Configuring Cisco ACI

This topic provides information about the Pod and Container Management (PCM) changes and the requirements to support the management of Cisco Application Centric Infrastructure (ACI) using BMC Network Automation as part of a BMC Cloud Lifecycle Management implementation.

• Overview of the Cisco ACI environment
• Mapping of Cisco ACI components to device adapters
• Supported use cases
• Making configuration changes through injection templates
• Pod requirements
• Container management
• Sample pod and container blueprints

Cisco ACI is compatible with BMC Cloud Lifecycle Management 4.6.05 and later, BMC Network Automation 8.9.01 and later, and BMC Server Automation 8.9 Service Pack 1 Rolling Update 2 or later. For more information about BMC Server Automation 8.9 Service Pack 1 Rolling Update 2, see the knowledge article 000142444.

Overview of the Cisco ACI environment

Cisco ACI automates IT tasks, accelerates data center application deployments by using a software defined networking (SDN) policy model across networks, servers, storage, security and services. This policy-based automation solution supports a business-relevant application policy language, greater scalability through a distributed enforcement system, and greater network visibility.

A tenant in Cisco ACI acts as a logical container for application policies that enable an administrator to implement domain-based access control. A tenant represents a unit of isolation from a policy perspective, but it does not represent a private network. For example, tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies.

Mapping of Cisco ACI components to device adapters

BMC Network Automation uses REST API calls to communicate with Cisco API Controller (APIC) and performs GET, POST, PUT, and DELETE operations in order to get, add, modify, or delete Cisco configurations. BMC Network Automation supports the following device adapters for Cisco ACI components. These adapters access APIC to manage specific components.

• Cisco ACI: In BMC Network Automation, Cisco ACI controller is represented as a device of type Cisco ACI, whose address is the IP address of the Cisco ACI controller. When BMC Network Automation captures a snapshot of its configuration, it captures a copy of the entire Cisco ACI model. The device type manages the complete ACI system.
• Cisco ACI-Tenant: An individual tenant within Cisco ACI is represented in BMC Network Automation as a device of type Cisco ACI-Tenant. This device adapter supports multiple-security context, where Context Name is represented as Tenant name. Snapshot of the Device with Admin security context type captures configuration of the built-in tenant named "mgmt", whereas snapshot of device with System security context captures configuration of built-in tenant named "common". Snapshot of the Device with User-Defined security context type captures configuration of respective tenant as populated in user-defined security context name.

Supported use cases

In order to make traffic flow from workload VMs to external network and vice versa, an External Routed Network is needed. L3-Out can be used in the following ways to provide external network connectivity:

• Dedicated L3-Out per network container: A dedicated External Routed Network is created per tenant/network container. External Routed network has SVI interface for Layer 3 Routing with External Router, as shown in the following figure:
  
  
• Shared L3-Out between multiple Network Container: If Customer already has existing L3-OUT or External Routed Network in Tenant Common and want to use the same for Network Containers. BNA supports this use-case.
  

Back to top

Making configuration changes through injection templates

You can push configuration changes to all the Cisco ACI device types through injection templates. Injection templates are templates whose contents are an XML snippet of the same form that is used in device commands within the device adapters. When you push the template through a Deploy to Active operation, the snippet is inserted in place of the injectTemplate tag within the device adapter, and interpreted at run time. This allows you to embed REST API style interactions within the XML snippet, to make changes to a device that does not support CLI-based commands. For more information, see Using injection templates to change device configuration.

Pod requirements

Before you start creating a Cisco ACI POD, ensure that the following prerequisites are met:

• Create a VMM domain.
• After connecting the External Router with the ACI Leaf, add an External Routed domain.

• While adding pod nodes, they must be assigned particular node types and host devices with particular device types, which are added in BMC Network Automation as follows:

  Pod node	Node type	Device type of the host device
  ExternalRouter	Vanilla	Cisco IOS Switch/Router
  CiscoACIController	Vanilla	Cisco ACI
  Access	Hypervisor Switch	VMware dvSwitch

• Gather the values for the following attributes that you need to provide during pod creation:

  Attribute	Description	Steps to gather the value
  vmmDomainName	Virtual Machine Manager (VMM) domain registered for vCenter	Click the VM Networking tab. Under VMware node, first node is VMM domain name. In this example, vw-aus-bcan-vc1 is the vmmDomainName.
  vlanPoolNameAttachedToVMMDomain	VLAN pool attached to the VMM domain This VLAN pool is used to provision customer networks. Each customer network consumes one VLAN from the pod VLAN pool. While provisioning a customer network, BMC Network Automation adds one VLAN to this VLAN pool.	Click the VMM domain name (vw-aus-bcan-vc1) that you obtained in a previous step. In the right pane, look for the VLAN Pool property. In this example, VLAN_POOL_DYNAMIC is the vlanPoolNameAttachedToVMMDomain.
  vlanPoolTypeAttachedToVMMDomain	Allocation mode of the VLAN pool It can be static or dynamic. BMC Network Automaton needs to know the type of allocation mode used. The type can be any, but BMC Network Automation adds VLAN to this pool as static allocation.	Click the icon next to the VLAN Pool property. On the Properties page, look for the Allocation Mode property. In this example, Dynamic Allocation is the vlanPoolTypeAttachedToVMMDomain.
  mgmtPortGroupName	Management network port group name
  mtu	Maximum transmission unit By default, Nexus 9K supports a value of 9000. If the connected External Router supports any other value, provide that value.
  interfaceNameExternalRouter	Interface name of the External Router connected with the ACI Leaf. For example, G 0/0.
  physicalInterfaceNodePath	Path of the node connected to the External Router.	Click the Tenants tab. Click the common link. Under Tenant Common, go to Networking > External Routed Networks. Click the External Routed Network which is shared among multiple tenants or network containers. Expand Logical Node Profiles. Click the node that is connected to the External Router. In the right pane, under Nodes, look for Node ID. In this example, topology/pod-1/node-102 is the physicalInterfaceNodePath.
  physicalInterfacePath	Complete path of physical interface connected to the External Router	Click the Tenants tab. Click the common link. Under Tenant Common, expand Networking > External Routed Networks. Click the External Routed Network which is shared among multiple tenants or network containers. Expand Logical Node Profiles. Expand the physical interface node is connected to the External Router. Expand Logical Interface Profiles. Click the logical interface profile. In the right pane, under SVI, look for Path.  In this example, Node-102/eth 1/3 is the physicalInterfacePath.
  externalRoutedDomain	External routed domain name  After connecting the External Router with the ACI Leaf, an External Routed Domain needs to be added.	Click the Access Policies tab. Go to Physical and External Domains > External Routed Domains. In this example, DomainL3Out_RnD is the externalRoutedDomain.
  vlanPoolExternalName	VLAN pool attached to the External Routed Domain. Note: This pool is only for the external network, not for the customer networks.	Click the External Routed Domain (DomainL3Out_RnD) that you obtained in a previous step. In the right pane, look for the VLAN Pool property. In this example, Vlan19_for_RnD_L3Out is the vlanPoolExternalName.
  vlanPoolExternalType	Allocation mode of the VLAN pool used in the External Routed Domain It can be static or dynamic. BMC Network Automaton needs to know the type of allocation mode used. The type can be any, but BMC Network Automation adds VLAN to this pool as static allocation while adding External Routed Network.	Click the icon next to the VLAN Pool property. On the Properties page, look for the Allocation Mode property. In this example, Static Allocation is the vlanPoolExternalType.
  CommonSharedContractName	Required only when multiple tenants are sharing an External Routed Network A contract is a security entity which defines high level security filter between End Point Groups.	Click the Tenants tab. Click the common link. Under Tenant Common, expand Security Policies > Contracts. In this example, Global-Shared-Contract is the CommonSharedContractName.
  sharedL3Out	Name of the External Routed Network which is shared among multiple tenants or network containers. It is not required in case of a dedicated L3-out network containers.	Click the Tenants tab. Click the common link. Under Tenant Common, expand Networking > External Routed Networks. In this example, Shared-L3-OUT is the sharedL3Out.

  Back to top

Container management

This section describes the container requirements and the container provisioning sequence.

Container requirements

Before importing a container blueprint, ensure the container blueprint templates are added to the system before importing container blueprints.

Back to top

Provisioning sequence

The following sequence of actions are executed when an Cisco ACI container is provisioned:

1. A tenant is added using container name. One network container contains one tenant. The following figure shows a tenant named as Tenant CiscoACI11.
   
   
2. A VRF is added per tenant. VRF provides network traffic isolation. One tenant might be associated with multiple VRFs depending upon the environment you are using. BMC Network Automation sample content has one VRF per tenant.
   
3. A bridge domain is added per NIC segment. A bridge domain represents a Layer 2 forwarding construct within the fabric.
   
   
4. An application profile is added, which defines communication between Endpoint Groups (EPG).
   
5. One EPG is added per NIC segment. These are customer network EPGs where VMs are hosted.
   
6. External Routed Network is created. It is required for the communication between the EPGs and external world. In case of shared L3-Out, external network is not created.
   
   Using one Routed interface per Tenant might not be economical as one physical interface is also consumed. Sharing physical interface between multiple Tenants is more economical. Here, SVI interface is being used on the ACI side and Routed sub-interface on the Router side. 

Back to top

Sample pod and container blueprints

You can find sample pod and container blueprints and related templates in the BCAN_HOME\public\bmc\bca-networks\csm\samples\sampleWithCiscoACI directory on the BMC Network Automation application server. The directory contains the following types of blueprints:

• Bronze container blueprint
• Bronze container blueprint using dedicated L3-out
• Pod blueprint

Back to top