M1 Policy - Coggle Diagram
M1 Policy
policies
access policy
pools
specify vlan and multicast
interface profile
switch profile
Physical & external domain
Domain to Map AAEP (set of interfaces) to vlan pool
A physical domain is a collection of physical resources, where a certain EPG can be deployed
Monitoring & troubleshooting
threshold, log, fault
Stats Collection Policies
For example, to have it poll a component every 5 minutes, but be retained for 2 hours, just click on the policy that specifies a 5 minute granularity and change the retention period to 2 hours.
Apply to tenant level
fault lifecycle policy
To change the soaking interval
fault severity assignment
set certain objects not to affect the health score
stats export policy
JSON or XML
module policy
spine switch module policy
domain?
Specify the ports and the type of encapsulation that should be used (VLAN/VXLAN)
Interface policy group?
link level policy
The ports on the leaf switches default to 10GE, and a 1GE link level policy must be created for devices connected at that speed
L2 interface(DT)
Reflective Relay (802.1Qbg)
Nexus N9K-C93180YC-EX and N9K-C93180TC-EX switches support the switching option, reflective relay. This feature is a tagless approach of IEEE standard 802.1Qbg.
It forwards all traffic to an external switch that applies policy and sends the traffic back to the destination or target VM on the server as needed. There is no local switching. For broadcast or multicast traffic, reflective relay provides packet replication to each VM locally on the server.
AAEP
diagram
Monitoring
Monitoring policies define the following:
■ How long and how often statistics are collected and retained
■ Upon which threshold crossing faults are triggered
■ Which statistics are exported
control plane policies
IS-IS and MP-BGP. For per-interface, per-protocol CoPP the supported protocols are ARP, ICMP, CDP, LLDP, LACP, STP, BFD, and …
It is recommended that you use the default CoPP policy initially and then later modify the CoPP policies based on the data center and application requirements.
Another example: to protect the control plane against DDoS attacks
Netflow
NetFlow Exporter Policy: indicates whether NetFlow should be configured in the virtual switch.
VPC
Parent sw can be 9300 and 9500
list of supported FEX
https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/200529-Configure-a-Fabric-Extender-with-Applica.html
AAEP in VPC
A single AAEP for static path
Another AAEP for VMM domain
EPG is mapped to AAEP
VLAN pool?
Specify a static VLAN range to contain legacy VLANs
to trunk ACI bridge domain and EPG
ACI will encapsulate BPDUs with a VXLAN ID based on the pool
The VXLAN ID allows the VPC switches to synchronize VPC MAC and IP addresses
switch profile contains 2 SW
is a VPC
vpc flow chart
based on diagram
Both SW use port 1/9
Interface policy group
default is mostly disabled
You should not modify the Interface Policy for "LLDP Interface" named "default" because this policy is used by spines and leaf nodes for bootup and to look for an image to run. If you need to create a different default configuration for the servers, you can create a new LLDP policy and give it a name, and then use this one instead of the policy called "default."
refer to diagram " VPC interface Group"
LACP
This is normally the recommended option for most deployments. If the hypervisor is connected to two different physical leaf switches, a virtual port channel (VPC) must be enabled for them.
■ LACP Passive: LACP in passive mode is only recommended when there is an intermediate switch (such as a blade switch) between the hypervisors and the ACI leaf switches, and this blade switch requires LACP Passive
VLAN pool
Refer to VLAN pool diagram
Refer to VLAN pool example
Common practice to have a 1:1 mapping between a VLAN pool and a domain.
Common practice to have separate VLAN pools and domains per tenant
Refer to EPG to VLAN mapping rule
The same VLAN can't be used on the same switch with the same physical domain
Best practice: configure a separate physical domain for each separate bridge domain
default
Fabric initialization, device discovery, and cabling detection
■ Storm control and flooding
■ VPC
■ Endpoint retention for caching and aging of learned endpoints in switch buffers
■ Loop detection
■ Monitoring and statistics
■ Bridge domain (in the common tenant)
■ Layer 2 and Layer 3 protocols
when to use?
The node registers itself with the APIC, which pushes all the default policies to the node
Another example: when a port is removed from a port channel
AAEP
Is analogous to switchport access vlan x on an interface in a traditional NX-OS configuration.
Best practice
When possible, create one AAEP for physical bare-metal compute and another AAEP for virtualized compute
If a single interface needs access to both virtual and physical domains, multiple domains can be associated with a single AAEP.
A good use would be if you had a blade switch connected to the ACI fabric.
On a given leaf switch port, there might be several hosts connected, offering different functions and trunking different VLAN ranges. In such a case, the AAEP associated with the interfaces connecting to the blade switch would need access to multiple domains.
domain
best practice
Build one physical domain per tenant for bare-metal servers or servers without hypervisor integration
■ Build one physical domain per tenant for external connectivity.
■ If a VMM domain needs to be leveraged across multiple tenants, a single VMM domain can be created and associated with all leaf ports where VMware ESXi servers are connected.
Refer to EPG to Vlan mapping rule Diagram
physical domain
for bare-metal servers AND virtualized environments
Typically, the few hosts running on bare metal are the most critical ones, such as mainframes or big databases. Even if these servers represent a small percentage of the overall server number, they should be carefully included in the network strategy.
How to assign to EPG
Assign using static path
and reference the interface policy group
Interface profile and switch profile
Int. profile
Interface profiles exist in the ACI fabric to marry a port or a range of ports to a specific interface policy group
You should name your interface profile the same as the switch with which you will be associating it. An interface/leaf profile would then be created for every leaf and every VPC pair in your ACI fabric
Sw profile
Switch Profile
Specify from which ACI leaf your interface profiles will be selecting interfaces. As with interface profiles, it is a best practice to define a switch profile for each individual leaf and VPC pair in your fabric
VPC/PC port channel policy
VPC interface policy group should have a 1:1 mapping to a port channel or VPC.
Administrators should not try to reuse port channel and VPC interface policy groups for more than one port channel or VPC.
This rule applies only to port channels and VPCs.
Access port policies can be reused.