Cisco APIC Basic Configuration Guide, Release 2 ...

  • Cisco APIC Basic Configuration Guide, Release 2.x

    First Published: 2016-06-29

    Last Modified: 2018-08-08

    Americas Headquarters
    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706 USA
    http://www.cisco.com
    Tel: 408 526-4000, 800 553-NETS (6387)
    Fax: 408 527-0883

  • THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

    © 2016–2017 Cisco Systems, Inc. All rights reserved.

  • Contents

    Preface

    Audience

    Document Conventions

    Related Documentation

    Documentation Feedback

    Obtaining Documentation and Submitting a Service Request

    Chapter 1: New and Changed Information

    New and Changed Information

    Chapter 2: About Cisco ACI/APIC Configuration

    Recommended Settings for the Cisco Application Policy Infrastructure Controller

    About ACI/APIC Interfaces

    Mixing the NX-OS Style CLI and the APIC GUI

    About the Modes of Configuring Layer 3 External Connectivity

    Configuration Validation

    Chapter 3: User Access, Authentication, and Accounting

    Access Rights Workflow Dependencies

    User Access, Authorization, and Accounting

    Multiple Tenant Support

    User Access: Roles, Privileges, and Security Domains

    Configuring a Local User

    Configuring a Local User Using the GUI

    Configuring SSH Public Key Authentication Using the GUI

    Configuring a Local User Using the NX-OS Style CLI

    Configuring a Local User Using the REST API

    Configuring a Remote User

    AV Pair on the External Authentication Server

    Best Practice for Assigning AV Pairs

    Configuring an AV Pair on the External Authentication Server

    Configuring APIC for TACACS+ Access

    Configuring APIC for RADIUS Access

    Configuring a Cisco Secure Access Control Server for RADIUS and TACACS+ Access to the APIC

    Configuring Windows Server 2008 LDAP for APIC Access with Cisco AVPair

    Configuring APIC for LDAP Access

    Changing the Default Behavior for Remote Users with Missing or Bad Cisco AV Pairs

    Changing Default Behavior for Remote Users with Missing or Bad Cisco AV Pairs Using the NX-OS Style CLI

    About Signature-Based Transactions

    Guidelines and Limitations

    Generating an X.509 Certificate and a Private Key

    Configuring a Local User

    Creating a Local User and Adding a User Certificate Using the GUI

    Creating a Local User and Adding a User Certificate Using the REST API

    Creating a Local User Using Python SDK

    Using a Private Key to Calculate a Signature

    Accounting

    Routed Connectivity to External Networks as a Shared Service Billing and Statistics

    Chapter 4: Management

    Management Workflows

    ACI Management Access Workflows

    Adding Management Access

    Adding Management Access in the GUI

    IPv4/IPv6 Addresses and In-Band Policies

    IPv4/IPv6 Addresses in Out-of-Band Policies

    IPv6 Table Modifications to Mirror the Existing IP Tables Functionality

    Configuring In-Band and Out-of-Band Management Access with Wizards

    Configuring In-Band Management Access Using the Cisco APIC GUI

    Configuring In-Band Management Access Using the NX-OS Style CLI

    Configuring In-Band Management Access Using the REST API

    Configuring Out-of-Band Management Access Using the Cisco APIC GUI

    Configuring Out-of-Band Management Access Using the NX-OS Style CLI

    Configuring Out-of-Band Management Access Using the REST API

    Exporting Tech Support, Statistics, and Core Files

    About Exporting Files

    File Export Guidelines and Restrictions

    Creating a Remote Location for Exporting Files

    Sending an On-Demand Techsupport File Using the GUI

    Sending an On-Demand Techsupport File Using the NX-OS Style CLI

    Sending an On-Demand TechSupport File Using the REST API

    Overview

    Configuration File Encryption

    Configuring a Remote Location Using the GUI

    Configuring a Remote Location Using the NX-OS Style CLI

    Configuring a Remote Location Using the REST API

    Configuring an Export Policy Using the GUI

    Configuring an Export Policy Using the NX-OS Style CLI

    Configuring an Export Policy Using the REST API

    Configuring an Import Policy Using the GUI

    Configuring an Import Policy Using the NX-OS Style CLI

    Configuring an Import Policy Using the REST API

    Encrypting Configuration Files Using the GUI

    Encrypting Configuration Files Using the NX-OS Style CLI

    Encrypting Configuration Files Using the REST API

    Backing up, Restoring, and Rolling Back Controller Configuration

    Backing Up, Restoring, and Rolling Back Configuration Files Workflow

    About the fileRemotePath Object

    Configuration Export to Controller

    Configuration Import to Controller

    Snapshots

    Snapshot Manager Policy

    Rollback

    Using Syslog

    About Syslog

    Creating a Syslog Destination and Destination Group

    Creating a Syslog Source

    Enabling Syslog to Display in NX-OS CLI Format, Using the REST API

    Using Atomic Counters

    About Atomic Counters

    Atomic Counters Guidelines and Restrictions

    Configuring Atomic Counters

    Using SNMP

    About SNMP

    SNMP Access Support in ACI

    SNMP Trap Aggregation

    Configuring SNMP

    Configuring the SNMP Policy Using the GUI

    Configuring an SNMP Trap Destination Using the GUI

    Configuring an SNMP Trap Source Using the GUI

    Monitoring the System Using SNMP

    Configuring SNMP Policy Using CLI

    Using SPAN

    About SPAN

    SPAN Guidelines and Restrictions

    Configuring a SPAN Session

    Using Traceroute

    About Traceroute

    Traceroute Guidelines and Restrictions

    Performing a Traceroute Between Endpoints

    Chapter 5: Provisioning Core ACI Fabric Services

    Time Synchronization and NTP

    In-Band and Out-of-Band Management NTP

    NTP over IPv6

    Configuring NTP Using the GUI

    Configuring NTP Using the NX-OS Style CLI

    Configuring NTP Using the REST API

    Verifying NTP Operation Using the GUI

    Verifying NTP Policy Deployed to Each Node Using the NX-OS Style CLI

    NTP Server

    Enabling the NTP Server Using the GUI

    Enabling the NTP Server Using the CLI