Configuring ACI Extensions
CloudCenter users can use out-of-the-box application profiles to create infrastructure-independent models of any application. Once modeled, the Cisco CloudCenter platform and Cisco Application Centric Infrastructure (ACI) can work together to provide automated, end-to-end provisioning of compute, storage, and network configuration of the application as well as its set of required components.
See the Cisco ACI Fundamentals Guide for additional details on the ACI policy model.
The CloudCenter – ACI integration provides the following benefits:
Use a fully automated creation of ACI policy objects.
Gain the security and efficiency of network microsegmentation without the need to program or modify application code, write cloud-specific scripts, or have special network expertise.
Users get self-service/on-demand deployment and management of applications with fully integrated Cisco ACI network policy and configuration.
The CloudCenter – ACI integration is available for VMware cloud environments.
CloudCenter supports the following APIC releases:
Cisco APIC, Release 1.0
Cisco APIC, Release 1.1
Cisco APIC, Release 1.2
Cisco APIC, Release 2.0 (only Distributed Virtual Switch – DVS mode)
Cisco APIC, Release 2.1
Cisco APIC, Release 2.3
Cisco APIC, Release 3.0
Cisco APIC, Release 3.1
The CloudCenter platform automates the end-to-end-provisioning of the overlay infrastructure and deployments of applications. On ACI, this includes the provisioning and management of the following resources:
Ensure that the APIC tenant being configured in the CloudCenter has the privileges to create these resources.
Application Network Profiles (ANP)
Endpoint Groups (EPG)
As a prerequisite for the CloudCenter platform to provision and configure the applications on APIC, first complete the following requirements to have a working Cisco ACI environment:
Leaf switch profiles, Switch Selectors, Interface Profile, and Policy Groups
VMware's Virtual Machine Manager (VMM) Domain
Routable IP subnet to a New Tenant and Bridge Domain(s) configured with Layer 3 out (L3 Out) for external internet connectivity.
The CloudCenter platform uses the L3 Out network to associate the Common tenant (or the selected tenant).
The Cisco Application Policy Infrastructure Controller (Cisco APIC) functions over both HTTP or HTTPS.
HTTPS: By default, Cisco APIC listens to HTTPS for both the UI and REST APIS.
Ensure that the APIC is configured with a valid SSL certificate that corresponds to the APIC host name.
HTTP: Enable the HTTP access for APIC and ensure accessibility using either the host name or IP address
To configure the ACI Extension for the CloudCenter tenant to use the APIC’s default SSL certificate for HTTPS access, follow this process:
Add an A record to the DNS zone for the “APIC” name - this record must match the name assigned to the default certificate shipped with the APIC.
Once the record is added, ensure that
is resolved to the IP Address of the APIC – This is especially important for the CloudCenter platform. To configure the ACI extension, the default certificate must be first be imported into the key store.
There is a useful utility that can facilitate this process:
Log on as root to the CCO appliance and change to the /tmp directory
Capture text necessary to create certificate (*.crt) file
openssl s_client -connect your https host:443 < /dev/null
openssl s_client -connect 18.104.22.168:443 < /dev/null
Copy the section from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE——
Save the copied text to a file named APIC.crt - for this example the file is placed in /tmp directory
Add the certificate to the trust store:
keytool -import -alias apic -keystore /usr/lib/jvm/jdk1.8.0_65/jre/lib/security/cacerts -file /tmp/APIC.crt
Enter the password.
keytool -import -alias apic -keystore /usr/local/osmosix/ssl/cco/cco_keystore.jks -file /tmp/APIC.crt
Restart the Tomcat process:
systemctl stop tomcat
systemctl start tomcat
Add the extension in CloudCenter Manager (ensure that you use the hostname APIC - for example, . - as the APIC Controller URL)
To ensure the sanity of the environment, follow this procedure.
Using the APIC UI, manually add a new application network profile with one EPG.
Verify that a new VMware Virtual Distribute Switch (vDS) port group is provisioned and displayed in the APIC UI.
Using the vCenter UI, provision/clone a new VM with the network pointing to the created port group.
If operating in Strict mode, you will not have SSH/RDP access to the VM:
Create a Contract for Port 22/3389 with its provider being the EPG from Step 1.
Create a new L3 out setting to be consumed by the Contract created in Step 4a.
SSH/RDP into the VM launched in Step 3 and verify that you can access the CloudCenter Bundle repository and the AMQP server.
The CCO being used in the ACI Extension should be able to access the corresponding APIC endpoint – activate the native APIC integration in CloudCenter by adding the endpoint URL of the APIC as an Extension in the Admin area
The CloudCenter platform assumes that you have configured the ACI extension based on the following setup requirements:
The typical ACI constructs for the tenant (Bridge Domain, DHCP Policy/Relay Label, VRF, External Routed Network - whether tenant specific or shared from the common tenant) are preconfigured and operationally health.
CloudCenter will create a new ACI Application Profile, new EPGs - one per tier of the application, new filters and contracts and apply them to the new EPGs according to the design of the CloudCenter application profile.
The ACI objects created by CloudCenter are named after the original deployment name so that they can be quickly and easily traced to the CloudCenter deployment.
Configure the ACI Extension in the CloudCenter platform.
Once the extension is selected, the CloudCenter will auto-discover the objects relevant to the privileges of the user whose credentials were used to configure the ACI Extension.
The following resources are specified by the APIC:
Virtual Machine Manager – My-vCenter is specified by the APIC
Network Type = ACI
End Point Group = Existing EPG
If the CloudCenter components (CCM, CCO, AMQP) are contained in a different and separate tenant than the existing EPG(s) into which the application nodes are deployed, policies and corresponding contracts should exist and be applied so as to allow the nodes to reach the requisite CloudCenter services.
To enable an application for ACI compatibility, enable the micro-segmentation capability in the application profile The default firewall rule for a service are automatically displayed in if microsegmentation is enabled – you can restrict any firewall rule to any tier by specifying the tier name or IP for the source. See Security and Firewall Rules > for additional context.
VMware vSphere Requirements
The following table describes the VMware vSphere requirements.
|A working VMware vCenter 5.0/5.5/6.0 environment|
The minimum VMware vSphere version is v5.0, but vSphere v5.5 U2 is optimal.
|The CloudCenter platform automates the provisioning of virtual machines into the VMware private datacenter.||The CloudCenter platform requires access credentials to the vCenter setup.|
|All ESX host(s) must be physically connected to the ACI leaf switches.||The prerequisite installation requirements for the datacenter are:|
|If the ESXi hosts are Cisco UCS based|
The APIC policy model is available as a standalone extension on the CloudCenter platform and provides increased ease when creating ACI objects by allowing better, faster, and easier network isolation by:
Using Extensions on the CloudCenter platform, network administrators can access CloudCenter from the UI or the API to create, update, or delete the following objects:
Virtual Machine Manager (VMM) domains
Allowing the consumption of newly-created bridge and VMM domains during the application deployment process or the deployment environment process without having to manually sync configurations.
Once you configure an extension (procedure provided later in this page), select the cloud and cloud accounts in the Network Settings section to see that a configured network, such as Cisco ACI, is available for selection when configuring this deployment environment.
Using ACI with CloudCenter Extensions
You can create a CloudCenter extension to extend the capabilities of the CCO to provision networks in an ACI environment. You can then Launch the ACI Extension to configure the following CloudCenter resources:
Deployment Environment Flow: ACI Extensions are also integrated in the deployment environment and you can determine the extension to be used by each cloud account. CCMs do not need to make the request to the cloud provider. Seefor additional context.
Application Deployment Level: Configure tenant and VMM domains to be populated into the application profile when Deploying an Application. You can configure the External Routed Network field (Layer 3 out) for your APIC setup, as shown in the following screenshot, and connect to that tenant network.
NIC: When you select the Cisco ACI tab, you have the option to select one of the options from the Endpoint Group (EPG) Type, as shown in the following screenshot.
Existing EPG: Uses a preconfigured EPG form the APIC setup.
New EPG: Creates a new EPG for this deployment. Optionally, you can also select contracts or interfaces that are consumed by this new EPG.
Bridge Domain Template: Creates a new bridge domain using the selected template.
ACI as an External Service: When you Deploy an Application that contains an External Service, you can configure the ACI extension in the Advanced section for this service tier to use the APIC Service Graph Template. The following screenshot shows this section.
When you have configured the cloud or datacenter resources (for example, the tasks listed in theIntegrations section), verify your network connectivity and launch a sample application to ensure everything is working from end-to-end. If all the requirements worked, you are ready to configure the extension from the CCM UI.
To configure an extension from the CCM UI, follow this procedure.
Access the CCM UI and navigate to Admin > Extensions. The Extensions page displays and you can edit an existing extension or add a new extension as required for your ACI integration. The following screenshot shows the Extensions page.
The TYPE column in the Extensions page currently displays ACI for all extensions as this is the only type of extension that is currently accepted by the CloudCenter platform.
Click Add Extension. The New ACI Extension page displays, as shown in the following screenshot.
Configure the following Cisco APIC endpoint information in the Connection Settings section:
The APIC Name
The APIC endpoint URL (HTTP or HTTPS)
The APIC access credentials (Username and Password) – Use the ACI admin credentials for APIC access.
If you do not use Admin credentials for the ACI account
Most integrations use the ACI admin credentials for APIC access.
If you use the Admin credentials, you do not need the information in this note.
If you prefer to limit the CloudCenter platform's access to ACI, then make sure that the ACI user for the ACI–CloudCenter integration account is configured as follows:
Create the Security Domain (SD) and associate the SD with the VMM(s) and Tenant(s) used for the ACI – CloudCenter integration.
Create an ACI Role with the following privileges:
Add (associate) the SD to the ACI–CloudCenter integration account and assign the created ACI Role with writePriv (write privilege).
The CCO used to manage this APIC endpoint (select the required CCO from the dropdown list)
Click Connect to connect and save the ACI configuration information.
The CloudCenter software validates the APIC endpoint connection and displays a status message displays at the top of this page.
Once the APIC endpoint connects successfully, you also see the New ACI Extension page refresh to display the Bridge Domain Template section below the Connection Settings section. You can use this section to provide additional placement information. See the Bridge Domain Template section below for additional details.
Click Save to save this new extension. The Extensions page refreshes to display the newly-configured extension to the list of configured and validated Extensions.
Launch the ACI Extension
To launch the ACI integration in your cloud, follow this procedure.
Access the CCM UI and navigate to Deployments. The Deployments page displays
Click the Environments tab. The Deployments page refreshes to dis play the configured environments and you can edit an existing environment or add a new environment as required for your ACI integration.
Click Add Environment. The New Deployment Environment page displays.
In the General Settings section:
Provide the deployment environment Name
Optionally, provide a Description.
Identify if approval is required to deploy to this environment by switching On the button.
In the Cloud Selection section:
Select the checkbox for the required Cloud Region. This cloud region must be the same as the CCO cloud region (used to manage your new APIC extension in the above section).
Select the Cloud Account from the dropdown list.
Click Define Default Cloud Settings to define the Deployment Environment default settings for this cloud. See
for additional context.
You can pre-define much of your experience during the deployment submission in the Default Settings of the Deployment Environment. See for additional context.
(Optional) Define the Networks Settings:
Turn On the Use Network Types button. The Networks section expands to display the Network Types.
Click +Network Type to add a new type. The New Network Type page displays.
Provide the network type Name.
Optionally, provide a Description.
Configure the Network Settings. The available networks for this cloud are displayed in the Network Settings section. The Network Settings section differs for each cloud.
VMware Network Settings
Toggle the Visibility switch to determine if you want to allow your end users to use pre-configured settings.
OFF: (Default) End users are not allowed to use preconfigured ACI extensions.
Select the Network in the NIC section. See IP Allocation Mode for additional context on NIC configuration.
Add additional NICs, if required.
ON: End users are allowed to use preconfigured ACI extensions.
Select the required extension, the corresponding options are displayed in the dropdown list for the remaining fields (see Extensions for additional details):
Select the APIC Extension from the dropdown list (see ACI Extensions for additional details).
Select the APIC Virtual Machine Manager (VMM) associated with this APIC Extension from the filtered dropdown list .
Select the APIC Tenant associated with this APIC Extension from the filtered dropdown list.
Select the Network in the NIC section.
If you select VMware, select the Network in the NIC section. See IP Allocation Mode for additional context on NIC configuration.
If you select Cisco ACI, select the type in the End Point Group (EPG) Type field.
Existing EPG: If you select this type, you must further select a pre-existing EPG (that is already connected to one of the Bridge Domains) from the Existing EPG dropdown, which appears if you select this type.
New EPG: If you select this type, you must further select a pre-existing Bridge Domain (to which this EPG must connect) from the Bridge Domain dropdown list.
Bridge Domain Template: See Extensions for additional context.
Add additional NICs, if required.
See SSH Options for additional context.
Click Save to save this new deployment environment. The Environments page refreshes to display the newly-configured deployment environment to the list of configured and validated Environments.
Designate a Bridge domain from the ACI environment. The list of bridge domains is pulled from ACI. See the Bridge Domain Template section for additional context.
Bridge Domain Template
A bridge domain represents a Layer 2 forwarding construct within the fabric. The Bridge Domain template (Layer 2 space) is linked to an ACI Virtual Routing and Forwarding (VRF) template (Layer 3 space). See the Cisco ACI Fundamentals Guide for additional details.
From the CloudCenter context, the ACI integration requires a routable IP subnet to a New Tenant that is configured with Layer 3 Out for external internet connectivity. When configuring an ACI Extension as part of the End Point Group (EPG) Type field.
If you do, you should have already configured the Bridge Domain Template so it displays in the dropdown list for that field.
CloudCenter administrators can create a Bridge Domain template to configure ACI extensions:
Each time CloudCenter admins configure an ACI extension, they also have the option to configure a Bridge Domain template.
The L3 Out connection to the external world is through the CloudCenter EPG Type selection. If you are deploying this instance into an existing EPG type, you do not need to update the subnet mask each time.
To restrict this subnet from being accessed by any other network, update the subnet mask with the database tier ID in the Bridge Domain template. This way, the subnet is exposed to the world on this external network and allows the destination to be open to the DB node.
When connecting to the database tier, the database Layer 3 out is linked to one of the IP addresses displayed in a dropdown list — instead of allowing everyone to connect to a tier.
To add a Bridge Domain Template, follow this procedure.
Access an ACI Extension as outlined in the section above (Admin > Extensions) and edit an existing extension. You can also opt to create a new extension in the process outlined above and continue to add a Bridge Domain Template as an extension of that process.
In the Add ACI Extension page or Edit ACI Extension page, scroll down to the Bridge Domain Templates section, as shown in the following screenshot.
Click Add Template. The New Bridge Domain Template pages displays.
Configure the following Bridge Domain Template details in the General Settings section:
Template Name: A name reference by which you can refer to this Bridge Domain template.
Bridge Domain Name Configuration: The exact name variable for the Bridge Domain that is used by the ACI.
Existing VRF: Select the VRF from the dropdown list. Templates are listed by tenant in the dropdown list, be sure to select the VRF template for the correct ACI tenant.
Shared resources are saved in the Common tenant, as shown in the following screenshot.
When you select a VRF from a Common tenant (highlighted in the dropdown list image), that Bridge Domain Template can be selected by any tenant and consequently deployed to any other tenant. If you select a VRF that is specific to just one tenant, you can only deploy the Bridge Domain Template to just that tenant.
Dynamic VRF: Select a VRF that is provisioned for this APIC. The VRF hosts the Bridge Domain that is created using the Bridge Domain Template.
Associated L3 Outs: Optional. Depending on the tenant selected in the VRF settings, you can now associate the L3 Out networks from the Common tenant (or the selected tenant).
L3 Out for Route Profile: Optional. Depending on the tenant selected in the VRF settings, you can now select the desired L3 Out for route profile from the Common tenant (or the selected tenant).
DHCP Relay Label: Optional. Depending on the tenant selected in the VRF settings, you can now select the one or more DHCP relay labels from the Common tenant (or the selected tenant) that is applied to the new bridge domain.
Configure the following network details in the Subnet section.
Scope: APIC concept – See the Cisco ACI Fundamentals Guide for additional details.
Private to VRF: An APIC setting that refers to a Private Network (context) is equivalent to a virtual routing and forwarding (VRF) instance in the networking world.
Advertised Externally: An APIC setting that refers to an EPG that provides a shared service must have its subnet configured under that EPG (not under a bridge domain), and its scope must be set to advertised externally, and shared between VRFs.
Shared between VRFs: An APIC setting that refers to shared subnets must be unique across the VRF involved in the communication. When a subnet under an EPG provides a Layer 3 external network shared service, such a subnet must be globally unique within the entire ACI fabric.
Subnet Control: APIC concept – See the Cisco ACI Fundamentals Guide for additional details.
ND RA Prefix: An APIC setting to control Neighbor Discovery (ND) – Router Advertisement (RA) message communications between an outside public or private network and the ACI fabric.
Querier IP: An APIC setting to enable Internet Group Management Protocol (IGMP) snooping on the subnet.
Subnet Pools: CloudCenter concept – Prevents any subnet in the pool from being wrongly reused. When you deploy a Bridge Domain Template on an application with multiple tiers, then each tier will use a different subnet from within this pool to ensure that the same subnet is not reused multiple times. If you deployment uses more subnets than are defined in this pool, the deployment will fail as all configured subnets are already used in this deployment.)
Master Subnet: The IP address of the first subnet in the tenant network.
Pool Subnet: A dropdown list to identify the last subnet in the tenant network.
Networks: This section automatically updates to reflect the number of networks in the pool based on the Master and Pool Subnet configurations.
You can add multiple subnet pools by clicking the Add Subnet Pool button.
Delete Icon: Allows you to delete a previously configured subnet pool from the CloudCenter platform.
Once you add a subnet pool, you cannot update the pool. You can only delete the configured pool and add a new subnet pool.
Click Save to save this new Bridge Domain Template along with the configured ACI extension. The Extensions page displays the Success message below the header to state the the extension is saved.
Administrators can perform the actions that the following screenshot shows for each ACI extension listed in the Extensions page.
The Deployment Environment pages list configured information and allows you perform the actions that the following table describes.
Change configurations for an existing extension. Once configured, you can only perform the following changes to an Extension:
See the Adding a Deployment Environment section (below) for additional details.
Share an Extension. See Permission Control > Extension Permissions for details.
Delete an Extension.
If you choose to delete a configured Extension, the Delete Extension popup confirms your intention, deletes the configured Extension, and displays a status message at the top of the Extension page.
If you set the cliqrIgnoreAppFailure parameter (see Troubleshooting Parameters), then the APIC resources (ANP, EPGs, Contracts, and so forth) created using the CloudCenter platform are not removed if the deployment fails. The launched VMs and related APIC policies are only removed when the user terminates the deployment from the Deployments page. See Terminate Protection for additional context.