Download as pdf or txt
Download as pdf or txt
You are on page 1of 153

Understanding, Verifying, and

ACI Configuration Policies
Daniel Pita, ACI Solutions TAC
• Introduction
• Quick Review of the Object Model
• Flow of Configuration
• Verification at the Different Stages of
• Case Studies and Troubleshooting Methodology
• Live Troubleshooting Activity
• Final Q & A
• Summary / Closing Remarks
Like all new tools, ACI has emerged from a need. A
need to simplify Datacenters, abstract the Network,
and focus on the Applications that run in a datacenter.

For new tools to be used properly, they must be

understood. Once understood, the user is empowered
and the possibilities are endless…
• Application Centric Infrastructure
• Deploy a physical and logical network based on the needs of my application
• Virtualizing the network infrastructure and hardware
• Stateless Switches

• How is this accomplished?

• Policies
• The Object Model
• Overlays
• ALE: Application Leaf Engine
• Use vsh_lc to interrogate ALE ASIC
• BD: Bridge Domain
• EPG: Endpoint Group
• AP: Application Profile
• VMM: Virtual Machine Management
• PI VLAN: Platform Independent VLAN
• DN = Distinguished Name
Endpoint Group
• Most basic and fundamental entity in ACI
• All endpoint will be classified into an EPG
• Policy is applied BETWEEN EPGs
Objects = Configuration

Conf t
Int e1/25
Switchport mode trunk
Switchport trunk vlan 3,4
No shut
Endpoint Verification
Application Application
Profiles EPGs
Endpoint Verification - CLI
Endpoint Verification - CLI
Show vlan extended
• First (top) section shows the PI
VLAN ID and what
Tenant:AP:EPG it maps to
• Also shows what interface the
VLAN is configured on
• Second (bottom) section
shows the
from the PI VLAN to the
system VXLAN or access
(on the wire) VLAN
Show system internal eltmc info vlan brief
Show system internal eltmc info vlan brief

• This command clearly shows the relationship between the BD_VLAN and the
FD_VLAN and their respective attributes such as the PI VLAN, BCM HW VLAN,
access encap (on the wire), the VXLAN or VNID
Path of the Packet
• EPG Classification
• VLAN Normalization
Scenario 1: Same EPG, Same Leaf
• Same EPG, Same Leaf is L2
switched in the front panel ASIC
• Same HW VLAN, no policy ALE
• Regular L2 switch behavior


1 2
IP: 4.100 IP: 4.101
MAC: 5B89 MAC: 5B90
VLAN: 356 VLAN: 356
Scenario 2: Same EPG, Different Leaf
• Same EPG, Different leaf needs
to go to the ALE for transmission Payload L3i L2i iVXLAN L3o L2o
to destination leaf
ALE Tunnel ALE
• Different HW VLAN
• Different PI VLAN
• Why ALE?
• ALE is the ASIC that
understands Policy! EP

IP: 4.100 IP: 4.101

MAC: 5B89 MAC: 5B90
VLAN: 356 VLAN: 356
33 31 31 1612790 1612790 29
29 31

Encap: HW: HW: Encap:

3449 33 31 356
What’s Next?
• Communication between EPGs requires policy
• Policy is enforced at the Private Network/VRF layer
• Policy is specified through contracts!
• One EPG is Providing the other is Consuming
• Think client/server relationship. One EPG is a server providing a service the client is
consuming the service
• Bi-Directional Communication is allowed by default
• Once again, do not confuse bi-directional communication with a provider/consumer role
• Pro-Tip: Only the client/consumer is allowed to initiate communications!
Client Server
Client/Server in a TCP flow SYN

• Source/Client/Consumer establishes connection to SYNACK

destination port 80 source port 60444
• SYN is sent ACK

• Destination/Server/Provider receives SYN and

sends SYNACK with source port 80 destination
60444 DATA

• Source/Client/Consumer sends ACK to source port

80 destination port 60444
• Source sends HTTP GET

In ACI however…
ACI Provider/Consumer
• Gotcha!
• Exactly the same. Assuming a contract is in place between the web-client EPG
and web-server EPG!
• The difference is ACI is granular enough to enforce directionality of the flow!

HTTP Contract

HTTP Subject
Web-Client HTTP Filter Web-Server
Consume 80 Provide 80
Source X
Dest 80

Sport = X Dport = 80 Sport = 80 Dport = X

Verify in GUI Tenant ACME-CL
Tenant ACME-CL Networking Private Networks Operational Tab Associated EPGs
Private Network/Context Segment ID
Tenant ACME-CL Networking Private Networks ACME-PN Policy Tab
Show zoning-rules
• Confirms contracts are create on a switch
• Shows source and destination EPG based on their PCTAG value
• From CLI show zoning-rule [scope-id]
• Scope ID is the context number
• Found under the tenant > Networking>Private Network > Policy tab as “Segment ID”
Show zoning-rule
• Displays Rule ID and the EPG PCTAG as source and destination as well as the
Show zoning-filter [filter-id]
• In depth information on the filters associated to a rule.
Show system internal policy-mgr stats | grep [scope]
• Shows Model information for a specific rule and hit counter statistics
Scenario 3: Different EPG, Same Leaf
• Different EPG, Same Leaf is Sent
to ALE for policy and for ALE
forwarding to different VXLAN


1 2
IP: 4.100 IP: 13.100
VLAN: 356 VLAN: 390
Scenario 4: Different EPG, Different Leaf
• Different EPG, Different leaf
needs to go to the ALE for
transmission to destination leaf
• Different VXLAN
ALE Tunnel ALE
• Policy enforcement:
• Generally happens
on ingress leaf when
Destination EP is known

1 2

IP: 4.230 IP: 13.100

MAC: 9055 MAC: DCF3
VLAN: 3449 VLAN: 390
Object Model Review
Types of Objects
• Logical, resolved, and concrete
• Logical = configured in the GUI by the user
• Resolved = created by the APIC as a unit/object to communicate and pass information
to the switches
• Concrete = objects used by the switches to program hardware

Logical Resolved Concrete Hardware

• Process flow
• Sequential
• Use to your advantage


NGINX/ Logical Resolved Concrete Hardware

Logical MO Concrete
Resolved Concrete
fvAp fvCtxDef
fvAEPg fvEpP l3Ctx
fvCtx fvLocale vlanCktEp
fvBD fvStPathAtt actrlArule

NGINX Policy Policy NXOS Hardware

Manager Element
• Are my interfaces UP?
• Are my VLANs provisioned on the switch? Which Platform Independent (PI)
VLAN maps to which Encapsulation VLAN?
• What endpoints are learned on this leaf? What EPG do they belong to?
• How do I start troubleshooting with only an IP address?
• Start at the Concrete/Hardware and confirm configuration.
• GUI under Fabric>Inventory
• CLI using show commands or moquery
• Pro-Tip: CLI show command syntax help is available albeit different than NXOS
• Use <esc><esc> which is equivalent to ?
• Show must always be written out completely to be parsed correctly
• <tab> and <tab><tab> work as expected

• If there is a problem check logical model.

• Make sure configuration policies exists
• No faults are present
CLI Verification Commands
• Are my VLANs provisioned on the switch? Which Platform Independent (PI)
VLAN maps to which Encapsulation VLAN
• Show vlan extended
• Show system internal eltmc info vlan brief

• What endpoints are learned on this leaf? What EPG do they belong to?
• Show endpoint detail [vrf <name> | ip | mac | int | vlan |
• If you know the IP or MAC for a particular endpoint
• Show system internal epmc endpoint [IP|MAC] [x.x.x.x|0.0.0]
• Moquery –c fvCEp | grep –A 10 –B 8 “[IP]”
• Run this command on the APIC
GUI Verification
• Fabric>Inventory
• Holds all the “show commands”
• In reality, Fabric>Inventory is reading the objects(mo and
summary) on the switches and populating an HTML5
• Pro-Tip: The CLI holds all the same information found in
the GUI
• /mit/ under the APIC or the Switches hold the actual model
and objects
• /aci/ under the APIC or Switches follows the same structure
as the GUI for easier navigation and naming!
GUI: Fabric > Inventory
vPC View From Under Fabric>Inventory
Visore and moquery
• Visore and moquery serve the same purpose, just a different front-end
• Visore is via HTTP/HTTPS through the browser
• https://<apic-address>/visore.html
• https://<switch-address>/visore.html

• Moquery is a CLI command that searches the model for a specific object
• Used on the APIC or switches
• Takes flags and arguments

Pro-Tip: objects are case sensitive!!

• Pro-Tip:
Only the
APIC will
have the ?
Link next
to the
Moquery –c fvCEp –A 8 –B 10 [ip]
Fabric Access Policies
Fabric > Access Policies
• Govern how a physical switch or switch port will be configured
• Controls layer 1 and layer 2 properties such as:
• Port Channels/vPC
• FEX association
• FEX port configuration

• Relationships and associations here impact deployment later on!

Verify in model
• On switch CLI
• /mit/uni/epp/fv-[uni--tn-<name>--ap-<name>--epg-<name>]/node-<#>
• Confirm dynamic path attachment was created.
• List directory (ls)
• Presence of “dyatt” directory or “stpath” directory
• Dyatt = dynamic path attachment and relates to VMM integration
• Stpath = static path defined under an EPG, used for baremetal endpoint connection
• Object is fvLocale
• /mit/sys/phys-[eth1--<#>]
• Relation to domain with “dom” directory
• dbgX directory summary files include statistics and counters
• Object is l1PhysIf
• /mit/sys/phys-[eth1--<#>]/phys
• Cat summary in this directory shows VLAN info and other L1/L2 information
• Object is ethpmPhysIf
On Switch
Verifying in Traditional CLI
• Show interface e1/13 [switchport]
• Show interface e1/13 trunk
• Standard commands
Port Channel with x Members
• Port Channel aggregation groups are controlled by unique interface policy
• All port blocks associated to a PC interface policy group will be bundled together
into a port channel
Verify in model and hardware
• On switch /mit/sys/aggr-[poX]/
• On APIC /mit/topology/pod-1/node-101/sys/aggr-[poX]/
• Object is pcAggrIf

Traditional CLI
• Show port-channel summary
• Show lacp neighbor
Cat summary of aggr-[poX]
vPC with x members
• Two methods
• Wizard for side-A and wizard for side-B
• Wizard for side-A and manually for side-B, reusing the switch selector
• Create new interface selector and port block, new vPC interface policy group and associate to
switch selector

• Manual configuration is one switch profile 1 switch selector with 2 switches in

the block(or any other combination! Just remember the model)
• Two interface profiles tied to two different vPC interface policy group to create the 2/4
port channels.
Verify in model and hardware
• On Switches:
• /mit/sys/aggr-[po-<#>]
• Cat summary will show the port channel information
• Directory should have a domain association inside
• Object is pcAggrIf
• /mit/sys/vpc/inst/dom-<#>
• Cat summary will show vPC domain information. Equivalent to show vpc
• /mit/sys/vpc/inst/dom-<#>/if-#
• vPC interface object. Cat summary will show the VLANs being used
• Object are vpcIf, fabricLagId, fabricProtPol
Verify in model and hardware
• On APIC:
• /mit/topology/pod-1/protpaths-101-103/pathep-[<interface policy
group name>]
• Protpath is used to reference the vPC when using a Static Path.
• Class is fabricPathEp
• /mit/uni/fabric/protpol/expgep-vpc-[node-pairs]/
• Cat summary here to see the Virtual anycast IP of the vPC pair
• LS here to see all vPC interface policy groups associated to this vPC domain.
• /mit/uni/fabric/protpol/expgep-vpc-[node-pairs]/lagid-default-
• Cat summary here to see the ID of this vPC interface
Bundle Relationship to IPG
IPG: Creates Bundles
Case Study:
EP learning on a vPC
Show system internal epmc endpoint ip <x.x.x.x>

Front Panel ASIC learning l2 show

BCM-shell trunk show

• Pro-tip: when looking at BCM output, xe ports are front panel ports and are
always offset by 1. This is because BCM starts counting at 0 whereas the front
panel and GUI starts at 1. In this case xe19 is referencing port 20
What We Confirmed


topology/pod-1/protpaths-101-103/pathep-[ACME-pod3-ucsb-A-int-pol-gro] topology/pod-1/protpaths-101-103/pathep-[ACME-pod3-ucsb-B-int-pol-gro]
Contract Model
Filter Subject


External L3 External L2
• Contracts go directly past ‘GO’
• After Logical object created from APIC API (GUI in this case) a Concrete object is
created and the rules are programmed into hardware on the leafs
• The flow is NGINX -> APIC PM -> Leaf PE -> hardware

• Object is vzBrCP
• Consumer EPG object is vzConsDef
• Provider EPG object is vzProvDef

• Found in /mit/uni/tn-<tenant-name>
• Switch object is in actrlRule
Contract Logical Object
• Confirm EPG and context is deployed on a switch
• fvEpP is concrete object on switch that relates to logical fvAEPg (EPG)
• The APIC validates if an EPG is deployable onto switches
• BD associated, context configured on that BD
• Otherwise, faults on the EPG/BD

• The Leaf validates after the APIC and before deployment on to hardware
• Path endpoint validation (port, PC, vPC)
• VLAN encapsulation validation

• Each EPG is assigned a PCTAG or source-class ID

• Can be seen in GUI under the context>operational or it can be queried in the CLI
• moquery –c fvAEPg
On Switch
Show zoning-rules
• Confirms contracts are create on a switch
• Shows source and destination EPG based on their PCTAG value
• From CLI show zoning-rule [scope-id]
• Scope ID is the context number
• Found under the tenant > Networking>Private Network > Policy tab as “Segment ID”
• In APIC CLI with moquery –c fvCtx

• In Model (on leaf):

• /mit/sys/actrl/
• This directory contains the structure of contracts with filters and scope directories.
• Cd into a scope-[#]
• /mit/sys/actrl/scope-[#]/
• This directory will contain all rules associated to this context scope ID
Case Study:
Any to Any Contracts
• Found under the Private Network
• References a collection of EPGs
• Applies contract at the context level and affects all EPGs with a BD tied to the
• Referenced in CLI as pcTag 0
• Use Case:
• Used to conserve TCAM space and as a place to easily apply large amounts of
• Example: I want everything in my tenant to be able to ping each other. vzAny will
provide and consume the icmp-contract
• Example: I need every EPG to have access to this one webserver on web-EPG. Have
web-EPG provide an http-contract and vzAny consume the http-contract
vzAny in the GUI
Case Study:
Troubleshooting Tool -
Troubleshooting Tool Contracts Tab
What We Confirmed
• Contract defined
for HTTP
between EPG1
and EPG2
• ICMP any-to-any
applied at vzAny
• Applies to all
EPGs associated sport: X dport: 80
to the VRF Icmp any to any
VMM Integration
VMM Model


Port Group/
VMM Integration
• Allows ACI and the APICs insight into VMMs and allows dynamic configuration of Virtual
Machine networks
• “Easy-Button” for provisioning networks to virtual machines
• VMM Domain policy creates a DVS with the name of the VMM Domain policy
• Objects are as follows:
• VMM Domain = vmmDomP
• Controller = vmmCtrlrP
• EPG = infraRtDomAtt (with a target class of fvAEPG)
• AAEP = infraRtDomP (with a target class of infraAttEntityP)
• This is the AAEP under fabric>access policies that is associated to an interface policy group that is then associated
to the interfaces where the Hypervisors are connected
• VLAN Pool = infraRsVlanNs (with a target class of fvnsVlanInstP)
• Port Group = vmmEpPD. Important information available with this object.
In Reality…
vmmCtrlrP infraRsVlanNs


infraRtDomAtt infraRtDomP vmmEpPD

Verify from GUI
• Check policy for faults
• Check if inventory was populated
• Good indication that at least communication between the APICs and the controller is established
and the inventory can be shared
compEpPD compHv compVm

compHpNic compRsHv

hvsRtNicAdj hvsAdj compRtHv compVNic



compEpPConn VM
Object Verification
• hvsAdj is critical. It is a hypervisor adjacency established through a discovery
protocol such as CDP or LLDP
• Without this object, leaf interfaces will not be programmed dynamically.
• hvsAdj is tied to fabricPathEp which is connected again to fvDyPathAtt.
• Dynamic Path Attachment is how VMM deployment works.
• hvsAdj is found on the APIC:
• /mit/comp/prov-Vmware/ctrlr-[<vmm-domain-name>]-
hvsAdj Child Objects
Case Study:
Adjacency Issues
Adjacency Discovery Issues
• Establishing adjacencies is very important and can hinder deployment.
• Problems arise when NIC does not support LLDP(on by default on ACI leaf
ports). If the discovery information is not exchanged, adjacencies will fail. Faults
will trigger.
• UCSB, by having the FI’s in between adds more steps to adjacencies
• FI’s also do not support LLDP down to the IOMs
• CDP must be used from the blade up to the FI
• Resolved with two options
1. Disable LLDP and enable CDP on the ports where the FI’s connect when using a UCS-B
2. Utilize the AAEP vSwitch Override policy
Override Policy Use Case
• Added a new blade and new uplinks from the FI’s to the fabric via a vPC again.
Decided this blade will have its own DVS therefore created a new VMM domain
policy to the same vCenter/datacenter
• Interface policy group used all defaults except LACP
compEpPD compHv compVm

compHpNic compRsHv

hvsRtNicAdj hvsAdj compRtHv compVNic



compEpPConn VM
DVS discovery protocol
• Why is this happening now?
• Since the interface policy group was left at defaults for LLDP and CDP this
• LLDP on by default
• CDP is off by default
• DVS was created using the active discovery protocol on the interfaces as its discovery
protocol type
• Resolution:
• Change the interface discovery protocols on the two interface policy groups
• Use the override policy on the AAEP
• We will proceed with this method
Configuring the Override Policy
Access Global Right-Click or
Fabric AAEP vSwitch
Policies Policies Actions menu
Override dialog box
DVS is updated
Most Importantly…
• Faults are gone!
Rack Server Adjacency
• After configuration:
• Check for faults in related objects and recently created objects
• Use show commands to confirm deployment/instantiation
• If show commands are not what is expected, use the sequential flow of the model to
help narrow down the issue
• Navigate the model on the APIC and on the Leafs
• Moquery or Visore for objects of importance
Summary / Closing Remarks
• ACI gives you the rope
• Need to learn how to use it and understand its
• Thank you
But wait! There’s more!

• BRKACI-1024 Dev-Ops and the Application Centric Infrastructure –

Open Standards and Open API’s
• BRKAC-1502 Simplify Operations with ACI
• BRKACI-1789 How to Perform Common Tasks in ACI
• BRKACI-2501 Operationalize ACI
• CCSACI-2552 - The Journey to Nexus 9k and ACI: NetApp Global
Engineering Cloud
Participate in the “My Favorite Speaker” Contest
• Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
• Send a tweet and include
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at
Complete Your Online Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
• Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available
for viewing on-demand after the event at
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
For Reference
Step 0:
• Are interfaces UP?
• GUI = UP and EPG
• Fabric>inventory>pod-1>switch-x>physical interfaces>ex/x
• CLI = UP
• Show int ex/x
• CLI = trunking expected VLANs?
• Show int ex/x switchport
Step 1:
• Are both endpoints learned where they are expected.
• Show endpoint
• If not, are the VLANs programmed on the switch?
• Show vlan extended
• Are the expected objects created?
Step 2
• If both endpoints are learned. Can they ping their own gateway? Can they ping
the opposite gateway?
• To confirm ping try from the leaf:
• Tcpdump –i kpm_inb icmp host x.x.x.x
Step 3:
• Can source EP connect to destination EP?
• Same EPG, same leaf
• Same EPG, different leaf
• Different EPG, same leaf
• Different EPG, different leaf
/var/log/dme/log/nginx.bin.log /var/log/dme/log/svc_ifc_policymgr.bin.log
Logs /var/log/dme/log/svc_ifc_policymgr.log
Logical MO Concrete
Resolved Concrete
fvAp fvCtxDef
fvAEPg fvEpP l3Ctx
fvCtx fvLocale vlanCktEp
fvBD fvStPathAtt actrlArule

NGINX Policy Policy NXOS Hardware

Manager Element
Tenant Policies ACME-CL



Access Policies
• Switch Selector
• Block: 101-103
• Interface Selector A
• Port 1/20
• Interface Selector B
• Port 1/26

• Switch Selector
• Block: 104
• Interface Selector 1
• Port 1/13

• VLAN Pool 1
• Block: 356-406

• VLAN Pool 2
• Block: 3440-3450

VMM Domain
• Two VMM Domains
• 1 UCS C
• 1 blade of a B series
Fabric Access Policies
Single Attached Hypervisor Host Configuration
Use cases
• vSwitch does not support LACP so use LACP policy ON not ACTIVE
• Static path under EPG references vSwitch vPC/PC
• Path prefix represents a port channel when creating a static path
• Protpath prefix represents a vPC when creating a static path

• Static paths manually deploy an EPG/VLAN on an interface, PC, or vPC

• Can be set to expect tagged traffic
• Untagged
• Or L2 CoS
Contract Subject
• The subject is the only object that is not re-usable in the contract model.
• Subject represents an application
• Why?
• Subjects associate to Service Graphs which are uniquely built between two EPGs
• Instantiating a service graph requires configuration of parameters specific to a particular flow from
one EPG to another EPG
• VIPs, BVI, security groups, ACLs etc.
• Subjects also control two important options to allow the bi-directional communication as
well as preserve the Provider/Consumer model!
• Reverse Port Filter
• Apply in both directions
Configuring Contracts
Rule HW Programming
• To get a peak into hardware programming enter vsh_lc
• Show system internal aclqos zoning-rules
• Here we see the TCAM resource usage such as HW and SW index entries
TCAM Dump Rule 4154: HTTP EPG1 to EPG2
• Show platform internal ns table
mth_lux_slvz_DHS_SecurityGroupKeyTable0_memif_data [hw_idx]
• Consumer to Provider HW dump
• Pro-tip: Table 0 = ingress, Table 1 = egress
TCAM Dump 4153: HTTP EPG2 to EPG1
• Reply from Provider to Consumer
• Source class is still 0x8002/32770; destination class is still 0x8003/32771
TCAM Dump 4152: ICMP Any to Any
Table health command
• From vsh_lc show platform internal ns table-health
• Interesting field is SEC GRP
• Shows current TCAM usage
Contract related logs and traces
• Still under vsh_lc
• Show system internal aclqos event-history [trace | errors]
• Trace will show all major events and sessions related to rules and ACLQOS
• Errors will show errors encountered by ACLQOS

• In CLI: show system internal policy-mgr event-history [trace | errors]

Aclqos event-history trace
GUI deny hits Fabric
Common Policy
Policy for

• Change the facility filter “default” to severity “information”

GUI Deny Hits Fabric Inventory Pod-1 Leaf Node-X History Events

• Information enabled can be seen under a leaf node in Fabric>Inventory>Pod-1

• Click on the leaf, in the work pane click the History tab and then the Events sub-
GUI Contract/Filter Hits Fabric Inventory Pod-1 Leaf Node-X Rules

• Found under Fabric>Inventory>Pod-1>Leaf-node>Rules

• Click on the rule and click on the stats tab.
VMM Integration
Traffic flow!
• After the VMM Domain has been integrated to ACI, communication is proven to
be online through DVS and port groups being created, the fun can begin
• Add a hypervisor to the DVS and add the physical NICs that are connected to
the fabric as uplinks.
• Through the inventory population process, the APIC will be notified that a host
has been attached to one of its leafs
• CDP or LLDP neighbor adjacencies
• Once a VM is added to a port group, the APIC is notified and the VM is VMM
learned that a VM exists in that portgroup (EPG)
• When the VM starts sending traffic, then the VM is learned in a traditional (and
next-generation) sense. (show mac address-table and show endpoint)
Blade Server Adjacency

• hvsAdj object’s attribute ifId is supposed to point to a ACI Leaf interface

• With Blade Servers, ifId is the Veth on the FI
• hvsAdj has children
• hvsRsLsNode = target dn towards the unmanaged node which is the FI
• This is what we want to explore
• hvsRtNicAdj = target dn towards hpnic-vmnic2
hvsRsLsNode and fabricLooseNode
• Target DN relation towards a topology/lsnode-[FI-IP]/
• Starting to look more like a fabricPathEP that we would expect
• This object is a fabricLooseNode as described the tCl or target class

• fabricLooseNode has children of interest:

• fabricRtLsNode = references the hvsAdj
• fabricProtLooseLink = describes the location of where the FI’s are connected, the
interface policy group and the ProtPath in this case since there is a vPC involved.
• fabricProtLooseLink has the attribute protPathDn which is accually
referencing a fabricPathEp!
• Cloud is almost equivalent to vCenter Datacenter
• Portgroup in vCenter = Network Site = VM Network
• APIC and Windows Agents automatically provision Network Sites and VM Networks
when the Windows VMM Domain is associated to an EPG.
Case Studies
High Level Domain & EPG relation
AAEP Interfaces

VLAN Pool Domain

Static Path

What are Domains and why I need them?
• Domains tie together the Access Policy model to the Tenant/EPG model.
• When a domain is associated VLANs and interfaces are associated to an EPG
• Static Paths and Static VLAN pools work together with Domains to properly
program interfaces
• Imperative to have domains associated to EPGs when mixing VMM dynamic
domains and any other Domains
UCSB and port group hashing
• Known issue between UCSB FI’s and vCenter
• Problem exists in ACI
• Solved with vSwitch over ride for LACP
• Use MAC-Pinning so that port groups in vCenter are created as “route based on
originating virtual port”

You might also like