New and Changed Information

The following table provides an overview of the significant changes up to this current release. The table does not provide an exhaustive list of all changes or of the new features up to this release.

Table 1. New Features and Changed Behavior in Cisco APIC

| Cisco APIC Release Version | Feature | Description | Where Documented |
|---|---|---|---|
| Release 2.1(1h) | Global toggle between in-band and out-of-band default management connectivity | A toggle has been added to switch between in-band or out-of-band as the default management connectivity mode between the APIC server and other external management devices. | This content is available in Toggling between In-band and Out-of-band Default Management Connectivity. |
| Release 1.3(1g) | - | Removed object model CLI procedures and replaced them with NX-OS Style CLI procedures. | This content is available in the Configuring Static In-Band Management Access Using the NX-OS Style CLI section and in the Configuring Static Out-of-Band Management Access Using the NX-OS Style CLI section with static management access examples. |
| Release 1.2(2g) | IPv6 configurations supported | IPv6 configurations are supported using static configurations (for in-band and out-of-band). | - |
| Release 1.0(2j) | - | This article was written. | - |

About Static Management Access

Configuring static in-band and out-of-band management connectivity is simpler than configuring dynamic in-band and out-of-band management connectivity. When configuring in-band static management, you must specify the IP address for each node and make sure to assign unique IP addresses. For simple deployments where users manage the IP addresses of a few leaf and spine switches, it is easy to configure a static management access. For more complex deployments, where you might have a large number of leaf and spine switches that require managing many IP addresses, static management access is not recommended. We recommend that you configure a dynamic management access that automatically avoids the possible duplication of IP addresses.

Guidelines and Limitations for Static Management Access

The following guidelines and limitations apply for static management access:

  • We recommend that you configure either in-band or out-of-band static management or in-band and out-of-band dynamic management. Do not combine the two methods in your deployments.

  • IPv4 and IPv6 addresses are supported for in-band management access. IPv6 configurations are supported using static configurations (for both in-band and out-of-band). IPv4 and IPv6 dual in-band and out-of-band configurations are supported only through static configuration. For more information, see the Configuring Static Management Access in Cisco APIC KB article.

  • Using the log directive on filters in management contracts is not supported. Setting the log directive causes zoning-rule deployment failure.

  • A simple ping to a spine switch will fail if it generates an ARP request, because spine switches do not respond to ARP requests. When pinging a spine switch from the Cisco APIC, you must specify the source interface/address so that the Cisco APIC does not send an ARP request.

  • A spine switch does not resolve ARP on the in-band management IP address. Because of this, any device in the in-band management network cannot communicate with the spine switch. Access to a spine switch is only possible over a Layer 3 network.

Static In-band Management

Configuring Static In-Band Management Access Using the GUI

Before you begin

Ensure that enough IP addresses are available to be allocated for the number of nodes that will be required for a deployment.

Procedure


Step 1

On the menu bar, choose FABRIC > Access Policies. In the Work pane, click Configure an Interface, PC, and VPC.

Step 2

In the Configure Interface, PC, and VPC dialog box, click the large + icon next to the switch diagram to create a new profile and configure VLANs for the APIC.

Step 3

In the Switches field, from the drop-down list, check the check boxes for the switches to which the APICs are connected.

Step 4

In the Switch Profile Name field, enter a name for the profile.

Step 5

Click the + icon to configure the ports.

Step 6

Verify that in the Interface Type area, the Individual radio button is selected.

Step 7

In the Interfaces field, enter the ports to which APICs are connected.

Step 8

In the Interface Selector Name field, enter the name of the port profile.

Step 9

In the Interface Policy Group field, from the drop-down list, choose Create Interface Policy Group.

Step 10

In the Create Access Port Policy Group dialog box, perform the following actions:

  1. In the Name field, enter the name of the policy group.

    You can leave the default values in the rest of the fields as they are.
  2. In the Attached Entity Profile field, choose Create Attachable Access Entity Profile.

    This new attachable access entity profile enables you to specify the VLAN ranges that will be used.

Step 11

In the Create Attachable Access Entity Profile dialog box, perform the following actions:

  1. In the Name field, enter a name.

  2. Expand Domains to be Associated to Interfaces field. In the Domain Profile field, from the drop-down list, choose Create Physical Domain.

  3. In the Create Physical Domain dialog box, in the Name field, enter the name.

  4. In the VLAN Pool field, from the drop-down list, choose Create VLAN Pool.

  5. In the Create VLAN Pool dialog box, in the Name field, enter the pool name.

  6. In the Allocation Mode area, click the Static Allocation radio button.

  7. Expand Encap Blocks. In the Create Ranges dialog box, in the Range fields, add a VLAN range.

  8. In the Create VLAN Pool dialog box, click Submit.

  9. In the Create Physical Domain dialog box, click Submit.

  10. In the Create Attachable Access Entity Profile dialog box, click Update and then Submit.

  11. In the Create Access Port Policy Group dialog box, click Submit.

  12. In the Configure Interface, PC, and VPC dialog box, click Save.

Step 12

Expand the Configured Switch Interfaces area to configure the VLANs for the VMM server ports, and perform the following actions:

  1. In the Switches drop-down list, check the check boxes for the switches that you want to connect to the APICs.

  2. In the Switch Profile Name field, enter a name for the profile.

  3. Click the + icon to configure the ports.

  4. In the Interface Type area, verify the Individual radio button is selected.

  5. In the Interfaces field, enter the ports to which the VMM servers are connected.

  6. In the Interface Selector Name field, enter the name of the port profile.

  7. In the Interface Policy Group field, from the drop-down list, choose the policy group that was created earlier. Click Save, and click Save again.

  8. In the Configure Interface, PC, and VPC dialog box, click Submit.

    The VLAN and the ports to which the APIC and the VMM servers are connected are now configured.

Step 13

Choose TENANTS > mgmt. In the Navigation pane, expand Tenant mgmt > Networking > Bridge Domains to configure the bridge domain on the in-band connection.

Step 14

Right-click the in-band bridge domain, click Create Subnet, and perform the following actions:

  1. In the Create Subnet dialog box, in the Gateway IP field, enter the in-band management gateway IP address.

  2. In the Mask field, enter the subnet mask if it does not self-populate. Click Submit.

    You can leave the default values in the rest of the fields as they are.

Step 15

On the menu bar, choose TENANTS > mgmt. In the Navigation pane, expand Tenant mgmt > Node Management EPGs, click In-Band EPG - default, and perform the following actions to set the VLAN on the in-band connection:

  1. In the Work pane, in the In-Band EPG default area, verify that the default is displayed.

  2. In the Encap field, enter the VLAN.

  3. Expand Provided Contracts. In the Name field, from the drop-down list, click the default contract radio button to enable the EPG to provide the default contract that will be consumed by the EPGs on which the VMM servers are located.

  4. Click Update, and click Submit.

  5. In the Status dialog box where the Changes Saved Successfully message is displayed, click OK.

Step 16

On the menu bar, choose TENANTS > mgmt. In the Navigation pane, expand Tenant mgmt > Node Management Addresses, right-click Node Management Addresses, and click Create Static Node Management Addresses.

Step 17

In the Create Static Node Management Addresses dialog box, perform the following actions:

  1. In the Node Range fields, enter the range of nodes.

  2. In the Config field, click the checkbox for In-Band Addresses.

    The In-Band IP Addresses area is displayed.
  3. In the In-Band Management EPG field, from the drop-down list, choose the EPG.

  4. In the In-Band Starting IP Address field, enter the starting IP address.

  5. In the Mask field, enter the net mask.

  6. In the In-Band Gateway field, enter the in-band gateway address. Click Submit.

  7. In the Confirm dialog box, which asks you to confirm that this will assign new management IP addresses to the selected range of nodes, click Yes to proceed.

The first node ID that was specified in the node range is allocated the first (starting) IP address. The next node ID is allocated the next IP address, and so on sequentially.

Step 18

To verify, in the Navigation pane, expand Node Management Addresses > Static Node Management Addresses, and in the Work pane, view the IP addresses allocated for each node.

Note 

You can pre-provision nodes with IP addresses. Therefore, even though nodes may be assigned with IP addresses, some nodes may be present and some nodes may not exist yet as they have been pre-provisioned.


Configuring Static In-Band Management Access Using the REST API

Procedure


Step 1

Create a VLAN namespace.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- api/policymgr/mo/uni.xml -->
<polUni>
  <infraInfra>
    <!-- Static VLAN range -->
    <fvnsVlanInstP name="inband" allocMode="static">
      <fvnsEncapBlk name="encap" from="vlan-10" to="vlan-11"/>
    </fvnsVlanInstP>
  </infraInfra>
</polUni>
Step 2

Create a physical domain.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- api/policymgr/mo/uni.xml -->
<polUni>
  <physDomP name="inband">
    <infraRsVlanNs tDn="uni/infra/vlanns-inband-static"/> 
  </physDomP>
</polUni>
Step 3

Create selectors for the in-band management.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- api/policymgr/mo/.xml -->
<polUni>
  <infraInfra>
    <infraNodeP name="vmmNodes">
      <infraLeafS name="leafS" type="range">
        <infraNodeBlk name="single0" from_="101" to_="101"/>
      </infraLeafS>
      <infraRsAccPortP tDn="uni/infra/accportprof-vmmPorts"/>
    </infraNodeP>

    <!-- Assumption is that VMM host is reachable via eth1/40. -->
    <infraAccPortP name="vmmPorts">
      <infraHPortS name="portS" type="range">
        <infraPortBlk name="block1"
                      fromCard="1" toCard="1"
                      fromPort="40" toPort="40"/>
        <infraRsAccBaseGrp tDn="uni/infra/funcprof/accportgrp-inband" />
      </infraHPortS>
    </infraAccPortP>


    <infraNodeP name="apicConnectedNodes">
      <infraLeafS name="leafS" type="range">
        <infraNodeBlk name="single0" from_="101" to_="102"/>
      </infraLeafS>
      <infraRsAccPortP tDn="uni/infra/accportprof-apicConnectedPorts"/>
    </infraNodeP>

    <!-- Assumption is that APIC is connected to eth1/1. -->
    <infraAccPortP name="apicConnectedPorts">
      <infraHPortS name="portS" type="range">
        <infraPortBlk name="block1"
                      fromCard="1" toCard="1"
                      fromPort="1" toPort="3"/>
        <infraRsAccBaseGrp tDn="uni/infra/funcprof/accportgrp-inband" />
      </infraHPortS>
    </infraAccPortP>

    <infraFuncP>
      <infraAccPortGrp name="inband">
        <infraRsAttEntP tDn="uni/infra/attentp-inband"/>
      </infraAccPortGrp>
    </infraFuncP>

    <infraAttEntityP name="inband">
      <infraRsDomP tDn="uni/phys-inband"/>
    </infraAttEntityP>
  </infraInfra>
</polUni>
Step 4

Configure an in-band bridge domain and endpoint group (EPG).

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!-- api/policymgr/mo/.xml -->
<polUni>
  <fvTenant name="mgmt">
    <!-- Configure the in-band management gateway address on the
         in-band BD. -->
    <fvBD name="inb">
      <fvSubnet ip="<subnet_ip_address>"/>
    </fvBD>

    <mgmtMgmtP name="default">
      <!-- Configure the encap on which APICs will communicate on the
           in-band network. -->
      <mgmtInB name="default" encap="vlan-10">
        <fvRsProv tnVzBrCPName="default"/>
      </mgmtInB>
    </mgmtMgmtP>
  </fvTenant>
</polUni>
Step 5

Create static in-band management IP addresses and assign them to node IDs.

Example:

<polUni>
  <fvTenant name="mgmt">
    <mgmtMgmtP name="default">
      <mgmtInB name="default">
        <mgmtRsInBStNode tDn="topology/pod-1/node-101"
                         addr="<ip_address_1>"
                         gw="<gw_address>"
                         v6Addr="<ip6_address_1>"
                         v6Gw="<ip6_gw_address>"/>
        <mgmtRsInBStNode tDn="topology/pod-1/node-102"
                         addr="<ip_address_2>"
                         gw="<gw_address>"
                         v6Addr="<ip6_address_2>"
                         v6Gw="<ip6_gw_address>"/>
        <mgmtRsInBStNode tDn="topology/pod-1/node-103"
                         addr="<ip_address_3>"
                         gw="<gw_address>"
                         v6Addr="<ip6_address_3>"
                         v6Gw="<ip6_gw_address>"/>
        <mgmtRsInBStNode tDn="topology/pod-1/node-104"
                         addr="<ip_address_4>"
                         gw="<gw_address>"
                         v6Addr="<ip6_address_4>"
                         v6Gw="<ip6_gw_address>"/>
        <mgmtRsInBStNode tDn="topology/pod-1/node-105"
                         addr="<ip_address_5>"
                         gw="<gw_address>"
                         v6Addr="<ip6_address_5>"
                         v6Gw="<ip6_gw_address>"/>
      </mgmtInB>
    </mgmtMgmtP>
  </fvTenant>
</polUni>
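
Added example (not Cisco's code): the Python below reproduces the sequential node-to-address allocation described in the GUI procedure, renders the Step 5 payload from it, and checks an existing payload for an address bound to more than one node. The function names, the 192.0.2.0/24 sample addresses, and carrying the prefix length inside addr are assumptions made for illustration; the sketch handles IPv4 only.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict


def plan_inband_addresses(node_ids, start_ip, prefix_len, gateway, pod=1):
    """Give each node ID the next address after start_ip, in list order.

    Raises ValueError if a node ID repeats or an address would leave the
    gateway's subnet or land on the gateway, network or broadcast address.
    """
    if len(set(node_ids)) != len(node_ids):
        raise ValueError("node ID listed twice")
    gw = ipaddress.ip_address(gateway)
    subnet = ipaddress.ip_network(f"{gateway}/{prefix_len}", strict=False)
    first = ipaddress.ip_address(start_ip)
    reserved = {gw, subnet.network_address, subnet.broadcast_address}
    plan = {}
    for offset, node_id in enumerate(node_ids):
        addr = first + offset
        if addr not in subnet:
            raise ValueError(f"node {node_id}: {addr} is outside {subnet}")
        if addr in reserved:
            raise ValueError(f"node {node_id}: {addr} is reserved in {subnet}")
        # Assumption: addr carries the prefix length, as in the CLI form.
        plan[f"topology/pod-{pod}/node-{node_id}"] = f"{addr}/{prefix_len}"
    return plan


def build_payload(plan, gateway):
    """Render the plan as the mgmtRsInBStNode payload shown in Step 5."""
    root = ET.Element("polUni")
    tenant = ET.SubElement(root, "fvTenant", name="mgmt")
    mgmtp = ET.SubElement(tenant, "mgmtMgmtP", name="default")
    inb = ET.SubElement(mgmtp, "mgmtInB", name="default")
    for tdn, addr in plan.items():
        ET.SubElement(inb, "mgmtRsInBStNode", tDn=tdn, addr=addr, gw=gateway)
    return ET.tostring(root, encoding="unicode")


def find_duplicate_addresses(payload_xml):
    """Return {address: [tDn, ...]} for addresses bound to several nodes."""
    owners = defaultdict(list)
    for node in ET.fromstring(payload_xml).iter("mgmtRsInBStNode"):
        # Compare host addresses only, so "x/24" and "x" count as the same.
        host = ipaddress.ip_interface(node.get("addr")).ip
        owners[str(host)].append(node.get("tDn"))
    return {ip: tdns for ip, tdns in owners.items() if len(tdns) > 1}


# Constructed sample: a hand-edited payload where node 103 reuses node 101's
# address (documentation range 192.0.2.0/24).
HAND_EDITED = """
<polUni><fvTenant name="mgmt"><mgmtMgmtP name="default"><mgmtInB name="default">
  <mgmtRsInBStNode tDn="topology/pod-1/node-101" addr="192.0.2.11/24" gw="192.0.2.1"/>
  <mgmtRsInBStNode tDn="topology/pod-1/node-102" addr="192.0.2.12/24" gw="192.0.2.1"/>
  <mgmtRsInBStNode tDn="topology/pod-1/node-103" addr="192.0.2.11" gw="192.0.2.1"/>
</mgmtInB></mgmtMgmtP></fvTenant></polUni>
"""

if __name__ == "__main__":
    plan = plan_inband_addresses([101, 102, 103], "192.0.2.11", 24, "192.0.2.1")
    print(build_payload(plan, "192.0.2.1"))
    print(find_duplicate_addresses(HAND_EDITED))
```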

Configuring Static In-Band Management Access Using the NX-OS Style CLI

Before you begin

Ensure that enough IP addresses are available to be allocated for the number of nodes that will be required for a deployment.

Procedure


Configure the static in-band management configuration using the NX-OS Style CLI as follows:

Example:


apic1(config)# switch 101
apic1(config-switch)# interface inband-mgmt0 
apic1(config-switch-if)# ip address <ip_address_1/mask> gateway <gw_address>

apic1(config)# switch 102
apic1(config-switch)# interface inband-mgmt0 
apic1(config-switch-if)# ip address <ip_address_2/mask> gateway <gw_address>

apic1(config-switch-if)# show inband-mgmt

Table 2. In-Band Management Node Details

| Type | Node ID | IP Address | Gateway | Inband EPG | Operational State |
|---|---|---|---|---|---|
| <node name> | <node ID> | <IP address/mask> | <gateway IP> | <EPG name> | <oper state> |

Table 3. In-Band Management EPG Details

| Name | Qos | Tag | Nodes | Vlan | Operational State |
|---|---|---|---|---|---|
| <in-band EPG name> | <Qos value> | <policy tag> | <node ID> | <in-band Vlan> | <oper state> |

Table 4. In-Band Management EPG Contract Details

| In-band Management EPG | Contracts | App EPG | L3 External | EPG | Operational State |
|---|---|---|---|---|---|
| <in-band EPG name> | <in-band contract> | <app EPG name> | <external-L3 EPG> | <epg name> | <oper state> |


Static Out-of-Band Management

Configuring Static Out-of-Band Management Access Using the GUI

Before you begin

The APIC out-of-band management connection link must be 1 Gbps.

Procedure


Step 1

On the menu bar, choose TENANTS > mgmt. In the Navigation pane, expand Tenant mgmt.

Step 2

Right-click Node Management Addresses, and click Create Static Node Management Addresses.

Step 3

In the Create Node Management Addresses dialog box, perform the following actions:

  1. In the Node Range field, enter the range of node IDs.

  2. In the Config field, check the check box for Out-of-Band Addresses.

    Note 

    The Out-of-Band IP addresses area is displayed.

  3. In the Out-of-Band Management EPG field, choose the EPG from the drop-down list.

  4. In the Out-of-Band Starting IP Address field, enter the starting IP address.

  5. In the Mask field, enter the mask if it is not already assigned.

  6. In the Out-of-Band Gateway field, enter the IP address. Click Submit.

The static node management IP addresses are configured.
Step 4

To verify, in the Navigation pane, expand Node Management Addresses, and click Static Node Management Addresses.

In the Work pane, the node management IDs and assigned IP addresses are displayed.
Step 5

In the Navigation pane, expand Security Policies > Out-of-Band Contracts.

Step 6

Right-click Out-of-Band Contracts, and click Create Out-of-Band Contract.

Step 7

In the Create Out-of-Band Contract dialog box, perform the following tasks:

  1. In the Name field, enter a name for the contract (oob-default).

  2. Expand Subjects. In the Create Contract Subject dialog box, in the Name field, enter a subject name (oob-default).

  3. Expand Filters, and in the Name field, from the drop-down list, choose the name of the filter (default). Click Update, and click OK.

  4. In the Create Out-of-Band Contract dialog box, click Submit.

An out-of-band contract that can be applied to the out-of-band EPG is created.
Step 8

In the Navigation pane, expand Node Management EPGs > Out-of-Band EPG - default.

Step 9

In the Work pane, expand Provided Out-of-Band Contracts.

Step 10

In the OOB Contract column, from the drop-down list, choose the out-of-band contract that you created (oob-default). Click Update, and click Submit.

The contract is associated with the node management EPG.
Step 11

In the Navigation pane, right-click External Network Instance Profile, and click Create External Management Entity Instance.

Step 12

In the Create External Management Entity Instance dialog box, perform the following actions:

  1. In the Name field, enter a name (oob-mgmt-ext).

  2. Expand the Consumed Out-of-Band Contracts field. From the Out-of-Band Contract drop-down list, choose the contract that you created (oob-default). Click Update.

    Choose the same contract that was provided by the out-of-band management.
  3. In the Subnets field, enter the subnet address. Click Submit.

    Only the subnet addresses you choose here will be used to manage the switches. The subnet addresses that are not included cannot be used to manage the switches.
The node management EPG is attached to the external network instance profile. The out-of-band management connectivity is configured.

Configuring Static Out-of-Band Management Access Using the REST API

Before you begin

The APIC out-of-band management connection link must be 1 Gbps.

Procedure


Step 1

Create an out-of-band contract.

Example:

<polUni>
    <fvTenant name="mgmt">
        <!-- Contract -->
        <vzOOBBrCP name="oob-default">
            <vzSubj name="oob-default">
                <vzRsSubjFiltAtt tnVzFilterName="default" />
            </vzSubj>
        </vzOOBBrCP>
    </fvTenant>
</polUni>
 
Step 2

Associate the out-of-band contract with an out-of-band EPG.

Example:

<polUni>
    <fvTenant name="mgmt">
        <mgmtMgmtP name="default">
            <mgmtOoB name="default">
                <mgmtRsOoBProv tnVzOOBBrCPName="oob-default" />
            </mgmtOoB>
        </mgmtMgmtP>
    </fvTenant>
</polUni>
 
Step 3

Associate the out-of-band contract with an external management EPG.

Example:

<polUni>
    <fvTenant name="mgmt">
        <mgmtExtMgmtEntity name="default">
            <mgmtInstP name="oob-mgmt-ext">
                <mgmtRsOoBCons tnVzOOBBrCPName="oob-default" />
                <!-- SUBNET from where switches are managed -->
                <mgmtSubnet ip="<mgmt_subnet_ip_address>" />
            </mgmtInstP>
        </mgmtExtMgmtEntity>
    </fvTenant>
</polUni>
 
Step 4

Create static out-of-band management IP addresses and assign them to node IDs.

CHECK IP Addresses

Example:

<polUni>
  <fvTenant name="mgmt">
    <mgmtMgmtP name="default">
      <mgmtOoB name="default">
        <mgmtRsOoBStNode tDn="topology/pod-1/node-101"
                         addr="<ip_address_1>"
                         gw="<gw_address>"/>
        <mgmtRsOoBStNode tDn="topology/pod-1/node-102"
                         addr="<ip_address_2>"
                         gw="<gw_address>"/>
        <mgmtRsOoBStNode tDn="topology/pod-1/node-103"
                         addr="<ip_address_3>"
                         gw="<gw_address>"/>
      </mgmtOoB>
    </mgmtMgmtP>
  </fvTenant>
</polUni>
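
Added example (not Cisco's code): a Python audit of the objects from Steps 1 to 3, checking that the contract consumed by the external management instance is the one the out-of-band EPG provides, that no filter in the contract carries the unsupported log directive, and that mgmtSubnet is not a catch-all. The payloads are constructed samples; the function name, the /16 threshold, and the use of the directives attribute on vzRsSubjFiltAtt (which this page does not show) are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: Steps 1-3 merged into one document for auditing.
TEMPLATE = """
<polUni><fvTenant name="mgmt">
  <vzOOBBrCP name="oob-default"><vzSubj name="oob-default">
    <vzRsSubjFiltAtt tnVzFilterName="default"{flt}/>
  </vzSubj></vzOOBBrCP>
  <mgmtMgmtP name="default"><mgmtOoB name="default">
    <mgmtRsOoBProv tnVzOOBBrCPName="oob-default"/>
  </mgmtOoB></mgmtMgmtP>
  <mgmtExtMgmtEntity name="default"><mgmtInstP name="oob-mgmt-ext">
    <mgmtRsOoBCons tnVzOOBBrCPName="{cons}"/>
    <mgmtSubnet ip="{net}"/>
  </mgmtInstP></mgmtExtMgmtEntity>
</fvTenant></polUni>
"""
GOOD = TEMPLATE.format(flt="", cons="oob-default", net="198.51.100.0/24")
BAD = TEMPLATE.format(flt=' directives="log"', cons="oob-defualt", net="0.0.0.0/0")


def audit_oob_policy(payload_xml, min_prefix_len=16):
    """Return a list of findings for an out-of-band management payload.

    min_prefix_len is a hypothetical local policy value: any management
    subnet shorter than this prefix length is reported as too broad.
    """
    root = ET.fromstring(payload_xml)
    defined = {c.get("name") for c in root.iter("vzOOBBrCP")}
    provided = {p.get("tnVzOOBBrCPName") for p in root.iter("mgmtRsOoBProv")}
    consumed = {c.get("tnVzOOBBrCPName") for c in root.iter("mgmtRsOoBCons")}
    findings = []

    # The external instance must consume the contract the OOB EPG provides.
    for name in sorted((provided | consumed) - defined):
        findings.append(f"contract {name!r} is referenced but not defined here")
    for name in sorted(consumed - provided):
        findings.append(f"contract {name!r} is consumed but not provided")
    for name in sorted(provided - consumed):
        findings.append(f"contract {name!r} is provided but never consumed")

    # The log directive on management-contract filters is unsupported.
    for contract in root.iter("vzOOBBrCP"):
        for att in contract.iter("vzRsSubjFiltAtt"):
            if "log" in (att.get("directives") or "").split(","):
                findings.append(
                    f"contract {contract.get('name')!r}: log directive on "
                    f"filter {att.get('tnVzFilterName')!r}")

    # Only the listed subnets may manage the switches; flag overly broad ones.
    for inst in root.iter("mgmtInstP"):
        subnets = [s.get("ip") for s in inst.iter("mgmtSubnet")]
        if not subnets:
            findings.append(f"{inst.get('name')}: no mgmtSubnet configured")
        for ip in subnets:
            net = ipaddress.ip_network(ip, strict=False)
            if net.prefixlen < min_prefix_len:
                findings.append(
                    f"{inst.get('name')}: management subnet {net} is "
                    f"broader than /{min_prefix_len}")
    return findings


if __name__ == "__main__":
    for finding in audit_oob_policy(BAD):
        print("FINDING:", finding)
```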
 

Configuring Static Out-of-Band Management Access Using the NX-OS Style CLI

Before you begin

Ensure that enough IP addresses are available to be allocated for the number of nodes that will be required for a deployment.

Procedure


Configure the static out-of-band (OOB) management configuration using the NX-OS Style CLI as follows:

Example:


apic1(config)# switch 101
apic1(config-switch)# interface mgmt0 
apic1(config-switch-if)# ip address <ip_address_1/mask> gateway <gw_address>

apic1(config)# switch 102
apic1(config-switch)# interface mgmt0 
apic1(config-switch-if)# ip address <ip_address_2/mask> gateway <gw_address>
apic1(config-switch-if)# show oob-mgmt

Table 5. Out-of-Band Management Node Details

| Type | Node ID | IP Address | Gateway | Out-of-Band EPG | Operational State |
|---|---|---|---|---|---|
| <node name> | <node ID> | <IP address/mask> | <gateway IP> | <EPG name> | <oper state> |

Table 6. Out-of-Band Management EPG Details

| Name | Qos | Tag | Nodes | Operational State |
|---|---|---|---|---|
| <OOB EPG name> | <Qos value> | <policy tag> | <node ID> | <oper state> |

Table 7. Out-of-Band Management EPG Contract Details

| Out-of-Band Management EPG | Contracts | Consumer OOB-Mgmt L3 External EPG | Operational State |
|---|---|---|---|
| <OOB EPG name> | <OOB contract> | <OOB External_L3 EPG> | <oper state> |


Toggling between In-band and Out-of-band Management

Toggling between In-band and Out-of-band Default Management Connectivity

With APIC 2.1(1x), you can set a global toggle between in-band and out-of-band as the default management connectivity between the APIC server and other external management devices.

Toggling in-band or out-of-band management in the APIC GUI

You can make either in-band management access or out-of-band management access the default management connectivity mode for the APIC server.

Prior to Release 2.2(1x):

  • On the menu bar, choose Fabric > Fabric Policies > Global Policies > Connectivity Preferences.

    In the Connectivity Preferences page, click either inband or ooband.

For Release 2.2(x) and 2.3(x):

  • On the menu bar, choose Fabric > Fabric Policies > Global Policies > APIC Connectivity Preferences.

    In the APIC Connectivity Preferences page, click either inband or ooband.

For Release 3.0(1x) or later:

  • On the menu bar, choose System > System Settings > APIC Connectivity Preferences.

    In the APIC Connectivity Preferences page, click either inband or ooband.

Toggling in-band or out-of-band management using the NX-OS Style CLI

You can make either in-band management access or out-of-band management access the default management connectivity mode for the APIC server by using the following CLI command sequence:
apic1# configure
apic1(config)# mgmt_connectivity pref {inband|ooband}

Toggling in-band or out-of-band management using the REST API

You can make either in-band management access or out-of-band management access the default management connectivity mode for the APIC server by posting the following REST API structure:


POST https://APIC-IP/api/node/mo/.xml
<polUni>
<fabricInst>
    <mgmtConnectivityPrefs interfacePref="ooband"/> <!-- or "inband" -->
</fabricInst>
</polUni>