ACI
Functionality

Now that we have the ACI fabric and the VMs running, it is time to test connectivity between the VMs and the outside world. In this section we will apply some ACI concepts related to contracts and how they work within an EPG and between EPGs.

It is important to remember that ACI is a white-list policy model: hosts in different EPGs will not be able to communicate with each other unless a contract is defined between them. This behavior can be changed through several options that ACI offers. For example, you can leverage what is called the "Preferred Group", which the administrator configures so that the EPGs in the group are able to communicate. By leveraging this method, users can reduce the number of contracts in the system and keep the operational model of a standard switch.

Alert!

It is important during this step to make sure that you are on the correct host.

Step 1 - Connectivity within the same EPG

During this step we will be performing a test in order to verify that POD01-WEB-SRV-01 is able to communicate with POD01-WEB-SRV-02.

Make sure you are on POD01-WEB-SRV-01. From POD01-WEB-SRV-01 we are going to ping POD01-WEB-SRV-02.

Using the same browser SSH client, click on the icon on the left to connect to this Linux server. Username: root, Password: cisco.123


ping 10.0.144.3 -c 3

root@pod01-web-srv-01 ~]#ping 10.0.144.3 -c 3
PING 10.0.144.3 (10.0.144.35) 56(84) bytes of data.
64 bytes from 10.0.144.3: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.3: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.3: icmp_seq=3 ttl=64 time=0.164 ms

--- 10.0.144.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.164/0.177/0.193/0.012 ms

As you can see, POD01-WEB-SRV-01 is able to ping POD01-WEB-SRV-02. This is because hosts in the same EPG are allowed to communicate freely within the EPG. Cisco ACI has mechanisms to disallow this, which we will discuss in the following section.

Step 2 - Connectivity between different EPGs

During this step we will test connectivity between POD01-WEB-SRV-01 and POD01-APP-SRV.

Make sure that you are on POD01-WEB-SRV-01. From POD01-WEB-SRV-01 we are going to ping POD01-APP-SRV.


ping 172.16.1.2 -c 3

root@pod01-web-srv-01 ~]#ping 172.16.1.2 -c 3
PING 172.16.1.2 (172.16.1.25) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=0.162 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=0.156 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.158 ms

--- 172.16.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.156/0.158/0.162/0.014 ms

As you can see, we can ping between POD01-WEB-SRV-01 and POD01-APP-SRV.

Now let's try to ssh to POD01-APP-SRV from POD01-WEB-SRV-01.


ssh 172.16.1.2


Don't Panic

Don't Open a P1...This a Lab...This is working as expected :-)


If you recall, in the previous section we created a contract between POD01-WEB-SRV-01 and POD01-APP-SRV with a filter allowing only ICMP. Because of this filter, only ICMP traffic is permitted between the two hosts, so the SSH connection does not go through. Now we need to add SSH to the filter.

Step 3 - Check ACI contract

Click to open new window into the ACI Fabric Controller which is located at 10.0.226.41.

In order to verify the contract, navigate to aci_p01_ap:

  1. Your Tenant - aci_p01_tenant
  2. Expand Tenant aci_p01_tenant
  3. Expand Application Profiles
  4. Click aci_p01_ap
  5. Click on Topology

Once you have clicked on Topology you should see the following topology of your Application Profile. If you hover your mouse over the contract aci_p01_con, you should see the contract and the filter we created in the previous section in order to allow icmp.

Step 4 - Add SSH to the filter

Now that we understand why POD01-WEB-SRV-01 and POD01-APP-SRV are able to ping each other but not to SSH, we need to add SSH to the filter. To add it to our contract's filter, navigate to:

  1. Your Tenant - aci_p01_tenant
  2. Expand Tenant aci_p01_tenant
  3. Click on Contracts
  4. Click on Filters
  5. Expand aci_p01_fil
  6. Click on the Plus (+) Sign

It is time to add SSH to our filter. This is very similar to adding an Access List entry to a traditional network device. We need to add the SSH port number as the Destination Port in our filter; SSH uses TCP port 22. Follow these instructions to accomplish this:

  1. Name = ssh
  2. EtherType = IP
  3. IP Protocol = TCP
  4. Destination Port Range: From = 22, To = 22
  5. Click on Update
  6. Click on Submit
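To make the white-list behavior from the introduction and Steps 1, 2, 4 and 5 concrete, here is a small Python model of the contract evaluation the lab exercises. It is an added example written for this page, not Cisco or APIC code: the contract and filter names follow the lab (aci_p01_con, aci_p01_fil), while the EPG names "web" and "app", the provider/consumer roles and the direction-agnostic matching are assumptions of the model; the to_apic_json helper emits the vzEntry attribute names used by the APIC object model for a filter row.

```python
"""
Toy evaluation of the ACI white-list contract model used in this lab.

Added example, not APIC code: contract and filter names follow the lab
(aci_p01_con, aci_p01_fil); EPG names "web"/"app" and the evaluation logic
are a simplified model (no taboo contracts, no vzAny, no intra-EPG isolation).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class FilterEntry:
    """One row of an ACI filter, like the 'icmp' and 'ssh' rows in aci_p01_fil."""
    name: str
    ether_type: str               # lab uses "ip"
    ip_protocol: str              # "icmp", "tcp", "udp" or "unspecified" (any)
    dport_from: Optional[int] = None
    dport_to: Optional[int] = None

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.ip_protocol not in ("unspecified", proto):
            return False
        if self.dport_from is None:          # no destination port range: any port
            return True
        return dport is not None and self.dport_from <= dport <= self.dport_to

    def to_apic_json(self) -> dict:
        """vzEntry payload for this row (attribute names per the APIC object model)."""
        attrs = {"name": self.name, "etherT": self.ether_type, "prot": self.ip_protocol}
        if self.dport_from is not None:
            attrs["dFromPort"] = str(self.dport_from)
            attrs["dToPort"] = str(self.dport_to)
        return {"vzEntry": {"attributes": attrs}}


@dataclass
class Filter:
    name: str
    entries: List[FilterEntry] = field(default_factory=list)


@dataclass
class Contract:
    """A contract between a provider EPG and a consumer EPG, carrying filters."""
    name: str
    provider_epg: str
    consumer_epg: str
    filters: List[Filter] = field(default_factory=list)


class Fabric:
    """Minimal white-list policy: intra-EPG is open, inter-EPG needs a matching filter row."""

    def __init__(self) -> None:
        self.contracts: List[Contract] = []

    def is_allowed(self, src_epg: str, dst_epg: str, proto: str, dport: Optional[int] = None) -> bool:
        if src_epg == dst_epg:                 # Step 1: same EPG, no contract needed
            return True
        for c in self.contracts:
            # Simplification: the lab contract is treated as applying in both directions
            if {c.provider_epg, c.consumer_epg} != {src_epg, dst_epg}:
                continue
            if any(e.matches(proto, dport) for f in c.filters for e in f.entries):
                return True
        return False                           # default deny: nothing matched


def build_lab_fabric() -> Fabric:
    """Fabric as it stands after the previous section: aci_p01_fil allows ICMP only."""
    fab = Fabric()
    icmp = FilterEntry(name="icmp", ether_type="ip", ip_protocol="icmp")
    fab.contracts.append(Contract(
        name="aci_p01_con", provider_epg="app", consumer_epg="web",
        filters=[Filter(name="aci_p01_fil", entries=[icmp])],
    ))
    return fab


def add_ssh_entry(fab: Fabric) -> FilterEntry:
    """Step 4: add the 'ssh' row (TCP, destination port 22) to aci_p01_fil."""
    ssh = FilterEntry(name="ssh", ether_type="ip", ip_protocol="tcp", dport_from=22, dport_to=22)
    fab.contracts[0].filters[0].entries.append(ssh)
    return ssh


def run_lab_steps() -> dict:
    """Replays Steps 1, 2, 4 and 5 and returns what each connectivity test should show."""
    fab = build_lab_fabric()
    results = {
        "step1_web_to_web_icmp": fab.is_allowed("web", "web", "icmp"),
        "step2_web_to_app_icmp": fab.is_allowed("web", "app", "icmp"),
        "step2_web_to_app_ssh": fab.is_allowed("web", "app", "tcp", 22),
    }
    add_ssh_entry(fab)
    results["step5_web_to_app_ssh"] = fab.is_allowed("web", "app", "tcp", 22)
    results["web_to_app_http"] = fab.is_allowed("web", "app", "tcp", 80)   # still denied
    return results


if __name__ == "__main__":
    for check, allowed in run_lab_steps().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Run it and the output follows the lab: intra-EPG ICMP and inter-EPG ICMP are allowed, SSH is denied until the "ssh" row is added, and a port the filter never mentions (TCP 80 here) stays denied afterwards, which is the default-deny property the white-list model gives you.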

Step 5 - Confirm ssh is working

Now that we have created the SSH filter entry, it is time to verify that everything is working and that we are able to connect from POD01-WEB-SRV-01 to POD01-APP-SRV.


ssh 172.16.1.2

root@pod01-web-srv-01 ~]#ssh 172.16.1.2
The authenticity of host '172.16.1.2 (172.16.1.2)' can't be established.
ECDSA key fingerprint is SHA256:N3KZyZgdzVOYr/lh8sam+9M7EPKkzDXzE4l6QnFTFIo.
ECDSA key fingerprint is MD5:ef:99:2d:95:da:11:12:35:e7:8c:fd:89:0a:c6:9a:0d.
Are you sure you want to continue connecting (yes/no)?

As you can see we are able to connect to the POD01-APP-SRV.

NOTE: The password is cisco.123. Once you have confirmed that you are in POD01-APP-SRV, make sure you exit.


exit

Step 6 - Check Outside connectivity to the POD01-WEB-SRV-01

We have confirmed connectivity between our VMs within the ACI fabric. Our next step is to verify that outside users are able to connect to POD01-WEB-SRV-01. Before we check, let's download an image to POD01-WEB-SRV-01 in order to verify connectivity.


wget -O /var/www/localhost/htdocs/LTRACI-2143.jpg \
http://repo.ecatsrtpdmz.cisco.com/nfs/LTRACI-2143/LTRACI-2143.jpg

After the image has been downloaded we need to start the httpd process in our server.


    /etc/init.d/apache2 start

Let's verify the httpd process has started correctly.

Step 7 - Connect to the Web Server 10.0.144.2

Now the connection from the outside to the inside of ACI should be working.

Please click on the following URL to verify:

http://10.0.144.2/LTRACI-2143.jpg

Congratulations, you have created your first ACI connection to the External Network!!!