Initial Setup

This chapter contains these sections:

Additional documents

Provide information about related documents that are useful references along with the Cisco APIC Getting Started Guide.

For next steps, see....

All related documents are available on the APIC documents landing page. The document names are indicative and will help you to find relevant information about APIC concepts, funtionality and behavior.

APIC configuration methods

You can configure Cisco APIC using the GUI, REST API or the CLI method.

In several instances, the NX-OS style CLI can create the ACI model constructs implicitly for a user's ease of use, and they also provide validations to ensure consistency in configuration. This functionality reduces and prevents faults.

For further details about configurations and tasks, see the Cisco APIC Basic Configuration Guide and the Cisco APIC NX-OS Style Command-Line Interface Configuration Guide.

Change the default BIOS password

Use this procedure to change the BIOS password.

Cisco APIC ships with a default BIOS password. The default password is "password". When the boot process starts, the boot screen displays the BIOS information on the console server.

Procedure

Step 1

During the BIOS boot process, when the screen displays Press <F2> Setup, press F2.

The Entering Setup message displays as it accesses the setup menu.

Step 2

At the Enter Password dialog box, enter the current password.

The default password can be password or Insieme123.

Step 3

In the Setup Utility, choose the Security tab, and choose Set Administrator Password.

Step 4

In the Enter Current Password dialog box, enter the current password.

Step 5

In the Create New Password dialog box, enter the new password.

Step 6

In the Confirm New Password dialog box, re-enter the new password.

Step 7

Choose the Save & Exit tab.

Step 8

In the Save & Exit Setup dialog box, choose Yes.

Step 9

Wait for the reboot process to complete.

The updated BIOS password is effective.

Cisco Application Centric Infrastructure

The Cisco Application Centric Infrastructure (ACI) is a distributed, scalable, multitenant infrastructure with external endpoint connectivity controlled and grouped through application-centric policies.

The centralized management controller for ACI is the Application Policy Infrastructure Controller (APIC). The Application Policy Infrastructure Controller (APIC) is a cluster-based management controller that

  • serves as the unified point for automation, management, monitoring, and programmability for the ACI. The APIC supports the deployment, management, and monitoring of any application anywhere, with a unified operations model for the physical and virtual components of the infrastructure.

  • programmatically automates network provisioning and control based on application requirements and policies. It is the central control engine for the broader cloud network. It simplifies management and allows flexibility in how application networks are defined and automated.

  • provides northbound REST APIs to support integration and custom workflows.

The APIC is a distributed system that is implemented as a cluster of many controller instances.

Local serial connection for basic configuration

This section describes how to establish a local serial connection to the Cisco APIC server to begin the initial basic configuration. For additional connection information, including instructions on connecting to the server remotely for setup, refer to "Initial Server Setup" in the Cisco APIC M4/L4 server installation and service guide. If you are on Cisco APIC release 6.1(4), you can refer the Cisco APIC G5 server installation and service guide.

Initial Connection

The Cisco APIC server operates on a Cisco Integrated Management Controller (CIMC) platform. You can make an initial connection to the CIMC platform using one of these methods:

  • Use a KVM cable (Cisco PID N20-BKVM) to connect a keyboard and monitor to the KVM connector on the front panel of the server.

    If you want to use vKVM, see Installing an OS Using the KVM Console in Cisco UCS C-Series Integrated Management Controller GUI Configuration Guide, Release 4.3.

  • Connect a USB keyboard and VGA monitor to the corresponding connectors on the rear panel of the server.


    Note
    You cannot use the front panel VGA and the rear panel VGA at the same time.

You can make a serial connection using one of the following methods. Two of these methods require a configuration change in the CIMC:


Note
You cannot use more than one of these methods simultaneously.

  • Use the DB9 connector of the KVM cable

  • Use the rear panel RJ-45 console port (after enabling in the CIMC)

  • Connect by Serial-over-LAN (SoL) (after enabling in the CIMC)

The default connection settings from the factory are:

  • The serial port baud rate is 115200

  • The RJ-45 console port located on the rear panel is disabled in the CIMC

  • SoL is disabled in the CIMC

The following are additional notes about serial access:

  • If you are using a Cisco Integrated Management Controller (CIMC) for your setup, setup the CIMC first, and then access the Cisco APIC through the CIMC KVM or continue to access the Cisco APIC locally through the rear panel USB/VGA port. If you choose the CIMC KVM access, you will have remote access available later which is required during operations.

  • If you are using the RJ-45 console port, connect to CIMC using SSH and enable the SoL port using the following commands:

    
scope sol
  set enabled yes
  set baud-rate 115200
  commit
  exit

    After enabling SoL, enter the command connect host to access the APIC console.


    Note

    When using SoL, physically disconnect the rear panel RJ-45 console port.

Initial Cisco APIC Setup

When the Cisco APIC is launched for the first time, the APIC console presents a series of initial setup options. For many options, you can press Enter to choose the default setting that is displayed in brackets. At any point in the setup dialog, you can restart the dialog from the beginning by pressing Ctrl-C.

Important Notes

  • If the UNIX user ID is not explicitly specified in the response from the remote authentication server, then some Cisco APIC software releases assign a default ID of 23999 to all users. If the response from the remote authentication server fails to specify a UNIX ID, all users will share the same ID of 23999 and this can result in the users being granted higher or lower privileges than the configured privileges through the RBAC policies on the Cisco APIC.

  • Cisco recommends that you assign unique UNIX user IDs in the range of 16000 to 23999 for the AV Pairs that are assigned to the users when in Bash shell (using SSH, Telnet, or Serial/KVM consoles). If a situation arises where the Cisco AV Pair does not provide a UNIX user ID, the user is assigned a user ID of 23999 or similar number from the range that also enables the user's home directories, files, and processes accessible to the remote users with a UNIX ID of 23999.

    To ensure that your remote authentication server does not explicitly assign a UNIX ID in its cisco-av-pair response, open an SSH session to the Cisco APIC and log in as an administrator (using a remote user account). Once logged in, run the following commands (replace userid with the username that you logged in with):

    • admin@apic1: remoteuser-userid> cd /mit/uni/userext/remoteuser-userid

    • admin@apic1: remoteuser-userid> cat summary

  • Cisco recommends against modifying any parameters using CIMC. If there are any issues, ensure that the default setting for CIMC management node is Dedicated mode and not Shared. If Dedicated mode is not used, it can prevent the discovery of fabric nodes.

  • Do not upgrade software or firmware using the CIMC user interface, XML, or SSH interfaces unless the modified property and software or firmware version are supported with your specific Cisco APIC version.

  • Set the NIC mode to Dedicated, when setting up the CIMC, in the CIMC Configuration Utility. After the CIMC is configured, in the CIMC GUI, verify that you have the following parameters set.

    Parameters

    Settings

    LLDP

    Disabled on the VIC

    TPM Support

    Enabled on the BIOS

    TPM Enabled Status

    Enabled

    TPM Ownership

    Owned

  • If you log in to your Cisco APIC using https, and then attempt to log in to the same Cisco APIC using http in the same browser window without first logging out of the Cisco APIC in the https window, you might see the following error message:

    Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie.

    If this occurs, resolve the issue using either of the following methods:

    • Log out of the Cisco APIC in the https window, or

    • Delete the cookies in the browser window

    You should be able to successfully log into the Cisco APIC using http after resolving the issue with either of the methods above.

  • During the initial setup, the system will prompt you to select IPv4, or IPv6, or dual stack configuration. Choosing dual stack will enable accessing the Cisco APIC and Cisco ACI fabric out-of-band management interfaces with either IPv4 or IPv6 addresses. While the examples in the table below use IPv4 addresses, you can use whatever IP address configuration options you chose to enable during the initial setup.

  • A minimum subnet mask of /19 is recommended.

  • Connecting the Cisco APIC to the Cisco ACI fabric requires a 10G interface on the ACI-mode leaf switch. You cannot connect the Cisco APIC directly to the Cisco Nexus 9332PQ, Cisco Nexus 93180LC, or Cisco Nexus 9336C-FX2 ACI-mode leaf switches unless you use a 40G to 10G converter (part number CVR-QSFP-SFP10G), in which case the port on the leaf switches will auto-negotiate to 10G without requiring any manual configuration.

  • The fabric ID is set during the Cisco APIC setup and it cannot be changed unless you perform a clean reload of the fabric. To change the fabric ID, export the Cisco APIC configuration, change the sam.config file, and perform a clean reload of the Cisco APIC and leaf switches. Remove the "fvFabricExtConnP" setting from the exported configuration before importing the configuration into the Cisco APIC after the Cisco APIC comes up. All Cisco APICs in a cluster must have the same fabric ID.

  • All logging is enabled by default.

  • For login and cluster operations, non-default HTTPS port (default is 443) is not supported for layer 3 physical and layer 3 virtual APICs (on ESXi and AWS). Virtual APICs on ESXi/ AWS are supported from release 6.0(2).

Setup for active and standby APICs

This section has details about the initial setup fpr active and standby APICs.

Setup for active APIC

Name

Description

Default value

Fabric name

Fabric domain name

ACI Fabric1

Fabric ID

Fabric ID

1

Number of active controllers

Cluster size

3

Note

 

When setting up a Cisco APIC in an active-standby mode, you must have at least 3 active Cisco APICs in a cluster.

POD ID

POD ID

1

Standby controller

Setup standby controller

no

Setup for standby APIC

Name

Description

Default value

Fabric name

Fabric domain name

ACI Fabric1

Fabric ID

Fabric ID

1

Number of active controllers

Cluster size

3

Note

 

When setting up a Cisco APIC in an active-standby mode, you must have at least 3 active Cisco APICs in a cluster.

POD ID

POD ID

1

Standby controller

Setup standby controller

yes

Bring up the APIC cluster using the GUI

This procedure provides details of the initial cluster set up and bootstrapping process. Enter the relevant details for each of the screens

The APIC Cluster Bringup GUI supports virtual and physical APIC platforms. The virtual APICs (deployed using ESXi or AWS), and physical APICs can be connected to the ACI fabric directly to the leaf switches or remotely attached through a layer 3 network. The GUI supports both the scenarios. A major advantage of using the APIC Cluster Bringup GUI is that, you do not need to enter the parameters for every APIC in a cluster. One APIC can relay the information to the other APICs of the cluster.

Alternatively, you can perform the initial setup and cluster bringup using the REST APIs. See the Getting Started section of the APIC REST API Configuration Procedures guide.

Before you begin

  • For virtual APIC on ESXi, ensure to complete the deployment of the APIC VM using the OVF template on the VMware vCenter GUI. For a three-node cluster, configure three VMs with the management IP address, gateway, and admin passwords. The number of VMs is dependent on the size of the APIC cluster.

  • For virtual APIC on AWS, ensure to complete the deployment of the APIC VM using the cloud formation template (CFT) on the AWS GUI. AWS allocates IP addresses dynamically from the out-of-band (OOB)/infra/inband subnets accordingly, to correspond with the network adapters of the virtual APIC's EC2 instance.

  • For virtual APICs (deployed using AWS/ ESXi), ensure that the admin password(s) are the same for all the APICs in a cluster.

  • For the physical APIC cluster, configure the OOB address for APIC 1. Ensure that the CIMC addresses of APICs 2 to N (where N is the cluster size) are reachable via the OOB address of APIC 1.

  • Connectivity between out-of-band and the CIMC is mandatory.

Limitations:

  • No support for IPv6 addresses on virtual APICs deployed using AWS.

  • For login and cluster operations, non-default HTTPS port (default is 443) is not supported for remotely-attached APICs (physical and virtual).

Procedure

Step 1

Log in to the APIC 1 using https://APIC1-IP.

  1. For virtual APICs:

    If you have completed the deployment of virtual APICs using ESXi (OVF template) or remote AWS (CFT), then you see output on the VM console similar to the following example: 

    System pre-configured successfully.
Use: https://172.31.1.2 to complete the bootstrapping.

    The IP address to access the bootstrapping GUI (APIC Cluster Bringup) is explicitly indicated, as shown in the example. You can proceed to step 2.

    After deploying APIC on AWS, keep the OOB management IP address handy to access the Cluster Bringup GUI. You can get the OOB management IP address from the Stacks Outputs tab on the AWS GUI.

  2. For physical APICs:

    Log in to the APIC 1 KVM console using the CIMC; you will see a screen as shown below:

    APIC Version: 6.0(2a)
Welcome to Cisco APIC Setup Utility
Press Enter Or Input JSON string to bootstrap your APIC node.

    If you see only a black screen on the KVM, connect to the CIMC using SSH and use serial over LAN (SoL) ("connect host") to connect to the console.

    On APIC 1, press Enter and provide the requested information. The IP address to access the bootstrapping GUI (APIC Cluster Bringup) is explicitly indicated. 

    admin user configuration ...
  Enter the password for admin [None]:
  Reenter the password for admin [None]:
Out-of-band management configuration ...
  Enter the IP Address [192.168.10.1/24]: 172.20.7.79/23
  Enter the IP Address of default gateway [192.168.10.254]: 172.20.6.1
Would you like to edit the configuration? (y/n) [n]:
System pre-configured successfully.
Use: https://172.20.7.79 to complete the bootstrapping

    The IP addresses displayed above are examples. The IP addresses will vary based on your deployment.

Step 2

Using the OOB address, log in to the APIC Cluster Bringup GUI.

Step 3

In the Select Workflow screen, choose New cluster and click Next.

Note

 

The workflow selection is only from Release 6.1(3) and later.

The GUI screen has four parts. Enter the details in the following screens:

  • Connection Type

  • Cluster Details

  • Controller Registration

  • Summary

Each of the above screens are discussed in detail in the subsequent steps. The screens are marked as steps with sequential numbers: 1, 2, 3, and 4; after you have entered and saved the required details in each of these screens, the number is replaced with a tick-mark.

Step 4

The first step is entering the Connection Type information. In the Connection Type screen, choose the type of connection between the APIC and the fabric.

The options are:

  • Directly connected to leaf switches (APIC fabric)

  • Remotely attached through a Layer 3 network

If it is virtual APIC using AWS, the system detects that the APIC is remotely-attached through a Layer 3 network and proceeds directly to the Cluster Details screen.

Step 5

Click Next.

Step 6

The second step is entering the Cluster Details. Enter the fabric-level details in the Cluster Details screen.

  • Fabric Name: Enter a name for the fabric.

  • Cluster Size: The default cluster size displayed is "3", which is the recommended minimum cluster size. You can modify this value, based on your cluster size. The supported values are 1, 3, 4, 5, 6, 7, 8, and 9.

  • GiPo Pool: Enter the IP address used for fabric multicast. The default address is 225.0.0.0/15. The range is from 225.0.0.0/15 to 231.254.0.0/15. The prefixlen must be 15 (128k IP addresses).

    You cannot change this value after you have completed the configuration. Having to modify this value requires a wipe of the fabric.

  • Pod ID: (applicable only for directly connected APICs (virtual and physical)) the pod ID is displayed. If this is your first APIC, "1" is auto-populated. Subsequent APICs of the cluster can be associated with any pod number.

    For a remotely-attached APICs, pod is 0.

  • TEP Pool: (applicable only for directly connected APICs (ESXi virtual APIC and physical APIC)) enter the subnet of addresses used for internal fabric communication. The size of the subnet used will impact the scale of your pod.

    You can not change this value after you have completed the configuration. Having to modify this value requires a wipe of the fabric.

  • Infrastructure VLAN: Enter the VLAN ID for fabric connectivity (infra VLAN). This VLAN ID should be allocated solely to APIC, and not used by any other legacy device(s) in your network. Default value is 3914. The range is from 0 to 4093.

    You can not change this value after you have completed the configuration. Having to modify this value requires a wipe of the fabric.

  • Enable IPv6 on APICs (not applicable for virtual APIC on AWS): Put a check in this box if you want to enable IPv6 addresses for out-of-band management.

Step 7

Click Next.

Step 8

The third step is entering the Controller Registration details. Click Add Controller to add the first APIC (of the cluster). Enter the following details:

  • Controller Type: The bootstrapping procedure auto-detects the deployment for which the configuration is being carried out. Based on that, either Virtual or Physical is chosen. The options displayed for the virtual and physical controller types are discussed in substeps (a) and (b), respectively. Follow either of these substeps based on the controller type.

  1. When the Controller Type is Virtual:

    • Virtual Instance: The management IP used to access the APIC cluster bringup GUI. Only for the first APIC, this IP address is auto-populated. For the nodes that you subsequently add to the cluster, you will need to enter the management IP address and click Validate.

      The management IP addresses are defined during the deployment of the VMs using ESXi/AWS. As mentioned in the prerequisites, keep all the required IP addresses handy while bringing up the cluster.

    • General pane

      • Name: User-defined name for the controller.

      • Controller ID: The ID is auto-populated. If this is the first APIC of the cluster, the ID is "1". If you are adding the second controller of the cluster, "2" is auto-populated (and so on).

      • Pod ID: (Applicable only for directly connected virtual APIC on ESXi) The pod ID is auto-populated for APIC 1 of the cluster. For subsequent controllers of the cluster, enter a value. The range is from 1 to 128.

      • Serial Number: The serial number of the virtual machine is auto-populated.

    • Out of Band Network pane

      • IPv4 Address: The IP address is displayed (as defined during the deployment).

      • IPv4 Gateway: The IP address is displayed (as defined during the deployment).

      If you have enabled IPv6 addresses for OOB management earlier (step 5), enter the IPv6 address and gateway.

    • Infra L3 Network pane (this pane is displayed only if the Connection Type that you chose earlier is Remotely attached through an L3 network.

      • IPv4 Address: Enter the infra network address.

      • IPv4 Gateway: Enter the IP address of the gateway.

      • VLAN: (Applicable only for remotely attached virtual APIC- ESXi) Enter the interface VLAN ID to be used.

      The Infra L3 Network pane does not display when you deploy the virtual APIC using AWS.

    After you have entered and saved the first APIC details, click Add Controller on the Controller Registration screen to add another APIC to the cluster.

  2. When the Controller Type is Physical:

    • CIMC Details pane

      • IP Address: The CIMC IP address. Only for the first APIC, this IP address is auto-populated. When you add more controllers to the cluster, you need to enter the CIMC IP addresses.

      • Username: The username to access the CIMC. The username is auto-populated (for the first controller and subsequent controllers).

      • Password: Enter the password to access CIMC. For the first controller, the password is auto-populated. For the subsequent controllers, enter the password.

      • Click Validate. Validation success is displayed on successful authentication.

        If the CIMC is unreachable from the APIC out of band management IP address due to the CIMC NIC mode settings, change the NIC mode or enter JSON strings to perform the bootstrap.

    • General pane

      • Name: Enter a name for the controller.

      • Controller ID: If it is the first controller of the cluster, "1" is auto-populated. If it is the second controller, "2" is auto-populated, and so on (increasing order).

      • Pod ID: (applicable only for a directly-connected APIC) the pod ID is auto-populated for APIC 1 of the cluster. For subsequent controllers of the cluster, enter a value. The range is from 1 to 128.

      • Serial Number: The serial number is auto-populated (for APICs 1 to N, where N is the cluster size) after CIMC validation.

        APIC 1 verifies the reachability of the CIMC IP addreses and also captures the serial number of the new APICs.

    • Out of Band Network pane

      • IPv4 Address: For APIC 1, the address is auto-populated. For subsequent APICs, enter the IP address (as defined during the deployment).

      • IPv4 Gateway: For APIC 1, the gateway address is auto-populated. For subsequent APICs, enter the IP address (as defined during the deployment).

      If you have enabled IPv6 addresses for OOB management earlier (step 5), enter the IPv6 address and gateway.

    • Infra L3 Network pane (this pane is displayed only if the Connection Type that you chose earlier is remotely attached through a Layer 3 network).

      • IPv4 Address: Enter the infra network IP address.

      • IPv4 Gateway: Enter the infra network IP address of the gateway.

      • VLAN: Enter a VLAN ID.

    On the Controller Registration screen, after you have entered and saved the first APIC details, click Add Controller to add another APIC to the cluster.

    (Optional, applicable only for virtual APICs) On the Controller Registration screen, put a check in the Import existing security certificates box to import existing security certificates for fabric recovery in virtual APICs. After putting a check in the box, enter the required details in the following fields:

    • The Remote Server IP Address which contains the configuration file.

    • The Remote Path which contains the configuration file.

    • The configuration File Name.

    • The AES Encryption Passphrase which was earlier used while backing up the configuration. The backup configuration file is linked to this key (passphrase).

    • Choose the Protocol. The choices are:

      • FTP

      • SFTP

      • SCP

    • Remote Port

    • (applicable only for SFTP and SCP Protocols) Choose the Authentication Type. The choices are:

      • Use Password

      • Use SSH Private Key Files

    • The Username to access the remote server.

    • The Password to authenticate access to the remote server.

    • (applicable only for Use SSH Private Key Files Authentication Type) Enter the SSH Key Contents here.

    • (applicable only for Use SSH Private Key Files Authentication Type) Specify the SSH Key Passphrase used for encrypting the private key.

      For details about the Import/Export procedure, see the Cisco ACI Configuration Files: Import and Export document.

    The Import existing security certificates is applicable only for virtual APICs (deployed using AWS/ ESXi). Physical APICs have in-built certificates. However, in case of virtual APICs, when you are restoring using backup configuration to recover the fabric, the existing security certificates can be re-used.

Step 9

Click Next.

The Next button is disabled until all the controllers for a cluster are added. This is defined by the value you have entered for Cluster Size in the Cluster Details screen.

You can use the Back button to navigate to an earlier screen. After adding an APIC, click Edit Details to edit the information for an APIC. Except the first APIC, you can delete the other controllers, if required, by clicking the delete icon.

IPv6 management addresses on Cisco APIC

IPv6 management addresses can be provisioned on the Cisco Application Policy Infrastructure Controller (APIC) at setup time or through a policy once the Cisco APIC is operational. Pure IPv4, pure IPv6, or dual stack (that is, both IPv6 and IPv4 addresses) are supported.

For the detailed cluster bring up procedure, see Bring up the APIC cluster using the GUI.

Access the APIC GUI

Use this procedure to access the APIC GUI.

APIC GUI is the interface which enables you to configure the APIC. The Cisco APIC can be configured using the GUI or using REST API or CLI.

Procedure

Step 1

Open one of the supported browsers:

  • Chrome version 59 (at minimum)

  • Firefox version 54 (at minimum)

  • Internet Explorer version 11 (at minimum)

  • Safari version 10 (at minimum)

Note

 

A known issue exists with the Safari browser and unsigned certificates. Read the information presented here before accepting an unsigned certificate for use with WebSockets. When you access the HTTPS site, the following message appears:

“Safari can’t verify the identity of the website APIC. The certificate for this website is invalid. You might be connecting to a website that is pretending to be an APIC, which could put your confidential information at risk. Would you like to connect to the website anyway?”

To ensure that WebSockets can connect, you must do the following:

Click Show Certificate.

Choose Always Trust in the three drop-down lists that appear.

If you do not follow these steps, WebSockets will not be able to connect.

Step 2

Enter the URL: https://mgmt_ip-address

Use the out-of-band management IP address that you configured during the initial setup. For example, https://192.168.10.1.

Note

 

Only https is enabled by default. By default, http and http-to-https redirection are disabled.

Note

 

If you see the following error message when logging into your Cisco APIC:

Need a valid webtoken cookie (named APIC-Cookie) or a signed request with signature in the cookie.

This is due to a known issue that occurs when you are logging into a Cisco APIC using both https and http. See the "Important Notes" section for more information on this issue and the workaround.

Step 3

When the login screen appears, enter the administrator name and password that you configured during the initial setup.

Step 4

In the Domain field, from the drop-down list, choose the appropriate domain that is defined.

If multiple login domains are defined, the Domain field is displayed. If the user does not choose a domain, the DefaultAuth login domain is used for authentication by default. This may result in login failure if the username is not in the DefaultAuth login domain.

Access REST API

The Cisco APIC can be configured using the REST API. Other options to configure the APIC are the GUI and CLI.
By using a script or a browser-based REST client, you can send an API POST or GET message of the form: 
https://apic-ip-address/api/api-message-url

Use the out-of-band management IP address that you configured during the initial setup. You must send an authentication message to initiate an API session. Use the administrator login name and password that you configured during the initial setup.


Note

Only https is enabled by default. By default, http and http-to-https redirection are disabled.

Access the NX-OS style CLI

You can access the APIC NX-OS style CLI either directly from a terminal or through the APIC GUI.

Guidelines for the APIC NX-OS style CLI

  • The CLI is supported only for users with administrative login privileges.

  • The APIC NX-OS style CLI uses similar syntax and other conventions to the Cisco NX-OS CLI, but the APIC operating system is not a version of Cisco NX-OS software. Do not assume that a Cisco NX-OS CLI command works with or has the same function on the APIC CLI.

  • If FIPS is enabled in the Cisco ACI setups, then SHA256 support is mandatory on the SSH Client. Additionally, to have the SHA256 support, the openssh-client must be running version 6.6.1 or higher.

  • The object model CLI is available by typing the bash command at the initial CLI prompt.

Access the NX-OS style CLI from a terminal

Use this procedure to access the NX-OS style CLI from a terminal.

Procedure

Step 1

From a secure shell (SSH) client, open an SSH connection to APIC at username@ip-address .

Use the administrator login name and the out-of-band management IP address that you configured during the initial setup. For example, admin@192.168.10.1.

Step 2

When prompted, enter the administrator password.

What to do next

When you enter the NX-OS style CLI, the initial command level is the EXEC level. You can stay in EXEC mode or you can type configure to enter global configuration mode. In any mode, type ? to see the available commands.

For information about using the NX-OS style CLI commands, see the Cisco APIC NX-OS Style Command-Line Interface Configuration Guide and the Cisco APIC NX-OS Style CLI Command Reference.

Access the NX-OS style CLI from the GUI

Use this procedure to access the NX-OS style CLI from the APIC GUI.

Procedure

Step 1

From the menu bar, choose System > Controllers.

Step 2

In the navigation pane, click Controllers.

Step 3

Right-click the desired APIC and choose Launch SSH.

Step 4

Follow the displayed instructions to open an SSH session to the selected controller.

What to do next

When you enter the NX-OS style CLI, the initial command level is the EXEC level. You can stay in EXEC mode or you can type configure to enter global configuration mode. In any mode, type ? to see the available commands.

For information about using the NX-OS style CLI commands, see the Cisco APIC NX-OS Style Command-Line Interface Configuration Guide and the Cisco APIC NX-OS Style CLI Command Reference.

Access the object model CLI

Use this procedure to access the object model CLI. The object model CLI is available by typing the bash command at the initial CLI prompt.

Procedure

Step 1

From a secure shell (SSH) client, open an SSH connection to username@ip-address .

Use the administrator login name and the out-of-band management IP address that you configured during the initial setup. For example, ssh admin@192.168.10.1.

Step 2

When prompted, enter the administrator password that you configured during the initial setup.

You are now in the NX-OS style CLI for APIC.

Step 3

Type bash to enter the object model CLI.

Step 4

To return to the NX-OS style CLI, type exit .

This example shows how to enter the object model CLI and how to return to the NX-OS style CLI:


$ ssh admin@192.168.10.1
Application Policy Infrastructure Controller
admin@192.168.10.1's password: cisco123
apic#             <---- NX-OS style CLI prompt
apic# bash
admin@apic1:~>    <---- object model CLI prompt
admin@apic1:~> exit
apic#

What to do next

Every user must use the shared directory called /home. This directory gives permissions for a user to create directories and files; files created within /home inherit the default umask permissions and are accessible by the user and by root. We recommend that users create a /home/userid directory to store files, such as /home/jsmith, when logging in for the first time.

For detailed information about configuring the APIC CLI, see the Cisco APIC Object Model Command Line Interface User Guide.