CBT Nuggets

Configure ACI Endpoint Groups

Full lesson from ACI Fundamentals.

46m 5 Videos 4 Questions

Skill 12 of 24 in ACI Fundamentals

Logical to Physical Mapping

Now that we've explored the physical and logical components to ACI configuration, it's time to connect the two worlds together. This is done via the Endpoint Group (EPG), which can be configured via AEP or by Static Path Binding.

When traffic arrives on a leaf switch (as part of a physical domain), ACI identifies the appropriate EPG based on port + VLAN identification.

Knowledge Check

What is the downside to using the EPG-to-AEP method for traffic identification?

  A. Doesn't provide granular control
  B. Doesn't scale to large infrastructures
  C. Doesn't work for physical domains
  D. Doesn't allow for VLAN selection


Application Profiles

Application Profiles, sometimes called Application Network Profiles, are a mechanism for ACI to track system health and configuration on an application basis. APs are not part of the logical architecture, but EPGs cannot be created without being mapped to an AP.

Knowledge Check

EPGs must be mapped to both an application profile and a bridge domain. True or false?



Perform Logical Configuration

Let's jump into the APIC GUI and create a tenant, along with a VRF, Bridge Domain, and some EPGs!

Knowledge Check

Where do EPGs appear within the APIC GUI navigation pane?

  A. Under the Application Profile
  B. Under the AEP
  C. Under the Bridge Domain
  D. Under the VRF


EPG Configuration

There are two methods for configuring EPG traffic identification: EPG-to-AEP and Static Path Binding. Let's look at how to configure each method in the APIC GUI.

Knowledge Check

When performing static binding for EPGs, where is the configuration applied?

  A. EPG configuration
  B. Application profile
  C. AEP configuration
  D. Bridge domain


Configuration Challenge

Perform the following configurations in an ACI environment. Note that these tasks assume that the physical environment is built out, including a physical domain.

  1. Create a Tenant, VRF, and BD
  2. Create an Application Profile (APP1) and create an EPG using the AEP method:
     - Create EPG1 under the AP and add it to the BD + physical domain
     - Under the AEP, add EPG1 for VLAN 101
  3. Create a second Application Profile (APP2) and create an EPG using the static path binding method:
     - Create EPG2 that maps to Leaf 101, ports 1-2 for VLAN 100
  4. Create a new EPG for APP1 that uses static path binding:
     - Create EPG3 which includes Leaf 102, port 1 for VLAN 102
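The following is an added example (not CBT Nuggets or Cisco code) that models the port + VLAN identification this lesson describes for both binding methods, using the leaf, port and VLAN numbers from the Configuration Challenge above. The tenant and BD names (CBT_Test, BD100), the AEP's interface reach (12 leaves, ports 1-24, sized as in the transcript) and the pod number are assumptions; the REST object names (fvRsPathAtt, infraRsFuncToEpg) follow the APIC object model.

```python
"""EPG traffic identification (port + VLAN -> EPG) for the two binding methods
in this lesson: EPG-to-AEP and static path binding. Added example, not code
from CBT Nuggets or Cisco. Leaf, port and VLAN numbers are those of the
Configuration Challenge; tenant/BD names and the AEP's reach are assumed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Epg:
    tenant: str
    ap: str      # application profile: required parent of every EPG
    name: str
    bd: str      # bridge domain: the second required binding

    @property
    def dn(self) -> str:
        # APIC distinguished name: uni/tn-<tenant>/ap-<ap>/epg-<epg>
        return f"uni/tn-{self.tenant}/ap-{self.ap}/epg-{self.name}"


@dataclass
class Aep:
    """An AEP reaches every port tied to it through its interface policy group
    and switch/interface profiles; that reach is listed explicitly here."""
    name: str
    ports: set = field(default_factory=set)           # {(leaf, "eth1/N"), ...}
    epg_by_vlan: dict = field(default_factory=dict)   # {vlan: Epg}


@dataclass
class Fabric:
    aeps: list = field(default_factory=list)
    static: dict = field(default_factory=dict)        # {(leaf, port, vlan): Epg}

    def bind_static(self, epg, leaf, ports, vlan):
        """Static path binding: this VLAN on exactly these ports maps to the EPG."""
        for n in ports:
            self.static[(leaf, f"eth1/{n}", vlan)] = epg

    def classify(self, leaf, port, vlan):
        """Which EPG owns a frame tagged <vlan> arriving on <leaf>/<port>?"""
        hit = self.static.get((leaf, port, vlan))
        if hit is None:
            for aep in self.aeps:
                if (leaf, port) in aep.ports and vlan in aep.epg_by_vlan:
                    hit = aep.epg_by_vlan[vlan]   # AEP method: any covered port
        return hit  # None: the leaf has no policy for this traffic

    def ports_for(self, epg):
        """Every (leaf, port) on which the EPG is reachable: the AEP method's
        'perfect overlap with the domain' versus the granularity of static
        binding."""
        reach = {(lf, p) for (lf, p, _), e in self.static.items() if e == epg}
        for aep in self.aeps:
            if epg in aep.epg_by_vlan.values():
                reach |= aep.ports
        return reach


def static_path_json(leaf, port, vlan, pod=1):
    """REST body of an fvRsPathAtt child of the EPG (static binding)."""
    return {"fvRsPathAtt": {"attributes": {
        "tDn": f"topology/pod-{pod}/paths-{leaf}/pathep-[{port}]",
        "encap": f"vlan-{vlan}", "mode": "regular", "instrImedcy": "lazy"}}}


def aep_epg_json(epg, vlan):
    """REST body of an infraRsFuncToEpg under the AEP's infraGeneric (AEP method)."""
    return {"infraRsFuncToEpg": {"attributes": {
        "tDn": epg.dn, "encap": f"vlan-{vlan}", "mode": "regular",
        "instrImedcy": "lazy"}}}


def build_challenge_fabric():
    """Configuration Challenge: EPG1 via the AEP on VLAN 101, EPG2 static on
    leaf 101 ports 1-2 VLAN 100, EPG3 static on leaf 102 port 1 VLAN 102."""
    epg1 = Epg("CBT_Test", "APP1", "EPG1", "BD100")
    epg2 = Epg("CBT_Test", "APP2", "EPG2", "BD100")
    epg3 = Epg("CBT_Test", "APP1", "EPG3", "BD100")
    # Assumed AEP reach, sized as in the transcript: 12 leaves, first 24 ports.
    aep = Aep("CBT_AEP", {(leaf, f"eth1/{n}") for leaf in range(101, 113)
                          for n in range(1, 25)})
    aep.epg_by_vlan[101] = epg1
    fab = Fabric(aeps=[aep])
    fab.bind_static(epg2, 101, (1, 2), 100)
    fab.bind_static(epg3, 102, (1,), 102)
    return fab, (epg1, epg2, epg3)


if __name__ == "__main__":
    fab, (epg1, epg2, epg3) = build_challenge_fabric()
    for frame in [(101, "eth1/1", 100), (102, "eth1/1", 102),
                  (107, "eth1/19", 101), (101, "eth1/1", 15)]:
        hit = fab.classify(*frame)
        print(frame, "->", hit.dn if hit else "no EPG")
    print("EPG1 reach:", len(fab.ports_for(epg1)), "ports; EPG2 reach:",
          len(fab.ports_for(epg2)), "ports")
    print(static_path_json(101, "eth1/1", 100))
```

The reach counts make the lesson's trade-off concrete: EPG1, bound through the AEP, is identifiable on all 288 covered ports, while EPG2 is identifiable on exactly the two ports named in its static bindings.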

Transcript

Logical to Physical Mapping

0:00 If you're working your way through this course sequentially, then we just took a look at, over the last couple of skills, the physical side of ACI configuration, getting policies to interfaces, getting VLANs configured, and then also now the logical side of things, making sure that in a multi-tenant environment we are able to have multiple tenants, but then within each tenant we have the networking constructs, the VRFs and the bridge domains, but also as part of that, the EPGs.

0:29 So now that we have an actual packet arriving on an interface, because at some point this all has to come back to networking, how do we glue these two worlds together?

0:40 What does it mean when a packet shows up encapsulated with VLAN 15 on leaf switch 101 port 1/12?

0:49 Well, that is what we have to start to figure out.

0:52 We have to glue these two worlds together, and again it's been quite a journey to even see how all these constructs come together within each world, the physical world and the logical world, but now we have to again bring those two worlds together.

1:07 So to illustrate the point, let's say that we have leaf switch 101, and now we have a packet arriving on interface 1/10 on leaf 101, so ACI would actually number this 101/1/10, and this packet is encapsulated with VLAN 15.

1:30 Meanwhile we have also created this logical world, these logical constructs.

1:35 We have a VRF configured, for example, maybe multiple VRFs, but we'll just keep this simple, say we have one VRF, we have a couple of bridge domains in here, we'll call this BD100 and BD200, and we have subnets as part of this as well, 10.100.x.x and 10.200.x.x.

1:59 So we have subnets associated with this, gateways associated with each bridge domain, and now we also have endpoint groups.

2:07 We might have a couple of endpoint groups in bridge domain 100 and an endpoint group in bridge domain 200.

2:14 But again, right now there's this gap that exists between the physical world over here and the logical world on the right.

2:23 So this is where we need to figure out how to bring these two worlds together.

2:28 Because the whole point of ACI is to allow me to very simply deploy policy against traffic as it enters into my fabric, and my policy is based within the logical world, meaning that whatever host is on the other end of this, this could be a physical host, this could be a virtual machine, it could be an appliance, it could be all kinds of different types of hosts, but in theory I have put all of my hosts into endpoint groups.

3:02 And that's where the policy comes from.

3:04 I have EPGs, for example, I have contracts like we've talked about, I need to know whether this traffic is allowed, I mean should I say okay, we can accept this traffic and send it out to the destination, should we reject this traffic saying you're not allowed to communicate with the destination that you have in mind.

3:24 And again, this policy is based on the logical world.

3:27 So is this coming in in this endpoint group or the endpoint group over on the right in the other bridge domain, for that matter?

3:35 Hey, this endpoint group might be in the same bridge domain as the first, but it's going to have different contracts, it's going to have different policies associated with it.

3:43 So which one of these endpoint groups does this traffic belong to?

3:49 Well, we have a primary mechanism for endpoint group traffic identification.

3:58 And the primary mechanism we have for this is going to be to identify the port that this traffic is coming in on and the VLAN encapsulation or the VLAN identifier that it belongs to.

4:11 In theory, if we're showing up on whatever port we have up here, in our case it's 101/1/10, any traffic showing up on this belonging to a particular VLAN should tell me what host is on the other end.

4:28 Now we are specifically talking about the physical domains, let me just write that out.

4:34 The physical domain doesn't have fancy integrations like our virtual integrations would, because when we're talking about a virtual machine and a virtual host we might well have integrations with the hypervisor and with the virtual machine manager so that I can just tell as traffic arrives what it's coming from.

4:55 And I don't necessarily need to use the same identification methods, especially if I'm extending the VXLAN down into the virtual environment, which is technically possible.

5:05 Now that said, if we have a virtual appliance or virtual host that's attached that's not part of our integrations, then that would still be part of the physical domain.

5:13 So all that to say, just as far as how we want to think about this, port and VLAN concept is going to be a primary means of us identifying which endpoint group this traffic belongs to.

5:28 So let's say that this endpoint group on the left, as part of bridge domain 100, is mapped to this port and VLAN 15.

5:40 Meanwhile this endpoint group is mapped to, if I draw my arrow around here, the same port, but it's mapped to VLAN 20.

5:51 So now that this traffic arrives tagged with VLAN 15 on the specific port, we understand from a policy perspective that it belongs to the endpoint group on the left as part of bridge domain 100.

6:04 And if, let's say, now this is a trunked interface, maybe this is a virtual host that's not integrated, well, at this point we might have traffic show up on VLAN 20 later, and that tells us that it belongs to a different endpoint group.

6:19 So at this point we have our means of identifying traffic.

6:23 The question that we have to then explore is how to apply this in our configuration.

6:30 Because we are configuring endpoint groups and we are configuring our different physical parameters and our bridge domains on the logical side, and we're creating our interface policy groups on the physical side.

6:44 And so how does this all get mapped together?

6:48 Well, there are two different options that we have available to us here.

6:52 We can map an endpoint group to an AEP, and second, we can map an endpoint group via static pathing or static binding, depending on the documentation that we're reading.

7:08 So we'll just call this static binding.

7:13 So we are going to see examples of both of these configurations, but let's go ahead and draw a picture of what exactly this looks like.

7:20 So recall what the AEP is doing.

7:22 The AEP, we have said, is the glue that connects our domain to our IPG.

7:33 So we're taking the domain, which includes our VLAN pools, we're tying it to the interface policy group, which includes our interfaces, our policies, and ultimately gets mapped to leaf, well, I should just say switches and the interfaces that are associated with those switches via the switch and interface profiles.

7:51 So this is where we "connect our policies to our ports."

7:59 And I'm using quotes here because it doesn't directly do that.

8:02 It doesn't, via all of these other mechanisms, but this is the end result of the AEP and the job of the AEP.

8:11 Well, if we think about this and why we're doing it this way, this is for the sake of scale.

8:18 We want to be able to push interface policies out throughout a very large, potentially very large, leaf and spine architecture.

8:27 We keep saying that ACI is focused on scaling.

8:30 That's why we have so many different constructs. We might say, well, this seems complicated, but it's only complicated relative to the CLI because of our scaling concerns.

8:44 If we try to configure just a pair of switches using ACI, it'll seem like it's extra configuration.

8:50 But as soon as we need to configure 200 switches or 1000 switches, well, now all of a sudden we're going to understand that this is feeling a little bit more containable using ACI configuration.

9:06 So that is the purpose of deploying some of these ACI configurations, is because of scale.

9:12 Well, mapping the endpoint group to an AEP is also going to buy into this concept of scale.

9:20 And the reason for this is because, remember, the AEP is specifying the domain, and so now the endpoint group being mapped through the AEP via a VLAN ID is going to get mapped to a bunch of interfaces at scale.

9:38 So we're essentially mapping into this concept.

9:41 So if we glue it from start to finish, our endpoint group here, change colors a little bit, our endpoint groups now are getting mapped to a bunch of ports throughout the environment.

9:55 And the VLAN ID is going to be a part of that, and it brings us back to what we're trying to accomplish.

10:00 We're trying to say that traffic arriving on specific ports with a specific VLAN ID is going to result in getting mapped to a specific endpoint group.

10:11 So that sounds pretty good, except for the fact that now our endpoint groups are getting mapped throughout the entire domain, or at least we should say that it has a perfect overlap with the domain.

10:25 So if I have this domain configured on 12 different leaf switches on the first 24 ports on each one of those leaf switches, then this endpoint group policy is going to perfectly overlap that.

10:39 So the question is, is that okay?

10:41 For a large scale environment, it has to be okay.

10:44 We can't get on to individual switches or try to map endpoint groups to individual ports and all of these kinds of things, we need the scaling capability of this method.

10:55 But for smaller environments, this type of method might feel a little bit restrictive.

11:00 For example, I might deploy a new host, and this one host has its own EPG and it's going to tie into this physical domain that we have configured.

11:10 I'm just going to borrow VLAN 220 or something like that.

11:16 So that's well and good, other than now, if I'm using this first method, because I'm part of this physical domain, any traffic arriving on VLAN 220 on any of these physical domain ports will get mapped into this EPG.

11:32 Yeah, I might not want that.

11:34 So at this point, we might want to look at the other method.

11:38 The other method is known as this static binding methodology.

11:42 The idea here is I truly just configure an EPG to get mapped to specific ports.

11:52 So notice we have the same end result.

11:56 We are starting with an EPG here.

11:58 We're ending on ports via a VLAN ID.

12:02 We just do it in a more scaled out fashion with the first method.

12:07 In this method, we're being more explicit.

12:09 We are tying it to ports and we are once again including that VLAN ID.

12:16 That is going to be important because now, again, we are back to port and VLAN identifier.

12:21 However, in this case, this is a static mapping.

12:28 I have to manually tell ACI that this VLAN ID on this port belongs to this EPG.

12:36 So this works really well for more granular types of deployments.

12:42 But that's just it.

12:43 Granular types of deployments require more manual configuration.

12:49 Does this work for large scale infrastructure?

12:51 It's not so much.

12:53 But does it work for one-offs and smaller environments?

12:56 Absolutely, which is why we have this method available to us.

12:59 So as part of this, we notice we're not binding this to an AEP.

13:03 We are going to perform this configuration manually.

13:07 And as we dive into the configuration of the APIC, we're going to make sure we understand how both of these can be configured so that we can adapt to our own environment the method that makes the most sense.

Application Profiles

0:00 We've covered a lot of different ACI constructs at this point.

0:04 On the physical side we have interface policies, interface policy groups, switch profiles, interface profiles, and on the logical side we have endpoint groups and bridge domains and VRFs and contexts, as well as tenants.

0:17 But there is one more construct that we need to talk about.

0:21 And where it exists is a little bit more nebulous.

0:26 I would say it exists on the logical side of things, but ultimately it's a little bit more of an organizational construct.

0:32 It doesn't really belong in either one of our worlds here, our physical world or our logical world.

0:38 The idea here is we are going to talk about our application profiles.

0:45 Application profiles, which have also been called application network profiles in the past.

0:52 These days we typically just call them application profiles.

0:55 So you might see them abbreviated as APs or possibly ANPs.

1:01 But either way, an application profile is actually a collection of EPGs, which is a little bit odd to talk about, especially as far as trying to map this into one of our models.

1:17 Because we know that endpoint groups are going to be bound to a bridge domain.

1:23 So I create an endpoint group, it gets mapped into a bridge domain, and so that works out well from networking, making sure we know which bridge domain, and therefore layer two domain, it's a part of, which subnet it's a part of, all of these things.

1:39 And yet we're saying now that endpoint groups are also collected, bundled up and put into an application profile.

1:45 So where does it fit into our logical model?

1:48 And this is where I'd argue it really doesn't.

1:50 Our application profile is more of this management type of construct.

1:56 Here's the idea.

1:58 This whole concept of ACI is meant to give us an application centric view.

2:05 It's right there in the name, application centric infrastructure.

2:09 But what exactly does application centric mean?

2:12 It means that I put the application into the middle of my conversation.

2:19 Everything about the way that I apply policy, the way that I monitor network health, the way that I perform organization, the way that I perform networking, all of this is meant to be talked about with the application at the center of the conversation.

2:40 So what does the application consist of?

2:42 Well, the application typically consists of multiple endpoints and potentially multiple endpoint groups.

2:50 And so we might have multiple endpoints.

2:52 We might have multiple endpoint groups involved.

2:55 But in the end, what we are really trying to get at here is that we want to identify an application and the endpoints that belong to that application.

3:05 So we can apply all of these other concepts, including policy and health monitoring, to the application itself.

3:14 A great idea of this would be to say that we've got an application, let's just call it application one.

3:19 And I identify that it has a particular set of endpoint groups, maybe EPG1 and EPG2, all of the endpoints in these endpoints in the endpoint groups.

3:31 I was saying that, right?

3:33 All the EPs in the EPGs, however we want to say it, are part of this application.

3:39 Well, once they're part of this application, and yes, this is an application profile, once they're part of this, I can perform network health monitoring.

3:48 I can log in to ACI and take a look at this application's health.

3:53 We might get a health score of 93 out of 100 or something along those lines.

3:59 So I can actually just allow ACI to take all of the health information throughout the network, whether it's issues with leaf switches or issues with bandwidth on links, whether it's issues with specific endpoints, and ultimately compile that into a health rating for the application itself.

4:19 So if I'm having user complaints, I might log in and see that we have a score of 71 out of 100.

4:25 Or maybe more ideally, we see that, hey, we're taking down, normally we hover around 97, 98 out of 100, and today we're at 93 for this one application.

4:36 And maybe we can be a little bit more proactive about going out and trying to figure out what's going on and fix it before the users can complain.

4:45 And so this makes us a little bit more proactive, like we said, but ultimately it also returns our conversation to being application centric rather than network centric.

4:57 Where our focus is on the bandwidth, on the network pipes, and our focus is on the status of the leaf and spine architecture and the VXLAN configuration, when ultimately, as far as our users are concerned, it's the application that matters.

5:12 And yeah, as far as the business is concerned, it's also the application that matters.

5:18 So now we have to figure out how this works from a configuration perspective, and we will see this configuration coming up.

5:25 But when we configure an endpoint group, that endpoint group is going to have to go under the application profile.

5:34 ACI needs to know which endpoint groups belong to a particular application, meaning that this is a required config.

5:43 We can't just say, OK, Cisco, that's great and all, but I don't really need this application-based health monitoring or whatever the situation is, and try to bypass that configuration.

5:56 Absolutely not.

5:57 This is required.

5:59 We must configure endpoint groups as part of an application profile.

6:03 And at that point, ACI can start to put together what applications are receiving which policies and how all of that ties into health monitoring and such.

6:13 But also, when we configure the EPG under the application profile, I'm also going to map this to a bridge domain.

6:22 As we said, over here on the left at the start of this conversation, endpoint groups are configured under a bridge domain.

6:28 That is also a required configuration.

6:32 So I can't just create an endpoint group, though, under the bridge domain, because again, we're trying to bring all this back to the application.

6:39 So both of these bindings are going to be required configurations as part of the EPG.

6:46 And we'll see that based on what we just did in the previous video, talking about the different EPG configuration methods.

6:54 We're going to want to make sure that we understand this concept so as we explore the configurations within the APIC, we understand what's actually happening here and why we're configuring application profiles as a required part of our EPGs.

Perform Logical Configuration

0:00 Let's jump into the APIC and perform our configuration for these various concepts.

0:04 We're going to start by just configuring the logical side of ACI, and we do that by going to tenants.

0:10 And we see the various tenants we actually created earlier in the course as part of our exploration into the different methods for configuration. But either way, we can just click this link up here and say add a tenant.

0:22 We can create a name for this tenant. I'm just going to call this CBT test.

0:27 And then we can actually create a VRF as part of this if we want to. I'm going to call this CBT VRF.

0:36 And hit submit. So at this point, we've already got a tenant and a VRF.

0:41 And we notice that when we're placed here on the networking side of things over on the left on the navigation pane, we actually see the networking topology start to develop over on the right.

0:52 At this point, our topology is just a single VRF. And so it's time to flesh that out a little bit.

0:58 We're going to want to create a bridge domain. So under the bridge domains here, we can just right click and say create a bridge domain.

1:06 And we'll call this CBTBD. And we'll call this bridge domain 100 to represent the fact that we're going to tie it to VLAN 100.

1:16 So I do have to select a VRF. So I can again take any of the common different VRFs that are configured.

1:22 But we're just going to take the VRF that we just created. We are usually going to do that as part of any of our bridge domain configurations.

1:31 And then we can, well, just hit next here. And this is where we would apply our gateway address.

1:37 And that ultimately allows us to use various subnets in the ACI environment.

1:43 The way we do that is by clicking plus here under subnets. And I can say that this is 10.1.1.1.

1:52 And we have to enter the mask of slash 24. We saw this very briefly earlier in the course.

1:58 And so from here, we are going to, well, let's see here. I think the one thing that we probably want to consider is advertising the subnet externally.

2:07 Keep in mind that ACI is its own environment, and it's designed to be its own environment.

2:12 So the question is, do we want to advertise this to external layer three devices?

2:18 Is this part of our larger network or is this meant to be a private part of our network?

2:22 If it's part of the larger network and we know that our users out in the user subnets need to access the subnet, we're going to want to make sure that we check the box for advertised externally.

2:33 So I'll say okay here, and then we'll say next. And at this point, we're just going to say finish.

2:40 We see that we've got lots of options for configuration within ACI, but for the most part, we can just stick with what is presented to us.

2:48 Now a couple of things at the bridge domain. So as we expand this, we actually see the VXLAN identifier that's been mapped to this specific bridge domain.

2:56 Remember, a bridge domain effectively is mapped to a single virtual network identifier.

3:02 And so we actually are presented with that here in ACI, which is pretty cool.

3:06 Meanwhile, we also see the VRF that it's mapped to, as well as the multicast address that's been mapped to it as well.

3:14 Again, that should be coming out of the multicast range that we configured earlier on as part of our configurations, the configuration of the fabric.

3:24 So from here, we could create our endpoint groups, but we don't see a folder on the left for endpoint groups.

3:31 As we mentioned, we are going to configure our endpoint groups under application profiles.

3:36 So I can right click, create an application profile. And let's just call this CBT app one.

3:42 This can be as broad or as narrow of a scope as we want.

3:47 We might suggest that an application is just a single small set of servers.

3:52 Maybe an application is an entire department's worth of applications.

3:56 The good news is, while an application profile is required, even if we don't want to really drill into the granularity of specific applications, yeah, we have to configure it, but we can define the scope of it.

4:08 So either way, I'm just going to create this application one, and we see that I can configure EPGs as part of this.

4:14 So I can go ahead and hit plus here and create some endpoint groups.

4:18 So I'm going to call this EPG one and map it to a bridge domain.

4:23 So BD 100, the one we just created. And which domain is this part of? Is it part of our physical domain?

4:29 Or is it part of our virtual domain? An external domain? I'm going to map this to our physical domain.

4:34 Now, keep in mind here, and at least notice, we've got the static path option.

4:39 So once again, why we sometimes call it static binding, sometimes static pathing, but we could define a very specific static path as part of this configuration.

4:48 For right now, I'm just going to say update. And let's just add a second EPG, EPG two, map it to BD 100, and get our physical domain in there and update.

5:01 So now we've created two different EPGs that are part of the same bridge domain.

5:05 And we have yet to provide any kind of static pathing, which means that our endpoint groups are probably going to require getting mapped into the AEP method, which we're going to see in the next video.

5:18 So right away, we're given a topology here. We see that we have our one application that we've created.

5:25 So this is an application profile and the EPGs that are mapped to that.

5:30 So if we actually, let's see here, so if we expand this and look at this specific application profile and go to the topology tab, we might want to zoom in a little bit.

5:42 But we do see that, okay, I'll zoom in a lot.

5:46 We see the individual endpoint groups that are mapped to specific domains.

5:52 So be stands for bare metal here in this case, so we see these are part of the physical domain. These would be bare metal hosts, appliances or just physical servers.

6:03 And so it tells us how they're mapped in here as well. So these topology tabs can be really useful. We see a topology here.

6:09 We can see a topology here with various application profiles.

6:13 And so this is just another way that ACI visualizes for us what's really happening within the fabric.

EPG Configuration

0:00 Now remember, we have two different ways to configure our EPGs. We can map our EPGs directly to an AEP, the attached entity profile, and this will allow us to at scale push our EPG to our port to VLAN mappings essentially out to a wider space. Or we can statically map it to specific ports. And so we're going to take a look at both of these here in this video. Let's start with the scalable AEP method.

0:27 So what we're going to do is we're going to come over to the fabric tab here. And under the fabric tab, once again remember fabric policies, all about the fabric that exists between the leaf and the spine switches. Our access policies, these are about everything that is southbound of the leaf switches, including our client traffic that needs to get mapped into the EPG.

0:47 So we want to pull up our AEP. And so remember where our AEPs are, we have to go under policies, then we have to go under global, and then we'll see our attachable access entity profile. So again, either AEPs or AAEPs. And then under here we actually have one that we configured as part of the physical model skill called CBT_AEP. So over here we see that once again we're going to take an AEP or AAEP, either one. And we're going to map a physical domain into it.

1:24 But now we need to add our EPGs. At first glance you might say, well, where do we do that? Well, because of the resolution of the screen we do have to scroll down a little bit. So be aware of that. So we see an EPG that was part of a test tenant I did earlier. Meanwhile we are going to hit plus here and we're going to add an EPG from the tenant we just created.

1:48 So I can use the drop down and select my CBT_Test tenant and then I select my application profile. Well, look at that, application one. That's the application profile we just configured.

1:59 Now if I try to select an EPG first we see I can't, because it doesn't know what tenant, well, I've selected the tenant now, and for that matter which application profile. So we do need to select both of these and now we can look at the EPGs. Remember we created two EPGs. We called them just straight up EPG1 and EPG2. So now I can select EPG1.

2:21 I do have to select what my VLAN encapsulation is going to be. Now fortunately they give us this identifier here, or at least an example of how to type this out. For example, if I do 10 here it will just get flagged, no problem. So I don't just type a number in. I don't cite VLAN 10. It has to be very specifically VLAN-10 for VLAN 10, or whatever, VLAN 100 maybe in this case.

2:51 This is going to be our encapsulation. But notice I'm not entering any kind of port. This is not a static mapping. I am mapping it into this AAEP because the AAEP is bound on one side to a bunch of interfaces and on another side to the domain, which carries our VLANs. So now essentially we're just applying this to that policy that pushes things out at scale, which is why we want to use this method if we're a large enough shop that it warrants pushing things out at scale.

3:23 Because the alternative is we individually map every single EPG to physical ports that those endpoints could show up on, and that might be a little bit more beyond what we want to do depending on the size of the environment. So that's exactly what we're doing with the EPG to AAEP method. I'm going to click update here, and at this point any traffic showing up on a particular, this particular set of ports on VLAN 100 is going to get mapped into EPG 1. So that would be the AAEP method.

3:54 So next let's explore static pathing. So in order to do that we actually go back to the tenants tab and we find our tenant, in this case CBT test, and under application profiles here I'm going to start by creating an application profile and showing what it looks like here inside this wizard.

4:15 If I were to make CBT_AP2, for example, we see that I can enter EPGs directly as part of this wizard. So I could just hit the plus here, we're just going to call this one, let's just say EPG 3, because we already created EPGs 1 and 2. I tell it which broadcast domain to insert it into and which domain, this is my physical domain, and now I can take advantage of this static path and static path VLAN.

4:42 So I could say, for example, leaf switch 101 and then port 1 and 2. So 101/1/1/1 to 2. I can also enter a comma here, so I could also say 102/1/1/1 to 2, and unfortunately this box is pretty small, but we get the point, we can just enter in the physical ports that we expect these endpoints to be coming in on.

5:11 But we're not done there, because we also need to map the VLAN ID.

5:15 So once again I could enter a number here, and unfortunately in this case we don't actually have an example right here, but if we hover over the red exclamation point it does say that's an invalid format, it needs that under

5:30lowercase VLAN format. So I'd say VLAN -200 here we could apply contracts but

5:36I'm just going to say update and now we have applied EPG 3 to this brand new

5:41application profile and I'm going to click submit. So that is one way to add an

5:47EPG to a static path rather than to add it to the AEP. Now what if eventually I

5:55want to add new ports to that EPG or for that matter go back to one of these

5:59EPGs that we created earlier and add static mappings here. What we can do is

6:04we can click on this EPG and we can expand it and we see the option for static

6:10ports here. I can right click on this and it says deploy static EPGs onto any

6:15different types of interfaces. We click this and now we're taken to a wizard

6:19where

6:19we can do just that. It does look a little bit different than the wizard we

6:23just went through. In fact we've got some additional options that are in here

6:27but

6:27either way we can use the drop down to select a node and then right away we see

6:31the different ports that we have available to us so I could add Ethernet 1/1

6:35and then I can add VLAN 200 onto here. Just note that we can't select multiple

6:42ports here. I don't believe yet adding a dash 2 here does not allow us to do

6:49that so we're going to have to do this one at a time. So here I can click next

6:53and then hit finish and we have an error no problem. It says that we're

6:58actually already using VLAN 200 on that port for a different EPG. Go figure. So

7:03that's kind of cool. Let's just change it to VLAN 150 and hit finish. So then

7:09we

7:10will see the static ports show up here in the list. So lots of different ways

7:14to

7:15accomplish the same thing. We've got two different methods for mapping EPGs to

7:20different ports throughout our environment and we even have multiple ways

7:23of adding static pathing to the EPGs that we need to use those static mappings.

Configuration Challenge

0:00 Well, how'd you do with this challenge? This is a great challenge to make sure that we understand how to create these logical constructs within ACI, as well as making sure we understand how to go about creating our EPGs and allowing ACI to identify the EPG traffic depending on one of those two scenarios. Again, from a practical perspective, if our organization has a scale-out architecture, we're probably going to want to consider going with the AEP method. But if we aren't a service provider, we're not multi-tenant and we aren't a large enough organization to justify the use of the AEP, where maybe it causes problems when I'm just trying to apply more granular policy, well, at that point I might say, based on the size of my organization, we should just do static mapping, which by the way is a fairly common way of doing it. It's not like we're sacrificing something we're supposed to be sacrificing in order to configure static binding. Configuring static binding is something a great many organizations do today. So it's a perfectly valid method for configuring our EPGs.

1:04 So let's go through these tests together. First of all, we're to create a tenant, a VRF and a bridge domain. That might sound like a tall order; we're talking about three different constructs, but it's really not that bad. We're going to switch over to the Tenants tab here and I'm going to say add a tenant, and we didn't give ourselves tenant names, so I'm just going to call this challenge one tenant here, and then under a VRF name I'll say challenge, actually we'll say VRF_challenge. In fact, let's go ahead and just make this tenant "challenge", just for the sake of seeing what exactly the construct is at the start. So I'll say submit here. We already have created the tenant and the VRF, which is a pretty good deal. Now every now and again the graphical user interface doesn't load over here; I'm going to click off of tenant challenge and come back, and now it is loaded.

1:55 So now we need to create the bridge domain, which goes under networking. So we see our bridge domains here. Let's just create one, and we will call this BD_challenge, and we'll map this to our VRF. From here we can click next, and this is where we are instructed to add a subnet, and we'll make sure we advertise that subnet. So it's not super intuitive to be able to tell that this is the area where we add our subnets. It's going to form a list of subnets. Most of our bridge domains, from a practical perspective, once again, are going to have a single subnet per bridge domain. So let's go ahead and add the gateway that we were instructed to add, 10.100.1.1/24, and we want to advertise this externally. We were directed to do that and we demonstrated that during the skill. So we say okay; now we have an advertised, or externally advertised, subnet and the gateway address is associated there. So we say next and finish, and we've created our bridge domain.

3:07 So now we have to create an application profile. Well, let's just create that right here. We'll just call this application one like we did in the skill. And for this one we're told to create this EPG using the AEP method. So we're going to create an EPG here and we're going to call this EPG1, and we'll apply this to the bridge domain right here, BD_challenge. And our domain is going to be the physical domain. And again, this is going to be AEP based, so we're not going to add static paths here. Now from here we've got to finish this EPG configuration out, and so I'm going to click submit. And I'm going to go back over to the Fabric tab, which is where our physical policies are, especially on the access policy side here. This is where our AEPs are going to show up. So let's go ahead and expand Policies, Global, and then we see under AEP, or AAEP here, the one that should already be in our lab environment. Now, if you were firing this up, and maybe I should have said this from the beginning, if you're firing up a fresh environment, then the physical side is going to be required. It's right there in the lab notes that says that this is assuming we have a physical configuration in place. And so if we don't have a configuration in place for the physical side, that's going to be a requirement here. So for now we are building this, fortunately, on our lab environment, which does have the physical configuration built out. So we already have our AEP and we have our domain here.

4:48 Now once again, we might be wondering, where do I add the EPG? I simply scroll down and now the EPG section is down here. I'm going to hit plus. We're going to add an EPG, but again I can't add an EPG or an application profile unless I select the tenant; I basically have to work from the left here. So I'm going to say that I want to add an EPG from the challenge tenant, specifically an EPG from application one. And now I can select my EPG1. Now the encapsulation is going to be required here. We were told to apply it on, let's see here, VLAN 101. So vlan-101. And that's actually it. So we're going to click update here. And once it loads, hopefully it shows up there, and indeed now it has shown up. So that is the AEP method for creating our EPG.

5:39 So now we're going to do a couple of other options. We're going to go back to the Tenants tab, look on our tenants, expand our application profiles. So what we want to do next is create a new application profile. We're going to create app two. And we're going to add a statically mapped EPG. So we'll create EPG two here, EPG2. And then I'm going to select the bridge domain and the domain, except now I'm going to map a static path here. So I can add a static path for 101-101/1/1/1/1/1/2. So then we need to include the VLAN ID, which for this is going to be VLAN 100. And we'll hit update and submit. So that is our second application. We have a statically bound, or statically mapped, EPG for application two.

6:41 So next, lastly, we want to create a third EPG that's going to leverage static path binding. But we're going to do it under app one, which we already created. I'm going to right-click here and create an application EPG. And we're going to call this EPG3. And the reason why we're going through this exercise is to make sure that we understand, if we're not creating an EPG as part of the initial application profile, then we're going to need to go through this wizard, which does look a little bit different. So here we're creating the EPG. We do have to, as always, bind a bridge domain, so I'm going to select that. And a couple of things here. So first of all, we could actually just submit this, no problem. But do notice that we have this option checkbox right here to statically link with leaves and paths. And that gives us a second part of this wizard that wasn't there before. Now this part, there we go, I just scroll down; scrolling inside of scrolling windows. Yeah, that's the problem with recordable resolutions, but it is what it is. So now we've got the option to add our physical domain here, and then we can do the leaves and paths. Now we didn't demonstrate this during the skill. So if what you did was leave this box unchecked and then say finish, then at this point we have our new EPG, EPG3 here. And so we could have expanded this, gone down to static ports, and deployed a static port this way. So we were told to add the static port onto leaf 102, and specifically port one, and then use VLAN 102 here. So now we'll say next and finish. And that is probably the way that you ended up doing it. But as we see, when we do go through the process of creating the application EPG, we can check this box right here to allow us to do it right there when we are configuring the EPG itself.

8:45 So lots of ways of doing things. And the more time we spend in the APIC GUI, the more we're going to know how to go about clicking around and creating things; it's just going to really piece together for us how exactly all of this comes together. And one of the beautiful things about having multiple ways of configuring endpoint groups and endpoint group traffic identification is it allows us to think through how exactly this is working on the back end. Whether I'm statically mapping it or applying it via an AEP, just thinking through that process helps me to even better understand what an AEP is, to reinforce that knowledge, which is something that we haven't talked about in a couple of skills. So regardless of how you ended up accomplishing this, as long as you got your EPGs created and you found that you can do either EPG option, AEP or static mapping, either way, as long as we can get to that, then we are good to go for moving forward. I hope this has been informative for you, and I'd like to thank you for viewing.
