Waiting at the airport

While I am sitting here waiting for boarding I realize that it is actually my first year as a NetVet!

Because I also have the CCIE certification I will be attending a special reception with the Cisco CEO Chuck Robbins. Interesting!

Furthermore there is a special NetVet Lounge and a free e-book from Cisco Press.

And probably some more perks! 

Ready for Cisco Live US 2017

Finally..again…I am going to Las Vegas for Cisco Live!

I’ll be traveling from Amsterdam and will arrive at 7:30pm. I’ll be staying at the Luxor, right next to the Manadalay Bay convention center. It will be a 15 minute walk every day to get there.

So of course I’m wearing my fitbit 🙂

Today I’ll meetup with some Brazilian friends and have (probably) some steak for dinner 🙂

tomorrow I have a 8 hour session called: TECCCDE-3005: CCDE: The Cisco Certified Design Expert

Because I am preparing for the CCDE exam this is the perfect session (they say)

So keep an eye on my blog, as I will be posting a lot this week!!

Michel van Kessel

Cisco ACI 2.1.1h notes


Some interesting notes on the latest ACI 2.1.1h firmware.

When configuring two Layer 3 external networks on the same node, the loopbacks need to be configured separately for both Layer 3 networks.

All endpoint groups (EPGs), including application EPGs and Layer 3 external EPGs, require a domain. Interface policy groups must also be associated with an Attach Entity Profile (AEP), and the AEP must be associated with domains. Based on the association of EPGs to domains and of the interface policy groups to domains, the ports and VLANs that the EPG uses are validated. This applies to all EPGs including bridged Layer 2 outside and routed Layer 3 outside EPGs. For more information, see the Cisco Fundamentals Guide and the KB: Creating Domains, Attach Entity Profiles, and VLANs to Deploy an EPG on a Specific Port article.

When creating static paths for application EPGs or Layer 2/Layer 3 outside EPGs, the physical domain is not required. Upgrading without the physical domain will raise a fault on the EPG stating “invalid path configuration.”

When contracts are not associated with an endpoint group, DSCP marking is not supported for a VRF with a vzAny contract. DSCP is sent to a leaf along with the actrl rule, but a vzAny contract does not have an actrl rule. Therefore, the DSCP value cannot be sent.

The Cisco Discovery Protocol (CDP) is not supported in policies that are used on FEX interfaces.

Download ACI firmware via WGET

In release 1.1(4e) was a bug present that caused issues with uploading/downloading firmware via the GUI.

A workaround is using WGET from the APIC CLI and download the firmware from a http server to the /tmp directory

After downloading just use the “firmware repository” command to add the firmware to the repository.

After doing this, you can use the GUI to upgrade the firmware for the APIC and switches, as you were used to.


apic1# cd /tmp
apic1# ls
bootflash flashenc logrotate.status snmpd2.pid vrf-init.log vrf-set-spineproxy.log
apic1# pwd

apic1# wget
–2016-01-03 16:50:06–
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 558322599 (532M) [application/octet-stream]
Saving to: `aci-n9000-dk9.11.2.1k.bin’

58% [======================================================================================> ] 327,484,640 1.81M/s eta 2m 5s h100%[====================================================================================================================================================>] 558,322,599 1.81M/s in 5m 0s

2016-01-03 16:55:06 (1.77 MB/s) – `aci-n9000-dk9.11.2.1k.bin’ saved [558322599/558322599]

apic1# firmware
repository upgrade
apic1# firmware repository
add delete
apic1# firmware repository add aci-n9000-dk9.11.2.1k.bin
Syncing… might take a bit if the image is large or many pending filesystem buffers
Firmware image aci-n9000-dk9.11.2.1k.bin is added to the repository


Scott and Brad

Quick Recap:

implementing NSX. – business wants to be Amazon-like. Do more with less. Abstract, Pool,Automation is key. Across compute networking and storage.

Both need access to same environment. how?

RBAC, integration with AD groups

Modify existing role for network admins and server admins are administrator

1. restrict per DVS. NSX groups for Network Admins. VMkernels, system traffic, etc for Server admins.

> network folder, modify permissions,

2. RBAC with a single DVS (preferred methode)

> just give read-only on a portgroup level to network admins. (like vmotion, mgmt, nfs, etc)

On a VM level, RBAC on VM’s. Network admins get access on Folder level (F5, LB, NSX). Server admin get no access/read-only

TEX2254 VMworld 2014 Barcelona

Quick Recap:

A lot of customers want to be Amazon-like. SDDC is a used for this. NSX is the SDN part of the SDDC model.

NSX momentum, over 150 customers.

How are these customers using NSX today: Three main use cases

1. Self-Service IT (Portal) – DevOps Cloud and On-boarding M&A

2. Data Center Automation – Micro-segmentation of App – Simplifying Compute Silo

3. DMZ Deployments

NSX is not a product, it is a platform. how?

Operations, Security, Physical + Virtual (L2 L3 gateway) Application Delivery (LB, Wan Optimization)

Service Insertion through Gateway, VTEP.




VMware NSX Distributed Firewall

Quick recap:

The VMware NSX Distributed Firewall can be used for micro-segmentation. There are no choke points and there is scale-out performance up to 20 Gbps.

It acts like firewall on the vNic. Each vNic has it’s own rule set. Performance is close to line-rate. Traffic Redirection is possible to 3th party.

Of course there is the Rest API.

DFW is a stateful engine.  During a VMotion the state table is migrated tand is in place before the VM arrives on the destination host