Cisco introduced an NX-OS-like CLI for the Cisco ACI solution with release 1.2(1i).
In this post I will demonstrate some of the things that can be achieved through the NX-OS CLI.
There is no safety net: if you issue something like ‘no tenant XXX’, the configuration is gone!
No commit, warning or similar!
The NX-OS-like CLI is the new default when you connect to the APIC via SSH:
    → ssh email@example.com
    Application Policy Infrastructure Controller
    firstname.lastname@example.org's password:
    apic1#
If you want to access the Linux CLI, you can get there with ‘bash’ and go back with ‘exit’:
    apic1# bash
    admin@apic1: ...
    admin@apic1: exit
    apic1#
Configure a Tenant, Application Profile and End Point Group
    apic1# configure
    apic1(config)# tenant nxos_cli
    apic1(config-tenant)# application app_1
    apic1(config-tenant-app)# epg epg_1
    apic1(config-tenant-app-epg)# exit
    apic1(config-tenant-app)# epg epg_2
    apic1(config-tenant-app-epg)# end
    ...
    apic1# show running-config tenant nxos_cli
    # Command: show running-config tenant nxos_cli
    # Time: Sun Dec 13 16:44:58 2015
      tenant nxos_cli
        application app_1
          epg epg_1
            exit
          epg epg_2
            exit
          exit
        exit
I’m sure that this configuration style is straightforward for all network engineers, and for some tasks I think this is a great way to get things done!
Example of adding a new Subnet to a VRF.
    apic1(config)# tenant nxos_cli
    apic1(config-tenant)# vrf context vrf_1
    apic1(config-tenant-vrf)# exit
    apic1(config-tenant)# bridge-domain bd_1
    apic1(config-tenant-bd)# vrf member vrf_1
    apic1(config-tenant-bd)# exit
    apic1(config-tenant)# interface bridge-domain bd_1
    apic1(config-tenant-interface)# ip address 172.20.20.1/24
Complete Tenant example
This is how one of my tenants looks in the CLI:
    tenant PoC
      vrf context Net_1
        contract enforce egress
        exit
      application SimpleWebServer
        epg sqlServers
          bridge-domain member BD_1
          contract provider mgmt_contract
          contract provider SQL_Contract
          vmware-domain member vmware_dom deploy immediate
          exit
        epg webServers
          bridge-domain member BD_1
          contract consumer SQL_Contract
          contract provider Web_Contract
          contract provider mgmt_contract
          vmware-domain member vmware_dom deploy immediate
          exit
        exit
      contract Allow_ANY
        subject Allow_ANY_Subj
          access-group IP_ANY both
          exit
        exit
      contract SQL_Contract
        subject SQL_Subject
          access-group SQL_Filter both
          exit
        exit
      contract Ubuntu_to_Ext
        subject external_con
          access-group IP_ANY in
          access-group IP_ANY out
          exit
        exit
      contract Web_Contract
        subject Web_Subject
          access-group Web_Filter both
          exit
        exit
      contract mgmt_contract
        subject allow_icmp
          access-group icmp both
          exit
        subject allow_ssh
          access-group filter_telnet both
          access-group ssh both
          exit
        exit
      external-l3 epg L3_Out:ext_all
        vrf member Net_1
        match ip 0.0.0.0/0
        contract consumer mgmt_contract
        contract consumer Web_Contract
        contract provider Ubuntu_to_Ext
        exit
      access-list DNS
        match udp dest 53
        exit
      access-list IP_ANY
        match raw ANY_TCP etherT ip prot 6 stateful yes
        match udp
        exit
      access-list SQL_Filter
        match tcp dest 3306
        exit
      access-list Web_Filter
        match tcp dest 80
        exit
      access-list filter_telnet
        match tcp dest 23
        exit
      access-list icmp
        match icmp
        exit
      access-list ssh
        match raw ssh dFromPort 22 dToPort 22 etherT ip prot 6 stateful yes
        exit
      bridge-domain BD_1
        arp flooding
        l2-unknown-unicast flood
        vrf member Net_1
        exit
      interface bridge-domain BD_1
        ip address 10.127.200.1/24 secondary scope public
        exit
      exit
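In a listing like the one above, a contract, its subjects and the access-lists they reference sit far apart, so it is hard to see what a contract actually permits. The following Python sketch is an added example, not code from the original post or from Cisco: it resolves each contract down to its match rules. The names `resolve`, `opens_block` and `OPENERS` are hypothetical, and the set of block-opening keywords is an assumption drawn only from the commands visible in this post.

```python
# Added example: resolve contract -> subject -> filter -> match rules from
# "show running-config tenant" style text. SAMPLE is an excerpt of tenant PoC.
SAMPLE = """\
tenant PoC
  contract mgmt_contract
    subject allow_ssh
      access-group filter_telnet both
      access-group ssh both
      exit
    exit
  access-list filter_telnet
    match tcp dest 23
    exit
  access-list ssh
    match raw ssh dFromPort 22 dToPort 22 etherT ip prot 6 stateful yes
    exit
  exit
"""
OPENERS = {"tenant", "application", "epg", "subject", "access-list",
           "interface", "external-l3"}    # assumption: keywords seen in this post

def opens_block(words, stack):
    """True if the line opens a sub-mode that a later 'exit' closes."""
    if words[0] == "vrf":
        return words[1:2] == ["context"]      # "vrf member X" is a leaf
    if words[0] == "bridge-domain":
        return words[1:2] != ["member"]       # "bridge-domain member X" is a leaf
    if words[0] == "contract":                # a block only directly under the tenant
        return bool(stack) and stack[-1][0] == "tenant"
    return words[0] in OPENERS

def resolve(config):
    """Return {contract: {subject: [(filter, direction, [match rules])]}}."""
    filters, refs, stack = {}, {}, []
    for words in (line.split() for line in config.splitlines()):
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "exit":
            del stack[-1:]                    # leave the current sub-mode
        elif opens_block(words, stack):
            stack.append((words[0], words[-1]))
        elif stack and words[0] == "match" and stack[-1][0] == "access-list":
            filters.setdefault(stack[-1][1], []).append(" ".join(words[1:]))
        elif (words[0] == "access-group" and len(words) > 2
              and len(stack) > 1 and stack[-1][0] == "subject"):
            subject = refs.setdefault(stack[-2][1], {}).setdefault(stack[-1][1], [])
            subject.append((words[1], words[2]))
    return {c: {s: [(f, d, filters.get(f, [])) for f, d in r]
                for s, r in subs.items()} for c, subs in refs.items()}
```

For the excerpt, `resolve(SAMPLE)["mgmt_contract"]["allow_ssh"]` lists both the `ssh` filter and `filter_telnet` (`tcp dest 23`), the kind of gap between a subject's name and its rules that is easy to miss in the flat listing.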