Joseph Ezerski
Joined 22 Feb 2016
A series of nerdy networking videos, mostly focusing on the operations of Cisco's ACI. Hope you find some of it useful to your own work. I also post related useful scripts and files to my Github repo at github.com/joezersk.
Install proper certificates on your Cisco Nexus Dashboard cluster
A quick how-to and overview on installing your own certificates on Nexus Dashboard. I used ND 3.2 but this process also works on earlier versions.
Relevant Commands used in this video (for easy copy/paste)
Generate ND private key:
openssl genrsa -out nd.key 2048
Generate CSR with key and cfg file:
openssl req -new -key nd.key -out nd.csr -config san.cfg
File format for san.cfg:
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
countryName = NL
stateOrProvinceName = Noord-Holland
localityName = Amsterdam
organizationName = Your Company
organizationalUnitName = DCNBU
commonName = your-nd.company.com
emailAddress = no-reply@company.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
# Browsers match the hostname against the SAN list only and ignore commonName,
# so the CN FQDN must be repeated here, plus every node IP you use to reach the cluster.
DNS.1 = your-nd.company.com
IP.1 = 10.76.101.135
#IP.2 = 10.76.101.136
#IP.3 = 10.76.101.137
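As an added example (not the video's own commands), the POSIX shell script below builds the same key and SAN CSR, prints the SAN list so you can confirm it actually made it into the request, and checks that the private key belongs to the CSR and to the issued certificate before anything is uploaded to Nexus Dashboard. The CN, the node IP, the `example.test` names and the self-signing stand-in for your CA are assumptions for the lab run; in production the CSR goes to your real CA and `verify_issued` is run against the CA bundle you will also upload.

```shell
#!/bin/sh
# Added example (not from the video): generate the ND key and SAN CSR described
# above, then check the CSR and the issued certificate before uploading them.
# Assumed names: the CN/SAN values and the stand-in CA below are placeholders.
set -eu

# Write an OpenSSL request config. The CN is repeated as DNS.1 because browsers
# match the hostname against the SAN list only; extra names become DNS or IP entries.
write_san_cfg() {  # write_san_cfg <cfg-path> <cn> [extra SAN...]
  cfg=$1; cn=$2; shift 2
  {
    printf '[req]\ndefault_bits = 2048\ndistinguished_name = dn\n'
    printf 'req_extensions = req_ext\nprompt = no\n[dn]\n'
    printf 'countryName = NL\norganizationName = Your Company\ncommonName = %s\n' "$cn"
    printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
    dns=1; ip=1
    for name in "$cn" "$@"; do
      case $name in
        *[!0-9.]*) printf 'DNS.%s = %s\n' "$dns" "$name"; dns=$((dns + 1)) ;;
        *)         printf 'IP.%s = %s\n' "$ip" "$name";  ip=$((ip + 1)) ;;
      esac
    done
  } > "$cfg"
}

# Key plus CSR, same openssl calls as in the video. Lock the key down right away;
# it is uploaded to ND later and should not be world-readable in the meantime.
gen_key_csr() {  # gen_key_csr <dir> <cn> [extra SAN...]
  dir=$1; cn=$2; shift 2
  write_san_cfg "$dir/san.cfg" "$cn" "$@"
  openssl genrsa -out "$dir/nd.key" 2048 2>/dev/null
  chmod 600 "$dir/nd.key"
  openssl req -new -key "$dir/nd.key" -out "$dir/nd.csr" -config "$dir/san.cfg"
}

# Print the SAN line of a CSR or certificate. If this is empty the CA will issue
# a cert without SANs and every browser will refuse it for the ND hostname.
sans_of() {  # sans_of <csr|crt>
  case $1 in
    *.csr) openssl req  -in "$1" -noout -text ;;
    *)     openssl x509 -in "$1" -noout -text ;;
  esac | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# SHA-256 fingerprint of the public key inside a key, CSR or certificate.
pubkey_fp() {  # pubkey_fp <file>
  case $1 in
    *.key) openssl pkey -in "$1" -pubout -outform DER ;;
    *.csr) openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER ;;
    *)     openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -pubout -outform DER ;;
  esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeeds only when the private key belongs to the CSR/cert. ND rejects a
# mismatched pair anyway, but checking here tells you which file is the wrong one.
key_matches() {  # key_matches <key> <csr|crt>
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Lab stand-in for the CA: self-sign the CSR, copying its SAN extension so the
# result can be inspected the same way as a certificate issued by a real CA.
self_sign_for_lab() {  # self_sign_for_lab <dir>  -> writes <dir>/nd.crt
  openssl x509 -req -in "$1/nd.csr" -signkey "$1/nd.key" -days 30 \
    -extfile "$1/san.cfg" -extensions req_ext -out "$1/nd.crt" 2>/dev/null
}

# Production check: the issued cert must chain to the CA bundle you will also
# upload to ND, and must still carry the SAN names. Prints the SAN line on success.
verify_issued() {  # verify_issued <crt> <ca-bundle>
  openssl verify -CAfile "$2" "$1" >/dev/null && sans_of "$1"
}
```

Typical use is `gen_key_csr ./nd your-nd.company.com 10.76.101.135`, then `sans_of ./nd/nd.csr` to eyeball the request before handing it to the CA, and `key_matches ./nd/nd.key ./nd/nd.crt` plus `verify_issued ./nd/nd.crt ca-chain.pem` once the certificate comes back. The two most common causes of a rejected upload are a CSR whose SAN section was silently dropped (the `-config` file was not picked up) and a certificate that was issued for a different key than the one you upload; both are caught here before you touch the Nexus Dashboard UI.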
Views: 57
Videos
Deploying vAPIC in a directly connected topology (L2) Part 2
664 views, 1 year ago
This is the second of two videos demonstrating the design and deployment of the virtual APIC cluster in an L2 Directly Connected Topology. The earlier video introduces the concepts, requirements and design considerations. This video shows an actual deployment.
Deploying vAPIC in a directly connected topology (L2) Part 1
768 views, 1 year ago
This is the first of two videos demonstrating the design and deployment of the virtual APIC cluster in an L2 Directly Connected Topology. This video introduces the concepts, requirements and design considerations. The 2nd video will show an actual deployment.
Nexus Dashboard Insights - Firmware Update Analysis in Action
1.3K views, 2 years ago
Continuing on with major features of Nexus Dashboard Insights 6.x, this video shows the Firmware Update Analysis in action. This one is nice because it goes a long way to giving situational awareness before and after a fabric upgrade. The outcome equates to better and smoother firmware upgrades of DC fabrics while minimizing traffic disruption and staying ahead of any lurking issues. Hope you f...
Nexus Dashboard Insights - Overcoming Information Overload
1.6K views, 2 years ago
This is a good starting point for those new to Nexus Dashboard Insights 6.x. It is a powerful tool to collect and analyze massive amounts of data and help you make sense of it. Any system that collects and analyzes lots of data sources will naturally have a tendency to show you as much of it as possible…sometimes more than you want to see. This short video is meant to help guide you to tuning i...
Demystifying Nexus Dashboard Deployments - Part 2 (Demo)
6K views, 3 years ago
In part two of this two-part series, I take you through a live setup of a Nexus Dashboard cluster, pointing out things to be aware of for first-time setup. Refer to the earlier video for the architecture fundamentals and design choices.
Demystifying Nexus Dashboard Deployments - Part 1
9K views, 3 years ago
In part one of this two-part series, I go over the basic architecture fundamentals of Nexus Dashboard, talk about various topologies you can choose from, and then give a little of my own recommendations for success. In the companion video, I take you through a live setup of a Nexus Dashboard cluster.
Deploying ACI Remote Leaf using Routable TEP (2020)
4.7K views, 3 years ago
This is an important update to the series of short videos demonstrating a working example of an ACI Remote Leaf design. All other videos prior to this one use an outdated and obsolete method of configuration. PLEASE IGNORE ALL EARLIER REMOTE LEAF VIDEOS. I left them up for posterity and general reference. This video is the current example (as of Sept 2020) of how to configure Remote Leaf in ACI...
Installing vASE Part One: Prerequisites, and vASE OVA Installation (updated)
590 views, 4 years ago
A quick 2-part video series showing you the basic requirements and how to install the virtual Application Services Engine (ASE). Furthermore, we also show how to install the new k8s version of the Multi-Site Orchestrator App on top of this. Update: Had to fix the part where you set a DNS domain when deploying the vASE OVA. Sorry 'bout that.
Installing vASE Part Two: Install k8s version of MSO.aci
299 views, 4 years ago
In this 2nd of the series, I show you how to install the version of the Multi-Site Orchestrator (MSO) built for use with the vASE.
Install Network Insights on ASE Part 3 - Installing Network Insights
317 views, 4 years ago
This third in a series of three short videos demonstrates and explains how to upload and install the Network Insights Apps on the Application Services Engine and get them running. I do this on a real ACI fabric with a CASE cluster.
Install Network Insights on ASE Part 2 Install ASE Cluster
415 views, 4 years ago
This second in a series of three short videos shows and explains a live installation of the Application Services Engine cluster with a real ACI Fabric. It also shows how to get the basic first-time setup configuration working for you.
Install Network Insights on ASE Part 1 The Setup
906 views, 4 years ago
This first in a series of three short videos talks about the Application Services Engine, what it is, what it does, and what you need as a basis to get it connected.
Deploy vAPIC Part Two - Actually doing it on a live system.
1.3K views, 4 years ago
This is the second and final in a series of videos showing the steps in how to deploy vAPIC on a real ACI system. Hope it proves useful.
Deploy vAPIC Part One - The Background and Pre-Req
1.6K views, 4 years ago
This first in a series of two videos goes over just what vAPIC is in the context of ACI Mini, plus basic requirements and design considerations before we move to actual deployment on a real system in part two.
ACI - Deploying vPod - Part 3 - The Test
857 views, 5 years ago
ACI - Deploying vPod - Part 2 - The Configuration
606 views, 5 years ago
ACI Multisite with Multipod - Tenant and Network Deployment Options
1.6K views, 5 years ago
ACI Multisite with Multipod - Setting up the ISN
4.5K views, 5 years ago
ACI Multisite with Multipod - Deploy MSO Cluster
3.5K views, 5 years ago
ACI Smart License - Device Led Conversion
7K views, 6 years ago
OBSOLETE: Deploying ACI Remote Leaf Part Four: ACI Multipod Deployment Configuration (v2)
1.5K views, 6 years ago
OBSOLETE: Deploying ACI Remote Leaf Part Three: ACI Multipod Deployment Setup (v2)
1.8K views, 6 years ago
OBSOLETE: Deploying ACI Remote Leaf Part Two: Single ACI Pod Deployment (v2)
3K views, 6 years ago
OBSOLETE: Deploying ACI Remote Leaf Part One: Getting Ready (v2)
3.5K views, 6 years ago
CNAE Part 5 - Using the offline script
624 views, 6 years ago
Thanks for your illustration... A question is raised: your Nexus leaf switches are in NX mode!? Aren't they in ACI mode?
very useful video
Thank you very much. I make these videos to help others follow the path of learning. I also make them so I can be sure I understand how everything works in my own lab and try to work through the common questions or challenges that I encounter so you won't have to.
hi joseph, thanks for your video. Does nx-os switch require running same ACI version as vAPIC?
Hello Charles. No, the NX-OS switch is completely independent. No version requirements other than me recommending you run a fairly modern release of NX-OS, not something 10 years old.
Hello Joseph can you provide details on your lab environment? Does Cisco provide lab licenses at a discounted rate? I would love to build out a similar environment in my homelab.
Sorry for the late reply. In Europe, we take long summer vacations :). In my lab it really is quite simple. I have one spine, and three leafs, but you could get by with two leafs if you wanted. I use the 3rd leaf as my external border gateway, but honestly, it is overkill. In this video, I also have Multi-pod set up, but that is also optional. It requires a bit more hardware in the form of 2x IPN devices (simple N9K-FX switches running NX-OS) and an additional spine and leaf for the 2nd pod. If you check my other videos on Multipod, you will see how I have it set up. Not sure if this is what you hoped, but if you have more questions, I am happy to add more detail.
"Lets pretend that whole VLAN 5 thing never happened" - Lol
Yeah, I have already blocked it out in my memory :)
Hello Joseph, what if we want to use the Firmware Update Analysis feature for version 5.2(8d)? Because there's no option for 5.2(8d) in the "select firmware" step. Thank you
Hi Fakri, and sorry for the late reply. You need two things for this to work. First, you need to have already uploaded the firmware to your APICs. 2nd, for recent versions of code, you need to have the NDI metadata file that includes support. Usually being on the latest is the best way. Normally the metadata is upgraded automatically when you upgrade NDI. However, you can also do this manually by downloading it from dcappcenter.cisco.com (log in required for this function) and it will generate a dedicated metadata file just for you (takes a few minutes) which you can manually upload to your NDI. Now, having said all that, it is also common that we release new ACI versions of code but the metadata support lags by a few months. We do push on the product team to speed this up :). I think your case is this...the metadata may not be there yet. Last point...we just released ND 3.0.1 and NDI 6.3 which I think has support for 5.2.x
cool bro, great explanation
Thank you too! I do these in the hopes you all find it useful in your day to day.
Thanks a lot for this video. Nicely explained.
Why is there an option for Physical for Controller Type at around the 11:30 mark?
This is because we also use this same process if you have a physical APIC. In ACI 6.0 we updated the day-zero APIC set up for everything to use the Web style process instead of console. Consistent whether you have physical or virtual APICs.
Keep doing more videos on this ACI topic... Thanks man.
Thanks a lot for this important piece of information.
thanks a lot
Hi, if we want to add a standby node, what steps must we take?
Hello Ahmad, you can add an additional node (worker or standby) if you login to your Nexus Dashboard and go to the admin console >> System Resources >> Nodes, there is a button to 'add node'
Since there were no links in the video or in the video description: Part 1: ua-cam.com/video/tEtMhJKnwRM/v-deo.html Part 2: ua-cam.com/video/yEV0LKDf8EA/v-deo.html
Since there were no links in the video or in the video description: Part 1: ua-cam.com/video/tEtMhJKnwRM/v-deo.html Part 3: ua-cam.com/video/b42rxUjj1fo/v-deo.html
Since there were no links in the video or in the video description: Part 2: ua-cam.com/video/yEV0LKDf8EA/v-deo.html Part 3: ua-cam.com/video/b42rxUjj1fo/v-deo.html
What is the difference between Cisco ASE and Nexus Dashboard?
Same hardware, new software and a new name. ND is the evolution of ASE.
@josephezerski5124 Thank you Joseph.
what is the difference between Cisco ASE and Nexus Dashboard????
Honestly, same hardware, better software (with ND). I should take these ASE specific videos down since no one is deploying ASEs in place of ND. To be clear, if you bought ASE hardware you can re-use it by installing the ND software load on it.
This is so cool... thank you so much... I wish I could find videos with more examples.
What about if you have only one leg on FW? FW is used as L3out, so basically all the default route goes there. But I have traffic between two EPGs that I want to redirect traffic through FW. How can I make it work?
From ACI 5.2 you can have L3outs with PBR. Check the whitepaper section here: www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html#PBRdestinationinanL3Out
Great video!
Joseph, I really liked the way you presented. Thank you so much. Will you guide us with detailed videos on Intersight and NDFC or DCNM too, please?
What a great video, right to the main point!!! Thanks and follow. !!!
Joseph, your video only shows how to deploy ND with an ACI fabric. What about a VXLAN-only fabric, non-ACI?
Hi Albert. I don't (yet) have a working NXOS VXLAN fabric in my lab. However, the updated install guides for NDFC cover how to connect all of this. I am trying to get something up and running and then I will record a video for that solution.
By the way, it requires SEVEN (7) VMs to run this in the new Nexus Dashboard Fabric Controller (12.x--brand new IOS, DCNM stopped in 11.5). I sat through a demo like this on NDFC and the Cisco SME was apologizing the whole way through. I feel sorry for the dumb Enterprise customers that will pay the $500K for this (software and professional services to install it) and then never even log into it.
Hello Lee. The VMs themselves are free to download. The NDI solution is a license based model per leaf, so it is a pay as you grow approach that can address all sizes of customers.
Also, forgot to add that it is possible to install a reduced scale virtual ND cluster for testing / lab trials. For example, you can have a single app node cluster (yes, one VM) for NDO or NDFC. For NDI, you can install a 3 app-node cluster and test (I think) up to 20-25 leafs. To be clear, this would be for testing and seeing if it meets your needs. For production you must follow the public scale docs for the apps you want to run.
why no passwords/key option for NTP ?
Fantastic.
Great video!! thanks for sharing.
Great walkthrough and nice additions to NDI 6.0. In the process of deploying three installations globally, so the addition of “multi-site” ND is surely welcomed
Thanks Lars. You are right indeed! Multi-site checks are there in a very basic sense, but more is coming in the next NDI 6.1 release.
Waiting since long time for this video. Thanks Joseph
Thanks Sajid. I realize I have been slow to upload newer stuff. I'll try to pick up the pace!
@josephezerski5124 Really appreciated. Please some videos on cloud APIC
Good video! If you install both NDO and NDI on ND, when adding sites in ND, for the same site, do you need to add the APIC OOB mgmt IP (for NDO) and the APIC in-band IP (for NDI)? So you see two site entries in ND for a particular site?
The way ND works is you add the "site" only one time and then make that site available to apps like NDO and NDI. In the background when the site is first added, as part of discovery, ND will learn both the in-band and OOB of the fabric. So in NDO when you move the site to "managed" ND already knows how to reach the site.
Hi Joseph.. Could you please make a video on how to configure a trunk port using Postman..
My man, THANK YOU!!!!!
great video... Thanks for uploading...
Hi, do you know if it is possible to do this with 3 vAPICs (without any physical APIC)? I want to run this against Nexus 9000v leafs and spines (all VMs).
Hello Ananth. Sorry but this is not possible. You need at least one physical. You can however freely download and deploy the ACI Simulator which gets you the result you are after.
This is a freaking awesome series of videos. Thank you!!
Thanks Nathan. Comments like this really motivate me to try for more useful videos.
Very Good explanation as well as video
Question, what source address is used for registering ACI with Cisco Smart License?
It will be the IP address of the APIC making the request. I just tested myself by sniffing the oobmgmt interface.
08:46:34.779923 IP apic-ams.cisco.com.38644 > tools1.cisco.com.https: Flags [P.], seq 517:859, ack 5207, win 320, length 342
apic-ams.cisco.com is my lab APIC's oobmgmt IP address, and tools1 is the smart license server
Hi Joseph, great post, thank you... do you have a new version of this script? I see you shared V3 on GitHub. Is that still valid on the newest version of APIC and SCVMM?
Yes, it still works for me. I am running SCVMM and HyperV 2016 in my lab. I have not tested later versions. My git repo will have the latest, but I have not touched this script in a few years, so YMMV. Good luck!
Thank you for making this video.
Do you have any examples of setting up the iPN on Cat 9ks?
Hi Vivian. I do, as I use N9Ks in my lab for the IPN. I put the relevant parts of the multi-pod config in my git repo here: github.com/joezersk/aci-multipod/blob/master/92160-EAST-running-configv2.txt
I am planning to deploy IPN using GRE tunnels, any suggestion about MTU size? An urgent reply would be highly appreciated.
Hi Khan. Not sure how well PIM BiDir RP will work and you may have to set up multiple tunnels between all your IPN devices. You will also have to account for the encapsulation overhead of GRE, so whatever your transit network is, you will need something larger than 1500. Add 50 bytes for VXLAN encap and ~24 bytes for GRE. To be honest, I strongly do NOT recommend GRE in any case. It is a software driven process that puts all the load in the general purpose CPU of whatever device is handling the tunnel end point. It means that even with low amounts of traffic, the CPU on that device will approach 100% fairly quickly.
@@josephezerski5124 Hi, I have deployed IPN using GRE tunnels 3 weeks ago, and it is up and running now. All remote spines and leaf switches of POD2 are now registered with the APIC. My topology consists of Nexus and Cat9k, since we didn't want to go for MPLS-VPN so we decided to deploy it with GRE tunnels. I don't know what to say at the moment about the performance but let's see what comes up in the future.
Awesome explanation 👌👍👍👍
Hi Joseph, great series. I was trying to install the Cisco Application Services Engine app and noticed it was no longer on the app page. Do you know what took its place? I still see NIR and NIA
Hi Quentin. Sorry for the late reply. With the SE code v1.1.3 we changed how we do it. You no longer need that little applet. We rolled it into the SW powering the SE now. This also allows us not to have to connect the SEs directly to ACI ports. They can be routed many hops away, which also allows us to collect telemetry from multiple different DCs, so an improvement.
how did you figure out the syntax for adding the nodes?
I googled "Configuring the Cisco APIC Using the REST API". That's my great programming secret....I am very good with copy/paste and can't write code for sh%t. In that doc is an example of the syntax and I just changed the serials and names to what I needed and then posted. Nearly every ACI config guide has some section on using the API with code examples....but that is not nearly scalable enough, so what I mostly do these days is use the APIC's built-in API Inspector, config what I need manually once, then copy the resulting code from the Inspector.
Why the same address of the loopback in the RP???
interface loopback99
  vrf member tn-infra
  ip address 12.1.1.1/32
  ip router ospf a1 area 0.0.0.0
  ip pim sparse-mode
!
ip pim rp-address 12.1.1.1 group-list 225.0.0.0/8 bidir
ip pim rp-address 12.1.1.1 group-list 239.255.255.240/28 bidir
-------------------------
Why not as below, 12.1.1.2? Many of the Cisco ref guides show that it should be different, even you mentioned this in your comment, but your config is using the same address:
"Hello, Els. For the phantom RP, the loopback address will be the same on all IPN devices. The only difference is the length of the subnet mask. It becomes more of a routing game with longest prefix-match. If the primary with the more specific mask fails, the next one with the less specific mask will take over. There is a recent config guide on multipod that explains that here: @t"
ip pim rp-address 12.1.1.2 group-list 225.0.0.0/8 bidir
ip pim rp-address 12.1.1.2 group-list 239.255.255.240/28 bidir
Great video!! It's clear and the explanation is perfect. In my case, I'm trying to connect 2 remote leaves but when I connect them, they never get an IP and remain in "discovering" status. The RLeaf got a name and an OSPF IP interface, and I can contact the APIC from it. OSPF is ok on my IPN... I'm quite confused and I don't know how to debug the situation. Do you have an idea?
There are a few ways to look at this. First is, we did a lot of improvements in remote leaf in ACI 4.1.2 and later that remove the need for all this VLAN-5 business. I only bring it up to remove that mess from any consideration. Second, if you are stuck in discovery state, the things to check are:
1. Is the remote leaf showing up in the fabric membership tab waiting to be registered? Usually when they show up it means that DHCP relay is working. If they don't show up, can you check that the WAN router that is fronting the remote leaf has a route to the TEP address of the APIC (either the main TEP or the remote routable TEP we added in 4.1.2). Check that the interface on that router sub-int has the DHCP config to send it to APIC.
2. You can also check the APIC DHCP logs to look at the exchange with the remote leaf. You can see the location of the file below. I grep for the serial number of the remote leaf as my search parameter.
apic-ams# pwd
/var/log/dme/log
apic-ams# egrep ISC dhcpd.bin.log | egrep "FDO222309KT"
3. Make sure you are using VLAN-4 on your sub-interface on the WAN router fronting the RL. It *must be vlan 4*
I usually find that when you cannot discover it is a routing issue between the RL and the APIC that needs to provide the config file in the DHCP exchange. Hope that helps
Thank you, Joseph. Keep making an overview and configuration videos on Cisco ACI.
Is the routing staying within the ACI Multi-Site fabric (routing using the spines) or is it leaving the ACI fabric and then routing over?
Hi. Not sure I fully understand the question. I'll take a try. It depends on where the source and destination end points are living. Let's assume they live in different sites....we create an MP-BGP control plane connection between the spines in each site. This is just a very easy way to share MAC and IP reachability across sites. So, if the source EP is in site-1, the local spines will know the destination EP is in another site, and will use VxLAN to encapsulate the original packet and send it over to the remote spine's special TEP address (officially called the Overlay Unicast TEP) which is simply a /32 address that represents a given pod in a given site. This is routed over the Intersite Network (can also be the same as the Interpod network) which is just a generic L3 routed network. So to answer your question, in the example I give here, the packet is routed across the IPN/ISN to the remote spine and back. Hope that helps.
Hi Joseph, what is the minimum subnet for the App Subnet and Services Subnet? Is /16 mandatory? VLAN range: what is the minimum VLAN range, can I use one VLAN? If the gateway on the DC FW is not configured on the fabric, will I still get the full function of SE, or will I lose some features? Thanks
Hi Mohammed. I'd just stick with /16 for both. This is because the applet creates a special tenant and VRF just for the service engine needs, so you can freely use large subnet masks with no worries. In ASE 1.1.2, you need 5 VLANs, any sequential range. I am not sure I understand the last question.... Having said all this so far....things are changing quite a bit in ASE v1.1.3. So much so, that these videos here will soon be obsolete and I will upload new ones showing the way forward.
Joseph Ezerski Hi Joseph, thanks for your reply. For the first question, can I use less than /16? For the last question, if the customer doesn't configure any gateway on the fabric (layer 2) and all the gateways are on the FW, do you think SE will help the customer with troubleshooting, or can some of the features not be used? Thanks