ACI Advanced Monitoring and Troubleshooting, 1st edition

Published by Cisco Press (November 12, 2020) © 2021

  • Sadiq Memon
  • Carlo Schmidt
  • Joseph Ristaino

eTextbook: $57.99

  • Available for purchase from all major ebook resellers, including InformIT.com.

Print (hardcover or paperback): $47.99

  • Free shipping
  • Also available as an ebook from all major ebook resellers, including InformIT.com.

ACI Advanced Monitoring and Troubleshooting provides a solid conceptual foundation and in-depth technical knowledge for monitoring and troubleshooting virtually any problem encountered during testing, deployment, or operation of Cisco Application Centric Infrastructure (ACI). Authored by leading ACI support experts at Cisco, it covers everything readers need to know to keep an ACI deployment running optimally. Coverage includes:
  • Core ACI concepts and components, including Nexus 9000 Series platforms, APIC controllers, and protocols
  • In-depth insight into ACI’s policy model
  • ACI fabric design options: single and multiple data centers, stretched vs. multiple fabrics, and multi-pod/multi-site
  • Automation, orchestration, and the cloud in ACI environments
  • ACI topology and hardware/software specifications
  • End host and network connectivity
  • VMM integration
  • Network management configuration, including SNMP, AAA, and SPAN
  • Monitoring ACI fabrics and health
  • Getting immediate results through the NX-OS command line interface
  • Troubleshooting use cases: fabric discovery, APIC, management access, contracts, external connectivity, leaf/spine connectivity, end-host connectivity, VMM problems, ACI multi-pod/multi-site problems, and more

Additional features:
  • Comprehensive, insider guidance for optimizing ACI in any next-generation data center environment
  • Easy, step-by-step guidance for building your own ACI fabric
  • Detailed real-world ACI use cases, including failure scenarios with proven remedial actions
  • A review of management, monitoring, automation, and orchestration for software-defined data centers
  • Written by a team of Cisco experts who have been helping enterprise clients succeed with ACI since its launch

Table of Contents

Foreword by Yusuf Bhaiji     xxviii

Foreword by Ronak Desai     xxix

Introduction     xxx

PART I:  INTRODUCTION TO ACI

Chapter 1  Fundamental Functions and Components of Cisco ACI     1

ACI Building Blocks     8

    Hardware Specifications     8

ACI Key Concepts     14

    Control Plane     15

    Data Plane     17

    VXLAN     17

    Tenant     18

    VRF     19

    Application Profile     20

    Endpoint Group     21

    Contracts     22

    Bridge Domain     24

    External Routed or Bridged Network     25

Summary     26

Review Key Topics     26

Review Questions     27

Chapter 2  Introduction to the ACI Policy Model     31

Key Characteristics of the Policy Model     32

    Management Information Tree (MIT)     33

    Benefits of a Policy Model     37

Logical Constructs     37

Tenant Objects     38

VRF Objects     39

Application Profile Objects     40

Endpoint Group Objects     41

Bridge Domain and Subnet Objects     43

    Bridge Domain Options     45

Contract Objects     46

    Labels, Filters, and Aliases     48

    Contract Inheritance     49

    Contract Preferred Groups     49

    vzAny     50

Outside Network Objects     51

Physical Construct     52

    Access Policies     52

    Switch Policies     53

    Interface Policies     54

    Global Policies     55

Managed Object Relationships and Policy Resolution     57

Tags     58

Default Policies     58

How a Policy Model Helps in Diagnosis     60

Summary     63

Review Key Topics     63

Review Questions     64

Chapter 3  ACI Command-Line Interfaces     67

APIC CLIs     68

    NX-OS–Style CLI     68

    Bash CLI     74

ACI Fabric Switch CLIs     78

    iBash CLI     78

    VSH CLI     81

    VSH_LC CLI     83

Summary     84

Reference     84

Chapter 4  ACI Fabric Design Options     85

Physical Design     85

    Single- Versus Multiple-Fabric Design     87

    Multi-Pod     97

    Multi-Site     116

    Remote Leaf     131

    Hardware and Software Support     134

    ACI Multi-Pod and Remote Leaf Integration     143

Logical Design     149

    Design 1: Container-as-a-Service Using the OpenShift Platform and Calico CNI     149

    Design 2: Vendor-Based ERP/SAP Hana Design with ACI     165

    Design 3: vBrick Digital Media Engine Design with ACI     175

Summary     180

Review Key Topics     181

Review Questions     181

Chapter 5  End Host and Network Connectivity     185

End Host Connectivity     185

    VLAN Pool     186

    Domain     186

    Attachable Access Entity Profiles (AAEPs)     186

    Switch Policies     187

    Interface Policies     188

    Virtual Port Channel (VPC)     191

    Port Channel     197

    Access Port     201

    Best Practices in Configuring Access Policies     206

    Compute and Storage Connectivity     207

    L4/L7 Service Device Connectivity     210

Network Connectivity     213

    Connecting an External Bridge Network     213

    Connecting an External Routed Network     218

Diagnosing Connectivity Problems     242

Summary     245

Review Questions     245

Chapter 6  VMM Integration     249

Virtual Machine Manager (VMM)     249

    VMM Domain Policy Model     250

    VMM Domain Components     250

    VMM Domains     250

    VMM Domain VLAN Pool Association     252

VMware Integration     257

    Prerequisites for VMM Integration with AVS or VDS     257

    Guidelines and Limitations for VMM Integration with AVS or VDS     257

    ACI VMM Integration Workflow     258

    Publishing EPGs to a VMM Domain     258

    Connecting Virtual Machines to the Endpoint Group Port Groups on vCenter     259

    Verifying VMM Integration with the AVS or VDS     259

Microsoft SCVMM Integration     260

    Mapping ACI and SCVMM Constructs     261

    Mapping Multiple SCVMMs to an APIC     262

    Verifying That the OpFlex Certificate Is Deployed for a Connection from the SCVMM to the APIC     262

    Verifying VMM Deployment from the APIC to the SCVMM     263

OpenStack Integration     263

    Extending OpFlex to the Compute Node     264

    ACI with OpenStack Physical Architecture     264

    OpFlex Software Architecture     265

    OpenStack Logical Topology     265

    Mapping OpenStack and ACI Constructs     266

Kubernetes Integration     272

    Planning for Kubernetes Integration     272

    Prerequisites for Integrating Kubernetes with Cisco ACI     273

    Provisioning Cisco ACI to Work with Kubernetes     274

    Preparing the Kubernetes Nodes     277

    Installing Kubernetes and Cisco ACI Containers     279

    Verifying the Kubernetes Integration     280

OpenShift Integration     281

    Planning for OpenShift Integration     282

    Prerequisites for Integrating OpenShift with Cisco ACI     283

    Provisioning Cisco ACI to Work with OpenShift     284

    Preparing the OpenShift Nodes     287

    Installing OpenShift and Cisco ACI Containers     290

    Updating the OpenShift Router to Use the ACI Fabric     291

    Verifying the OpenShift Integration     291

VMM Integration with ACI at Multiple Locations     292

    Multi-Site     292

    Remote Leaf     295

Summary     298

Chapter 7  L4/L7 Service Integration     299

Service Insertion     299

The Service Graph     300

    Managed Mode Versus Un-Managed Mode     301

    L4–L7 Integration Use Cases     302

    How Contracts Work in ACI     303

    The Shadow EPG     306

    Configuring the Service Graph     307

    Service Graph Design and Deployment Options     312

Policy-Based Redirect (PBR)     322

    PBR Design Considerations     323

    PBR Design Scenarios     324

    Configuring the PBR Service Graph     325

    Service Node Health Check     326

    Common Issues in the PBR Service Graph     328

L4/L7 Service Integration in Multi-Pod and Multi-Site     332

    Multi-Pod     332

    Multi-Site     338

Review Questions     342

Chapter 8  Automation and Orchestration     343

The Difference Between Automation and Orchestration     343

    Benefits of Automation and Orchestration     344

REST API     349

Automating Tasks Using the Native REST API: JSON and XML     351

    API Inspector     351

    Object (Save As)     353

    Visore (Object Store Browser)     355

    MOQuery     357

    Automation Use Cases     364

Automating Tasks Using Ansible     372

    Ansible Support in ACI     375

    Installing Ansible and Ensuring a Secure Connection     378

    APIC Authentication in Ansible     382

    Automation Use Cases     384

Orchestration Through UCS Director     392

    Management Through Cisco UCS Director     392

    Automation and Orchestration with Cisco UCS Director     393

    Automation Use Cases     395

Summary     402

Review Questions     402

PART II:  MONITORING AND MANAGEMENT BEST PRACTICES

Chapter 9  Monitoring ACI Fabric     405

Importance of Monitoring     405

Faults and Health Scores     407

    Faults     407

    Health Scores     411

ACI Internal Monitoring Tools     415

    SNMP     415

    Syslog     420

    NetFlow     426

ACI External Monitoring Tools     430

    Network Insights     430

    Network Assurance Engine     437

    Tetration     453

Monitoring Through the REST API     473

    Monitoring an APIC     475

    Monitoring Leafs and Spines     482

    Monitoring Applications     499

Summary     505

Review Questions     506

Chapter 10  Network Management and Monitoring Configuration     509

Out-of-Band Management     509

    Creating Static Management Addresses     510

    Creating the Management Contract     510

    Choosing the Node Management EPG     513

    Creating an External Management Entity EPG     513

    Verifying the OOB Management Configuration     515

In-Band Management     517

    Creating a Management Contract     517

    Creating Leaf Interface Access Policies for APIC INB Management     518

    Creating Access Policies for the Border Leaf(s) Connected to L3Out     520

    Creating INB Management External Routed Networks (L3Out)     522

    Creating External Management EPGs     524

    Creating an INB BD with a Subnet     527

    Configuring the Node Management EPG     529

    Creating Static Management Addresses     530

    Verifying the INB Management Configuration     530

AAA     533

    Configuring Cisco Secure ACS     533

    Configuring Cisco ISE     542

    Configuring AAA in ACI     547

    Recovering with the Local Fallback User     550

    Verifying the AAA Configuration     550

Syslog     551

    Verifying the Syslog Configuration and Functionality     555

SNMP     556

    Verifying the SNMP Configuration and Functionality     562

SPAN     566

    Access SPAN     567

    Fabric SPAN     571

    Tenant SPAN     572

    Ensuring Visibility and Troubleshooting SPAN     575

    Verifying the SPAN Configuration and Functionality     576

NetFlow     577

    NetFlow with Access Policies     580

    NetFlow with Tenant Policies     582

    Verifying the NetFlow Configuration and Functionality     585

Summary     587

PART III:  ADVANCED FORWARDING AND TROUBLESHOOTING TECHNIQUES

Chapter 11  ACI Topology     589

Physical Topology     589

APIC Initial Setup     593

Fabric Access Policies     595

    Switch Profiles, Switch Policies, and Interface Profiles     595

    Interface Policies and Policy Groups     596

    Pools, Domains, and AAEPs     597

VMM Domain Configuration     601

    VMM Topology     601

Hardware and Software Specifications     603

Logical Layout of EPGs, BDs, VRF Instances, and Contracts     605

    L3Out Logical Layout     606

Summary     608

Review Key Topics     608

References     609

Chapter 12  Bits and Bytes of ACI Forwarding     611

Limitations of Traditional Networks and the Evolution of Overlay Networks     611

High-Level VXLAN Overview     613

IS-IS, TEP Addressing, and the ACI Underlay     615

    IS-IS and TEP Addressing     615

    FTags and the MDT     618

Endpoint Learning in ACI     626

    Endpoint Learning in a Layer 2–Only Bridge Domain     627

    Endpoint Learning in a Layer 3–Enabled Bridge Domain     635

    Fabric Glean     640

    Remote Endpoint Learning     641

    Endpoint Mobility     645

    Anycast Gateway     647

    Virtual Port Channels in ACI     649

Routing in ACI     651

    Static or Dynamic Routes     651

    Learning External Routes in the ACI Fabric     656

    Transit Routing     659

Policy Enforcement     661

    Shared Services     664

    L3Out Flags     668

Quality of Service (QoS) in ACI     669

    Externally Set DSCP and CoS Markings     671

    CoS Preservation in ACI     672

Multi-Pod     674

Multi-Site     680

Remote Leaf     684

Forwarding Scenarios     686

    ARP Flooding     686

    Layer 2 Known Unicast     688

    ARP Optimization     690

    Layer 2 Unknown Unicast Proxy     690

    L3 Policy Enforcement When Going to L3Out     693

    L3 Policy Enforcement for External Traffic Coming into the Fabric     695

Route Leaking/Shared Services     695

    Consumer to Provider     695

    Provider to Consumer     698

Multi-Pod Forwarding Examples     698

    ARP Flooding     700

    Layer 3 Proxy Flow     700

Multi-Site Forwarding Examples     703

    ARP Flooding     703

    Layer 3 Proxy Flow     705

Remote Leaf     707

    ARP Flooding     707

    Layer 3 Proxy Flow     710

Summary     713

Review Key Topics     713

References     714

Review Questions     714

Chapter 13  Troubleshooting Techniques     717

General Troubleshooting     717

    Faults, Events, and Audits     718

    moquery     722

    iCurl     724

    Visore     726

Infrastructure Troubleshooting     727

    APIC Cluster Troubleshooting     727

    Fabric Node Troubleshooting     734

How to Verify Physical- and Platform-Related Issues     737

    Counters     737

    CPU Packet Captures     743

    SPAN     748

Troubleshooting Endpoint Connectivity     751

    Endpoint Tracker and Log Files     752

    Enhanced Endpoint Tracker (EPT) App     756

    Rogue Endpoint Detection     758

Troubleshooting Contract-Related Issues     759

    Verifying Policy Deny Drops     764

Embedded Logic Analyzer Module (ELAM)     765

Summary     769

Review Key Topics     769

Review Questions     769

Chapter 14  The ACI Visibility & Troubleshooting Tool     771

Visibility & Troubleshooting Tool Overview     771

Faults Tab     772

Drop/Stats Tab     773

    Ingress/Egress Buffer Drop Packets     774

    Ingress Error Drop Packets Periodic     774

    Storm Control     774

    Ingress Forward Drop Packets     775

    Ingress Load Balancer Drop Packets     776

Contract Drops Tab     777

    Contracts     777

    Contract Considerations     778

Events and Audits Tab     779

Traceroute Tab     780

Atomic Counter Tab     782

Latency Tab     785

SPAN Tab     786

Network Insights Resources (NIR) Overview     787

Summary     790

Chapter 15  Troubleshooting Use Cases     791

Troubleshooting Fabric Discovery: Leaf Discovery     792

Troubleshooting APIC Controllers and Clusters: Clustering     795

Troubleshooting Management Access: Out-of-Band EPG     799

Troubleshooting Contracts: Traffic Not Traversing a Firewall as Expected     801

Troubleshooting Contracts: Contract Directionality     804

Troubleshooting End Host Connectivity: Layer 2 Traffic Flow Through ACI     807

Troubleshooting External Layer 2 Connectivity: Broken Layer 2 Traffic Flow Through ACI     812

Troubleshooting External Layer 3 Connectivity: Broken Layer 3 Traffic Flow Through ACI     814

Troubleshooting External Layer 3 Connectivity: Unexpected Layer 3 Traffic Flow Through ACI     816

Troubleshooting Leaf and Spine Connectivity: Leaf Issue     821

Troubleshooting VMM Domains: VMM Controller Offline     826

Troubleshooting VMM Domains: VM Connectivity Issue After Deploying the VMM Domain     829

Troubleshooting L4–L7: Deploying an L4–L7 Device     832

Troubleshooting L4–L7: Control Protocols Stop Working After Service Graph Deployment     834

Troubleshooting Multi-Pod: BUM Traffic Not Reaching Remote Pods     837

Troubleshooting Multi-Pod: Remote L3Out Not Reachable     839

Troubleshooting Multi-Site: Using Consistency Checker to Verify State at Each Site     841

Troubleshooting Programmability Issues: JSON Script Generates Error     844

Troubleshooting Multicast Issues: PIM Sparse Mode Any-Source Multicast (ASM)     846

Summary     860

Appendix A  Answers to Chapter Review Questions     861

Index     873

About the Authors

Sadiq Memon, CCIE No. 47508, is a Lead Solutions Integration Architect (Automotive) with Cisco Customer Experience (CX). He has over 30 years of diversified experience in information technology with specialization and expertise in data center and enterprise networking. Sadiq joined Cisco in 2007, and as a Cisco veteran of over 13 years, he has worked with various large enterprise customers, including automotive, financials, manufacturing, and government, in designing, implementing, and supporting end-to-end architectures and solutions. Sadiq was part of the Cisco Advanced Services Tiger Team during the early ACI incubation period. He has published a series of short videos covering ACI configuration on YouTube and has presented ACI/Cloud-related topics at Cisco Live! Sadiq was the technical editor for the Cisco Press book Deploying ACI and possesses multiple IT industry certifications from leading companies such as Cisco (CCIE, CCNA), VMware (VCP-DCV), Microsoft, and Citrix. Sadiq holds a bachelor's degree in computer systems engineering from NED University of Engineering & Technology, Karachi, Pakistan.

Joseph Ristaino, CCIE No. 41799, is a Technical Leader with the ACI Escalation Team in RTP, North Carolina. He joined Cisco in 2011 after graduating from Wentworth Institute of Technology with a bachelor's degree in computer networking. Joseph started at Cisco on the Server Virtualization TAC team, specializing in UCS and virtualization technologies. He has in-depth knowledge of compute and networking technologies and has supported customers for over eight years as they implement and manage data center deployments around the globe. Joseph now works closely with the ACI technical support teams, assisting on critical customer issues that remain unresolved, and has worked on ACI since its inception in 2014. Joseph lives with his wife in Durham, North Carolina.

Carlo Schmidt, CCIE No. 41842, is a Data Center Solutions Architect. He works with global enterprises, designing their next-generation data centers. Carlo started at Cisco in 2011 on the Data Center Switching TAC team, where he focused on Nexus platforms and technologies such as FCoE, FabricPath, and OTV. In 2016, he moved to the ACI TAC team, where he specialized in customer problem resolution as well as improving product usability. In 2019, Carlo took the knowledge and lessons learned from his eight years in Cisco TAC to a presales role as a Solutions Architect. Carlo is based out of Research Triangle Park, North Carolina.
