Now that we have the ACI fabric and the VMs running, it is time to test the connectivity between the VMs and theoutside world. In this section, we will apply some ACI concepts related to contracts and how they work within an EPG, and between an EPG.

It is important to remember that ACI is a white list policy model where Hosts in different EPG will not be able to communicate between each other unless there is a contract defined between them. This behavior could be changed by implementing many different options that ACI has. For example, you could leverage what is called the "Preferred Group", where the user admin and create this configuration in order for the different EPGs to be able to communicate. By leveraging this method, users can reduce the numbers of contracts in the system and can keep the operational model of a standard switch.

Step 1 - Connectivity within the same EPG

During this step we will be performing a test in order to verify that POD03-WEB-SRV-01 is able to communicate with POD03-WEB-SRV-02.

Make sure you are in POD03-WEB-SRV-01. From POD03-WEB-SRV-01 we are going to ping POD03-WEB-SRV-02

ping 10.0.144.19 -c 3

root@pod03-web-srv-01 ~]#ping 10.0.144.19 -c 3
PING 10.0.144.19 (10.0.144.195) 56(84) bytes of data.
64 bytes from 10.0.144.19: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.0.144.19: icmp_seq=2 ttl=64 time=0.193 ms
64 bytes from 10.0.144.19: icmp_seq=3 ttl=64 time=0.164 ms

--- 10.0.144.19 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.164/0.177/0.193/0.012 ms

As you can see POD03-WEB-SRV-01 is able to ping POD03-WEB-SRV-02. This is because hosts in the same EPG are allowed to communicate freely within the EPG. Cisco ACI has mechanisms not to allow this that we will discuss the following section

Step 2 - Connectivity between different EPGs

During this step we will test connectivity between POD03-WEB-SRV-01 and POD03-APP-SRV

Make sure that you are in POD03-WEB-SRV-01. From POD03-WEB-SRV-01 we are going to ping POD03-APP-SRV

ping 172.16.1.2 -c 3

root@pod03-web-srv-01 ~]#ping 172.16.1.2 -c 3
PING 172.16.1.2 (172.16.1.25) 56(84) bytes of data.
64 bytes from 172.16.1.2: icmp_seq=1 ttl=63 time=0.162 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=63 time=0.156 ms
64 bytes from 172.16.1.2: icmp_seq=3 ttl=63 time=0.158 ms

--- 172.16.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.156/0.158/0.162/0.014 ms

As you can see, we can ping between POD03-WEB-SRV-01 and POD03-APP-SRV.

Now let's try to ssh to POD03-APP-SRV from POD03-WEB-SRV-01.

ssh 172.16.1.2

If you recall in the previous section we created a contract between POD03-WEB-SRV-01 and POD03-APP-SRV with a filter only allowing icmp. Therefore, because of this filter only ICMP is allowed to communicate. Now we need to add a filter to allow ssh traffic.

Step 3 - Check ACI contract

Click to open new window into the ACI Fabric Controller which is located at 10.0.226.41.

In order to verify the contract we need to go to the aci_p03_ap, navigate to:

1. Your Tenant - aci_p03_tenant
2. Expand Tenant aci_p03_tenant
3. Expand Application Profiles
4. Click aci_p03_ap
5. Click on Topology

Once you have clicked on Topology you should see the following topology of your Application Profile. If you hover your mouse over the contract aci_p03_con, you should see the contract and the filter we created in the previous section in order to allow icmp.

Step 4 - Add SSH to the filter

Now that we understand why POD03-WEB-SRV-01 and POD03-APP-SRV are able to ping each other but not able to ssh. We need to add the ssh filter. To add the filter to our contract, navigate to:

1. Your Tenant - aci_p03_tenant
2. Expand Tenant aci_p03_tenant
3. Contracts
4. Filters
5. Expand aci_p03_fil
6. Click on the Plus (+) Sign

It is time to add ssh to our filter. This is a very similar process as you have been doing in the past when adding an Access List to your network devices. We need to add the port number of ssh to the Destination Port in our filter. We know ssh uses TCP Port 22. Follow these instructions to accomplish this:

1. Name = ssh
2. EtherType = IP
3. IP Protocol = TCP
4. Destination Port Range From To = 22
5. Click on Update
6. Click on Submit

Step 5 - Confirm ssh is working

Now that we have created the ssh filter is time to verify that everything working and we are able to connect from POD03-WEB-SRV-01 to POD03-APP-SRV

ssh 172.16.1.2

root@pod03-web-srv-01 ~]#ssh 172.16.1.2
The authenticity of host '172.16.1.2 (172.16.1.2)' can't be established.
ECDSA key fingerprint is SHA256:N3KZyZgdzVOYr/lh8sam+9M7EPKkzDXzE4l6QnFTFIo.
ECDSA key fingerprint is MD5:ef:99:2d:95:da:11:12:35:e7:8c:fd:89:0a:c6:9a:0d.
Are you sure you want to continue connecting (yes/no)?

As you can see we are able to connect to the POD03-APP-SRV.

NOTE: The password is cisco.123. Once you have confirmed that you are in POD03-APP-SRV, make sure you exit.

exit

Step 6 - Check Outside connectivity to the POD03-WEB-SRV-01

We confirmed that we are able to have connectivity between our VM's within the ACI fabric. Our next step is to verify outside users are able to connect to the POD03-WEB-SRV-01. Before we check, let's download an image to our POD03-WEB-SRV-01 in order to verify connectivity..

wget -O /var/www/localhost/htdocs/LTRACI-2143.jpg \
http://repo.ecatsrtpdmz.cisco.com/nfs/LTRACI-2143/LTRACI-2143.jpg

After the image has been downloaded we need to start the httpd process in our server.

    /etc/init.d/apache2 start

Let's verify the httpd process has started correctly.

Step 7 - Connect to the Web Server 10.0.144.18

Now the connection from the outside to inside ACI should be working

Please click on the following URL to verify:

http://10.0.144.18/LTRACI-2143.jpg

Congratulations you have created your first ACI connection to the External Network!!!