Introduction
This document describes how to configure the Configuration Zone feature in Cisco Application Centric Infrastructure (ACI).
Concept
The Configuration Zone feature is used in ACI to lock configuration changes for a portion of the fabric switches. If you group the fabric switches into two zones, A and B, you can push configuration changes to the switches in Zone A and hold the changes for the switches in Zone B.
This feature minimizes the risk of deploying configuration changes, because a change is pushed to a group of switches instead of to every switch in the fabric.
When you use a configuration zone, the deployment mode can be configured as:
- Open — Updates are sent immediately
- Locked — New updates are postponed
Prerequisites
A basic understanding of ACI configuration features such as interface policy groups, interface selectors, and switch profiles is required. All of these fall under the Access Policies section of the Cisco Application Policy Infrastructure Controller (APIC) GUI.
The Configuration Zone feature is only available for the policies listed in the section Configuration Zone Supported Policies of this document:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_APIC_Config_Zones.html
Setup and Topology
This lab is built with two leaf switches with Node IDs 101 and 104.
Model: N9K-C93180YC-FX
APIC Version 5.2(5c)
- IPG Policy: config_zone_ipg
  - config_zone_aaep
  - system-cdp-enabled
  - system-lldp-enabled
- Leaf Interface Selector: config_zone_leaf_interface_profile
- Switch Profile: Leaf_101_104_Port7
  - Leaf101
  - Leaf104
  - config_zone_leaf_interface_profile
Configuration Example
In this lab, you use the configuration zone feature in ACI to postpone Interface Policy Group (IPG, MO infraAccPortGrp) changes to Leaf 104, whereas the changes are pushed to Node 101 immediately once deployed.
Config Zone Configuration
Start by creating the config zones on the APIC for Leaf 101 and Leaf 104:
A) Leaf101 is the config zone name for leaf 101
B) Leaf104 is the config zone name for leaf 104
Step 1. Create the config zone “Leaf101”. In order to configure it,
navigate to System —> Configuration Zone —> Create Zone.
Step 2. Set the mode to “Open” for Leaf 101.
Step 3. The config zone is created, but no leaf switches are mapped to it. Map switch node Leaf 101 to config zone “Leaf101”:
- Select Node Types —> Leaf Switches
- Use + sign to add the switch node 101
Validation:
Make sure Leaf switch node 101 is added to config zone “Leaf101”.
Step 4. Create the config zone “Leaf104”. Set the mode to “Locked” for config zone Leaf104.
Step 5. Add switch node Leaf 104 to config zone “Leaf104”.
Access Policies Configuration
In the previous section you created the IPG Policy config_zone_ipg. It is mapped to the Leaf Interface Selector "config_zone_leaf_interface_profile", which you now map to the Switch Profile Leaf_101_104_Port7.
After these steps, you can observe that changes are postponed for switches whose config zone has deployment mode “Locked” (Leaf 104), whereas changes are pushed immediately to nodes whose config zone has deployment mode “Open” (Leaf 101).
Refer to the Interface Policy Group, Interface Selector, and Switch Profile configuration across the two leaf switches for port E1/7 in these snippets:
IPG Policy
The IPG policy is attached to interface E1/7
The IPG is attached to port E1/7 on Leaf 101 and Leaf 104, respectively
Configuration Zone feature testing with interface configuration across two leaf switches
- IPG changes are pushed to Leaf 101
Validation:
Check Pending Changes: Nothing (All changes are pushed)
CDP was enabled by the IPG policy and pushed to Leaf 101 because its config zone was "Open".
Validation:
apic1# fabric 101 show cdp neighbors int e1/7
----------------------------------------------------------------
Node 101 (leaf01)
----------------------------------------------------------------
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
V - VoIP-Phone, D - Remotely-Managed-Device,
s - Supports-STP-Dispute
Device-ID Local Intrfce Hldtme Capability Platform Port ID
switch1(FDO23331683)
Eth1/7 130 R S s N9K-C93108TC- Eth1/7
- IPG policy changes are postponed for Leaf 104. Check Pending Changes: the changes related to the IPG and the interface selectors are shown as pending.
Validation:
You can click “Pending changes” to see more details on what is being changed. The IPG configuration is pending to be pushed to Leaf 104.
Validation:
The Leaf Interface Profile changes are pending to be pushed to Leaf 104.
Validation:
The CDP changes that were part of the Interface Policy Group are “Not Pushed” to Leaf 104 because its config zone was locked.
Validation:
apic1# fabric 104 show cdp neighbors interface ethernet 1/7
----------------------------------------------------------------
Node 104 (leaf04)
----------------------------------------------------------------
Note. CDP Neighbor entry not found
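The two CLI validations above can be checked together by a script. This is an added example, not part of the original document: it parses `fabric <node> show cdp neighbors` output, including the wrapped Device-ID row, and confirms that the change reached the Open zone while the Locked zone held it back. The function names and the column spacing in the sample are assumptions.

```python
import re

# Constructed sample: the Leaf 101 and Leaf 104 outputs shown above, captured
# while config zone "Leaf104" is still Locked (column spacing is assumed).
SAMPLE = """\
 Node 101 (leaf01)
----------------------------------------------------------------
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
Device-ID          Local Intrfce  Hldtme Capability  Platform      Port ID
switch1(FDO23331683)
                    Eth1/7         130    R S s       N9K-C93108TC- Eth1/7
----------------------------------------------------------------
 Node 104 (leaf04)
----------------------------------------------------------------
Note. CDP Neighbor entry not found
"""

NODE_RE = re.compile(r"^Node (\d+) \(")
ROW_RE = re.compile(r"^(Eth\S+)\s+(\d+)\s+(.*?)\s+(\S+)\s+(\S+)$")

def parse_fabric_cdp(text):
    """Return {node_id: [neighbor, ...]} from 'fabric <id> show cdp neighbors'."""
    nodes, node, in_table, pending = {}, None, False, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = NODE_RE.match(line)
        if m:  # new per-node section; its neighbor table has not started yet
            node, in_table, pending = int(m.group(1)), False, None
            nodes[node] = []
        elif line.startswith("Device-ID"):
            in_table = node is not None
        elif in_table and line and not line.startswith("---"):
            dev, _, rest = line.partition(" ")
            row = ROW_RE.match(line) if pending else None
            if row:  # wrapped row: the Device-ID was on the previous line
                dev = pending
            else:    # short Device-ID printed on the same line as the row
                row = ROW_RE.match(rest.strip())
            if row is None:
                pending = line  # long Device-ID printed alone
                continue
            keys = ("local_intf", "holdtime", "capability", "platform", "port_id")
            nodes[node].append(dict(zip(keys, row.groups()), device_id=dev))
            pending = None
    return nodes

def check_zone(nodes, intf, expect_deployed):
    """Map node_id -> True when neighbor presence on intf matches expectation."""
    return {n: any(e["local_intf"] == intf for e in nodes.get(n, [])) == want
            for n, want in expect_deployed.items()}
```

While zone “Leaf104” is Locked, `check_zone(parse_fabric_cdp(SAMPLE), "Eth1/7", {101: True, 104: False})` reports both nodes as matching; after the pending changes are pushed, the expectation for node 104 becomes `True`.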
Pushing Pending Changes
Now you can push the pending changes to Leaf 104. Use the (—>) button to push the pending changes: click the (—>) button and select OK. Refresh Pending Changes and make sure nothing is left.
Validation:
Ensure changes are finally pushed to Leaf 104.
Validation:
CDP is enabled on port E1/7 for Leaf 104 once the changes are pushed.
Validation:
apic1# fabric 104 show cdp neighbors interface ethernet 1/7
----------------------------------------------------------------
Node 104 (leaf104)
----------------------------------------------------------------
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
V - VoIP-Phone, D - Remotely-Managed-Device,
s - Supports-STP-Dispute
Device-ID Local Intrfce Hldtme Capability Platform Port ID
switch1(FDO23331683)
Eth1/7 141 R S s N9K-C93108TC- Eth1/17
This configuration example has shown how to use the configuration zone feature in ACI.