Installing Contiv Network with Cisco ACI
This page gives brief instructions for installing Contiv Network with Cisco's Application Centric Infrastructure (ACI).
For more information about ACI, contact Cisco Systems.
Configure your APIC Fabric and Access Policies as follows:
1. Create a VLAN Pool under Fabric -> Access Policies -> Pools -> VLAN. Set allocation mode to Static Allocation.
2. Create a physical domain under Fabric -> Access Policies -> Physical and External Domains -> Physical Domains.
3. Create an attachable access entity profile (AAEP) and associate it with the physical domain created in Step 2.
4. Create a Policy Group (under Interface Policies) and specify the AAEP created in Step 3.
5. Create an Interface Profile and specify the physical interfaces connected from your ToRs to the bare metal servers. You can create separate Interface Profiles for individual ToRs if you like.
6. Create a Switch Profile (Switch Policies/Profiles) and specify the appropriate interface profile created in Step 5.
Make a note of the full node names of the ToRs you have connected to your servers.
Configure the ACI Gateway Container
To enable the ACI-GW to access and configure ACI to match the Contiv configuration, set these environment variables (see configuring aci under Installation):
APIC_URL - The URL of the APIC.
APIC_USERNAME - The login username for the APIC.
APIC_LEAF_NODE - The full URI path of the ACI leaf nodes where the cluster servers are connected, for example topology/pod-1/node-101. If there are multiple nodes, you can use comma separation.
APIC_PHYS_DOMAIN - The name of the physical domain used for the Contiv cluster (Step 2 above).
Set Up Authentication
Both key-based authentication and password authentication are supported. Key-based authentication is the recommended method.
For password-based authentication, pass the password to the ACI-GW using the APIC_PASSWORD environment variable.
To enable key-based authentication, follow these steps:
1. Create a Key: Create a key and certificate. Add the certificate to APIC using the procedure described here.
2. Set the APIC_CERT_DN Environment Variable in aci config: Find the distinguished name (DN) of the key that was added to APIC and pass it to the ACI-GW via the APIC_CERT_DN environment variable. This DN is of the form uni/userext/user-admin/usercert-admin. The exact DN can be found from the APIC visore.
3. Create a Key Directory: Create a directory on the server that hosts ACI-GW and copy the key created in the previous step to this directory.
4. Share the key and restart aci_gw container: TBD: this step is potentially different in k8s vs swarm environment. Share this directory with the ACI-GW using the bind mounting option of Docker. For example, if the keys are copied to the /shared/keys directory on the host, use the -v /shared/keys:/aciconfig option while starting the ACI-GW container.
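
A preflight check for the ACI-GW settings described above, run on the host before the container is started. This is an added example, not code from Contiv or Cisco. The function names, the strict patterns derived from this page's sample values, the https:// requirement and the owner-only permission policy for key files are assumptions of the example.

```python
import re
import stat
from pathlib import Path

# Shapes taken from the sample values on this page; treating them as strict
# patterns is an assumption of this example.
LEAF_RE = re.compile(r"topology/pod-\d+/node-\d+")
CERT_DN_RE = re.compile(r"uni/userext/user-[^/]+/usercert-[^/]+")
REQUIRED = ("APIC_URL", "APIC_USERNAME", "APIC_LEAF_NODE", "APIC_PHYS_DOMAIN")


def check_aci_gw_env(env, key_dir=None):
    """Return (auth_mode, problems) for the variables passed to ACI-GW."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    url = env.get("APIC_URL", "")
    if url and not url.startswith("https://"):
        # Example policy: APIC credentials should not cross the network in clear.
        problems.append("APIC_URL is not an https:// URL")
    for leaf in filter(None, env.get("APIC_LEAF_NODE", "").split(",")):
        if not LEAF_RE.fullmatch(leaf.strip()):
            problems.append(f"unexpected leaf node path: {leaf!r}")

    cert_dn, password = env.get("APIC_CERT_DN"), env.get("APIC_PASSWORD")
    if cert_dn:
        mode = "key"
        if not CERT_DN_RE.fullmatch(cert_dn):
            problems.append(f"APIC_CERT_DN has unexpected form: {cert_dn!r}")
        if password:
            problems.append("APIC_PASSWORD is set although key auth is configured")
        problems += check_key_dir(key_dir)
    elif password:
        mode = "password"  # supported, but key-based is the recommended method
    else:
        mode = None
        problems.append("neither APIC_CERT_DN nor APIC_PASSWORD is set")
    return mode, problems


def check_key_dir(key_dir):
    """Flag a missing key directory or key files readable beyond the owner."""
    if key_dir is None or not Path(key_dir).is_dir():
        return [f"key directory {key_dir!r} does not exist"]
    files = [p for p in Path(key_dir).iterdir() if p.is_file()]
    if not files:
        return [f"key directory {key_dir!r} is empty"]
    # Example policy: a private key should carry no group/other permission bits.
    return [f"{p} is accessible to group/others"
            for p in files if stat.S_IMODE(p.stat().st_mode) & 0o077]
```

Call it as `check_aci_gw_env(dict(os.environ), "/shared/keys")` and refuse to start the container while the returned problem list is non-empty.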