The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You can install the Cisco APIC-EM on a server (bare-metal hardware) and then deploy it within your network. The Cisco APIC-EM can be deployed as a single host (single server) or within a multi-host environment (multiple servers).
We recommend that you install and deploy Cisco APIC-EM in a multi-host environment for enhanced scalability and redundancy. For information about multi-host support, see Multi-Host Support.
Step |
Description |
---|---|
1 |
Review Cisco UCS server support for Cisco APIC-EM. |
2 |
Review the listed considerations for a bare metal installation. |
3 |
Review the system requirements for a bare-metal hardware installation. |
4 |
Review the pre-install checklists for the installation (standalone and multi-host modes). |
5 |
Review information about port usage for the controller. |
6 |
Download and verify the ISO image. |
7 |
Install the ISO image. |
8 |
Proceed to configure the Cisco APIC-EM in standalone or multi-host mode. Refer to the following sections for information about the configuration wizard process: |
The Cisco APIC-EM is available as an ISO image that can be downloaded from Cisco.com and installed on any Cisco UCS server that meets the minimum server (bare-metal hardware) requirements as listed in the following section.
Cisco APIC-EM has been tested and qualified to run on the following Cisco UCS servers:
For more information about Cisco UCS servers, see the following documentation:
Cisco Integrated Management Controller documentation:
Cisco UCS C220 M4 Rack Server Specifications Sheet:
Cisco UCS C220 Server Installation and Service Guide:
http://www.cisco.com/c/en/td/docs/unified_computing/ucs/hw/C220/install/C220.html
Before you begin your bare-metal hardware installation, note the following:
You must configure RAID on your bare metal hardware before you begin the installation process.
After starting the installation of the ISO, the Cisco APIC-EM software packages will be installed. The bare metal hardware system will reset twice.
Do not press any the Escape key or any other keys on the keyboard once the installation process has started. Pressing a key will cause the system logs to be displayed during the installation process.
If you are installing the Cisco APIC-EM ISO using a bootable disk, then you may encounter a known issue with mounting the media (bootable disk). If this occurs, you will receive the following error message:
There was a problem reading data from the CD-ROM. Please make sure it is in the drive. If retrying does not work, you should check the integrity of your CD-ROM. Failed to copy file from CD-ROM. Retry?
If this occurs, then you need to unmount the media and mount it as a CD-ROM. For example, the following Linux commands can be used to mount the media as a CD-ROM. Log onto the bare metal console to enter these commands.
The following is an example of entering these Linux commands:
~ # ~ # mount rootfs on / type rootfs (rw, size=32927728k,nr_inodes=823192) none on /run type tmpfs (rw, nousid, relatime, size=6586808k,mode=755) none on /proc type proc (rw, relatime) none on /sys type sysfs (rw, relatime) devtmpfs on /dev type devtmpfs (rw, relatime, size=32927744k, nr_inodes-8231936, mode=755) devpts on /dev/pts type devpts (re, nosuid, noexec, relatime, gid=5, mode=620, ptmxmode=000) /dev/sr0 on /media type iso9660 (ro, relatime) ~ # ~ # ~ # umount /dev/sr0 ~ # mount /dev/sr0/cdrom ~ # ~ # ~ # ~ # ~ # ~ #
Note | For information about and an example of creating a bootable USB disk from a USB flash drive and attaching the ISO to it, see Creating a Bootable USB Disk and Attaching the ISO. For additional information about this issue, see https://bugs.launchpad.net/ubuntu/+source/debian-installer/+bug/1347726. |
During the installation process, you may be prompted to install the Linux GNU GRUB boot loader package. If so prompted, select the option to install the GRUB boot loader package and proceed with the installation.
The following table lists the minimum system requirements for a successful Cisco APIC-EM server (bare-metal hardware) installation. The minimum system requirements for each server in a multi-host deployment are the same as in a single host deployment, except that the multi-host deployment requires two or three servers.
Note | The three server, multi-host deployment provides both software and hardware high availability. The two server, multi-host deployment only provides software high availability and does not provide hardware high availability. For this reason, we strongly recommend that for a multi-host deployment three servers be used. With either two or three servers, all of the servers must reside in the same subnet. |
Caution | You must dedicate the entire server for the Cisco APIC-EM. You cannot use the server for any other software programs, packages, or data. During the Cisco APIC-EM installation, any other software programs, packages or data on the server will be deleted. |
Server Option |
Image Format |
Bare metal/ISO |
||
Hardware Specifications |
CPU (cores) |
6 (minimum)
|
||
|
Memory |
32 GB (minimum single host deployment)
|
||
|
Disk Capacity |
200 GB of available/usable storage after hardware RAID |
||
|
RAID Level1 |
Hardware-based RAID at RAID Level 10 |
||
|
CPU Speed |
2.4 GHz |
||
|
Disk I/O Speed |
200 MBps |
||
|
Network Adapter |
1 |
||
Networking |
Web Access |
Required |
||
|
Browser |
The following browsers are supported when viewing and working with the Cisco APIC-EM: |
Review the following checklists before beginning a single-host Cisco APIC-EM installation (standalone mode).
Note | A host is defined as an appliance, physical server, or virtual machine with instances of a Grapevine root and clients running. The Grapevine root is located in the host OS and the clients are located within Linux containers. The clients run the services within the Linux containers. You can set up either a single host deployment or multi-host deployment (2 or 3 hosts) for your network. For high availability and scale, your multi-host deployment must contain three hosts. All inbound traffic to the controller in a single host deployment is through the host IP address that you configure using the configuration wizard. All inbound traffic to the controller in a multi-host deployment is through a Virtual IP that you configure using the configuration wizard. |
Networking Requirements
This Cisco APIC-EM installation requires that the network adapters (NICs) on the host (physical or virtual) are connected to the following networks:
Internet (network access required for Make A Wish requests and telemetry collection)
Network with NTP server(s)
Network with devices that are to be managed by the Cisco APIC-EM
Note | The Cisco APIC-EM should never be directly connected to the Internet. It should not be deployed outside of a NAT configured or protected datacenter environment. |
IP Address Requirements
Ensure that you have available at least one IP address for the network adapter (NIC) on the host.
The IP address is used as follows:
Note | If your host has 2 NICs, then you may want to have two IP addresses available and configure one IP address for each NIC. |
Review the following checklist before beginning a multi-host Cisco APIC-EM installation (multi-host mode).
You must satisfy the requirements for the single host installation as described in the previous section for each host.
Additionally, you must establish a network connection between each of the hosts using either a switch or a router. Each host must be routable with the other two hosts.
You must configure a virtual IP (VIP).
You configure one or more NICs on each host using the configuration wizard. Each NIC that you configure must point to a non-routable network (if all your networks are routable, then you only need one NIC). A VIP is required per non-routable network. For example, if you configure 2 NICs on all 3 hosts in a multi-host cluster and each NIC points to a separate, non-routable network, then you need to configure 2 VIPs. The VIP provides an interface redundancy feature for your multi-host deployment. With a VIP, the IP address can float between the hosts.
When deploying the controller in a multi-host configuration:
You provide a VIP address when configuring the controller using the wizard.
On startup, the controller will bring up the VIP on one of the hosts.
All inbound requests into controller from the external network are made via this VIP (instead of the host IP address), and the requests are routed to the services running on different hosts via the reverse-proxy service.
If the host on which has the VIP fails, then Grapevine will bring up the VIP on one of the remaining two hosts.
The VIP must reside in the same subnet as the three hosts.
If you are planning to obtain a certificate issued for a multi-host environment, then it is important to get the certificate issued against the virtual IP or the host name resolvable to the virtual IP.
A multi-host deployment has three physical IP addresses and one virtual IP that floats across the IP addresses by design in order to provide high availability. This capability to float also means that any SSH client that wants to connect to the virtual IP address will see different host-identity public SSH keys each time the virtual IP moves its residence from one host to another host. Most SSH clients will complain that the new host is not trusted, since an entry already exists (as you might have accepted the key earlier for the older host which owned that virtual IP address before). To prevent this inconvenience, you may want to add the host keys of all the three hosts to your known hosts list as described below.
For example on a Linux or Apple Mac OS client machine, run the ssh-keyscan command on each of the three host physical IP addresses as follows:
$ ssh-keyscan -t rsa 209.165.200.30 # 209.165.200.30 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 209.165.200.30 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1B6/1JpKPFOmG3S82eE8OKZkGYmRd SYnuCHfDiY5Pptt3BmaPgC6OlER4wwDL8VP2Rx2kxj3diIzFpUOyDqTbFxIRKVzlwtHHZdhO6G93MyLLGsWq XSMWs4xVcqpembKeCrdjakPaPAXqiAeKW9oimdv.....
$ ssh-keyscan -t rsa 209.165.200.31 # 209.165.200.31 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 209.165.200.31 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF57F90z2His86tEj4s75pTc7h0nfzF 2c3QweHCNN2ov474HJJcPrnWTw4DAoPpPCU6zWvR0QLxunURDb+pMeZrIIyd49xn9+OBSmBpzrnety7UB2uP XzL1RvVxayw8mkXkj779LhFh9vkXR4DtX7XLjg.....
$ ssh-keyscan -t rsa 209.165.200.32 # 209.165.200.32 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 209.165.200.32 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9kwzodGzGkh/UFXVa9fptGe+sa3CBR 6SNerXxpCmfT9AOXH8xuk3/CBX+DDUQgGJVmqw6maCYKOy0RtAhGxdsNdPL6ETTKzxYB5uzw3KhcDJ6D6ob6 jdzkR6yRuXVFi2OE+u1Aqs7J8GO66FfdavU8.....
Next, change the IP address in the SSH key line of each output to the virtual IP address of the following and append all three key lines to the ~/.ssh/known_hosts file and save it.
Assuming that 209.165.200.33 is the virtual IP address in the above multi-host example, you would add three lines in the ~/.ssh/known_hosts file of your client machine as follows:
209.165.200.33 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA1B6/1JpKPFOmG3S82eE8OKZkGYmRdSYnuCHfDiY5Pptt3BmaPgC6OlER4 wwDL8VP2Rx2kxj3diIzFpUOyDqTbFxIRKVzlwtHHZdhO6G93MyLLGsWqXSMWs4xVcqpembKeCrdjakPaPAXqiAeKW9 oimdvPbrQPua7Zg9oblDxaBPn0Fqj00YDjKqTkp/IkZHEfHbDM996GLEbWlOvoHeCCqeZ1nWgFIqzAF+ty8+X5Z/fh hmGe+w2tQlMfrs9pcZDaEEmq/w1W+uRohxLKs+OHnHYAbMzC6O+5fLEr2BwaZf8W016eo1WpPsxUVK6StbXBOQZrcH0 bPsUbIjKJkzafpft9Dp73pSd/vwaoB3DrvNec/PiEJYk+R.....
After the above change, the client will have no trouble performing uninterrupted SSH into the virtual IP address of the hosts even with the IP address floating.
The following tables list the Cisco APIC-EM ports that permit incoming traffic, as well as the Cisco APIC-EM ports that are used for outgoing traffic. You should ensure that these ports on the controller are open for both incoming and outgoing traffic flows.
Note | Ensure that proper protections exist in your network for accessing port 22. For example, you can configure a proxy gateway or secure subnets to access this port. |
Port Number |
Permitted Traffic |
Protocol (TCP or UDP) |
---|---|---|
22 |
SSH |
TCP |
80 |
HTTP |
TCP |
123 |
NTP |
UDP |
162 |
SNMP |
UDP |
443 2 |
HTTPS |
TCP |
500 |
ISAKMP In order for deploying multiple hosts across firewalls in certain deployments, the IPSec ISAKMP (Internet Security Association and Key Management Protocol) UDP port 500 has to be allowed to be traversed. |
UDP |
16026 |
SCEP |
TCP |
Port Number |
Permitted Traffic |
Protocol (TCP or UDP) |
||
---|---|---|---|---|
22 |
SSH (to the network devices) |
TCP |
||
23 |
Telnet (to the network devices) |
TCP |
||
53 |
DNS |
UDP |
||
80 |
Port 80 may be used for an outgoing proxy configuration. Additionally, other common ports such as 8080 may also be used when a proxy is being configured by the Cisco APIC-EM configuration wizard (if a proxy is already in use for your network).
|
TCP |
||
123 |
NTP |
UDP |
||
161 |
SNMP agent |
UDP |
||
443 3 |
HTTPS |
TCP |
||
500 |
ISAKMP In order for deploying multiple hosts across firewalls in certain deployments, the IPSec ISAKMP ( (Internet Security Association and Key Management Protocol) UDP port 500 has to be allowed to be traversed. |
UDP |
Prior to deploying the Cisco APIC-EM, verify that the ISO image that you downloaded is a genuine Cisco image.
Note | If you are deploying the Cisco APIC-EM from an ISO image that you downloaded, then perform this procedure. This procedure is not required, if deploying the controller with the Cisco APIC-EM Controller Appliance (Cisco APIC-EM ISO image pre-installed and tested). |
You must have received notification of the location of the Cisco APIC-EM ISO image or contacted Cisco support for the location of the Cisco APIC-EM ISO image.
After you verify that the ISO image is genuine and from Cisco, install the Cisco ISO image.
Perform the steps in the following procedure to install the Cisco ISO image on the host (bare-metal hardware or server).
Note | If you are deploying the Cisco APIC-EM from an ISO image that you downloaded, then perform this procedure. This procedure is not required, if deploying the controller with the Cisco APIC-EM Controller Appliance (ISO image pre-installed and tested). |
You must review the system requirements before beginning this procedure.
You must review the Cisco APIC-EM pre-deployment checklist before beginning this procedure.
You must have downloaded and verified the Cisco ISO image by performing the tasks in the previous procedure.
Step 1 | Burn the ISO image onto a DVD or copy it onto a bootable USB disk. | ||
Step 2 | If the ISO image
was burned onto a DVD, then insert the DVD into the DVD drive of the server.
| ||
Step 3 | Alternatively,
if the ISO image was copied onto a bootable USB disk, then insert this bootable
USB disk into the server.
For information about and an example of creating a bootable USB disk from a USB flash drive and attaching the ISO to it, see Creating a Bootable USB Disk and Attaching the ISO.
| ||
Step 4 | Boot up the host (server) and start the configuration wizard. |
Proceed to configure Cisco APIC-EM to run on either a single or multiple hosts. Refer to the following sections for information about the configuration wizard process: