Cisco ACI – NX-OS Style CLI

Posted on by richardstrnad

Cisco introduced a NX-OS like CLI for the Cisco ACI Solution with release 1.2(1i).
In this post i will demonstrate some of the things that can be achieved through the NX-OS CLI.

!Important!
There is no safety net, if you issue something like ‘no tenant XXX‘ the configuration is gone!
No commit, warning or similar!
!Important!

Basics

The NX-OS like CLI is the new default if you connect via SSH to the APIC

→ ssh admin@10.127.129.50
Application Policy Infrastructure Controller
admin@10.127.129.50's password:
apic1#

If you wan to access the Linux CLI you can go there through ‘bash’ and go back with ‘exit’

apic1# bash
admin@apic1:

...

admin@apic1:
exit
apic1#

Configurations

Tenant

Configure a Tenant, Application Profile and End Point Group

apic1# configure
apic1(config)# tenant nxos_cli
apic1(config-tenant)# application app_1
apic1(config-tenant-app)# epg epg_1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# epg epg_2
apic1(config-tenant-app-epg)# end

...

apic1# show running-config tenant nxos_cli
# Command: show running-config tenant nxos_cli
# Time: Sun Dec 13 16:44:58 2015
  tenant nxos_cli
    application app_1
      epg epg_1
        exit
      epg epg_2
        exit
      exit
    exit

I’m sure that this configuration style is straight forward for all network engineers, and for some tasks i think this is a great way to get things done!

Networking

Example of adding a new Subnet to a VRF.

apic1(config)# tenant nxos_cli
apic1(config-tenant)# vrf context vrf_1
apic1(config-tenant-vrf)# exit
apic1(config-tenant)# bridge-domain bd_1
apic1(config-tenant-bd)# vrf member vrf_1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# interface bridge-domain bd_1
apic1(config-tenant-interface)# ip address 172.20.20.1/24

Complete Tenant example

This is how one of my tenants look in the CLI

tenant PoC
  vrf context Net_1
    contract enforce egress
    exit
  application SimpleWebServer
    epg sqlServers
      bridge-domain member BD_1
      contract provider mgmt_contract
      contract provider SQL_Contract
      vmware-domain member vmware_dom deploy immediate
      exit
    epg webServers
      bridge-domain member BD_1
      contract consumer SQL_Contract
      contract provider Web_Contract
      contract provider mgmt_contract
      vmware-domain member vmware_dom deploy immediate
      exit
    exit
  contract Allow_ANY
    subject Allow_ANY_Subj
      access-group IP_ANY both
      exit
    exit
  contract SQL_Contract
    subject SQL_Subject
      access-group SQL_Filter both
      exit
    exit
  contract Ubuntu_to_Ext
    subject external_con
      access-group IP_ANY in
      access-group IP_ANY out
      exit
    exit
  contract Web_Contract
    subject Web_Subject
      access-group Web_Filter both
      exit
    exit
  contract mgmt_contract
    subject allow_icmp
      access-group icmp both
      exit
    subject allow_ssh
      access-group filter_telnet both
      access-group ssh both
      exit
    exit
  external-l3 epg L3_Out:ext_all
    vrf member Net_1
    match ip 0.0.0.0/0
    contract consumer mgmt_contract
    contract consumer Web_Contract
    contract provider Ubuntu_to_Ext
    exit
  access-list DNS
    match udp dest 53
    exit
  access-list IP_ANY
    match raw ANY_TCP etherT ip prot 6 stateful yes
    match udp
    exit
  access-list SQL_Filter
    match tcp dest 3306
    exit
  access-list Web_Filter
    match tcp dest 80
    exit
  access-list filter_telnet
    match tcp dest 23
    exit
  access-list icmp
    match icmp
    exit
  access-list ssh
    match raw ssh dFromPort 22 dToPort 22 etherT ip prot 6 stateful yes
    exit
  bridge-domain BD_1
    arp flooding
    l2-unknown-unicast flood
    vrf member Net_1
    exit
  interface bridge-domain BD_1
    ip address 10.127.200.1/24 secondary scope public
    exit
  exit

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *