If I want (full) 2-way communication between 2 (or more) EPGs, does that mean I need two contracts between each EPG, where one is the provider *and* consumer (one in each direction)? Like, if one isn't *only* providing a service to another, but both are providing (and consuming) to each other.
Yes, exactly, you would need two sets of contracts. The same way I configured it for one, you configure it for the other side as well. Thanks for the comment 👍
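A small model of what the exchange above is about, added here as an illustration; it is not APIC code and not the configuration from the video. EPG names, contract names and ports are made up. The model treats a contract's filter as applying to connections the consumer EPG opens towards the provider EPG, so with one contract only the consumer can initiate, and a second contract in the reverse direction is what lets the other side initiate as well, while ports not named in any filter stay closed.

```python
"""Toy model of how ACI contracts gate traffic between EPGs.

Added illustration, not APIC code. Simplification: a contract's filter
is matched only for a connection that the *consumer* opens towards the
*provider*; return traffic of an allowed connection is assumed to be
handled by the fabric.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Filter:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the provider side


@dataclass
class Contract:
    name: str
    filters: FrozenSet[Filter]
    providers: Set[str] = field(default_factory=set)
    consumers: Set[str] = field(default_factory=set)


class Fabric:
    def __init__(self) -> None:
        self.contracts: Dict[str, Contract] = {}

    def add_contract(self, name: str, *filters: Filter) -> None:
        self.contracts[name] = Contract(name, frozenset(filters))

    def provide(self, epg: str, contract: str) -> None:
        self.contracts[contract].providers.add(epg)

    def consume(self, epg: str, contract: str) -> None:
        self.contracts[contract].consumers.add(epg)

    def permits(self, src_epg: str, dst_epg: str, proto: str, dport: int) -> bool:
        """May src_epg open a new proto/dport connection to dst_epg?"""
        if src_epg == dst_epg:
            return True  # intra-EPG traffic is allowed by default
        wanted = Filter(proto, dport)
        return any(
            src_epg in c.consumers and dst_epg in c.providers and wanted in c.filters
            for c in self.contracts.values()
        )


def one_way_then_two_way() -> Dict[str, bool]:
    """Show why a single contract only lets the consumer initiate."""
    fab = Fabric()
    # Contract 1: "app" provides a service on tcp/8443 that "web" consumes.
    fab.add_contract("web-to-app", Filter("tcp", 8443))
    fab.provide("app", "web-to-app")
    fab.consume("web", "web-to-app")
    result = {
        "web->app:8443 with one contract": fab.permits("web", "app", "tcp", 8443),
        "app->web:443 with one contract": fab.permits("app", "web", "tcp", 443),
    }
    # Contract 2: the reverse direction, so "app" can call back into "web".
    fab.add_contract("app-to-web", Filter("tcp", 443))
    fab.provide("web", "app-to-web")
    fab.consume("app", "app-to-web")
    result["app->web:443 with two contracts"] = fab.permits("app", "web", "tcp", 443)
    # Nothing else opens up: no filter in either contract names this port.
    result["app->web:22 with two contracts"] = fab.permits("app", "web", "tcp", 22)
    return result


if __name__ == "__main__":
    for k, v in one_way_then_two_way().items():
        print(f"{k}: {'permit' if v else 'deny'}")
```

The point the model makes is the least-privilege one: each contract direction opens exactly the filters it names and nothing more, so the second contract should carry only the ports the other side genuinely needs to initiate.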
So, at the end, with the "re-using": all the config guides I've seen so far made a Switch Profile for 1 switch and an Interface Profile for 1 port. Now, if I have a fabric with 100+ leafs and thousands of servers, I'd be doing profiles for months, and whenever there's a new server and/or a new leaf, I'd be clicking through tabs and profiles for days. Does that mean it's possible to create 1 "master" profile to use for all leafs and another "master" profile for all ports on a leaf? Or maybe a 'few' general ones depending on what you want to connect, and you're good to go? If every (bare metal) server and/or port needs its own profile, it would be pure madness in a bigger fabric. I mean, normally, ports are all configured the same/similarly (for standard servers) and only the VLANs change (or now the EPG deployment on a port).
Normally you will not have to go through all this again & again; you have a quick way to create profiles in ACI as well. Moreover, the problem mainly comes between the vPC & non-vPC ports (normal access/trunk). If you dedicate everything as non-vPC & your server team is OK with it, then a master profile can work. But I know that somewhere you're going to need vPCs, and then it will be a little hassle removing those interfaces from profiles & creating a vPC profile for them.
@doctor.networks Thank you for the reply! The networking team in our company and I are still pretty "old-school". We're using legacy NX-OS without anything fancy like VXLAN, so all of this looks extremely unintuitive to me. Right now, when the server team tells us they need 4 channeled ports, we SSH to the vPC pairs in the rack, copy our vPC template over the ports, allow the VLANs they need, and that's pretty much it. And when the server gets removed later on, we simply default the port. Having to do a switch profile for every leaf and then a new interface profile for every used port seems like a *lot* of extra work rather than simplifying it. After having done all the profiles and policies and whatnot, you then also still need to go into the EPGs menu and link all the needed EPGs to the ports. (Which can be a whole lot; like, we have servers that access 20-30 VLANs, so instead of "sw trunk allowed vlan 100-130", it's going through 30 individual EPG menus now...?) And when the server gets decommissioned, you have to find and delete profiles (among the hundreds or thousands of others) and remove the static bindings in the EPGs. You have every switch and port accessible from the same system, which is super cool, but if having to go through dozens of menus takes more time than SSH-ing to the switches and configuring the ports manually, something about the whole ACI thing seems odd to me. -- We've ordered a lab for next month and I'll be trying your videos to build it myself and experiment a little before having a session with our Cisco rep over what the best approach for our use case and current hierarchy is.
It was indeed an insightful video. A quick question: is it safe to enable X-Forwarder? I was just wondering if X-Forwarder is exposing the Citrix backend infrastructure to somebody who is logging in from the Internet. Is my understanding correct? Is it not a security issue? Look forward to seeing your response.
Thanks, mate. Appreciate your comment. X-Forwarding only pulls out the client source IP (which could be an Internet public IP) & puts that in the HTTP header; that packet will be sent to the backend servers. There is nothing as such that will be exposed to the client actually, so I think it's pretty safe.
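The header the reply describes, X-Forwarded-For, carries the client's address to the backend. Because any client can also send an X-Forwarded-For of its own, the backend should believe only the element appended by the proxy it knows and treat everything before it as untrusted. The following is an added example of that check on the backend side; it is not Citrix code or the configuration from the video. It assumes the backend sees connections from the ADC at 10.0.0.5 (a made-up address) and that the ADC appends the connecting client's address as the last element of the header, which is the usual X-Forwarded-For convention; confirm that behaviour for your own proxy before relying on it.

```python
"""Extracting the real client address from X-Forwarded-For on a backend.

Added example, not Citrix code. Assumes the proxy at TRUSTED_PROXIES
appends the connecting client's address as the LAST element of the
header; earlier elements may have been supplied by the client.
"""
import ipaddress
from typing import Optional

# Addresses of proxies trusted to have appended X-Forwarded-For (assumed).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the address to log / rate-limit / ACL on for this request.

    peer_ip: the TCP peer the backend actually accepted the connection from.
    xff:     the X-Forwarded-For header value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES or not xff:
        # Direct connection (or no header): any X-Forwarded-For the peer
        # sent is client-controlled, so ignore it.
        return str(peer)
    # Walk from the right: skip hops that are our own proxies; the next
    # entry is the address our proxy saw connecting to it.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the header: do not guess, fall back to the peer.
            return str(peer)
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # every hop was one of ours; nothing client-side left


# Constructed sample requests: (peer address, X-Forwarded-For value)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "203.0.113.9"),             # normal: proxy appended the client
    ("10.0.0.5", "127.0.0.1, 203.0.113.9"),  # client tried to spoof 127.0.0.1
    ("10.0.0.5", "not-an-ip, 203.0.113.9"),  # garbage first hop, still fine
    ("10.0.0.5", "203.0.113.9, 10.0.0.5"),   # proxy chain: skip our own hop
    ("198.51.100.7", "127.0.0.1"),           # direct hit, header is a lie
    ("10.0.0.5", None),                      # header missing
]


def resolve_samples():
    """Resolve every sample request to the address the backend should use."""
    return [client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), resolved in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<14} xff={xff!r:<28} -> {resolved}")
```

The design choice worth noting is the fallback: whenever the header cannot be parsed, or the connection did not come through a trusted proxy, the code uses the TCP peer address rather than anything the client wrote, so a forged header can never promote a client to an internal address.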
I am trying to configure a text SMS message with this RADIUS option but it's only working with the Duo Push approval option. Is there anything specific to be done to get an SMS text?
Bro, it's been a long time since I have looked into Duo 😀 but you would certainly need to have an SMS API setting in the Duo cloud. Check if it's supported.
It was an amazing video and helped me a lot. Please create a video for a simple application like a web server and its database and the EPGs for each one of them, and show the communication end to end.
I don't know if you still read comments here, but I've been having trouble with the differences between TACACS+ and RADIUS. This video completely cleared up every question I had about it, plus a few more I didn't even know I had. Thank you so much for the video! Great content!
I still read comments here, brother 😀 You are very welcome. When I was making this video I didn't know it would help so many people. I'm happy that it helped you.
Yeah, but you may need different policies for a set of VLANs; you can actually create multiple zones referencing multiple VLANs. The video is to give a concept, that's why I kept it simple. Obviously zones will be a better approach in the long term.
ACI EPG TO DOMAIN ISSUE UPDATE: The EPG was not bound to the physical domain & yet the communication began to work because of a bug, as mentioned in this Cisco forum thread. In later releases it may be fixed. community.cisco.com/t5/application-centric-infrastructure/epg-without-a-physical-domain-association/td-p/4462831
Hi, it's actually via regular expressions, & all devices get that color. Here is how you do it. Navigate to Session Options >> Appearance >> Highlight Keywords & then edit. Put the following in the word section one by one & set the color as needed:
[^#]+#
[^>]+>
@doctor.networks Thanks. I think I tried this before but it doesn't work for me. I have some key highlights already set but will try again. What is your font and size? I
Good stuff, thanks. Same situation, only the ISPs (Gi1 and Gi2 in your diagram) are each in a different VRF, Internet1 and Internet2. I've tried the config you demonstrated but it doesn't work, presumably because of the VRFs. (Gi0 / Inside is in the GRT.) When I use a basic NAT statement as in a single ISP (no route-map), it works, but of course I must change the NAT manually or use EEM triggered by an IP SLA tracked object. So, what am I missing? Will this even work with VRFs? I have seen similar NAT use cases where it simply won't work when overloading an interface; it must be a different IP. Is this one of those cases? TIA!
Hi Gary, interesting scenario. Now, rather than asking you a bunch of questions, I would request that you send the running config of your router to info@doctornetworks.net. I will be happy to assist (no charges).
Sup dude, what about your exam? Did you clear it yet, or are you still preparing? I need help regarding it & suggestions; I am also preparing for it.
PBR/PfR. Not truly balanced, that's impossible with two different ISPs, but you can direct traffic x to int1 and traffic y to int2. In the route-map you set the next hop based on your traffic matching.