Viewing ACI Topology
What we see under Fabric -> Inventory -> Topology is only the active components, i.e. failed devices are not displayed. Therefore this menu is not enough to have a complete view during any troubleshooting gig.
Operations and Troubleshooting with CLI
- We can view configuration values with either the GUI or the CLI.
- in CLI, we have the possiblity of doing it with the NX-OS style commands or with the Linux commands; a Nexus switch is based on Linux.
- When creating a normal port channel or a VPC, APIC associates to it in the background a numerical value. But we can not see it through a normal “show” command, but rather through a “show port-channel extended”
- The same is true for “show vlan”; we need to issue the “show vlan extended” to see the internally associated VLANs.
- The CLI in APIC does not support the pipe “|” symbol.
Operations and Troubleshooting with GUI
- ACI gathers and correlates information into Health Scores and Statistics, both help guide our troubleshooting process.
- We can see the health score of ACI components in various granularity levels. For example, there is a health score for an Application Profile, and a health score for each EPG within it.
- Here are some of the tools we can leverage in the GUI for troubleshooting.
- simulates a topology with an X number of ressources ( BD, EPG, leafs, spines, …) in order to analyze the performance impact associated with scalability. This tool helps to make the right decision when thinking about expanding the ACI fabric.
On-Demand Diagnostic Tests
- configured as a fabric policy
- as soon as an on-demand diagnostic test is configured, it can be seen under the corresponding level, whether it is a chassis test or a line card test, etc.
Visibility and Troubleshooting Tool
- allows to see:
- drop statistics
- traffic statistics
- inspects contract deny logs, and permit logs when the leaf in question is a Nexus EX.
- SPAN sessions. A SPAN session can be set up from the fabric menu, the tenant menu, or the Visibility and Troubleshooting tool menu.
- which is not to be confused with itraceroute Nexus-OS command.
- involve endpoints and devices external to the fabric.
- Atomic counters:
- count packets of a specific protocol between any two points in the fabric.
- are reset every 30 seconds
- are synchronized between the emitting leaf and the receiving leaf, unlike in legacy networks where the sum total of packets on endpoint A does not equal that on endpoint B.
- begin to be displayed after 90 seconds of running the atomic counter test.
End Point Tracker
End Point Tracker ( aka EP Tracker) : allows to answer questions such as:
- on which leaf and port is the endpoint?
- which encapsulation does the endpoint use?
- where was the endpoint historically connected to?
- Traffic Maps graphically displays dropped transmitted and received packets, thus helping identify bottlenecks on the fabric.
- use atomic counters
On-Demand Hardware Diagnostic Tests
- We configure on-demand diagnostic tests under the Fabric Policies. The results are to be seen under the respective devices, under Inventory.
SPAN / Port Mirroring
ACI supports these types of SPAN:
- Local SPAN: source and destination are on the same leaf
- Fabric SPAN: source port can be any fabric port, even a spine port.
- Tenant SPAN: source and destination on the same tenant
- Virtual SPAN: source is a virtual NIC, on a virtual machine.
- RSPAN: mirrored traffic is sent over a remote VLAN
- mirrored traffic is sent over IP using GRE tunnel technology.
- has two versions: version 1 (aka type 1) and version 2 (type 2).
- both versions use GRE encapsulation
- The difference between them is that version 2 includes an ERSPAN header in the GRE-encapsulated packet.
- not every packet analysis station supports both ERSPAN versions.
- Generally a SPAN session supports different destination types. Some leaf hardware models do not support all destination types.
- Copy service
In Nexus 3000 and 9300 the leaf switch can consolidate multiple ingress mirrored traffics and forward them, using OpenFlow, accordingly to different destinations. This may be useful when we want to interpret each mirrored traffic on a separate packet analysis station.
Network Audit Trail
Network Audit Trail in ACI is similar to the AAA framework. In fact, ACI already integrates the functionalities that AAA brings. We can perform network audit fabric-wide or per object.