A floating static route is a static route with a higher administrative distance than the primary route, so it only takes over if the primary route becomes unavailable.
Example
ip route 10.10.10.0 255.255.255.0 192.168.2.1 200
Sunday, 27 July 2025
The standard order of accessing modes on a Cisco device
The standard order
of accessing modes on a Cisco device (like a router or switch)
running IOS or IOS XE is:
✅ User EXEC mode → Privileged EXEC mode →
Global Configuration mode → Specific Configuration modes
📘 Detailed Order:
- User EXEC Mode (>)
- Access level: Basic
- Prompt: Router>
- Limited commands (e.g., ping, show
version)
- Entry point when you first log in
- Privileged EXEC Mode (#)
- Access level: Elevated
- Prompt: Router#
- Accessed using: enable
- Allows full monitoring and some
configuration
- Global Configuration Mode ((config)#)
- Prompt: Router(config)#
- Accessed using: configure terminal
- Allows device-wide configuration changes
- Specific Configuration Modes
- Examples:
- Interface mode: Router(config-if)#
- Line mode: Router(config-line)#
- Router protocol mode: Router(config-router)#
- Accessed by entering sub-configuration
commands from global config
✅ Summary of Command Flow:
plaintext
CopyEdit
User EXEC Mode →
enable
Router> ─────────►
Router#
Privileged EXEC Mode
Privileged EXEC
Mode →
configure terminal
Router# ─────────► Router(config)#
Global
Configuration Mode
Global Config
Mode → interface Gig1/0
Router(config)# ─────────►
Router(config-if)#
Specific
Config Mode
Create a Match-All Contract in Cisco ACI (via GUI)
Creating a "match
all" contract in Cisco ACI means defining a contract that
allows all traffic types (all protocols, all ports) between
EPGs (Endpoint Groups). This is often used in lab environments or for initial
testing, but should be used with caution in production due to its
permissiveness.
🔧 Steps to Create a Match-All Contract in Cisco
ACI (via GUI):
- Log in to the APIC GUI.
- Navigate to:
- Tenants > [Your Tenant] > Contracts
- Right-click on Contracts > Create
Contract.
- Name: e.g., match_all_contract
- Scope: Tenant (or as per your requirement)
- Click Next.
- Add a Subject:
- Name: e.g., match_all_subject
- Filter: Click + to add a filter.
- Create a New Filter:
- Name: e.g., match_all_filter
- Click + to add a filter
entry.
- Add Filter Entry:
- Entry Name: e.g., allow_all
- EtherType: ip
- Protocol: unspecified
- Source Port: unspecified
- Destination Port: unspecified
- Apply Both Directions: ✅ (checked)
- Click OK, then Finish.
- Associate the Contract:
- Go to the EPG that
should provide the contract.
- Under Provided Contracts,
add match_all_contract.
- Go to the EPG that
should consume the contract.
- Under Consumed Contracts,
add match_all_contract.
Saturday, 26 July 2025
Overview of BGP Aggregation
BGP route aggregation
is a powerful feature that helps reduce the size of routing tables by
summarizing multiple specific routes into a single, broader route. This is
especially useful in large-scale networks where route optimization and
scalability are critical.
In Cisco IOS,
the aggregate-address command provides flexible options to control
how and when summary routes are advertised. Whether you're looking to advertise
only the summary, retain specific routes, or apply custom attributes, this
command gives you granular control over BGP route announcements.
By default, when you use the aggregate-address command,
the router advertises both the aggregate route and the more specific routes
that fall under it
Let’s dive in and understand how each option can be used to fine-tune your BGP advertisements.
- Purpose: Includes the AS numbers of the contributing routes in the AS path
of the aggregate.
- Use Case: When you want to preserve AS path information for loop prevention
or policy decisions.
- Effect: The aggregate route will have an AS_SET attribute, which is a
list of AS numbers from the contributing routes.
2. summary-only
- Purpose: Suppresses the advertisement of the more specific routes.
- Use Case: When you want to advertise only the summarized route and hide the
specifics.
- Effect: Only the aggregate route is advertised; specific routes are not
sent to BGP peers.
3. suppress-map
<map-name>
- Purpose: Selectively suppress specific routes from being advertised.
- Use Case: When you want to suppress some specific prefixes but still
advertise others along with the aggregate.
- Effect: Routes matching the route-map are suppressed; others are
advertised.
4. advertise-map
<map-name>
- Purpose: Controls which specific routes are used to generate the
aggregate.
- Use Case: When you want the aggregate to be created only if certain routes
exist.
- Effect: Aggregate is advertised only if routes matching the map are
present in the BGP table.
5. attribute-map
<map-name>
- Purpose: Applies specific BGP attributes to the aggregate route.
- Use Case: When you want to set attributes like MED, community, or local
preference on the aggregate.
- Effect: The aggregate route inherits attributes defined in the route-map.
Sunday, 20 July 2025
Cisco ACI – Port Channel (eth1/4 & eth1/5) Trunk Configuration for VLAN 420
Cisco ACI – Port
Channel (eth1/4 & eth1/5) Trunk Configuration for VLAN 420 – Complete Guide
In modern data center architectures, Cisco ACI (Application Centric Infrastructure) plays a vital role in automating and simplifying complex network configurations. One such common scenario is setting up a Port Channel trunk to carry specific VLAN traffic—like VLAN 420—across fabric leaf switches. This step-by-step guide walks you through the complete configuration of a Port Channel using interface eth1/4 and eth1/5 on Leaf 101, allowing VLANs 400–500, and deploying VLAN 420 in production.
Note - Multivlan on Same port on same switch in same EPG is not supported.
✅ Objective
Configure a Port Channel (eth1/4 & eth1/5) on Leaf 101 in trunk mode to carry VLAN 420, using a static EPG binding, and associate it with the necessary ACI components like VLAN Pool, Physical Domain, AAEP, Bridge Domain, EPG, and Contract.
✅ Prerequisites
-
Cisco ACI Fabric running with APIC access.
-
Leaf 101 is discovered and operational.
-
End host (e.g., server or hypervisor) connected to eth1/4 and eth1/5.
-
Basic understanding of ACI policies and constructs.
✅ Step-by-Step Summary
|
Step |
Task |
Navigation Path |
|
1 |
Create VLAN Pool
(400–500, static) |
Fabric > Access
Policies > Pools > VLAN |
|
2 |
Create Physical
Domain linked to VLAN Pool |
Fabric > Access
Policies > Physical and External Domains > Physical Domains |
|
3 |
Create Interface
Policies (Link Level, CDP, LLDP) |
Fabric > Access
Policies > Policies > Interface |
|
4 |
Create AAEP and
associate Physical Domain |
Fabric > Access
Policies > Policies > Global > Attachable Access Entity Profiles |
|
5 |
Create Leaf Port
Channel Policy Group |
Fabric > Access
Policies > Interfaces > Leaf Interfaces > Policy Groups > Port
Channel |
|
6 |
Create Leaf
Interface Profile and assign eth1/4 & eth1/5 |
Fabric > Access
Policies > Interfaces > Leaf Interfaces > Profiles |
|
7 |
Create Leaf Switch
Profile and assign Node 101 and Interface Profile |
Fabric > Access
Policies > Switches > Leaf Switch Profiles |
|
8 |
Create Tenant, VRF,
and Bridge Domain |
Tenants |
|
9 |
Create Application
Profile and EPG |
Tenants > Tenant
Name > Application Profiles |
|
10 |
Deploy Static EPG on
Port Channel (Trunk mode, VLAN 420) |
Tenants > Tenant
Name > Application Profile > EPG > Static Ports |
|
11 |
Associate EPG with
Physical Domain |
Tenants > Tenant
Name > Application Profile > EPG > Domains |
|
12 |
Create Contract, add
Subject, Filters, and associate with EPG |
Tenants > Tenant
> Contracts & Application Profile > EPG > Contracts |
|
13 |
Associate Contract
with EPG |
Tenants > Tenant
> Contracts & Application Profile > EPG |
✅ Step 1 – Create VLAN Pool (VLANs 400–500)
- Path: Fabric > Access Policies > Pools > VLAN
- Action:
- Right-click on "VLAN" >
Create VLAN Pool
- Name: VLANPool-400-500
- Allocation Mode: Static Allocation
- Add Encap Block:
- From: 400
- To: 500
- Allocation Type: Static
- Click OK > Submit
✅ Step 2 – Create Physical Domain
- Path: Fabric > Access Policies > Physical and External Domains
> Physical Domains
- Action:
- Right-click Physical Domains > Create
Physical Domain
- Name: physDom-400-500
- Associate VLAN Pool: VLANPool-400-500
- Click Submit
✅ Step 3 – Create Interface Policies
- Path: Fabric > Access Policies > Policies > Interface
- Create: Whatever parameters you want to set on the interface
- Link Level Policy: 10G-Auto
- CDP Policy: CDP-Enabled
- LLDP Policy: LLDP-Enabled
- Portchannel: PCP_101_1_4_1_5
Ø Mode: LACP Active
Ø Click Submit
✅ Step 4 – Create AAEP
- Path: Fabric > Access Policies > Policies > Global >
Attachable Access Entity Profiles
- Action:
- Right-click Attachable Access Entity
Profiles > Create AAEP
- Name: AAEP_400-500
- Click+ under Domain and Associate Domain:
physDom-400-500
- Click Update > Next > Finish
✅ Step 5 – Create Leaf Port Channel Policy Group
- Path: Fabric > Access Policies > Interfaces > Leaf Interfaces
> Policy Groups > PC Interface
- Action:
- Right-click PC Interface > Create PC
Interface Policy Group
- Name: PCPG_101_1_4_and_1_5
- Interface Type: PC (Port Channel)
- Policies:
- Link Level: 10G-Auto
- CDP: CDP-Enabled
- LLDP: LLDP-Enabled
- Portchannel: PCP_101_1_4_1_5
- AAEP: AAEP_400-500
- Click Next - > Finish
⚠️ Note: VLAN Trunking is controlled through Static
Binding and Domain VLAN Range, not inside the PC Policy Group.
✅ Step 6 – Create Leaf Interface Profile
- Path: Fabric > Access Policies > Interfaces > Leaf Interfaces
> Profiles
- Action:
- Right Click on Profiles and Create Leaf
Interface Profile: Leaf101_IntProf_PC
- Add Interface Selector: Click + under
Interface Selectors
- Name: PC-eth1_4-1_5
- Interface IDs: 1/4,1/5
- Interface Policy Group: PCPG-101
- Click Ok and then Submit
✅ Step 7 – Create Leaf Switch Profile
- Path: Fabric > Access Policies > Switches > Leaf Switch >Profiles
- Right Click on Profiles and Create
Leaf Profile: Leaf101-SWProf-PC
- Click + under Leaf Selectors
Ø Name: LS101
Ø Blocks: 101
- Click update, then Next Associate Interface
Selector Profile: Leaf101-IntProf-PC
- Click Finish
✅ Step 8 – Create Tenant, VRF, and Bridge Domain
- Path: Tenants
- Action:
- Click Add Tenants and Create Tenant: T1
and Click Submit
- Create VRF : Path
Tenants->Networking->VRFs
Ø
Right
click on VRFs and Create VRF: VRF-T1, uncheck “Create A Bridge Domain” and
click Finish
- Create Bridge Domains : Path
Tenants->Networking-> Bridge Domains
Ø
Right
click on Bridge Domain > Create Bridge Domain: BD-420
Ø Associate with VRF-T1 and Next
Ø Click + on Subnets and Add Gateway IP:
192.168.42.1/24
- Click Ok, Next and then Finish
✅ Step 9 – Create Application Profile and EPG
- Path: Tenants > T1 > Application Profiles
- Action:Right Click on Application Profiles
- Create Application Profile: App420 and
click Submit
- Create EPG Path: Tenants > T1 > Application Profiles>
App420
- Right Click on Application EPG > Create
Application EPG:
Ø
Name:
EPG-420
Ø
Associate
with Bridge Domain: BD-420
Ø
Click
Finish
✅ Step 10 – Deploy Static EPG on Port Channel
(Trunk, VLAN 420)
- Path: Tenants > T1 > App420 > EPG-420 > Application EPGs
> EPG-420
- Action:
- Right-click EPG-420 > Click Deploy
Static EPG on PC, VPC or Interface
- Path Type: Direct Port Channel
- Path: PCPG-101
- Port Encap: 420
- Mode: Trunk
- Click Next>Finish
✅ Step 11 – Associate EPG with Physical Domain
- Path: Tenants > T1 > App420 > EPG-420
- Action:
- Right Click EPG-420 and click on Add
Physical Domain Association
- Domain: physDom-400-500
- Click Submit
Step 12 – Create
Contract and Associate with EPG
🔹 12.1 – Create Filter
- Path: Tenants > T1 > Contracts
- Right-click Filters > Create Filters:
Filter-TCP80
- Click + under Entries
- Node: Entry_TCP80
- EtherType: IP
- IP Protocol: tcp
- Stateful: checked
- Destination Port/Range: From/To:http
- Click Update and then Submit
🔹 12.2 – Create Contract
- Path: Tenants > T1 > Contracts
- Right-click Standard > Create
Contract: Contract-420
- Click + under Subject ,Name:Subject-420
- Click + under Filters
- Name: choose T1/Filter-TCP80
- Action: Permit
- Click Update and then Submit
- Click OK, then Submit
🔹 12.2 – Associate Contract with EPG
- Path: Tenants > T1 > Application Profile>App420 >Application
EPG> EPG-420
- Right Click on EPG-420
- Click Add Provided Contracts
- Select: Contract-420
- Click Add, then Submit
Understanding the Limitation: Single EPG, Single Port, Single VLAN in Cisco ACI
🧩 Understanding the Limitation: Single EPG, Single Port, Single VLAN in Cisco ACI
In Cisco ACI, static port binding is a powerful method to associate specific leaf switch ports to End Point Groups (EPGs) using VLAN encapsulation. However, there's a key design limitation to be aware of:
✅ One static port binding supports only one EPG with one VLAN encapsulation.
This means:
A single leaf port (e.g.,
eth1/1) can only be statically associated to one EPG.That EPG can only use one encapsulation VLAN on that port.
🔒 Why is this a limitation?
Unlike traditional switching where a trunk port can carry multiple VLANs, in ACI's static binding model:
If you want to pass multiple VLANs on the same port, you must use multiple EPGs, each with a separate static binding.
But since a single port cannot be bound to multiple EPGs, this effectively blocks trunking behavior in static access port configuration.
💡 Design Tip:
To enable trunk-like behavior (multiple VLANs on a port), you must:
Configure a Port Channel or physical interface as trunk
Use multiple static EPG bindings with different VLAN encapsulations to the same trunk interface
🚫 Common Misconception:
It’s often assumed that a single static EPG can carry multiple VLANs on the same port—this is not possible. The design is intentionally strict to enforce segmentation and policy enforcement in the ACI fabric.
Subscribe to:
Comments (Atom)