Now that we have the ACI fabric and the VMs running, it is time to test the connectivity between the VMs and theoutside world. In this section, we will apply some ACI concepts related to contracts and how they work within an EPG, and between an EPG.

It is important to remember that ACI is a white list policy model where Hosts in different EPG will not be able to communicate between each other unless there is a contract defined between them. This behavior could be changed by implementing many different options that ACI has. For example, you could leverage what is called the "Preferred Group", where the user admin and create this configuration in order for the different EPGs to be able to communicate. By leveraging this method, users can reduce the numbers of contracts in the system and can keep the operational model of a standard switch.

Step 1 - Connectivity within the same EPG

During this step we will be performing a test in order to verify that POD10-WEB-SRV-01 is able to communicate with POD10-WEB-SRV-02.

Make sure you are in POD10-WEB-SRV-01. From POD10-WEB-SRV-01 we are going to ping POD10-WEB-SRV-02

ping 10.0.144.75 -c 3

root@pod10-web-srv-01 ~]#ping 10.0.144.75 -c 3
PING 10.0.144.75 (10.0.144.755) 56(84) bytes of data.
64 bytes from 10.0.144.75: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.75: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.75: icmp_seq=3 ttl=64 time=0.164 ms

--- 10.0.144.75 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.164/0.177/0.193/0.012 ms

As you can see POD10-WEB-SRV-01 is able to ping POD10-WEB-SRV-02. This is because hosts in the same EPG are allowed to communicate freely within the EPG. Cisco ACI has mechanisms not to allow this that we will discuss the following section

Step 2 - Connectivity between different EPGs

During this step we will test connectivity between POD10-WEB-SRV-01 and POD10-APP-SRV

Make sure that you are in POD10-WEB-SRV-01. From POD10-WEB-SRV-01 we are going to ping POD10-APP-SRV

ping 172.16.1.2 -c 3

root@pod10-web-srv-01 ~]#ping 172.16.1.2 -c 3
PING 172.16.1.2 (172.16.1.25) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=0.162 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=0.156 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.158 ms

--- 172.16.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.156/0.158/0.162/0.014 ms

As you can see, we can ping between POD10-WEB-SRV-01 and POD10-APP-SRV.

Now let's try to ssh to POD10-APP-SRV from POD10-WEB-SRV-01.

ssh 172.16.1.2

If you recall in the previous section we created a contract between POD10-WEB-SRV-01 and POD10-APP-SRV with a filter only allowing icmp. Therefore, because of this filter only ICMP is allowed to communicate. Now we need to add a filter to allow ssh traffic.

Step 3 - Check ACI contract

Click to open new window into the ACI Fabric Controller which is located at 10.0.226.42.

In order to verify the contract we need to go to the aci_p10_ap, navigate to:

1. Your Tenant - aci_p10_tenant
2. Expand Tenant aci_p10_tenant
3. Expand Application Profiles
4. Click aci_p10_ap
5. Click on Topology

Once you have clicked on Topology you should see the following topology of your Application Profile. If you hover your mouse over the contract aci_p10_con, you should see the contract and the filter we created in the previous section in order to allow icmp.

Step 4 - Add SSH to the filter

Now that we understand why POD10-WEB-SRV-01 and POD10-APP-SRV are able to ping each other but not able to ssh. We need to add the ssh filter. To add the filter to our contract, navigate to:

1. Your Tenant - aci_p10_tenant
2. Expand Tenant aci_p10_tenant
3. Contracts
4. Filters
5. Expand aci_p10_fil
6. Click on the Plus (+) Sign

It is time to add ssh to our filter. This is a very similar process as you have been doing in the past when adding an Access List to your network devices. We need to add the port number of ssh to the Destination Port in our filter. We know ssh uses TCP Port 22. Follow these instructions to accomplish this:

1. Name = ssh
2. EtherType = IP
3. IP Protocol = TCP
4. Destination Port Range From To = 22
5. Click on Update
6. Click on Submit

Step 5 - Confirm ssh is working

Now that we have created the ssh filter is time to verify that everything working and we are able to connect from POD10-WEB-SRV-01 to POD10-APP-SRV

ssh 172.16.1.2

root@pod10-web-srv-01 ~]#ssh 172.16.1.2
The authenticity of host '172.16.1.2 (172.16.1.2)' can't be established.
ECDSA key fingerprint is SHA256:N3KZyZgdzVOYr/lh8sam+9M7EPKkzDXzE4l6QnFTFIo.
ECDSA key fingerprint is MD5:ef:99:2d:95:da:11:12:35:e7:8c:fd:89:0a:c6:9a:0d.
Are you sure you want to continue connecting (yes/no)?

As you can see we are able to connect to the POD10-APP-SRV.

NOTE: The password is cisco.123. Once you have confirmed that you are in POD10-APP-SRV, make sure you exit.

exit

Step 6 - Check Outside connectivity to the POD10-WEB-SRV-01

We confirmed that we are able to have connectivity between our VM's within the ACI fabric. Our next step is to verify outside users are able to connect to the POD10-WEB-SRV-01. Before we check, let's download an image to our POD10-WEB-SRV-01 in order to verify connectivity..

wget -O /var/www/localhost/htdocs/LTRACI-2143.jpg \
http://repo.ecatsrtpdmz.cisco.com/nfs/LTRACI-2143/LTRACI-2143.jpg

After the image has been downloaded we need to start the httpd process in our server.

    /etc/init.d/apache2 start

Let's verify the httpd process has started correctly.

Step 7 - Connect to the Web Server 10.0.144.74

Now the connection from the outside to inside ACI should be working

Please click on the following URL to verify:

http://10.0.144.74/LTRACI-2143.jpg

Congratulations you have created your first ACI connection to the External Network!!!