Configuring OOB Management in ACI

 Configuring OOB Management in ACI

--> Out of Band Management requires APIC/Leaf/SPINE switches to be connected to dedicated OOB Network using Management Interfaces.

--> APIC/Leaf/Spine Switches uses OOB Network for Admin Access as well as to communicate to NTP/SYSLOG/DNS/SNMP Service.

--> OOB Configuration is the first thing we need to do after doing Fabric Discovery of ACI Fabric.

--> By Default, APIC Servers are assigned with the OOB Management IP address during the Initial Configuration of ACI Fabric.

--> Leaf and Spine Switches are not assigned with the OOB Management IP address during the Initial Configuration of ACI Fabric.

--> There are two methods for creating Node Management Addresses for the ACI Fabric:

i)  Create Node Management Addresses ( Using DHCP)

ii) Create Static Node Management Addresses ( Using Static)

--> We can assign OOB Management IP address dynamically or statically to the APIC/Leaf/SPINE switches.

--> It is recommended to have the static OOB Management IP address to all APIC/Leaf/SPINE switches.

--> APIC/Leaf/SPINE Switch management IP address is assigned to a special EPG known as OOB EPG.

Static Node Management Address Configuration:

1) Navigate to:

Tenants -> mgmt -> Node Management Addresses -> Static Node Management Addresses

2) Right Click on Static Node Management Addresses and select Create Static Node Management Address

--> For the APIC OOB Management IP Configuration:

Node Range: 1 - 3

Config: Check on Out-Of-Band Addresses

Out of Band Management EPG: Default

Out of Band IPV4 Address: 10.10.10.1/24

Out of Band IPV4 Gateway:  10.0.0.254/24

--> For the ACI LEAF OOB Management IP Configuration:

Node Range: 101 - 110

Config: Check on Out-Of-Band Addresses

Out of Band Management EPG: Default

Out of Band IPV4 Address: 10.10.10.10/24

Out of Band IPV4 Gateway:  10.0.0.254/24

--> For the ACI SPINE OOB Management IP Configuration:

Node Range: 201 - 204

Config: Check on Out-Of-Band Addresses

Out of Band Management EPG: Default

Out of Band IPV4 Address: 10.10.10.20/24

Out of Band IPV4 Gateway:  10.0.0.254/24

--> Now you can do SSH/PING to the APIC/SPINE/LEAF OOB Management IP address.

Verification Commands:

APIC# iplink | grep oobmgmt

APIC # ip route show | grep oobmgmt

APIC # acidiag fnvread

Leaf# iplink | grep eth0

Leaf# ipconfig -a eth0

Leaf# ip route show | grep eth0

SPINE # iplink | grep eth6

Leaf# ipconfig -a eth6

Leaf# ip route show | grep eth6

--> To check Link Status ( Connected/Disconnected) on the APIC/Leaf/SPINE switches:

APIC# ethtool oobmgmt

Leaf# ethtool eth0

Note: You should see Link Detected: Yes

--> By default, APIC/Leaf/SPINE Management is accessible from all over the network, If you want to limit the Management Access to a specific Network then do the following:

1) Navigate to:

Tenants -> mgmt -> External Management Network Instance Profile ( Creates External EPG)

2) Configure the following:

Name: OOBAccess

Subnets: 10.20.0.0/24

3) Create the Filter by navigating to : Tenants -> mgmt -> Security Policies > Filters:

Name: OOBServices

Entries: Name: AllowAccess,     EtherType: Unspecified

4) Create the OOB Contract by navigating to: Tenants -> mgmt -> Security Policies > Out-Of-Band-Contracts:

Name: OOBNetworkAccess

Scope: VRF

Subject: Create a new subject and assign the Filter which was created before to it

5) Apply the Provided Contract to allow Access by navigating to Tenants -> mgmt -> Node Management EPGs >  Out-Of-Band - EPG Default

Provided Out-Of-Band Contracts: OOBNetwork Access

 6) Apply the Consumed Contract to allow Access by navigating to Tenants -> mgmt -> External Management Network Instance Profile:

Consumed Out-Of-Band Contracts: OOBNetwork Access

Note: For the Outgoing traffic from APIC/Leaf/Spine Switches no contract is required. The contract is only used for Inbound Traffic to APIC/Leaf/SPINE switches.

Reference: Cisco.com / Labminutes