Configuring Cisco ACI Sites

Pod Profile and Policy Group

In each site's APIC, you must have one POD profile with a POD policy group. If your site does not have a POD policy group you must create one. Typically, these settings will already exist as you will have configured them when you first deployed the fabric.

Procedure

Step 1

Log in to the site's APIC GUI.
Step 2

Check that the POD profile contains a POD policy group.

Navigate to Fabric > Fabric Policies > Pods > Profiles > Pod Profile default.

Step 3

If necessary, create a POD policy group.

  1. Navigate to Fabric > Fabric Policies > Pods > Policy Groups.

  2. Right-click Policy Groups and select Create Pod Policy Group.

  3. Enter the appropriate information and click Submit.

Step 4

Assign the new POD policy group to the default POD profile.

  1. Navigate to Fabric > Fabric Policies > Pods > Profiles > Pod Profile default

  2. Select the default profile.

  3. Choose the new pod policy group and click Update.

Configuring Fabric Access Policies for All APIC Sites

Before your APIC fabrics can be added to and managed by the Multi-Site Orchestrator, there is a number of fabric-specific access policies that you must configure on each site.

Configuring Fabric Access Global Policies

This section describes the global fabric access policy configurations that must be created for each APIC site before it can be added to and managed by the Multi-Site Orchestrator.

Procedure

Step 1

Log in directly to the site's APIC GUI.
Step 2

From the main navigation menu, select Fabric > Access Policies.

You must configure a number of fabric policies before the site can be added to the Multi-Site Orchestrator. From the APIC's perspective, this is something you do just like you would if you were connecting a bare-metal host, where you would configure domains, AEPs, policy groups, and interface selectors; you must configure the same options for connecting the spine switch interfaces to the inter-site network for all the sites that will be part of the same Multi-Site domain.

Step 3

Specify the VLAN pool.

The first thing you configure is the VLAN pool. We use Layer 3 sub-interfaces tagging traffic with VLAN-4 to connect the spine switches to the inter-site network.

  1. In the left navigation tree, browse to Pools > VLAN.

  2. Right-click the VLAN category and choose Create VLAN Pool.

    In the Create VLAN Pool window, specify the following:

    • For the Name field, specify the name for the VLAN pool, for example msite.

    • For Allocation Mode, specify Static Allocation.

    • And for the Encap Blocks, specify just the single VLAN 4. You can specify a single VLAN by entering the same number in both Range fields.

Step 4

Configure Attachable Access Entity Profiles (AEP).

  1. In the left navigation tree, browse to Global Policies > Attachable Access Entity Profiles.

  2. Right-click the Attachable Access Entity Profiles category and choose Create Attachable Access Entity Profiles.

    In the Create Attachable Access Entity Profiles window, specify the name for the AEP, for example msite-aep.

  3. Click Next and Submit

    No additional changes, such as interfaces, are required.
Step 5

Configure domain.

The domain you configure is what you will select from the Multi-Site Orchestrator when adding this site.

  1. In the left navigation tree, browse to Physical and External Domains > External Routed Domains.

  2. Right-click the External Routed Domains category and choose Create Layer 3 Domain.

    In the Create Layer 3 Domain window, specify the following:

    • For the Name field, specify the name the domain, for example msite-l3.

    • For Associated Attachable Entity Profile, select the AEP you created in Step 4.

    • For the VLAN Pool, select the VLAN pool you created in Step 3.

  3. Click Submit.

    No additional changes, such as security domains, are required.

What to do next

After you have configured the global access policies, you must still add interfaces policies as described in Configuring Fabric Access Interface Policies.

Configuring Fabric Access Interface Policies

This section describes the fabric access interface configurations that must be done for the Multi-Site Orchestrator on each APIC site.

Before you begin

You must have configured the global fabric access policies, such as VLAN Pool, AEP, and domain, in the site's APIC, as described in Configuring Fabric Access Global Policies.

Procedure

Step 1

Log in directly to the site's APIC GUI.
Step 2

From the main navigation menu, select Fabric > Access Policies.

In addition to the VLAN, AEP, and domain you have configured in previous section, you must also create the interface policies for the fabric's spine switch interfaces that connect to the Inter-Site Network (ISN).

Step 3

Configure a spine policy group.

  1. In the left navigation tree, browse to Interface Policies > Policy Groups > Spine Policy Groups.

    This is similar to how you would add a bare-metal server, except instead of a Leaf Policy Group, you are creating a Spine Policy Group.

  2. Right-click the Spine Policy Groups category and choose Create Spine Access Port Policy Group.

    In the Create Spine Access Port Policy Group window, specify the following:

    • For the Name field, specify the name for the policy group, for example Spine1-PolGrp.

    • For the Link Level Policy field, specify the link policy used between your spine switch and the ISN.

    • For CDP Policy, choose whether you want to enable CDP.

    • For the Attached Entity Profile, select the AEP you have configured in previous section, for example msite-aep.

  3. Click Submit.

    No additional changes, such as security domains, are required.
Step 4

Configure a spine profile.

  1. In the left navigation tree, browse to Interface Policies > Profiles > Spine Profiles.

  2. Right-click the Spine Profiles category and choose Create Spine Interface Profile.

    In the Create Spine Interface Profile window, specify the following:

    • For the Name field, specify the name for the profile, for example Spine1-ISN.

    • For Interface Selectors, click the + sign to add the port on the spine switch that connects to the ISN. Then in the Create Spine Access Port Selector window, provide the following:

      • For the Name field, specify the name for the port selector, for example Spine1-ISN.

      • For the Interface IDs, specify the switch port that connects to the ISN, for example 5/32.

      • For the Interface Policy Group, choose the policy group you created in the previous step, for example Spine1-PolGrp.

      Then click OK to save the port selector.

  3. Click Submit to save the spine interface profile.

Step 5

Configure a spine switch selector policy.

  1. In the left navigation tree, browse to Switch Policies > Profiles > Spine Profiles.

  2. Right-click the Spine Profiles category and choose Create Spine Profile.

    In the Create Spine Profile window, specify the following:

    • For the Name field, specify the name for the profile, for example Spine1.

    • For Spine Selectors, click the + to add the spine and provide the following:

      • For the Name field, specify the name for the selector, for example Spine1.

      • For the Blocks field, specify the spine node, for example 201.

  3. Click Update to save the selector.

  4. Click Next to proceed to the next screen.

  5. Select the interface profile you have created in the previous step

    For example Spine1-ISN.

  6. Click Finish to save the spine profile.

Configuring Sites That Contain Remote Leaf Switches

Starting with Release 2.1(2), the Multi-Site architecture supports APIC sites with Remote Leaf switches. The following sections describe guidelines, limitations, and configuration steps required to allow Multi-Site Orchestrator to manage these sites.

Remote Leaf Guidelines and Limitations

If you want to add an APIC site with a Remote Leaf to be managed by the Multi-Site Orchestrator, the following restrictions apply:

  • You must upgrade your Cisco APIC to Release 4.2(4) or later.

  • Only physical Remote Leaf switches are supported in this release

  • Only -EX and -FX or later switches are supported as Remote Leaf switches for use with Multi-Site

  • Remote Leaf is not supported with back-to-back connected sites without IPN switches

  • Remote Leaf switches in one site cannot use another site's L3Out

  • Stretching a bridge domain between one site and a Remote Leaf in another site is not supported

You must also perform the following tasks before the site can be added to and managed by the Multi-Site Orchestrator:

  • You must enable Remote Leaf direct communication and configure routable subnets directly in the site's APIC, as described in the following sections.

  • You must add the routable IP addresses of Cisco APIC nodes in the DHCP-Relay configuration applied on the interfaces of the Layer 3 routers connecting to the Remote Leaf switches.

    The routable IP address of each APIC node is listed in the Routable IP field of the System > Controllers > <controller-name> screen of the APIC GUI.

Configuring Routable Subnets for Remote Leaf Switches

Before you can add a site that contains one or more Remote Leaf switches to the Multi-Site Orchestrator, you must configure routable subnets for the pod with which the Remote Leaf nodes are associated.

Procedure

Step 1

Log in directly to the site's APIC GUI.

Step 2

From the menu bar, select Fabric > Inventory.

Step 3

In the Navigation pane, click Pod Fabric Setup Policy.

Step 4

In the main pane, double-click the pod where you want to configure the subnets.
Step 5

In the Routable Subnets area, click the + sign to add a subnet.

Step 6

Enter the IP and Reserve Address Count, set the state to Active or Inactive, then click Update to save the subnet.

When configuring routable subnets, you must provide a netmask between /22 and /29.

Step 7

Click Submit to save the configuration.

Enabling Direct Communication for Remote Leaf Switches

Before you can add a site that contains one or more Remote Leaf switches to the Multi-Site Orchestrator, you must configure direct remote leaf communication for that site. Additional information about remote leaf direct communication feature is available in the Cisco APIC Layer 3 Networking Configuration Guide. This section outlines the steps and guidelines specific to the integration with Multi-Site.


Note

Once you enable Remote Leaf switch direct communication, the switches will function in the new mode only

Procedure

Step 1

Log in directly to the site's APIC.

Step 2

Enable direct traffic forwarding for Remote Leaf switches.

  1. From the menu bar, navigate to System > System Settings.

  2. From the left side bar, select Fabric Wide Setting.

  3. Check the Enable Remote Leaf Direct Traffic Forwarding checkbox.

    Note 

    You cannot disable this option after you enable it.

  4. Click Submit to save the changes.

Cisco Mini ACI Fabrics

Cisco Multi-Site supports Cisco Mini ACI fabrics as typical on-premises sites without requiring any additional configuration. This section provides a brief overview of Mini ACI fabrics, detailed info on deploying and configuring this type of fabrics is available in Cisco Mini ACI Fabric and Virtual APICs.

Cisco ACI, Release 4.0(1) introduced Mini ACI Fabric for small scale deployment. Mini ACI fabric works with Cisco APIC cluster consisting of one physical APIC and two virtual APICs (vAPIC) running in virtual machines. This reduces the physical footprint and cost of the APIC cluster, allowing ACI fabric to be deployed in scenarios with limited rack space or initial budget, such as a colocation facility or a single-room data center, where a full-scale ACI installations may not be practical due to physical footprint or initial cost.

The following diagram shows an example of a mini Cisco ACI fabric with a physical APIC and two virtual APICs (vAPICs):

Figure 1. Cisco Mini ACI Fabric