Warning!

Make sure you are in root@pod01-srv01 during these steps.

Contiv Configuration

In these steps we will configure several items in the Netmaster. Contiv will not communicate with APIC until we create the Application Network Profile (ANP) in Step 7; the objects created before that exist only in Contiv.

Step 1 - VLAN configuration

Contiv uses static VLAN binding to talk to ACI. These VLANs must match the APIC configuration shown earlier.

[root@pod01-srv1 ~]# netctl global set --fabric-mode aci --vlan-range 500-505
[root@pod01-srv1 ~]# netctl global info
Fabric mode: aci
Forward mode: bridge
ARP mode: proxy
Vlan Range: 500-505
Vxlan range: 1-10000
Private subnet: 172.19.0.0/16

Step 2 - Tenant Creation

A tenant is a logical container for application policies. A tenant represents a unit of isolation from a policy perspective and can represent a customer, a division, a business unit, etc.

[root@pod01-srv1 ~]# netctl tenant create ContivTN01
[root@pod01-srv1 ~]# netctl tenant ls

Name
------
default
ContivTN01


Step 3 - Tenant Subnet

Creating a tenant subnet means the user defines the subnet, the gateway and the network name in Contiv. Contiv then creates a Bridge Domain in ACI with the information provided.

[root@pod01-srv1 ~]# netctl net create -t ContivTN01 -e vlan -s 10.0.248.0/29 -g 10.0.248.1 ContivNet01
[root@pod01-srv1 ~]# netctl net ls -t ContivTN01
Tenant      Network      Nw Type  Encap type  Packet tag  Subnet         Gateway     IPv6Subnet  IPv6Gateway
------      -------      -------  ----------  ----------  -------        ------      ----------  -----------
ContivTN01  ContivNet01  data     vlan        0           10.0.248.0/29  10.0.248.1


Step 4 - Create Policy

A Contiv policy is the object to which the user then attaches EPGs and rules.

[root@pod01-srv1 ~]# netctl policy create -t ContivTN01 app2db
[root@pod01-srv1 ~]# netctl policy ls -t ContivTN01
Tenant      Policy
------      ------
ContivTN01  app2db

Step 5 - Create End Point Group

An End Point Group (EPG) is a logical grouping of End Points (EPs) that share the same characteristics. EPGs act as a container for applications. They separate network policy, security and forwarding from addressing and instead apply them to logical application boundaries.

During this exercise we will create two EPGs, condb and conapp. Note that only condb is attached to the app2db policy; conapp is created without a policy.

[root@pod01-srv1 ~]# netctl group create -t ContivTN01 -p app2db ContivNet01 condb
[root@pod01-srv1 ~]# netctl group create -t ContivTN01 ContivNet01 conapp
[root@pod01-srv1 ~]# netctl group ls -t ContivTN01
Tenant      Group   Network      Policies  Network profile
------      -----   -------      --------  ---------------
ContivTN01  condb   ContivNet01  app2db
ContivTN01  conapp  ContivNet01

Step 6 - Create Rules

Rules are the ACL-style actions attached to a policy between a set of EPGs that allow or deny specific traffic. The rule below permits only inbound TCP 6379 (Redis) from the conapp EPG into the EPG that carries the app2db policy (condb).

[root@pod01-srv1 ~]# netctl policy rule-add -t ContivTN01 -d in --protocol tcp --port 6379 --from-group conapp --action allow app2db 1
[root@pod01-srv1 ~]# netctl policy rule-ls app2db -t ContivTN01
Incoming Rules:
Rule  Priority  From EndpointGroup  From Network  From IpAddress  Protocol  Port  Action
----  --------  ------------------  ------------  ---------       --------  ----  ------
1     1         conapp                                            tcp       6379  allow
Outgoing Rules:
Rule  Priority  To EndpointGroup  To Network  To IpAddress  Protocol  Port  Action
----  --------  ----------------  ----------  ---------     --------  ----  ------
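As an added check that is not part of the lab guide: a small shell audit that parses the tabular output of netctl policy rule-ls and compares the incoming allow rules against the allow-list you intend (here, only conapp to TCP 6379). The function names incoming_allows and audit_policy are my own, and both samples are constructed copies of the Step 6 output so the check runs offline; in the lab you would pass "$(netctl policy rule-ls app2db -t ContivTN01)" instead.

```shell
#!/usr/bin/env bash
# Added example, not from the lab guide: audit Contiv policy rules against an
# expected allow-list. Works on the text printed by "netctl policy rule-ls".

# Constructed sample: the rule set exactly as Step 6 leaves it.
SAMPLE_RULE_LS='Incoming Rules:
Rule  Priority  From EndpointGroup  From Network  From IpAddress  Protocol  Port  Action
----  --------  ------------------  ------------  ---------       --------  ----  ------
1     1         conapp                                            tcp       6379  allow
Outgoing Rules:
Rule  Priority  To EndpointGroup  To Network  To IpAddress  Protocol  Port  Action
----  --------  ----------------  ----------  ---------     --------  ----  ------'

# Constructed sample with one extra allow rule that the lab never adds (drift).
DRIFTED_RULE_LS="$(printf '%s\n' "$SAMPLE_RULE_LS" | sed '/^1     1/a\
2     2         conapp                                            tcp       22    allow')"

# Print every incoming allow rule as "source/protocol/port", one per line.
# Empty selector columns collapse under the default awk field splitting, so
# protocol, port and action are read from the right; a 5-field row has no
# source selector at all and is reported as "any".
incoming_allows() {
    printf '%s\n' "$1" | awk '
        /^Incoming Rules:/ { section = "in"; next }
        /^Outgoing Rules:/ { section = "out"; next }
        section == "in" && $1 ~ /^[0-9]+$/ && $NF == "allow" {
            src = (NF >= 6) ? $3 : "any"
            print src "/" $(NF-2) "/" $(NF-1)
        }'
}

# Return 0 when the incoming allow rules equal the expected list (one
# "source/protocol/port" per line), 1 otherwise, printing the drift to stderr.
audit_policy() {
    local actual expected
    actual=$(incoming_allows "$1" | sort)
    expected=$(printf '%s\n' "$2" | sort)
    [ "$actual" = "$expected" ] && return 0
    printf 'policy drift\nexpected:\n%s\nactual:\n%s\n' "$expected" "$actual" >&2
    return 1
}
```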

Step 7 - Create Application Network Profile (ANP)

This is the step where the integration between ACI and Contiv occurs. After this command is executed, Contiv sends the tenant, network, EPG and policy information to APIC, which creates the corresponding objects in ACI.

[root@pod01-srv1 ~]# netctl app-profile create -t ContivTN01 -g conapp,condb APP-TN01
[root@pod01-srv1 ~]# netctl app-profile ls -t ContivTN01
Tenant      AppProfile  Groups
------      ----------  ------
ContivTN01  APP-TN01    conapp,condb

Step 8 - New Docker Networks

During this step we use docker network ls (as previously explained) to identify the new networks that have been created for the EPGs conapp and condb. They appear with the netplugin driver and global scope, alongside the node-local bridge, host and none networks of each server.

[root@pod01-srv1 ~]# docker network ls
NETWORK ID          NAME                                      DRIVER              SCOPE
532dac286f4b        conapp/ContivTN01                         netplugin           global
a7c653149b03        condb/ContivTN01                          netplugin           global
595e958bc90f        pod01-srv1.ecatsrtpdmz.cisco.com/bridge   bridge              local
3f1c2d05057e        pod01-srv1.ecatsrtpdmz.cisco.com/host     host                local
e30eb5255d1a        pod01-srv1.ecatsrtpdmz.cisco.com/none     null                local
59fe7dc02201        pod01-srv2.ecatsrtpdmz.cisco.com/bridge   bridge              local
3a563496bafd        pod01-srv2.ecatsrtpdmz.cisco.com/host     host                local
f8d06f7bae0d        pod01-srv2.ecatsrtpdmz.cisco.com/none     null                local

© Copyright Cisco Systems 2017