Now that we have the ACI fabric and the VMs running, it is time to test the connectivity between the VMs and the outside world. In this section, we will apply some ACI concepts related to contracts and how they work within an EPG and between EPGs.
It is important to remember that ACI is a white list policy model: hosts in different EPGs will not be able to communicate with each other unless there is a contract defined between them. This behavior can be changed through several options that ACI offers. For example, you could leverage what is called the "Preferred Group", which the admin user creates so that the different EPGs in it are able to communicate. By leveraging this method, users can reduce the number of contracts in the system and keep the operational model of a standard switch.
It is important during this step to make sure that you are on the correct host.
During this step we will be performing a test in order to verify that POD01-WEB-SRV-01 is able to communicate with POD01-WEB-SRV-02.
Make sure you are in POD01-WEB-SRV-01. From POD01-WEB-SRV-01 we are going to ping POD01-WEB-SRV-02.
Using the same browser SSH client, click on the icon on the left to connect to this Linux server. Username: root and Password: cisco.123
ping 10.0.144.3 -c 3
[root@pod01-web-srv-01 ~]# ping 10.0.144.3 -c 3
PING 10.0.144.3 (10.0.144.3) 56(84) bytes of data.
64 bytes from 10.0.144.3: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.3: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.3: icmp_seq=3 ttl=64 time=0.164 ms
--- 10.0.144.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.164/0.177/0.193/0.012 ms
As you can see, POD01-WEB-SRV-01 is able to ping POD01-WEB-SRV-02. This is because hosts in the same EPG are allowed to communicate freely within the EPG. Cisco ACI has mechanisms to disallow this, which we will discuss in the following section.
During this step we will test connectivity between POD01-WEB-SRV-01 and POD01-APP-SRV.
Make sure that you are in POD01-WEB-SRV-01. From POD01-WEB-SRV-01 we are going to ping POD01-APP-SRV.
ping 172.16.1.2 -c 3
[root@pod01-web-srv-01 ~]# ping 172.16.1.2 -c 3
PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=0.162 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=0.156 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.158 ms
--- 172.16.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.156/0.158/0.162/0.014 ms
As you can see, we can ping between POD01-WEB-SRV-01 and POD01-APP-SRV.
Now let's try to SSH to POD01-APP-SRV from POD01-WEB-SRV-01.
ssh 172.16.1.2
Don't open a P1... This is a lab... This is working as expected :-)
If you recall, in the previous section we created a contract between POD01-WEB-SRV-01 and POD01-APP-SRV with a filter only allowing ICMP. Therefore, because of this filter, only ICMP traffic is allowed. Now we need to add a filter to allow SSH traffic.
Click to open a new window into the ACI Fabric Controller, which is located at 10.0.226.41.
In order to verify the contract we need to go to the aci_p01_ap Application Profile and navigate to:
Once you have clicked on Topology you should see the following topology of your Application Profile. If you hover your mouse over the contract aci_p01_con, you should see the contract and the filter we created in the previous section to allow ICMP.
Now we understand why POD01-WEB-SRV-01 and POD01-APP-SRV are able to ping each other but not able to SSH: we need to add the SSH filter. To add the filter to our contract, navigate to:
It is time to add SSH to our filter. This is a very similar process to adding an Access List to your network devices. We need to add the SSH port number as the Destination Port in our filter. We know SSH uses TCP port 22. Follow these instructions to accomplish this:
Now that we have created the SSH filter, it is time to verify that everything is working and that we are able to connect from POD01-WEB-SRV-01 to POD01-APP-SRV.
ssh 172.16.1.2
[root@pod01-web-srv-01 ~]# ssh 172.16.1.2
The authenticity of host '172.16.1.2 (172.16.1.2)' can't be established.
ECDSA key fingerprint is SHA256:N3KZyZgdzVOYr/lh8sam+9M7EPKkzDXzE4l6QnFTFIo.
ECDSA key fingerprint is MD5:ef:99:2d:95:da:11:12:35:e7:8c:fd:89:0a:c6:9a:0d.
Are you sure you want to continue connecting (yes/no)?
As you can see, we are able to connect to POD01-APP-SRV.
NOTE: The password is cisco.123. Once you have confirmed that you are in POD01-APP-SRV, make sure you exit.
exit
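To make the white list behavior we just verified concrete, here is a small Python model of the policy decision (an added example, not Cisco code and not part of the original lab): EPGs, a contract carrying filter entries, the Preferred Group and intra-EPG isolation. The EPG names web and app and the FilterEntry/Fabric classes are assumptions; the contract name aci_p01_con and the host names are the lab's. It simplifies real ACI to a stateless consumer-to-provider check.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FilterEntry:
    """One entry of an ACI filter: IP protocol plus a destination port range (assumed model)."""
    protocol: str                # "icmp", "tcp", "udp" or "unspecified"
    dport_from: int = 0          # 0..65535 = any destination port
    dport_to: int = 65535

    def matches(self, protocol: str, dport: int) -> bool:
        if self.protocol not in ("unspecified", protocol):
            return False
        return self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    name: str
    entries: list = field(default_factory=list)   # the contract's filter entries


@dataclass
class Fabric:
    epg_of: dict                                   # host name -> EPG name
    contracts: dict = field(default_factory=dict)  # (consumer EPG, provider EPG) -> Contract
    preferred_group: set = field(default_factory=set)   # EPGs allowed to talk without a contract
    isolated_epgs: set = field(default_factory=set)     # EPGs with intra-EPG isolation enforced

    def allowed(self, src: str, dst: str, protocol: str, dport: int = 0) -> bool:
        s, d = self.epg_of[src], self.epg_of[dst]
        if s == d:                       # same EPG is open by default unless isolated
            return s not in self.isolated_epgs
        if s in self.preferred_group and d in self.preferred_group:
            return True                  # Preferred Group removes the need for a contract
        contract = self.contracts.get((s, d))
        if contract is None:
            return False                 # white list model: no contract means deny
        return any(e.matches(protocol, dport) for e in contract.entries)


def lab_fabric() -> Fabric:
    """Lab state after the previous section: aci_p01_con permits only ICMP from web to app."""
    fabric = Fabric(epg_of={"POD01-WEB-SRV-01": "web", "POD01-WEB-SRV-02": "web",
                            "POD01-APP-SRV": "app"})
    fabric.contracts[("web", "app")] = Contract("aci_p01_con", [FilterEntry("icmp")])
    return fabric


def add_ssh_filter(fabric: Fabric) -> None:
    """The change made in this section: add TCP destination port 22 to the contract's filter."""
    fabric.contracts[("web", "app")].entries.append(FilterEntry("tcp", 22, 22))
```

Calling `lab_fabric()` and checking `allowed("POD01-WEB-SRV-01", "POD01-APP-SRV", "tcp", 22)` before and after `add_ssh_filter()` reproduces the failed and then successful SSH attempt above.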
We confirmed that we have connectivity between our VMs within the ACI fabric. Our next step is to verify that outside users are able to connect to POD01-WEB-SRV-01. Before we check, let's download an image to POD01-WEB-SRV-01 in order to verify connectivity.
wget -O /var/www/localhost/htdocs/LTRACI-2143.jpg \
http://repo.ecatsrtpdmz.cisco.com/nfs/LTRACI-2143/LTRACI-2143.jpg
After the image has been downloaded, we need to start the httpd process on our server.
/etc/init.d/apache2 start
Let's verify the httpd process has started correctly.
Now the connection from outside to inside the ACI fabric should be working.
Please click on the following URL to verify:
http://10.0.144.2/LTRACI-2143.jpg
Congratulations, you have created your first ACI connection to the External Network!!!