APIC NXOS CLI – Vlan Domains
Agenda
• Overview
• Basic Configuration
• Vlan Domain Model
• API Configured Vlan Domains
• Validations
• Troubleshooting
Overview
• The 4K VLAN ID space of the ACI fabric can be partitioned into sets of VLANs.
• Each vlan domain represents a set of VLANs that can be configured on a group of nodes and ports.
• VLANs present in a vlan domain can be used by any of the APIC applications: Application EPG, External-L2, External-L3, VMM, L4-L7 Services.
• In a multi-admin environment with different privileges for Tenant and Fabric Admins, the vlan domain is used as a security domain. The Fabric Admin creates vlan domains and grants read access to specific Tenant Admins, who can then consume that vlan domain; any other tenant admin cannot use it. This lets multiple admins manage the same fabric resources (ports, vlans) without overrunning each other, and the restriction is enforced by the APIC rather than by convention: a tenant admin who has not been granted a vlan domain cannot bind its VLANs to an EPG.
Note: The security-domain feature will be supported in a follow-on release.
Overview (cont.)
• A vlan domain can be static or dynamic. A static vlan domain can only hold a static vlan-pool, while a dynamic vlan domain can hold both static and dynamic vlan-pools.
• VLANs in static vlan-pools are managed by the user and are used for applications such as connectivity to bare-metal hosts. VLANs in dynamic vlan-pools are allocated and managed by the APIC controller without user intervention and are used for applications such as VMM, where the APIC allocates a VLAN for each EPG behind the VMM-controlled hosts.
• The default type for vlan domains, and for the vlan-pool within a domain, is static.
Basic Configuration
Configuration Steps
Step 1: Create vlan domain in global mode.
Step 2: Add VLANs to vlan domain.
Step 3: Assign vlan domain to one or more interfaces.
Create Vlan Domain
Command Syntax:
[no] vlan-domain <domain-name> [dynamic]
• Executed in global configuration mode.
• dynamic: To create dynamic vlan domains. Default is static.
• Example:
apic1(config)# vlan-domain dom1
apic1(config-vlan)# ?
vlan Add VLANs to vlan-domain
Add / Remove VLANs
Command Syntax:
[no] vlan <vlan-range> [dynamic]
• Executed in vlan-domain mode.
• dynamic: creates the encap blocks for the range as dynamic. Default is static.
• Example:
apic1(config-vlan)# vlan 5-6, 10, 50-100
apic1(config-vlan)# no vlan 5-6
apic1(config-vlan)# no vlan 50
Error: Static EncapBlk 50-50 not Found
Command execution failed.
Associate VLAN Domain To Interfaces
Command Syntax:
[no] vlan-domain member <domain-name>
• Associates vlan domain to an interface, port-channel, virtual port-channel or a template.
• Can associate multiple vlan domains to a given interface.
Associate VLAN Domain To A Port
Example:
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/4
apic1(config-leaf-if)# vlan-domain member dom1
apic1# show run leaf 101 interface ethernet 1/4
# Command: show running-config leaf 101 interface ethernet 1/4
# Time: Tue Mar 08 15:35:12 2016
leaf 101
interface ethernet 1/4
vlan-domain member dom1
exit
exit
Associate VLAN Domain To A Port-Channel
Example:
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/5
apic1(config-leaf-if)# vlan-domain member dom1
apic1# show run leaf 101 interface ethernet 1/5
# Command: show running-config leaf 101 interface ethernet 1/5
# Time: Tue Mar 08 15:37:12 2016
leaf 101
interface ethernet 1/5
vlan-domain member dom1
exit
exit
Associate VLAN Domain To A Virtual PortChannel
Example:
apic1# configure
apic1(config)# vpc context leaf 101 102
apic1(config-vpc)# interface vpc vpc5
apic1(config-vpc-if)# vlan-domain member dom1
apic1# sh run vpc context leaf 101 102
# Command: show running-config vpc context leaf 101 102
# Time: Tue Mar 08 15:38:52 2016
vpc context leaf 101 102
interface vpc vpc5
vlan-domain member dom1
exit
exit
apic1#
Associate VLAN Domain To A Template PolicyGroup
Example:
apic1# configure
apic1(config)# template policy-group tmppolGrp
apic1(config-pol-grp-if)# vlan-domain member dom2
apic1# show run template policy-group tmppolGrp
# Command: show running-config template policy-group tmppolGrp
# Time: Tue Mar 08 15:35:12 2016
template policy-group tmppolGrp
vlan-domain member dom2
exit
Associate VLAN Domain To A Template PortChannel
Example:
apic1# configure
apic1(config)# template port-channel tmppc
apic1(config-if)# vlan-domain member dom2
apic1# show run template port-channel tmppc
# Command: show running-config template port-channel tmppc
# Time: Tue Mar 08 15:35:12 2016
template port-channel tmppc
vlan-domain member dom2
exit
VLAN Domain Model
API Model
• There are three types of vlan domain: Physical, External Bridged and External Routed.
• “vlan-domain <domain-name>”: this command internally creates the Physical (physDomP), External Bridged (l2extDomP) and External Routed (l3extDomP) vlan domains and a vlan-pool (fvnsVlanInstP) with the same name as the vlan domain. In effect, a vlan domain lets the user use the VLANs defined under it for any application. For example, if a VLAN under the vlan domain is used by an application EPG, the relations are created internally to the corresponding physDomP.
• “vlan-domain member <domain-name>”: sets up the infraRsDomP relations to the physDomP, l2extDomP and l3extDomP matching the given domain-name.
API Model For VLAN Domain (diagram rendered as text)
physDomP / l2extDomP / l3extDomP
  --infraRsVlanNs-->  fvnsVlanInstP (vlan-pool)
                        +-- EncapBlks (one per vlan range)
API Configured VLAN Domain
Overview
• physDomP, l2extDomP and l3extDomP objects, and their relations to Attachable Entity Profiles, created through the API can be modified through the vlan domain CLI using the type extension that names the particular sub-domain.
• The CLI is fully compatible with the API and GUI for vlan domain configuration changes.
• Since new CLI users are not expected to know the model specifics, the vlan-domain type extensions are hidden for vlan-domains that were created through the CLI.
Create VLAN Domain
Command Syntax:
[no] vlan-domain <domain-name> [dynamic] [type (phys|l2ext|l3ext)]
• Executed in global configuration mode.
• The “type” option is shown and mandatory when:
  - not all three vlan-domain types exist for <domain-name>, or
  - they use different vlan-pools, or
  - they share the same vlan-pool but the pool name differs from the vlan domain name.
• Example:
apic1(config)# vlan-domain dom2 type phys
Assign VLAN-Pool To VLAN Domain
Command Syntax:
[no] vlan-pool <pool-name>
• Executed in vlan-domain mode
• If the type option was given on the vlan-domain command, the user has to assign a pool to the vlan domain before adding any VLANs to it.
• “no vlan-pool <pool-name>”: if the vlan-pool is also used by other vlan domains, only the relation (RsVlanNs) is deleted; otherwise both the relation and the vlan-pool are deleted.
• Example:
apic1(config-vlan)# vlan-pool pool2
Associate VLAN Domain Member
Command Syntax:
[no] vlan-domain member <domain-name> [type (phys|l2ext|l3ext)]
• Associates vlan-domain to an interface, port-channel, virtual port-channel or a template.
• Can associate multiple vlan-domains to a given interface.
Associate VLAN Domain Member (cont.)
Example:
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/4
apic1(config-leaf-if)# vlan-domain member dom1 type phys
apic1# show run leaf 101 interface ethernet 1/4
# Command: show running-config leaf 101 interface ethernet 1/4
# Time: Tue Mar 08 15:35:12 2016
leaf 101
interface ethernet 1/4
vlan-domain member dom1 type phys
exit
exit
Validations
• “no vlan-domain <name>”: checks whether the vlan-domain is in use by any interface. If it is, an error is returned; the user first has to remove the vlan-domain from the interface with “no vlan-domain member <domain-name>” in interface configuration mode.
apic1(config)# no vlan-domain dom1
Error: Vlan-domain is in-use. Policies using vlan-domain dom1 : '__ui_p1_l101_eth1--1'.
Please remove it and re-try.
• “no vlan <range>”: a subset of the VLANs in an encapBlk cannot be deleted; the whole block has to be removed.
apic1(config-vlan)# vlan 2-3, 10, 50-100
apic1(config-vlan)# no vlan 2-3
apic1(config-vlan)# no vlan 50
Error: Static EncapBlk 50-50 not Found
Validations (cont.)
• “no vlan-pool <pool-name>”: checks whether the vlan-pool is still associated with another vlan-domain. If it is, only the relation to the vlan-pool is removed; otherwise both the relation and the vlan-pool are deleted.
apic1(config)# vlan-domain dom2 type phys
apic1(config-vlan)# vlan-pool pool1
apic1(config)# vlan-domain dom3 type l2ext
apic1(config-vlan)# vlan-pool pool1
apic1(config-vlan)# no vlan-pool pool1
Vlan-pool is in use by other vlan-domain(s). Removing only the vlan-pool relation from the vlan-domain. To delete the vlan-pool, please remove the pool from the other vlan-domain(s).
Validations (cont.)
• “vlan-domain member <name>”: vlan-domains with overlapping VLANs cannot be associated with the same port; each (port, vlan) pair must map to exactly one vlan domain.
apic1(config)# vlan-domain dom2
apic1(config-vlan)# vlan 3-4
apic1(config)# vlan-domain dom3
apic1(config-vlan)# vlan 3-4
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/1
apic1(config-leaf-if)# vlan-domain member dom2
apic1(config-leaf-if)# vlan-domain member dom3
Error: Overlapping of Vlans is not allowed on an interface. Vlans overlapping with vlan-domain
dom2. Please remove the overlapping vlans.
Validations (cont.)
• “vlan <range>”: a new VLAN range cannot be added to a vlan-domain if the vlan-domain is associated with an interface that is also a member of another vlan-domain whose VLAN set overlaps the new range.
apic1(config)# vlan-domain dom2
apic1(config-vlan)# vlan 1-4
apic1(config)# vlan-domain dom3
apic1(config-vlan)# vlan 5-7
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/2
apic1(config-leaf-if)# vlan-domain member dom2
apic1(config-leaf-if)# vlan-domain member dom3
apic1(config)# vlan-domain dom2
apic1(config-vlan)# vlan 5-7
Error: Overlapping of Vlans is not allowed on an interface. Vlans overlapping with vlan-domain
dom3. Please remove the overlapping vlans.
Command execution failed.
Validations (cont.)
• “switchport trunk allowed vlan <> ...”: when a VLAN is bound to an application (application EPG, L2, SVI), the VLAN must belong to one of the vlan-domains associated with the interface; otherwise the configuration is rejected.
• All interface-level validations apply to every interface type and template where vlan-domain member configuration is allowed.
apic1(config)# leaf 101
apic1(config-leaf)# interface ethernet 1/14
apic1(config-leaf-if)# switchport trunk allowed vlan 100 tenant Nubecentro application ap1 epg epg1
No vlan-domain associated to node 101 interface ethernet1/14 encap vlan-100
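The object mapping from the API Model section and the checks on the Validations slides above, as an added example that is not APIC code and not Cisco's: a small Python model that turns “vlan-domain <name>” and “vlan <range>” into the object DNs the page names, and enforces the same validations offline so they can be tried without a fabric. The DN formats are assumed from the APIC object model rather than taken from this page; Fabric, VlanDomainError, parse_vlan_ranges, vlans_in and the error strings are hypothetical names chosen for the example.

```python
"""Offline model of the vlan-domain CLI described on this page.

Added example, not APIC code. DN formats are assumed from the APIC
object model; confirm them with the API Inspector on your controller.
"""

class VlanDomainError(Exception):
    """Raised where the real CLI prints 'Error: ...' and fails the command."""

def parse_vlan_ranges(spec):
    """'5-6, 10, 50-100' -> [(5, 6), (10, 10), (50, 100)], one tuple per encapBlk."""
    blocks = []
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        blocks.append((int(lo), int(hi or lo)))
    return blocks

def vlans_in(blocks):
    """Expand encap blocks to the set of VLAN ids they cover."""
    return {v for lo, hi in blocks for v in range(lo, hi + 1)}

def vlan_domain_objects(name, dynamic=False):
    """Objects 'vlan-domain <name> [dynamic]' creates, keyed by class (assumed DNs)."""
    pool = f"uni/infra/vlanns-[{name}]-{'dynamic' if dynamic else 'static'}"
    objs = {"fvnsVlanInstP": pool}
    for cls, rn in (("physDomP", "phys"), ("l2extDomP", "l2dom"), ("l3extDomP", "l3dom")):
        objs[cls] = f"uni/{rn}-{name}"
        # every sub-domain gets an infraRsVlanNs whose tDn is the shared pool
        objs[f"infraRsVlanNs@{cls}"] = f"uni/{rn}-{name}/rsvlanNs -> {pool}"
    return objs

def encap_blk_dns(pool_dn, spec):
    """EncapBlk DNs that 'vlan <range>' adds under the domain's pool (assumed format)."""
    return [f"{pool_dn}/from-[vlan-{lo}]-to-[vlan-{hi}]"
            for lo, hi in parse_vlan_ranges(spec)]

class Fabric:
    """Minimal state: domain name -> encap blocks, (leaf, port) -> member domains."""

    OVERLAP = ("Overlapping of Vlans is not allowed on an interface. "
               "Vlans overlapping with vlan-domain {}.")

    def __init__(self):
        self.domains = {}
        self.members = {}

    def vlan_domain(self, name):
        self.domains.setdefault(name, set())

    def vlan(self, name, spec):
        """'vlan <range>': refuse if a port carrying this domain also carries
        another domain whose VLANs overlap the new range."""
        blocks = parse_vlan_ranges(spec)
        new = vlans_in(blocks)
        for doms in self.members.values():
            if name not in doms:
                continue
            for other in doms:
                if other != name and new & vlans_in(self.domains[other]):
                    raise VlanDomainError(self.OVERLAP.format(other))
        self.domains[name].update(blocks)

    def no_vlan(self, name, spec):
        """'no vlan <range>': each range must match a whole existing encapBlk."""
        blocks = parse_vlan_ranges(spec)
        for lo, hi in blocks:
            if (lo, hi) not in self.domains[name]:
                raise VlanDomainError(f"Static EncapBlk {lo}-{hi} not Found")
        self.domains[name].difference_update(blocks)

    def vlan_domain_member(self, leaf, port, name):
        """'vlan-domain member': (port, vlan) must map to exactly one domain."""
        doms = self.members.setdefault((leaf, port), [])
        mine = vlans_in(self.domains[name])
        for other in doms:
            if mine & vlans_in(self.domains[other]):
                raise VlanDomainError(self.OVERLAP.format(other))
        doms.append(name)

    def no_vlan_domain(self, name):
        """'no vlan-domain <name>': refuse while any interface still uses it."""
        users = [f"leaf {lf} eth{pt}" for (lf, pt), d in self.members.items() if name in d]
        if users:
            raise VlanDomainError(f"Vlan-domain is in-use by {', '.join(users)}.")
        del self.domains[name]

    def domain_for_encap(self, leaf, port, vlan):
        """'switchport trunk allowed vlan' check: the member domain on the port
        that carries the encap, or None (the CLI then rejects the EPG binding)."""
        for dom in self.members.get((leaf, port), []):
            if vlan in vlans_in(self.domains[dom]):
                return dom
        return None
```

Each method mirrors one validation slide: no_vlan reproduces the “Static EncapBlk 50-50 not Found” failure for a sub-range, vlan_domain_member and vlan reproduce the two overlap checks, and domain_for_encap returns None for the encap-without-domain case that the CLI rejects on ethernet 1/14 above.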
Troubleshooting
Show VLAN Domain
Command Syntax:
show vlan-domain [name <domain-name>] [vlan <vlan-id>] [leaf <leaf-id>]
• Displays vlan usage for the following applications:
- Application EPG static path deployment.
- Legacy Bridge-domain.
- External-L2 EPG path deployment.
- External-L3: Vlan used by SVI, Sub-interface.
Show VLAN Domain (cont.)
• A single place to look up VLAN usage in the system.
• Displays the user configuration filtered by any combination of vlan domain name, vlan id and leaf id. The vlan domain name covers all three types (phys, l2ext, l3ext).
• Fetches from the switch the operational state of the VLAN interface (l2BD, sviIf objects) and the paths on which the EPG is deployed.
• In ACI, the user-configured encap VLAN and the BD are mapped to locally allocated VLANs on the switch; this mapping is displayed as the operational vlan.
• Faults corresponding to the EPG deployment (such as invalid path, invalid vlan, missing ctx/vrf) are available in the operational state.
Security Domain
Command Syntax:
[no] security-domain <domain-name>
• Executed in vlan-domain mode.
• Security-domain is one of the main use-cases of vlan-domain.
• Supported in a follow-on release.
• Only users associated with the same security-domain as the vlan-domain can access it.
Example (userA is associated with security-domain secdom1, while dom1 is placed in secdom2):
apic1(config)# vlan-domain dom1
apic1(config-vlan)# vlan 100
apic1(config-vlan)# security-domain secdom2
apic1# ssh [email protected]
Application Policy Infrastructure Controller
[email protected]'s password:
apic1# configure
apic1(config)# vlan-domain ?
WORD Vlan domain name (Max Size 64)