LA Networks is pleased to present this information, along with a hands-on demo in an effort to educate network engineers about the Cisco Application Centric Infrastructure (ACI). Cisco introduced ACI as a holistic systems-based approach to infrastructure management.
The Difference Between vPC & NX-OS and vPC & ACI.
In NX-OS you have the concepts of a peer link and peer-keepalive. These concepts don’t function in the same way in ACI, and you don’t configure them in the same way either. ACI uses the fabric itself for this. So, you’ll never cable between the two leaves in the vPC domain.
Under Switch Policies>Policies, there’s a vPC Policy that’s defaulted. We use this section to effectively set up our VPC domain. One difference in ACI—Since there are no dedicated interfaces for Peer Keepalive or Peer Link, ANY two switches in the fabric can be in a VPC domain. However, you can still have just two switches in any domain. A switch can only belong to a single domain.
When it comes to interface policies, I typically create my own as a recommended best practice. You will create a VPC protection group per pair of switches that you want in a VPC domain. I advise using the lowest number leaf in the pair for your virtual domain ID (e.g., 201 and 202). Whichever is switch one, will be the vPC Primary. You only need to set the vPC Domain Policy once per fabric, and vPC Protection Group once per pair of leaves together.
- Click on Fabric.
- Click on Access Policies.
- On the Quick Start menu click on Configure and interface, PC, and vPC to start the wizard.
- Click on the + sign under the “Configured Switch Interfaces.”
- On the right, click on the pull-down menu “Switches” and select your first leaf switch (in my lab it’s 201).
- Give it a name such as Profile-Leaf-201.
- Click Save.
- Repeat this for as many leaf switches as you have.
After we configure the switch profile for a vPC, we’ll now create an Interface Policy for it. In this scenario let’s say we’re adding a storage array server to our environment, and we want it to connect to both Leaf-201 and Leaf-202 in a vPC for redundancy.
- Click on the joint vPC switch profile you just created.
- In the right pane, click on the green + sign to configure switch interfaces.
- Enter an interface. Keep in mind that we’ll be using the same ports on both switches for the vPCs. Though it’s possible to use different ports, it makes things much more difficult. So, a best practice is to use the same ports for vPCs.
- Enter an Interface Selector Name in Interface IDs. If you want to enter more ports you can enter a dash.
Before you enter the Interface Policy, you should revisit some screens to verify things are working, then you can proceed.
Now you can create interface policies for the individual switch profiles. You can take all the shortcuts you want. (See below)*
Go to the Pools drop down to create a VLAN pool that will contain the storage array. Under Pools-VLAN / Create VLAN Pool, enter pool-storage1 or whatever you want to name it.
Next, we’ll click Static Allocation instead of Dynamic Allocation because our storage array isn’t a hypervisor.
Now we’ll add some VLANS. In “Create Ranges” we’ll enter 600 to 600 because I only have one VLAN in my storage. (We can edit this at a later date if needed.)
In the Allocation Mode, it defaults to Inherit Allocation Mode from Parent. This is fine. However, I always match the Allocation Mode to the Parent.
We have Physical Domains, L2 & L3 Externals and Virtual Domains. For our purposes, we’ll stick with a Physical Domain, which is most common.
Name: phy-dom-storage 1
VLAN: [pool storage 1] static
Now the pool and VLAN are linked.
These are up under “Global.” You’ll see “Attachable Access Entity Profile.” But most people just call it AEP or Attachable Entity Profile (the Access is implied).
Name: aep-storage 1
Interfaces: phy-dom-storage 1 (Hit “Update” and the encapsulation will be pulled in automatically.)
Note: If you go back later and change the VLAN pool, it will automatically update the AEP. If you update one configuration others will update. This is one of the benefits of switching to fabric-based networks.
Now, hit “Next.” You can enter your EPGs and interfaces here, or go to the API Inspector to build out an automated flow through some kind of XML. (For our purposes, we’ll move on here.)
There are quite a few of these. Again, just like the VPC Domain, you can use the default, but I don’t like to. As ACI matures and new versions come out, some of these defaults may change.
Create CDP Interface Policy
Name: intpol-cdp-on hit “Submit” create another
You can create more under LLCDP Interface Policy or Port Channel Policy.
Create Port Channel Policy
Make it LACP Active.
Note: Under Policies in the left-hand menu dropdown, you can navigate across the top as well for the different policies.
This one’s a little different. When you right-click on Policy Group, you can create different types. We’re going to create a VPC Policy Group. This is important so the Policy Group knows that it’s for VPC. Be aware that THIS is where you attach the AEP (and therefore the VLAN pool and Domain) to the Policy Group! This may not be obvious at first, so be sure to pay attention to this step or you’ll have everything done correctly, except the domain and pool will never make it to an interface.
Create VPC Interface Policy Group
Name: intpg-storage 1-vpc
CDP Policy: intpol-cdp-on
LLDP Policy: intpol-lldp-off
Port Channel Policy: intpol-lacp-active
Attached Entity Profile: aep-storage 1
Policy Group Leaf Profiles
In the dropdown:
intprof-leaf 201 202
Port Blocks: intpg-storage1-vpc
Attach to interface 1/1
Switch Policies>Profiles>Create Leaf Profile
Name: swprf-leaf201-202-storage 1
Blocks: (select 201 202 in dropdown)>Update
Under Leaf Profiles, scroll down to: swprofleaf201-202-storage 1
Once here, you now attach your Policy Group to the Interface Profile and everything merges together!
Now, go back to VPC Domain (left-hand menu) to check your Logical Pair ID.(It should be 201.)
You can keep drilling down in the left-hand column to verify that you’ve configured everything and that it’s propagating correctly.
Go to Faults if you have any problems.