Відео

Thank you very much. I make these videos to help others follow the path of learning. I also make them so I can be sure I understand how everything works in my own lab and try to work through the common questions or challenges that I encounter so you won't have to.

Hello Charles. No, the NX-OS switch is completely independent. No version requirements other than me recommending you run a fairly modern release of NX-OS, not something 10 years old.

Sorry for the late reply. In Europe, we take long summer vacations :). In my lab it really is quite simple. I have one spine, and three leafs, but you could get by with two leafs if you wanted. I use the 3rd leaf as my external border gateway, but honestly, it is overkill. In this video, I also have Multi-pod set up, but that is also optional. It requires a bit more hardware in the form of 2x IPN devices (simple N9K-FX switches running NX-OS) and an additional spine and leaf for the 2nd pod. If you check my other videos on Multipod, you will see how I have it set up. Not sure if this is what you hoped, but if you have more questions, I am happy to add more detail.

Yeah, I have already blocked it out in my memory :)

Hi Fakri, and sorry the late reply. You need two things for this to work. First, you need to have already uploaded the firmware to your APICs. 2nd, for recent versions of code, you need to have the NDI metadata file that includes support. Usually being on the latest is the best way. Normally the metadata is upgraded automatically when you upgrade NDI. However, you can also do this manually by downloading it from dcappcenter.cisco.com (log in required for this function) and it will generate a dedicated metadata file just for you (takes a few minutes) which you can manually upload to your NDI. Now, having said all that, it is also common that we release new ACI versions of code but the metadata support lags by a few months. We do push on the product team to speed this up :). I think your case is this...the metadata may not be there yet. Last point...we just released ND 3.0.1 and NDI 6.3 which I think has support for 5.2.x

Thank you too! I do these in the hopes you all find it useful in your day to day.

This is because we also use this same process if you have a physical APIC. In ACI 6.0 we updated the day-zero APIC set up for everything to use the Web style process instead of console. Consistent whether you have physical or virtual APICs.

Hello Ahmad, you can add an additional node (worker or standby) if you login to your Nexus Dashboard and go to the admin console >> System Resources >> Nodes, there is a button to 'add node'

Same hardware, new software and a new name. ND is the evolution of ASE.

@@josephezerski5124 Thank you Joseph.

Honestly, same hardware, better software (with ND). I should take these ASE specific videos down since no one is deploying ASEs in place of ND. To be clear, if you bought ASE hardware you can re-use it by installing the ND software load on it.

From ACI 5.2 you can have L3outs with PBR. Check the whitepaper section here: www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html#PBRdestinationinanL3Out

Hi Albert. I don't (yet) have a working NXOS VXLAN fabric in my lab. However, the updated install guides for NDFC cover how to connect all of this. I am trying to get something up and running and then I will record a video for that solution.

Hello Lee. The VMs themselves are free to download. The NDI solution is a license based model per leaf, so it is a pay as you grow approach that can address all sizes of customers.

Also, forgot to add that it is possible to install a reduced scale virtual ND cluster for testing / lab trials. For example, you can have a single app node cluster (yes, one VM) for NDO or NDFC. For NDI, you can install a 3 app-node cluster and test (I think) up to 20-25 leafs. To be clear, this would be for testing and seeing if it meets your needs. For production you must follow the public scale docs for the apps you want to run.

Thanks Lars. You are right indeed! Multi-site checks are there in a very basis sense, but more is coming in the next NDI 6.1 release.

Thanks Sajid. I realize I have been slow to upload newer stuff. I'll try to pick up the pace!

@@josephezerski5124 Really appreciated. Please some videos on cloud APIC

The way ND works is you add the "site" only one time and then make that site available to apps like NDO and NDI. IOn the background when the site is first added, as part of discovery, ND will learn both the inband and OOB of the fabric. So in NDO when you move the site to "managed" ND already knows how to reach the site.

Hello Ananth. Sorry but this is not possible. You need at least one physical. You can however freely download and deploy the ACI Simulator which gets you the result you are after.

Thanks Nathan. Comments like this really motivate me to try for more useful videos.

It will be the IP address of the APIC making the request. I just tested myself by sniffing the oobmgmt interface. 08:46:34.779923 IP apic-ams.cisco.com.38644 > tools1.cisco.com.https: Flags [P.], seq 517:859, ack 5207, win 320, length 342 apic-ams.cisco.com is my lab APIC's oobmgmt IP address, and tools1 is the smart license server

Yes, it still works for me. I am running SCVMM and HyperV 2016 in my lab. I have not tested later versions. My git repo will have the latest, but I have not touched this script in a few years, so YMMV. Good luck!

Hi Vivian. I do, as I use N9Ks in my lab for the IPN. I put the relevant parts of the multi-pod config in my git repo here: github.com/joezersk/aci-multipod/blob/master/92160-EAST-running-configv2.txt

Hi Khan. Not sure how well PIM BiDir RP will work and you may have to set up multiple tunnels between all your IPN devices. You will also have to account for the encapsulation overhead of GRE, so whatever your transit network is, you will need something larger than 1500. Add 50 bytes for VXLAN encap and ~24 bytes for GRE. To be honest, I strongly do NOT recommend GRE in any case. It is a software driven process that puts all the load in the general purpose CPU of whatever device is handling the tunnel end point. It means that even with low amounts of traffic, the CPU on that device will approach 100% fairly quickly.

@@josephezerski5124 Hi, I have deployed IPN using GRE tunnels 3 weeks ago, and it is up and running now. All remote spines and leaf switches of POD2 are now registered with the APIC. My topology consists of Nexus and Cat9k, since we didn't want to go for MPLS-VPN so we decided to deploy it with GRE tunnels. I don't know what to say at the moment about the performance but let's see what comes up in the future.

Hi Quentin. Sorry for the late reply. With the SE code v1.1.3 we changed how we do it. You no longer need the that little applet. We rolled it into the SW powering the SE now. This also allows us not to have to connect the SEs directly to ACI ports. They can be routed many hops away, which also allows us to collect telemetry from multiple different DCs, so an improvement.

I googled "Configuring the Cisco APIC Using the REST API". That's my great programming secret....I am very good with copy/paste and can't write code for sh%t. In that doc is an example of the syntax and I just changed the serials and names to what I needed and then posted. Nearly every AC I config guide has some section on using the API with code examples....but that is not nearly scalable enough, so what I mostly do these days is use the APIC's built-in API Inspector, config what I need manually once, then copy the resulting code from the Inspector.

There are a few ways to look at this. First is, we did a lot of improvements in remote leaf in ACI 4.1.2 and later that remove the need for all this VLAN-5 business. I only bring it up to remove that mess from any consideration. Second, if you are stuck in discovery state, the things to check are: 1. Is the remote leaf showing up in the fabric membership tab waiting to be registered? Usually when they show up it means that DHCP relay is working. If they don't show up, can you check that the WAN router that is fronting the remote leaf has a route to the TEP address of the APIC (either the main TEP or the remote routable TEP we added in 4.1.2. Check that the interface on that router sub-int has the DHCP config to send it to APIC. 2. You can also check the APIC DHCP logs to look at the exchange with the remote leaf. You can see the location of the file below. I grep for the serial number of the remote leaf as my search parameter. apic-ams# pwd /var/log/dme/log apic-ams# egrep ISC dhcpd.bin.log | egrep "FDO222309KT" 3. Make sure you using VLAN-4 on your sub-interface on the WAN router fronting the RL. It *must be vlan 4* I usually find that when you cannot discover it is a routing issue between the RL and the APIC that needs to provide the config file in the DHCP exchange. Hope that helps

Hi. Not sure I fully understand the question. I'll take a try. It depends on where the source and destination end points are living. Let's assume they live in different sites....we create an MP-BGP control plane connection between the spines in each site. This is just a very easy way to share MAC and IP reachability across sites. So, it the source EP is in site-1, the local spines will know the destination EP is in another site, and will use VxLAN to encapsulate the original packet and send it over to the remote spine's special TEP address (officially called the Overlay Unicast TEP) which is simply a /32 address that represents a given pod in a given site. This is routed over the Intersite Network (can also be the same as the Interpod network) which is just a generic L3 routed network. So to answer your question, in the example I give here, the packet is routed across the IPN/ISN to the remote spine and back. Hope that helps.

Hi Mohammed. I'd just stick with /16 for both. This is because the applet creates a special tenant and VRF just for the service engine needs, so you can freely use large subnet masks with no worries. In ASE 1.1.2, you need 5 VLANs, any sequential range. I am not sure I understand the last question.... Having said all this so far....things are changing quite a bit in ASE v1.1.3. SO much so, that these videos here will soon be obsolete and I will upload new ones showing the way forward.

Joseph Ezerski Hi Joseph, Thanks for your reply for the fist question can I use less than /16 For the last question , if the custom doesn’t configure any gateway on the fabric (layer 2) all the gateways on FW, do you think SE will help the customer for troubleshooting or some of the feature can’t be used ? Thanks