubleshooting External Layer 2 Connectivity: Broken Layer 2 Traffic Flow Through ACI   812
Troubleshooting External Layer 3 Connectivity: Broken Layer 3 Traffic Flow Through ACI   814
Troubleshooting External Layer 3 Connectivity: Unexpected Layer 3 Traffic Flow Through ACI   816
Troubleshooting Leaf and Spine Connectivity: Leaf Issue   821
Troubleshooting VMM Domains: VMM Controller Offline   826
Troubleshooting VMM Domains: VM Connectivity Issue After Deploying the VMM Domain   829
Troubleshooting L4–L7: Deploying an L4–L7 Device   832
Troubleshooting L4–L7: Control Protocols Stop Working After Service Graph Deployment   834
Troubleshooting Multi-Pod: BUM Traffic Not Reaching Remote Pods   837
Troubleshooting Multi-Pod: Remote L3Out Not Reachable   839
Troubleshooting Multi-Site: Using Consistency Checker to Verify State at Each Site   841
Troubleshooting Programmability Issues: JSON Script Generates Error   844
Troubleshooting Multicast Issues: PIM Sparse Mode Any-Source Multicast (ASM)   846
Summary   860
Appendix A Answers to Chapter Review Questions   861
Index   873
Sadiq Memon, CCIE No. 47508, is a Lead Solutions Integration Architect (Automotive) with Cisco Customer Experience (CX). He has over 30 years of diversified experience in information technology with specialization and expertise in data center and enterprise networking. Sadiq joined Cisco in 2007, and as a Cisco veteran of over 13 years, he has worked with various large enterprise customers, including automotive, financials, manufacturing, and government in designing, implementing, and supporting end-to-end architectures and solutions. Sadiq was part of the Cisco Advanced Services Tiger Team during the early ACI incubation period. He has published a series of short videos covering ACI configuration on YouTube and has presented ACI/Cloud-related topics at Cisco Live! Sadiq was the technical editor for the Cisco Press book Deploying ACI and possesses multiple IT industry certifications from leading companies such as Cisco (CCIE, CCNA), VMware (VCP-DCV), Microsoft, and Citrix. Sadiq holds a bachelor's degree in computer systems engineering from NED University of Engineering & Technology, Karachi, Pakistan.
Joseph Ristaino, CCIE No. 41799, is a Technical Leader with the ACI Escalation Team in RTP, North Carolina. He joined Cisco in 2011 after graduating from Wentworth Institute of Technology with a bachelor's degree in computer networking. Joseph started with Cisco on the Server Virtualization TAC team, specializing in UCS and virtualization technologies. He has in-depth knowledge of compute/networking technologies and has been supporting customers for over eight years as they implement and manage data center deployments around the globe. Joseph now works closely with the ACI Technical Support teams to provide assistance on critical customer issues that go unsolved and has been working on ACI since its inception in 2014. Joseph lives with his wife in Durham, North Carolina.
Carlo Schmidt, CCIE No. 41842, is a Data Center Solutions Architect. He works with global enterprises, designing their next-generation data centers. Carlo started at Cisco in 2011, on the Data Center Switching TAC team. In that role, he focused on Nexus platforms and technologies such as FCoE, fabric path, and OTV. In 2016, he migrated to the ACI TAC team, where he specialized in customer problem resolution as well as improving product usability. In 2019 Carlo decided to take his knowledge and lessons learned from his eight years in Cisco TAC to a presales role as a Solutions Architect. Carlo is based out of Research Triangle Park, North Carolina.