Day 2 Operations

This chapter contains the following sections:

Data Plane Verification

Data Plane Verification Overview

This chapter describes how to verify that the Cisco ACI plugin for OpenStack has been installed correctly, and how to test basic connectivity of an OpenStack instance with its default gateway and with the externally created network.

Prerequisite

Before you get started, make sure that you have met the following prerequisites:

  • Make sure you source the keystone file for the project where you want to create the network constructs and instance before you execute the commands.

  • Make sure one external network called external-network-shared has already been created as a shared resource for any OpenStack project.

  • Make sure Nova already has a pre-defined flavor in order to create instances.

  • Make sure Glance already has a pre-defined image to boot instances.

Creating a Neutron Network

This section describes how to create a Neutron network.

Procedure


Step 1

To create a Neutron network, enter the following command:

$ openstack network create test_net

Sample output:

+---------------------------+-------------------------------------------------+
| Field                     | Value                                           |
+---------------------------+-------------------------------------------------+
| admin_state_up            | UP                                              |
| availability_zone_hints   |                                                 |
| availability_zone         |                                                 |
| created_at                | 2018-07-24T20:32:27z                            |
| description               |                                                 |
| dns_domain                | None                                            |
| id                        | 016b9885-c8ac-4a2d-be7e-e5203c945ba4            |
| ipv4_address_scope        | None                                            |
| ipv6_address_scope        | None                                            |
| is_default                | None                                            |
| mtu                       | 1500                                            |
| name                      | test_net                                        |
| port_security_enabled     | True                                            |
| project_id                | 7d0be879a12c47ae9c0a26d3fd4407d1                |
| provider:network_type     | opflex                                          |
| provider:physical_type    | physnet1                                        |
| provider:segmentation_id  | None                                            |
| qos_policy_id             | None                                            |
| revision_number           | 3                                               |
| router:external           | Internal                                        |
| segments                  | None                                            |
| shared                    | False                                           |
| status                    | ACTIVE                                          |
| subnets                   |                                                 |
| updated_at                | 2018-07-24T20:32:27Z                            |
+---------------------------+-------------------------------------------------+

Similarly, on the ACI fabric, it should be possible to verify that in the corresponding tenant the EPG and BD with the Neutron network name have been defined like in

Step 2

Verify the EPG and BD with the Neutron network name have been defined.

  1. In the APIC GUI, on the menu bar, choose Tenants > tenant_name > Application Profiles > OpenStack > Application EPGs > EPG_name. Check if the EPG has been defined.

  2. In the APIC GUI, on the menu bar, choose Tenants > tenant_name > Networking > Bridge Domains > BD_name. Check if the BD has been defined.


Creating a Neutron Subnet

This section describes how to create a Neutron Subnet.

Procedure


To create a Neutron subnet and bind it to the network previously created, enter the following CLI command:

Example:

openstack subnet create --network test_net --gateway 192.168.1.254 \
--subnet-range 192.168.1.0/24 subnet01

Sample output:

+---------------------------+-------------------------------------------------+
| Field                     | Value                                           |
+---------------------------+-------------------------------------------------+
| allocation_pools          | 192.168.1.1-192.168.1.253                       |
| cidr                      | 192.168.1.0/24                                  |
| created_at                | 2018-07-24T20:37:03Z                            |
| description               |                                                 |
| dns_nameservers           |                                                 |
| enable_dhcp               | True                                            |
| gateway_ip                | 192.168.1.254                                   |
| host_routes               |                                                 |
| id                        | d3341f6d-5fbe-476e-a0b7-d0e1b546eba4            |
| ip_version                | 4                                               |
| ipv6_address_mode         | None                                            |
| ipv6_ra_mode              | None                                            |
| name                      | subnet01                                        |
| network_id                | 016b9885-c8ac-4a2d-be7e-e5203c945ba4            |
| project_id                | 7d0be879a12c47ae9c0a26d3fd4407d1                |
| revision_number           | 2                                               |
| segment_id                | None                                            |
| service_types             |                                                 |
| subnetpool_id             | None                                            |
| updated_at                | 2018-07-24T20:37:03Z                            |
+---------------------------+-------------------------------------------------+

This command does not result in any change on ACI. The subnet is not yet attached to any router and is not enabled for L3 routing. Therefore, the ACI bridge domain still has no subnet associated with it.


Creating a Neutron Router

This section describes how to create a Neutron router.

Procedure


Step 1

To create a Neutron router, enter the following CLI command:

Example:

openstack router create router01

Sample output:

+---------------------------+-------------------------------------------------+
| Field                     | Value                                           |
+---------------------------+-------------------------------------------------+
| admin_state_up            | UP                                              |
| availability_zone_hints   | None                                            |
| availability_zone         | None                                            |
| created_at                | 2018-07-24T20:44:11Z                            |
| description               |                                                 |
| distributed               | False                                           |
| external_gateway_info     | None                                            |
| flavor_id                 | None                                            |
| ha                        | False                                           |
| id                        | 236734ab-c39e-4ad7-a9ab-c0d1fb03691a            |
| name                      | router01                                        |
| project_id                | 7d0be879a12c47ae9c0a26d3fd4407d1                |
| revision_number           | None                                            |
| routes                    | None                                            |
| status                    | ACTIVE                                          |
| updated_at                | 2018-07-24T20:41:11Z                            |
+---------------------------+-------------------------------------------------+

This command creates an ACI contract in the ACI Common tenant. The OpenStack routers are in fact rendered as ‘permit IP any any’ type of contracts in ACI. The contracts are always placed in the Common tenant and then applied as consumer and provider to all the EPGs created for Neutron networks whose subnets are bound to that router.

Step 2

Verify that the contract was created in the Common ACI tenant.

In the APIC GUI, on the menu bar, choose Tenants > common > Tenant Common > Contracts > Standards > router_name. Check if the router has been defined.


Bind the Subnet to the Router

This section describes how to bind the subnet to the router.

Procedure


Step 1

To enable routing on the Neutron network created, enter the following CLI command:

Example:

openstack router add subnet router01 subnet01

As a result, a VRF called DefaultRouterVRF will be created on APIC. The BD will be bound to this VRF, and the Neutron subnet will be created as a BD subnet.

Step 2

Verify that the VRF called DefaultRouterVRF was created, that the BD was bound to the VRF, and that the Neutron subnet was created as a BD subnet.

  1. In the APIC GUI, on the menu bar, choose Tenants > tenant_name > Networking > Bridge Domains > BD_name > Subnets > subnet. Check if the subnet has been defined.

  2. In the APIC GUI, on the menu bar, choose Tenants > tenant_name > VRFs > DefaultRoutedVRF (DefaultVRF). Check if the DefaultRouterVRF has been defined.


Set a Gateway to the Router

This section describes how to set a gateway to the router.

Procedure


Step 1

To provide external connectivity from the OpenStack domain to an external router, it is necessary to set a gateway for the OpenStack router previously created. The following command assumes that an external network defined as external-net-shared already exists and can be consumed by the OpenStack project:

Example:

openstack router set --external-gateway external-net-shared router01

Step 2

Verify that the L3out was created.

In the APIC GUI, on the menu bar, choose Tenants > tenant_name > Networking > External Routed Networks > l3out1-DefaultVRF (l3out1-DefaultVRF). Check if the l3out1-DefaultVRF has been defined.


Creating an Instance and Attach its NIC to the Network Previously Created

This section describes how to create an instance and attach its NIC to the network previously created.

Procedure


Step 1

Now that the network is created and configured to be routable to the external router, an OpenStack instance can be created and attached to the Neutron network to verify the connectivity. To create a Nova VM, enter the following CLI commands:

Example:

NET1=$(openstack network list | awk '/test_net/ {print $2}')
nova boot --flavor m1.tiny --image cirros --nic net-id=$NET1 vm1

Step 2

Verify the VM vm1 is visible under the EPG test_net Operational tab.

In the APIC GUI, on the menu bar, choose Tenants > tenant_name > Application Profiles > EPG_name > Application EPGs > EPG. Click on the Operational tab in the pane. Check if the VM is visible. The IP address should be correctly sensed by APIC.


Verifying through ICMP that the VM is Correctly Connected to the Rest of the Infrastructure

This section describes how to verify through ICMP that the VM is correctly connected to the rest of the infrastructure.

Procedure


To verify ICMP connectivity from the VM to its default gateway and to an external IP reachable through the L3out, enter the following CLI commands:

Example:

$ ifconfig eth0
$ ping 192.168.1.254
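
The OpenStack-side state built up in the preceding sections can also be checked in one pass from the CLI before looking at the APIC GUI. The following is an added example, not part of the original Cisco procedure; the function names are assumptions, and the expected values are the ones shown in the sample outputs above.

```shell
# Added example: CLI-side check of the objects created in this chapter.
# Usage: verify_data_plane test_net subnet01 router01 192.168.1.254 192.168.1.0/24

# field RESOURCE NAME COLUMN: print one column of "openstack RESOURCE show NAME"
field() { openstack "$1" show "$2" -f value -c "$3"; }

# expect LABEL ACTUAL EXPECTED: report the comparison, fail on mismatch
expect() {
  if [ "$2" = "$3" ]; then
    echo "ok    $1 = $2"
  else
    echo "FAIL  $1 = '$2' (expected '$3')"
    return 1
  fi
}

# The body runs in a subshell "( )" so its variables stay local.
verify_data_plane() (
  net=$1 subnet=$2 router=$3 gateway=$4 cidr=$5 failures=0
  check() { expect "$@" || failures=$((failures + 1)); }

  check "$net status" "$(field network "$net" status)" ACTIVE
  check "$net provider:network_type" \
        "$(field network "$net" provider:network_type)" opflex
  # New ports inherit this flag; with it off, security groups and
  # anti-spoofing are not applied to them.
  check "$net port_security_enabled" \
        "$(field network "$net" port_security_enabled)" True
  check "$subnet network_id" \
        "$(field subnet "$subnet" network_id)" "$(field network "$net" id)"
  check "$subnet gateway_ip" "$(field subnet "$subnet" gateway_ip)" "$gateway"
  check "$subnet cidr" "$(field subnet "$subnet" cidr)" "$cidr"
  check "$router status" "$(field router "$router" status)" ACTIVE

  # After "router set --external-gateway" this column must no longer be None.
  case "$(field router "$router" external_gateway_info)" in
    ""|None|null)
      echo "FAIL  $router has no external gateway"
      failures=$((failures + 1)) ;;
    *) echo "ok    $router has an external gateway" ;;
  esac
  [ "$failures" -eq 0 ]
)
```

The function exits non-zero if any check fails, so it can gate a deployment pipeline or a periodic drift check.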

Changing DNS Parameters or Static Routes

When you update the Domain Name System (DNS) parameters or static routes for a subnet, you must take extra steps to make the changes visible at a particular port or instance. We recommend that you use one of the two following sets of steps:

  • Associate and then disassociate the affected port with a dummy security group.

    A dummy security group is an extra security group that you add to any security groups already configured on the port. The dummy security group does not need to contain any rules.

  • Set the administrative state of the affected port to down, and then set the state to up.

Either set of steps triggers an update notification for the port, which allows the port to start using the changed parameters.
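
Both options, scripted with the standard `openstack` client for every port of one instance. This is an added example, not part of the original Cisco procedure; the group name `dummy-refresh-sg` and the function names are assumptions, and `vm1` is the instance created earlier in this chapter.

```shell
# Added example. Usage: refresh_server_ports vm1 [sg|admin]
DUMMY_SG=${DUMMY_SG:-dummy-refresh-sg}   # assumed name for the extra group

# Create the dummy group once and strip its rules so it grants nothing.
ensure_dummy_sg() {
  openstack security group show "$DUMMY_SG" >/dev/null 2>&1 && return 0
  openstack security group create "$DUMMY_SG" \
    --description "empty group used only to trigger port updates" >/dev/null \
    || return 1
  # Neutron normally adds allow-all egress rules to a new group; remove them.
  for rule in $(openstack security group rule list "$DUMMY_SG" -f value -c ID); do
    openstack security group rule delete "$rule" || return 1
  done
}

# Option 1: add the dummy group to the port's existing groups, then remove it.
refresh_port_sg() {
  openstack port set --security-group "$DUMMY_SG" "$1" || return 1
  openstack port unset --security-group "$DUMMY_SG" "$1"
}

# Option 2: administrative down, then up. The port is down in between, so
# plan for a brief interruption on that instance.
refresh_port_admin() {
  openstack port set --disable "$1" || return 1
  openstack port set --enable "$1"
}

refresh_server_ports() {
  server=$1 mode=${2:-sg} rc=0
  case "$mode" in
    sg) ensure_dummy_sg || return 1 ;;
    admin) ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  for port in $(openstack port list --server "$server" -f value -c ID); do
    if [ "$mode" = sg ]; then
      refresh_port_sg "$port"
    else
      refresh_port_admin "$port"
    fi || rc=1
  done
  return "$rc"
}
```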