Cisco introduced a NX-OS like CLI for the Cisco ACI Solution with release 1.2(1i).
In this post i will demonstrate some of the things that can be achieved through the NX-OS CLI.
!Important!
There is no safety net, if you issue something like ‘no tenant XXX’ the configuration is gone!
No commit, warning or similar!
!Important!
Basics
The NX-OS like CLI is the new default if you connect via SSH to the APIC
1
2
3
4
|
→ ssh admin@10.127.129.50
Application Policy Infrastructure Controller
admin@10.127.129.50's password:
apic1#
|
If you wan to access the Linux CLI you can go there through ‘bash’ and go back with ‘exit’
1
2
3
4
5
6
7
8
|
apic1# bash
admin@apic1:
...
admin@apic1:
exit
apic1#
|
Configurations
Tenant
Configure a Tenant, Application Profile and End Point Group
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
apic1# configure
apic1(config)# tenant nxos_cli
apic1(config-tenant)# application app_1
apic1(config-tenant-app)# epg epg_1
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# epg epg_2
apic1(config-tenant-app-epg)# end
...
apic1# show running-config tenant nxos_cli
# Command: show running-config tenant nxos_cli
# Time: Sun Dec 13 16:44:58 2015
tenant nxos_cli
application app_1
epg epg_1
exit
epg epg_2
exit
exit
exit
|
I’m sure that this configuration style is straight forward for all network engineers, and for some tasks i think this is a great way to get things done!
Networking
Example of adding a new Subnet to a VRF.
1
2
3
4
5
6
7
8
|
apic1(config)# tenant nxos_cli
apic1(config-tenant)# vrf context vrf_1
apic1(config-tenant-vrf)# exit
apic1(config-tenant)# bridge-domain bd_1
apic1(config-tenant-bd)# vrf member vrf_1
apic1(config-tenant-bd)# exit
apic1(config-tenant)# interface bridge-domain bd_1
apic1(config-tenant-interface)# ip address 172.20.20.1/24
|
Complete Tenant example
This is how one of my tenants look in the CLI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
tenant PoC
vrf context Net_1
contract enforce egress
exit
application SimpleWebServer
epg sqlServers
bridge-domain member BD_1
contract provider mgmt_contract
contract provider SQL_Contract
vmware-domain member vmware_dom deploy immediate
exit
epg webServers
bridge-domain member BD_1
contract consumer SQL_Contract
contract provider Web_Contract
contract provider mgmt_contract
vmware-domain member vmware_dom deploy immediate
exit
exit
contract Allow_ANY
subject Allow_ANY_Subj
access-group IP_ANY both
exit
exit
contract SQL_Contract
subject SQL_Subject
access-group SQL_Filter both
exit
exit
contract Ubuntu_to_Ext
subject external_con
access-group IP_ANY in
access-group IP_ANY out
exit
exit
contract Web_Contract
subject Web_Subject
access-group Web_Filter both
exit
exit
contract mgmt_contract
subject allow_icmp
access-group icmp both
exit
subject allow_ssh
access-group filter_telnet both
access-group ssh both
exit
exit
external-l3 epg L3_Out:ext_all
vrf member Net_1
match ip 0.0.0.0/0
contract consumer mgmt_contract
contract consumer Web_Contract
contract provider Ubuntu_to_Ext
exit
access-list DNS
match udp dest 53
exit
access-list IP_ANY
match raw ANY_TCP etherT ip prot 6 stateful yes
match udp
exit
access-list SQL_Filter
match tcp dest 3306
exit
access-list Web_Filter
match tcp dest 80
exit
access-list filter_telnet
match tcp dest 23
exit
access-list icmp
match icmp
exit
access-list ssh
match raw ssh dFromPort 22 dToPort 22 etherT ip prot 6 stateful yes
exit
bridge-domain BD_1
arp flooding
l2-unknown-unicast flood
vrf member Net_1
exit
interface bridge-domain BD_1
ip address 10.127.200.1/24 secondary scope public
exit
exit
|