
Integrate Cisco ACI with VMware vCenter


Note: Be sure to review the Objectives and Job Aids links above for required information. Password Information and Command Lists for Detailed Lab Steps are in the Job Aids link.

Task 1: Configure VMM Domain Integration


You will define VMware vCenter as a virtual machine manager (VMM) on the Cisco APIC. This action will integrate Cisco ACI with VMware vCenter.
Cisco APIC will automatically provision DVS in VMware vCenter.

Cisco ACI supports two integration methods with VMware vCenter:

• Distributed Virtual Switch (VDS)
• Cisco ACI Virtual Edge (AVE)

In this activity, you will implement the native VDS. You need a dynamic VLAN pool to facilitate the VM Manager and Cisco ACI integration. The APIC
will signal the VLAN-to-EPG bindings to the vCenter.


• Step 1:

Connect to the Cisco APIC GUI and log in with admin credentials.

Tip:
On your Student PC, open Google Chrome and connect to the APIC GUI at [Link]. Accept the security warning and log in as
admin with password 1234QWer.

• Step 2:

Close the introduction window.

Tip:
On the Welcome to APIC page, check the Do not show on login check box and click Begin First Time Setup.
Click Close in the Set Up - Overview window.

• Step 3:

Create a new VLAN Pool.

Tip:
Go to Fabric > Access Policies > Pools. Right-click VLAN and choose Create VLAN Pool.

• Step 4:

Name the VLAN pool vCenter_VLANs with dynamic allocation and add an encapsulation block.

Tip:
In the Name field, enter vCenter_VLANs, set the Dynamic Allocation mode, and click the plus sign (+) to add an encapsulation block.

The name of the VLAN pool indicates its intended use.

Note
The allocation mode can be static or dynamic. The static mode allows you to individually select the VLAN IDs for the endpoint groups
(EPG) connected to the fabric. In the dynamic mode, the APIC uses an internal scheme to allocate VLANs to the EPGs. Integration with
VMM domains requires the dynamic allocation mode.

• Step 5:

Define the VLAN range 100–199. Leave all settings at their default values and save the configuration.

Tip:
In the Range field, enter values 100 and 199. Click OK.

The Inherit allocMode from parent setting takes over the allocation mode defined on the VLAN pool level, in this case dynamic.

Note

The role defines the use of the VLAN range. External or on the wire encapsulations are most commonly used for allocating VLANs for
each EPG assigned to a domain. The Cisco ACI Virtual Edge (Cisco AVE) uses the internal mode. With the Internal role, the VLANs are
not seen outside the ESXi host or on the wire.

• Step 6:

Save the VLAN pool configuration.

Tip:
Click Submit to complete the configuration of the VLAN pool.
Your VLAN pool will look as in the following figure.

• Step 7:

Create a new vCenter Domain.

Tip:
Go to Virtual Networking > VMware. Right-click VMware and choose Create vCenter Domain.

• Step 8:

Start the configuration of a vCenter domain with the following settings:

◦ Virtual Switch Name: vCenter_VMM
◦ Virtual Switch: VMware vSphere Distributed Switch (default option)
◦ VLAN Pool: vCenter_VLANs

Tip:
In the Virtual Switch Name field, enter vCenter_VMM. In the Virtual Switch field, choose the VMware vSphere Distributed Switch
option. From the VLAN Pool drop-down menu, choose vCenter_VLANs.

You will configure the Associated Attachable Entity Profile and assign it to the VMM domain later.

• Step 9:

Continuing the configuration of the vCenter domain, scroll down and configure the static port channel with mode on and enable CDP on
the vSwitch. Save the configuration.

Tip:
From the Port Channel Mode drop-down menu, choose Static Channel - Mode On (this defines the VDS uplink bundling mode and port-
group load-balancing mode). In the vSwitch Policy field, choose CDP. These parameters will be passed to the VDS. Click Submit.

Another common alternative is to use LLDP, which must be enabled in the respective interface policies. In this scenario, LLDP is disabled.
You can configure the vCenter Credentials and vCenter controller parameters from this page. Instead, you will add them from the
navigation menu.

• Step 10:

Create new credentials for vCenter.

Tip:
Expand the VMM domain, right-click Controllers, and choose Create vCenter Credential.

• Step 11:

Set the username administrator@[Link] and password 1234QWer* and save the configuration.

Tip:
In the Name field, enter Credential. In the Username field, enter administrator@[Link], and in the Password and Confirm Password
fields, enter the password 1234QWer*. Click Submit.

Before completing the VMM domain configuration, you will connect to the vCenter and verify that no VDS exists. When you complete the
configuration, the VDS will be automatically pushed to the vCenter.

• Step 12:

Use your browser to navigate to the vCenter vSphere web client and log in with administrator credentials.

Tip:
Open another tab and go to [Link]. Accept the security warnings caused by the untrusted certificate and click LAUNCH
VSPHERE CLIENT (HTML5). Log in to the vSphere web client as administrator@[Link] with the password 1234QWer*.

Note

The vCenter can take several minutes to be ready. When it becomes active and reachable, you will be able to see the elements.

• Step 13:

Verify that no VDS currently exists in the data center DC.

Tip:
In the vSphere Web Client, go to Networking, expand the data center DC, and verify that no VDS exists.
You should not see a VDS because you still need to complete the VMM domain configuration on the APIC. Therefore, the VDS still needs
to be pushed to the vCenter.

• Step 14:

Back in the APIC user interface, create a vCenter Controller.

Tip:
In the APIC GUI, in the Controllers menu, choose Create vCenter Controller.

You can add child elements by right-clicking the parent in the navigation pane or by choosing the Tools button.

• Step 15:

Configure a vCenter controller with the following settings and save the configuration:

◦ Name: vCenter
◦ Host Name (or IP Address): [Link]
◦ DVS Version: vCenter Default
◦ Datacenter: DC
◦ Associated Credential: Credential

Tip:
In the Name field, enter vCenter. In the Host Name (or IP Address) field, enter [Link]. From the DVS Version drop-down menu,
choose vCenter Default. This option will provision a VDS version appropriate for the vCenter version. In the Datacenter field, enter DC.
The data center name must match the data center defined in the VMware vCenter. From the Associated Credential drop-down menu,
choose Credential. Leave other parameters at default values and click Submit.

Task 2: Verify Cisco APIC Connection to VMware vCenter Server

The APIC should have provisioned a VDS in the vCenter. You will verify its settings.


• Step 1:

Verify the VDS that the APIC has pushed.

Tip:
In the vSphere Web Client, in Networking, expand the DC data center, the new VDS folder, and the new VDS.
You should see a VDS with the name of the configured vCenter domain (vCenter_VMM) within a folder of the same name. The VDS
includes two networks that have been automatically created.

• Step 2:

Verify that CDP has been enabled on this VDS in both directions.

Tip:
In the vSphere Web Client, choose the VDS, click the Configure tab, and verify the Discovery Protocol settings (under Settings >
Properties > Discovery Protocol).

Task 3: Configure AAEP to Selectively Allow VLAN Traffic

Attachable Access Entity Profiles (AAEPs) can be considered the "where" of the fabric configuration and are used to group domains with similar
requirements. They allow a one-to-many relationship between the interface policy groups and domains.

AAEPs are tied to interface policy groups. One or more domains are added to an AAEP. By associating domains with AAEPs, the fabric knows where
the various devices in the domain reside. Cisco APIC can push the VLANs and policy to the required interfaces.


• Step 1:

In the APIC UI, create a new AAEP.

Tip:
In the APIC user interface, go to Fabric > Access Policies > Policies > Global, right-click Attachable Access Entity Profiles, and
choose Create Attachable Access Entity Profile.

Note

An AAEP bundles groups of interfaces through Interface Policy Groups, which contain multiple interfaces that share the same port level
policies, such as LLDP. An AAEP is attached to a domain, linking logical resources such as EPG to a group of interfaces (via AAEP) and
VLANs (via VLAN pool). An AAEP can be attached to more than one domain.

• Step 2:

Name the AAEP HOST_AAEP and add a vCenter_VMM domain.

Tip:
In the Name field, enter HOST_AAEP. Click the plus sign (+) to add a domain and select the vCenter_VMM domain.
The name of the AAEP HOST_AAEP indicates its intended use, which is to attach the ESXi host to the fabric.

Note

The Enable Infrastructure VLAN option would trunk the infra VLAN on all interfaces under this AAEP. It is required for certain VMM integration
purposes but is not used here.

• Step 3:

Update the AAEP configuration, verify the Encapsulation details, and go to the next configuration step.

Tip:
Click Update, and verify that the Encapsulation details list from:vlan-100 to:vlan-199. Click Next.

Note

The encapsulation details are automatically retrieved from the physical domain and the referenced VLAN pool.

• Step 4:

Complete the AAEP configuration without assigning the AAEP to your interface policy group.

Tip:
Do not change any configuration in the Association To Interfaces step and click Finish.
If the AAEP was already assigned to an interface policy group, you could confirm the resulting interface association on this page.

• Step 5:

Associate the HOST_AAEP AAEP with your VPC policy group Leaf101..[Link]_VPCIPG and save the configuration.

Tip:
Go to Interfaces > Leaf Interfaces > Policy Groups > VPC Interface and select your VPC policy group Leaf101..[Link]_VPCIPG.
Scroll down, expand the Attached Entity Profile drop-down menu, and then choose HOST_AAEP. Click Submit and Submit Changes.

Task 4: Associate VMM Domain with EPGs

You will associate EPGs with the VMM domain. For each EPG that you associate with the VMM domain, Cisco APIC will automatically provision a
port group in the VDS.


• Step 1:

Associate the VMM domain with App_EPG.

Tip:
In the APIC user interface, within your Sales tenant, go to Application Profiles > eCommerce_AP > Application EPGs. Right-click the
App_EPG and choose Add VMM Domain Association.

• Step 2:

Choose your vCenter domain profile vCenter_VMM, leave all parameters at their default values, and save the configuration.

Tip:
In the VMM Domain Profile drop-down menu, select vCenter_VMM and click Submit without any other changes.

Dynamic VLAN mode will cause the APIC to assign VLANs to the EPG and port group dynamically. The VLAN IDs will be retrieved from
the VLAN pool.
After policies are downloaded to the leaf software, deployment immediacy can specify when the policy is pushed into the hardware policy
content-addressable memory (CAM). The options are immediate and on-demand.

Note

Resolution immediacy specifies whether policies are resolved immediately or when needed. In the Immediate variant, EPG policies
(including VLANs, contracts, and filters) are downloaded to the associated leaf switch software when the hypervisor is attached to the VDS
and hypervisor-to-leaf attachment is confirmed. LLDP or CDP is used to resolve the hypervisor-to-leaf attachments.

• Step 3:

In DB_EPG and Web_EPG, use the same method to associate the EPGs with your VMM domain.

Tip:
The following figure shows the association of the DB_EPG.
The following figure shows the association of the Web_EPG.

• Step 4:

In the vSphere client, examine the port groups within the VDS vCenter_VMM.

Tip:
Examine the port groups by expanding the VDS or in the Networks tab. Refresh the browser if needed.
Under the quarantine port group, you should see three port groups that correspond to the associated EPGs. The VLAN IDs will be from the
VLAN range (100–199) and different from the example shown here. The Cisco APIC assigned them dynamically from the VLAN pool.
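
The objects that Tasks 1, 3 and 4 create through the GUI, written as the equivalent APIC REST JSON together with a check of the pool, domain, AAEP and EPG reference chain. This is an added example, not part of the original lab; the class and attribute names are from the ACI object model, the host and account passed in are the caller's own values, and nothing is sent to an APIC (each group would be POSTed to /api/mo/<parent DN>.json).

```python
POOL, DOMAIN, AAEP = "vCenter_VLANs", "vCenter_VMM", "HOST_AAEP"
POOL_DN = f"uni/infra/vlanns-[{POOL}]-dynamic"  # the pool DN encodes the allocation mode
DOMAIN_DN = f"uni/vmmp-VMware/dom-{DOMAIN}"
EPGS = ("App_EPG", "DB_EPG", "Web_EPG")  # tenant Sales, application profile eCommerce_AP

def mo(cls, children=(), **attrs):  # APIC REST JSON envelope for one managed object
    return {cls: {"attributes": attrs, "children": list(children)}}

def build_lab_objects(vcenter_host, username, password):
    """Return {parent DN: [objects]} for Tasks 1, 3 and 4; nothing is sent."""
    block = mo("fvnsEncapBlk", **{"from": "vlan-100", "to": "vlan-199",
                                  "allocMode": "inherit", "role": "external"})
    objs = {
        "uni/infra": [
            mo("fvnsVlanInstP", [block], name=POOL, allocMode="dynamic"),
            mo("infraAttEntityP", [mo("infraRsDomP", tDn=DOMAIN_DN)], name=AAEP),
        ],
        "uni/vmmp-VMware": [mo("vmmDomP", [
            mo("infraRsVlanNs", tDn=POOL_DN),
            mo("vmmUsrAccP", name="Credential", usr=username, pwd=password),
            mo("vmmCtrlP", [mo("vmmRsAcc", tDn=f"{DOMAIN_DN}/usracc-Credential")],
               name="vCenter", hostOrIp=vcenter_host, rootContName="DC"),
        ], name=DOMAIN)],
    }
    for epg in EPGS:  # Task 4: one domain association per EPG
        objs[f"uni/tn-Sales/ap-eCommerce_AP/epg-{epg}"] = [mo("fvRsDomAtt", tDn=DOMAIN_DN)]
    return objs

def find(objs, cls):
    """Yield the attributes of every object of class cls, at any depth."""
    stack = [o for group in objs.values() for o in group]
    while stack:
        (name, body), = stack.pop().items()
        if name == cls:
            yield body["attributes"]
        stack.extend(body["children"])

def check_chain(objs):
    """List breaks in the pool -> domain -> AAEP and EPG reference chain."""
    problems = []
    if any(p["allocMode"] != "dynamic" for p in find(objs, "fvnsVlanInstP")):
        problems.append("VLAN pool is not dynamic; VMM integration requires it")
    if [r["tDn"] for r in find(objs, "infraRsVlanNs")] != [POOL_DN]:
        problems.append("VMM domain does not reference the dynamic pool")
    if DOMAIN_DN not in [r["tDn"] for r in find(objs, "infraRsDomP")]:
        problems.append("AAEP does not include the VMM domain")
    bound = sum(r["tDn"] == DOMAIN_DN for r in find(objs, "fvRsDomAtt"))
    if bound != len(EPGS):
        problems.append(f"only {bound} of {len(EPGS)} EPGs are bound to the domain")
    return problems
```
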

Task 5: Add ESXi Host to the VDS (Optional)


Because your ESXi host is not attached to a physical fabric, you cannot verify traffic flows exchanged between the VMs through the fabric.
Nevertheless, you can optionally add the ESXi host to the ACI-managed VDS that the Cisco APIC has created to practice the procedure for real-life
scenarios.

In this optional task, you will assign three VMs to their respective VDS port group; the VMs will belong to the appropriate EPGs. If the host was
connected to the leafs, the communication between the endpoints would be controlled by the applied contracts.


• Step 1:

In the vSphere Web Client, add a host to your new VDS.

Tip:
In the vSphere Web Client, go to Networking. Right-click the created VDS and choose Add and Manage Hosts.

• Step 2:

Select a task to add a new host to the distributed switch.

Tip:
On the Select task page, keep the default Add hosts selection. Click Next.

• Step 3:

Select your host to be added to the distributed switch.

Tip:
On the (2) Select hosts page, select your ESXi ([Link]). Click Next.

• Step 4:

Don’t add any physical adapters. In this scenario, there is no hardware fabric.

Tip:
On the (3) Manage physical network adapters page, click Next. If the host was physically connected to the leafs, you would define the
uplinks on this page.

• Step 5:

Confirm that the host has no physical network adapters attached to the fabric.

Tip:
In the Warning window click OK.

• Step 6:

Do NOT assign any VMkernel network adapters to the distributed switch.

Tip:
On the (4) Manage VMkernel adapters page, click Next.

• Step 7:

Do not migrate any virtual machines or network adapters to the distributed switch.

Tip:
On the (5) Migrate VM networking page, click Next.

• Step 8:

Review the settings and add your host to the VDS.

Tip:
On the (6) Ready to complete page, click Finish.

• Step 9:

In the vSphere Web Client, manage a host added to your new VDS.

Tip:
In the vSphere Web Client, right-click the created VDS and choose Add and Manage Hosts.

• Step 10:

Select a task to manage host networking of hosts attached to this distributed switch.

Tip:
On the (1) Select task page, select Manage host networking and click Next.

• Step 11:

Select your host to be managed.

Tip:
On the (2) Select hosts page, select your ESXi ([Link]). Click Next.

• Step 12:

Do not add any physical adapters.

Tip:
On the (3) Manage physical network adapters page, click Next and OK to confirm that no adapters are attached to the fabric.

• Step 13:

Do not assign any VMkernel network adapters to the distributed switch.

Tip:
On the (4) Manage VMkernel adapters page, click Next.

• Step 14:

Perform these assignments:

◦ APP_VM to Sales|eCommerce_APP|App_EPG
◦ DB_VM to Sales|eCommerce_APP|DB_EPG
◦ WEB_VM to Sales|eCommerce_APP|Web_EPG

Tip:
On the (5) Migrate VM networking page, check the Migrate virtual machine networking check box. Then, navigate to the Configure
per Virtual Machine tab. Click the double arrow in front of the Network Adapter 1 for APP_VM to open a Select Network field. Click
Assign to assign the adapter to its respective EPG-backed port group, in this case, Sales|eCommerce_APP|App_EPG. Click the
double arrow again to close the Select Network field.
Repeat the procedure for DB_VM and WEB_VM. You must go to the second page of the Virtual machine list to find WEB_VM. Click
Next.

• Step 15:

Review the settings and migrate the VMs to the VDS.

Tip:
On the (6) Ready to complete page, click Finish to migrate the virtual machines.

This VM migration completes the lab exercise. You may check the results by examining the settings of the individual virtual machine. You
will not be able to examine the inter-EPG traffic flows because the host is not attached to the hardware fabric.

Lab Completion Instructions


You have now completed this lab exercise.
Please click 'End Session'.

Choose 'Exit'.
