Implementing ACI
Authored By:
Khawar Butt
CCIE # 12353
Hepta CCIE#12353
CCDE # 20110020
Fabric Discovery
Netmetric Solutions
Http://www.Netmetric-Solutions.com
Copyrights Kbits.live 2015-2025
Website: http://www.kbits.live; Email: kb@kbits.live
Lab 1 – Fabric Discovery
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Fabric Discovery
➢ Discover the Fabric and assign the Node Name and Node ID based on
the following table:
Node Name   Node ID   POD#
LEAF-01     101       1
LEAF-02     102       1
SPINE-01    201       1
SPINE-02    202       1
➢ Log into your APIC using the Username and Password provided.
➢ Click Fabric -> Inventory -> Fabric Membership
➢ You will see the first Leaf discovered.
➢ Right-click the Leaf and click Register Switch.
➢ Assign it the parameters from the above table for LEAF-01.
➢ Click Update.
➢ The first Leaf will be registered. It will be assigned an IP Address from
the Bootstrap Pool.
➢ It will discover the Spines. We have 2 Spines. They should show up in
the Fabric Membership window.
➢ Right-click the first Spine switch and click Register Switch.
➢ Assign it the parameters from the above table for SPINE-01.
➢ Click Update.
➢ Repeat the process for the second Spine switch. Assign it the
parameters from the above table for SPINE-02.
➢ Click Update.
➢ It will discover the 2nd Leaf switch now.
➢ Right-click the second Leaf switch and click Register Switch.
➢ Assign it the parameters from the above table for LEAF-02.
➢ Click Update.
➢ Your Fabric Membership should look like the following diagram.
➢ Notice the IP Address and Role.
➢ The role is automatically detected based on the Switch Model.
➢ This portion of your topology is configured now.
[Figure: the configured portion of the topology, showing Spine-1, Spine-2, Leaf-1 and Leaf-2.]
Access Provisioning – Topology I
Lab 2 – Access Provisioning
– Interface Policies
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Access Port Interface Policies
Note: The Access Provisioning labs are based on the Fabric Provisioning
completed in Lab 1.
➢ You are planning on configuring the above topology for ACI. Besides
the devices displayed above, the Servers & Clients will be connected to
the following ports on the 2 Leaf switches.
o Clients
▪ LEAF-01 – Ports 1/1 – 15
▪ LEAF-02 – Ports 1/1 – 20
o Servers
▪ LEAF-01 – Ports 1/16 – 25
▪ LEAF-02 – Ports 1/21 – 28
➢ The port properties for the Devices will be based on the following
table:
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
➢ Configure all the Policies defined in the table above.
Task 1 – Configure the Interface Policies – CDP
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
CDP Policies
➢ Configure CDP Policies based on the following:
o Policy # 1
▪ Name: CDP-ON
▪ Admin-State: Enabled
o Policy # 2
▪ Name: CDP-OFF
▪ Admin-State: Disabled
Task 2 – Configure the Interface Policies – LLDP
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
LLDP Policies
➢ Configure LLDP Policies based on the following:
o Policy # 1
▪ Name: LLDP-ON
▪ Transmit – Enabled
▪ Receive – Enabled
o Policy # 2
▪ Name: LLDP-OFF
▪ Transmit – Disabled
▪ Receive – Disabled
Task 3 – Configure the Interface Policies – Link Level
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Link Level
➢ Configure Link Level Policies based on the following:
o Policy # 1
▪ Name: 1G-AUTO
▪ Speed – 1 gbps
o Policy # 2
▪ Name: 10G-AUTO
▪ Speed – 10 gbps
o Policy # 3
▪ Name: 40G-AUTO
▪ Speed – 40 gbps
Task 4 – Configure the Interface Policies – Port Security
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Port Security
➢ Configure Port Security Policies based on the following:
o Policy # 1
▪ Name: PS-1
▪ Parameters: Maximum EndPoints – 1
o Policy # 2
▪ Name: PS-5
▪ Parameters: Maximum EndPoints – 5
Task 5 – Configure the Interface Policies – Storm Control
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Storm Control
➢ Configure Storm Control Policies based on the following:
o Policy # 1
▪ Name: SC-50
▪ Percentages: 50
o Policy # 2
▪ Name: SC-60
▪ Percentages: 60
Task 6 – Configure the Interface Policies – Storm Control
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Storm Control
➢ Configure Storm Control Policies based on the following:
o Policy # 1
▪ Name: SC-50
▪ Percentages: 50
o Policy # 2
▪ Name: SC-60
▪ Percentages: 60
Task 7 – Configure the Interface Policies – BPDU Guard
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Spanning Tree
➢ Configure Spanning Tree Policies based on the following:
o Policy # 1
▪ Name: STP-BPDUGUARD
▪ BPDU Guard: Enabled
Lab 3 – Access Provisioning
– Leaf Access Port IPGs
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Access Port IPGs
➢ Configure the IPGs for Clients, Servers & Routers based on the table
below. Switch IPGs will be created later.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 1 – Configure the Interface Policy Groups – Clients
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Client IPG based on the following:
o Name: IPG-CLIENTS
o CDP: CDP-OFF
o LLDP: LLDP-OFF
o Port Security: PS-1
o Storm Control: SC-50
o Link Level: 1G-AUTO
o Spanning Tree: STP-BPDUGUARD
Task 2 – Configure the Interface Policy Groups – Servers
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Server IPG based on the following:
o Name: IPG-SERVERS
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Port Security: PS-5
o Storm Control: SC-60
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
Task 3 – Configure the Interface Policy Groups – Routers
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Router IPG based on the following:
o Name: IPG-ROUTERS
o CDP: CDP-ON
o LLDP: LLDP-OFF
o Port Security: PS-1
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
Lab 4 – Access Provisioning
– Switch IPGs
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Port Channel IPGs
➢ Configure the IPGs for SW1, SW2 & SW3 based on the table below.
Use LACP Active for the Port-Channel Protocol. SW4 IPG will be
created later.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 1 – Configure the Interface Policies – Port-Channel
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Port-Channel
➢ Configure Port-Channel Policy based on the following:
o Policy # 1
▪ Name: LACP-Active
▪ Mode: Active
Task 2 – Configure the Interface Policy Groups – SW1
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the SW1 IPG based on the following:
o Name: IPG-SW1
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
Task 3 – Configure the Interface Policy Groups – SW2
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> PC Policy Group
➢ Configure the SW2 IPG based on the following:
o Name: IPG-SW2-PC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
o Port Channel: LACP-Active
Task 4 – Configure the Interface Policy Groups – SW3
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> PC Policy Group
➢ Configure the SW3 IPG based on the following:
o Name: IPG-SW3-PC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
o Port Channel: LACP-Active
Lab 5 – Access Provisioning
– Configuring vPC Domain
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – vPC
Task 1 – Configure a vPC Domain between Leaf-01 & Leaf-02
➢ Click Fabric -> Access Policies -> Switch Policies -> Policies ->
Virtual Port Channel Default
➢ Configure a vPC between Leaf-01 & Leaf-02. Use the following
parameters:
▪ Name: vPC-LEAF-01-02
▪ Domain ID: 12
▪ VPC Domain Policy: Default
▪ Switch 1: 101
▪ Switch 2: 102
Lab 6 – Access Provisioning
– vPC IPG
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Virtual Port Channel IPGs
➢ Configure an IPG for SW4 based on the table below. Use LACP Active
for the Port-Channel Protocol.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 2 – Configure the Interface Policy Groups – SW4
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> vPC Policy Group
➢ Configure the SW4 IPG based on the following:
o Name: IPG-SW4-vPC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
o Port Channel: LACP-Active
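The audit below is an added example, not part of the original workbook: it compares every IPG defined in Labs 3, 4 and 6 with the port-property table and reports each setting that differs. The dictionary layout and function names are assumptions of this example; blank table cells are treated as "not specified".

```python
# Added example: values are transcribed from the labs; the data layout and
# function names are assumptions of this example, not APIC objects.

# Port-property table: device type -> {table row: required value}.
# A row missing for a device type means the table leaves that cell blank.
BASELINE = {
    "Clients":  {"CDP": "Disabled", "LLDP": "Disabled", "Port Security": "1",
                 "Storm Control": "50%", "Speed": "1G", "STP": "Enabled"},
    "Servers":  {"CDP": "Disabled", "LLDP": "Enabled", "Port Security": "5",
                 "Storm Control": "60%", "Speed": "10G", "STP": "Enabled"},
    "Routers":  {"CDP": "Enabled", "LLDP": "Disabled", "Port Security": "1",
                 "Speed": "10G", "STP": "Enabled"},
    "Switches": {"CDP": "Enabled", "LLDP": "Disabled",
                 "Storm Control": "60%", "Speed": "40G"},
}

# What each interface policy from Lab 2 sets: policy name -> (table row, value).
# The labs implement the "STP Enabled" row with the BPDU Guard policy.
POLICY_VALUE = {
    "CDP-ON": ("CDP", "Enabled"), "CDP-OFF": ("CDP", "Disabled"),
    "LLDP-ON": ("LLDP", "Enabled"), "LLDP-OFF": ("LLDP", "Disabled"),
    "PS-1": ("Port Security", "1"), "PS-5": ("Port Security", "5"),
    "SC-50": ("Storm Control", "50%"), "SC-60": ("Storm Control", "60%"),
    "1G-AUTO": ("Speed", "1G"), "10G-AUTO": ("Speed", "10G"),
    "40G-AUTO": ("Speed", "40G"),
    "STP-BPDUGUARD": ("STP", "Enabled"),
}

# IPG -> (device type, policies selected in Labs 3, 4 and 6).
# LACP-Active is left out because the table has no port-channel row.
SWITCH_POLICIES = ["CDP-OFF", "LLDP-ON", "SC-60", "40G-AUTO"]
IPGS = {
    "IPG-CLIENTS": ("Clients", ["CDP-OFF", "LLDP-OFF", "PS-1", "SC-50",
                                "1G-AUTO", "STP-BPDUGUARD"]),
    "IPG-SERVERS": ("Servers", ["CDP-OFF", "LLDP-ON", "PS-5", "SC-60",
                                "10G-AUTO", "STP-BPDUGUARD"]),
    "IPG-ROUTERS": ("Routers", ["CDP-ON", "LLDP-OFF", "PS-1", "10G-AUTO",
                                "STP-BPDUGUARD"]),
    "IPG-SW1": ("Switches", SWITCH_POLICIES),
    "IPG-SW2-PC": ("Switches", SWITCH_POLICIES),
    "IPG-SW3-PC": ("Switches", SWITCH_POLICIES),
    "IPG-SW4-vPC": ("Switches", SWITCH_POLICIES),
}


def effective_settings(policy_names):
    """Collapse a list of policy names into {table row: value}."""
    settings = {}
    for name in policy_names:
        row, value = POLICY_VALUE[name]
        settings[row] = value
    return settings


def audit():
    """Return (ipg, row, expected, actual) for every row that differs.

    Rows the table leaves blank count as 'not specified'; rows the IPG
    does not set count as 'not set', so both omissions and extras show up.
    """
    findings = []
    for ipg, (device_type, policies) in IPGS.items():
        expected = BASELINE[device_type]
        actual = effective_settings(policies)
        for row in sorted(set(expected) | set(actual)):
            want = expected.get(row, "not specified")
            got = actual.get(row, "not set")
            if want != got:
                findings.append((ipg, row, want, got))
    return findings


if __name__ == "__main__":
    for ipg, row, want, got in audit():
        print(f"{ipg}: {row} is {got}, table says {want}")
```

The client, server and router IPGs match the table; the findings are the CDP and LLDP selections on the four switch IPGs, which are the reverse of the table's Switches column.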
Lab 7 – Access Provisioning
– Interface Profile
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Interface Profile
➢ You are planning on configuring the above topology for ACI. Besides
the devices displayed above, the Servers & Clients will be connected to
the following ports on the 2 Leaf switches.
Task 1 – Configure Interface Profiles
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> vPC Policy Group
➢ Configure an Interface Profile based on the following:
Interface Profile: INT-PROF-1
Interface Names    Ports      IPGs
E1-15-CLIENTS      1/1-15     IPG-CLIENTS
E16-25-SERVERS     1/16-25    IPG-SERVERS
E26-27-ROUTERS     1/26-27    IPG-ROUTERS
E28-SW1            1/28       IPG-SW1
E29-30-SW2-PC      1/29-30    IPG-SW2-PC
E35-SW4-vPC        1/35       IPG-SW4-vPC
➢ Configure an Interface Profile based on the following:
Interface Profile: INT-PROF-2
Interface Names    Ports      IPGs
E1-20-CLIENTS      1/1-20     IPG-CLIENTS
E21-28-SERVERS     1/21-28    IPG-SERVERS
E29-30-ROUTERS     1/29-30    IPG-ROUTERS
E31-32-SW3-PC      1/31-32    IPG-SW3-PC
E39-SW4-vPC        1/39       IPG-SW4-vPC
Lab 8 – Access Provisioning
– Switch Profile
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Switch Profile
➢ Assign the Interface Profiles created in the previous labs to the
appropriate Leaf Switches.
Task 1 – Configure Switch Profiles
➢ Click Fabric -> Access Policies -> Switch Policies -> Profiles
➢ Configure a Switch Profile based on the following:
o Name: SW-PROF-1
o Leaf Name: LEAF-01
o Leaf Node ID: 101
o Interface profile: INT-PROF-1
➢ Configure a Switch Profile based on the following:
o Name: SW-PROF-2
o Leaf Name: LEAF-02
o Leaf Node ID: 102
o Interface profile: INT-PROF-2
Lab 9 – Access Provisioning
– VLAN Pools
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – VLAN Pool
➢ Create a VLAN Pool to be assigned to the Domain
Task 1 – Configure VLAN Pool
➢ Click Fabric -> Access Policies -> Pools -> VLANS
➢ Create a Pool of VLANs that will be used within ACI for Physical ACI
Ports:
o Name: VLAN-POOL-ACI
o Leaf Name: Static Allocation
o Range: 1-500
➢ Create a Pool of VLANs that will be used within ACI for External
Bridged Ports:
o Name: VLAN-POOL-L2
o Leaf Name: Static Allocation
o Range: 400-500
➢ Create a Pool of VLANs that will be used within ACI for External
Routed Ports:
o Name: VLAN-POOL-L3
o Leaf Name: Static Allocation
o Range: 1-400
Lab 10 – Access Provisioning
– Domains
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Domains
➢ Create Domains to specify port types.
Task 1 – Configure a Physical Domain (Physical ACI Ports)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
Physical Domains
➢ Create a Physical Domain and link it to the VLAN Pool based on the
following:
o Name: ACI-PORTS
o VLAN Pool: VLAN-POOL-ACI
Task 2 – Configure an External L2 Domain (Connecting to Non-ACI
Switches for L2OUT)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
External Bridged Domain
➢ Create an External Bridged Domain and link it to the VLAN Pool based
on the following:
o Name: EXT-L2-PORTS
o VLAN Pool: VLAN-POOL-L2
Task 3 – Configure an External L3 Domain (Connecting to Non-ACI
L3 Devices for L3OUT)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
External Routed Domains
➢ Create an External Routed Domain and link it to the VLAN Pool based
on the following:
o Name: EXT-L3-PORTS
o VLAN Pool: VLAN-POOL-L3
Lab 11 – Access Provisioning
– AAEP
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-4, R1, R2, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – AAEP
➢ Link the Port Types (Domains/VLANs) to IPGs (Physical Ports)
Task 1 – Create an AAEP for Physical ACI Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for ACI Ports and link it to the Domain & IPGs based
on the following:
o Name: AAEP-ACI
o Domain: ACI-PORTS
o IPGs: IPG-CLIENTS & IPG-SERVERS
Task 2 – Create an AAEP for External L2 Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for External L2 Ports and link it to the Domain & IPGs based
on the following:
o Name: AAEP-L2-PORTS
o Domain: EXT-L2-PORTS
o IPGs: IPG-SW1, IPG-SW2-PC, IPG-SW3-PC & IPG-SW4-vPC
Task 3 – Create an AAEP for External L3 Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for External L3 Ports and link it to the Domain & IPGs based
on the following:
o Name: AAEP-L3-PORTS
o Domain: EXT-L3-PORTS
o IPGs: IPG-ROUTERS
This completes the Access Provisioning Process. The next set of labs
will repeat it for a different physical topology.
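The Topology I access-policy chain built in Labs 7 to 11, as an added example that is not part of the original workbook: it resolves a leaf port through Switch Profile, Interface Profile, IPG, AAEP and Domain to the VLAN range that port may carry, and checks the design for overlapping port selectors, IPGs with no AAEP, and VLAN pools that share IDs. The data layout and function names are assumptions of this example.

```python
from itertools import combinations

# Added example: values are transcribed from Labs 7-11 (Topology I).
# Port numbers are the x in 1/x; the data layout is an assumption.
SWITCH_PROFILES = {101: "INT-PROF-1", 102: "INT-PROF-2"}  # leaf node ID -> interface profile
INTERFACE_PROFILES = {  # profile -> (selector name, first port, last port, IPG)
    "INT-PROF-1": [
        ("E1-15-CLIENTS", 1, 15, "IPG-CLIENTS"),
        ("E16-25-SERVERS", 16, 25, "IPG-SERVERS"),
        ("E26-27-ROUTERS", 26, 27, "IPG-ROUTERS"),
        ("E28-SW1", 28, 28, "IPG-SW1"),
        ("E29-30-SW2-PC", 29, 30, "IPG-SW2-PC"),
        ("E35-SW4-vPC", 35, 35, "IPG-SW4-vPC"),
    ],
    "INT-PROF-2": [
        ("E1-20-CLIENTS", 1, 20, "IPG-CLIENTS"),
        ("E21-28-SERVERS", 21, 28, "IPG-SERVERS"),
        ("E29-30-ROUTERS", 29, 30, "IPG-ROUTERS"),
        ("E31-32-SW3-PC", 31, 32, "IPG-SW3-PC"),
        ("E39-SW4-vPC", 39, 39, "IPG-SW4-vPC"),
    ],
}
AAEPS = {  # AAEP -> (domain, IPGs linked to it)
    "AAEP-ACI": ("ACI-PORTS", ["IPG-CLIENTS", "IPG-SERVERS"]),
    "AAEP-L2-PORTS": ("EXT-L2-PORTS",
                      ["IPG-SW1", "IPG-SW2-PC", "IPG-SW3-PC", "IPG-SW4-vPC"]),
    "AAEP-L3-PORTS": ("EXT-L3-PORTS", ["IPG-ROUTERS"]),
}
DOMAINS = {  # domain -> VLAN pool
    "ACI-PORTS": "VLAN-POOL-ACI",
    "EXT-L2-PORTS": "VLAN-POOL-L2",
    "EXT-L3-PORTS": "VLAN-POOL-L3",
}
VLAN_POOLS = {  # pool -> (first VLAN, last VLAN), inclusive
    "VLAN-POOL-ACI": (1, 500),
    "VLAN-POOL-L2": (400, 500),
    "VLAN-POOL-L3": (1, 400),
}


def resolve(node_id, port):
    """Follow the chain for one leaf port; None if no selector covers it."""
    profile = SWITCH_PROFILES.get(node_id)
    for selector, first, last, ipg in INTERFACE_PROFILES.get(profile, []):
        if first <= port <= last:
            result = {"selector": selector, "ipg": ipg,
                      "aaep": None, "domain": None, "vlans": None}
            for aaep, (domain, ipgs) in AAEPS.items():
                if ipg in ipgs:
                    result.update(aaep=aaep, domain=domain,
                                  vlans=VLAN_POOLS[DOMAINS[domain]])
                    break
            return result
    return None


def overlapping_selectors(profile):
    """Pairs of selector names in one profile whose port ranges intersect."""
    selectors = INTERFACE_PROFILES[profile]
    return [(a[0], b[0]) for a, b in combinations(selectors, 2)
            if a[1] <= b[2] and b[1] <= a[2]]


def unattached_ipgs():
    """IPGs used by a port selector but linked to no AAEP (no VLANs usable)."""
    attached = {ipg for _, ipgs in AAEPS.values() for ipg in ipgs}
    used = {sel[3] for sels in INTERFACE_PROFILES.values() for sel in sels}
    return sorted(used - attached)


def pool_overlaps():
    """Pairs of VLAN pools that share VLAN IDs, with the shared range."""
    shared = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(VLAN_POOLS.items(), 2):
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo <= hi:
            shared.append((a, b, (lo, hi)))
    return shared


if __name__ == "__main__":
    print(resolve(101, 26))   # router port on LEAF-01
    print(resolve(101, 31))   # port with no selector
    print(pool_overlaps())
```

Port selectors do not overlap and every IPG is linked to an AAEP; the three VLAN pools do share IDs (400-500, 1-400 and VLAN 400), which is worth reviewing before EPGs are bound to these ports.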
Access Provisioning – Topology II
Lab 12 – Access Provisioning
– Interface Policies
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Access Port Interface Policies
Note: The Access Provisioning labs are based on the Fabric Provisioning
completed in Lab 1.
➢ You are planning on configuring the above topology for ACI. Besides
the devices displayed above, the Servers & Clients will be connected to
the following ports on the 2 Leaf switches.
o Clients
▪ LEAF-01 – Ports 1/1 – 20
▪ LEAF-02 – Ports 1/1 – 30
o Servers
▪ LEAF-01 – Ports 1/21 – 30
▪ LEAF-02 – Ports 1/31 – 40
➢ The port properties for the Devices will be based on the following
table:
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
➢ Configure all the Policies defined in the table above.
Task 1 – Configure the Interface Policies – CDP
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
CDP Policies
➢ Configure CDP Policies based on the following:
o Policy # 1
▪ Name: CDP-ON
▪ Admin-State: Enabled
o Policy # 2
▪ Name: CDP-OFF
▪ Admin-State: Disabled
Task 2 – Configure the Interface Policies – LLDP
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
LLDP Policies
➢ Configure LLDP Policies based on the following:
o Policy # 1
▪ Name: LLDP-ON
▪ Transmit – Enabled
▪ Receive – Enabled
o Policy # 2
▪ Name: LLDP-OFF
▪ Transmit – Disabled
▪ Receive – Disabled
Task 3 – Configure the Interface Policies – Link Level
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Link Level
➢ Configure Link Level Policies based on the following:
o Policy # 1
▪ Name: 1G-AUTO
▪ Speed – 1 gbps
o Policy # 2
▪ Name: 10G-AUTO
▪ Speed – 10 gbps
o Policy # 3
▪ Name: 40G-AUTO
▪ Speed – 40 gbps
Task 4 – Configure the Interface Policies – Port Security
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Port Security
➢ Configure Port Security Policies based on the following:
o Policy # 1
▪ Name: PS-1
▪ Parameters: Maximum EndPoints – 1
o Policy # 2
▪ Name: PS-5
▪ Parameters: Maximum EndPoints – 5
Task 5 – Configure the Interface Policies – Storm Control
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Storm Control
➢ Configure Storm Control Policies based on the following:
o Policy # 1
▪ Name: SC-50
▪ Percentages: 50
o Policy # 2
▪ Name: SC-60
▪ Percentages: 60
Task 6 – Configure the Interface Policies – Storm Control
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Storm Control
➢ Configure Storm Control Policies based on the following:
o Policy # 1
▪ Name: SC-50
▪ Percentages: 50
o Policy # 2
▪ Name: SC-60
▪ Percentages: 60
Task 7 – Configure the Interface Policies – BPDU Guard
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Spanning Tree
➢ Configure Spanning Tree Policies based on the following:
o Policy # 1
▪ Name: STP-BPDUGUARD
▪ BPDU Guard: Enabled
Lab 13 – Access Provisioning
– Leaf Access Port IPGs
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Access Port IPGs
➢ Configure the IPGs for Clients, Servers & Routers based on the table
below. Switch IPGs will be created later.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 1 – Configure the Interface Policy Groups – Clients
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Client IPG based on the following:
o Name: IPG-CLIENTS
o CDP: CDP-OFF
o LLDP: LLDP-OFF
o Port Security: PS-1
o Storm Control: SC-50
o Link Level: 1G-AUTO
o Spanning Tree: STP-BPDUGUARD
Task 2 – Configure the Interface Policy Groups – Servers
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Server IPG based on the following:
o Name: IPG-SERVERS
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Port Security: PS-5
o Storm Control: SC-60
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
Task 3 – Configure the Interface Policy Groups – Routers
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the Router IPG based on the following:
o Name: IPG-ROUTERS
o CDP: CDP-ON
o LLDP: LLDP-OFF
o Port Security: PS-1
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
Lab 14 – Access Provisioning
– Switch & PC IPGs
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Port Channel IPGs
➢ Configure the IPGs for SW1 & SW2 based on the table below. Use
LACP Active for the Port-Channel Protocol. SW3 IPG will be created
later.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 1 – Configure the Interface Policies – Port-Channel
➢ Click Fabric -> Access Policies -> Interface Policies -> Policies ->
Port-Channel
➢ Configure Port-Channel Policy based on the following:
o Policy # 1
▪ Name: LACP-Active
▪ Mode: Active
Task 2 – Configure the Interface Policy Groups – SW1
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> Leaf-Access-Port
➢ Configure the SW1 IPG based on the following:
o Name: IPG-SW1
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
Task 3 – Configure the Interface Policy Groups – SW2
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> PC Policy Group
➢ Configure the SW2 IPG based on the following:
o Name: IPG-SW2-PC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
o Port Channel: LACP-Active
Task 4 – Configure the Interface Policy Groups – SALES-BE-SERVER
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> PC Policy Group
➢ Configure the SALES-BE-SERVER IPG based on the following:
o Name: IPG-SALES-BE-PC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Port Security: PS-5
o Storm Control: SC-60
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
o Port Channel: LACP-Active
Task 5 – Configure the Interface Policy Groups – MARK-BE-SERVER
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> PC Policy Group
➢ Configure the MARK-BE-SERVER IPG based on the following:
o Name: IPG-MARK-BE-PC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Port Security: PS-5
o Storm Control: SC-60
o Link Level: 10G-AUTO
o Spanning Tree: STP-BPDUGUARD
o Port Channel: LACP-Active
Lab 15 – Access Provisioning
– Configuring vPC Domain
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – vPC
Task 1 – Configure a vPC Domain between Leaf-01 & Leaf-02
➢ Click Fabric -> Access Policies -> Switch Policies -> Policies ->
Virtual Port Channel Default
➢ Configure a vPC between Leaf-01 & Leaf-02. Use the following
parameters:
▪ Name: vPC-LEAF-01-02
▪ Domain ID: 12
▪ VPC Domain Policy: Default
▪ Switch 1: 101
▪ Switch 2: 102
Lab 16 – Access Provisioning
– vPC IPG
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Virtual Port Channel IPGs
➢ Configure an IPG for SW4 based on the table below. Use LACP Active
for the Port-Channel Protocol.
                Clients    Servers    Routers    Switches
CDP             Disabled   Disabled   Enabled    Enabled
LLDP            Disabled   Enabled    Disabled   Disabled
Port Security   1          5          1          -
Storm Control   50%        60%        -          60%
Speed           1G         10G        10G        40G
STP             Enabled    Enabled    Enabled    -
Task 2 – Configure the Interface Policy Groups – SW3
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> vPC Policy Group
➢ Configure the SW3 IPG based on the following:
o Name: IPG-SW3-vPC
o CDP: CDP-OFF
o LLDP: LLDP-ON
o Storm Control: SC-60
o Link Level: 40G-AUTO
o Port Channel: LACP-Active
Lab 17 – Access Provisioning
– Interface Profile
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Interface Profile
➢ You are planning on configuring the above topology for ACI. Besides
the devices displayed above, the Servers & Clients will be connected to
the following ports on the 2 Leaf switches.
Task 1 – Configure Interface Profiles
➢ Click Fabric -> Access Policies -> Interface Policies -> Policy
Groups -> vPC Policy Group
➢ Configure an Interface Profile based on the following:
Interface Profile: INT-PROF-1
Interface Names           Ports      IPGs
E1-15-CLIENTS             1/1-20     IPG-CLIENTS
E16-25-SERVERS            1/21-30    IPG-SERVERS
E41-SW1                   1/41       IPG-SW1
E42-43-SW2-PC             1/42-43    IPG-SW2-PC
E44-45-ROUTERS            1/44-45    IPG-ROUTERS
E47-SW3-vPC               1/47       IPG-SW3-vPC
➢ Configure an Interface Profile based on the following:
Interface Profile: INT-PROF-2
Interface Names           Ports      IPGs
E1-20-CLIENTS             1/1-30     IPG-CLIENTS
E21-28-SERVERS            1/31-40    IPG-SERVERS
E41-42-SALES-BE-SERVER    1/41-42    IPG-SALES-BE-PC
E43-44-SALES-BE-SERVER    1/43-44    IPG-MARK-BE-PC
E47-SW3-vPC               1/47       IPG-SW3-vPC
E48-ROUTERS               1/48       IPG-ROUTERS
Lab 18 – Access Provisioning
– Switch Profile
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Leaf Switch Profile
➢ Assign the Interface Profiles created in the previous labs to the
appropriate Leaf Switches.
Task 1 – Configure Switch Profiles
➢ Click Fabric -> Access Policies -> Switch Policies -> Profiles
➢ Configure a Switch Profile based on the following:
o Name: SW-PROF-1
o Leaf Name: LEAF-01
o Leaf Node ID: 101
o Interface profile: INT-PROF-1
➢ Configure a Switch Profile based on the following:
o Name: SW-PROF-2
o Leaf Name: LEAF-02
o Leaf Node ID: 102
o Interface profile: INT-PROF-2
Lab 19 – Access Provisioning
– VLAN Pools
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – VLAN Pool
➢ Create a VLAN Pool to be assigned to the Domain
Task 1 – Configure VLAN Pool
➢ Click Fabric -> Access Policies -> Pools -> VLANS
➢ Create a Pool of VLANs that will be used within ACI for Physical ACI
Ports:
o Name: VLAN-POOL-ACI
o Leaf Name: Static Allocation
o Range: 1-500
➢ Create a Pool of VLANs that will be used within ACI for External
Bridged Ports:
o Name: VLAN-POOL-L2
o Leaf Name: Static Allocation
o Range: 400-500
➢ Create a Pool of VLANs that will be used within ACI for External
Routed Ports:
o Name: VLAN-POOL-L3
o Leaf Name: Static Allocation
o Range: 1-400
Lab 20 – Access Provisioning
– Domains
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1 to SW-3, R1, R2, SALES-BE-SERVER, MARK-BE-SERVER, and the Clients and Servers on each leaf, with leaf port numbers.]
Access Provisioning – Domains
➢ Create Domains to specify port types.
Task 1 – Configure a Physical Domain (Physical ACI Ports)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
Physical Domains
➢ Create a Physical Domain and link it to the VLAN Pool based on the
following:
o Name: ACI-PORTS
o VLAN Pool: VLAN-POOL-ACI
Task 2 – Configure an External L2 Domain (Connecting to Non-ACI
Switches for L2OUT)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
External Bridged Domain
➢ Create an External Bridged Domain and link it to the VLAN Pool based
on the following:
o Name: EXT-L2-PORTS
o VLAN Pool: VLAN-POOL-L2
Task 3 – Configure an External L3 Domain (Connecting to Non-ACI
L3 Devices for L3OUT)
➢ Click Fabric -> Access Policies -> Physical and External Domains ->
External Routed Domains
➢ Create an External Routed Domain and link it to the VLAN Pool based
on the following:
o Name: EXT-L3-PORTS
o VLAN Pool: VLAN-POOL-L3
Lab 21 – Access Provisioning – AAEP
Physical Topology
[Figure: physical topology, same diagram as in Lab 19]
Access Provisioning – AAEP
➢ Link the Port Types (Domains/VLANs) to IPGs (Physical Ports)
Task 1 – Create an AAEP for Physical ACI Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for ACI Ports and link it to the Domain & IPGs based
on the following:
o Name: AAEP-ACI
o Domain: ACI-PORTS
o IPGs: IPG-CLIENTS, IPG-SERVERS, IPG-SALES-BE-PC & IPG-MARK-BE-PC
Task 2 – Create an AAEP for External L2 Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for External L2 Ports and link it to the Domain & IPGs
based on the following:
o Name: AAEP-L2-PORTS
o Domain: EXT-L2-PORTS
o IPGs: IPG-SW1, IPG-SW2-PC & IPG-SW3-vPC
Task 3 – Create an AAEP for External L3 Ports
➢ Click Fabric -> Access Policies -> Global Policies -> AAEP
➢ Create an AAEP for External L3 Ports and link it to the Domain & IPGs
based on the following:
o Name: AAEP-L3-PORTS
o Domain: EXT-L3-PORTS
o IPGs: IPG-ROUTERS
Tenant Provisioning
Lab 22 – Tenant Provisioning – Creating a Tenant & VRF
Logical Topology
Tenant : KBITS
VRF : GRT
Bridge Domain : BD1
Subnets:
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
Tenant Provisioning – Creating a Tenant
Note: The Tenant Provisioning labs are based on the Access Provisioning
completed in Lab 21.
Task 1 – Create the Tenant
➢ Click Tenant -> Add a Tenant
➢ Create a Tenant based on the following:
o Name: KBITS
Task 2 – Create a VRF
➢ Create a VRF within Tenant KBITS based on the following:
o Name: GRT
➢ Click Tenant -> KBITS -> Networking -> VRF -> Create
➢ Create a VRF based on the information above.
Lab 23 – Tenant Provisioning – Creating a Bridge Domain
Logical Topology
Tenant : KBITS
VRF : GRT
Bridge Domain : BD1
Subnets:
10.1.1.0/24
10.1.2.0/24
10.1.3.0/24
Tenant Provisioning – Creating a Bridge Domain
Task 1 – Create a Bridge Domain
➢ Create a Bridge Domain within Tenant KBITS based on the following:
o Name: BD1
o VRF: GRT
o Subnets/GW: 10.1.1.254/24, 10.1.2.254/24 & 10.1.3.254/24
➢ Click Tenant -> KBITS -> Networking -> Bridge Domain -> Create
➢ Create the Bridge Domain based on the information above.
➢ Configure the Subnets/GW based on the information above.
Application Provisioning
Lab 24 – Application Provisioning – Creating Application Profile and EPGs for Sales
Sales Application
Sales Application Profile
EPG SALES-CLIENTS: Leaf-01 => 1 – 4; Leaf-02 => 1 – 4
EPG SALES-FE: Leaf-01 => 21 – 24; Leaf-02 => 31 – 34
EPG SALES-BE: Leaf-01 => 25 – 26; Leaf-02 => 35; Sales-BE-Server
Contract Sales-C-2-FE: ICMP, Web Access (80,443)
Contract Sales-FE-2-BE: ICMP, Oracle DB (1521)
Application Provisioning – Creating an Application Profile
Note: The Application Provisioning labs are based on the successful
completion of Lab 23.
Task 1 – Create an Application Profile
➢ Click Tenant -> KBITS -> Application Profiles -> Create
➢ Create an Application Profile based on the following:
o Name: SALES-APPS
Task 2 – Create EndPoint Groups (EPGs)
➢ Create EPGs based on the following:
o Name: SALES-CLIENTS
o Bridge domain: BD1
o Name: SALES-FE
o Bridge domain: BD1
o Name: SALES-BE
o Bridge domain: BD1
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> Create
➢ Create 3 EPGs based on the information above.
Lab 25 – Application Provisioning – Assign Ports to EPGs in the Sales Application Profile
[Figure: Sales Application Profile diagram, same as in Lab 24]
Application Provisioning – Port Assignments
Task 1 – Assign ports to the “SALES Client” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-CLIENTS ->
Static Ports
➢ Assign Ports to the SALES-CLIENTS EPG based on the following:
Port            VLAN  Port-Type  Deployment
LEAF-01 – 1/1   10    Access     Immediate
LEAF-01 – 1/2   10    Access     Immediate
LEAF-01 – 1/3   10    Access     Immediate
LEAF-01 – 1/4   10    Access     Immediate
LEAF-02 – 1/1   10    Access     Immediate
LEAF-02 – 1/2   10    Access     Immediate
LEAF-02 – 1/3   10    Access     Immediate
LEAF-02 – 1/4   10    Access     Immediate
Task 2 – Assign ports to the “SALES FE” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-FE ->
Static Ports
➢ Assign Ports to the SALES-FE EPG based on the following:
Port             VLAN  Port-Type  Deployment
LEAF-01 – 1/21   20    Trunk      Immediate
LEAF-01 – 1/22   20    Trunk      Immediate
LEAF-01 – 1/23   20    Trunk      Immediate
LEAF-01 – 1/24   20    Trunk      Immediate
LEAF-02 – 1/31   20    Trunk      Immediate
LEAF-02 – 1/32   20    Trunk      Immediate
LEAF-02 – 1/33   20    Trunk      Immediate
LEAF-02 – 1/34   20    Trunk      Immediate
Task 3 – Assign ports to the “SALES BE” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-BE ->
Static Ports
➢ Assign Ports to the SALES-BE EPG based on the following:
Port             VLAN  Port-Type  Deployment
LEAF-01 – 1/25   30    Trunk      Immediate
LEAF-01 – 1/26   30    Trunk      Immediate
LEAF-02 – 1/35   30    Trunk      Immediate
SALES-BE-PC      30    Trunk      Immediate
Lab 26 – Application Provisioning – Creating Filters based on Sales Application
[Figure: Sales Application Profile diagram, same as in Lab 24]
Application Provisioning – Creating Filters
Task 1 – Create a Filter for Web-Access
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for Web Access based on the following:
o Name: Web-Access
o Policy#1:
▪ Name: HTTP
▪ Ethertype: IP
▪ Protocol: TCP
▪ Destination Port Range: HTTP To HTTP
o Policy#2:
▪ Name: HTTPS
▪ Ethertype: IP
▪ Protocol: TCP
▪ Destination Port Range: HTTPS To HTTPS
Task 2 – Create a Filter for PING
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for PING based on the following:
o Name: ICMP-PING
o Policy#1:
▪ Name: PING
▪ Ethertype: IP
▪ Protocol: ICMP
Task 3 – Create a Filter for Oracle DB Access
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for Oracle DB Access based on the following:
o Name: ORACLE-DB-ACCESS
o Policy#1:
▪ Name: ORACLE-DB
▪ Ethertype: IP
▪ Protocol: TCP
▪ Destination Port Range: 1521 To 1521
Lab 27 – Application Provisioning – Creating Contracts based on Sales Application Profile
[Figure: Sales Application Profile diagram, same as in Lab 24]
Application Provisioning – Creating Contracts
Task 1 – Create a Contract for traffic from SALES-CLIENTS EPG
towards SALES-FE EPG
➢ Click Tenant -> KBITS -> Security Policies -> Contracts -> Create
➢ Create a Contract allowing Access from the SALES-CLIENTS EPG
towards the SALES-FE EPG based on the following:
o Contract Name: SALES-C-2-FE
o Subject Name: SALES-C-2-FE
o Filters:
▪ Name: KBITS/Web-Access
▪ Name: KBITS/ICMP-PING
Task 2 – Create a Contract for traffic from SALES-FE EPG towards
SALES-BE EPG
➢ Click Tenant -> KBITS -> Security Policies -> Contracts -> Create
➢ Create a Contract allowing Access from the SALES-FE EPG towards
the SALES-BE EPG based on the following:
o Contract Name: SALES-FE-2-BE
o Subject Name: SALES-FE-2-BE
o Filters:
▪ Name: KBITS/ORACLE-DB-ACCESS
▪ Name: KBITS/ICMP-PING
Lab 28 – Application Provisioning – Provisioning Contracts based on Sales Application Profile
[Figure: Sales Application Profile diagram, same as in Lab 24]
Application Provisioning – Provisioning Contracts
Task 1 – Provision the SALES-C-2-FE contract for the SALES-CLIENTS EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-CLIENTS ->
Contracts
➢ Provision the SALES-C-2-FE contract as a Consumed Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Consumed
Task 2 – Provision the SALES-C-2-FE contract for the SALES-FE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-FE -> Contracts
➢ Provision the SALES-C-2-FE contract as a Provided Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Provided
Task 3 – Provision the SALES-FE-2-BE contract for the SALES-FE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-FE -> Contracts
➢ Provision the SALES-FE-2-BE contract as a Consumed Contract.
o Contract Name: SALES-FE-2-BE
o Provision type: Consumed
Task 4 – Provision the SALES-FE-2-BE contract for the SALES-BE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-BE -> Contracts
➢ Provision the SALES-FE-2-BE contract as a Provided Contract.
o Contract Name: SALES-FE-2-BE
o Provision type: Provided
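The whitelist built in Labs 26 to 28, as an added example that is not part of the original workbook: a simplified Python model in which a flow between two EPGs is permitted only when the source consumes and the destination provides a contract whose filter matches the protocol and destination port. The data mirrors the filters, contracts and provision types above; the function names, the probe flows and the matching logic are assumptions for illustration, and the model covers consumer-initiated flows only (the subject options that govern the return path are not modelled).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One filter entry: a protocol plus an inclusive destination port range."""
    name: str
    protocol: str                      # "tcp", "udp" or "icmp"
    dport_from: Optional[int] = None   # None means no port is specified
    dport_to: Optional[int] = None

    def matches(self, protocol: str, dport: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if self.dport_from is None:
            return True
        return dport is not None and self.dport_from <= dport <= self.dport_to


# Filters from Lab 26; the HTTP and HTTPS keywords are written as ports 80 and 443.
FILTERS = {
    "Web-Access": [Entry("HTTP", "tcp", 80, 80), Entry("HTTPS", "tcp", 443, 443)],
    "ICMP-PING": [Entry("PING", "icmp")],
    "ORACLE-DB-ACCESS": [Entry("ORACLE-DB", "tcp", 1521, 1521)],
}

# Contracts from Lab 27: contract name -> filters attached to its subject.
CONTRACTS = {
    "SALES-C-2-FE": ["Web-Access", "ICMP-PING"],
    "SALES-FE-2-BE": ["ORACLE-DB-ACCESS", "ICMP-PING"],
}

# Provisioning from Lab 28: (EPG, contract, provision type).
RELATIONS = [
    ("SALES-CLIENTS", "SALES-C-2-FE", "consumed"),
    ("SALES-FE", "SALES-C-2-FE", "provided"),
    ("SALES-FE", "SALES-FE-2-BE", "consumed"),
    ("SALES-BE", "SALES-FE-2-BE", "provided"),
]


def epgs_with(contract: str, role: str) -> list:
    """EPGs that hold the given contract in the given role, sorted by name."""
    return sorted(e for e, c, r in RELATIONS if c == contract and r == role)


def permitting_contracts(src: str, dst: str, protocol: str, dport=None) -> list:
    """Contracts that allow a flow opened by src (consumer) toward dst (provider)."""
    if src == dst:
        return []  # traffic inside one EPG is outside this model
    hits = []
    for contract, filters in sorted(CONTRACTS.items()):
        if src not in epgs_with(contract, "consumed"):
            continue
        if dst not in epgs_with(contract, "provided"):
            continue
        entries = [e for f in filters for e in FILTERS[f]]
        if any(e.matches(protocol, dport) for e in entries):
            hits.append(contract)
    return hits


def reachable_services(src: str) -> list:
    """Every (provider EPG, contract, filter entry) that src may open a flow to."""
    out = []
    for contract, filters in sorted(CONTRACTS.items()):
        if src not in epgs_with(contract, "consumed"):
            continue
        for dst in epgs_with(contract, "provided"):
            if dst == src:
                continue
            for f in filters:
                out.extend((dst, contract, e.name) for e in FILTERS[f])
    return out


# Constructed probe flows: (source EPG, destination EPG, protocol, destination port).
PROBES = [
    ("SALES-CLIENTS", "SALES-FE", "tcp", 443),
    ("SALES-CLIENTS", "SALES-FE", "tcp", 8080),
    ("SALES-CLIENTS", "SALES-BE", "tcp", 1521),   # no contract links these two EPGs
    ("SALES-FE", "SALES-BE", "tcp", 1521),
    ("SALES-BE", "SALES-FE", "tcp", 1521),        # provider opening a new flow
]


def evaluate(probes=PROBES) -> list:
    """Return (probe, verdict) pairs; anything no contract permits is denied."""
    results = []
    for src, dst, proto, dport in probes:
        hits = permitting_contracts(src, dst, proto, dport)
        results.append(((src, dst, proto, dport), "permit" if hits else "deny"))
    return results


if __name__ == "__main__":
    for probe, verdict in evaluate():
        print(verdict, *probe)
    print(reachable_services("SALES-CLIENTS"))
```

The third probe is the one to look at when reviewing the design: SALES-CLIENTS never reaches SALES-BE directly, because no contract is consumed by one and provided by the other.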
Lab 29 – Application Provisioning – Creating Application Profile and EPGs for Mark
Mark Application
MARK Application Profile
EPG MARK-CLIENTS: Leaf-01 => 5 – 8; Leaf-02 => 5 – 8
EPG MARK-FE: Leaf-01 => 27 – 28; Leaf-02 => 37 – 38
EPG MARK-BE: Leaf-01 => 29 – 30; Leaf-02 => 39; Mark-BE-Server
Contract MARK-C-2-FE: ICMP, IMAP (143), Web Access (80,443)
Contract MARK-FE-2-BE: ICMP, MS SQL DB (TCP/1433) (UDP/1434)
Application Provisioning – Creating an Application Profile
Note: The Application Provisioning labs are based on the successful
completion of Lab 23.
Task 1 – Create an Application Profile
➢ Click Tenant -> KBITS -> Application Profiles -> Create
➢ Create an Application Profile based on the following:
o Name: MARK-APPS
Task 2 – Create EndPoint Groups (EPGs)
➢ Create EPGs based on the following:
o Name: MARK-CLIENTS
o Bridge domain: BD1
o Name: MARK-FE
o Bridge domain: BD1
o Name: MARK-BE
o Bridge domain: BD1
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> Create
➢ Create 3 EPGs based on the information above.
Lab 30 – Application Provisioning – Assign Ports to EPGs in the Mark Application Profile
[Figure: MARK Application Profile diagram, same as in Lab 29]
Application Provisioning – Port Assignments
Task 1 – Assign ports to the “MARK Client” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-CLIENTS ->
Static Ports
➢ Assign Ports to the MARK-CLIENTS EPG based on the following:
Port            VLAN  Port-Type  Deployment
LEAF-01 – 1/5   40    Access     Immediate
LEAF-01 – 1/6   40    Access     Immediate
LEAF-01 – 1/7   40    Access     Immediate
LEAF-01 – 1/8   40    Access     Immediate
LEAF-02 – 1/5   40    Access     Immediate
LEAF-02 – 1/6   40    Access     Immediate
LEAF-02 – 1/7   40    Access     Immediate
LEAF-02 – 1/8   40    Access     Immediate
Task 2 – Assign ports to the “MARK FE” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-FE ->
Static Ports
➢ Assign Ports to the MARK-FE EPG based on the following:
Port             VLAN  Port-Type  Deployment
LEAF-01 – 1/27   50    Trunk      Immediate
LEAF-01 – 1/28   50    Trunk      Immediate
LEAF-02 – 1/37   50    Trunk      Immediate
LEAF-02 – 1/38   50    Trunk      Immediate
Task 3 – Assign ports to the “MARK BE” EPGs
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-BE ->
Static Ports
➢ Assign Ports to the MARK-BE EPG based on the following:
Port             VLAN  Port-Type  Deployment
LEAF-01 – 1/29   60    Trunk      Immediate
LEAF-01 – 1/30   60    Trunk      Immediate
LEAF-02 – 1/39   60    Trunk      Immediate
MARK-BE-PC       60    Trunk      Immediate
Lab 31 – Application Provisioning – Creating Filters based on Mark Application
[Figure: MARK Application Profile diagram, same as in Lab 29]
Application Provisioning – Creating Filters
Task 1 – Create a Filter for IMAP
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for IMAP based on the following:
o Name: IMAP
o Policy#1:
▪ Name: IMAP4
▪ Ethertype: IP
▪ Protocol: TCP
▪ Destination Port Range: 143 To 143
Task 2 – Create a Filter for MS SQL DB Access
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for MS SQL DB Access based on the following:
o Name: MS-SQL-DB-ACCESS
o Policy#1:
▪ Name: MS-SQL-DB-TCP
▪ Ethertype: IP
▪ Protocol: TCP
▪ Destination Port Range: 1433 To 1433
o Policy#2:
▪ Name: MS-SQL-DB-UDP
▪ Ethertype: IP
▪ Protocol: UDP
▪ Destination Port Range: 1434 To 1434
Lab 32 – Application Provisioning – Creating Contracts based on Mark Application Profile
[Figure: MARK Application Profile diagram, same as in Lab 29]
Application Provisioning – Creating Contracts
Task 1 – Create a Contract for traffic from MARK-CLIENTS EPG
towards MARK-FE EPG
➢ Click Tenant -> KBITS -> Security Policies -> Contracts -> Create
➢ Create a Contract allowing Access from the MARK-CLIENTS EPG
towards the MARK-FE EPG based on the following:
o Contract Name: MARK-C-2-FE
o Subject Name: MARK-C-2-FE
o Filters:
▪ Name: KBITS/IMAP
▪ Name: KBITS/Web-Access
▪ Name: KBITS/ICMP-PING
Task 2 – Create a Contract for traffic from MARK-FE EPG towards
MARK-BE EPG
➢ Click Tenant -> KBITS -> Security Policies -> Contracts -> Create
➢ Create a Contract allowing Access from the MARK-FE EPG towards
the MARK-BE EPG based on the following:
o Contract Name: MARK-FE-2-BE
o Subject Name: MARK-FE-2-BE
o Filters:
▪ Name: KBITS/MS-SQL-DB-ACCESS
▪ Name: KBITS/ICMP-PING
Lab 33 – Application Provisioning – Provisioning Contracts based on Mark Application Profile
[Figure: MARK Application Profile diagram, same as in Lab 29]
Application Provisioning – Provisioning Contracts
Task 1 – Provision the MARK-C-2-FE contract for the MARK-CLIENTS EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-CLIENTS ->
Contracts
➢ Provision the MARK-C-2-FE contract as a Consumed Contract.
o Contract Name: MARK-C-2-FE
o Provision type: Consumed
Task 2 – Provision the MARK-C-2-FE contract for the MARK-FE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-FE -> Contracts
➢ Provision the MARK-C-2-FE contract as a Provided Contract.
o Contract Name: MARK-C-2-FE
o Provision type: Provided
Task 3 – Provision the MARK-FE-2-BE contract for the MARK-FE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-FE -> Contracts
➢ Provision the MARK-FE-2-BE contract as a Consumed Contract.
o Contract Name: MARK-FE-2-BE
o Provision type: Consumed
Task 4 – Provision the MARK-FE-2-BE contract for the MARK-BE EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
MARK-APPLICATION-PROFILE -> Application EPGs -> MARK-BE -> Contracts
➢ Provision the MARK-FE-2-BE contract as a Provided Contract.
o Contract Name: MARK-FE-2-BE
o Provision type: Provided
External Domains – L2OUT & L3OUT
Lab 34 – Configuring L2OUT – External Bridged Outside
Physical Topology
[Figure: physical topology showing Spine-1, Spine-2, Leaf-1, Leaf-2, SW-1, SW-2, SW-3, R1, R2, SALES-BE-SERVER and MARK-BE-SERVER, plus Internet and MPLS VPN, with the client and server port ranges]
Configuring L2OUT
Note: The External Domain Labs are based on the successful completion
of all labs up to and including Lab 33.
➢ VLANs 10 & 20 are stretched between ACI & Non-ACI Domains.
➢ Devices connected to VLAN 10 are located on Non-ACI Switches SW1
& SW2. Sales Clients are allocated to this VLAN.
➢ Devices connected to VLAN 20 are located on Non-ACI Switches SW2
& SW3. Sales FE are allocated to this VLAN.
Task 1 – Configure a L2OUT – VLAN 10
➢ Click Tenant -> ABC -> Networking -> External Bridge Networks
➢ Configure a Bridge Outside based on the following:
o Name: L2OUT-SALES-CLIENTS-VLAN-10
o External Bridge Domain: EXT-L2-PORTS
o Bridge Domain: BD1
o VLAN: 10
o External L2 Connection:
▪ Port: Leaf-1 - 101/1/41
▪ PC: IPG-SW2-PC
o External L2OUT Network EPG: L2OUT-SALES-CLIENTS
Task 2 – Configure a L2OUT – VLAN 20
➢ Click Tenant -> ABC -> Networking -> External Bridge Networks
➢ Configure a Bridge Outside based on the following:
o Name: L2OUT-SALES-CLIENTS-VLAN-20
o External Bridge Domain: EXT-L2-PORTS
o Bridge Domain: BD1
o VLAN: 20
o External L2 Connection:
▪ PC: IPG-SW2-PC
▪ vPC: IPG-SW3-vPC
o External L2OUT Network EPG: L2OUT-SALES-FE
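The chain built in Labs 19 to 21 (VLAN pool -> domain -> AAEP -> IPG) determines which VLAN IDs can be deployed on which ports, so the encapsulations used here and in Labs 25 and 30 are worth checking against it. The following Python check is an added example, not part of the original workbook: it flags a VLAN that lies outside the pool of its domain, an IPG whose AAEP does not carry that domain, and ranges shared by more than one pool. The pool, domain, AAEP and L2OUT values are copied from the labs; the domain and IPG of the application EPGs and the last entry of USES are assumptions, marked in the code.

```python
# Lab 19: VLAN pool -> inclusive VLAN range.
POOLS = {
    "VLAN-POOL-ACI": (1, 500),
    "VLAN-POOL-L2": (400, 500),
    "VLAN-POOL-L3": (1, 400),
}

# Lab 20: domain -> VLAN pool.
DOMAINS = {
    "ACI-PORTS": "VLAN-POOL-ACI",
    "EXT-L2-PORTS": "VLAN-POOL-L2",
    "EXT-L3-PORTS": "VLAN-POOL-L3",
}

# Lab 21: AAEP -> (domain, interface policy groups).
AAEPS = {
    "AAEP-ACI": ("ACI-PORTS", {"IPG-CLIENTS", "IPG-SERVERS",
                               "IPG-SALES-BE-PC", "IPG-MARK-BE-PC"}),
    "AAEP-L2-PORTS": ("EXT-L2-PORTS", {"IPG-SW1", "IPG-SW2-PC", "IPG-SW3-vPC"}),
    "AAEP-L3-PORTS": ("EXT-L3-PORTS", {"IPG-ROUTERS"}),
}

# Encapsulations in use: (object, domain, VLAN, IPG of the port).
USES = [
    ("L2OUT-SALES-CLIENTS-VLAN-10", "EXT-L2-PORTS", 10, "IPG-SW2-PC"),   # Lab 34
    ("L2OUT-SALES-CLIENTS-VLAN-20", "EXT-L2-PORTS", 20, "IPG-SW3-vPC"),  # Lab 34
    # Assumption: the workbook does not state the domain or IPG of these EPGs.
    ("SALES-BE", "ACI-PORTS", 30, "IPG-SALES-BE-PC"),                    # Lab 25
    ("MARK-BE", "ACI-PORTS", 60, "IPG-MARK-BE-PC"),                      # Lab 30
    # Constructed negative case: a router-facing IPG used through the wrong domain.
    ("CONSTRUCTED-EPG", "ACI-PORTS", 450, "IPG-ROUTERS"),
]


def domains_for_ipg(ipg):
    """Domains reachable from an IPG through the AAEPs it is linked to."""
    return sorted(domain for domain, ipgs in AAEPS.values() if ipg in ipgs)


def check_encaps(uses=USES):
    """Return (object, VLAN, reason) for every use that breaks the chain."""
    findings = []
    for owner, domain, vlan, ipg in uses:
        pool = DOMAINS.get(domain)
        if pool is None:
            findings.append((owner, vlan, "unknown-domain"))
            continue
        first, last = POOLS[pool]
        if not first <= vlan <= last:
            findings.append((owner, vlan, "vlan-outside-pool"))
        if domain not in domains_for_ipg(ipg):
            findings.append((owner, vlan, "ipg-not-in-domain-aaep"))
    return findings


def pool_overlaps(pools=POOLS):
    """Return (pool, pool, shared range) for every pair of pools that intersect."""
    names = sorted(pools)
    out = []
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            low = max(pools[first][0], pools[second][0])
            high = min(pools[first][1], pools[second][1])
            if low <= high:
                out.append((first, second, (low, high)))
    return out


if __name__ == "__main__":
    for finding in check_encaps():
        print("encap:", finding)
    for overlap in pool_overlaps():
        print("overlap:", overlap)
```

Run on these values, it reports VLANs 10 and 20 of the two L2OUTs as outside VLAN-POOL-L2 (400-500), and shows that every pair of pools shares at least one VLAN ID.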
Lab 35 – Configuring L2OUT – Provisioning Contracts
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Logical Topology
Sales Application Profile
EPG SALES-CLIENTS: Leaf-01 => 1 – 4; Leaf-02 => 1 – 4
EPG SALES-FE: Leaf-01 => 21 – 24; Leaf-02 => 31 – 34
EPG SALES-BE: Leaf-01 => 25 – 26; Leaf-02 => 35; Sales-BE-Server
Contract Sales-C-2-FE: ICMP, Web Access (80,443)
Contract Sales-FE-2-BE: ICMP, Oracle DB (1521)
Contract Sales-C-2-Int: Permit Any
External EPG L3-OUT-SALES-CLIENTS: 10.11.11.0/24, 10.12.12.0/24
External EPG L2-OUT-SALES-CLIENTS: VLAN 10
External EPG L2-OUT-SALES-FE: VLAN 20
External EPG L3-OUT-SALES-FE: 10.13.13.0/24, 10.14.14.0/24
External EPG Internet: 0.0.0.0/0
L2OUT Provisioning Contracts
Task 1 – Provision the SALES-C-2-FE contract for the
L2-OUT-SALES-CLIENTS EPG
➢ Click Tenant -> ABC -> Networking -> External Bridge Networks ->
L2OUT-SALES-CLIENTS-VLAN-10 -> Networks -> SALES-CLIENTS-L2OUT
➢ Provision the SALES-C-2-FE contract as a Consumed Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Consumed
Task 2 – Provision the SALES-FE-2-BE contract for the
L2-OUT-SALES-FE EPG
➢ Click Tenant -> ABC -> Networking -> External Bridge Networks ->
L2OUT-SALES-FE-VLAN-20 -> Networks -> SALES-FE-L2OUT
➢ Provision the SALES-FE-2-BE contract as a Consumed Contract.
o Contract Name: SALES-FE-2-BE
o Provision type: Consumed
➢ Provision the SALES-C-2-FE contract as a Provided Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Provided
Lab 36 – Configuring L3OUT – Configuring MP-BGP in the Fabric
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Task 1 – Configure the Fabric for MP-BGP
➢ Click Fabric -> Fabric Policies -> Pod Policies -> Policies -> BGP
Route Reflector Default
➢ Configure the Policy based on the following:
o AS: 65001
o Route Reflectors: Spine1(103) & Spine2(104)
➢ Click Submit.
Task 2 – Configure a POD Policy Group
➢ The Policy Group links to the Default BGP Route Reflector Policy.
➢ Click Fabric -> Fabric Policies -> Pod Policies -> Policy Group ->
New
➢ Configure the Policy Group based on the following:
o Name: MY-POD-POLICY-GROUP
o BGP Route Reflector Policy: default
Task 3 – Configure a POD Profile
➢ The Profile links to the POD Policy Group created in the previous step.
➢ Click Fabric -> Fabric Policies -> Pod Policies -> Profiles -> Pod
Profile Default -> default
➢ Configure the Fabric Policy Group as MY-POD-POLICY-GROUP
Lab 37 – Configuring L3OUT – Configuring Routed Outside - EIGRP
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Task 1 – Configure the L3OUT using EIGRP
➢ Click Tenant -> KBITS -> Networking -> External Routed Network ->
Create New
➢ Configure EIGRP using the following parameters:
o Main Page:
▪ Name: L3OUT-EIGRP
▪ Protocol: EIGRP
▪ AS # : 111
▪ VRF: GRT
▪ External Routed Domain: EXT-L3-PORTS
o Node Profile:
▪ Name: LEAF-01-EIGRP
▪ LEAF-1 - Node ID : 101
▪ Router-ID: 11.11.11.11
o Interface Profile:
▪ Name: L3OUT-EIGRP
▪ EIGRP Policy: default
▪ Routed Interface: Leaf-01/1/44
▪ IP Address: 192.1.100.11/24
o EPG:
▪ Name: L3OUT-SALES-CLIENTS
▪ Networks: 10.11.11.0/24 & 10.12.12.0/24
▪ Name: L3OUT-SALES-FE
▪ Networks: 10.13.13.0/24 & 10.14.14.0/24
➢ Click Submit.
Task 2 – Associating the L3OUT with the Bridge Domain
➢ Click Tenant -> KBITS -> Networking -> Bridge Domains -> BD1 ->
L3 Configurations -> Associated L3OUT
➢ Select L3OUT-EIGRP from the drop-down list and update.
➢ Click Submit.
Lab 38 – Configuring L3OUT – Provisioning Contracts
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Logical Topology
[Figure: logical topology of the Sales Application Profile with its L2OUT and L3OUT external EPGs, same diagram as in Lab 35]
L3OUT Provisioning Contracts
Task 1 – Provision the SALES-C-2-FE contract for the
L3-OUT-SALES-CLIENTS EPG
➢ Click Tenant -> KBITS -> Networking -> External Routed Networks
-> L3OUT-EIGRP -> Networks -> L3OUT-SALES-CLIENTS ->
Contracts
➢ Provision the SALES-C-2-FE contract as a Consumed Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Consumed
Task 2 – Provision the SALES-FE-2-BE contract for the
L3-OUT-SALES-FE EPG
➢ Click Tenant -> KBITS -> Networking -> External Routed Networks
-> L3OUT-EIGRP -> Networks -> L3OUT-SALES-FE -> Contracts
➢ Provision the SALES-FE-2-BE contract as a Consumed Contract.
o Contract Name: SALES-FE-2-BE
o Provision type: Consumed
➢ Provision the SALES-C-2-FE contract as a Provided Contract.
o Contract Name: SALES-C-2-FE
o Provision type: Provided
Lab 39 – Configuring L3OUT – Configuring Routed Outside - OSPF
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Task 1 – Configure the L3OUT using OSPF
➢ Click Tenant -> KBITS -> Networking -> External Routed Network ->
Create New
➢ Configure OSPF using the following parameters:
o Main Page:
▪ Name: L3OUT-OSPF
▪ Protocol: OSPF
▪ Area # : 0
▪ Area Type: Regular
▪ VRF: GRT
▪ External Routed Domain: EXT-L3-PORTS
o Node Profile:
▪ Name: LEAF-02-OSPF
▪ LEAF-2 - Node ID : 102
▪ Router-ID: 22.22.22.22
o Interface Profile:
▪ Name: L3OUT-OSPF
▪ OSPF Policy: default
▪ Routed Interface: Leaf-02/1/48
▪ IP Address: 192.1.200.22/24
o EPG:
▪ Name: Internet
▪ Networks: 0.0.0.0/0
➢ Click Submit.
Task 2 – Associating the L3OUT with the Bridge Domain
➢ Click Tenant -> KBITS -> Networking -> Bridge Domains -> BD1 ->
L3 Configurations -> Associated L3OUT
➢ Select L3OUT-OSPF from the drop-down list and update.
➢ Click Submit.
Lab 40 – Configuring L3OUT – Provisioning Internet Contract
Physical Topology
[Figure: physical topology, same diagram as in Lab 34]
Logical Topology
[Figure: logical topology of the Sales Application Profile with its L2OUT and L3OUT external EPGs, same diagram as in Lab 35]
Creating Filters
Task 1 – Create a Filter for Internet
➢ Click Tenant -> KBITS -> Security Policies -> Filters -> Create
➢ Create a Filter for Internet access based on the following:
o Name: Internet
o Policy#1:
▪ Name: Internet
▪ Ethertype: IP
▪ Protocol: Any
▪ Destination Port Range: Unspecified to Unspecified
Creating Contracts
Task 1 – Create a Contract for traffic from SALES-CLIENTS EPG
towards the Internet
➢ Click Tenant -> KBITS -> Security Policies -> Contracts -> Create
➢ Create a Contract allowing Access from the SALES-CLIENTS EPG
towards the Internet based on the following:
o Contract Name: SALES-C-2-INT
o Subject Name: SALES-C-2-INT
o Filters:
▪ Name: KBITS/Internet
L3OUT Provisioning Contracts
Task 1 – Provision the SALES-C-2-INT contract for the Internet EPG
➢ Click Tenant -> KBITS -> Networking -> External Routed Networks
-> L3OUT-OSPF -> Networks -> Internet -> Contracts
➢ Provision the SALES-C-2-INT contract as a Provided Contract.
o Contract Name: SALES-C-2-INT
o Provision type: Provided
Task 2 – Provision the SALES-C-2-INT contract for the SALES-CLIENTS EPG
➢ Click Tenant -> KBITS -> Application Profiles ->
SALES-APPLICATION-PROFILE -> Application EPGs -> SALES-CLIENTS ->
Contracts
➢ Provision the SALES-C-2-INT contract as a Consumed Contract.
o Contract Name: SALES-C-2-INT
o Provision type: Consumed
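The Internet filter of this lab (Protocol Any, unspecified ports) is far wider than the port-scoped filters of Labs 26 and 31, and a contract applies to every consumer and provider pair that references it. This Python audit is an added example, not part of the original workbook: it grades each contract by its broadest filter entry and lists the EPG pairs that contract opens. The filter, contract and provisioning data are copied from Labs 26 to 40; the breadth labels and function names are assumptions for illustration.

```python
# Every filter entry from Labs 26, 31 and 40:
# (filter, entry, protocol, inclusive destination port range or None).
ENTRIES = [
    ("Web-Access", "HTTP", "tcp", (80, 80)),
    ("Web-Access", "HTTPS", "tcp", (443, 443)),
    ("ICMP-PING", "PING", "icmp", None),
    ("ORACLE-DB-ACCESS", "ORACLE-DB", "tcp", (1521, 1521)),
    ("IMAP", "IMAP4", "tcp", (143, 143)),
    ("MS-SQL-DB-ACCESS", "MS-SQL-DB-TCP", "tcp", (1433, 1433)),
    ("MS-SQL-DB-ACCESS", "MS-SQL-DB-UDP", "udp", (1434, 1434)),
    ("Internet", "Internet", "any", None),
]

# Contracts from Labs 27, 32 and 40: contract -> filters in its subject.
CONTRACTS = {
    "SALES-C-2-FE": ["Web-Access", "ICMP-PING"],
    "SALES-FE-2-BE": ["ORACLE-DB-ACCESS", "ICMP-PING"],
    "MARK-C-2-FE": ["IMAP", "Web-Access", "ICMP-PING"],
    "MARK-FE-2-BE": ["MS-SQL-DB-ACCESS", "ICMP-PING"],
    "SALES-C-2-INT": ["Internet"],
}

# Provisioning from Labs 28, 33, 35, 38 and 40: (EPG, contract, provision type).
RELATIONS = [
    ("SALES-CLIENTS", "SALES-C-2-FE", "consumed"),
    ("SALES-FE", "SALES-C-2-FE", "provided"),
    ("SALES-FE", "SALES-FE-2-BE", "consumed"),
    ("SALES-BE", "SALES-FE-2-BE", "provided"),
    ("MARK-CLIENTS", "MARK-C-2-FE", "consumed"),
    ("MARK-FE", "MARK-C-2-FE", "provided"),
    ("MARK-FE", "MARK-FE-2-BE", "consumed"),
    ("MARK-BE", "MARK-FE-2-BE", "provided"),
    ("L2OUT-SALES-CLIENTS", "SALES-C-2-FE", "consumed"),
    ("L2OUT-SALES-FE", "SALES-FE-2-BE", "consumed"),
    ("L2OUT-SALES-FE", "SALES-C-2-FE", "provided"),
    ("L3OUT-SALES-CLIENTS", "SALES-C-2-FE", "consumed"),
    ("L3OUT-SALES-FE", "SALES-FE-2-BE", "consumed"),
    ("L3OUT-SALES-FE", "SALES-C-2-FE", "provided"),
    ("Internet", "SALES-C-2-INT", "provided"),
    ("SALES-CLIENTS", "SALES-C-2-INT", "consumed"),
]

LEVELS = ["port-scoped", "whole-protocol", "any-protocol"]  # narrowest to broadest


def breadth(protocol, ports):
    """Grade one filter entry by how much traffic it can match."""
    if protocol == "any":
        return "any-protocol"
    if ports is None:
        return "whole-protocol"   # e.g. ICMP with no further restriction
    return "port-scoped"


def contract_breadth(contract):
    """The broadest grade among all entries of the contract's filters."""
    levels = [breadth(proto, ports) for filt, _name, proto, ports in ENTRIES
              if filt in CONTRACTS[contract]]
    return max(levels, key=LEVELS.index)


def pairs(contract):
    """Every (consumer, provider) pair that the contract connects."""
    consumers = sorted(e for e, c, r in RELATIONS if c == contract and r == "consumed")
    providers = sorted(e for e, c, r in RELATIONS if c == contract and r == "provided")
    return [(cons, prov) for cons in consumers for prov in providers if cons != prov]


def audit(threshold="any-protocol"):
    """List (contract, consumer, provider, grade) at or above the threshold."""
    findings = []
    for contract in sorted(CONTRACTS):
        level = contract_breadth(contract)
        if LEVELS.index(level) >= LEVELS.index(threshold):
            findings.extend((contract, cons, prov, level)
                            for cons, prov in pairs(contract))
    return findings


def fan_out():
    """Number of EPG pairs each contract opens."""
    return {contract: len(pairs(contract)) for contract in sorted(CONTRACTS)}


if __name__ == "__main__":
    for finding in audit():
        print(finding)
    print(fan_out())
```

With the default threshold the only finding is SALES-C-2-INT between SALES-CLIENTS and Internet; lowering it to "whole-protocol" also lists every contract that carries ICMP-PING, and `fan_out()` shows SALES-C-2-FE covering nine pairs once the L2OUT and L3OUT EPGs are attached.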