Cisco introduced a NX-OS like CLI for the Cisco ACI Solution with release 1.2(1i).
In this post i will demonstrate some of the things that can be achieved through the NX-OS CLI.
!Important!
There is no safety net, if you issue something like ’no tenant XXX’ the configuration is gone!
No commit, warning or similar!
!Important!
Basics
The NX-OS like CLI is the new default if you connect via SSH to the APIC
If you wan to access the Linux CLI you can go there through ‘bash’ and go back with ’exit’
1
2
3
4
5
6
7
8
|
apic1# bash
admin@apic1:
...
admin@apic1:
exit
apic1#
|
Configurations
Tenant
Configure a Tenant, Application Profile and End Point Group
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
apic1# configure
apic1(config)# tenant nxos_cli
apic1(config-tenant)# application app_1
apic1(config-tenant-app)# epg epg_1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# epg epg_2
apic1(config-tenant-app-epg)# end
...
apic1# show running-config tenant nxos_cli
# Command: show running-config tenant nxos_cli
# Time: Sun Dec 13 16:44:58 2015
tenant nxos_cli
application app_1
epg epg_1
exit
epg epg_2
exit
exit
exit
|
I’m sure that this configuration style is straight forward for all network engineers, and for some tasks i think this is a great way to get things done!
Networking
Example of adding a new Subnet to a VRF.
1
2
3
4
5
6
7
8
|
apic1(config)# tenant nxos_cli
apic1(config-tenant)# vrf context vrf_1
apic1(config-tenant-vrf)# exit
apic1(config-tenant)# bridge-domain bd_1
apic1(config-tenant-bd)# vrf member vrf_1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# interface bridge-domain bd_1
apic1(config-tenant-interface)# ip address 172.20.20.1/24
|
Complete Tenant example
This is how one of my tenants look in the CLI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
tenant PoC
vrf context Net_1
contract enforce egress
exit
application SimpleWebServer
epg sqlServers
bridge-domain member BD_1
contract provider mgmt_contract
contract provider SQL_Contract
vmware-domain member vmware_dom deploy immediate
exit
epg webServers
bridge-domain member BD_1
contract consumer SQL_Contract
contract provider Web_Contract
contract provider mgmt_contract
vmware-domain member vmware_dom deploy immediate
exit
exit
contract Allow_ANY
subject Allow_ANY_Subj
access-group IP_ANY both
exit
exit
contract SQL_Contract
subject SQL_Subject
access-group SQL_Filter both
exit
exit
contract Ubuntu_to_Ext
subject external_con
access-group IP_ANY in
access-group IP_ANY out
exit
exit
contract Web_Contract
subject Web_Subject
access-group Web_Filter both
exit
exit
contract mgmt_contract
subject allow_icmp
access-group icmp both
exit
subject allow_ssh
access-group filter_telnet both
access-group ssh both
exit
exit
external-l3 epg L3_Out:ext_all
vrf member Net_1
match ip 0.0.0.0/0
contract consumer mgmt_contract
contract consumer Web_Contract
contract provider Ubuntu_to_Ext
exit
access-list DNS
match udp dest 53
exit
access-list IP_ANY
match raw ANY_TCP etherT ip prot 6 stateful yes
match udp
exit
access-list SQL_Filter
match tcp dest 3306
exit
access-list Web_Filter
match tcp dest 80
exit
access-list filter_telnet
match tcp dest 23
exit
access-list icmp
match icmp
exit
access-list ssh
match raw ssh dFromPort 22 dToPort 22 etherT ip prot 6 stateful yes
exit
bridge-domain BD_1
arp flooding
l2-unknown-unicast flood
vrf member Net_1
exit
interface bridge-domain BD_1
ip address 10.127.200.1/24 secondary scope public
exit
exit
|
