Make sure you are in root@pod01-srv01 during these steps.

External Connectivity

In the previous exercise, we created two containers (DB and APP) and they were able to communicate between each other via the rules that we added. During this step, we will creating a new application which would have connectivity to the "outside" world. In this case we will creating a web server container.

Step 1 - Create External Rules (POD01-srv1)

External Contracts is what it is going to allow us to have communication between the webserver and the the external world. IF you think about it this is the linkage that Contiv and ACI, have to the outside world in order for users be able to connect to the webserver.

It is important to note that we already created a "common contract" in ACI called "Contiv_Contract". This contract is going to be shared among all the tenant. In this particular case it is important to understand the flags of the netctl external-contracts command.

The external-contract has multiple flags

# This is the copy group: 1
netctl external-contracts create -t ContivTN01 -p -contract "uni/tn-common/brc-Contiv_Contract" webcontract
# This is the copy group: 2
netctl external-contracts ls -t ContivTN01

[root@pod01-srv1 ~]# netctl external-contracts ls -t ContivTN01
Tenant         Name           Type        Contracts
------         ------         ------      -------
ContivTN01  webcontract    provided  [uni/tn-common/brc-Contiv_Contract]

Step 2 - Create Policy (POD01-srv1)

# This is the copy group: 3
netctl policy create -t ContivTN01 webapp
# This is the copy group: 4
netctl policy ls -t ContivTN01

[root@pod01-srv1 ~]# netctl policy ls -t ContivTN01
Tenant          Policy
------          ------
ContivTN01      app2db
ContivTN01      webapp

Step 3 - Create End Point Group WEB (POD01-srv1)

# This is the copy group: 5
netctl group create -t ContivTN01 -e webcontract -p webapp ContivNet01 conweb
# This is the copy group: 6
netctl group ls -t ContivTN01

[root@pod01-srv1 ~]# netctl group ls -t ContivTN01WEB
Tenant     Group   Network     Policies  Network profile
------     -----   -------     --------  ---------------
ContivTN01  condb   ContivNet01  app2db
ContivTN01  conapp  ContivNet01
ContivTN01  conweb  ContivNet01 webapp 

Step 4 - Create Application Network Profle (ANP) (POD01-srv1)

# This is the copy group: 7
netctl app-profile create -t ContivTN01 -g conweb ANP01WEB
# This is the copy group: 8
netctl app-profile ls -t ContivTN01

[root@pod01-srv1 ~]# netctl app-profile ls -t ContivTN01

Tenant         AppProfile  Groups
------         ----------  ------
ContivTN01     APP-TN01    conapp,condb
ContivTN01     ANP01WEB    conweb

Step 5 - Start the container (POD01-srv1)

# This is the copy group: 9
docker run -itd -h=webserver --name=webserver --net=conweb/ContivTN01 cobedien/ltrcld-2003

Lets make sure the webserver container has started

# This is the copy group: 10
docker ps | grep webserver
    [root@pod01-srv1 ~]# docker ps | grep webserver
    6a3699c2b74b       cobedien/ltrcld-2003  "/bin/bash"   12 hours ago   Up 12 hours   pod01-srv1.ecatsrtpdmz.cisco.com/webserver


Step 6 - Accessing the Webserver container (POD01-srv1)

During this step we will be accessing and starting the web services for the container

# This is the copy group: 11
docker exec -it webserver /bin/bash service apache2 start
[root@pod01-srv1 ~]# docker exec -it webserver /bin/bash service apache2 start
 * Starting web server apache2                                                                                 AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
# This is the copy group: 12
docker exec -it webserver /bin/bash
    [root@pod01-srv1 ~]# docker exec -it webserver /bin/bash

Lets find out the IP Address and Default Gateway that were assigned to the webserver container

# This is the copy group: 13
ip a
root@webserver:/# ip a

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
82: eth0@if81:  mtu 1450 qdisc noqueue state UP group default
    link/ether 02:02:0a:00:f8:ca brd ff:ff:ff:ff:ff:ff
    inet scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2:aff:fe00:f8ca/64 scope link
       valid_lft forever preferred_lft forever
# This is the copy group: 14
netstat -rn
root@webserver:/# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface         UG        0 0          0 eth0 U         0 0          0 eth0

Lets start a continuous ping from the container to the default in order for the ACI fabric to learn about this new container

# This is the copy group: 15
root@6a3699c2b74b:/# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=0.464 ms

ACI - Connecting to the outside world

Now that we have created the webserver, it is time to connect the conweb EPG to the external network. In order to do that we need to make some changes in ACI.

Step 7 - Connect to APIC GUI via web

You can login into the interface with the credentials

Step 8 - VRF change


Make sure you click on YOUR tenant/POD Number -- ContivTN01 -- . You may need to go to the next page in order to find your Tenant

Once you are inside your tenant ContivTN01. We need to modify the VRF which is under the Bridge Domain to Default - Common.

Step 9 - Add L3 Out

The last step in order to for us to be able to to connect to the outside world is to add the L3 out to the common tenant.


Make sure to select Contiv -> Common

Step 10 - View Web Server from the RDP Console

Using the same Chrome browser you have been using to check ACI, open a tab and point the browser to the IP assigned to the webserver container

© Copyright Cisco Systems 2017